How to complete the install of Gluu 3.1.4 on Ubuntu 16.04/Webmin

0. File Descriptors (FD)

The Gluu Server requires setting the file descriptors to 65k. Follow these steps or research how to do this on your Linux platform.

  • Add the following lines in the /etc/security/limits.conf file.
* soft nofile 65536
* hard nofile 262144
  • Add the following lines to /etc/pam.d/login if not already present.
session required pam_limits.so
  • Increase the FD limit to 65535. The system file limit is set in /proc/sys/fs/file-max .

It is recommended to check the FD limit before increasing it, and if this limit is customized and more than default, we recommend using the higher one. The FD limit can be found using the below command.

# cat /proc/sys/fs/file-max

Please note, the command may vary depending on the OS flavor used.

echo 65535 > /proc/sys/fs/file-max
  • Use the ulimit command to set the FD limit to the hard limit specified in /etc/security/limits.conf .
ulimit -n unlimited
  • Restart your system.

1. Ubuntu Server 16.04.x


Xenial commands:

  • Add Gluu Repository
# echo "deb https://repo.gluu.org/ubuntu/ xenial main" > /etc/apt/sources.list.d/gluu-repo.list
  • Add Gluu GPG Key
# curl https://repo.gluu.org/ubuntu/gluu-apt.key | apt-key add -
  • Update/Clean Repo
# apt-get update
  • Install Gluu Server
# apt-get install gluu-server-3.1.4

2. Start the Gluu Server and Log In

The Gluu Server is a chroot container, which you must start to proceed.

For CentOS 6.x, Red Hat 6.x, Ubuntu 14/16, and Debian 8, run the following commands:

# service gluu-server-3.1.4 start
# service gluu-server-3.1.4 login

3. Run setup.py

Configuration is completed by running the setup.py script. This generates certificates, salt values and renders configuration files.

# cd /install/community-edition-setup
# ./setup.py

4. SSL Config via Letsencrypt/Webmin

  • Install Certbot

Install

On Ubuntu systems, the Certbot team maintains a PPA. You can add it to your list of repositories and install Certbot by running the following commands.

$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-apache

Certbot’s DNS plugins are also available for your system which can be used to automate obtaining a wildcard certificate from Let’s Encrypt’s ACMEv2 server. To use one of these plugins, you must have configured DNS for the domain you want to obtain a certificate for with a DNS provider that Certbot has a plugin for. A list of these plugins and more information about using them can be found here. To install one of these plugins, run the installation command above but replace python-certbot-apache with the name of the DNS plugin you want to install.

Get Started

Certbot has a fairly solid beta-quality Apache plugin, which is supported on many platforms, and automates certificate installation.

$ sudo certbot --apache

This will give an error on the SSL request.

Webmin / Webmin Configuration / SSL Encryption / Let's Encrypt
Choice: A different Apache virtual host <Default>
Request certificate

mv /opt/gluu-server-3.1.4/etc/certs/httpd.crt /opt/gluu-server-3.1.4/etc/certs/httpd.crt.bk

mv /opt/gluu-server-3.1.4/etc/certs/httpd.key /opt/gluu-server-3.1.4/etc/certs/httpd.key.bk

cd /opt/gluu-server-3.1.4/etc/certs/

sudo ln -s /etc/webmin/letsencrypt-cert.pem /opt/gluu-server-3.1.4/etc/certs/
mv letsencrypt-cert.pem httpd.crt

sudo ln -s /etc/webmin/letsencrypt-key.pem /opt/gluu-server-3.1.4/etc/certs/
mv letsencrypt-key.pem httpd.key

openssl x509 -outform der -in httpd.crt -out httpd.der

/opt/gluu-server-3.1.4/opt/jdk1.8.0_181/jre/bin/keytool -delete -alias host._gimitec_com_httpd -keystore /opt/gluu-server-3.1.4/opt/jdk1.8.0_181/jre/lib/security/cacerts -storepass changeit

/opt/gluu-server-3.1.4/opt/jdk1.8.0_181/jre/bin/keytool -importcert -file httpd.der -keystore /opt/gluu-server-3.1.4/opt/jdk1.8.0_181/jre/lib/security/cacerts -alias host_gimitec_com_httpd -storepass changeit

This setup will not work
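
Because the Gluu Server is a chroot container, an absolute symlink target such as /etc/webmin/letsencrypt-cert.pem is looked up under /opt/gluu-server-3.1.4 when it is opened from inside the container, so it is worth checking where httpd.crt and httpd.key actually resolve. The script below is an added example, not part of the original page or of Gluu; the function names chroot_view and check_gluu_certs are hypothetical.

```shell
#!/bin/sh
# Added example: show how a path inside a chroot resolves from within it.
# Function names are hypothetical; the paths are the ones used on this page.

# chroot_view ROOT PATH   (PATH is absolute, as a process in the chroot sees it)
# Prints the host-side path that process would end up opening.
# Returns 0 if it exists, 1 if it is missing, 2 on a symlink loop.
# Assumption: relative targets do not climb above ROOT with "..".
chroot_view() {
    root=${1%/}; p=$2; hops=0
    while [ -L "$root$p" ]; do
        hops=$((hops + 1))
        [ "$hops" -le 16 ] || return 2
        target=$(readlink "$root$p")
        case $target in
            /*) p=$target ;;                  # absolute target: re-rooted at ROOT
            *)  p=$(dirname "$p")/$target ;;  # relative target: beside the link
        esac
    done
    printf '%s\n' "$root$p"
    [ -e "$root$p" ]
}

# check_gluu_certs ROOT: report both Apache files, non-zero if either dangles.
check_gluu_certs() {
    croot=$1; bad=0
    for f in /etc/certs/httpd.crt /etc/certs/httpd.key; do
        if seen=$(chroot_view "$croot" "$f"); then
            echo "ok       $f -> $seen"
        else
            echo "DANGLING $f -> ${seen:-symlink loop}"; bad=1
        fi
    done
    return "$bad"
}

# Run against a real install only when a root is given on the command line,
# e.g.: sh check.sh /opt/gluu-server-3.1.4
if [ "$#" -gt 0 ]; then
    check_gluu_certs "$1"
fi
```

A DANGLING line means the file Apache is configured to read does not exist from the container's point of view; copying the certificate and key into /opt/gluu-server-3.1.4/etc/certs/ instead of linking them avoids that.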