Gluu Server CE Cert import

🎯 Purpose

This guide outlines the process to securely log into the Gluu Server virtual machine (VM), retrieve the Gluu server's TLS certificate, import it into the Java truststore, and restart services to enable trusted internal HTTPS communication.

🔐 Logging into the Gluu VM

~~🖥️ Open a terminal or SSH client on your admin machine.~~

~~🔌 Connect to your Gluu Server via SSH:~~
```
ssh root@your-gluu-server-ip
```

~~💡 If Gluu is running locally (e.g., in Proxmox/XCP-ng), log in via the hypervisor console directly as~~ root.

🧰 Prerequisites

~~Root or sudo access to the Gluu VM~~

~~Domain name of Gluu:~~ gluu.mslspartners.com

~~Java truststore password (default:~~ changeit ~~or custom)~~

~~Tools:~~ openssl, keytool, awk

🚀 Step-by-Step Instructions

1️⃣ Create the Script

nano /root/import-gluu-cert.sh

2️⃣ Paste the Script Below

#!/bin/bash

DOMAIN="gluu.mslspartners.com"
CERT_PATH="/etc/certs/gluu-full-chain.crt"
KEYSTORE_PATH="/opt/jre/lib/security/cacerts"
KEYSTORE_PASS="changeit"
ALIAS="gluu-remote"

echo "🔐 Fetching certificate from $DOMAIN..."
openssl s_client -showcerts -connect ${DOMAIN}:443 </dev/null \
  | awk '/BEGIN CERT/,/END CERT/ { print }' > "$CERT_PATH"

if [[ $? -ne 0 ]]; then
  echo "❌ Failed to retrieve certificate."
  exit 1
fi

echo "🗑️ Removing old certificate (if any)..."
keytool -delete -alias "$ALIAS" -keystore "$KEYSTORE_PATH" -storepass "$KEYSTORE_PASS" 2>/dev/null

echo "➕ Importing new certificate..."
keytool -import -alias "$ALIAS" \
  -keystore "$KEYSTORE_PATH" \
  -trustcacerts -file "$CERT_PATH" \
  -storepass "$KEYSTORE_PASS" -noprompt

echo "🔁 Restarting Gluu services..."
/root/restart-gluu.sh

echo "✅ Import and restart complete!"

3️⃣ Make the Script Executable

chmod +x /root/import-gluu-cert.sh

4️⃣ Run the Script

/root/import-gluu-cert.sh

🔍 Verifying Certificate Import

🧾 Check Truststore Entry:

keytool -list -keystore /opt/jre/lib/security/cacerts -storepass changeit | grep gluu-remote

🔒 Check Active Truststore in Java:

/opt/jre/bin/java -XshowSettings:properties -version 2>&1 | grep trustStore

📛 Confirm Issuer/Subject:

openssl x509 -in /etc/certs/gluu-full-chain.crt -noout -issuer -subject

🛠 Troubleshooting

❗ ~~SSL Errors:~~ ~~Usually mean the cert isn't trusted. Double-check import step.~~

🔒 ~~Permission Denied:~~ ~~Ensure you're running as~~ root.

🧱 ~~Service Not Restarting:~~ ~~Review logs in~~ /opt/gluu/jetty/<app>/logs/.

📘 Notes

~~This guide is for internal/self-signed Gluu certificates.~~

~~Public CA certs usually don’t require this step unless using a non-standard CA.~~

~~The script assumes a restart script exists at~~ /root/restart-gluu.sh.

🔑 Step 1: SSH intoInto the Host ServerMachine

~~Use~~From ~~SSH~~your tolocal terminal, connect to your Gluu ~~server:~~server host:

ssh root@your-gluu-server-ip

Replace your-gluu-server-ip with ~~the~~your actual IP address or hostname.

🧭📦 Step 2: EnterLog In to the Gluu Chroot Environment

ToGluu ~~manage~~runs ~~Gluu,~~inside ~~you~~a ~~must~~chroot ~~enter~~container. ~~the~~Enter ~~isolated~~it ~~environment:~~with:

/sbin/gluu-serverd login

~~Once~~You’ll ~~inside,~~know ~~you~~you're ~~will~~inside ~~see~~when ~~the~~your prompt ~~change,~~changes (e.g.:

[gluu@gluu ~]#

📂📁 Step 3: Navigate tothe Gluu DirectoriesFile Structure

~~Components~~Core ~~like oxAuth, Identity, IDP, etc.,~~services are found under:

cd /opt/gluu/jetty/

oxauth: OAuth2/OpenID Connect Provider

identity: Admin UI (oxTrust)

idp: SAML IDP

scim: SCIM User Management

fido2: FIDO2 Service

casa: User Self-Service Portal

📊📜 Step 4: CheckView Logs for Troubleshooting

~~To view~~Check the ~~last~~most 50recent log lines offor a ~~service's~~service. ~~log~~Example ~~file, run:~~(oxAuth):

tail -n 50 /opt/gluu/jetty/oxauth/logs/oxauth.log

Replace oxauth with the appropriate service name as needed.

♻️🔁 Step 5: Restart Gluu Services

Option youA: haveUsing a restart script:
Script

/root/restart-gluu.sh

Option restartB: specificManual servicesService manually:
Restart


cd /opt/gluu/jetty/oxauth &&
nohup java -jar ../../jetty/start.jar > oxauth.log 2>&1 &

Repeat for other services like identity, idp, etc.

🔒🔍 Step 6: VerifyCheck Running Java Trust StoreServices

keytool

Use -listthis -keystoreto /etc/ssl/certs/java/cacertsverify -storepassif 'changeit'services |are grep gluu

🚦 Step 7: Check Java Processes

active:

ps aux | grep java | grep -v grep

💡🔐 Tip:Step 7: Verify Java Truststore for Certificates

Ensure custom certs are loaded:

keytool -list -keystore /etc/ssl/certs/java/cacerts -storepass 'your-password' | grep gluu

🚪 Step 8: Exit the Gluu Chroot Environment

To return to the regular Linux shell:

exit

~~This returns you to the main server shell.~~

✅📝 Summary

~~Login:~~🛠️ Use /sbin/gluu-serverd login to manage Gluu internals
~~Services:~~🧭 ~~Located~~Services inlocated at /opt/gluu/jettyjetty/
~~Logs:~~📈 Logs help debug services under /logs

🔐 Use tailkeytool to ~~inspect~~

verify

~~Restart:~~Java ~~Use~~truststore ~~script or start.jar per service~~

~~Truststore: Managed with~~ keytoolcertificates

🔧💡 ~~For~~Tip: ~~persistent~~Always ~~issues,~~ensure ~~validate SSL~~your certificates ~~and~~are ~~inspect~~trusted oxauth.logby ~~and~~the oxtrust.log.JVM for SSL-based connections to succeed!