This part:
Check to see if you have a root certificate from your CA in your Java store. That's likely the issue, and you'll need to import your root CA into the JRE that Openfire is using. Here is an example of the command:
"C:\Program Files (x86)\Java\jre1.8.0_45\bin\keytool" -importcert -keystore "C:\Program Files (x86)\Java\jre1.8.0_45\lib\security\cacerts" -storepass changeit -file ROOTCA.cer -noprompt
and:
… but 3.10.2 requires the chain to be added… does that make sense?
I tried doing what you said and initially it failed. I later realized that OpenFire has to be bounced in order to pick up the change, as it appears that the JVM is somehow caching the contents of the store and doesn’t pick up changes made after it was started.
Here’s what did work:
[blentz@muxrhim01 ~]$ sudo service openfire stop
Shutting down openfire: [ OK ]
[blentz@muxrhim01 ~]$ sudo cp /usr/java/default/lib/security/cacerts /usr/java/default/lib/security/cacerts.orig
[blentz@muxrhim01 ~]$ sudo /usr/java/default/bin/keytool -keystore /usr/java/default/lib/security/cacerts -importcert -file ldap.muxier.com.cachain.crt -storepass changeit -noprompt -alias ldap.muxier.com.cachain.crt
Certificate was added to keystore
[blentz@muxrhim01 ~]$ sudo service openfire start
Starting openfire:
[blentz@muxrhim01 ~]$
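The same import done programmatically, as an added example that is not part of the post above and not Openfire's code. It reads every certificate in a PEM chain file (a chain file usually holds the root and one or more intermediates, which is why importing only the root was not enough), adds the ones not already present to the JRE truststore, and then validates a server certificate chain against the updated store with the JDK's own PKIX trust manager, so you can confirm the import fixes the trust problem before bouncing Openfire. The store path, password and file names are command-line arguments; the ones shown in the usage line are just the values from the thread.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/*
 * Added example (not Openfire code). Imports a PEM CA chain into a Java
 * truststore such as the JRE's cacerts and checks that a server chain then
 * validates under the default PKIX rules.
 *
 * usage: java ImportCaChain /usr/java/default/lib/security/cacerts changeit \
 *            ldap.muxier.com.cachain.crt [server-chain.pem]
 */
public class ImportCaChain {

    /** Parses all PEM certificates in a file; a chain file may contain several. */
    static List<X509Certificate> readPemChain(Path pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<>();
        try (InputStream in = Files.newInputStream(pem)) {
            for (Certificate c : cf.generateCertificates(in)) {
                certs.add((X509Certificate) c);
            }
        }
        return certs;
    }

    /** Loads cacerts. "JKS" reads the JKS store of Java 8 and the PKCS12 one of Java 9+. */
    static KeyStore loadStore(Path store, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(store)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Adds each certificate as a trusted entry, skipping ones already present. */
    static int importChain(KeyStore ks, List<X509Certificate> chain, String aliasPrefix) throws Exception {
        int added = 0;
        for (int i = 0; i < chain.size(); i++) {
            X509Certificate cert = chain.get(i);
            if (ks.getCertificateAlias(cert) != null) {
                continue; // byte-identical certificate already trusted under some alias
            }
            ks.setCertificateEntry(aliasPrefix + "-" + i, cert);
            added++;
        }
        return added;
    }

    /** Validates a server chain with the PKIX trust manager built over the store; throws if untrusted. */
    static void checkServerChain(KeyStore ks, List<X509Certificate> serverChain) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        X509Certificate[] chain = serverChain.toArray(new X509Certificate[0]);
        // SunJSSE uses authType only to pick the key-usage check; it must be a name it knows.
        String authType = "RSA".equals(chain[0].getPublicKey().getAlgorithm()) ? "RSA" : "ECDHE_ECDSA";
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                ((X509TrustManager) tm).checkServerTrusted(chain, authType);
                return;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: ImportCaChain <cacerts> <storepass> <cachain.pem> [server-chain.pem]");
            System.exit(2);
        }
        Path store = Paths.get(args[0]);
        char[] password = args[1].toCharArray();
        List<X509Certificate> caChain = readPemChain(Paths.get(args[2]));

        Path backup = Paths.get(args[0] + ".orig"); // same backup the post makes with cp
        if (!Files.exists(backup)) {
            Files.copy(store, backup);
        }

        KeyStore ks = loadStore(store, password);
        int added = importChain(ks, caChain, "ldap-ca");
        try (OutputStream out = Files.newOutputStream(store)) {
            ks.store(out, password);
        }
        System.out.println("added " + added + " of " + caChain.size() + " certificate(s)");

        if (args.length > 3) {
            checkServerChain(ks, readPemChain(Paths.get(args[3])));
            System.out.println("server chain validates against the updated store");
        }
        // A running Openfire JVM loaded cacerts at startup; restart it to pick up the change.
    }
}
```

Run it as the user that owns the JRE, and stop Openfire first, exactly as the transcript above does: the JVM builds its default trust manager from cacerts once, so a store rewritten underneath a running server is not seen until the next start.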
The custom SSL socket factory is a reference to some code that is used within Openfire when using SSL. The original socket would accept any type of SSL cert (which, IMHO, isn't the best security practice, although it makes things really convenient). Because the original code used a custom SSL socket factory, the pooling of connections to LDAP didn't work, which resulted in poor LDAP performance. The quick way to resolve this was to revert to the default SSL socket factory. I hope that makes things a little more clear.
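The two approaches contrasted in that reply, as an added example that is not Openfire's code. The inner class is the "trust anything" factory pattern the reply describes: a TrustManager whose checkServerTrusted never throws, so any certificate (self-signed, expired, or issued for another host) is accepted. The hardened environment leaves JNDI on the JDK's default SSLSocketFactory, which validates the LDAP server's chain against cacerts; the JDK's LDAP provider also only pools connections when no custom socket factory is configured, which is why the custom factory cost performance. The LDAP URL, bind DN and password are assumed command-line values.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.net.SocketFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/*
 * Added example (not Openfire code). Opens a JNDI LDAPS context either through
 * an insecure trust-all socket factory (the "before") or through the JDK default
 * SSLSocketFactory, which validates against cacerts and lets JNDI pool connections.
 *
 * usage: java LdapsFactories ldaps://ldap.muxier.com:636 "cn=bind,dc=example,dc=com" secret [--trust-all]
 */
public class LdapsFactories {

    /** INSECURE: accepts any server certificate. Shown only to illustrate the old behaviour. */
    public static class TrustAllSocketFactory extends SocketFactory {
        private final SSLSocketFactory delegate;

        public TrustAllSocketFactory() throws Exception {
            TrustManager[] trustAll = { new X509TrustManager() {
                public void checkClientTrusted(X509Certificate[] c, String a) { }
                public void checkServerTrusted(X509Certificate[] c, String a) { } // never throws: no validation
                public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            } };
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(null, trustAll, new SecureRandom());
            delegate = ctx.getSocketFactory();
        }

        /** JNDI instantiates the class named in java.naming.ldap.factory.socket via this static method. */
        public static SocketFactory getDefault() {
            try { return new TrustAllSocketFactory(); } catch (Exception e) { throw new RuntimeException(e); }
        }
        @Override public Socket createSocket(String h, int p) throws IOException { return delegate.createSocket(h, p); }
        @Override public Socket createSocket(String h, int p, InetAddress l, int lp) throws IOException { return delegate.createSocket(h, p, l, lp); }
        @Override public Socket createSocket(InetAddress h, int p) throws IOException { return delegate.createSocket(h, p); }
        @Override public Socket createSocket(InetAddress h, int p, InetAddress l, int lp) throws IOException { return delegate.createSocket(h, p, l, lp); }
    }

    static Hashtable<String, String> baseEnv(String url, String bindDn, String password) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url); // an ldaps:// URL selects TLS on its own
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put("com.sun.jndi.ldap.connect.pool", "true"); // ask JNDI to pool this connection
        return env;
    }

    /** Before: any certificate accepted, and JNDI skips the pool because the factory is not the default. */
    static Hashtable<String, String> trustAllEnv(String url, String bindDn, String password) {
        Hashtable<String, String> env = baseEnv(url, bindDn, password);
        env.put("java.naming.ldap.factory.socket", TrustAllSocketFactory.class.getName());
        return env;
    }

    /** After: default javax.net.ssl.SSLSocketFactory, so the chain must validate against cacerts and pooling applies. */
    static Hashtable<String, String> defaultEnv(String url, String bindDn, String password) {
        return baseEnv(url, bindDn, password); // no java.naming.ldap.factory.socket entry at all
    }

    public static void main(String[] args) throws NamingException {
        if (args.length < 3) {
            System.err.println("usage: LdapsFactories <ldaps-url> <bind-dn> <password> [--trust-all]");
            System.exit(2);
        }
        boolean insecure = args.length > 3 && "--trust-all".equals(args[3]);
        Hashtable<String, String> env = insecure
                ? trustAllEnv(args[0], args[1], args[2])
                : defaultEnv(args[0], args[1], args[2]);
        // With the default factory this throws a CommunicationException wrapping the
        // PKIX path-building failure when cacerts lacks the server's CA chain.
        DirContext ctx = new InitialDirContext(env);
        System.out.println("bound to " + args[0] + (insecure ? " WITHOUT certificate validation" : " with validated chain"));
        ctx.close(); // with pooling enabled this returns the connection to the pool
    }
}
```

One caveat when measuring the performance difference: the JDK pools plain LDAP connections by default, and LDAPS connections only when the JVM is started with -Dcom.sun.jndi.ldap.connect.pool.protocol="plain ssl"; without that property even the default-factory path opens a fresh TLS connection each time.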