Question about openfire hazelcast plugin

I have installed 2 Openfire nodes with the Hazelcast plugin. Both nodes are members of the cluster. I googled hard and have not found any answers:

  • how can I set up XMPP session replication, because if I shut down one node, the users need to relogin

  • how can I install one SSL cert for both nodes

  • implementing HTTP session replication (Openfire web interface) would be great too

Thanks

You need a load balancer or virtual IP in front of your 2 Openfire instances. This needs to be able to do a health check to see if the node is up and capable of accepting users (e.g. connect to port 5222, or if you can do custom code, actually login via XMPP). The admin console is just regular HTTP, so you can either configure your load balancer to do HTTP/HTTPS proxying, or just plain TCP forwarding.

You can copy the openfire/resources/security/keystore file between the systems so they use the same SSL certificate/key. You will probably want to include the hostname of the VIP as a subjectAltName in the cert so it is valid if they go via the load balancer.

You could also perhaps use a couple of SRV records so the client will attempt to connect to both instances, although this is not as smooth as using a load balancer.

For both XMPP and Admin-HTTP, if a node goes down, they will need to relogin (most IM clients do this automatically).

Thanks for the reply, I already have Astaro as LB but will roll back to HAProxy+keepalived due to an SSL issue. Could you give a clear answer on what the point of using an Openfire cluster is? What benefits will I get with the cluster? Because all LB and HA need to be implemented via third-party tools like HAProxy, keepalived, database cluster (Galera in my case).

Clustering allows you to do HA between multiple servers and allow users on both systems to communicate as if it was a single entity. You can obviously scale up your environment further if you have multiple nodes.

hum

Did you mean this?

User a is load-balanced to node A and user b is balanced to node B, and if they communicate with each other I get the benefit from the Openfire cluster; but if there is no Openfire cluster, the packets will be sent from a to b from node A to node B via external interfaces? And if I have an Openfire cluster they will speak to each other inside the cluster without touching the external (VIP) interface.

Users and admin console access will need to be routed via load balancer/VIP so users are routed to an available system when one fails.

Communication between Openfire nodes is done based on the Hazelcast configuration, so it may go via their regular interfaces, or you can force it to go via a second interface that is reserved for cluster traffic.

I have another question. I have just restarted the Openfire nodes and I can't log in to the admin account. I tried everything: inserting values with a new password into the DB, inserting a new user in openfire.xml instead of admin, trying to force a new password through the Openfire setup; nothing helps. What is the problem with it?

hum,

Seems like the problem was the admin.authorizedJIDS parameter in the database. How did it appear by itself? I didn't set it.

Could anyone list a HAProxy configuration example?

Here is a HAProxy config that works with Openfire:

    listen XMPP 172.31.0.4:8222
        mode tcp
        option persist
        option tcplog
        option allbackups
        balance roundrobin
        stick-table type ip size 10240k expire 30m
        stick on src
        server openfire1 10.250.52.6 weight 256 check port 5222 inter 30000 rise 2 fall 3
        server openfire2 10.250.52.7 weight 256 check port 5222 inter 30000 rise 2 fall 3

There are a few issues with using HAProxy with Openfire in general:

  1. Since it’s TCP based, OF only sees the HAProxy instance IP rather than the real user’s IP - HAProxy will log connections when they close, but it is difficult for troubleshooting.

  2. The check just makes sure it’s listening on port 5222 - It doesn’t actually try to authenticate or do any XMPP commands

We use LVS/ipvsadm for load balancing with Openfire. We have Perl scripts that log into OF to make sure it is up, and LVS does L2 routing so the OF instances see the real user IP. Not saying HAProxy is bad - We use it for a lot of HTTP/HTTPS services, but for TCP it’s got some disadvantages.

Thank you very much for your reply! So could you list an LVS/ipvsadm configuration example for us for reference? Thanks again~~

Here is my ldirectord config for Openfire - ipvsadm is pretty basic, and should be easily built from this. Note the xmpp check is a Perl script that logs into Openfire - you could substitute it with a TCP check if that is enough.

    checkinterval=15
    autoreload=yes
    logfile="daemon"
    emailalert=alert@domain.com
    emailalertfreq=0
    emailalertstatus=all
    quiescent=no
    fork=yes
    maintenancedir=/etc/ldirectord/maint/
    failurecount=2
    checktimeout=5

    virtual=700
        real=openfire01:5222 gate
        real=openfire02:5222 gate
        scheduler=wlc
        checktype=external
        checkcommand="/etc/ldirectord/check/xmpp"

    virtual=701
        real=openfire01:5262 gate 1024
        real=openfire02:5262 gate 1024
        scheduler=sh
        checktype=connect
        service=simpletcp
        checkport=5262

    virtual=702
        real=openfire01:9091 gate
        fallback=openfire02:9091 gate
        scheduler=wlc
        checktype=negotiate
        service=https
        checkport=9091
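The thread mentions three levels of health check: a plain TCP connect on 5222 (the HAProxy `check port 5222` and the ldirectord `checktype=connect`), which only proves something is listening, and a full XMPP login done by the poster's Perl script behind `checkcommand="/etc/ldirectord/check/xmpp"`, which is not shown. The probe below is an added example, not code from this thread or from the Openfire project, sitting between the two: it opens an XMPP stream, waits for the server's own stream header and `<stream:features>`, and exits 0 only if the node actually speaks XMPP, so a node whose socket is open but whose XMPP stack is not serving fails the check without the load balancer having to hold a login account. It assumes ldirectord invokes an external check with the four arguments virtual IP, virtual port, real IP, real port (taken from its documentation; confirm against your version), and it reads the XMPP domain for the stream header from an `XMPP_DOMAIN` environment variable with a constructed default of `example.org`.

```python
#!/usr/bin/env python3
"""XMPP stream probe for a load-balancer health check of an Openfire node.

Exit status 0 means the node answered like an XMPP server, 1 means it did
not (or the connection failed).  Written for ldirectord's
checktype=external; the argument order (vip vport rip rport) is an
assumption taken from ldirectord's documentation.  Run by hand as:
    xmpp_probe.py <host> <port>
"""
import os
import socket
import sys

STREAMS_NS = "http://etherx.jabber.org/streams"


def stream_header(domain):
    """Client-side opening of an XMPP stream (RFC 6120 section 4.7)."""
    return (
        '<?xml version="1.0"?>'
        f'<stream:stream to="{domain}" xmlns="jabber:client" '
        f'xmlns:stream="{STREAMS_NS}" version="1.0">'
    )


def classify_stream_response(data):
    """Classify the bytes a server sends back after our stream header.

    'ok'       - a stream header came back (the node speaks XMPP)
    'error'    - the server opened the stream but sent <stream:error>
    'empty'    - nothing came back before the timeout
    'not-xmpp' - something answered, but not with an XMPP stream
    """
    text = data.decode("utf-8", errors="replace")
    if not text.strip():
        return "empty"
    if "<stream:error" in text:
        return "error"
    if "<stream:stream" in text and STREAMS_NS in text:
        return "ok"
    return "not-xmpp"


def starttls_required(data):
    """True if the advertised <stream:features> mark STARTTLS as required,
    i.e. plain-text logins through this VIP would be refused anyway."""
    text = data.decode("utf-8", errors="replace")
    start = text.find("<starttls")
    if start < 0:
        return False
    end = text.find("</starttls>", start)
    if end < 0:          # self-closing <starttls .../>: offered, not required
        return False
    return "<required" in text[start:end]


def probe(host, port, domain, timeout=5.0):
    """Connect, send the stream header, collect the reply until the
    features or a stream error arrive, then close the stream politely.
    Returns (status, starttls_required)."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(stream_header(domain).encode("utf-8"))
        try:
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
                joined = b"".join(chunks)
                if b"</stream:features>" in joined or b"<stream:error" in joined:
                    break
        except socket.timeout:
            pass                     # classify whatever arrived so far
        try:
            sock.sendall(b"</stream:stream>")
        except OSError:
            pass
    data = b"".join(chunks)
    return classify_stream_response(data), starttls_required(data)


def main(argv):
    if len(argv) == 4:               # ldirectord: vip vport rip rport (assumed)
        host, port = argv[2], int(argv[3])
    elif len(argv) == 2:             # manual: host port
        host, port = argv[0], int(argv[1])
    else:
        print("usage: xmpp_probe.py <host> <port> | <vip> <vport> <rip> <rport>",
              file=sys.stderr)
        return 2
    # XMPP domain for the stream 'to' attribute; "example.org" is a constructed default
    domain = os.environ.get("XMPP_DOMAIN", "example.org")
    try:
        status, tls = probe(host, port, domain)
    except OSError as exc:
        print(f"{host}:{port} DOWN ({exc})", file=sys.stderr)
        return 1
    print(f"{host}:{port} stream={status} starttls_required={tls}")
    return 0 if status == "ok" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Pointing `checkcommand` at this script gives a check that fails when the XMPP stack is wedged but the port is still open, which is the gap the HAProxy post describes in its second point. It deliberately stops short of authenticating: a login check proves more, but it means a service account and password live on the load balancer and a failed-login flood shows up in the Openfire audit log every `checkinterval`. If you do want the full login, the `starttls_required` result tells you whether the probe must negotiate TLS before SASL.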

Thanks for your help! I will try it.