Installing Gluu Server on RHEL 8 with the DISA STIG security profile

A Security Technical Implementation Guide (“STIG”) is a document published by the Department of Defense Cyber Exchange (DoD), which is sponsored by the Defense Information Systems Agency (DISA). It contains guidance on how to configure systems to defend against potential threats. These threats mainly include cyberattacks, but there can also be problems caused by the use of misconfigured systems.

The DISA STIG for Red Hat Enterprise Linux version 8 (“RHEL 8”) is available on GitHub. As there are 291 rules, implementing them by hand can be somewhat time-consuming (and error-prone). Luckily, while installing RHEL 8, you can select the DISA STIG security profile. This makes setting up a compliant server incredibly easy. This is incredible work by the Red Hat security team.

Some of the features of this security profile may be significantly stricter than the default configuration for RHEL 8. In particular, consider these three services:

  • fapolicyd: This is a kernel level process that enforces which system users can access which files. Rules are defined in /etc/fapolicyd/fapolicyd.rules.
  • SELinux: A kernel level security layer that enforces policies like which users can run a process or use a network port.
  • System-Wide Cryptographic Policies: A mechanism to enforce which crypto algorithms are available for use by certain applications, like Java programs or OpenSSL.

Before you install the Gluu Server, you’ll need to do a base installation of RHEL 8. Here is a rough procedure:

1. Download rhel-8.4-x86_64.dvd.iso

2. Select Minimal Software installation

3. Manual partition:
   /tmp, 1G
   /boot, 500M
   /home, 3G
   /var, 5G
   /var/log, 3G
   /var/log/audit, 2G
   /var/tmp, 1G
   / (rest of the space)

4. Security Profile: DISA STIG

5. Enable network and set a FQDN hostname

Once you have the base installation completed, don’t forget to connect to the RHEL package repository:

$ sudo su -
# subscription-manager register
Username: (your acct name)
Password: *******
# subscription-manager attach --auto
# yum upgrade

Installing the Gluu Server on a RHEL 8 server with the DISA STIG is only possible using a new distribution of Gluu 4.3. You can download the beta version here. You’ll also need to download the Gluu RPM GPG key.

# mv RPM-GPG-KEY-GLUU /etc/pki/rpm-gpg/
# rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-GLUU
# dnf install gluu-server-fips-4.3.0.el8.x86_64.rpm

After installing the package, navigate to /install/community-edition-setup and run setup.py as normal. You’ll also need to open the local system firewall for https.

# firewall-cmd --zone=public --permanent --add-service=https
# firewall-cmd --reload
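Because the STIG profile changes the behaviour of fapolicyd, SELinux and the system-wide crypto policy (the three services described earlier), it is worth confirming that all of them are still in the expected state once the package is installed and the firewall is opened. The following POSIX shell script is an added example, not part of this post or of Gluu's own tooling. Each check takes the relevant command output as an argument and returns 0 (compliant) or 1, so the logic can be exercised with constructed sample values; the live run at the bottom is opt-in through the STIG_CHECK_LIVE variable. It assumes the firewall zone is public, as in the commands above, and that the summary rpm reports for the Gluu key contains the word "Gluu"; the command names (getenforce, update-crypto-policies, systemctl, firewall-cmd, rpm) are standard RHEL 8 tools.

```shell
#!/bin/sh
# Post-install state checks for a Gluu Server on a DISA STIG RHEL 8 host.
# Added example; every check_* function is pure (input string in, exit
# status out) so it can be tested without the real commands.

# SELinux must be enforcing (argument: output of `getenforce`).
check_selinux() {
    [ "$1" = "Enforcing" ]
}

# The system-wide crypto policy must be FIPS
# (argument: output of `update-crypto-policies --show`).
# A FIPS subpolicy such as FIPS:OSPP still counts as FIPS.
check_crypto_policy() {
    case "$1" in
        FIPS|FIPS:*) return 0 ;;
        *)           return 1 ;;
    esac
}

# fapolicyd must be running (argument: output of `systemctl is-active fapolicyd`).
check_fapolicyd() {
    [ "$1" = "active" ]
}

# https must be among the allowed services of the zone
# (argument: output of `firewall-cmd --zone=public --list-services`,
# a space-separated list of service names).
check_https_open() {
    for svc in $1; do
        [ "$svc" = "https" ] && return 0
    done
    return 1
}

# The Gluu signing key must be known to rpm
# (argument: output of `rpm -q gpg-pubkey --qf '%{SUMMARY}\n'`, one key per line).
# ASSUMPTION: the summary of the Gluu key contains the word "Gluu".
check_gpg_key_imported() {
    printf '%s\n' "$1" | grep -qi 'gluu'
}

# Print PASS/FAIL for one named check and count failures.
run_check() {
    name=$1; shift
    if "$@"; then
        echo "PASS  $name"
    else
        echo "FAIL  $name"
        failures=$((failures + 1))
    fi
}

# Gather the live values on a real host and run every check.
# Exit status is 0 only when all checks pass.
main() {
    failures=0
    run_check "SELinux enforcing"           check_selinux          "$(getenforce 2>/dev/null)"
    run_check "Crypto policy is FIPS"       check_crypto_policy    "$(update-crypto-policies --show 2>/dev/null)"
    run_check "fapolicyd running"           check_fapolicyd        "$(systemctl is-active fapolicyd 2>/dev/null)"
    run_check "https open in public zone"   check_https_open       "$(firewall-cmd --zone=public --list-services 2>/dev/null)"
    run_check "Gluu RPM GPG key imported"   check_gpg_key_imported "$(rpm -q gpg-pubkey --qf '%{SUMMARY}\n' 2>/dev/null)"
    echo "$failures check(s) failed"
    [ "$failures" -eq 0 ]
}

# Live run is opt-in: STIG_CHECK_LIVE=1 sh stig-check.sh
if [ "${STIG_CHECK_LIVE:-0}" = 1 ]; then
    main
fi
```

Run it as root with STIG_CHECK_LIVE=1 after setup.py has finished; a FAIL on the crypto policy line usually means the host was not installed with the STIG profile (the policy will read DEFAULT), and a FAIL on the https line means the firewall-cmd --permanent change was made but --reload was skipped.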

There are some important differences between this distribution of CE and the one you are used to. First, this is a “no-chroot” distribution, meaning that the Gluu software is installed in the host system (not in /opt/gluu-server). At present, this package does not contain the Shibboleth IDP. We plan to add that later. Nor does it currently contain passport-js (and it’s unclear if we will add this component to this distribution in the future, because it’s JavaScript, which is not managed by the central crypto policies). So the main use case here is SSO for applications that support OpenID Connect. You’ll also notice that the OpenID Connect provider supports a shorter list of cryptographic signing and encryption algorithms, to align with FIPS 140-2 guidelines.

This distribution is based on open source components, and the binary is freely available. If your organization is interested in deploying a highly available cluster of these servers, you should reach out for more information about a VIP support subscription.