Install node 1 - SSO

Steps

Unpack the Software

Unpack the tar archive to /usr/local/ubisecure. Assuming the archive is in the current directory, we could do the following:

Listing 1.
mkdir -p /usr/local/ubisecure
tar xzvf sso-x.x.x.tar.gz -C /usr/local/ubisecure

Copy the configuration template to /usr/local/ubisecure/ubilogin-sso/ubilogin:

Listing 2.
cd /usr/local/ubisecure/ubilogin-sso/ubilogin
cp config/unix.config .

Install dependencies

On 64-bit Red Hat Linux, the 32-bit (i686) glibc and libgcc packages must be installed. Update the 64-bit libgcc package before installing the i686 one to prevent a version mismatch between the two. The Linux Standard Base package is also needed.

Listing 3.
yum install glibc.i686
yum update libgcc
yum install libgcc.i686
yum install lsb

Create Accounting Service user and database

See PostgreSQL preparation on Linux.

Modify the configuration template

Open the unix.config file in a text editor and modify the following keys:

uas.url

Set the publicly visible URL of the Ubisecure SSO deployment with the key uas.url. If the value is left as localhost, the installation is accessible only from the local machine. The resulting line for uas.url might look like the following:

Listing 4.
uas.url = https://sso.example.com

This is the publicly visible URL address of your Ubisecure SSO installation. The value must not include a path component and must not end with a '/' character.

This address must be reachable by all users of this installation. In an installation with front-end reverse proxy servers, this address refers to the first front-end server that is reachable from the public network.

Accounting Service settings

This step is mandatory since v. 8.4; see Linux single node installation / Modify the configuration template.

ldap.url

Listing 5.
ldap.url = ldap://127.0.0.1:389

Change the ldap.url value from localhost to 127.0.0.1:389, as shown in Listing 5.

suffix

Listing 6.
suffix = cn=Ubilogin,dc=sso,dc=example,dc=com

The suffix defines the name of the Ubisecure Directory. This value and the uas.url value together uniquely identify a Ubisecure SSO installation. The name of the Ubisecure Directory cannot be changed without reinstalling the entire system, so choose the suffix carefully.

Configure reverse proxy

Listing 7.
proxy.remote-addr-name = X-Forwarded-For
proxy.local.url = http://localhost:8080

The value "X-Forwarded-For" is the header commonly used by proxy servers to pass the address of the requesting client. The proxy server must be configured to set this header to the end-user IP address. Because SSO reads the client address from this header, the proxy should overwrite any X-Forwarded-For value that arrives from the client rather than pass it through.

Save the changes and close the unix.config file, then create the configuration files with the setup.sh script:

Listing 8.
./setup.sh

If setup.sh does not finish quickly, check that entropy generation is configured correctly (the JVM can block when the /dev/random entropy pool is empty). Consult this blog post http://www.usn-it.de/index.php/2009/02/20/oracle-11g-jdbc-driver-hangs-blocked-by-devrandom-entropy-pool-empty/ for more information.

Accounting Service additional configuration

This step is mandatory since v. 8.4; see Linux single node installation / Configure Accounting Service.

Set up the System User

A system user ubilogin (default name) will be created automatically by the installation scripts. This user will run the Ubisecure daemons.

LDAP configuration

Add the two rows in Listing 10 to the file /usr/local/ubisecure/ubilogin-sso/ubilogin/ldap/openldap/ldap_server_list.conf on node 1. Replace the placeholder hostnames with the correct ones.

Listing 9.
vi /usr/local/ubisecure/ubilogin-sso/ubilogin/ldap/openldap/ldap_server_list.conf

These are the addresses at which Ubisecure Directory runs on the different nodes:

Listing 10.
serverID 1 ldap://<node1 hostname>:389
serverID 2 ldap://<node2 hostname>:389

Add the following lines to the file /usr/local/ubisecure/ubilogin-sso/ubilogin/ldap/openldap/ldap_peer.conf on node 1.

Ensure that all quotation marks are standard ASCII double quotes ("), not typographic (curly) quotes, which slapd does not recognise.

Listing 11.
syncrepl rid=001
 provider=ldap://<node1 hostname>:389
 searchbase="cn=Ubilogin,dc=sso,dc=example,dc=com"
 bindmethod=simple
 binddn="uid=System,ou=System,cn=Ubilogin,dc=sso,dc=example,dc=com"
 credentials="secret"
 type=refreshAndPersist
 timeout=1
 retry="1 10 60 10 600 +"

syncrepl rid=002
 provider=ldap://<node2 hostname>:389
 searchbase="cn=Ubilogin,dc=sso,dc=example,dc=com"
 bindmethod=simple
 binddn="uid=System,ou=System,cn=Ubilogin,dc=sso,dc=example,dc=com"
 credentials="secret"
 type=refreshAndPersist
 timeout=1
 retry="1 10 60 10 600 +"

mirrormode on
#
overlay syncprov

The file contains a configuration for each node: rid=001 is node 1 and rid=002 is node 2.

Provider

The LDAP address must match the corresponding entry in Listing 10.

Searchbase

The searchbase must match the suffix defined in unix.config.

Binddn

Enter uid=System,ou=System, followed by the suffix from unix.config, for example:

uid=System,ou=System,cn=Ubilogin,dc=sso,dc=example,dc=com

Credentials

Enter the openldap.root.password value from unix.config.
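A consistency check for the three files edited above, added here as an example that is not part of the Ubisecure documentation: it parses ldap_peer.conf and verifies, against unix.config and ldap_server_list.conf, that each syncrepl block's provider is a listed server, that searchbase and binddn are built from the suffix, that credentials equals openldap.root.password, and that no typographic quotation marks slipped in. The file contents, hostnames and password below are constructed sample data, not values from a real deployment.

```python
import re
# Constructed sample inputs (placeholder hostnames and password); directives the
# check ignores (bindmethod, type, timeout, retry) are left out of the sample.
UNIX_CONFIG = """suffix = cn=Ubilogin,dc=sso,dc=example,dc=com
openldap.root.password = secret
"""
SERVER_LIST = """serverID 1 ldap://node1.example.com:389
serverID 2 ldap://node2.example.com:389
"""
PEER_CONF = """syncrepl rid=001
 provider=ldap://node1.example.com:389
 searchbase="cn=Ubilogin,dc=sso,dc=example,dc=com"
 binddn="uid=System,ou=System,cn=Ubilogin,dc=sso,dc=example,dc=com"
 credentials="secret"
syncrepl rid=002
 provider=ldap://node2.example.com:389
 searchbase="cn=Ubilogin,dc=sso,dc=example,dc=com"
 binddn="uid=System,ou=System,cn=Ubilogin,dc=sso,dc=example,dc=com"
 credentials="secret"
mirrormode on
"""
CURLY_QUOTES = "\u201c\u201d\u2018\u2019"  # typographic quotes slapd does not read as quotes

def parse_syncrepl(text):
    # Group each 'syncrepl rid=NNN' line with its indented continuation lines.
    blocks, current = [], None
    for line in text.splitlines():
        if line.startswith("syncrepl "):
            current = {"rid": line.split("rid=", 1)[1].strip()}
            blocks.append(current)
        elif current is not None and line[:1].isspace():
            key, _, value = line.strip().partition("=")
            current[key] = value.strip('"')
        else:
            current = None  # a top-level directive such as mirrormode ends the block
    return blocks

def check_peer_conf(unix_config, server_list, peer_conf):
    """Return the mismatches between ldap_peer.conf and the other two files ([] = consistent)."""
    keys = dict(re.findall(r"^([\w.]+)\s*=\s*(.*?)\s*$", unix_config, re.M))
    suffix, password = keys["suffix"], keys["openldap.root.password"]
    servers = set(re.findall(r"^serverID\s+\d+\s+(\S+)", server_list, re.M))
    problems = [f"line {n}: non-standard quotation mark"
                for n, line in enumerate(peer_conf.splitlines(), 1)
                if any(ch in CURLY_QUOTES for ch in line)]
    for block in parse_syncrepl(peer_conf):
        if block.get("provider") not in servers:
            problems.append(f"rid={block['rid']}: provider not in ldap_server_list.conf")
        for key, want in {"searchbase": suffix, "credentials": password,
                          "binddn": f"uid=System,ou=System,{suffix}"}.items():
            if block.get(key) != want:
                problems.append(f"rid={block['rid']}: {key} does not match unix.config")
    return problems
```

To run it against a real node, read the three files from the paths given in this page and pass their contents to check_peer_conf; an empty result means the files agree.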

Modify the Ubisecure Directory startup script (settings.sh) on node 1. This is needed so that OpenLDAP listens on both the external and the internal URL to support failover.

Listing 12.
vi /usr/local/ubisecure/ubilogin-sso/ubilogin/config/settings.sh

Add the node 1 hostname address ldap://node1host:389 to settings.sh. NOTE that this addition is lost every time the setup script (setup.sh) is executed and must then be made again.

Add the following new line below the line reading "esac":

Listing 13.
LDAP_LISTEN_URLS="ldap://node1host:389 $LDAP_LISTEN_URLS"

Install OpenLDAP

Install and start OpenLDAP using the following command:

Listing 14.
cd /usr/local/ubisecure/ubilogin-sso/ubilogin
./ldap/openldap/install.sh

If the OpenLDAP install script prompts for an LDAP password, type secret and press Return.

Install Ubisecure SSO Tomcat and Accounting Service

Run the Tomcat install script to install Tomcat and configure it to start automatically when Linux boots. Since v. 8.4 the Accounting Service is also installed as a service in the same way.

The install script starts both services.

Listing 15.
./config/tomcat/install.sh

Start Accounting Service

Start the Ubisecure Accounting Service using the following command.

Listing 16.
systemctl start ubisecure-accounting

Notes about the initial Accounting Service installation:

  1. On the first start, the necessary database tables are created in your database.
  2. If you are doing the initial Accounting Service installation and the service does not start, you may need to change the Accounting Service related settings in the unix.config file before continuing; see Change configuration settings during installation process in Linux. See also Troubleshooting Accounting Service.

The Accounting Service should always be running before SSO is started; otherwise the SSO log fills with errors, although SSO keeps running as long as there is enough disk space. SSO recovers from an Accounting Service restart without needing a restart itself.

Start Ubisecure SSO

Start the Ubisecure SSO process using the following commands.

Listing 17.
systemctl start ubilogin-directory
systemctl start ubilogin-server

Verify Installation

Continue on page Single node installation finalization to finalize and verify the installation.