Linux single node installation - SSO

Steps

When following the instructions in this manual, it is advisable to type the commands manually instead of copying and pasting them, because characters are sometimes lost or modified in the copying process.

Enable LDAPS

The easiest way to enable LDAPS for OpenLDAP is to first finish the basic SSO installation described on this page and then enable LDAPS by following Enable ldaps for SSO.

Check Java and set system wide environment variables

Make sure you have Java installed and JAVA_HOME set according to the Installation requirements - SSO.

Unpack the software

Unpack the tar archive to /usr/local/ubisecure.

mkdir -p /usr/local/ubisecure
tar -xzvf sso-x.x.x-unix.tar.gz -C /usr/local/ubisecure

Install dependencies

The Linux Standard Base package is needed by the sysVinit scripts (the /etc/init.d scripts) that the installation creates:

yum install lsb

Modify the configuration template

Copy the configuration template to /usr/local/ubisecure/ubilogin-sso/ubilogin:

cd /usr/local/ubisecure/ubilogin-sso/ubilogin
cp config/unix.config .

Open the unix.config file in a text editor. Set the publicly visible URL of the Ubisecure deployment with the key uas.url. If the value is left as localhost, the installation is only accessible from the local machine. The resulting line for uas.url might look like the following:

uas.url = https://sso.example.com:8443
Before saving the changes, also modify the Accounting Service related settings.

Example of modified Accounting Service related settings (all values, including the password, are examples; use your own):

accounting.url = https://manage.example.com
accounting.proxy.local.url = https://localhost:8442
accounting.datasource.url = jdbc:postgresql://databasehost:5432/accountingdb
accounting.datasource.username = accounting_user
accounting.datasource.password = Wsop%6deE65-_ftl+tY

Do not reuse the example password. Because unix.config then holds the database password in clear text, restrict the file so that only its owner can read it.
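The following script is an added example and is not part of the Ubisecure documentation or product. It maintains the keys listed above in unix.config without duplicating lines, checks that the values are deployable (https URLs, uas.url not pointing at localhost, a PostgreSQL JDBC URL, a password that is neither empty nor the documentation example) and then restricts the file to its owner. The host names are placeholders, and reading the database password from the environment variable ACCOUNTING_DB_PASSWORD is this example's own convention, chosen so that the password does not end up in shell history.

```shell
#!/bin/sh
# Added example (not Ubisecure code): maintain and sanity-check unix.config
# before running setup.sh. Host names are placeholders.

# Turn a property key such as uas.url into a literal regex (dots escaped).
key_re() { printf '%s' "$1" | sed 's/\./\\./g'; }

# set_key FILE KEY VALUE: rewrite an existing "KEY = ..." line or append one.
# The file is rewritten in place through cat so its mode and owner survive.
set_key() {
    file=$1 key=$2 value=$3
    if grep -q "^$(key_re "$key")[[:space:]]*=" "$file"; then
        # escape the characters that are special on the sed replacement side
        esc=$(printf '%s' "$value" | sed 's/[&|\\]/\\&/g')
        tmp=$(mktemp)
        sed "s|^$(key_re "$key")[[:space:]]*=.*|$key = $esc|" "$file" > "$tmp"
        cat "$tmp" > "$file" && rm -f "$tmp"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_key FILE KEY: print the value of KEY (last occurrence wins), or nothing.
get_key() {
    sed -n "s/^$(key_re "$2")[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# check_config FILE: return 0 when the values are deployable, otherwise
# report every problem on stderr and return 1.
check_config() {
    file=$1 rc=0
    for k in uas.url accounting.url accounting.proxy.local.url; do
        v=$(get_key "$file" "$k")
        case $v in
            https://*) ;;
            *) echo "$k must be an https:// URL, got '$v'" >&2; rc=1 ;;
        esac
    done
    case $(get_key "$file" uas.url) in
        https://localhost|https://localhost:*|https://localhost/*|https://127.0.0.1|https://127.0.0.1:*|https://127.0.0.1/*)
            echo "uas.url points at localhost; SSO would only be reachable locally" >&2; rc=1 ;;
    esac
    case $(get_key "$file" accounting.datasource.url) in
        jdbc:postgresql://*) ;;
        *) echo "accounting.datasource.url must be a jdbc:postgresql:// URL" >&2; rc=1 ;;
    esac
    pw=$(get_key "$file" accounting.datasource.password)
    if [ -z "$pw" ] || [ "$pw" = 'Wsop%6deE65-_ftl+tY' ]; then
        echo "accounting.datasource.password is empty or the documentation example" >&2; rc=1
    fi
    return $rc
}

# lock_down FILE: the file holds the database password in clear text, so
# make it readable by its owner only.
lock_down() { chmod 600 "$1"; }

# Usage: ACCOUNTING_DB_PASSWORD=... sh unixconfig.sh /usr/local/ubisecure/ubilogin-sso/ubilogin/unix.config
main() {
    cfg=$1
    set_key "$cfg" uas.url https://sso.example.com:8443
    set_key "$cfg" accounting.url https://manage.example.com
    set_key "$cfg" accounting.proxy.local.url https://localhost:8442
    set_key "$cfg" accounting.datasource.url jdbc:postgresql://databasehost:5432/accountingdb
    set_key "$cfg" accounting.datasource.username accounting_user
    set_key "$cfg" accounting.datasource.password "${ACCOUNTING_DB_PASSWORD:?set ACCOUNTING_DB_PASSWORD}"
    check_config "$cfg" && lock_down "$cfg"
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run the script with the path to unix.config as its only argument; it exits non-zero and leaves the file world-readable only if a check fails, so the failure is visible before setup.sh is run.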

Create the configuration files

Create the configuration files with the setup.sh script.

./setup.sh

New LDAP passwords are generated every time the setup command is executed. For this reason, the secrets.ldif file must be imported into the LDAP directory after each run of the setup script, and after that the Tomcat update script must be run so that the applications use the new passwords. See Applications upgrade - SSO for more details about the update process.

Install and prepare PostgreSQL

Since SSO version 8.4, which introduced the Accounting Service feature, access to a PostgreSQL database is required for the service to run. If you have already installed Ubisecure CustomerID, you can use the existing PostgreSQL installation, but you need to create a dedicated database for this purpose. The necessary tables are created automatically during the initial startup of the Accounting Service.

See PostgreSQL preparation on Linux for more information and the steps to accomplish this.

Configure Accounting Service

Before continuing with the installation, which will start the Accounting Service, you need to create and save the secret key in the location referred to by accounting.secret-key-location in unix.config. See Accounting Service security about the usage of the key for pseudonymisation. That page contains a suggested script for creating a sufficiently strong secret in the default location.

You may also customise the other Accounting Service configuration settings for your needs, which is recommended. See Accounting Service additional configuration for the properties to set.

When customising, edit this file, which the setup script copies from the installation package: /usr/local/ubisecure/ubilogin-sso/ubilogin/custom/accounting/config/application.yaml

If the file is not present, copy the default file from this directory: /usr/local/ubisecure/ubilogin-sso/ubilogin/config/accounting/config/

Install Ubisecure Directory

Install OpenLDAP using the following commands:

cd /usr/local/ubisecure/ubilogin-sso/ubilogin
./ldap/openldap/install.sh

Since 8.4 the installation script creates and configures a site named Accounting under the System site, with an OAuth 2.0 application named Accounting. This application is needed for the secured endpoints to access Accounting Service data. The application is allowed for a group named Accounting Users. The System Administrator user is added to this group by default, but you can change the membership once Ubisecure SSO is running; see SSO Management UI Groups.

If the OpenLDAP install script prompts for an LDAP Password, type secret and press return.

On Red Hat 7 the install.sh script fails.

As a workaround, start OpenLDAP from a shell by executing:

./start.sh

After OpenLDAP has started, open a new shell and execute the following commands in this order:

./import.sh ../cnroot.ldif
./import.sh ../uas.ldif
./import.sh ../secrets.ldif
./import.sh ../system-password.ldif
./import.sh groups.ldif

After the imports have finished, stop the OpenLDAP instance running in the other shell.

When using LDAPS, cacert.pem, the server certificate and the server certificate key need to be located in /usr/local/ubisecure/ubilogin-sso/openldap/etc/openldap/, and the TLSCACertificateFile, TLSCertificateFile and TLSCertificateKeyFile directives need to be uncommented in slapd.conf. Make sure the key file is readable only by the account that runs slapd.

Install Ubisecure SSO Tomcat and Accounting Service

Run the Tomcat install script to install Tomcat and configure it to start automatically when Linux starts. Since version 8.4 the script also installs the Accounting Service as a system service.

./config/tomcat/install.sh

The install script does the following:

  1. Creates a self-signed TLS certificate for test purposes, with the configured host name as the subject DN (owner). Replace it with a certificate issued by a trusted CA before production use.
  2. Installs the applications in ubilogin/webapps for Tomcat.
  3. Creates the init scripts used to start and stop the Tomcat process.
  4. Copies the Accounting Service configuration settings to /accounting/config directory.
  5. Creates the init scripts used to start and stop the Accounting Service process.

Start Accounting Service

Start the Ubisecure Accounting Service using the following command:

systemctl start ubisecure-accounting

  1. On the first start, the necessary database tables are created in your database.
  2. If you are doing the initial Accounting Service installation and the service does not start, you may need to change the Accounting Service related settings in the unix.config file before continuing; see Change configuration settings during installation process in Linux. See also Troubleshooting Accounting Service.

The Accounting Service should always be running before SSO is started; otherwise the SSO log fills with errors, although SSO keeps running as long as there is enough disk space. SSO recovers from a restart of the Accounting Service without being restarted itself.

Start Ubisecure SSO

Start the Ubisecure SSO processes using the following commands:

systemctl start ubilogin-directory
systemctl start ubilogin-server

Continue on page Installation finalisation to finalise and verify the installation.