Enable ldaps for SSO
Make sure you have working SSO install before applying these configurations
Enable SSL for LDAP
This example is done with self-signed certificate. It is always better to use publicly trusted certificate here.
Become root:
sudo su -
Stop any IDS applications that is running in all instances:
systemctl stop wildfly.service
systemctl stop ubilogin-server.service
systemctl stop ubilogin-directory.service
Create new self-signed certificate chain:
# Create a temporary directory for certificate creation (name does not matter)
mkdir ~/ssl_cert
cd ~/ssl_cert
# Create certificate authority
openssl req -x509 \
-sha512 \
-days 3650 \
-nodes \
-newkey rsa:4096 \
-subj "/CN=localhost/C=FI/L=Espoo" \
-keyout cakey.pem -out cacert.pem
# Create server private key
openssl genrsa -out serverkey.pem 4096
# Generate certificate signging request
cat << EOF > servercsr.cnf
[ req ]
default_bits = 4096
prompt = no
default_md = sha512
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C = FI
ST = Uusimaa
L = Espoo
O = Ubisecure Oy
OU = Engineering
CN = localhost
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = localhost
DNS.2 = $(hostname -s)
DNS.3 = $(hostname -f)
EOF
# Generate certificate signing request with previously created private key
openssl req \
-new \
-key serverkey.pem \
-out servercsr.pem \
-config servercsr.cnf
# Generate external certificate configuration
cat << EOF > cert.conf
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = $(hostname -s)
DNS.3 = $(hostname -f)
EOF
# Generate SSL certificate With self signed CA
openssl x509 -req \
-in servercsr.pem \
-CA cacert.pem \
-CAkey cakey.pem \
-CAcreateserial \
-out servercert.pem \
-days 3650 \
-sha512 \
-extfile \
cert.conf
# View generated cert
openssl x509 -noout -in servercert.pem -text
Check that you do not have the certificate imported to cacerts:
Import the newly generated certificate to SSO Tomcat:
Check cacerts after import:
Result after the import:
Change ownership for generated files:
Change unix.config
so that it will use ldaps://
instead of ldap://
as a connection:
Result should be something like this:
Once done, run SSO setup.sh
again:
Once done, edit slapd.conf
before updating LDAP configuration:
If any errors occurs, one can always run setup.sh
again to reverse below changes to original defaults.
Reconfigure LDAP:
Update SSO configurations:
Restart services:
Â
This web page (including any attachments) may contain confidential, proprietary, or privileged information – not for disclosure without authorization from Ubisecure Inc. Copyright © 2024. All Rights Reserved.