Joining a chat room that is on a different server?

Hi avinh,

"Unable to contact search service"

Just a quick question, does the remote server have a search service?

Thanks,

Ryan

It could be s2s TLS/SSL related:

On the admin console go to security settings, and for "Server Connection Security", make it custom and change TLS to Not Available. This should disable any TLS attempts during s2s connections.

There are two (or three) places that SSL/TLS is used:

Client connections: 5223 (SSL is enabled from the word go), 5222 (TLS is enabled via STARTTLS after the connection is made). Server connections: 5269 (TLS is optionally enabled via STARTTLS).

Server-to-Server TLS/SSL is a fairly new feature, so it's possible that it's breaking something. By disabling it, you might be able to work around the s2s connection problems.

FYI: SSL and TLS are really exactly the same thing, just SSL is older and is generally enabled as the connection is made. TLS is really the same thing, but is optionally enabled once the connection has been made and some headers have been sent back and forth.

Thanks for the info. I do realize that SSL has evolved into TLS (the newer technology) but for reference purposes - that's what is listed on the screen as well as in the log files, so I'm relaying the msgs.

I have disabled TLS as you have recommended, restarted both wildfire servers, tried the search from the Spark Client as well as a conference/chat room search from the Spark Client - even though the server sessions show up in the admin window of both servers, both search mechanisms popped up the same error msg windows (i.e. the user search as well as the chat room search failed).

Anything else you can think of trying?

Here is the error log from the Spark Client:

Mar 16, 2006 12:09:05 PM com.jivesoftware.spark.util.log.Logger logError
SEVERE: Problem when loading conference service.
(404)
at org.jivesoftware.smackx.ServiceDiscoveryManager.discoverInfo(ServiceDiscoveryManager.java:360)
at org.jivesoftware.smackx.ServiceDiscoveryManager.discoverInfo(ServiceDiscoveryManager.java:326)
at com.jivesoftware.spark.ui.conferences.BookmarkedConferences.getConferenceServices(BookmarkedConferences.java:441)
at com.jivesoftware.spark.ui.conferences.BookmarkedConferences.access$800(BookmarkedConferences.java:72)
at com.jivesoftware.spark.ui.conferences.BookmarkedConferences$12.construct(BookmarkedConferences.java:385)
at com.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:121)
at java.lang.Thread.run(Unknown Source)

Mar 16, 2006 12:09:05 PM com.jivesoftware.spark.util.log.Logger logError
SEVERE: Problem when loading conference service.
(404)
at org.jivesoftware.smackx.ServiceDiscoveryManager.discoverInfo(ServiceDiscoveryManager.java:360)
at org.jivesoftware.smackx.ServiceDiscoveryManager.discoverInfo(ServiceDiscoveryManager.java:326)
at com.jivesoftware.spark.ui.conferences.BookmarkedConferences.getConferenceServices(BookmarkedConferences.java:441)
at com.jivesoftware.spark.ui.conferences.BookmarkedConferences.access$800(BookmarkedConferences.java:72)
at com.jivesoftware.spark.ui.conferences.BookmarkedConferences$12.construct(BookmarkedConferences.java:385)
at com.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:121)
at java.lang.Thread.run(Unknown Source)

Mar 16, 2006 12:09:08 PM com.jivesoftware.spark.util.log.Logger logError
SEVERE: Unable to retrieve list of rooms.
(404)
at org.jivesoftware.smackx.ServiceDiscoveryManager.discoverItems(ServiceDiscoveryManager.java:407)
at org.jivesoftware.smackx.ServiceDiscoveryManager.discoverItems(ServiceDiscoveryManager.java:373)
at org.jivesoftware.smackx.muc.MultiUserChat.getHostedRooms(MultiUserChat.java:240)
at com.jivesoftware.spark.ui.conferences.ConferenceRooms.getRoomList(ConferenceRooms.java:546)
at com.jivesoftware.spark.ui.conferences.ConferenceRooms.access$1200(ConferenceRooms.java:85)
at com.jivesoftware.spark.ui.conferences.ConferenceRooms$6.construct(ConferenceRooms.java:345)
at com.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:121)
at java.lang.Thread.run(Unknown Source)

Mar 16, 2006 12:09:15 PM com.jivesoftware.spark.util.log.Logger logError
SEVERE: Error setting up GroupChatTable
java.lang.NullPointerException
at com.jivesoftware.spark.ui.conferences.ConferenceRooms$6.finished(ConferenceRooms.java:362)
at com.jivesoftware.spark.util.SwingWorker$3.run(SwingWorker.java:128)
at java.awt.event.InvocationEvent.dispatch(Unknown Source)
at java.awt.EventQueue.dispatchEvent(Unknown Source)
at java.awt.EventDispatchThread.pumpOneEventForHierarchy(Unknown Source)
at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
at java.awt.EventDispatchThread.run(Unknown Source)

Here is the log from the wildfire server before disabling TLS:

2006.03.16 11:08:25 [org.jivesoftware.wildfire.ldap.LdapUserProvider.findUsers(LdapUserProvider.java:360)]
java.lang.NullPointerException
at org.jivesoftware.wildfire.ldap.LdapUserProvider.findUsers(LdapUserProvider.java:349)
at org.jivesoftware.wildfire.user.UserManager.findUsers(UserManager.java:235)
at org.jivesoftware.wildfire.plugin.search.advance_002duser_002dsearch_jsp._jspService(advance_002duser_002dsearch_jsp.java:76)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:94)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:688)
at org.jivesoftware.wildfire.container.PluginServlet.handleJSP(PluginServlet.java:227)
at org.jivesoftware.wildfire.container.PluginServlet.service(PluginServlet.java:91)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:688)
at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:427)
at org.mortbay.jetty.servlet.WebApplicationHandler$CachedChain.doFilter(WebApplicationHandler.java:822)
at org.jivesoftware.admin.AuthCheckFilter.doFilter(AuthCheckFilter.java:98)
at org.mortbay.jetty.servlet.WebApplicationHandler$CachedChain.doFilter(WebApplicationHandler.java:813)
at com.opensymphony.module.sitemesh.filter.PageFilter.parsePage(PageFilter.java:118)
at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:52)
at org.mortbay.jetty.servlet.WebApplicationHandler$CachedChain.doFilter(WebApplicationHandler.java:813)
at org.jivesoftware.util.LocaleFilter.doFilter(LocaleFilter.java:43)
at org.mortbay.jetty.servlet.WebApplicationHandler$CachedChain.doFilter(WebApplicationHandler.java:813)
at org.jivesoftware.util.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:41)
at org.mortbay.jetty.servlet.WebApplicationHandler$CachedChain.doFilter(WebApplicationHandler.java:813)
at org.jivesoftware.admin.AuthCheckFilter.doFilter(AuthCheckFilter.java:98)
at org.mortbay.jetty.servlet.WebApplicationHandler$CachedChain.doFilter(WebApplicationHandler.java:813)
at org.mortbay.jetty.servlet.WebApplicationHandler.dispatch(WebApplicationHandler.java:494)
at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:569)
at org.mortbay.http.HttpContext.handle(HttpContext.java:1482)
at org.mortbay.jetty.servlet.WebApplicationContext.handle(WebApplicationContext.java:624)
at org.mortbay.http.HttpContext.handle(HttpContext.java:1434)
at org.mortbay.http.HttpServer.service(HttpServer.java:896)
at org.mortbay.http.HttpConnection.service(HttpConnection.java:814)
at org.mortbay.http.HttpConnection.handleNext(HttpConnection.java:981)
at org.mortbay.http.HttpConnection.handle(HttpConnection.java:831)
at org.mortbay.http.SocketListener.handleConnection(SocketListener.java:244)
at org.mortbay.util.ThreadedServer.handle(ThreadedServer.java:366)
at org.mortbay.util.ThreadPool$PoolThread.run(ThreadPool.java:534)

2006.03.16 11:34:15 [org.jivesoftware.wildfire.server.OutgoingServerSession.createOutgoingSession(OutgoingServerSession.java:315)] Error creating secured outgoing session to remote server: seurat.cbt.nist.gov(DNS lookup: seurat.cbt.nist.gov:5269)
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(Unknown Source)
at javax.net.ssl.SSLEngine.wrap(Unknown Source)
at org.jivesoftware.wildfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.java:320)
at org.jivesoftware.wildfire.net.TLSStreamHandler.<init>(TLSStreamHandler.java:206)
at org.jivesoftware.wildfire.net.SocketConnection.startTLS(SocketConnection.java:150)
at org.jivesoftware.wildfire.server.OutgoingServerSession.secureAndAuthenticate(OutgoingServerSession.java:343)
at org.jivesoftware.wildfire.server.OutgoingServerSession.createOutgoingSession(OutgoingServerSession.java:296)
at org.jivesoftware.wildfire.server.OutgoingServerSession.authenticateDomain(OutgoingServerSession.java:139)
at org.jivesoftware.wildfire.server.OutgoingSessionPromise.createSessionAndSendPacket(OutgoingSessionPromise.java:126)
at org.jivesoftware.wildfire.server.OutgoingSessionPromise.access$300(OutgoingSessionPromise.java:37)
at org.jivesoftware.wildfire.server.OutgoingSessionPromise$1$1.run(OutgoingSessionPromise.java:91)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Unknown Source)
at org.jivesoftware.wildfire.net.TLSStreamHandler.doTasks(TLSStreamHandler.java:371)
at org.jivesoftware.wildfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.java:281)
... 11 more
Caused by: java.security.cert.CertificateException: root certificate not trusted of
at org.jivesoftware.wildfire.net.ServerTrustManager.checkServerTrusted(ServerTrustManager.java:133)
at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(Unknown Source)
... 19 more

2006.03.16 11:34:15 [org.jivesoftware.wildfire.net.SocketReader.run(SocketReader.java:159)] Connection closed before session established
Socket[addr=/129.6.162.240,port=42584,localport=5269]

2006.03.16 11:34:15 [org.jivesoftware.wildfire.net.SocketReader.negotiateTLS(SocketReader.java:680)] Error while negotiating TLS
javax.net.ssl.SSLException: Unsupported record version Unknown-47.115
at com.sun.net.ssl.internal.ssl.EngineInputRecord.bytesInCompletePacket(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(Unknown Source)
at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
at org.jivesoftware.wildfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.java:268)
at org.jivesoftware.wildfire.net.TLSStreamHandler.<init>(TLSStreamHandler.java:206)
at org.jivesoftware.wildfire.net.SocketConnection.startTLS(SocketConnection.java:150)
at org.jivesoftware.wildfire.net.SocketReader.negotiateTLS(SocketReader.java:677)
at org.jivesoftware.wildfire.net.SocketReader.readStream(SocketReader.java:266)
at org.jivesoftware.wildfire.net.SocketReader.run(SocketReader.java:119)
at java.lang.Thread.run(Unknown Source)

2006.03.16 11:34:15 [org.jivesoftware.wildfire.net.SocketReader.run(SocketReader.java:159)] Connection closed before session established
Socket[addr=/129.6.162.240,port=42585,localport=5269]

Here is the log from the wildfire server after disabling TLS:

2006.03.16 12:05:29 [org.jivesoftware.wildfire.net.SocketReader.run(SocketReader.java:159)] Connection closed before session established
Socket[addr=/129.6.162.240,port=42591,localport=5269]

2006.03.16 12:08:44 [org.jivesoftware.wildfire.net.SocketReader.run(SocketReader.java:159)] Connection closed before session established
Socket[addr=/129.6.162.240,port=42601,localport=5269]

> Hi avinh,
>
> "Unable to contact search service"
>
> Just a quick question, does the remote server have a search service?
>
> Thanks,
>
> Ryan

Hi Ryan,

I'm using the wildfire server, so under "Server->Search Properties", I have "Service Enabled" checked to "Enabled" and the "Service Name" is "search.seurat.cbt.nist.gov" (the "seurat.cbt.nist.gov" is appended automatically by the screen).

Alan

I have both of my wildfire servers (version 2.5.0) on each other's "white list" using the default port 5269.

Try opening both servers to allow all connections, maybe the whitelist isn't working? Maybe the remote conference server needs to be in the whitelist too?

> I have both of my wildfire servers (version 2.5.0) on each other's "white list" using the default port
>
> Try opening both servers to allow all connections, maybe the whitelist isn't working? Maybe the remote conference server needs to be in the whitelist too?

Ding, ding, ding, ding - we have a winner!

By adding "conference.seurat.cbt.nist" and "conference.p623572.campus.nist.gov" to the white list of the respective servers, they can now communicate and see each other's chat rooms.

In the security setting, I had to leave the "Server Connection Security" setting to "Custom->TLS not available" which is a shame since this ruins the security measure for the s2s channels. Any way around this?

As for the "Search" feature, I've added "search.seurat.cbt.nist.gov" to the white list using port 5269 too but the "Add Service" still returned an error message for not being able to connect to the seurat server. Are they using different mechanisms and port numbers versus what's used for s2s? How do you suggest fixing the search feature so that I can do searches using the search engine on the remote machine too?

If you add "search.*" to both white lists, then you should be able to access the search component from the other server (assuming DNS is set up, etc). If the conference is working, then the search should work too. (assuming you do the same for both)

You could try copy each server's cert from the Installed certificates list, and paste it into the "Install Certificate" box of the other side. I think this should set up the secure connection between the servers.

> If you add "search.*" to both white lists, then you should be able to access the search component from the other server (assuming DNS is set up, etc). If the conference is working, then the search should work too. (assuming you do the same for both)

Hi normanr,

You've been a big help. I got the search engine to work - I forgot to add the DNS entry for the "search." to the hosts files of each server so they couldn't figure out the IP addresses. The search feature is now working too - yay!

> You could try copy each server's cert from the Installed certificates list, and paste it into the "Install Certificate" box of the other side. I think this should set up the secure connection between the servers.

I tried copying the public key to the "Certificate" box as a "Client Certificate" but it returned an error:

Error installing the certificate.

I copied the following into the "Certificate" box, did I copy too much or what do you think I'm doing wrong?

Here is the public key/certificate info from one of the servers:

Sun DSA Public Key
Parameters:DSA

I'm not sure how to get the certificates in the "right" form, but KB 492 tells you how to import them once you've got the cert.

I think the easiest way to solve your issues here is to generate two new certs from a CA, and install them on your two servers, add the CA to the approved list, and go from there.

(I think alternatively you could generate two self-signed certs, and add them to the other computer's CA list)

UGH, never mind that crap, you've already generated two perfectly good certs, just make sure that the CA and/or the certs are imported into the acceptable CA list - re the KB article.

(fyi: i'm off home)

> I'm not sure how to get the certificates in the "right" form, but KB 492 (http://www.jivesoftware.org/community/entry!default.jspa?categoryID=22&externalID=492) tells you how to import them once you've got the cert.
>
> I think the easiest way to solve your issues here is to generate two new certs from a CA, and install them on your two servers, add the CA to the approved list, and go from there.
>
> (I think alternatively you could generate two self-signed certs, and add them to the other computer's CA list)
>
> UGH, never mind that crap, you've already generated two perfectly good certs, just make sure that the CA and/or the certs are imported into the acceptable CA list - re the KB article.
>
> (fyi: i'm off home)

The instructions for setting up wildfire use the keytool program to create a self signed certificate for my server and put it into the "keystore" file. E.g.:

keytool -genkey -keystore keystore -alias example.com

It then goes on to show you how to create a Certificate Signing Request (CSR) file to send to the Certificate Authority (CA organizations such as Verisign) for signing:

keytool -certreq -keystore keystore -alias example.com -file certificate_file

Once you get the signed certificate back from the CA, you import it into your wildfire "keystore" file as follows:

keytool -import -keystore keystore -alias example.com -file signed_certificate_file

The signed certificate or the original self signed certificate is what I need for the admin screen which should look something like:


-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Does anyone know how to extract wildfire server's certificate from the "keystore" file that lives in directory "resources/security" so that I can copy its content (such as shown above) and import it into wildfire's admin screen?

Do you still have the "certificate_file's" that you generated? You should be able to import those.

> Do you still have the "certificate_file's" that you generated? You should be able to import those.

Hi normanr, sorry I've been in meetings all day. The command I used:

keytool -certreq -keystore keystore -alias seurat.cbt.nist.gov -file certificate_file

Gave me a CSR (i.e. the certificate_file) to be signed by the CA and returned back to me - I don't believe the CSR is a valid certificate. Once I get the signed certificate back from the CA then I can import it into the keystore. Even though I don't think the CSR is a valid certificate, (as you have suggested above) I tried importing the CSR "text" by cutting and pasting the content of the certificate_file into the admin console and it won't take it - I tried it as a "client" and a "server" certificate, both returned the following msg:

Error installing the certificate.

The original command used to create the self-signed certificate and insert it into the "keystore" file was:

keytool -genkey -keystore keystore -alias seurat.cbt.nist.gov

The self-signed certificate is now inside the "keystore" file for each server. What do I have to do to get it out of each "keystore" file in order to import the self-signed certificate into the admin consoles? Someone who is familiar with being a Certificate Authority (CA) should be able to shed some light on this...

I believe that I can set myself up as a CA (using OpenSSL) to sign the CSR, but I didn't want to go that route since I think the self-signed certificates are already there to be extracted from the "keystore" files.

Any more thoughts on this matter?

Has anyone else been able to import certificates into the wildfire admin console under "Server->Security Settings"? What do you need and how do you do this?

Thanks - Alan

I'm going to start another thread specifically about certificates to see if anyone else may know the answer...

Cool. This thread has wandered off topic anyways :stuck_out_tongue:

> Cool. This thread has wandered off topic anyways :stuck_out_tongue:

Actually, I think we've been pretty on topic. If you can't connect s2s, you can't search for a chatroom on the external server. If you want s2s connections with TLS, then the 2 servers have to be able to trust each other, do the handshake deal, exchange certificates, etc... See the following link:

http://www.jivesoftware.org/community/thread.jspa?threadID=18708&tstart=0

That said, I've tried importing the certificate from the external server into the local server's "keystore" and "truststore" files. I then set the "Server->Security Settings" to "Server Connection Security" to "Required". The 2 servers still won't do TLS connections!

Here is the server's log that is trying to make a "search" connection using TLS:

2006.03.20 10:59:03 [org.jivesoftware.wildfire.server.OutgoingServerSession.createOutgoingSession(OutgoingServerSession.java:315)] Error creating secured outgoing session to remote server: search.seurat.cbt.nist.gov(DNS lookup: search.seurat.cbt.nist.gov:5269)
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(Unknown Source)
at javax.net.ssl.SSLEngine.wrap(Unknown Source)
at org.jivesoftware.wildfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.java:320)
at org.jivesoftware.wildfire.net.TLSStreamHandler.<init>(TLSStreamHandler.java:206)
at org.jivesoftware.wildfire.net.SocketConnection.startTLS(SocketConnection.java:150)
at org.jivesoftware.wildfire.server.OutgoingServerSession.secureAndAuthenticate(OutgoingServerSession.java:343)
at org.jivesoftware.wildfire.server.OutgoingServerSession.createOutgoingSession(OutgoingServerSession.java:296)
at org.jivesoftware.wildfire.server.OutgoingServerSession.authenticateDomain(OutgoingServerSession.java:139)
at org.jivesoftware.wildfire.server.OutgoingSessionPromise.createSessionAndSendPacket(OutgoingSessionPromise.java:126)
at org.jivesoftware.wildfire.server.OutgoingSessionPromise.access$300(OutgoingSessionPromise.java:37)
at org.jivesoftware.wildfire.server.OutgoingSessionPromise$1$1.run(OutgoingSessionPromise.java:91)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Unknown Source)
at org.jivesoftware.wildfire.net.TLSStreamHandler.doTasks(TLSStreamHandler.java:371)
at org.jivesoftware.wildfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.java:281)
... 11 more
Caused by: java.security.cert.CertificateException: root certificate not trusted of
at org.jivesoftware.wildfire.net.ServerTrustManager.checkServerTrusted(ServerTrustManager.java:133)
at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(Unknown Source)
... 19 more

2006.03.20 10:59:03 [org.jivesoftware.wildfire.server.OutgoingServerSession.createOutgoingSession(OutgoingServerSession.java:315)] Error creating secured outgoing session to remote server: seurat.cbt.nist.gov(DNS lookup: seurat.cbt.nist.gov:5269)
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(Unknown Source)
at javax.net.ssl.SSLEngine.wrap(Unknown Source)
at org.jivesoftware.wildfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.java:320)
at org.jivesoftware.wildfire.net.TLSStreamHandler.<init>(TLSStreamHandler.java:206)
at org.jivesoftware.wildfire.net.SocketConnection.startTLS(SocketConnection.java:150)
at org.jivesoftware.wildfire.server.OutgoingServerSession.secureAndAuthenticate(OutgoingServerSession.java:343)
at org.jivesoftware.wildfire.server.OutgoingServerSession.createOutgoingSession(OutgoingServerSession.java:296)
at org.jivesoftware.wildfire.server.OutgoingServerSession.authenticateDomain(OutgoingServerSession.java:182)
at org.jivesoftware.wildfire.server.OutgoingSessionPromise.createSessionAndSendPacket(OutgoingSessionPromise.java:126)
at org.jivesoftware.wildfire.server.OutgoingSessionPromise.access$300(OutgoingSessionPromise.java:37)
at org.jivesoftware.wildfire.server.OutgoingSessionPromise$1$1.run(OutgoingSessionPromise.java:91)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Unknown Source)
at org.jivesoftware.wildfire.net.TLSStreamHandler.doTasks(TLSStreamHandler.java:371)
at org.jivesoftware.wildfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.java:281)
... 11 more
Caused by: java.security.cert.CertificateException: root certificate not trusted of
at org.jivesoftware.wildfire.net.ServerTrustManager.checkServerTrusted(ServerTrustManager.java:133)
at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(Unknown Source)
... 19 more

2006.03.20 10:59:05 [org.jivesoftware.wildfire.server.OutgoingServerSession.createOutgoingSession(OutgoingServerSession.java:258)] Error trying to connect to remote server: cbt.nist.gov(DNS lookup: cbt.nist.gov:5269)
java.net.UnknownHostException: cbt.nist.gov
at java.net.PlainSocketImpl.connect(Unknown Source)
at java.net.SocksSocketImpl.connect(Unknown Source)
at java.net.Socket.connect(Unknown Source)
at org.jivesoftware.wildfire.server.OutgoingServerSession.createOutgoingSession(OutgoingServerSession.java:253)
at org.jivesoftware.wildfire.server.OutgoingServerSession.authenticateDomain(OutgoingServerSession.java:182)
at org.jivesoftware.wildfire.server.OutgoingSessionPromise.createSessionAndSendPacket(OutgoingSessionPromise.java:126)
at org.jivesoftware.wildfire.server.OutgoingSessionPromise.access$300(OutgoingSessionPromise.java:37)
at org.jivesoftware.wildfire.server.OutgoingSessionPromise$1$1.run(OutgoingSessionPromise.java:91)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)

2006.03.20 10:59:25 [org.jivesoftware.wildfire.server.OutgoingServerSession.createOutgoingSession(OutgoingServerSession.java:258)] Error trying to connect to remote server: nist.gov(DNS lookup: nist.gov:5269)
java.net.SocketTimeoutException: connect timed out
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.PlainSocketImpl.doConnect(Unknown Source)
at java.net.PlainSocketImpl.connectToAddress(Unknown Source)
at java.net.PlainSocketImpl.connect(Unknown Source)
at java.net.SocksSocketImpl.connect(Unknown Source)
at java.net.Socket.connect(Unknown Source)
at org.jivesoftware.wildfire.server.OutgoingServerSession.createOutgoingSession(OutgoingServerSession.java:253)
at org.jivesoftware.wildfire.server.OutgoingServerSession.authenticateDomain(OutgoingServerSession.java:182)
at org.jivesoftware.wildfire.server.OutgoingSessionPromise.createSessionAndSendPacket(OutgoingSessionPromise.java:126)
at org.jivesoftware.wildfire.server.OutgoingSessionPromise.access$300(OutgoingSessionPromise.java:37)
at org.jivesoftware.wildfire.server.OutgoingSessionPromise$1$1.run(OutgoingSessionPromise.java:91)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)

2006.03.20 11:06:35 [org.jivesoftware.wildfire.server.OutgoingServerSession.createOutgoingSession(OutgoingServerSession.java:315)] Error creating secured outgoing session to remote server: search.seurat.cbt.nist.gov(DNS lookup: search.seurat.cbt.nist.gov:5269)
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(Unknown Source)
at javax.net.ssl.SSLEngine.wrap(Unknown Source)
at org.jivesoftware.wildfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.java:320)
at org.jivesoftware.wildfire.net.TLSStreamHandler.<init>(TLSStreamHandler.java:206)
at org.jivesoftware.wildfire.net.SocketConnection.startTLS(SocketConnection.java:150)
at org.jivesoftware.wildfire.server.OutgoingServerSession.secureAndAuthenticate(OutgoingServerSession.java:343)
at org.jivesoftware.wildfire.server.OutgoingServerSession.createOutgoingSession(OutgoingServerSession.java:296)
at org.jivesoftware.wildfire.server.OutgoingServerSession.authenticateDomain(OutgoingServerSession.java:139)
at org.jivesoftware.wildfire.server.OutgoingSessionPromise.createSessionAndSendPacket(OutgoingSessionPromise.java:126)
at org.jivesoftware.wildfire.server.OutgoingSessionPromise.access$300(OutgoingSessionPromise.java:37)
at org.jivesoftware.wildfire.server.OutgoingSessionPromise$1$1.run(OutgoingSessionPromise.java:91)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)

at java.lang.Thread.run(Unknown Source)

Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem

at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)

at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(Unknown Source)

at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)

at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)

at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)

at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)

at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)

at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Unknown Source)

at java.security.AccessController.doPrivileged(Native Method)

at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Unknown Source)

at org.jivesoftware.wildfire.net.TLSStreamHandler.doTasks(TLSStreamHandler.java:37 1)

at org.jivesoftware.wildfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.jav a:281)

… 11 more

Caused by: java.security.cert.CertificateException: target verification failed of

at org.jivesoftware.wildfire.net.ServerTrustManager.checkServerTrusted(ServerTrust Manager.java:149)

at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(Unknown Source)

… 19 more

2006.03.20 11:06:35 [org.jivesoftware.wildfire.server.OutgoingServerSession.createOutgoingSession(O utgoingServerSession.java:315)

] Error creating secured outgoing session to remote server: seurat.cbt.nist.gov(DNS lookup: seurat.cbt.nist.gov:5269)

javax.net.ssl.SSLHandshakeException: General SSLEngine problem

at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Unknown Source)

at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source)

at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(Unknown Source)

at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(Unknown Source)

at javax.net.ssl.SSLEngine.wrap(Unknown Source)

at org.jivesoftware.wildfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.jav a:320)

at org.jivesoftware.wildfire.net.TLSStreamHandler.(TLSStreamHandler.java:206)

at org.jivesoftware.wildfire.net.SocketConnection.startTLS(SocketConnection.java:1 50)

at org.jivesoftware.wildfire.server.OutgoingServerSession.secureAndAuthenticate(Ou tgoingServerSession.java:343)

at org.jivesoftware.wildfire.server.OutgoingServerSession.createOutgoingSession(Ou tgoingServerSession.java:296)

at org.jivesoftware.wildfire.server.OutgoingServerSession.authenticateDomain(Outgo ingServerSession.java:182)

at org.jivesoftware.wildfire.server.OutgoingSessionPromise.createSessionAndSendPac ket(OutgoingSessionPromise.java:126)

at org.jivesoftware.wildfire.server.OutgoingSessionPromise.access$300(OutgoingSess ionPromise.java:37)

at org.jivesoftware.wildfire.server.OutgoingSessionPromise$1$1.run(OutgoingSession Promise.java:91)

at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)

at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)

at java.lang.Thread.run(Unknown Source)

Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem

at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)

at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(Unknown Source)

at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)

at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)

at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)

at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)

at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)

at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Unknown Source)

at java.security.AccessController.doPrivileged(Native Method)

at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Unknown Source)

at org.jivesoftware.wildfire.net.TLSStreamHandler.doTasks(TLSStreamHandler.java:37 1)

at org.jivesoftware.wildfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.jav a:281)

… 11 more

Caused by: java.security.cert.CertificateException: target verification failed of

at org.jivesoftware.wildfire.net.ServerTrustManager.checkServerTrusted(ServerTrust Manager.java:149)

at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(Unknown Source)

… 19 more

2006.03.20 11:06:37 [org.jivesoftware.wildfire.server.OutgoingServerSession.createOutgoingSession(O utgoingServerSession.java:258)

] Error trying to connect to remote server: cbt.nist.gov(DNS lookup: cbt.nist.gov:5269)

java.net.UnknownHostException: cbt.nist.gov

at java.net.PlainSocketImpl.connect(Unknown Source)

at java.net.SocksSocketImpl.connect(Unknown Source)

at java.net.Socket.connect(Unknown Source)

at org.jivesoftware.wildfire.server.OutgoingServerSession.createOutgoingSession(Ou tgoingServerSession.java:253)

at org.jivesoftware.wildfire.server.OutgoingServerSession.authenticateDomain(Outgo ingServerSession.java:182)

at org.jivesoftware.wildfire.server.OutgoingSessionPromise.createSessionAndSendPac ket(OutgoingSessionPromise.java:126)

at org.jivesoftware.wildfire.server.OutgoingSessionPromise.access$300(OutgoingSess ionPromise.java:37)

at org.jivesoftware.wildfire.server.OutgoingSessionPromise$1$1.run(OutgoingSession Promise.java:91)

at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)

at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)

at java.lang.Thread.run(Unknown Source)

2006.03.20 11:06:57 [org.jivesoftware.wildfire.server.OutgoingServerSession.createOutgoingSession(O utgoingServerSession.java:258)

] Error trying to connect to remote server: nist.gov(DNS lookup: nist.gov:5269)

java.net.SocketTimeoutException: connect timed out

at java.net.PlainSocketImpl.socketConnect(Native Method)

at java.net.PlainSocketImpl.doConnect(Unknown Source)

at java.net.PlainSocketImpl.connectToAddress(Unknown Source)

at java.net.PlainSocketImpl.connect(Unknown Source)

at java.net.SocksSocketImpl.connect(Unknown Source)

at java.net.Socket.connect(Unknown Source)

at org.jivesoftware.wildfire.server.OutgoingServerSession.createOutgoingSession(Ou tgoingServerSession.java:253)

at org.jivesoftware.wildfire.server.OutgoingServerSession.authenticateDomain(Outgo ingServerSession.java:182)

at org.jivesoftware.wildfire.server.OutgoingSessionPromise.createSessionAndSendPac ket(OutgoingSessionPromise.java:126)

at org.jivesoftware.wildfire.server.OutgoingSessionPromise.access$300(OutgoingSess ionPromise.java:37)

at org.jivesoftware.wildfire.server.OutgoingSessionPromise$1$1.run(OutgoingSession Promise.java:91)

at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)

at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)

at java.lang.Thread.run(Unknown Source)

2006.03.20 11:07:14 [org.jivesoftware.wildfire.server.OutgoingServerSession.createOutgoingSession(O utgoingServerSession.java:315)

] Error creating secured outgoing session to remote server: conference.seurat.cbt.nist.gov(DNS lookup: conference.seurat.cbt.nist.gov:5269)

javax.net.ssl.SSLHandshakeException: General SSLEngine problem

at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Unknown Source)

at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source)

at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(Unknown Source)

at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(Unknown Source)

at javax.net.ssl.SSLEngine.wrap(Unknown Source)

at org.jivesoftware.wildfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.jav a:320)

at org.jivesoftware.wildfire.net.TLSStreamHandler.(TLSStreamHandler.java:206)

at org.jivesoftware.wildfire.net.SocketConnection.startTLS(SocketConnection.java:1 50)

at org.jivesoftware.wildfire.server.OutgoingServerSession.secureAndAuthenticate(Ou tgoingServerSession.java:343)

at org.jivesoftware.wildfire.server.OutgoingServerSession.createOutgoingSession(Ou tgoingServerSession.java:296)

at org.jivesoftware.wildfire.server.OutgoingServerSession.authenticateDomain(Outgo ingServerSession.java:139)

at org.jivesoftware.wildfire.server.OutgoingSessionPromise.createSessionAndSendPac ket(OutgoingSessionPromise.java:126)

at org.jivesoftware.wildfire.server.OutgoingSessionPromise.access$300(OutgoingSess ionPromise.java:37)

at org.jivesoftware.wildfire.server.OutgoingSessionPromise$1$1.run(OutgoingSession Promise.java:91)

at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)

at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)

at java.lang.Thread.run(Unknown Source)

Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem

at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)

at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(Unknown Source)

at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)

at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)

at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)

at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)

at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)

at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Unknown Source)

at java.security.AccessController.doPrivileged(Native Method)

at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Unknown Source)

at org.jivesoftware.wildfire.net.TLSStreamHandler.doTasks(TLSStreamHandler.java:37 1)

at org.jivesoftware.wildfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.jav a:281)

… 11 more

Caused by: java.security.cert.CertificateException: target verification failed of

at org.jivesoftware.wildfire.net.ServerTrustManager.checkServerTrusted(ServerTrust Manager.java:149)

at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(Unknown Source)

… 19 more

2006.03.20 11:07:14 [org.jivesoftware.wildfire.server.OutgoingServerSession.createOutgoingSession(O utgoingServerSession.java:315)

] Error creating secured outgoing session to remote server: seurat.cbt.nist.gov(DNS lookup: seurat.cbt.nist.gov:5269)

javax.net.ssl.SSLHandshakeException: General SSLEngine problem

at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Unknown Source)

at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source)

at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(Unknown Source)

at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(Unknown Source)

at javax.net.ssl.SSLEngine.wrap(Unknown Source)

at org.jivesoftware.wildfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.jav a:320)

at org.jivesoftware.wildfire.net.TLSStreamHandler.(TLSStreamHandler.java:206)

at org.jivesoftware.wildfire.net.SocketConnection.startTLS(SocketConnection.java:1 50)

at org.jivesoftware.wildfire.server.OutgoingServerSession.secureAndAuthenticate(Ou tgoingServerSession.java:343)

at org.jivesoftware.wildfire.server.OutgoingServerSession.createOutgoingSession(Ou tgoingServerSession.java:296)

at org.jivesoftware.wildfire.server.OutgoingServerSession.authenticateDomain(Outgo ingServerSession.java:182)

at org.jivesoftware.wildfire.server.OutgoingSessionPromise.createSessionAndSendPac ket(OutgoingSessionPromise.java:126)

at org.jivesoftware.wildfire.server.OutgoingSessionPromise.access$300(OutgoingSess ionPromise.java:37)

at org.jivesoftware.wildfire.server.OutgoingSessionPromise$1$1.run(OutgoingSession Promise.java:91)

at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)

at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)

at java.lang.Thread.run(Unknown Source)

Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem

at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)

at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(Unknown Source)

at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)

at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)

at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)

at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)

at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)

at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Unknown Source)

at java.security.AccessController.doPrivileged(Native Method)

at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Unknown Source)

at org.jivesoftware.wildfire.net.TLSStreamHandler.doTasks(TLSStreamHandler.java:37 1)

at org.jivesoftware.wildfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.jav a:281)

… 11 more

Caused by: java.security.cert.CertificateException: target verification failed of

at org.jivesoftware.wildfire.net.ServerTrustManager.checkServerTrusted(ServerTrust Manager.java:149)

at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(Unknown Source)

… 19 more

2006.03.20 11:07:16 [org.jivesoftware.wildfire.server.OutgoingServerSession.createOutgoingSession(O utgoingServerSession.java:258)

] Error trying to connect to remote server: cbt.nist.gov(DNS lookup: cbt.nist.gov:5269)

java.net.UnknownHostException: cbt.nist.gov

at java.net.PlainSocketImpl.connect(Unknown Source)

at java.net.SocksSocketImpl.connect(Unknown Source)

at java.net.Socket.connect(Unknown Source)

at org.jivesoftware.wildfire.server.OutgoingServerSession.createOutgoingSession(Ou tgoingServerSession.java:253)

at org.jivesoftware.wildfire.server.OutgoingServerSession.authenticateDomain(Outgo ingServerSession.java:182)

at org.jivesoftware.wildfire.server.OutgoingSessionPromise.createSessionAndSendPac ket(OutgoingSessionPromise.java:126)

at org.jivesoftware.wildfire.server.OutgoingSessionPromise.access$300(OutgoingSess ionPromise.java:37)

at org.jivesoftware.wildfire.server.OutgoingSessionPromise$1$1.run(OutgoingSession Promise.java:91)

at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)

at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)

at java.lang.Thread.run(Unknown Source)

2006.03.20 11:07:36 [org.jivesoftware.wildfire.server.OutgoingServerSession.createOutgoingSession(O utgoingServerSession.java:258)

] Error trying to connect to remote server: nist.gov(DNS lookup: nist.gov:5269)

java.net.SocketTimeoutException: connect timed out

at java.net.PlainSocketImpl.socketConnect(Native Method)

at java.net.PlainSocketImpl.doConnect(Unknown Source)

at java.net.PlainSocketImpl.connectToAddress(Unknown Source)

at java.net.PlainSocketImpl.connect(Unknown Source)

at java.net.SocksSocketImpl.connect(Unknown Source)

at java.net.Socket.connect(Unknown Source)

at org.jivesoftware.wildfire.server.OutgoingServerSession.createOutgoingSession(Ou tgoingServerSession.java:253)

at org.jivesoftware.wildfire.server.OutgoingServerSession.authenticateDomain(Outgo ingServerSession.java:182)

at org.jivesoftware.wildfire.server.OutgoingSessionPromise.createSessionAndSendPac ket(OutgoingSessionPromise.java:126)

at org.jivesoftware.wildfire.server.OutgoingSessionPromise.access$300(OutgoingSess ionPromise.java:37)

at org.jivesoftware.wildfire.server.OutgoingSessionPromise$1$1.run(OutgoingSession Promise.java:91)

at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)

at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)

at java.lang.Thread.run(Unknown Source)

Here is the server's log that is receiving the “search” connection using TLS:

2006.03.20 10:50:58 org.jivesoftware.wildfire.net.SocketReader.negotiateTLS(SocketReader.java:680) Error while negotiating TLS
javax.net.ssl.SSLException: Unsupported record version Unknown-47.115
    at com.sun.net.ssl.internal.ssl.EngineInputRecord.bytesInCompletePacket(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(Unknown Source)
    at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
    at org.jivesoftware.wildfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.java:268)
    at org.jivesoftware.wildfire.net.TLSStreamHandler.<init>(TLSStreamHandler.java:206)
    at org.jivesoftware.wildfire.net.SocketConnection.startTLS(SocketConnection.java:150)
    at org.jivesoftware.wildfire.net.SocketReader.negotiateTLS(SocketReader.java:677)
    at org.jivesoftware.wildfire.net.SocketReader.readStream(SocketReader.java:266)
    at org.jivesoftware.wildfire.net.SocketReader.run(SocketReader.java:119)
    at java.lang.Thread.run(Unknown Source)

2006.03.20 10:50:58 org.jivesoftware.wildfire.net.SocketReader.run(SocketReader.java:159) Connection closed before session established
Socket[addr=/129.6.162.91,port=1591,localport=5269]

2006.03.20 10:50:58 org.jivesoftware.wildfire.net.SocketReader.negotiateTLS(SocketReader.java:680) Error while negotiating TLS
javax.net.ssl.SSLException: Unsupported record version Unknown-47.115
    at com.sun.net.ssl.internal.ssl.EngineInputRecord.bytesInCompletePacket(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(Unknown Source)
    at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
    at org.jivesoftware.wildfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.java:268)
    at org.jivesoftware.wildfire.net.TLSStreamHandler.<init>(TLSStreamHandler.java:206)
    at org.jivesoftware.wildfire.net.SocketConnection.startTLS(SocketConnection.java:150)
    at org.jivesoftware.wildfire.net.SocketReader.negotiateTLS(SocketReader.java:677)
    at org.jivesoftware.wildfire.net.SocketReader.readStream(SocketReader.java:266)
    at org.jivesoftware.wildfire.net.SocketReader.run(SocketReader.java:119)
    at java.lang.Thread.run(Unknown Source)

2006.03.20 10:50:58 org.jivesoftware.wildfire.net.SocketReader.run(SocketReader.java:159) Connection closed before session established
Socket[addr=/129.6.162.91,port=1592,localport=5269]

2006.03.20 10:58:30 org.jivesoftware.wildfire.net.SocketReader.negotiateTLS(SocketReader.java:680) Error while negotiating TLS
javax.net.ssl.SSLException: Unsupported record version Unknown-47.115
    at com.sun.net.ssl.internal.ssl.EngineInputRecord.bytesInCompletePacket(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(Unknown Source)
    at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
    at org.jivesoftware.wildfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.java:268)
    at org.jivesoftware.wildfire.net.TLSStreamHandler.<init>(TLSStreamHandler.java:206)
    at org.jivesoftware.wildfire.net.SocketConnection.startTLS(SocketConnection.java:150)
    at org.jivesoftware.wildfire.net.SocketReader.negotiateTLS(SocketReader.java:677)
    at org.jivesoftware.wildfire.net.SocketReader.readStream(SocketReader.java:266)
    at org.jivesoftware.wildfire.net.SocketReader.run(SocketReader.java:119)
    at java.lang.Thread.run(Unknown Source)

2006.03.20 10:58:30 org.jivesoftware.wildfire.net.SocketReader.run(SocketReader.java:159) Connection closed before session established
Socket[addr=/129.6.162.91,port=1618,localport=5269]

2006.03.20 10:58:30 org.jivesoftware.wildfire.net.SocketReader.negotiateTLS(SocketReader.java:680) Error while negotiating TLS
javax.net.ssl.SSLException: Unsupported record version Unknown-47.115
    at com.sun.net.ssl.internal.ssl.EngineInputRecord.bytesInCompletePacket(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(Unknown Source)
    at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
    at org.jivesoftware.wildfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.java:268)
    at org.jivesoftware.wildfire.net.TLSStreamHandler.<init>(TLSStreamHandler.java:206)
    at org.jivesoftware.wildfire.net.SocketConnection.startTLS(SocketConnection.java:150)
    at org.jivesoftware.wildfire.net.SocketReader.negotiateTLS(SocketReader.java:677)
    at org.jivesoftware.wildfire.net.SocketReader.readStream(SocketReader.java:266)
    at org.jivesoftware.wildfire.net.SocketReader.run(SocketReader.java:119)
    at java.lang.Thread.run(Unknown Source)

2006.03.20 10:58:30 org.jivesoftware.wildfire.net.SocketReader.run(SocketReader.java:159) Connection closed before session established
Socket[addr=/129.6.162.91,port=1619,localport=5269]

2006.03.20 10:59:09 org.jivesoftware.wildfire.net.SocketReader.negotiateTLS(SocketReader.java:680) Error while negotiating TLS
javax.net.ssl.SSLException: Unsupported record version Unknown-47.115
    at com.sun.net.ssl.internal.ssl.EngineInputRecord.bytesInCompletePacket(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(Unknown Source)
    at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
    at org.jivesoftware.wildfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.java:268)
    at org.jivesoftware.wildfire.net.TLSStreamHandler.<init>(TLSStreamHandler.java:206)
    at org.jivesoftware.wildfire.net.SocketConnection.startTLS(SocketConnection.java:150)
    at org.jivesoftware.wildfire.net.SocketReader.negotiateTLS(SocketReader.java:677)
    at org.jivesoftware.wildfire.net.SocketReader.readStream(SocketReader.java:266)
    at org.jivesoftware.wildfire.net.SocketReader.run(SocketReader.java:119)
    at java.lang.Thread.run(Unknown Source)

2006.03.20 10:59:09 org.jivesoftware.wildfire.net.SocketReader.run(SocketReader.java:159) Connection closed before session established
Socket[addr=/129.6.162.91,port=1621,localport=5269]

2006.03.20 10:59:09 org.jivesoftware.wildfire.net.SocketReader.negotiateTLS(SocketReader.java:680) Error while negotiating TLS
javax.net.ssl.SSLException: Unsupported record version Unknown-47.115
    at com.sun.net.ssl.internal.ssl.EngineInputRecord.bytesInCompletePacket(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(Unknown Source)
    at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
    at org.jivesoftware.wildfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.java:268)
    at org.jivesoftware.wildfire.net.TLSStreamHandler.<init>(TLSStreamHandler.java:206)
    at org.jivesoftware.wildfire.net.SocketConnection.startTLS(SocketConnection.java:150)
    at org.jivesoftware.wildfire.net.SocketReader.negotiateTLS(SocketReader.java:677)
    at org.jivesoftware.wildfire.net.SocketReader.readStream(SocketReader.java:266)
    at org.jivesoftware.wildfire.net.SocketReader.run(SocketReader.java:119)
    at java.lang.Thread.run(Unknown Source)

2006.03.20 10:59:09 org.jivesoftware.wildfire.net.SocketReader.run(SocketReader.java:159) Connection closed before session established
Socket[addr=/129.6.162.91,port=1622,localport=5269]

Any ideas on what to try next?

I'll make a post in the developers forum (linked back to this one) to see if some developers may have a clue, since they may recognize the exceptions that are occurring...

Looks like these are the important lines:

Caused by: java.security.cert.CertificateException: root certificate not trusted of

at org.jivesoftware.wildfire.net.ServerTrustManager.checkServerTrusted(ServerTrustManager.java:133)

at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(Unknown Source)

Caused by: java.security.cert.CertificateException: root certificate not trusted of

Caused by: java.security.cert.CertificateException: target verification failed of

Caused by: java.security.cert.CertificateException: target verification failed of

Caused by: java.security.cert.CertificateException: target verification failed of

Caused by: java.security.cert.CertificateException: target verification failed of

I would start a new thread but instead title it something like “Can't get S2S connections secured with (self-signed) SSL certs”; it's likely to attract people with S2S SSL knowledge better.
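Picking the "important lines" out of a Wildfire error.log by hand gets old quickly when the same four or five failures repeat every few seconds. The script below is an added example (not code from this thread, from Wildfire, or from Jive) that splits the log into entries, pulls the remote domain and the innermost "Caused by:" out of each, and files it under a failure class. The sample log is constructed from abridged copies of the entries quoted above (the pairing of host and cause in the "root certificate not trusted" entry is illustrative); the category names, and the reading of each message, are mine. One reading worth flagging: in "Unsupported record version Unknown-47.115" the two numbers are the version bytes JSSE found at the head of the record, and 47 and 115 are ASCII "/" and "s", which is consistent with plain XML arriving on a socket that was expecting a TLS record, i.e. the two sides disagreeing about when STARTTLS begins.

```python
import re

# Constructed sample in the shape of the Wildfire error.log entries quoted in
# this thread (stack frames abridged; hosts and addresses are the page's own).
SAMPLE_LOG = """\
2006.03.20 10:59:25 [org.jivesoftware.wildfire.server.OutgoingServerSession.createOutgoingSession(OutgoingServerSession.java:258)
] Error trying to connect to remote server: cbt.nist.gov(DNS lookup: cbt.nist.gov:5269)
java.net.UnknownHostException: cbt.nist.gov
\tat java.net.PlainSocketImpl.connect(Unknown Source)
2006.03.20 10:59:25 [org.jivesoftware.wildfire.server.OutgoingServerSession.createOutgoingSession(OutgoingServerSession.java:258)
] Error trying to connect to remote server: nist.gov(DNS lookup: nist.gov:5269)
java.net.SocketTimeoutException: connect timed out
2006.03.20 11:06:35 [org.jivesoftware.wildfire.server.OutgoingServerSession.createOutgoingSession(OutgoingServerSession.java:315)
] Error creating secured outgoing session to remote server: search.seurat.cbt.nist.gov(DNS lookup: search.seurat.cbt.nist.gov:5269)
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
\tat com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
Caused by: java.security.cert.CertificateException: target verification failed of
\tat org.jivesoftware.wildfire.net.ServerTrustManager.checkServerTrusted(ServerTrustManager.java:149)
2006.03.20 11:06:35 [org.jivesoftware.wildfire.server.OutgoingServerSession.createOutgoingSession(OutgoingServerSession.java:315)
] Error creating secured outgoing session to remote server: seurat.cbt.nist.gov(DNS lookup: seurat.cbt.nist.gov:5269)
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
Caused by: java.security.cert.CertificateException: root certificate not trusted of
\tat org.jivesoftware.wildfire.net.ServerTrustManager.checkServerTrusted(ServerTrustManager.java:133)
2006.03.20 10:50:58 org.jivesoftware.wildfire.net.SocketReader.negotiateTLS(SocketReader.java:680) Error while negotiating TLS
javax.net.ssl.SSLException: Unsupported record version Unknown-47.115
\tat javax.net.ssl.SSLEngine.unwrap(Unknown Source)
2006.03.20 10:50:58 org.jivesoftware.wildfire.net.SocketReader.run(SocketReader.java:159) Connection closed before session established
Socket[addr=/129.6.162.91,port=1591,localport=5269]
"""

TS_RE = re.compile(r"^\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2} ")
HOST_RE = re.compile(r"remote server: ([\w.-]+)\(DNS lookup:")
ADDR_RE = re.compile(r"Socket\[addr=/([\d.]+),port=\d+,localport=\d+\]")
EXC_RE = re.compile(r"^[\w.$]+(?:Exception|Error)(?:: |$)")
RECORD_RE = re.compile(r"Unsupported record version Unknown-(\d+)\.(\d+)")

# Substring of the root cause -> failure class (my names, not Wildfire's).
RULES = [
    ("java.net.UnknownHostException", "dns-unresolvable"),     # peer name does not resolve
    ("java.net.SocketTimeoutException", "connect-timeout"),    # 5269 filtered or host down
    ("root certificate not trusted", "tls-untrusted-root"),    # chain not in local truststore
    ("target verification failed", "tls-identity-mismatch"),  # cert does not name the domain dialed
]


def split_entries(text):
    """Group lines into log entries; each entry starts at a timestamped line."""
    entries, current = [], []
    for line in text.splitlines():
        if TS_RE.match(line) and current:
            entries.append(current)
            current = []
        current.append(line)
    if current:
        entries.append(current)
    return entries


def root_cause(entry):
    """Innermost 'Caused by:' is the real reason; else the first exception line."""
    causes = [l[len("Caused by: "):] for l in entry if l.startswith("Caused by: ")]
    if causes:
        return causes[-1]
    return next((l for l in entry[1:] if EXC_RE.match(l)), None)


def record_version_bytes(cause):
    """Turn JSSE's 'Unknown-A.B' record version into the two raw bytes it read."""
    m = RECORD_RE.search(cause or "")
    return bytes([int(m.group(1)), int(m.group(2))]) if m else None


def classify(cause, header):
    if cause is None:
        return "closed-before-session" if "Connection closed before session" in header else "other"
    for needle, category in RULES:
        if needle in cause:
            return category
    raw = record_version_bytes(cause)
    if raw is None:
        return "other"
    # Two printable ASCII bytes where a TLS version should be: the peer sent
    # plain text (XML) on the socket, i.e. the sides disagree about STARTTLS.
    return "tls-cleartext-on-wire" if all(0x20 <= b < 0x7F for b in raw) else "tls-bad-record-version"


def summarize(text):
    """One row per entry: timestamp, remote host (or peer address), cause, class."""
    rows = []
    for entry in split_entries(text):
        joined = "\n".join(entry)
        m = HOST_RE.search(joined) or ADDR_RE.search(joined)
        cause = root_cause(entry)
        rows.append({"time": entry[0][:19], "host": m.group(1) if m else None,
                     "cause": cause, "category": classify(cause, entry[0])})
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(f'{row["time"]}  {row["category"]:<24}  {row["host"] or "-"}')
```

Run against the real error.log the three TLS classes separate cleanly from the two network ones, which is the split Ryan makes above: the DNS and timeout entries for cbt.nist.gov and nist.gov are unrelated to certificates, and only the ServerTrustManager causes (identity mismatch, untrusted root) point at the s2s certificate problem.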

Hey Alan,

I found the problem while reproducing your scenario. For more information see jira issue JM-604. You should use the nightly build version that includes the bug fix or just use valid certificates.

Enjoy,

– Gato

Thanks Gato,

I'll look into using your fix today and will let you know if it works.

Alan