Lab 1.1: Ubisecure IAM Installation
The purpose of this lab is to:
Give a short overview of the installation process of Ubisecure Identity Server
Get familiar with the IAM Academy Managed IAM environment
You have access to your own IAM Academy environment (a Windows Server 2019 virtual machine)
Introduction
During this training you will receive a pre-installed Ubisecure Identity Server environment for your learning purposes. However, knowing the installation process of Ubisecure Identity Server will be very useful in the future when you need to install or upgrade on your own.
In practice, Ubisecure Identity Server is built from two main components: Ubisecure SSO and Ubisecure CustomerID. For both components, Single Node Installation is the simplest possible deployment and will be used for training purposes.
SSO is installed first, as it is a requirement for installing CustomerID.
The following graph shows an overview of the main steps of installing Ubisecure Identity Server:
Ubisecure SSO Installation
Ubisecure CustomerID Installation
IAM Academy environment
Each student has access to a pre-installed IAM Academy environment consisting of the following services:
Ubisecure SSO Management Console
Ubisecure CustomerID Administration Interface
Ubisecure CustomerID Self-service Interface
Ubisecure CustomerID Password reset tool
You will access the environment using your browser on your virtual machine
Connecting to your own virtual machine
Open your browser and load the portal https://iamacademy.ubisecure.com/
Portal | |
User name | StudentX (each student has a different username e.g. Student1) |
Password | ************ (provided by the instructor) |
Once you log in, you will see:
Click the icon to launch the virtual machine in your browser tab.
Changing the keyboard layout on the computer
By default, your computer offers three keyboard layouts. You can view these options from the taskbar:
If your preferred keyboard layout option isn't available on the current list, you can add it by following the instructions below.
Navigate to Windows Settings and choose “Time & Language”.
Click on "Language" and, under "Preferred Languages", select "Add a language."
Choose a language to install.
Now you're ready to start the exercises!
Instructions
Part 1: Getting familiar with Ubisecure SSO Management
Now it's time to get familiar with some basics about SSO management.
Step 1: Sign in to Ubisecure SSO management console
Open the address https://login.smartplan.com:8443/ubilogin in a browser (inside your virtual machine)
Username: system
Password: ***********
Step 2: Change the system user password
On Site Navigator, select site "System"
Select the "Users" tab
Select user "Administrator". Note that the username of the "Administrator" user is system.
Select "Password" and enter a new password of your choice
Verify by logging out and then logging in
Step 3: Create your own administrative user account
On Site Navigator, select site "System"
Select the "Users" tab
At the bottom select "New User"
Enter the fields "Name" and "Username." We suggest using your first name as "username." Don't fill in "Mobile Phone" or any other field.
Check "Enabled" and finally click the "OK" button.
There are still three steps to do:
Enabling Password as an authentication method for the user,
Setting a password, and
Adding the user to the administrators' group
To set a password, first go to the "Methods" tab. Check the authentication method "Password" and finally click the button "Update" at the bottom of the page.
Password is now an enabled authentication method for this user.
Now go back to the Users tab, and click on the "Password" button under "Common Tasks"
Write your password (twice) and click OK. For the duration of this training, use the password "Password1". Once the pop-up disappears, click "Update."
To add the user to the administrators' group, first go to the "Member of" tab. Then click the "Add" button at the bottom of the page. Select the "Administrators" and "Authenticated Users" groups and click the "OK" button.
Log out from the system user.
Now log in with your own administrative user account.
Part 2: Prepare for federation training tasks
To minimise configuration steps, we must enable two settings: one disables backchannel logout flows, which incorrect firewall settings can block, and the other sets the metadata configuration to show the public key within an X.509 certificate.
On the main screen, add SAML 2.0 Compatibility Flags (notice the space between the two flags):
LiteNoBackChannel MetadataCertificate
Once the flags are set, press the "Update" button
Part 3: Manage Ubisecure SSO Services
It's useful to get familiar with the services that Ubisecure SSO runs and how they affect the system. SSO runs two services:
UbiloginDirectory (Active Directory Lightweight Directory Services)
UbiloginServer (Apache Tomcat)
These services restart automatically whenever the system reboots.
When do you need to restart a service?
When changing files that reference new files (new languages, new logos, new templates)
When installing upgrades
Step 1: Restarting Ubisecure SSO Services
There are two ways of restarting the services: via Command Prompt or via the "Services" GUI.
The first way is via the Command Prompt. To open it, type "cmd" in the Search box, and right-click to run as Administrator.
The sequence of commands is:
net stop ubiloginserver
net stop ubilogindirectory
net start ubilogindirectory
net start ubiloginserver
The second way is via the Windows graphical user interface. To launch the "Services" GUI, type "services" in the Search box.
In the following screenshot you can see the two services running:
You must replicate the four steps in the exact order.
Now choose your preferred way, and perform the following tasks in this order:
Stop UbiloginServer
Stop UbiloginDirectory
Start UbiloginDirectory
Start UbiloginServer
Verify that the service is running by logging in.
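The restart sequence above as a PowerShell script that waits for each state change before moving on and then confirms that the SSO port from Part 1 accepts connections. This is an added example, not part of the original lab or Ubisecure's own tooling; the timeouts and the helper name Set-UbiloginServiceState are assumptions, while the service names, host and port are the ones used on this page.

```powershell
#Requires -RunAsAdministrator
# Added example, not Ubisecure tooling. Service names, host and port are taken
# from this lab; the timeouts and the helper name are assumptions.
$ErrorActionPreference = 'Stop'
$stateTimeout = [TimeSpan]::FromSeconds(60)    # assumption: per-service wait
$portDeadline = (Get-Date).AddMinutes(3)       # assumption: Tomcat warm-up budget

function Set-UbiloginServiceState {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet('Running', 'Stopped')][string]$State
    )
    $svc = Get-Service -Name $Name
    if ($svc.Status -ne $State) {
        if ($State -eq 'Stopped') { Stop-Service -Name $Name }
        else                      { Start-Service -Name $Name }
    }
    # Throws a TimeoutException if the state is not reached in time, so a hung
    # stop never lets the next step run out of order.
    $svc.WaitForStatus($State, $stateTimeout)
    $svc.Refresh()
    Write-Host ('{0,-18} {1}' -f $Name, $svc.Status)
}

# Same order as the net stop / net start sequence: Tomcat down first,
# directory down, directory up, Tomcat up last.
Set-UbiloginServiceState -Name 'UbiloginServer'    -State Stopped
Set-UbiloginServiceState -Name 'UbiloginDirectory' -State Stopped
Set-UbiloginServiceState -Name 'UbiloginDirectory' -State Running
Set-UbiloginServiceState -Name 'UbiloginServer'    -State Running

# A service can report Running before Tomcat is listening, so poll the port
# used by the management console URL in Part 1.
do {
    $listening = Test-NetConnection -ComputerName 'login.smartplan.com' -Port 8443 `
        -InformationLevel Quiet -WarningAction SilentlyContinue
    if (-not $listening) { Start-Sleep -Seconds 5 }
} until ($listening -or (Get-Date) -gt $portDeadline)

if (-not $listening) {
    throw 'UbiloginServer reports Running but port 8443 is not accepting connections.'
}
Write-Host 'Port 8443 is accepting connections.'
```

An open port only shows that Tomcat is listening; logging in, as the lab asks, remains the final check.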
Step 2: System User Password Reset
If the "system" user account password has been forgotten, execute the following commands:
system password reset
cd /d C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\ldap
adam\import.cmd system-password.ldif
The "system" user password is reset to the default. Note: Once you log in, you will be forced to change the default password.
Step 3: Disable System User
Security best practice dictates that administrators should always access the system using personally named accounts and any generic accounts should be disabled.
In the Ubisecure SSO management interface, go to Home / System / Users, then select "Administrator." The User object main view will look like this:
Uncheck the "Enabled" status and then click the "Update" button. Now the system user is disabled.
Verify by attempting to log in as the "system" user; the login should now be rejected.