Enable ldaps for SSO
Make sure you have a working SSO installation before applying these configurations.
Enable SSL for LDAP
This example uses a self-signed certificate. A certificate from a publicly trusted CA is always preferable here.
Become root:
sudo su -
Stop any IDS applications that are running, on all instances:
systemctl stop wildfly.service
systemctl stop ubilogin-server.service
systemctl stop ubilogin-directory.service
Create new self-signed certificate chain:
# Create a temporary directory for certificate creation (name does not matter)
mkdir ~/ssl_cert
cd ~/ssl_cert
# Create certificate authority
openssl req -x509 \
-sha512 \
-days 3650 \
-nodes \
-newkey rsa:4096 \
-subj "/CN=localhost/C=FI/L=Espoo" \
-keyout cakey.pem -out cacert.pem
# Create server private key
openssl genrsa -out serverkey.pem 4096
# Generate certificate signing request configuration
cat << EOF > servercsr.cnf
[ req ]
default_bits = 4096
prompt = no
default_md = sha512
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C = FI
ST = Uusimaa
L = Espoo
O = Ubisecure Oy
OU = Engineering
CN = localhost
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = localhost
DNS.2 = $(hostname -s)
DNS.3 = $(hostname -f)
EOF
# Generate certificate signing request with previously created private key
openssl req \
-new \
-key serverkey.pem \
-out servercsr.pem \
-config servercsr.cnf
# Generate external certificate configuration
cat << EOF > cert.conf
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = $(hostname -s)
DNS.3 = $(hostname -f)
EOF
# Generate the server certificate, signed with the self-signed CA
openssl x509 -req \
-in servercsr.pem \
-CA cacert.pem \
-CAkey cakey.pem \
-CAcreateserial \
-out servercert.pem \
-days 3650 \
-sha512 \
-extfile cert.conf
# View generated cert
openssl x509 -noout -in servercert.pem -text
Check that the certificate is not already imported into cacerts:
Import the newly generated certificate to SSO Tomcat:
Check cacerts after import:
Result after the import:
Change ownership for generated files:
Change unix.config so that it uses ldaps:// instead of ldap:// as the connection:
Result should be something like this:
Once done, run SSO setup.sh again:
Once done, edit slapd.conf before updating the LDAP configuration:
If any errors occur, you can always run setup.sh again to revert the changes below to the original defaults.
Reconfigure LDAP:
Update SSO configurations:
Restart services:
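The following script is an added example and is not part of the Ubisecure SSO documentation or product. It repeats the certificate generation above in a scratch directory, then does the checks a practitioner wants around the "check cacerts" step and after the final restart: offline verification that the server certificate chains to the CA and names the LDAP host in its subjectAltName, a lookup for a stale alias in a Java truststore, and a strict TLS probe of the LDAPS port. The truststore path and password you pass in, the alias name, port 636, and the 2048-bit keys (the page uses 4096) are assumptions of this example, not product settings.

```shell
#!/bin/sh
# Added example (not from the Ubisecure SSO page): build and verify an LDAPS
# certificate chain, check a Java truststore, and probe the LDAPS endpoint.
# Assumptions: truststore path/password are passed by the caller, the alias
# name is "sso-ldaps", LDAPS listens on 636, keys are 2048-bit for speed.
set -eu

# make_chain DIR HOST: create cakey.pem/cacert.pem and serverkey.pem/
# servercert.pem in DIR. The leaf carries DNS:localhost and DNS:HOST.
make_chain() {
    dir="$1"; host="$2"
    mkdir -p "$dir"
    # CA config: explicit CA:TRUE so 'openssl verify' accepts it as a root
    cat > "$dir/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = Example LDAP CA
C = FI
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -sha512 -days 3650 -nodes -newkey rsa:2048 \
        -config "$dir/ca.cnf" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    openssl genrsa -out "$dir/serverkey.pem" 2048 2>/dev/null
    # Leaf extensions: not a CA, TLS server usage, SAN with the LDAP host name
    cat > "$dir/ext.cnf" <<EOF
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost, DNS:$host
EOF
    openssl req -new -key "$dir/serverkey.pem" -subj "/CN=$host" \
        -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -days 3650 -sha512 -extfile "$dir/ext.cnf" \
        -out "$dir/servercert.pem" 2>/dev/null
}

# verify_chain DIR HOST: print "ok" and return 0 only if servercert.pem
# validates against cacert.pem AND lists HOST in its subjectAltName.
# A certificate failing either check should not be imported into cacerts.
verify_chain() {
    dir="$1"; host="$2"
    openssl verify -CAfile "$dir/cacert.pem" "$dir/servercert.pem" \
        >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/servercert.pem" -noout -text 2>/dev/null \
        | grep -q "DNS:$host" || return 1
    echo ok
}

# truststore_has_alias STORE PASSWORD ALIAS: return 0 if ALIAS already exists
# in the Java truststore (the "check cacerts before import" step), else 1.
# "changeit" is the JDK default cacerts password; the store path is site-specific.
truststore_has_alias() {
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# check_ldaps HOST CAFILE: open TLS to HOST:636 trusting only CAFILE and fail
# if the chain or the host name does not verify. Run after the restart on ldaps://.
check_ldaps() {
    openssl s_client -connect "$1:636" -servername "$1" -verify_hostname "$1" \
        -CAfile "$2" -verify_return_error </dev/null >/dev/null 2>&1
}

# Stand-alone run: "sh this.sh demo" builds and verifies a chain for this host.
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_chain "$work" "$(hostname -f)"
    verify_chain "$work" "$(hostname -f)"
    rm -rf "$work"
fi
```

After importing into the Tomcat truststore, `truststore_has_alias /path/to/cacerts changeit sso-ldaps` confirms the alias is present, and once the services are back up `check_ldaps "$(hostname -f)" cacert.pem` fails unless the LDAP server presents a certificate that chains to the generated CA and matches the host name, which is exactly the check the SSO side performs when it connects over ldaps://.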