Openfire Properties

This is an attempt at documenting every property used by Openfire. Please keep this list in alphabetical order, for easier searching.

  1. XML Properties

  2. Openfire System Properties

  3. Java System Properties

  4. Http-Bind Properties

XML Properties

Property

Description

Default

admin.authorizedUsernames

A comma-separated list of usernames allowed to log into the admin console.

admin

admin.authorizedJIDs

A comma-separated list of full JIDs allowed to log into the admin console. The JIDs may belong to remote users.

adminConsole.port

The port number the admin console listens on (not encrypted). Disable by using -1.

9090

adminConsole.securePort

The port number the admin console listens on (encrypted). Disable by using -1.

9091

connectionProvider.className

The class name of the database connection provider

database.defaultProvider.driver

see http://www.igniterealtime.org/builds/openfire/docs/latest/documentation/database.html

database.defaultProvider.serverURL

see http://www.igniterealtime.org/builds/openfire/docs/latest/documentation/database.html

database.defaultProvider.username

TODO

database.defaultProvider.password

TODO

database.defaultProvider.minConnections

minimum database connections

database.defaultProvider.maxConnections

maximum database connections TODO

database.defaultProvider.connectionTimeout

database connection timeout

database.defaultProvider.testSQL

SQL command to test whether a connection is fine

database.defaultProvider.testBeforeUse

true / false - test connection before using it

database.defaultProvider.testAfterUse

true / false - test connection after using it

database.defaultProvider.checkOpenConnection

TODO - is it still valid?

database.defaultProvider.openConnectionTimeLimit

TODO - is it still valid?

database.mysql.useUnicode

TODO

database.JNDIProvider.name

TODO

ldap.adminDN

a directory administrator's DN. All directory operations will be performed with this account. The admin must be able to perform searches and load user records. The user does not need to be able to make changes to the directory, as Openfire treats the directory as read-only. If this property is not set, an anonymous login to the server will be attempted. If you do not allow anonymous searches to your LDAP server, you must set this.

ldap.adminPassword

the password for the directory administrator.

ldap.alternateBaseDN

a second DN in the directory can optionally be set. If set, the alternate base DN will be used for authentication and loading single users, but will not be used to display a list of users (due to technical limitations).

ldap.authCache.enabled

Enable LDAP authentication cache, if using the LdapAuth provider

true

ldap.authCache.maxLifetime

TODO

ldap.authCache.size

Cache size (in bytes) for LDAP authentication cache

524288

ldap.autoFollowReferrals

a value of "true" indicates that LDAP referrals should be automatically followed. If this property is not set or is set to "false", the referral policy used is left up to the provider. A referral is an entity that is used to redirect a client's request to another server. A referral contains the names and locations of other objects. It is sent by the server to indicate that the information that the client has requested can be found at another location (or locations), possibly at another server or several servers.

ldap.baseDN

the starting DN that searches for users will be performed with. The entire subtree under the base DN will be searched for user accounts. This is required for all LDAP setups.

ldap.clientSideSorting

Set to true if Openfire should sort the LDAP results itself. If the LDAP server can do it, set to false.

False

ldap.connectionPoolEnabled

a value of "false" disables LDAP connection pooling.

true

ldap.debugEnabled

a value of "true" if debugging should be turned on. When on, trace information about buffers sent and received by the LDAP provider is written to System.out

ldap.emailField

the field name that holds the user's email address. If this property is not set, the default value is mail. Active Directory users should use the default value mail.

ldap.groupDescriptionField

the field name that holds the description of a group. If this property is not set, the default value is description.

ldap.groupMemberField

the field name that holds the members in a group. If this property is not set, the default value is member.

ldap.groupNameField

the field name that the groupname lookups will be performed on. If this property is not set, the default value is cn. This is required if you wish to use groups from LDAP.

ldap.groupSearchFilter

the search filter that should be used when loading groups.

ldap.groupNameField=

ldap.host

LDAP server host; e.g. localhost or machine.example.com, etc. It is possible to use many LDAP servers but all of them should share the same configuration (e.g. SSL, baseDN, admin account, etc). To specify many LDAP servers use the comma or the white space character as delimiter. Obviously, this is required for LDAP setups.

ldap.initialContextFactory

the name of the class that should be used as an initial context factory. If this value is not specified, "com.sun.jndi.ldap.LdapCtxFactory" will be used instead. Most users will not need to set this value.

ldap.nameField

the field name that holds the user's name. If this property is not set, the default value is cn. Active Directory users should use the default value displayName.

cn

ldap.port

LDAP server port number.

389

ldap.posixMode

a value of "true" means that users are stored within the group by their user name alone. A value of "false" means that users are stored by their entire DN within the group. If this property is not set, the default value is false. Note: the posix mode must be set correctly for your server in order for group integration to work. This is required if you wish to use groups from LDAP.

ldap.sslEnabled

a value of "true" to enable SSL connections to your LDAP server. If you enable SSL connections, the LDAP server port number most likely should be changed to 636.

ldap.searchFields

the LDAP fields that will be used for user searches. If this property is not set, the username, name, and email fields will be searched. An example value for this field is "Username/uid,Name/cname". That searches the uid and cname fields in the directory and labels them as "Username" and "Name" in the search UI. You can add as many fields as you'd like using comma-delimited "DisplayName/Field" pairs. You should ensure that any fields used for searching are properly indexed so that searches return quickly.

ldap.searchFilter

the search filter that should be used when loading users.

The default search will be for users that have the attribute specified by ldap.usernameField.

ldap.usernameField

the field name that the username lookups will be performed on. If this property is not set, the default value is uid. Active Directory users should try the default value sAMAccountName.

ldap.vcard-mapping

The literal mapping between ldap fields and the XML to go in the vcard

log.debug.enabled

Turn on debug logging

log.debug.format

The format used for debug logging

log.debug.size

The maximum size of the debug log

log.directory

The directory all log files will go into

log.error.format

The format used for the error log

log.error.size

The maximum size of the error log

log.info.format

The format used for the info log

log.info.size

The maximum size of the info log

log.warn.format

The format used for the warn log

log.warn.size

The maximum size of the warn log

locale

The locale (language settings)

nativeAuth.domain

TODO

network.interface

An ip address to bind to. Generally only useful on multi-homed systems.

pop3.authCache.enabled

TODO

pop3.authCache.maxLifetime

TODO

pop3.authCache.size

TODO

512*1024

pop3.authRequiresDomain

TODO

pop3.debug

TODO

pop3.domain

TODO

pop3.host

TODO

pop3.port

TODO

pop3.ssl

TODO

provider.auth.className

The class name of the AuthProvider (Authentication)

provider.user.className

The class name of the UserProvider

provider.group.className

The class name of the GroupProvider

provider.vcard.className

The class name of the VcardProvider

sasl.mechs

Configure which SASL mechanisms Openfire allows (DIGEST-MD5 PLAIN CRAM-MD5). Java's CRAM-MD5 implementation and Cyrus SASL's implementation differ slightly. Multiple values are separated by commas.

ANONYMOUS

PLAIN

DIGEST-MD5

CRAM-MD5

JIVE-SHAREDSECRET

SCRAM-SHA-1

GSSAPI

EXTERNAL

sasl.approvedRealms

sasl.gssapi.config

sasl.gssapi.debug

false

sasl.gssapi.useSubjectCredsOnly

false

sasl.realm

setup

True if Openfire has been configured. False only after an initial install before configuring.
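
An added example (not Openfire code): a Python check that flattens an openfire.xml into the dotted XML property names listed above and flags a few of these settings for review. The sample file is constructed, and both the nested-element layout (`adminConsole.port` stored as `<jive><adminConsole><port>`) and the choice of checks are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not taken from a real server. Assumed layout: the dotted
# name adminConsole.port is stored as <jive><adminConsole><port>.
SAMPLE_OPENFIRE_XML = """\
<jive>
  <adminConsole>
    <port>9090</port>
    <securePort>9091</securePort>
  </adminConsole>
  <ldap>
    <host>ldap.example.com</host>
    <port>389</port>
    <adminDN>cn=openfire,dc=example,dc=com</adminDN>
    <adminPassword>constructed-placeholder</adminPassword>
    <debugEnabled>true</debugEnabled>
  </ldap>
  <sasl>
    <mechs>ANONYMOUS, PLAIN, DIGEST-MD5</mechs>
  </sasl>
  <setup>true</setup>
</jive>
"""


def flatten(xml_text):
    """Return {dotted.property.name: value} for every leaf element."""
    props = {}

    def walk(elem, prefix):
        children = list(elem)
        if not children and prefix:
            props[prefix] = (elem.text or "").strip()
        for child in children:
            walk(child, f"{prefix}.{child.tag}" if prefix else child.tag)

    walk(ET.fromstring(xml_text), "")
    return props


def is_true(props, name):
    return props.get(name, "").lower() == "true"


def audit(props):
    """Return (property, reason) pairs for settings worth a review."""
    findings = []
    # Defaults from the table apply when the element is absent.
    if props.get("adminConsole.port", "9090") != "-1":
        findings.append(("adminConsole.port", "unencrypted admin console is listening; -1 disables it"))
    if props.get("adminConsole.securePort", "9091") == "-1":
        findings.append(("adminConsole.securePort", "encrypted admin console is disabled"))
    if "ldap.host" in props:
        if not props.get("ldap.adminDN"):
            findings.append(("ldap.adminDN", "not set, so an anonymous directory login is attempted"))
        if props.get("ldap.adminPassword") and not is_true(props, "ldap.sslEnabled"):
            findings.append(("ldap.sslEnabled", "admin password is configured but SSL to the directory is not enabled"))
        if is_true(props, "ldap.debugEnabled"):
            findings.append(("ldap.debugEnabled", "LDAP buffers are traced to System.out"))
    mechs = {m.strip().upper() for m in props.get("sasl.mechs", "").split(",")}
    if "ANONYMOUS" in mechs:
        findings.append(("sasl.mechs", "ANONYMOUS is offered to clients"))
    for name, value in props.items():
        if name.lower().endswith("password") and value:
            findings.append((name, "secret stored in the file; restrict read access to it"))
    return findings


if __name__ == "__main__":
    for prop, reason in audit(flatten(SAMPLE_OPENFIRE_XML)):
        print(f"{prop}: {reason}")
```
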

 

Openfire System Properties

 

Property

Description

Default

cache.name.maxLifetime

Cache expiration time for name in milliseconds.

see How to configure Openfire's caches

cache.name.size

Cache size for name in bytes

see How to configure Openfire's caches

locale.timeZone

The timezone for your locale

dnsutil.dnsOverride

(JM-711: http://www.igniterealtime.org/issues/browse/JM-711) Internal DNS that allows specifying the target IP addresses and ports to use for domains. Sample values for the property (make sure to insert no space characters!):

{example.com,127.0.0.33:5269}

{example.com,127.0.0.33:5269},{de.de,192.168.0.33:4567}

flash.crossdomain.enabled

Boolean indicating whether the Flash cross-domain server is enabled (new in OF 3.6.5)

true

flash.crossdomain.port

Integer port number to listen on for cross-domain requests (new in OF 3.6.5)

5229

hazelcast.config.xml.filename

Name of the Hazelcast configuration file. By overriding this value you can easily install a custom cluster configuration file in the Hazelcast plugin /classes/ directory, or in the classpath of your own custom plugin.

hazelcast-cache-config.xml

hazelcast.max.execution.seconds

Maximum time to wait when running a synchronous task across members of the cluster.

30

hazelcast.startup.delay.seconds

Number of seconds to wait before launching the Hazelcast plugin. This allows Openfire to deploy any other plugins before initializing the cluster caches, etc.

5

hazelcast.startup.retry.count

Number of times to retry initialization if the cluster fails to start on the first attempt.

1

hazelcast.startup.retry.seconds

Number of seconds to wait between subsequent attempts to start the cluster.

10

ldap.override.avatar

When enabled, allows users to change/add an avatar on Openfire servers bound to LDAP that do not have an LDAP-defined avatar. The property values are true or false.

true

mail.debug

Enable debugging for mail.

mail.smtp.host

The SMTP Hostname to use

mail.smtp.password

The SMTP Password to use when using SMTP Auth

mail.smtp.port

The port to use for SMTP

25

mail.smtp.ssl

Enable SSL for smtp

false

mail.smtp.username

The SMTP Username to use when using SMTP Auth

mediaproxy.enabled

The value "false" if the Openfire media proxy should not be enabled. The media proxy allows Jingle clients to communicate when peer to peer connections fail (such as when behind a strict firewall).

true (a null value means true)

mediaproxy.idleTimeout

The maximum amount of time (in milliseconds) to wait before a media proxy session is closed when there is no activity.

90000

mediaproxy.portMin

The minimum port value that the media proxy will use for UDP client connections. The port range must be large enough to handle as many client connections as will occur.

10000

mediaproxy.portMax

The maximum port value that the media proxy will use for UDP client connections. The port range must be large enough to handle as many client connections as will occur.

20000

passwordKey

Key used to decrypt Blowfish encrypted passwords in 'ofUser.encryptedPassword' (when user.usePlainPassword is set to false)

randomly generated when detected as null

plugins.upload.enabled

Enables the ability to upload plugins from the admin interface.

true

register.inband

Allow inband registration

true

register.password

Allow inband password changes

true

route.all-resources

Enable routing of messages to base JID to every client logged in with the same base JID (different resources) and the same (highest) priority

false

rss.enabled

Enable or disable the RSS feed in the admin console  http://www.igniterealtime.org/issues/browse/JM-1172

true

session.stalled.cap

If there are more than this number of bytes waiting to be written to a connection session, then it's assumed that the session has stalled and it will be closed

5242880 - i.e. 5 MB

shutdownMessage.enabled

If true, send a shutdown message to all connected users before terminating the server

update.lastCheck

Keep track of the last time we checked for updates. Don't edit this value.

update.proxy.host

Sets the host of the proxy to use to connect to jivesoftware.org or 'null' if no proxy is used.

update.proxy.port

Sets the port of the proxy to use to connect to jivesoftware.org or -1 if no proxy is being used.

user.usePlainPassword

Sets whether the password for users is stored in the database in plaintext format in the ofUser.plainPassword column, or encrypted using the Blowfish algorithm in the ofUser.encryptedPassword column, using the key found in the "passwordKey" property.

false

xmpp.audit.active

Turn on packet auditing

xmpp.audit.ignore

A comma-separated list of users to ignore when auditing packets

xmpp.audit.iq

If true, audit IQ packets

xmpp.audit.logdir

The directory to put the audit file in

xmpp.audit.logtimeout

TODO

xmpp.audit.maxcount

TODO

xmpp.audit.maxsize

TODO

xmpp.audit.message

If true, audit message packets

xmpp.audit.presence

If true, audit presence packets

xmpp.audit.xpath

TODO

xmpp.auth.anonymous

True if anonymous authentication is allowed

xmpp.auth.retries

Number of failed authentication attempts allowed.

3

xmpp.client.compression.policy

TODO

xmpp.client.idle

Time in milliseconds to disconnect an idle client. Use -1 to disable.

6 * 60 * 1000 (thanks Keehong)

xmpp.client.login.allowed

A comma-separated list of IP addresses clients are allowed to log in from

xmpp.client.roster.active

Enables the roster for clients. If false, it is not possible to retrieve users rosters or broadcast presence packets to roster contacts.

xmpp.client.tls.policy

TODO

xmpp.client.validate.host

If true, validate the hostname in the stream header sent by clients.

xmpp.command.limit

TODO

xmpp.command.timeout

TODO

xmpp.component.defaultSecret

TODO

xmpp.component.permission

TODO

xmpp.component.socket.active

TODO

xmpp.component.socket.port

TODO

xmpp.domain

The name of the server

127.0.0.1)

xmpp.forward.admins

TODO

xmpp.muc.create.anyone

Permission policy for creating rooms. Set to false to allow anyone to create rooms, true to restrict to jids listed in xmpp.muc.create.jid. Note: The meaning is reversed:-)

false

xmpp.muc.create.jid

List of JIDs that are allowed to create a MUC room.

xmpp.muc.discover.locked

Checks if the room may be included in search results.

true

xmpp.muc.enabled

Set this to false to disable MUC / conference. Requires server restart. (looks like it doesn't work on 3.6.4 - wroot)

true

xmpp.muc.history.maxNumber

The maximum number of chat history messages stored for the room.

25

xmpp.muc.history.type

Set history strategy type. Valid values: defaulType, none, all, number

number

xmpp.muc.service

Host name of MUC service. Requires server restart.

conference

xmpp.muc.skipInvite

(3.7.0+) Disable the auto invitation of newly added members to a MUC chatroom's access control list.

false

xmpp.muc.sysadmin.jid

Load the list of JIDs that are system admins of the MUC service.

xmpp.muc.tasks.log.batchsize

The number of messages to log on each run of the logging process.

50

xmpp.muc.tasks.log.timeout

The number of milliseconds to elapse between logging of room conversations.

300000

xmpp.muc.tasks.user.idle

The number of milliseconds a user must be idle before he/she gets kicked from all the rooms.

-1

xmpp.muc.tasks.user.timeout

The number of milliseconds before clearing of idle chat users.

300000

xmpp.muc.unload.empty_days

The server will unload from memory persistent rooms that have been empty for 30 (default) days. The room will still exist in the database and users may still join. The only consequence is that it won't appear in the discovery list. This option is valid only for versions prior to 3.6.0, as 3.6.0 introduced multiple conference services.

30

xmpp.offline.quota

How many messages to store before bouncing or dropping as per xmpp.offline.type

100 * 1024 messages?

xmpp.offline.type

Controls the strategy for handling messages to offline users:

- bounce: All messages are bounced to the sender.

- drop: All messages are silently dropped.

- store: All messages are stored

- store_and_bounce: Messages are stored up to the storage limit, and then bounced.

- store_and_drop: Messages are stored up to the storage limit, and then silently dropped.

store_and_bounce

xmpp.parser.buffer.size

since 3.5.2 / JM-1350: XMLLightweightParser allows N bytes of buffered data before closing a potentially dangerous connection to avoid an Out-Of-Memory error.

1048576

xmpp.privateStorageEnabled

TODO

xmpp.proxy.enabled

TODO

xmpp.proxy.externalip

Some servers are set up to use DNS SRV records. In that case, their domain may not be the actual server address. For example, the DNS SRV record for igniterealtime.org could point to a server at xmpp.igniterealtime.org. This will affect non-XMPP traffic like the file proxy transfer service, since the proxy service can't give out the normal XMPP domain name and have that work.
When this property is set, the file transfer proxy service will advertise the given IP address rather than the XMPP server domain.

xmpp.proxy.port

TODO

xmpp.proxy.service

TODO

xmpp.pubsub.create.anyone

Determines if anyone can create nodes

xmpp.pubsub.create.jid

List of JIDs of those that are allowed to create nodes

xmpp.pubsub.enabled

since 3.5.0 / JM-1262: Disable pubsub by setting this value to false

true

xmpp.pubsub.multiple-subscriptions

Turns the ability to have multiple subscriptions to a node on/off

true

xmpp.pubsub.root.creator

Specifies the JID of the root node creator

xmpp.pubsub.root.nodeID

Specifies the id of the root collection node

xmpp.pubsub.service

The pubsub service name

pubsub

xmpp.pubsub.sysadmin.jid

Sets the specified JIDs as pubsub admins

xmpp.pubsub.flush.timer

The time delay (in seconds) between flushing of the published items cache to persistent storage.

120 (seconds)

xmpp.pubsub.flush.max

The maximum number of items the published items cache will hold before it flushes itself to persistent storage.

1000

xmpp.pubsub.fetch.max

The maximum number of items that a get items operation on a node will return. Openfire doesn't support Result Sets in pubsub yet, so making this number too large will cause memory and performance issues.

2000

xmpp.pubsub.purge.timer

The time delay (in seconds) to purge stale data from the database.

300 (seconds)

xmpp.server.certificate.accept-selfsigned

TODO

xmpp.server.certificate.verify

TODO

xmpp.server.certificate.verify.chain

TODO

xmpp.server.certificate.verify.root

TODO

xmpp.server.certificate.verify.validity

TODO

xmpp.server.compression.policy

TODO

xmpp.server.dialback.enabled

TODO

xmpp.server.outgoing.threads

TODO

xmpp.server.permission

TODO

xmpp.server.processing.threads

TODO

xmpp.server.read.timeout

TODO

xmpp.server.session.allowmultiple

TODO

xmpp.server.session.idle

TODO

xmpp.server.session.timeout

TODO

xmpp.server.socket.active

TODO

xmpp.server.socket.port

TODO

xmpp.server.socket.remotePort

TODO

xmpp.server.tls.enabled

TODO

xmpp.session.conflict-limit

TODO

xmpp.session.sending-limit

TODO

xmpp.socket.plain.active

TODO

xmpp.socket.plain.port

TODO

xmpp.socket.ssl.active

TODO

xmpp.socket.ssl.algorithm

TODO

xmpp.socket.ssl.keypass

TODO

xmpp.socket.ssl.keystore

TODO

xmpp.socket.ssl.port

TODO

xmpp.socket.ssl.storeType

TODO

xmpp.socket.ssl.trustpass

TODO

xmpp.socket.ssl.truststore

TODO

 

Java System Properties

 

Property

Description

Default

app.name

"Openfire"

appdir

The location Openfire is installed in

java.library.path

Where to look for the native library path for NativeAuthProvider

line.separator

What the default line separator is.

"\n"

mrj.version

Only used for OS detection in Mac OS

pluginDirs

The directory the plugins live in

os.name

The OS Name (eg "Windows 2000").

Automatically set by Java

whack.componentManagerClass

TODO

openfire.lib.dir

The place to look for ServerStarter.

'../lib'

openfireHome

The location where Openfire is installed

For plugins (gateway), see http://www.igniterealtime.org/community/docs/DOC-1002

 

Http-Bind Properties

 

Property

Description

Default

log.httpbind.enabled

Print all packets which were sent or received via http-bind to STDOUT.

false

xmpp.httpbind.client.idle

Seconds a session has to be idle to be closed

30

xmpp.httpbind.client.requests.max

the number of simultaneous requests allowable.

2

xmpp.httpbind.client.requests.wait

the longest time (in seconds) that Openfire is allowed to wait before responding to any request during the session.

0x7fffffff

xmpp.httpbind.client.requests.polling

the maximum allowable period over which a client can send empty requests to the server.

5

This is a really great idea - I didn’t know there were so many properties.

As an aside, for disabling the admin ports, it shows -1 is the ‘’ a delimiter ?

Then, what does “TODO” mean?

It isn’t implemented yet, so I can’t use right now?

Martyn: No, the ‘’ is an error in importing this web page from the old wiki, it shouldn’t be there at all.

africa1971: TODO means the property is used in the source somewhere, but it has not been documented yet.

Thanks, slushpupie.

Thanks Slushpupie, this is a very useful repository of the properties used by Openfire.

Perhaps we could have a basic ‘default’ set of properties configured on first install, with the defaults added on upgrade if they don’t exist ?

Martyn,

I’m not sure I follow - isn’t that what the “Default” column provides?

Sorry, I meant that rather than the properties being ‘default’ but not in the DB table, we have a default set in the table.

For instance, I only found out the RSS feed could be disabled because I found a reference for it - if it was in the table, but the default setting is enabled, it would be easier to find. Does that make sense ?

Ok, that makes sense. However the way things are done now that isn’t likely to happen, as it would take rewriting every instance in the source a property is grabbed.

OK, it’s not a problem, I just wondered if it would have made things easier for people if they could see the entries in the table.

What about populating the table on a first install ? would that be simple enough, without causing code to be re-written ?

I see JiveGlobals.getIntProperty("xmpp.client.idle", 6*60*1000)/1000 in the source code for xmpp.client.idle, not 30 * 60 * 1000.

Thank you so much, this is very helpful!

I got an error when trying to set it to -1 in the console text field; it says

“Please type a valid port number or restore to default”.

But setting it in /opt/openfire/conf/openfire.xml all works fine

and the port no longer stays open after OF restart.

The msg above is about disabling access to the OF console via port 9090, allowing only 9091 https connections.

xmpp.client_ssl.processing.threads

  • number of threads to use to process incoming SSL connections
  • DEFAULT = 16 (integer)

xmpp.client.cert.policy

  • SSL client certification policy
  • DEFAULT = “disabled” (string)
  • OTHER KNOWN VALUES = “needed”, “wanted”

xmpp.socket.plain.active

  • whether to listen for unencrypted socket connections from clients
  • DEFAULT = true (boolean)

xmpp.socket.ssl.active

  • whether to listen for SSL socket connections from clients
  • DEFAULT = true (boolean)

xmpp.component.socket.active

  • whether to listen for socket connections from components
  • DEFAULT = false (boolean)

xmpp.server.socket.active

  • whether to listen for socket connections from other servers
  • DEFAULT = true (boolean)

xmpp.multiplex.socket.active

  • whether to listen to multiplexed socket connections from other servers (maybe for clustering?)
  • DEFAULT = false (boolean)

xmpp.socket.plain.port

  • which port to listen for incoming unencrypted socket connections
  • DEFAULT = 5222 (int)

xmpp.socket.ssl.port

  • which port to listen for incoming SSL socket connections
  • DEFAULT = 5223 (int)

xmpp.component.socket.port

  • which port to listen for incoming external component connections
  • DEFAULT = 5275 (int)

xmpp.server.socket.port

  • which port to listen for incoming external server connections
  • DEFAULT = 5269 (int)

xmpp.multiplex.socket.port

  • which port to listen for incoming multiplex connections
  • DEFAULT = 5262 (int)

xmpp.socket.backlog

  • socket listening backlog queue length
  • DEFAULT = 50 (int)

xmpp.socket.buffer.receive

  • low level socket receiving buffer size
  • DEFAULT = -1 (int)

xmpp.socket.buffer.send

  • low level socket sending buffer size
  • DEFAULT = -1 (int)

xmpp.socket.linger

  • low level socket linger (?)
  • DEFAULT = -1

xmpp.socket.tcp-nodelay

  • DEFAULT = ? (boolean)

xmpp.processor.count

  • the number of threads (-1) in the pool to accept socket connections
  • DEFAULT = Runtime.getRuntime().availableProcessors() (the number of processors available to the JVM, int)

Anyone tested the xmpp.client.idle ? Doesn’t seem to work.

The xmpp.client.idle doesn’t seem to work. I checked the db in ofproperty and the xmpp.client.idle is set to 60000 which is equivalent to 1min unless it is not in millis. I am trying to make sure that the user gets disconnected if he is idle. I.e. I tried logging in then just unplugging my ethernet cable but for some reason the user stays active in the openfire session and is not getting kicked as it should if it is idle. I really don’t want to have to go down the route of implementing a timer bean that consistently checks the user’s session before kicking them since this is a function that has been implemented in openfire unless I am not doing it right.

Many thanks.

Any ideas on why this would happen ?

Hello again, sorry for spamming this thread but I am getting desperate. I still cannot figure out why the xmpp.client.idle will not work. Is that something that actually hasn’t been implemented in 3.6.3 ? Any other way to force the user out if he is idle for more than i.e 10mins instead of having to use the xmpp.client.property or a timer bean ?

Thanks.