Make sure you have working SSO install before applying these configurations
Enable SSL for LDAP
This example is done with self-signed certificate. It is always better to use publicly trusted certificate here.
Become root
sudo su -
Stop any IDS applications that is running in all instances.
systemctl stop wildfly.service systemctl stop ubilogin-server.service systemctl stop ubilogin-directory.service
Create new self-signed certificate chain
# Create folder mkdir -p ~/ssl cd ~/ssl # Create certificate authority openssl req -x509 \ -sha512 \ -days 3650 \ -nodes \ -newkey rsa:4096 \ -subj "/CN=localhost/C=FI/L=Espoo" \ -keyout cakey.pem -out cacert.pem # Create server private key openssl genrsa -out serverkey.pem 4096 # Generate certificate signging request cat << EOF > servercsr.cnf [ req ] default_bits = 4096 prompt = no default_md = sha512 req_extensions = req_ext distinguished_name = dn [ dn ] C = FI ST = Uusimaa L = Espoo O = Ubisecure Oy OU = Engineering CN = localhost [ req_ext ] subjectAltName = @alt_names [ alt_names ] DNS.1 = localhost DNS.2 = $(hostname -s) DNS.3 = $(hostname -f) EOF # Generate certificate signing request with previously created private key openssl req \ -new \ -key serverkey.pem \ -out servercsr.pem \ -config servercsr.cnf # Generate external certificate configuration cat << EOF > cert.conf authorityKeyIdentifier=keyid,issuer basicConstraints=CA:FALSE keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment subjectAltName = @alt_names [alt_names] DNS.1 = localhost DNS.2 = $(hostname -s) DNS.3 = $(hostname -f) EOF # Generate SSL certificate With self signed CA openssl x509 -req \ -in servercsr.pem \ -CA cacert.pem \ -CAkey cakey.pem \ -CAcreateserial \ -out servercert.pem \ -days 3650 \ -sha512 \ -extfile \ cert.conf # View generated cert openssl x509 -noout -in servercert.pem -text
Check keystore before import
# View all certificates keytool -list \ -storepass changeit \ -keystore /usr/local/ubisecure/ubilogin-sso/ubilogin/custom/tomcat/keystore.pfx
Result before the import
Keystore type: PKCS12 Keystore provider: SUN Your keystore contains 1 entry tomcat, Aug 28, 2023, PrivateKeyEntry, Certificate fingerprint (SHA-256): FF:BC:BE:57:69:2C:F0:35:06:8D:2D:F8:F3:42:D7:02:5F:1B:0D:47:29:1B:34:4D:FF:B5:DB:0F:1C:3B:4A:0A
Export the newly generated certificate to SSO tomcat
# Export serverkey keytool -import \ -trustcacerts \ -keystore /usr/local/ubisecure/ubilogin-sso/ubilogin/custom/tomcat/keystore.pfx \ -storepass changeit \ -noprompt \ -alias 1-ubilogin-directory \ -file servercert.pem
Check keystore after import (note, make sure that the trusted self-signed certificate is topmost position).
# View all certificates keytool -list \ -storepass changeit \ -keystore /usr/local/ubisecure/ubilogin-sso/ubilogin/custom/tomcat/keystore.pfx
Result after the import
Keystore type: PKCS12 Keystore provider: SUN Your keystore contains 2 entries 1-ubilogin-directory, Aug 28, 2023, trustedCertEntry, Certificate fingerprint (SHA-256): B9:08:F3:95:D7:4D:FD:ED:F7:E2:FC:8F:DE:81:B5:74:EE:2B:5F:2F:3C:96:9B:81:B8:06:3C:1E:3E:F0:89:0C tomcat, Aug 28, 2023, PrivateKeyEntry, Certificate fingerprint (SHA-256): FF:BC:BE:57:69:2C:F0:35:06:8D:2D:F8:F3:42:D7:02:5F:1B:0D:47:29:1B:34:4D:FF:B5:DB:0F:1C:3B:4A:0A
Change ownership for generated files
# Copy generated certificate and serverkey cd ~/ssl cp cacert.pem servercert.pem serverkey.pem /usr/local/ubisecure/ubilogin-sso/openldap/etc/openldap/ # Fix rights chmod 600 /usr/local/ubisecure/ubilogin-sso/openldap/etc/openldap/cacert.pem chmod 600 /usr/local/ubisecure/ubilogin-sso/openldap/etc/openldap/serverkey.pem chmod 600 /usr/local/ubisecure/ubilogin-sso/openldap/etc/openldap/servercert.pem # Fix ownership chown -R ubilogin. /usr/local/ubisecure/ubilogin-sso/openldap/etc/openldap
Change unix.config
so that it will use ldaps://
instead of ldap://
as a connection.
# Make a backup of existing unix.config cp /usr/local/ubisecure/ubilogin-sso/ubilogin/unix.config \ /usr/local/ubisecure/ubilogin-sso/ubilogin/unix.config.$(date +%Y%m%d%H%M%S) # Apply change sed -i 's/ldap.url=.*/ldap.url=ldaps:\/\/localhost:636/g' \ /usr/local/ubisecure/ubilogin-sso/ubilogin/unix.config
Once done, run sso setup.sh
again.
cd /usr/local/ubisecure/ubilogin-sso/ubilogin ./setup.sh
Once done, edit slapd.conf before updating ldap configuration
If any errors occurs, one can always run setup.sh
again to reverse below changes to original defaults.
sed -i 's/#TLSCertificateFile/TLSCertificateFile/' \ /usr/local/ubisecure/ubilogin-sso/ubilogin/ldap/openldap/slapd.conf sed -i 's/#TLSCertificateKeyFile/TLSCertificateKeyFile/' \ /usr/local/ubisecure/ubilogin-sso/ubilogin/ldap/openldap/slapd.conf sed -i 's/#TLSCACertificateFile/TLSCACertificateFile/' \ /usr/local/ubisecure/ubilogin-sso/ubilogin/ldap/openldap/slapd.conf
Reconfigure ldap
cd /usr/local/ubisecure/ubilogin-sso/ubilogin/ldap/openldap export JAVA_HOME=/usr/lib/jvm/temurin-11-jdk # Make sure you have correct JDK ./install.sh
And finally update sso configurations
# Update configurations cd /usr/local/ubisecure/ubilogin-sso/ubilogin/config/tomcat ./remove.sh ./install.sh # Restart services systemctl start ubilogin-directory.service systemctl start ubilogin-server.service systemctl start wildfly.service