Configuring JM v2.2 to listen for XMPP connections on multiple ports

For various reasons related to network security, I need to configure Jive Messenger v2.2 to listen for XMPP client connections on two different SSL-enabled ports:

5223 (standard SSL port)

443 (non-standard, required because of proxy server restrictions)

I noticed that the jive-messenger.xml no longer contains information on the listening port configuration. Using the admin webapp, I do see where I can modify the port numbers for "Client Port" and "Client SSL Port". However, there is no obvious way to add additional listening ports.

Is my only option to run two separate instances of the server, each listening on a different port for Client SSL connections?

Thanks,

jason

Hey jason,

> Is my only option to run two separate instances of the server, each listening on a different port for Client SSL connections?

You are correct. JM will only listen to one port for unsecured client connections and another port for secured connections. So as you said, you will have to have different servers if you need to listen to many ports or maybe you can use some proxies that will route traffic to different ports to the server ports.

Regards,

– Gato

Hmm - that helps, but doesn't get me all the way there. Here's why:

Because port assignments are stored in the database, and both instances of Jive Messenger have to point to the same database instance, I don't think I can use that configuration.

I'll go ahead and try out the proxy-based configuration (most likely, Apache 2.0 mod_proxy) and see how that works out.

Thanks,

jason

Hey jason,

> Because port assignments are stored in the database, and both instances of Jive Messenger have to point to the same database instance, I don't think I can use that configuration.

You are once again correct. Different JM installations will each require their own database. In other words, you can't share the same db between JM servers.

> I'll go ahead and try out the proxy-based configuration (most likely, Apache 2.0 mod_proxy) and see how that works out.

Ok. I never tried this configuration but it should work. Let us know how it goes.

Thanks,

– Gato

Here is a very workable solution that actually does three things for me:

  • It allows me to use the same SSL certificate and key files that are used with Apache - plain .pem encoded, not .x509.
  • I can configure Jive Messenger to not listen on any SSL ports for either the Admin Webapp or Secure XMPP connections.
  • I can configure the server to only bind to specific interfaces and ports.

Here is what I used:

ssl_proxy v1.0.3

It is very simple to install (just type "make"), and uses no configuration files. Instead, you simply give it command line parameters for each listening port. This is the SSL listener for "im.buberel.org" port 443 that relays all XMPP connections to the jive_messenger server running on port 5222:


/opt/sslproxy/ssl_proxy -s 82.165.246.93:443 -c 127.0.0.1:5222 -C /etc/ssl/buberel.org/certs/im.buberel.org.cert.pem -K /etc/ssl/buberel.org/private/im.buberel.org.key.pem


This line does the same for port 5223:


/opt/sslproxy/ssl_proxy -s 82.165.246.93:5223 -c 127.0.0.1:5222 -C /etc/ssl/buberel.org/certs/im.buberel.org.cert.pem -K /etc/ssl/buberel.org/private/im.buberel.org.key.pem


I just added these to my jive_messenger startup script, and it works like a charm!!

Woohoo!


One additional note:

You can just as easily use sslproxy to allow HTTPS connections to the Jive Messenger Admin server with a standard OpenSSL/Apache-compatible certificate file. This saves you the trouble of having to convert an existing certificate/key pair into x509 format:

/opt/sslproxy/ssl_proxy -s 82.165.246.93:9093 -c 127.0.0.1:9009 -C /etc/ssl/buberel.org/certs/im.buberel.org.cert.pem -K /etc/ssl/buberel.org/private/im.buberel.org.key.pem

Also works like a charm!

Discovered one problem with this approach, however:

When using a proxy to wrap the non-SSL HTTP listener with SSL-security (in order to avoid having to convert my certificates to Java/x509 format), it appears as though the Jive Messenger Admin Webapp is sending redirects that use the full URL (http://…/).

As you can probably guess, this really screws things up a bit when you are trying to force all HTTP requests to be routed via the Proxy listener using SSL.

Would this be considered a "bug"?

From the author of "sslproxy":

The key to the problem is the following error near the end of the log:

32468:error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request:s23_srvr.c:400:

I have searched the net and I found that this error indicates a client speaking HTTP instead of HTTPS. Is it possible on your server that something refers to a http://yourhost:9091/ address instead of a https://yourhost:9091/ address? If this is impossible then could you give me access to your site, so I could try out myself what happens. I have tried to connect to it, but it seems the server is behind a firewall, I couldn't connect to it.
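Two checks for the failure mode discussed in the last two posts, written as an added example (not code from the thread or from ssl_proxy): the first classifies the opening bytes of a connection so you can tell a real TLS ClientHello from the plaintext "GET" that triggers OpenSSL's "http request" error, the second rewrites the backend's absolute http:// redirect so the browser stays on the TLS proxy port, which is what Apache's ProxyPassReverse does for mod_proxy. Hostnames and the sample Location header are constructed; the port numbers (9009 backend, 9093 proxy) are the ones used earlier in the thread.

```python
import re
from urllib.parse import urlsplit, urlunsplit

TLS_HANDSHAKE_RECORD = 0x16
HTTP_METHOD = re.compile(rb"^(GET|POST|HEAD|PUT|OPTIONS) /")


def looks_like_tls_client_hello(first_bytes: bytes) -> bool:
    """True if the first bytes on the socket are an SSL/TLS ClientHello."""
    if len(first_bytes) < 3:
        return False
    # TLS record header: content type 0x16 (handshake), protocol major version 3
    if first_bytes[0] == TLS_HANDSHAKE_RECORD and first_bytes[1] == 0x03:
        return True
    # SSLv2-compatible ClientHello: high bit set on the length byte, msg type 1
    if first_bytes[0] & 0x80 and first_bytes[2] == 0x01:
        return True
    return False


def classify_first_bytes(first_bytes: bytes) -> str:
    """Label what arrived on the TLS listener. "plaintext-http" is the case
    behind SSL23_GET_CLIENT_HELLO:http request: the client followed an
    http:// redirect straight into the SSL port."""
    if looks_like_tls_client_hello(first_bytes):
        return "tls"
    if HTTP_METHOD.match(first_bytes):
        return "plaintext-http"
    return "unknown"


def rewrite_location(location: str, backend_host: str, backend_port: int,
                     public_host: str, public_port: int) -> str:
    """Rewrite an absolute http://backend redirect to https://proxy.
    Relative redirects and redirects to other hosts are left untouched."""
    parts = urlsplit(location)
    if parts.scheme != "http":
        return location
    backend_netlocs = {backend_host, f"{backend_host}:{backend_port}"}
    if parts.netloc not in backend_netlocs:
        return location
    netloc = public_host if public_port == 443 else f"{public_host}:{public_port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample: what the admin webapp behind ssl_proxy sends back
    loc = "http://im.example.org:9009/login.jsp?url=%2Findex.jsp"
    print(rewrite_location(loc, "im.example.org", 9009, "im.example.org", 9093))
    print(classify_first_bytes(b"GET /login.jsp HTTP/1.1\r\n"))
```

Run the rewrite on every Location header the proxy relays; the classifier is what you would put in front of the listener's logging to turn the cryptic OpenSSL error into a readable "plaintext HTTP on TLS port" event.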