This cheat sheet will contain shortcuts or tips to Gluu installation and configuration.
- # /sbin/gluu-serverd-3.1.5 start
- # /sbin/gluu-serverd-3.1.5 login
- # service httpd restart
- # service identity restart
- # service idp restart
- # service oxauth restart
- # service oxauth-rp restart
- # service passport restart
Important
oxTrust is widely used in documentation and Admin UI. The web context is /identity.
Configuration can be directly found in LDAP under ou=oxtrust,ou=configuration,inum=[appliance-number],ou=appliances,o=gluu
- Enable debug logging at Configuration > JSON Configuration > oxTrust Configuration > loggingLevel (switch from INFO to DEBUG)
- Build oxTrust with $ mvn clean install -DskipTests
- SCP oxtrust-server.war from .../git/oxTrust/server/target to Gluu server
- In Gluu server, remember it is a chroot environment
- Rename oxtrust-server.war to identity.war
- Copy to /opt/gluu/jetty/identity/webapps
- # service identity restart
- The war file will be exploded to /opt/jetty-9.4/temp/jetty-localhost-8082-identity.war-_identity-any-XXXX.dir
- Watch the logs in /opt/gluu/jetty/identity/logs
- [root@localhost]# yum clean all
- [root@localhost]# yum -y update
- [root@localhost]# yum -y install memcached
TO DO: Document down how to integre with Gluu https://www.liquidweb.com/kb/how-to-install-memcached-on-centos-7/
- Location: /etc/default
[root@localhost default]# ls
identity idp nss oxauth oxauth-rp passport
Important
Default installation comes with self-signed certificate
Better to use a proper certificate from Let's Encrypt
[root@sso ~]# /sbin/gluu-serverd-3.1.5 login
[root@localhost certs]# cd /opt/jdk1.8.0_181/jre/lib/security/
[root@localhost security]# cp cacerts cacerts.SELF-SIGNED
[root@localhost ~]# cd /etc/certs/
[root@localhost certs]# cp httpd.crt httpd.crt.SELF-SIGNED
[root@localhost certs]# cat httpd.csr
- Copy the content of .csr
- Go to https://zerossl.com/free-ssl/#crt
- Follow instructions from AZLABS WIKI (http://192.168.0.13/wiki/doku.php?id=noc:letsencrypt)
- Rename domain-crt.txt to httpd.crt
- Upload to Gluu server and copy to /opt/gluu-server-3.1.5/etc/certs/
[root@localhost certs]# cp /root/httpd.crt .
[root@localhost certs]# openssl x509 -outform der -in httpd.crt -out httpd.der
[root@localhost certs]# keytool -list -keystore /opt/jdk1.8.0_181/jre/lib/security/cacerts -storepass changeit | grep sso
sso.azlabs.sg_passport-sp, 25 Mar, 2019, trustedCertEntry,
sso.azlabs.sg_idp-signing, 25 Mar, 2019, trustedCertEntry,
sso.azlabs.sg_idp-encryption, 25 Mar, 2019, trustedCertEntry,
sso.azlabs.sg_asimba, 25 Mar, 2019, trustedCertEntry,
sso.azlabs.sg_opendj, 25 Mar, 2019, trustedCertEntry,
sso.azlabs.sg_shibidp, 25 Mar, 2019, trustedCertEntry,
**sso.azlabs.sg_httpd**, 25 Mar, 2019, trustedCertEntry,
[root@localhost certs]# keytool -delete -alias sso.azlabs.sg_httpd -keystore /opt/jdk1.8.0_181/jre/lib/security/cacerts -storepass changeit
[root@localhost certs]# keytool -importcert -file ./httpd.der -alias sso.azlabs.sg_httpd -keystore /opt/jdk1.8.0_181/jre/lib/security/cacerts -storepass changeit
[root@localhost certs]# exit
[root@sso azlabs]# /sbin/gluu-serverd-3.1.5 restart
- [root@localhost]# cd /etc/httpd/conf.d
- [root@localhost conf.d]# cp https_gluu.conf https_gluu.conf.ORIG
- [root@localhost]# vi https_gluu.conf
<Location /ciam>
ProxyPass http://192.168.1.176:8080/ciam retry=5 connectiontimeout=60 timeout=60
Order deny,allow
Allow from all
</Location>
- # service httpd restart
[root@localhost ~]# wget https://repo.gluu.org/upd/3-1-6-upg.sh
[root@localhost ~]# sh 3-1-6-upg.sh
Creating directory /opt/upd/3.1.6upg/
Verifying archive integrity... 100% MD5 checksums are OK. All good.
Installed:
python-ldap.x86_64 0:2.4.15-2.el7 python2-jsonschema.noarch 0:2.5.1-3.el7
Dependency Installed:
python-repoze-lru.noarch 0:0.4-3.el7
Complete!
Restarting program
Starting upgrade. CONTINUE? (y|N): y
Would you like to replace all the default Gluu Server scripts WITH SCRIPTS FROM 3.1.6?
(This will replace any customization you may have made to these default script entries) (Y|n)
Starting Upgrade...
Current Gluu Server version 3.1.5
Stopping Jetty: OK
Stopping Jetty: OK
Updating ldap schema
Stopping LDAP Server
Stopping OpenDJ
Executing /etc/init.d/opendj stop
[01/Apr/2019:21:24:49 +0800] category=PLUGGABLE severity=NOTICE msgID=org.opends.messages.backend.370 msg=The backend metric is now taken offline
[01/Apr/2019:21:24:49 +0800] category=PLUGGABLE severity=NOTICE msgID=org.opends.messages.backend.370 msg=The backend site is now taken offline
[01/Apr/2019:21:24:50 +0800] category=PLUGGABLE severity=NOTICE msgID=org.opends.messages.backend.370 msg=The backend userRoot is now taken offline
[01/Apr/2019:21:24:50 +0800] category=CORE severity=NOTICE msgID=org.opends.messages.core.203 msg=The Directory Server is now stopped
/opt/opendj/config/schema/101-ox.ldif
Backing up /opt/opendj/config/schema/101-ox.ldif
Copying new_schema /opt/upd/3.1.6upg/ldap/opendj/101-ox.ldif
Copying new_schema /opt/upd/3.1.6upg/ldap/opendj/96-eduperson.ldif
Starting LDAP Server
Starting OpenDJ
Executing /etc/init.d/opendj start
oxAuthLogoutURI modified
oxAuthPostLogoutRedirectURI modified
Backing up current scripts
Deleting current script inum=@!4CDC.D57C.C87D.1D6D!0001!1F07.55B8!2124.0CF1,ou=scripts,o=@!4CDC.D57C.C87D.1D6D!0001!1F07.55B8,o=gluu
Adding new script inum=@!4CDC.D57C.C87D.1D6D!0001!1F07.55B8!2124.0CF1,ou=scripts,o=@!4CDC.D57C.C87D.1D6D!0001!1F07.55B8,o=gluu
:
:
Backing up oxauth.war to /opt/upd/3.1.6upg/backup_2019-04-01.21:24:27
Updating oxauth.war
Backing up identity.war to /opt/upd/3.1.6upg/backup_2019-04-01.21:24:27
Updating identity.war
Backing up idp.war to /opt/upd/3.1.6upg/backup_2019-04-01.21:24:27
Updating idp.war
checking /opt/shibboleth-idp/metadata/idp-metadata.xml
Updating jetty
chown: cannot access โ/opt/jetty-9.4/temp/jetty-localhost-8086-idp.war-_idp-any-5944512476372526077.dirโ: No such file or directory
Updating Passport
Stopping passport: OK
tar: Removing leading `/' from member names
Extracting passport.tgz into /opt/gluu/node/passport
Extracting passport node modules
oxAuthenticationMode was set to auth_ldap_server
oxTrustAuthenticationMode was set to auth_ldap_server
oxCacheConfiguration was modified as {"cacheProviderType": "IN_MEMORY", "nativePersistenceConfiguration": {"defaultPutExpiration": 60}, "redisConfiguration": {"useSSL": false, "defaultPutExpiration": 60, "servers": "localhost:6379", "sslTrustStoreFilePath": "", "decryptedPassword": null, "password": null, "redisProviderType": "STANDALONE"}, "memcachedConfiguration": {"servers": "localhost:11211", "defaultPutExpiration": 60, "bufferSize": 32768, "maxOperationQueueLength": 100000, "connectionFactoryType": "DEFAULT"}, "inMemoryConfiguration": {"defaultPutExpiration": 60}}
Updating oxAuthConfDynamic
Updating oxTrustConfApplication
Updating oxAuthConfErrors
Backing up /opt/shibboleth-idp to /opt/upd/3.1.6upg/backup_2019-04-01.21:24:27
Updating idp-metadata.xml
Updadting shibboleth-idp
Please Note: oxAuthenticationMode and oxTrustAuthenticationMode was
set to auth_ldap_server in case custom authentication script fails.
Please review your scripts and adjust default authentication method
Update is complete, please exit from container and restart gluu server
[root@localhost ~]# exit
logout
[root@sso azlabs]# /sbin/gluu-serverd-3.1.5 restart
Important
Scripts and directories outside the Chroot will still reflect the version from which you upgraded. For example, if you started with version 3.1.3, the directory will still be gluu-server-3.1.3 even after upgrading to 3.1.6.
Important
It is good to maintain a README.LATEST manually
[root@sso]# cd /opt
[root@sso opt]# cat README.LATEST
Current Gluu Server version 3.1.5
Current Gluu Server version 3.1.6 <-- 1.APR.2019
If your IP changes after initial setup, you need to change your Gluu Server's configuration.
- Start the Gluu Server
- Change to new IP address in /etc/hosts
- Log into Gluu Server Chroot container
- Change to new IP address in /etc/hosts
Important
Apache and LDAP Configuration are automatically changed to reflect the new IP, unlike previous version of Gluu
- Exit Gluu Server Chroot container
- Restart Gluu Server Chroot container with /sbin/gluu-serverd-3.1.5 restart
- Test
Important
{"error":"invalid_grant_and_session","error_description":"The provided access token and session state are invalid or were issued to another client.","reason":"id_token_hint is not valid. Logout is rejected. id_token_hint can be skipped or otherwise valid value must be provided."}
If you are having issues, please let us know. We have a mailing list located at: [email protected]
The project is licensed under the MIT License (MIT).