Setup template on Linux - CustomerID

Owned by ubisebastian
2022-10-24
4 min read

Ubisecure CustomerID uses the same Ubisecure Directory as Ubisecure SSO. For this reason, Ubisecure CustomerID needs some of the configuration details from the Ubisecure SSO configuration. This chapter describes how this information can be added to the Ubisecure CustomerID configuration. The other properties can be adjusted according to the needs of the specific installation environment.

Create a copy of the Ubisecure CustomerID configuration template:

cd /usr/local/ubisecure/customerid/application
cp config/linux.config ./

Copy entries from Ubisecure SSO configuration file to Ubisecure CustomerID configuration file:

  1. Copy some values from Ubisecure SSO ubilogin-sso/ubilogin/unix.config file to the Ubisecure CustomerID customerid/application/linux.config file. The following table shows what key values to copy and where:

    From: Ubisecure SSO

    To: Ubisecure CustomerID

    master.secret

    master.secret

    uas.url

    uas.url

    ldap.url

    ldap.url

    suffix

    ldap.suffix

    NOTE: Check that there are no additional control characters or white space at the end of uas.url-value. In fact, make this same check for all values as you proceed.

  2. The rest of the fields in the Ubisecure CustomerID linux.config file can be defined independently from the Ubisecure SSO.

Edit linux.config

Field Name

Field Description

uas.entityIdSAML identity provider entityID when SSO is acting as the identity provider. The default value uas.entityId = @uas.url@/uas does not normally need to be modified.
uas.saml2.metadata.urlSAML identity provider metadata download URL when SSO is acting as the identity provider. The default value uas.saml2.metadata.url=@uas.url@/uas/saml2/metadata.xml does not normally need to be modified.
uas.saml2.saml.ap.custid.metadata.urlSAML service provider metadata download URL for saml.ap.custid authentication method in SSO. The default value uas.saml2.saml.ap.custid.metadata.url=@uas.url@/uas/saml2/names/ac/saml.ap.custid/metadata.xml does not normally need to be modified.
ubilogin.homeThis is the path to the location where Ubisecure SSO has been installed.
eidm.urlThis is the publicly visible URL address of your Ubisecure CustomerID installation. The value must not include a path component and must not end with a '/' character. This address must be accessible for all users of this installation. In an installation with front-end reverse proxy servers this address refers to the first front-end server that is accessible from the public network.
eidm.url=https://cid.example.com
proxy.local.url (if proxy is used)In case there is a reverse proxy server acting in front of the Ubisecure CustomerID, proxy.local.url specifies the URL that will be used by the reverse proxy when accessing the Ubisecure CustomerID. In example below, you must configure proxy to listen to eidm.url and forward requests to port 7443 on host1.local
proxy.local.url=https://host1.local:7443/
rest.oauth2.client.uuid

OAuth 2.0 client ID of CustomerID API application CustomerID uses internally to validate OAuth2 access token for REST API and needs to be known by the integrator, see Configuring OAuth2 authentication for REST API. You may leave it empty and one will be generated for you and preserved in future upgrades.

Tip

OAuth2 authentication can be disabled after initial CustomerID setup by clearing either rest.oauth2.client.uuid or rest.oauth2.client.secret or both and running setup again.

rest.oauth2.client.secretOAuth 2.0 client secret of CustomerID API application for REST API OAuth2 authentication CustomerID uses internally to validate OAuth2 access token for REST API but not needed by the integrator. Leave it empty and one will be generated for you and preserved in future upgrades.

rest.oauth2.introspection.url

The SSO introspection URL that OAuth 2.0 client uses to validate OAuth2 access token for REST API.

Default value

rest.oauth2.introspection.url = @uas.url@/uas/oauth2/introspection

This means that by default public address of SSO is accessed as uas.url contains the public address. You might want to specify the internal address of the SSO or the internal address of a single node in a SSO cluster instead. This configuration supports only one address. If you need load balancing for multiple internal SSO addresses then you need to configure a load balancing proxy for them and use that address.

Example:

rest.oauth2.introspection.url = https://node1.sso.example.com:8443/uas/oauth2/introspection
rest.usernameThe username used with REST calls, obsolete in case of OAuth2 based authentication.
rest.passwordThe password used with REST calls, obsolete in case of OAuth2 based authentication.
ldap.principalThe object in LDAP that is used as login object for LDAP connections from Ubisecure CustomerID.
ldap.passwordThe object in LDAP that is used as login object for LDAP connections from Ubisecure CustomerID.
database.hostDefines the host where PostgreSQL is installed. This can be an IP number or fully qualified domain name (FQDN).
database.portDefines the public TCP port of the PostgreSQL server. Default is 5432.
database.nameDefines the name of the database that Ubisecure CustomerID should use from the PostgreSQL server.
database.userDefines a user name that Ubisecure CustomerID should use to connect to PostgreSQL.
database.passwordDefines the connection password for Ubisecure CustomerID database user.
wildfly.homeDefines the folder where WildFly is installed.
wildfly.http.portDefines the TCP port where WildFly listens for unencrypted HTTP connections.
wildfly.https.portDefines the TCP port where WildFly listens for encrypted HTTP connections.
wildfly.ip_addr.masterInternal IP address or hostname of CustomerID master node (disregard if standalone).
wildfly.ip_addr.slaveInternal IP address or hostname of CustomerID slave node (disregard if standalone).
wildfly.slave.passwordIn a HA installation the servers need to authenticate themselves in order to join the domain cluster. This password allows the customerid-slave host to connect to the domain master host.
database.driver.pathDefines the path where scripts can find the PostgreSQL JDBC driver. (If you have followed instructions to the letter, this must be defined to point to ~/customerid.)
database.driver.fileDefines the file name of the actual JDBC database driver library.
keystore.aliasDefines a custom alias for the server's SSL key pair in the certificate key store.
keystore.passwordDefines a password for the key store.
mail.hostThe DNS name or IP address of the mail server.
mail.portThe TCP port of the mail server. Usually 25 for SMTP.
mail.usernameThe user account name used to log on to the mail server. This is an optional field.
mail.password

The password of the user account name used to log on to the mail server. This is configured only in conjunction with mail.username.

Note: if your password contains character "(" you need to escape it with "\\". Example your mail server password is "abTE(kjd12" you need to set mail.password = abTE\\(kjd12

mail.from

The email address to put in the from field of the message.

Notes: You need to escape the "@" character with another "@" character. Example: john.doe@@example.com

mail.sslDefine if SSL should be used when contacting the mail server. Value is either true or empty.

To run Ubisecure CustomerID setup script:

If setup.sh execution does not finish quickly, you will have to check that entropy generation settings are in order. Consult this blog post http://www.usn-it.de/index.php/2009/02/20/oracle-11g-jdbc-driver-hangs-blocked-by-devrandom-entropy-pool-empty/ for more information.

Check entropy level with cat /proc/sys/kernel/random/entropy_avail. Entropy should be over 1000.

Generate the setup configurations from templates by issuing the following commands: 

cd /usr/local/ubisecure/customerid/application
./setup.sh

This web page (including any attachments) may contain confidential, proprietary, or privileged information – not for disclosure without authorization from Ubisecure Inc. Copyright © 2022. All Rights Reserved.