Product Documentation

SKSO is installed using the installation script described below.

Prerequisites

This application needs the following before running the script:

  • StrongKey's Tellaro Appliance with SKFS.
  • OpenJDK 11.
  • A public fully qualified domain name (FQDN) for the machine.
  • Binary distribution for SKSO.
  • jwtsigningtruststore.bcfks from StrongKey's Tellaro Appliance.

NOTE: If FIPS is enabled in your environment, it must be disabled for the asadmin commands to run. Do this by running export _JAVA_OPTIONS=-Dcom.redhat.fips=false in the shell before executing them.

Installation

  1. Open a terminal and change directory to the target download folder.

  2. Extract the downloaded binary distribution file to the current directory:

    shell> tar xvzf <SKSO-Distribution-file>

  3. Verify that the machine's FQDN is set as its hostname. This is necessary to properly configure the self-signed certificate for the API.

    Run the following command:

    shell> hostname

    If only the machine name is returned, and not the public FQDN, run the following command:

    shell> sudo hostnamectl set-hostname <SERVER PUBLIC FQDN>

    If no DNS is configured for this machine, run the following command to add an entry to the /etc/hosts file:

    shell> echo $(hostname -I | awk '{print $1}') $(hostname) | sudo tee -a /etc/hosts

  4. Copy the jwtsigningtruststore.bcfks file to the directory where you untarred the distribution.

  5. Edit the SKSO installation script using your preferred text editor:

    shell> sudo vi install-skso.sh

    The installation script contains configurable values that allow you to customize how SKSO will function. In particular, the following values are recommended to be changed:

    SKFSURL: The hostname, as a URL, of the machine where SKFS is installed. For example: "https://demo.strongkey.com:8181/".
    CITRIX_INTEGRATION: Set this to true if a virtual server is deployed on Citrix ADC.
    CITRIX_HOSTNAME: The hostname, as a URL, of the machine where the Citrix Gateway Virtual Server is deployed. For example: "https://citrixgateway.strongkey.com/".
    RPID: The RPID for the machine where SAKA-SKFS is installed. For example: "strongkey.com".
    SKSO_VM_INSTANCE(S): Set this variable to the comma-separated list of IP addresses of all virtual machines that will host SKSO. If the value is not set, or is localhost, it defaults to the IP address of the current SKSO VM. For example: 10.0.2.84,10.0.2.85.
    LDAP_SEARCH: Set this to true if Active Directory (AD) is configured.
    LDAP_URL: Set this variable to the URL of the AD server.
    LDAP_BASE_DN: Set this variable to the base DN of the AD server.
    LDAP_REGISTER_ALLOWED_KEY: The attribute name in the LDAP directory that is checked to determine whether a user is allowed to create FIDO credentials.
  6. Execute the install-skso.sh script as follows:

    shell> ./install-skso.sh

    The installation script creates a user account with the home directory /usr/local/strongauth. All software required for SKSO is deployed to the /usr/local/strongauth directory and run by the "strongauth" user. The default password for the strongauth user is ShaZam123.

    The script also installs Payara running HTTPS on port 8181 and creates /usr/local/strongauth/skso/etc containing the skso-configuration.properties file, which can be changed if required.

  7. Optionally, import the certificates of the AD servers, Tellaro servers and/or the Tellaro load balancers into the SKSO Payara truststore. Download all the necessary certificates before running the following command:

    shell> keytool -import -file <certificate-file> -keystore /usr/local/strongauth/payara6/glassfish/domains/domain1/config/cacerts.p12 -storepass changeit -alias <alias-name>

    Repeat the command for each certificate that needs to be imported.

    OR

    Use the certimport script to import the AD, load balancer and/or Tellaro certificates:

    Usage: certimport.sh hostname -p <port> -k<JAVA | GLASSFISH | keystorepath> -w <keystorepassword>
    ------------------------------------------------------------------------
      certimport.sh saka201 (defaults to JAVA_HOME keystore)
      certimport.sh expo1.strongkey.com -p8282 -kGLASSFISH
      certimport.sh deicda02 -k../config/cacerts.p12 -wAbcd1234!

    The following are examples of how to import certificates for Tellaro Appliances:

    shell> certimport.sh saka01.strongkey.com -p8181
    shell> certimport.sh saka01.strongkey.com -p8181 -kGLASSFISH

    The following are examples of how to import certificates for AD servers:

    shell> certimport.sh WIN-A7RTV2GGJ12.rootdomain.strongkey.com -p636
    shell> certimport.sh WIN-A7RTV2GGJ12.rootdomain.strongkey.com -p636 -kGLASSFISH

  8. Restart Payara after adding new certificates. This is only necessary if the previous step was performed.

    shell> sudo systemctl restart payara

NOTE: If the install fails for any reason, run the cleanup script and restart from the beginning.
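The prerequisites and the hostname check in step 3 can be verified before the installation script is run. The following POSIX shell script is an added example and is not part of the StrongKey distribution; its function names, its output format, the check for FIPS mode through /proc/sys/crypto/fips_enabled and the parsing of OpenJDK's `java -version` output are assumptions of this example.

```shell
#!/bin/sh
# Pre-flight checks for the SKSO install steps (added example, not part of the
# StrongKey distribution). Function names and output format are this example's own.

# is_fqdn NAME: succeed only if NAME is a public FQDN (dotted, valid DNS labels),
# which step 3 requires so the API's self-signed certificate carries the right name.
is_fqdn() {
    case "$1" in
        localhost|localhost.localdomain|*.local|*.localdomain) return 1 ;;
    esac
    printf '%s\n' "$1" |
        grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$'
}

# hosts_has_name HOSTSFILE NAME: succeed if NAME already resolves via HOSTSFILE
# (comment lines ignored), i.e. the /etc/hosts append in step 3 is not needed.
hosts_has_name() {
    awk -v n="$2" '/^[[:space:]]*#/ { next }
        { for (i = 2; i <= NF; i++) if ($i == n) { found = 1; exit } }
        END { exit found ? 0 : 1 }' "$1"
}

# java_major "first line of java -version": prints 11 for 11.0.x, 8 for 1.8.0_x
java_major() {
    v=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p')
    case "$v" in
        1.*) printf '%s\n' "$v" | cut -d. -f2 ;;
        *)   printf '%s\n' "$v" | cut -d. -f1 ;;
    esac
}

# preflight [DIR]: check the host and the extracted distribution in DIR; 0 = ready
preflight() {
    dir=${1:-.}; rc=0; h=$(hostname)
    if is_fqdn "$h"; then echo "OK   hostname is an FQDN: $h"
    else echo "FAIL '$h' is not an FQDN: sudo hostnamectl set-hostname <SERVER PUBLIC FQDN>"; rc=1; fi
    hosts_has_name /etc/hosts "$h" || getent hosts "$h" >/dev/null 2>&1 ||
        echo "WARN $h does not resolve; add it to /etc/hosts if no DNS is configured"
    for f in install-skso.sh jwtsigningtruststore.bcfks; do
        [ -f "$dir/$f" ] && echo "OK   $f present" || { echo "FAIL $f missing from $dir"; rc=1; }
    done
    if command -v java >/dev/null 2>&1; then
        maj=$(java_major "$(java -version 2>&1 | head -n1)")
        [ "$maj" = "11" ] && echo "OK   Java $maj" || { echo "FAIL Java $maj found, OpenJDK 11 required"; rc=1; }
    else echo "FAIL java not on PATH (OpenJDK 11 required)"; rc=1; fi
    # RHEL-family FIPS mode: asadmin needs export _JAVA_OPTIONS=-Dcom.redhat.fips=false
    [ "$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)" = 1 ] &&
        echo "WARN FIPS is enabled; export _JAVA_OPTIONS=-Dcom.redhat.fips=false before asadmin"
    return $rc
}
```

Source the file and run preflight <extracted-directory> from the folder where the distribution was untarred; an exit status of 0 means every FAIL check passed.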