Change hostname of Ubisecure SSO
Step-by-step guide
Edit the win32.config / unix.config file in the …\ubilogin-sso\ubilogin directory. The following changes are mandatory. In the following example the original address was localhost:8443.
uas.url=https\://localhost\:8443 change to -> uas.url=https\://new_address.com\:9443
ubilogin.url=@uas.url@
logviewer.url=@ubilogin.url@
search.url=@ubilogin.url@
password.url=@uas.url@
ldap.url=ldap\://localhost\:389
suffix = cn=Ubilogin,@uas.url.host.dn@ change to -> suffix=cn\=Ubilogin,dc\=localhost (*
password.encoding=
(* In this example, localhost is the original address that was used during the initial installation. This could be different in your environment.
- Open the server.xml file in the …\ubilogin-sso\ubilogin\custom\tomcat folder on Windows or the /usr/local/ubisecure/ubilogin-sso/ubilogin/custom/tomcat directory on Linux.
Change the old address and port in server.xml.
server.xml
<Server port="-1">
  <Service name="SSO">
    <Connector port="9443" scheme="https" secure="true"
               proxyName="new_address.com" proxyPort="9443"
               maxThreads="150" protocol="HTTP/1.1"
               useBodyEncodingForURI="true" maxHttpHeaderSize="65536"
               SSLEnabled="true" sslProtocol="TLS" clientAuth="false"
               keystoreFile="C:\Program Files\Ubisecure\ubilogin-sso\ubilogin/custom/tomcat/keystore.pfx"
               keystorePass="changeit" keystoreType="PKCS12" />
    <Engine name="SSO" defaultHost="new_address.com">
      <Host name="new_address.com" appBase="404" unpackWARs="false" autoDeploy="false">
- Save the files, open the command prompt as Administrator, and run setup.cmd in that same directory (…\ubilogin-sso\ubilogin).
Import new Ubisecure SSO application secrets to LDAP
Import SSO application secrets on Windows
cd /d "C:\ubisecure\ubilogin-sso\ubilogin"
ldap\adam\import.cmd ldap\secrets.ldif
Import SSO application secrets on Linux
cd /usr/local/ubisecure/ubilogin-sso/ubilogin
./ldap/openldap/import.sh ldap/secrets.ldif
Deploy Ubisecure SSO applications to Tomcat on Windows
Deploy SSO applications to Tomcat on Windows
..\ubilogin-sso\ubilogin\config\tomcat\update.cmd
Deploy SSO applications to Tomcat on Linux
./../ubilogin-sso/ubilogin/config/tomcat/update.sh
- Ubisecure SSO is now working with the new address/port. The Ubisecure SSO metadata has changed. Make sure the new metadata is updated in all integrated applications.
Note
The LDAP suffix can be found in file C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\webapps\uas\WEB-INF\jndi.properties:
java.naming.security.principal = cn=Server,ou=System,cn=Ubilogin,dc=login,dc=localhost,dc=com
Copy it starting at "cn=Ubilogin" to win32.config:
suffix=cn=Ubilogin,dc=login,dc=localhost,dc=com
Update accounting.url
For additional information, see the configuration instructions:
https://ubisecuredev.atlassian.net/wiki/display/IDS20181/Configuration+and+setup+application+to+create+configurations+-+SSO
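The following check is an added example, not part of the original guide or of Ubisecure's tooling: it compares the host and port of uas.url with the values in server.xml, and the configured suffix with the principal from jndi.properties. The sample inputs are constructed from the excerpts above; the function names are hypothetical, and it assumes, as in the guide's example, that proxyName, proxyPort, defaultHost and Host name all follow uas.url.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample inputs modelled on the excerpts above (closing tags added).
CONFIG = r"""
uas.url=https\://new_address.com\:9443
ubilogin.url=@uas.url@
ldap.url=ldap\://localhost\:389
suffix=cn\=Ubilogin,dc\=localhost
"""
SERVER_XML = """<Server port="-1"><Service name="SSO">
  <Connector port="9443" scheme="https" proxyName="new_address.com" proxyPort="9443"/>
  <Engine name="SSO" defaultHost="new_address.com">
    <Host name="new_address.com" appBase="404"/>
  </Engine>
</Service></Server>"""
PRINCIPAL = "cn=Server,ou=System,cn=Ubilogin,dc=localhost"  # value from jndi.properties

def load_properties(text):
    """Read key=value lines and undo the backslash escapes (\\: and \\=)."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            props[key.strip()] = re.sub(r"\\(.)", r"\1", value.strip())
    return props

def check_hostname_change(config_text, server_xml_text, jndi_principal):
    """Return a list of mismatches; an empty list means the files agree."""
    props = load_properties(config_text)
    url = urlsplit(props["uas.url"])
    service = ET.fromstring(server_xml_text).find("Service")
    connector, engine = service.find("Connector"), service.find("Engine")
    checks = [
        ("Connector proxyName", connector.get("proxyName"), url.hostname),
        ("Connector proxyPort", connector.get("proxyPort"), str(url.port)),
        ("Engine defaultHost", engine.get("defaultHost"), url.hostname),
        ("Host name", engine.find("Host").get("name"), url.hostname),
        # The suffix must stay the one the directory was installed with.
        ("suffix", props.get("suffix"),
         jndi_principal[jndi_principal.index("cn=Ubilogin"):]),
    ]
    return [f"{name}: found {got!r}, expected {want!r}"
            for name, got, want in checks if got != want]

if __name__ == "__main__":
    for finding in check_hostname_change(CONFIG, SERVER_XML, PRINCIPAL):
        print(finding)
```

Run it against the real files before setup.cmd; a suffix still set to the @uas.url.host.dn@ macro is reported as a mismatch.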
If you are using a self-signed TLS certificate, generate a new self-signed certificate for the new host name as follows.
Delete old keystore
cd "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\custom\tomcat"
ren keystore.pfx keystore-old.pfx
Create new keystore
cd "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin"
config\tomcat\cert.cmd
Creating login.newplan.com keystore "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\custom\tomcat\keystore.pfx
Update Tomcat
config\tomcat\update.cmd
The UbiloginServer service is stopping.
The UbiloginServer service was stopped successfully.
1 File(s) copied
1 file(s) copied.
840 File(s) copied
The UbiloginServer service is starting.
The UbiloginServer service was started successfully.
Ubilogin Server updated at https://login.newplan.com:8445/ubilogin/
Delete old certificate from Java cacerts
"%JRE_HOME%\bin\keytool" -delete -keystore "%JRE_HOME%"\lib\security\cacerts -storepass changeit -alias ubisecure-sso-servercert
Add new certificate to Java cacerts
"%JRE_HOME%\bin\keytool.exe" -exportcert -keystore "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\custom\tomcat\keystore.pfx" -alias tomcat -storepass changeit | "%JRE_HOME%\bin\keytool" -importcert -keystore "%JRE_HOME%"\lib\security\cacerts -storepass changeit -alias ubisecure-sso-servercert -noprompt
Certificate was added to keystore
If you have a CA-signed certificate, do the following after running setup; otherwise server.xml will be overwritten:
- Copy your pfx file to C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\custom\tomcat
Edit C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\config\tomcat\conf\server.xml
keystoreFile="C:\Program Files\Ubisecure\ubilogin-sso\ubilogin/custom/tomcat/mycert.pfx"
keystorePass="mypassword" keystoreType="PKCS12"
Add certificate to cacerts
- First find out the alias (te-2b10b1e8-5fde-4e95-976b-fcd293bc87a8 below)
C:\Program Files\Ubisecure\ubilogin-sso\ubilogin>"%JRE_HOME%\bin\keytool.exe" -list -keystore "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\custom\tomcat\ubidemo.pfx" -storepass <Enter password>
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
te-2b10b1e8-5fde-4e95-976b-fcd293bc87a8, Sep 2, 2021, PrivateKeyEntry,
Certificate fingerprint (SHA1): EF:CB:21:BB:07:13:A7:BE:C6:0C:24:03:0A:18:C6:60:78:B8:5E:27
- Then add to cacerts
C:\Program Files\Ubisecure\ubilogin-sso\ubilogin>"%JRE_HOME%\bin\keytool.exe" -exportcert -keystore "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\custom\tomcat\ubidemo.pfx" -alias te-2b10b1e8-5fde-4e95-976b-fcd293bc87a8 -storepass <Enter password> | "%JRE_HOME%\bin\keytool" -importcert -keystore "%JRE_HOME%"\lib\security\cacerts -storepass changeit -alias ubisecure-sso-servercert -noprompt
Certificate was added to keystore
- Run tomcat update
- Change login page links if any
Note
All OIDC and SAML integrations need new metadata / configuration if the host name was changed.