Gluu Server CE Cert import

🎯 Purpose

This guide outlines the process to securely log into the Gluu Server virtual machine (VM), retrieve the Gluu server's TLS certificate, import it into the Java truststore, and restart services to enable trusted internal HTTPS communication.

🔐 Logging into the Gluu VM

🖥️ Open a terminal or SSH client on your admin machine.
🔌 Connect to your Gluu Server via SSH:
```
ssh root@your-gluu-server-ip
```
💡 If Gluu is running locally (e.g., in Proxmox/XCP-ng), log in via the hypervisor console directly as root.

🧰 Prerequisites

Root or sudo access to the Gluu VM
Domain name of Gluu: gluu.mslspartners.com
Java truststore password (default: changeit or custom)
Tools: openssl, keytool, awk

🚀 Step-by-Step Instructions

1️⃣ Create the Script

nano /root/import-gluu-cert.sh

2️⃣ Paste the Script Below

#!/bin/bash

DOMAIN="gluu.mslspartners.com"
CERT_PATH="/etc/certs/gluu-full-chain.crt"
KEYSTORE_PATH="/opt/jre/lib/security/cacerts"
KEYSTORE_PASS="changeit"
ALIAS="gluu-remote"

echo "🔐 Fetching certificate from $DOMAIN..."
openssl s_client -showcerts -connect ${DOMAIN}:443 </dev/null \
  | awk '/BEGIN CERT/,/END CERT/ { print }' > "$CERT_PATH"

if [[ $? -ne 0 ]]; then
  echo "❌ Failed to retrieve certificate."
  exit 1
fi

echo "🗑️ Removing old certificate (if any)..."
keytool -delete -alias "$ALIAS" -keystore "$KEYSTORE_PATH" -storepass "$KEYSTORE_PASS" 2>/dev/null

echo "➕ Importing new certificate..."
keytool -import -alias "$ALIAS" \
  -keystore "$KEYSTORE_PATH" \
  -trustcacerts -file "$CERT_PATH" \
  -storepass "$KEYSTORE_PASS" -noprompt

echo "🔁 Restarting Gluu services..."
/root/restart-gluu.sh

echo "✅ Import and restart complete!"

3️⃣ Make the Script Executable

chmod +x /root/import-gluu-cert.sh

4️⃣ Run the Script

/root/import-gluu-cert.sh

🔍 Verifying Certificate Import

🧾 Check Truststore Entry:

keytool -list -keystore /opt/jre/lib/security/cacerts -storepass changeit | grep gluu-remote

🔒 Check Active Truststore in Java:

/opt/jre/bin/java -XshowSettings:properties -version 2>&1 | grep trustStore

📛 Confirm Issuer/Subject:

openssl x509 -in /etc/certs/gluu-full-chain.crt -noout -issuer -subject

🛠 Troubleshooting

❗ SSL Errors: Usually mean the cert isn't trusted. Double-check import step.
🔒 Permission Denied: Ensure you're running as root.
🧱 Service Not Restarting: Review logs in /opt/gluu/jetty/<app>/logs/.

📘 Notes

This guide is for internal/self-signed Gluu certificates.
Public CA certs usually don’t require this step unless using a non-standard CA.
The script assumes a restart script exists at /root/restart-gluu.sh.

🔑 Step 1: SSH into the Host Server

Use SSH to connect to your Gluu server:

ssh root@your-gluu-server-ip

Replace your-gluu-server-ip with the actual IP or hostname.

🧭 Step 2: Enter the Gluu Chroot Environment

To manage Gluu, you must enter the isolated environment:

/sbin/gluu-serverd login

Once inside, you will see the prompt change, e.g.:

[gluu@gluu ~]#

📂 Step 3: Navigate to Gluu Directories

Components like oxAuth, Identity, IDP, etc., are under:

cd /opt/gluu/jetty/

📊 Step 4: Check Logs

To view the last 50 lines of a service's log file, run:

tail -n 50 /opt/gluu/jetty/oxauth/logs/oxauth.log

♻️ Step 5: Restart Gluu Services

If you have a restart script:

/root/restart-gluu.sh

Or restart specific services manually:

cd /opt/gluu/jetty/oxauth && nohup java -jar ../../jetty/start.jar &

🔒 Step 6: Verify Java Trust Store

keytool -list -keystore /etc/ssl/certs/java/cacerts -storepass 'changeit' | grep gluu

🚦 Step 7: Check Java Processes

ps aux | grep java | grep -v grep

💡 Tip: Exit the Gluu Chroot Environment

exit

This returns you to the main server shell.

✅ Summary

🔧 For persistent issues, validate SSL certificates and inspect oxauth.log and oxtrust.log.