Professional Secure Installation

Hello. I am looking for someone to install openfire on my server, with all needed features, set up SSL, OMEMO support, configure Firewall, make everything as secure as possible using OpenFire and also make an installation tutorial with all steps done for my personal use, so I could do all that myself, when needed. If you are able to do all that, then please contact me and we will discuss a remuneration for this work. Thank You.

https://www.igniterealtime.org/support/service_providers.jsp


Luksias, OMEMO is client side, so you’ll need a client that supports it. The rest is easy enough. Some things to keep in mind in your scope…
Is this for internal use, or will it be accessible from the internet?
Will you be using LDAP/AD?
Will you want to use an external database like MySQL or MS SQL?
Since you mentioned SSL…Openfire creates a self-signed cert. If you’d like a trusted cert from a public CA, then you’ll need to have an external domain.
Where do you want Openfire placed on the network? DMZ, LAN? Do you want to run a reverse proxy?

Hello. So Openfire should support OMEMO out of the box? If I use clients with OMEMO support, it should just work?
The setup is for external use, to secure communication for an organisation, desktops and mobile.
Not sure if I need that LDAP/AD. Would you recommend implementing that for the setup that I need? Does that add more security? I’m not familiar with that.
I am using MariaDB; that seems to be set up all good.

SSL: Is there an actual difference for simple users if you use a CA-approved certificate or not? Is the security level still the same, or not? I do have an external domain. The main domain is parked at a different server, but I have an A record and SRV records done to point to the Openfire server, with the FQDN set as, for example, my.server.com. It seems to work.

Would you recommend reverse proxy? :slight_smile:
Thanks!

Correct…OMEMO is E2E encryption, so it’s client driven. It should work out of the box with Openfire.

LDAP/AD might be considered if you already have it in your environment, and if you want to use a single login. If you don’t already have AD or LDAP, then there is no need to add it.

A cert from a 3rd-party trusted CA is helpful if you want to federate your server with others. It will also (usually) prevent the certificate pop-ups on clients (similar to how web browsers behave with self-signed certs).

Since your server will be internet facing and has no need to connect back to your LAN, putting it on the DMZ would be OK…no real need to run it through a reverse proxy.


Hi there.
Could you please list the things that need to be sorted/configured to have the most secure Openfire installation possible?
Also, I managed to test OMEMO messages from a mobile device to a browser, but I can’t figure out how to encrypt group chat messages. Maybe you could help me here, please?
Thanks

There is no such document or list that we can share. In general I would suggest enabling and enforcing TLS encryption for all connections (client and web admin). And maybe also using a firewall to limit access (especially to the web admin part).

As we said, OMEMO is a client-side feature. You should ask the developers of the clients you are using. As far as I remember, OMEMO can work in group chat only when all participants support it.

Is it safer in some way to install OpenFire not as root user? Thank you!

If you mean installation on Linux, then you can run the install via the sudo command. Openfire will create a user openfire:openfire to run its daemon, so it won’t be running as root. In the Windows case the service runs as the System user.

I use CentOS. I understand that I can do it with another user, but does that add security, or is there no difference really? Cheers.

I think there won’t be much difference. The openfire user is created only to run Openfire and should only have access to Openfire files.


Hi guys. The new question is: what do you guys use for the FQDN and for the main domain on your servers? What is the best setup DNS-wise?
I currently have the domain parked on another server, pointed an A record to the XMPP server and also added the SRV records that Openfire requested. Is that the best way to do this? How do you set it up?

Also, I was looking for some simple explanation on how to install SSL certificates via the admin panel, but could not find any. Could someone guide me through this process? Where do I get a signing key, which I need to provide to the CA to get a signed certificate? Please assist.
I read a bit about certbot, but I’m still confused about how that certbot gets the info that it needs to retrieve a certificate. Do I need to provide Let’s Encrypt with any info, or does certbot do all the work, finding domains that need certificates?
Also, which certbot do I need for my Openfire server? Standalone?

Thanks!

Nothing?

I like to set things up like you would email, so my XMPP domain would be mydomain.com. This would make the JID (user) look like speedy@mydomain.com

Then, you’d make an A record like xmpp.mydomain.com

Next create your SRV record that points to the newly created A record.

If you want to use a public CA, then get it for xmpp.mydomain.com, as the root domain should also be covered.

I don’t recall how to create the CSR or if Openfire does that…it might have to be done via Java tooling…I can check tomorrow when I’m at work.

I don’t have experience with Let’s Encrypt…so I can’t help you there.


Thanks speedy. I guess this is the exact DNS setup I have now, and it seems to work OK.
I will try to investigate that Let’s Encrypt business myself a bit more when I find a bit more time too. Sad that there is no clear documentation on how to do everything. :slight_smile: Cheers!

There is some documentation here: Openfire: TLS Guide, although it is a bit outdated. When there are so few developers and they don’t have much time to code, documentation is usually the thing lagging furthest behind. I will try to add a few newer bits to that document later. At my job I’m working with a system which costs a pile of money, and in their documentation they don’t cover how to generate private keys, CSRs, etc. Their support told me it’s your job to know how to do such things :slight_smile:

I think you can also use OpenSSL to generate a private key and CSR. It doesn’t have to be keytool. There is also a new plugin, Certificate Manager, which allows you to set up a hotplug folder to add new certificates dynamically (say, from the Let’s Encrypt bot).

This is hard to cover in a single document (all the options there can be).

Hi wroot. I was doing some work manually trying to install an SSL certificate. I came to the point where I have to do a chown command to change ownership of the certificates for Openfire to be able to read and use them, but when I did this chown openfire … I got this:
chown: invalid user: ‘openfire’

Then I checked the user list:

cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
chrony:x:998:996::/var/lib/chrony:/sbin/nologin
mysql:x:997:995:MySQL server:/var/lib/mysql:/sbin/nologin

I don’t see any openfire user. You mentioned that it gets created automatically. What do I do at this point? Thanks!

I’ve also been trying to install SSL. I have got certbot, which installed a certificate on the server for the FQDN of the server (my.domain.com). I was not able to install one for the XMPP server name (domain.com), because it points to a different IP address (as discussed before). Then I copied those files to the hotdeploy directory and changed their names to the full domain name of the certificate, e.g. my.domain.com.cert and my.domain.com.key

I changed permissions to daemon (I assume this is the user in charge of Openfire, since there is no other user created for Openfire to run as), and chmod-ed them to 400. I got this now:

total 8
-r-------- 1 daemon root 3554 Aug 26 13:10 my.domain.com.cert
-r-------- 1 daemon root 1708 Aug 26 13:09 my.domain.com.key

Nothing got deployed or installed…

I was thinking that maybe that hotdeploy option does not work? Then I copied the .key and .cert contents into the manual “Import Private Key and Certificate” form on the Openfire administration page and tried to import that way, and I got:
“There was an error while trying to import the private key and signed certificate. Internal server error: The supplied certificate chain does not cover the domain of this XMPP service.”

What’s my next move? I guess this SRV record thing is not really working if you want to have a certificate that covers both the subdomain and the domain name.
Any suggestions?
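The import error above is Openfire checking whether the certificate's names (CN and DNS SANs) include the XMPP domain, which is separate from the host the A record points at. The script below is an added example, not from this thread or the Openfire project: it reproduces that name check against a PEM file and builds constructed self-signed certs to show that a cert issued only for the server host does not cover the XMPP domain. It assumes OpenSSL 1.1.1 or newer; xmpp.mydomain.com and mydomain.com are the example names from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: check whether a PEM certificate covers
# a DNS name, the test Openfire applies when it rejects an import with
# "certificate chain does not cover the domain of this XMPP service".
# Assumes OpenSSL 1.1.1 or newer (for -ext/-addext); all names are constructed.

# Print every DNS name the certificate is valid for: the subject CN plus
# every DNS entry of the subjectAltName extension, one per line.
cert_names() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
    tr ',' '\n' | sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# Succeed (exit 0) if DOMAIN matches a listed name exactly or via a
# single-label wildcard such as *.mydomain.com; fail otherwise.
cert_covers() {
  cert="$1"; domain="$2"; parent="${domain#*.}"
  names=$(cert_names "$cert")
  printf '%s\n' "$names" | grep -qxF -- "$domain" && return 0
  [ "$parent" != "$domain" ] && printf '%s\n' "$names" | grep -qxF -- "*.$parent"
}

# Constructed test material: a self-signed cert whose CN is the server host
# and whose SAN list is given as "DNS:a,DNS:b". Writes PREFIX.key/PREFIX.cert.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -sha256 \
    -subj "/CN=xmpp.mydomain.com" -addext "subjectAltName=$2" \
    -keyout "$1.key" -out "$1.cert" 2>/dev/null
}

# Usage: sh check_cert.sh CERTFILE NAME...  (e.g. the XMPP domain and the host)
if [ $# -ge 2 ]; then
  cert="$1"; shift
  for name in "$@"; do
    if cert_covers "$cert" "$name"; then
      echo "$name: covered"
    else
      echo "$name: NOT covered"
    fi
  done
fi
```

Run it against the certbot output as `sh check_cert.sh my.domain.com.cert domain.com my.domain.com`: the XMPP domain has to show as covered for the import to succeed, so the Let's Encrypt request needs both names as SANs.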

It is possible that this openfire user doesn’t have a password. I haven’t tried to log in with it. When doing the chown command, use openfire:openfire, as you must also specify a group as far as I remember.

Can’t help with certificates. I only used self-signed ones and never hosted Openfire on the internet. I think the SRV record is only meant to solve networking/DNS issues, not to make a certificate issued for a different domain work. Unless I misunderstood and you actually have a cert issued for domain.com, which is also your XMPP domain. If so, then maybe someone with more experience can comment on that.