Change the hostname of a CustomerID installation

Tested with CustomerID 5.3.5

During the initial testing of Ubisecure CustomerID, it is often necessary to change the hostname of a working system. It can be done quite simply as described below.

Note: host name changes should never be done on a production system after it has gone live.

If the hostname of a Ubisecure CustomerID installation needs to be changed, it can be done following the steps below:

Step-by-step guide

On Windows:

  1. Stop Ubisecure CustomerID

    net stop wildfly
  2. Edit win32.config (in the example below, login.smartplan.com -> login.newplan.com)

    cd "C:\Program Files\Ubisecure\customerid\application"
    copy win32.config win32.config-old
    notepad win32.config

    Example:

    # Ubisecure SSO URL (from Ubisecure SSO win32.config)
    uas.url=https\://login.newplan.com\:8445

    # Ubisecure SSO installation path
    ubilogin.home=C\:\\Program Files\\Ubisecure\\ubilogin-sso\\ubilogin

    # The public visible URL address of Ubisecure CustomerID without path
    eidm.url=https\://login.newplan.com\:7445

    # The local listen address of Ubisecure CustomerID if reverse proxy server is used
    proxy.local.url=@eidm.url@

    ...

    #ldap.suffix=cn\=Ubilogin,@uas.url.host.dn@
    ldap.suffix=cn\=Ubilogin,dc=login,dc=smartplan,dc=com
  3. Run setup

    cd "C:\Program Files\Ubisecure\customerid\application"
    setup.cmd
    C:\Program Files\Ubisecure\customerid\application\config\settings.cmd
    C:\Program Files\Ubisecure\customerid\application\custom\eidm2_generated.properties
    C:\Program Files\Ubisecure\customerid\application\custom\jndi.properties
    C:\Program Files\Ubisecure\customerid\application\ldap\customerid-adlds.ldif
    C:\Program Files\Ubisecure\customerid\application\ldap\customerid-secrets.ldif
    C:\Program Files\Ubisecure\customerid\application\ldap\customerid.ldif
  4. Edit WildFly config

    cd "C:\Program Files\wildfly-14.0.1.Final\standalone\configuration"
    notepad standalone.xml

    Example:

    <host name="default-host" alias="localhost,login.newplan.com,login.newplan.com">
    <location name="/" handler="welcome-content"/>
    <http-invoker security-realm="ApplicationRealm"/>
    </host>

    <socket-binding name="https" port="7445"/>
  5. Certificate related changes

    a. If a self-signed TLS certificate is used, create a new self-signed certificate and add it to the Java trusted certificate store:
    C:\Program Files\Ubisecure\customerid\tools>"%JRE_HOME%\bin\keytool" -delete -keystore "%JRE_HOME%"\lib\security\cacerts -storepass changeit -alias wildfly-trusted

    C:\Program Files\Ubisecure\customerid\tools>del "C:\Program Files\wildfly-13.0.0.Final\standalone\configuration\keystore.pfx"

    C:\Program Files\Ubisecure\customerid\tools>cert.cmd
    Creating login.newplan.com keystore C:\Program Files\wildfly-13.0.0.Final\standalone\configuration\keystore.pfx

    You may choose to import the self-signed certificate to JRE's cacerts truststore.
    (C:\Program Files\Java\jdk1.8.0_144\jre\lib\security\cacerts)
    Importing the certificate will make Java trust this certificate as a certificate authority
    and accept every server connection which certificate has been signed with it.

    Do you want to import the self-signed server certificate to your cacerts truststore?
    [Y]es / [N]o: y
    Exporting certificate with alias wildfly from "C:\Program Files\wildfly-13.0.0.Final\standalone\configuration\keystore.pfx" to "C:\Users\ADMINI~1\AppData\Local\Temp\2\exported.cer"
    Certificate stored in file <C:\Users\ADMINI~1\AppData\Local\Temp\2\exported.cer>
    Importing certificate file with alias wildfly-trusted to C:\Program Files\Java\jdk1.8.0_144\jre\lib\security\cacerts
    Owner: CN=login.newplan.com
    Issuer: CN=login.newplan.com
    Serial number: 3ca66f8149c1d20
    Valid from: Sun Sep 02 00:00:00 UTC 2018 until: Sun Sep 02 00:00:00 UTC 2029
    Certificate fingerprints:
    MD5: 65:F4:6A:D0:7C:DD:9D:6B:48:7E:42:57:93:92:E9:18
    SHA1: 33:25:6C:15:B9:CD:7F:2C:4F:E6:49:5A:84:F6:CD:83:6C:AE:FC:22
    SHA256: 9F:71:A0:6F:74:5B:46:44:3B:1B:56:A1:2C:58:82:3B:91:20:1D:4E:86:26:99:35:E5:01:83:DE:EC:BE:AA:AC
    Signature algorithm name: SHA256withRSA
    Version: 3
    Trust this certificate? [no]: y
    Certificate was added to keystore

    b. If you have a CA signed certificate:

    Edit standalone.xml, example:

    <ssl>
    <keystore path="C:\\Program Files\\wildfly-13.0.0.Final\\standalone\\configuration\\ubidemo.pfx" keystore-password="nmhxx29ZPvfb3fwxJP67" alias="te-2b10b1e8-5fde-4e95-976b-fcd293bc87a8"/>
    </ssl>

    If you use the same certificate as with SSO, it has already been added to cacerts. Otherwise, add it to cacerts; see the SSO instructions above.

  6. Create new SAML2 identity files

    cd "C:\Program Files\Ubisecure\customerid\application\custom"
    rename saml2 saml2-old
    mkdir saml2

    cd "\Program Files\Ubisecure\customerid\tools"
    init-eidm-sp.cmd
    init-eidm-ap.cmd
  7. Optionally download SSO metadata (this must be done if the SSO external address has changed)

    cd "C:\Program Files\Ubisecure\customerid\tools"
    get-metadata.cmd
    A subdirectory or file C:\Program Files\Ubisecure\customerid\application\custom\saml2\sp\metadata already exists.
    A subdirectory or file C:\Program Files\Ubisecure\customerid\application\custom\saml2\workflowsp\metadata already exists.
    % Total % Received % Xferd Average Speed Time Time Time Current
    Dload Upload Total Spent Left Speed
    100 5200 0 5200 0 0 14444 0 --:--:-- --:--:-- --:--:-- 14444
    % Total % Received % Xferd Average Speed Time Time Time Current
    Dload Upload Total Spent Left Speed
    100 5200 0 5200 0 0 30232 0 --:--:-- --:--:-- --:--:-- 30232

    cd "C:\Program Files\Ubisecure\customerid\tools"
    get-metadata-for-ap.cmd
    A subdirectory or file C:\Program Files\Ubisecure\customerid\application\custom\saml2\ap\metadata already exists.
    % Total % Received % Xferd Average Speed Time Time Time Current
    Dload Upload Total Spent Left Speed
    100 2736 0 2736 0 0 13477 0 --:--:-- --:--:-- --:--:-- 13477

    Verify by opening the metadata files with a text editor
    - In case of errors the files may contain an HTML error page instead of valid metadata
    C:\Program Files\Ubisecure\customerid\application\custom\saml2\sp\metadata\metadata.xml
    C:\Program Files\Ubisecure\customerid\application\custom\saml2\workflowsp\metadata\metadata.xml
    C:\Program Files\Ubisecure\customerid\application\custom\saml2\ap\metadata\metadata.xml
  8. Start Wildfly, verify logs

  9. Upload the new SAML identities to Ubisecure configuration directory

    If you have changed rest.username and/or rest.password in eidm2.properties, temporarily comment them out and restart Wildfly

    cd "C:\Program Files\Ubisecure\customerid\tools"
    init-customerid-data-storages.cmd
    <init><initializeDatabase/></init>

    cd "C:\Program Files\Ubisecure\customerid\tools"
    update-ap-metadata.cmd
    <init><updateSamlApMetadata/></init>
  10. Restart Wildfly, verify logs

  11. Modify properties files

    - eidm2.properties
    - messages.properties
    - messages_xx.properties
    - mailmessages.properties
    - mailmessages_xx.properties
    - protection.properties
  12. Restart Wildfly, verify logs, verify functionality

    Note

    All OIDC and SAML integrations need new metadata / configuration if the host name was changed.
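Several files must agree on the new name before the last restart: the uas.url and eidm.url entries in win32.config, the default-host alias and https socket-binding in standalone.xml, and the regenerated SAML metadata, which get-metadata.cmd may have replaced with an HTML error page. The check below is an added example, not Ubisecure's own tooling; the configuration fragments are constructed and shortened, and the entityID path and JBoss namespace version are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NEW_HOST = "login.newplan.com"
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
# Constructed fragments standing in for the real files (not copied from an installation).
WIN32_CONFIG = r"""uas.url=https\://login.newplan.com\:8445
eidm.url=https\://login.newplan.com\:7445"""
STANDALONE_XML = """<server xmlns="urn:jboss:domain:8.0"><profile>
<host name="default-host" alias="localhost,login.newplan.com,login.newplan.com"/>
<socket-binding name="https" port="7445"/></profile></server>"""
METADATA_OK = f'<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://login.newplan.com:7445/eidm2/sp"/>'
METADATA_HTML = "<html><head><title>404</title></head><body>Not Found</body></html>"

def load_properties(text):
    """Parse Java .properties text, unescaping the backslash-escaped ':' and '=' win32.config uses."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = re.sub(r"\\(.)", r"\1", value.strip())
    return props

def check_hostname(win32_config, standalone_xml, metadata_files, new_host):
    """Return a list of findings; an empty list means every artefact agrees on new_host."""
    findings, props = [], load_properties(win32_config)
    for key in ("uas.url", "eidm.url"):
        if urlsplit(props.get(key, "")).hostname != new_host:
            findings.append(f"{key} does not point at {new_host}")
    root = ET.fromstring(standalone_xml)
    host = root.find(".//{*}host[@name='default-host']")  # {*}: any namespace, Python 3.8+
    if host is None or new_host not in [a.strip() for a in host.get("alias", "").split(",")]:
        findings.append(f"default-host alias lacks {new_host}")
    eidm_port = str(urlsplit(props.get("eidm.url", "")).port)
    binding = root.find(".//{*}socket-binding[@name='https']")
    if binding is None or binding.get("port") != eidm_port:
        findings.append(f"https socket-binding port is not {eidm_port}")
    for name, text in metadata_files.items():  # get-metadata.cmd may have saved an HTML error page
        try:
            md = ET.fromstring(text)
        except ET.ParseError:
            findings.append(f"{name}: not well-formed XML")
            continue
        if md.tag != f"{{{MD_NS}}}EntityDescriptor":
            findings.append(f"{name}: not SAML metadata, root is {md.tag}")
        elif urlsplit(md.get("entityID", "")).hostname != new_host:
            findings.append(f"{name}: entityID host is not {new_host}")
    return findings
```

On a real installation, read the three files from the paths listed in steps 2, 4 and 7 and pass their contents to check_hostname; an empty result means the restart in step 12 can proceed.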