Disable unused SSO server components

Good security practice is to disable any unused server functionalities. Some services are disabled already by default after installation.

This guide shows how to disable more server functionalities. In this example, search and logviewer will be disabled.

Step-by-step guide

To disable unused SSO server components

Check if you are already using a customised Tomcat configuration - is there a file called server.xml in the directory ubilogin-sso\ubilogin\custom\tomcat ? If not, copy the currently used version as a base:

Windows

copy C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\config\tomcat\conf\server.xml C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\custom\tomcat

Linux

cp /usr/local/ubisecure/ubilogin-sso/ubilogin/config/tomcat/conf/server.xml /usr/local/ubisecure/ubilogin-sso/ubilogin/custom/tomcat

Modify only the relevant lines of server.xml file in C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\custom\tomcat or /usr/local/ubisecure/ubilogin-sso/ubilogin/custom/tomcat by commenting out the unused applications:

Before: Logviewer and Search are enabled

<Context docBase="${catalina.base}/webapps/logviewer" path="/logviewer"/>
<Context docBase="${catalina.base}/webapps/search" path="/search"/>

After: Logviewer and Search are disabled

<!-- <Context docBase="${catalina.base}/webapps/logviewer" path="/logviewer"/> -->
<!-- <Context docBase="${catalina.base}/webapps/search" path="/search"/> -->

After saving, apply the application server configuration changes by executing update.cmd as follows.

Windows

cd /d C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\config\tomcat\
update.cmd

The server will be restarted automatically.

Linux

cd usr/local/ubisecure/ubilogin-sso/ubilogin/custom/tomcat
/etc/init.d/ubilogin-server stop
./update.sh
/etc/init.d/ubilogin-server start

In a clustered environment, this change must be performed sequentially on each server node.

Knowledge Base

Disable unused SSO server components

Step-by-step guide

Related articles