Page tree
Skip to end of metadata
Go to start of metadata

Step-by-step guide

In win32.config / unix.config –file under …\ubilogin-sso\ubilogin –directory. The following changes are mandatory. In the following example the original address was localhost:8443.

win32.config
uas.url=https\://localhost\:8443  change to -> uas.url=https\://new_address.com\:9443 
ubilogin.url=@uas.url@
logviewer.url=@ubilogin.url@
search.url=@ubilogin.url@
password.url=@uas.url@
ldap.url=ldap\://localhost\:389
suffix = cn=Ubilogin,@uas.url.host.dn@ change to -> suffix=cn\=Ubilogin,dc\=localhost (* 
password.encoding=

(* in this example, the localhost is the original address that was used during the initial installation. This could be different in you environment. 

  1. Open server.xml –file under …\ubilogin-sso\ubilogin\custom\tomcat –folder on Windows or /usr/local/ubisecure/ubilogin-sso/ubilogin/custom/tomcat directory on Linux.
  2. Change the old address and port in server.xml.

    server.xml
    <Server port="-1">
    	<Service name="SSO">
    		<Connector
    			port="9443"
    			scheme="https" secure="true"
    			proxyName="new_address.com" proxyPort="9443"
    			maxThreads="150" protocol="HTTP/1.1"
    			useBodyEncodingForURI="true" maxHttpHeaderSize="65536"
       			SSLEnabled="true" 
       			sslProtocol="TLS" clientAuth="false"
    			keystoreFile="C:\Program Files\Ubisecure\ubilogin-sso\ubilogin/custom/tomcat/keystore.pfx"
    			keystorePass="changeit" keystoreType="PKCS12"
    		/>
    	<Engine name="SSO" defaultHost="new_address.com">
    		<Host name="new_address.com" appBase="404"
    			unpackWARs="false" autoDeploy="false">


  3. Save the files, open the command prompt as Administrator, and run setup.cmd on that same directory (…\ubilogin-sso\ubilogin). 
  4. Import new Ubisecure SSO application secrets to LDAP

    Import SSO application secrets on Windows
    cd /d "C:\ubisecure\ubilogin-sso\ubilogin" 
    ldap\adam\import.cmd ldap\secrets.ldif
    Import SSO application secrets on Linux
    cd /usr/local/ubisecure/ubilogin-sso/ubilogin
    ./ldap/openldap/import.sh ldap\secrets.ldif
  5. Deploy Ubisecure SSO applications to Tomcat on Windows

    Deploy SSO applications to Tomcat on Windows
    ..\ubilogin-sso\ubilogin\config\tomcat\update.cmd


    Deploy SSO applications to Tomcat on Linux
    ./../ubilogin-sso/ubilogin/config/tomcat/update.sh


  6.  Ubisecure SSO is now working with the new address/port. The Ubisecure SSO metadata has changed. Make sure the new metadata is updated in all integrated applications.

 

Note

 The LDAP suffix can be found in file C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\webapps\uas\WEB-INF\jndi.properties:

java.naming.security.principal = cn=Server,ou=System,cn=Ubilogin,dc=login,dc=localhost,dc=com

Copy it starting at "cn=Ubilogin" to win32.config:

suffix=cn=Ubilogin,dc=login,dc=localhost,dc=com


For SSO 8.4 and later

Update accounting.url

For additional information, see the configuration instructions:
https://developer.ubisecure.com/docs/display/IDS20181/Configuration+and+setup+application+to+create+configurations+-+SSO


If you are using a self-signed TLS certificate, generate a new self-signed certificate for the new host name as follows.

  1. Delete old keystore

    cd "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\custom\tomcat"
    ren keystore.pfx keystore-old.pfx
  2. Create new keystore

    cd "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin"
    config\tomcat\cert.cmd
    Creating login.newplan.com keystore "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\custom\tomcat\keystore.pfx
  3. Update Tomcat

    config\tomcat\update.cmd
    The UbiloginServer service is stopping.
    The UbiloginServer service was stopped successfully.
    1 File(s) copied
    1 file(s) copied.
    840 File(s) copied
    The UbiloginServer service is starting.
    The UbiloginServer service was started successfully.
    Ubilogin Server updated at https://login.newplan.com:8445/ubilogin/
  4. Delete old certificate from Java cacerts

    "%JRE_HOME%\bin\keytool" -delete -keystore "%JRE_HOME%"\lib\security\cacerts -storepass changeit -alias ubisecure-sso-servercert
  5. Add new certificate to Java cacerts

    "%JRE_HOME%\bin\keytool.exe" -exportcert -keystore "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\custom\tomcat\keystore.pfx" -alias tomcat -storepass changeit | "%JRE_HOME%\bin\keytool" -importcert -keystore "%JRE_HOME%"\lib\security\cacerts -storepass changeit -alias ubisecure-sso-servercert -noprompt
    Certificate was added to keystore

If you have a CA signed certificate (after running setup, otherwise server.xml will be overwritten):

  1. Copy your pfx file to C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\custom\tomcat
  2. Edit C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\config\tomcat\conf\server.xml

    keystoreFile="C:\Program Files\Ubisecure\ubilogin-sso\ubilogin/custom/tomcat/mycert.pfx"
    keystorePass="mypassword" keystoreType="PKCS12"

  3. Add certificate to cacerts

    - First find out the alias (te-2b10b1e8-5fde-4e95-976b-fcd293bc87a8 below)

    C:\Program Files\Ubisecure\ubilogin-sso\ubilogin>"%JRE_HOME%\bin\keytool.exe" -list -keystore "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\custom\tomcat\ubidemo.pfx" -storepass <Enter password>

    Keystore type: JKS
    Keystore provider: SUN

    Your keystore contains 1 entry

    te-2b10b1e8-5fde-4e95-976b-fcd293bc87a8, Sep 2, 2021, PrivateKeyEntry,
    Certificate fingerprint (SHA1): EF:CB:21:BB:07:13:A7:BE:C6:0C:24:03:0A:18:C6:60:78:B8:5E:27

    - Then add to cacerts

    C:\Program Files\Ubisecure\ubilogin-sso\ubilogin>"%JRE_HOME%\bin\keytool.exe" -exportcert -keystore "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\custom\tomcat\ubidemo.pfx" -alias te-2b10b1e8-5fde-4e95-976b-fcd293bc87a8 -storepass <Enter password> | "%JRE_HOME%\bin\keytool" -importcert -keystore "%JRE_HOME%"\lib\security\cacerts -storepass changeit -alias ubisecure-sso-servercert -noprompt
    Certificate was added to keystore
  4. Run tomcat update
  5. Change login page links if any

Note

All OIDC and SAML integrations need a new metadata / configuration if the host name was changed