Problem:
How can I make the registration at the UMC for SSO available on an alternate name? E.g.
changing the ucs-sso login on the UMC from master.schein.sun to portal.schein.sun.
This was tested for a single-master environment.
Solution:
Assuming that a certificate for portal.schein.sun already exists…
This way:
(Can also be the alternate name in the UCS certificate)
In some situations you might want to add additional SANs (subject alternative names) to your host certificate. This is pretty handy when you’re using one or several aliases for one of your hosts.
First of all create a backup of the following files:
openssl.cnf
req.pem
root@ucs:# cd /etc/univention/ssl/<FQDN>
root@ucs:/etc/univention/ssl/<FQDN># cp openssl.cnf{,.orig}; cp req.pem{,.orig}
Now edit the certificate settings in openssl.cnf for the appropriate host certificate by changing line 1…
… and once this is stored under /etc/univention/ssl/portal.schein.sun, the two further steps below are still necessary.
Or this way:
Sometimes it’s necessary to also create signed certificates for non-UCS systems in a domain. This is becoming more common and more needed because communication is often SSL-encrypted nowadays.
For such purposes UCS comes with an appropriate command set which makes it easy to fulfil the task.
The following command creates a signed certificate for the given server FQDN:
root@ucs-master:~# univention-certificate new -name "another-server.$(dnsdomainname)"
Creating certificate: another-server…
Or your own way.
Step 1
You need to set the ucr variable umc/saml/sp-server:
ucr set umc/saml/sp-server=portal.schein.sun
Step 2
and re-execute the following join script:
univention-run-join-scripts --force --run-scripts 92univention-management-console-web-server.inst
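Putting the certificate check and the two steps together, as an added example that is not part of the original article: the script verifies that a certificate actually covers the alternate name before touching umc/saml/sp-server, and re-reads the UCR variable afterwards. The paths and commands are those shown above; the wildcard handling in san_covers_name and the use of `openssl x509 -ext` (OpenSSL 1.1.1 or newer) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): pre-flight check plus the
# two steps for switching the UMC SAML SP name to an alternate FQDN.
set -eu

SSL_BASE=/etc/univention/ssl   # UCS certificate directory

# Return 0 when the subjectAltName text (as printed by
# `openssl x509 -noout -ext subjectAltName`) lists NAME as a DNS entry,
# either literally or via a single-label wildcard (*.parent.domain).
# Wildcard handling is an assumption about how the certificate was issued.
san_covers_name() {
    san_text=$1; name=$2
    entries=$(printf '%s\n' "$san_text" | tr ',' '\n' \
              | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    printf '%s\n' "$entries" | grep -qixF "DNS:$name" && return 0
    case $name in
        *.*) printf '%s\n' "$entries" | grep -qixF "DNS:*.${name#*.}" && return 0 ;;
    esac
    return 1
}

# Return 0 when either a dedicated cert directory exists for NAME (the
# "Or this way" variant) or the host certificate for HOST_FQDN carries NAME
# as a SAN (the "This way" variant).
cert_available_for() {
    name=$1; host_fqdn=$2
    [ -s "$SSL_BASE/$name/cert.pem" ] && return 0
    host_cert="$SSL_BASE/$host_fqdn/cert.pem"
    [ -s "$host_cert" ] || return 1
    san_covers_name "$(openssl x509 -in "$host_cert" -noout -ext subjectAltName)" "$name"
}

# Apply Step 1 and Step 2 only after the certificate check passes,
# then confirm the UCR variable really holds the new name.
apply_sp_server() {
    name=$1
    if ! cert_available_for "$name" "$(hostname -f)"; then
        echo "no certificate covers $name; create it first" >&2
        return 1
    fi
    ucr set "umc/saml/sp-server=$name"
    univention-run-join-scripts --force --run-scripts 92univention-management-console-web-server.inst
    [ "$(ucr get umc/saml/sp-server)" = "$name" ]
}

# Usage: sh sp-server.sh --apply portal.schein.sun
if [ "${1:-}" = "--apply" ]; then apply_sp_server "$2"; fi
```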
Also interesting:
Problem
The default UCS Single Sign-On setup consists of an additional DNS Record that is shared between master and backup servers to provide a failsafe setup.
That default DNS Record is ucs-sso.domainname.
In certain setups, e.g. when operating UCS in a cloud scenario, only one external DNS Record is available for a server.
Solution
The following commands have to be executed to configure the single sign-on identity provider for a different DNS Record.
FQDN=externaldns.ucsmaster.example
ucr…