Page tree
Skip to end of metadata
Go to start of metadata

Step-by-step guide

In win32.config / unix.config –file under …\ubilogin-sso\ubilogin –directory. The following changes are mandatory. In the following example the original address was localhost:8443.

uas.url=https\://localhost\:8443  change to -> uas.url=https\://\:9443 
suffix = cn=Ubilogin, change to -> suffix=cn\=Ubilogin,dc\=localhost (* 

(* in this example, the localhost is the original address that was used during the initial installation. This could be different in you environment. 

  1. Open server.xml –file under …\ubilogin-sso\ubilogin\custom\tomcat –folder on Windows or /usr/local/ubisecure/ubilogin-sso/ubilogin/custom/tomcat directory on Linux.
  2. Change the old address and port in server.xml.

    <Server port="-1">
    	<Service name="SSO">
    			scheme="https" secure="true"
    			proxyName="" proxyPort="9443"
    			maxThreads="150" protocol="HTTP/1.1"
    			useBodyEncodingForURI="true" maxHttpHeaderSize="65536"
       			sslProtocol="TLS" clientAuth="false"
    			keystoreFile="C:\Program Files\Ubisecure\ubilogin-sso\ubilogin/custom/tomcat/keystore.pfx"
    			keystorePass="changeit" keystoreType="PKCS12"
    	<Engine name="SSO" defaultHost="">
    		<Host name="" appBase="404"
    			unpackWARs="false" autoDeploy="false">

  3. Save the files, open the command prompt as Administrator, and run setup.cmd on that same directory (…\ubilogin-sso\ubilogin). 
  4. Import new Ubisecure SSO application secrets to LDAP

    Import SSO application secrets on Windows
    cd /d "C:\ubisecure\ubilogin-sso\ubilogin" 
    ldap\adam\import.cmd ldap\secrets.ldif
    Import SSO application secrets on Linux
    cd /usr/local/ubisecure/ubilogin-sso/ubilogin
    ./ldap/openldap/ ldap\secrets.ldif
  5. Deploy Ubisecure SSO applications to Tomcat on Windows

    Deploy SSO applications to Tomcat on Windows

    Deploy SSO applications to Tomcat on Linux

  6.  Ubisecure SSO is now working with the new address/port. The Ubisecure SSO metadata has changed. Make sure the new metadata is updated in all integrated applications.



 The LDAP suffix can be found in file C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\webapps\uas\WEB-INF\ = cn=Server,ou=System,cn=Ubilogin,dc=login,dc=localhost,dc=com

Copy it starting at "cn=Ubilogin" to win32.config:


For SSO 8.4 and later

Update accounting.url

For additional information, see the configuration instructions:

If you are using a self-signed TLS certificate, generate a new self-signed certificate for the new host name as follows.

  1. Delete old keystore

    cd "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\custom\tomcat"
    ren keystore.pfx keystore-old.pfx
  2. Create new keystore

    cd "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin"
    Creating keystore "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\custom\tomcat\keystore.pfx
  3. Update Tomcat

    The UbiloginServer service is stopping.
    The UbiloginServer service was stopped successfully.
    1 File(s) copied
    1 file(s) copied.
    840 File(s) copied
    The UbiloginServer service is starting.
    The UbiloginServer service was started successfully.
    Ubilogin Server updated at
  4. Delete old certificate from Java cacerts

    "%JRE_HOME%\bin\keytool" -delete -keystore "%JRE_HOME%"\lib\security\cacerts -storepass changeit -alias ubisecure-sso-servercert
  5. Add new certificate to Java cacerts

    "%JRE_HOME%\bin\keytool.exe" -exportcert -keystore "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\custom\tomcat\keystore.pfx" -alias tomcat -storepass changeit | "%JRE_HOME%\bin\keytool" -importcert -keystore "%JRE_HOME%"\lib\security\cacerts -storepass changeit -alias ubisecure-sso-servercert -noprompt
    Certificate was added to keystore

If you have a CA signed certificate (after running setup, otherwise server.xml will be overwritten):

  1. Copy your pfx file to C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\custom\tomcat
  2. Edit C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\config\tomcat\conf\server.xml

    keystoreFile="C:\Program Files\Ubisecure\ubilogin-sso\ubilogin/custom/tomcat/mycert.pfx"
    keystorePass="mypassword" keystoreType="PKCS12"

  3. Add certificate to cacerts

    - First find out the alias (te-2b10b1e8-5fde-4e95-976b-fcd293bc87a8 below)

    C:\Program Files\Ubisecure\ubilogin-sso\ubilogin>"%JRE_HOME%\bin\keytool.exe" -list -keystore "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\custom\tomcat\ubidemo.pfx" -storepass <Enter password>

    Keystore type: JKS
    Keystore provider: SUN

    Your keystore contains 1 entry

    te-2b10b1e8-5fde-4e95-976b-fcd293bc87a8, Sep 2, 2021, PrivateKeyEntry,
    Certificate fingerprint (SHA1): EF:CB:21:BB:07:13:A7:BE:C6:0C:24:03:0A:18:C6:60:78:B8:5E:27

    - Then add to cacerts

    C:\Program Files\Ubisecure\ubilogin-sso\ubilogin>"%JRE_HOME%\bin\keytool.exe" -exportcert -keystore "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\custom\tomcat\ubidemo.pfx" -alias te-2b10b1e8-5fde-4e95-976b-fcd293bc87a8 -storepass <Enter password> | "%JRE_HOME%\bin\keytool" -importcert -keystore "%JRE_HOME%"\lib\security\cacerts -storepass changeit -alias ubisecure-sso-servercert -noprompt
    Certificate was added to keystore
  4. Run tomcat update
  5. Change login page links if any


All OIDC and SAML integrations need a new metadata / configuration if the host name was changed