How can I use certificates for XMPP client authentication in client2server connections?

Hi, I want to use certificates for XMPP client authtication, but after I digging into Openfire’s source code, I find that Openfire only support SASL EXTERNAL mechanism for server2server connections, for client2server connections Openfire supoort SASL mechanisms: ANONYMOUS,PLAIN,DIGEST-MD5,CRAM-MD5,GSSAPI,JIVE-SHAREDSECRET, but do not support EXTERNAL mechanism, does this means for client2server connections I can not use certificates for client authentication? Is there some workaround for this case?

Hey cao yunfei,

There are a few ways to accomplish client authentication in Openfire. You can either use GSSAPI or NTLM during SASL authentication. Both SASL mechanisms will let you implement SSO (Single Sign On). Moreover, in Openfire 3.4.0 (to be released soon) we added the option to check for client certificates during the TLS negotiation. You can set from the admin console the system property xmpp.client.cert.policy to

  1. needed - requires clients to have a certificate and be valid

  2. wanted - clients with certificates will be validated and if no cert was found then it will fine too

  3. disabled - client certificates are not validated


– Gato


I was also looking to do the same sorts of things but am not able to find the xmpp.client.cert.policy setting on the Admin console under the system properties.

The only ones I see are (Openfire 3.6.0)

  • xmpp.auth.anonymous

  • xmpp.domain

  • xmpp.session.conflict-limit


Are they available elsewhere ?



Hey Richard,

You will need to add the system property **xmpp.client.cert.policy in **the admin console. The admin console does not list all supported system properties. After setting the system property new connected clients will get their certificates authenticated.


– Gato

Since the admin console does not list all supported properties, is there a place where I can get this list?

I have the same problem as described. Spark web works well with HTTP, but with HTTPS it freezes, openfire debug/warning/error log is empty, and here are the settings that I am using:

function jive_sparkweb_getConfig()
return {
server: “djcfwf3j”,
connectionType: “https”,
port: “7073”,
autoLogin: “false”

Version:Openfire 3.6.0, SparkWeb 0.9.0

I have changed the default http-bind secure port to 7073.

When opening https://djcfwf3j:7073/ I am prompted to accept the certificate. After accepting the cert I see




Powered by Jetty://

which is fine, because I see the same message at http://djcfwf3j:7070/ , however plain http works perfectly.

Has anyone get https work successfully? If yes, did you have a valid certificate signed by a CA? I can not obtain that one for my domain since I am currently doing some tests on an internal domain which is not visible to outside and not registered with whois, etc.