How can I make the registration at the UMC for SSO available on an alternate name. E.g
Assuming that a certificate for portal.schein.sun already exists…
In some situations you might want to add additional SAN’s (subject alternative names) to your host certificate. This is pretty handy when you’re using one or several aliases for one of your hosts.
While some of these steps can be done on a Domaincontroller Backup, renewing can only be done from a Domaincontroller Master and additionally changes would be overwritten. Therefore everything has to be done at the Master.
First of all create a backup of the following files:
openssl.cnf
req.pem
ro…
… and this is stored under /etc/univention/ssl/portal.schein.sun, these two further steps still necessary
Sometimes it’s neccessary to also create signed certificates for non-UCS systems in a domain. This also becomes more common and also more needed due to communication is often SSL encrypted nowadays.
For such purposes UCS comes with a propriate command set which makes it easy to fullfil the task.
The following command creates a signed certificate for the given server FQDN:
root@ucs-master:~# univention-certificate new -name "another-server.$(dnsdomainname)"
Creating certificate: another-server…
Or your own way.
You need to set the ucr variable umc/saml/sp-server:
ucr set umc/saml/sp-server=portal.schein.sun
and re-execute the following joinskript:
univention-run-join-scripts --force --run-scripts 92univention-management-console-web-server.inst
Please be advised: This article describes a very rare scenario. One UCS DC Master is reconfigured, and no other UCS servers are in the domain or will ever be joined.
For a detailed overview of UCS Single Sign On configuration see article 16161
Problem
The default UCS Single Sign-On setup consists of an additional DNS Record that is shared between master and backup servers to provide a failsafe setup.
That default DNS Record is ucs-sso.domainname.
In certain setups, e.g. when operating UCS in…