Linux single node installation - SSO
Steps
Enable LDAPS
The easiest way to enable LDAPS for OpenLDAP is to first finish the basic install process for SSO and then enable LDAPS following: Enable ldaps for SSO
Red Hat 9 support
Red Hat 9 requires SSO 9.4 or higher, as SysVinit service support has been deprecated in favour of systemd.
Check Java and set system wide environment variables
Make sure you have Java installed and JAVA_HOME set according to the Installation requirements - SSO.
Unpack the software
Unpack the tar archive to /usr/local/ubisecure.
mkdir -p /usr/local/ubisecure
tar -xzvf sso-x.x.x-unix.tar.gz -C /usr/local/ubisecure
Modify the configuration template
Copy the configuration template to /usr/local/ubisecure/ubilogin-sso/ubilogin:
cd /usr/local/ubisecure/ubilogin-sso/ubilogin
cp config/unix.config .
Open the unix.config file in a text editor. Modify the publicly visible URL address of the Ubisecure deployment, which is set with the key uas.url. The installation is only accessible from the local machine if the value is set to localhost. The resulting line for uas.url might look like the following:
uas.url = https://sso.example.com:8443
Example of modified Accounting Service related settings:
accounting.url = https://manage.example.com
accounting.proxy.local.url = https://localhost:8442
accounting.datasource.url = jdbc:postgresql://databasehost:5432/accountingdb
accounting.datasource.username = accounting_user
accounting.datasource.password = Wsop%6deE65-_ftl+tY
Create the configuration files
Create the configuration files with the setup.sh script.
./setup.sh
New LDAP passwords are generated every time the setup command is executed. For this reason, the secrets.ldif file must be imported into the LDAP directory after running the setup script. After this, the Tomcat update script must be run so that the applications use the new passwords. See Applications upgrade - SSO for more details about the update process.
Install and prepare PostgreSQL
Since SSO version 8.4, with the Accounting Service feature, access to a PostgreSQL database is required for the service to run. If you have already installed Ubisecure CustomerID you can use the existing PostgreSQL installation, but you need to create a specific database for this purpose. The necessary tables are automatically created during the initial startup of the Accounting Service.
See PostgreSQL preparation on Linux for more information and the steps to perform.
Configure Accounting Service
Before continuing with the installation, which will start the Accounting Service, you need to enter and save the secret key contents in the location referred to by accounting.secret-key-location in unix.config. See Accounting Service security about the usage of the key for pseudonymisation. That page contains a suggested script to create a sufficiently secure secret in the default location.
You may also customise other Accounting Service configuration settings for your needs, which is recommended. See Accounting Service additional configuration about the properties to set.
When customising, edit this file, which is copied from the installation package by the setup script: /usr/local/ubisecure/ubilogin-sso/ubilogin/custom/accounting/config/application.yaml
If the file is not present, copy the default file from this directory: /usr/local/ubisecure/ubilogin-sso/ubilogin/config/accounting/config/
Install Ubisecure Directory
The libxcrypt-compat package must be installed when using OpenLDAP on RHEL 9 based Linux distributions.
Install OpenLDAP using the following command:
cd /usr/local/ubisecure/ubilogin-sso/ubilogin
./ldap/openldap/install.sh
Since 8.4, the installation script creates and configures a site named Accounting under the System site, with an OAuth 2.0 application named Accounting. This application is needed for the secured endpoints to access Accounting Service data. The application is allowed to a group named Accounting Users. The System Administrator user is added to this group by default, but you can configure the users otherwise once Ubisecure SSO is running; see SSO Management UI Groups.
If the OpenLDAP install script prompts for LDAP Password, type secret and press return.
When using LDAPS, cacert.pem, the server certificate and the server certificate key need to be located at /usr/local/ubisecure/ubilogin-sso/openldap/etc/openldap/, and TLSCACertificateFile, TLSCertificateFile and TLSCertificateKeyFile need to be uncommented in slapd.conf.
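A pre-flight check covering the unix.config settings (uas.url, accounting.secret-key-location) and the slapd.conf TLS directives described above. This is an added example, not a script from the Ubisecure documentation; the helper names, the temporary sample files and their contents are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the Ubisecure documentation. Pre-flight checks for
# the settings discussed above; file layout and helper names are assumptions.

# Print the value of "key = value" in unix.config ($1 = file, $2 = key regex).
config_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Check unix.config ($1) and slapd.conf ($2). Returns 0 when everything passes.
check_sso_config() {
  rc=0
  url=$(config_value "$1" 'uas\.url')
  case "$url" in
    ''|*localhost*) echo "uas.url unset or localhost (not reachable remotely): '$url'"; rc=1 ;;
    https://*) ;;
    *) echo "uas.url is not an https URL: '$url'"; rc=1 ;;
  esac
  keyfile=$(config_value "$1" 'accounting\.secret-key-location')
  if [ -z "$keyfile" ] || [ ! -s "$keyfile" ]; then
    echo "accounting secret key missing or empty: '${keyfile:-<unset>}'"; rc=1
  fi
  # LDAPS needs all three TLS directives active (uncommented) in slapd.conf.
  for d in TLSCACertificateFile TLSCertificateFile TLSCertificateKeyFile; do
    grep -q "^$d[[:space:]]" "$2" || { echo "$d is commented out or absent"; rc=1; }
  done
  return $rc
}

# Constructed sample files in a temp dir; the real ones live under
# /usr/local/ubisecure/ubilogin-sso/.
TMP=$(mktemp -d)
printf 'placeholder-secret\n' > "$TMP/secret.key"
cat > "$TMP/good.config" <<EOF
uas.url = https://sso.example.com:8443
accounting.secret-key-location = $TMP/secret.key
EOF
cat > "$TMP/bad.config" <<EOF
uas.url = https://localhost:8443
accounting.secret-key-location = $TMP/missing.key
EOF
printf 'TLSCACertificateFile %s/cacert.pem\nTLSCertificateFile %s/server.pem\nTLSCertificateKeyFile %s/server.key\n' "$TMP" "$TMP" "$TMP" > "$TMP/slapd.good"
printf 'TLSCACertificateFile %s/cacert.pem\n#TLSCertificateFile %s/server.pem\n#TLSCertificateKeyFile %s/server.key\n' "$TMP" "$TMP" "$TMP" > "$TMP/slapd.bad"

check_sso_config "$TMP/good.config" "$TMP/slapd.good" && echo "good: all checks passed"
check_sso_config "$TMP/bad.config"  "$TMP/slapd.bad"  || echo "bad: findings reported above"
```

Point the two arguments at the real unix.config and slapd.conf to run the same checks on an actual installation.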
Install Ubisecure SSO Tomcat and Accounting Service
Run the Tomcat install script to install and configure Tomcat to start automatically when Linux is started. Since version 8.4 the Accounting Service is also installed as such a service.
./config/tomcat/install.sh
The install script does the following:
- Creates a self-signed SSL certificate for test purposes with the configured host name as the subject DN (a.k.a. owner).
- Installs the applications in ubilogin/webapps for Tomcat.
- Creates the init scripts used to start and stop the Tomcat process.
- Copies the Accounting Service configuration settings to the /accounting/config directory.
- Creates the init scripts used to start and stop the Accounting Service process.
Start Accounting Service
Start the Ubisecure Accounting service using the following command.
systemctl start ubisecure-accounting
- On the first start, the necessary database tables are created in your database.
- If you are doing the initial Accounting Service installation and the service does not start, you may need to change the Accounting Service related settings in the unix.config file before continuing. See Change configuration settings during installation process in Linux. See also Troubleshooting Accounting Service.
The Accounting Service should always be running before SSO is started; otherwise the SSO log will fill with errors, although SSO keeps running as long as there is enough disk space. SSO can recover from an Accounting Service restart without needing a restart itself.
Start Ubisecure SSO
Start the Ubisecure SSO process using the following commands.
systemctl start ubilogin-directory
systemctl start ubilogin-server
Continue on page Installation finalisation to finalise and verify the installation.
This web page (including any attachments) may contain confidential, proprietary, or privileged information – not for disclosure without authorization from Ubisecure Inc. Copyright © 2024. All Rights Reserved.