Hosting OpenFire
When reproducing, using, or extracting this text, always reference the source and the author: Ignacio Rondini
Installing Openfire
I’ve been spending some time installing an Openfire server to self-host. I wanted to write down, in my own words, the minimal configuration that is needed. This is based on the official documentation at https://download.igniterealtime.org/openfire/docs/latest/documentation and on my own experience.
About OpenFire
Openfire is an open-source XMPP server. XMPP is a decentralized protocol for communications. There’s no particular reason to choose it other than the fact that it is written in Java. As it is a language I know well, it would make it easier to contribute to the project in the future.
Installing the package on Ubuntu
The packages can be downloaded from the official page and installed via dpkg -i package_name.
Setup
After the installation, Openfire creates a central directory at /usr/share/openfire where all the important directories are found.
There’s one important file, /usr/share/openfire/conf/openfire.xml, with the core initial configuration options, especially the ports used by the admin page, which lets you manage your instance.
You can allow the admin page to be accessible only via a specific interface of your host (localhost, a VPN interface, etc.), or leave it exposed to the full internet on every interface. I strongly suggest restricting this by adding the <interface> tag below the admin ports. Be sure that the ports are not already in use!
If you make modifications at this level, do not forget to restart Openfire via systemctl restart openfire.
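As an added check (not from the Openfire docs or the original post), a small POSIX shell script that reads the <adminConsole> block of openfire.xml, reports whether the console is bound to a single interface, and tests whether a port is already taken. The element names <adminConsole>, <port> and <securePort> are assumed from Openfire’s shipped configuration; <interface> is the tag named above, and the sample file it writes is constructed.

```shell
#!/bin/sh
# Added example, not from the Openfire docs: inspect the <adminConsole> block of
# openfire.xml and report whether the admin console is bound to one interface.
# Element names <adminConsole>, <port> and <securePort> are assumed from
# Openfire's shipped openfire.xml; <interface> is the tag named in the text.

# Prints the text of one element inside <adminConsole>; empty if absent.
admin_console_value() {   # $1 = openfire.xml path, $2 = element name
  sed -n '/<adminConsole>/,/<\/adminConsole>/p' "$1" \
    | sed -n "s/.*<$2>\([^<]*\)<\/$2>.*/\1/p" | head -n 1
}

# Prints the binding and returns 1 when no <interface> is set: Openfire then
# listens for the admin console on every interface of the host.
admin_console_binding() {   # $1 = openfire.xml path
  iface=$(admin_console_value "$1" interface)
  if [ -z "$iface" ]; then
    echo "exposed: admin console listens on all interfaces"
    return 1
  fi
  echo "restricted: admin console bound to $iface"
  return 0
}

# Returns 0 if nothing listens on the TCP port, 1 if it is already in use,
# 2 if ss(8) is unavailable and the check cannot be made.
port_is_free() {   # $1 = port number
  command -v ss >/dev/null 2>&1 || return 2
  ss -ltn 2>/dev/null | awk 'NR > 1 { print $4 }' | grep -q ":$1\$" && return 1
  return 0
}

# Writes a constructed sample openfire.xml (only the adminConsole part).
make_sample_config() {   # $1 = output path, $2 = interface value, "" for none
  {
    echo '<jive>'
    echo '  <adminConsole>'
    echo '    <port>9090</port>'
    echo '    <securePort>9091</securePort>'
    [ -n "$2" ] && echo "    <interface>$2</interface>"
    echo '  </adminConsole>'
    echo '</jive>'
  } > "$1"
}

# Stand-alone run against a constructed sample bound to loopback.
cfg=$(mktemp); make_sample_config "$cfg" 127.0.0.1
admin_console_binding "$cfg"
if port_is_free "$(admin_console_value "$cfg" port)"; then echo "port 9090 is free"
else echo "port 9090 in use or check unavailable (status $?)"; fi
rm -f "$cfg"
```

Run it against /usr/share/openfire/conf/openfire.xml instead of the sample to audit a live install; a return of 1 from admin_console_binding means the console is reachable from every interface.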
Logs
You can check the logs at /usr/share/openfire/logs/openfire.log. This is the first place to look if anything doesn’t go as planned. You can change the logging configuration using the file /usr/share/openfire/log4j.xml. For instance, you can set the logging level to debug if you need to explore something.
Setup page
Once the installation is done, you’ll be able to access the setup page, one time only, by connecting to <interface_address>:<admin_port>. There you’ll be able to configure the essentials of your instance (service name, server name, admin account, etc.).
At this stage, you can select whether the admin panel will be open to the internet or restricted (Openfire sets it to 127.0.0.1; if you use another interface, then you have to specify it again in openfire.xml).
Configuring the Keystore
Openfire is a Java server, so it uses a keystore in JKS format (Java KeyStore). This is used to handle signed certificates, private keys, etc. You will be able to perform some actions via the admin page, and others via the command line using keytool, a utility provided by Java to perform operations on a JKS keystore.
Change the password
This is paramount. First of all, change the password of the Java keystore to something else:
keytool -storepasswd -keystore <keystore_file> -storepass <old_password> -new <new_password>
The old password is the default one shared by every Java server keystore.
Don’t forget to change the value of the password via the admin page too.
Importing your certificate
If you want to use a certificate signed by an external CA, then you can import it via the admin panel > TLS connection > manage keystore. You’ll be asked to add the certificate and the private key. Provide the full chain certificate. You can then remove any unnecessary certificates (like the self-signed default ones). If you’re using different service and server names, do you then need to provide keys and certificates for both?
If you keep the self-signed certificate, then XMPP clients will be asked to trust it; otherwise, clients may simply reject the connection.
Network configuration: service name, FQDN and SRV
There are two main properties that need to be set.
- The XMPP domain name, or service name, is the name of your XMPP service. This will be part of the JID of your users (e.g., user@service-name.com).
- The fully qualified domain name (FQDN), or server host name, is the name of the host where Openfire is deployed.
On a default installation, both names and ports would be standard. However, if you need a non-standard configuration (a different server name, or non-standard ports), then you need to add SRV records to the DNS zone.
_xmpp-client._tcp.example.org. 86400 IN SRV 0 5 5222 xmpp.example.org.
_xmpp-server._tcp.example.org. 86400 IN SRV 0 5 5269 xmpp.example.org.
_xmpps-client._tcp.example.org. 86400 IN SRV 0 5 5223 xmpp.example.org.
_xmpps-server._tcp.example.org. 86400 IN SRV 0 5 5270 xmpp.example.org.
For example, if you want to use chat.test as the service name, so that users have a JID of user@chat.test, but you need to run the server on a host named server.test with ports starting with 7 (7222, …), then you should have the following configuration:
_xmpp-client._tcp.chat.test. 86400 IN SRV 0 5 7222 server.test.
_xmpp-server._tcp.chat.test. 86400 IN SRV 0 5 7269 server.test.
_xmpps-client._tcp.chat.test. 86400 IN SRV 0 5 7223 server.test.
_xmpps-server._tcp.chat.test. 86400 IN SRV 0 5 7270 server.test.
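As an added example (not from the Openfire docs or the original post), a POSIX shell script that derives the four SRV records for a service name, server host and port base, and checks them against the answer section of a dig SRV query. It goes beyond the single case above in that the port base is a parameter (5000 reproduces the standard records, 7000 the chat.test ones); the dig output it checks is constructed, with one record deliberately left at the standard port.

```shell
#!/bin/sh
# Added example, not from the Openfire docs: derive the four SRV records for an
# XMPP service and check that a DNS answer actually carries them.

# Prints the four SRV records in zone-file form, one per line.
# $1 = service (JID) domain, $2 = server host name, $3 = port base:
# 5000 yields the standard 5222/5269/5223/5270, 7000 yields 7222/7269/7223/7270.
xmpp_srv_records() {
  domain=$1; host=$2; base=$3
  for entry in "_xmpp-client 222" "_xmpp-server 269" \
               "_xmpps-client 223" "_xmpps-server 270"; do
    set -- $entry     # $1 = record prefix, $2 = port offset
    printf '%s._tcp.%s. 86400 IN SRV 0 5 %s %s.\n' \
      "$1" "$domain" "$((base + $2))" "$host"
  done
}

# Reads a dig-style answer section on stdin (e.g. from
# `dig +noall +answer SRV _xmpp-client._tcp.<domain>` for each name),
# collapses tabs and space runs, and prints every expected record that
# is missing. Returns 0 when all four are published, 1 otherwise.
check_srv_published() {   # $1 = domain, $2 = host, $3 = port base
  answer=$(awk '{ $1 = $1; print }')
  missing=$(xmpp_srv_records "$1" "$2" "$3" | while IFS= read -r rec; do
      printf '%s\n' "$answer" | grep -qxF "$rec" || printf 'MISSING %s\n' "$rec"
    done)
  [ -z "$missing" ] && return 0
  printf '%s\n' "$missing"
  return 1
}

# Constructed dig answer for the chat.test example: the _xmpps-server record
# still points at the standard port 5270 instead of 7270.
SAMPLE_ANSWER='_xmpp-client._tcp.chat.test.  86400  IN  SRV  0 5 7222 server.test.
_xmpp-server._tcp.chat.test.  86400  IN  SRV  0 5 7269 server.test.
_xmpps-client._tcp.chat.test.  86400  IN  SRV  0 5 7223 server.test.
_xmpps-server._tcp.chat.test.  86400  IN  SRV  0 5 5270 server.test.'

# Stand-alone run: print the expected zone lines, then flag the mismatch.
xmpp_srv_records chat.test server.test 7000
printf '%s\n' "$SAMPLE_ANSWER" | check_srv_published chat.test server.test 7000 \
  || echo "zone is not consistent with the intended configuration"
```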
Configuring SMTP
If you have an SMTP service, you can easily configure it in the admin panel.
DB
Openfire has an internal DB that is used by default. I have used it for now; in the future, I plan to use an external DB. No further configuration was needed for this step.
Uninstalling
Launch setup again
Sometimes we just want to relaunch the initial configuration. For this, we can modify the openfire.xml configuration and set the tag
Fully uninstall
- Removing the package:
sudo apt remove --purge openfire
sudo apt autoremove
- Removing remaining files:
sudo rm -rf /usr/share/openfire
sudo rm -rf /usr/share/openfire/conf
sudo rm -rf /var/lib/openfire
sudo rm -rf /var/log/openfire
sudo rm -rf /etc/openfire
- Removing the user and group:
sudo userdel openfire
sudo groupdel openfire