Securing openfire admin cp port

In the Openfire admin CP we have already added an XMPP SSL certificate. How do we secure “The port used for secured Admin Console access”, so that when we go to the admin CP through a browser it is secured with a CA-signed SSL certificate?

Hi,

You just need to use the URL https://example.com:9091/ . Make sure to enter https:// in your browser. Take a look at conf/openfire.xml - there you can configure or disable the unencrypted (default 9090) and the securePort (default 9091).

LG

We have port 9091 (secured) working, but when you go through a browser it shows this in IE:

There is a problem with this website’s security certificate.

I have an XMPP SSL certificate added in the admin CP. How do I get the SSL certificate to work in the browser? We also have a wildcard SSL certificate.

Hi,

You may want to inspect this problem. Either it is no longer valid, the domain name does not match, or the company which signed the certificate is not known to your browser. In any case you can accept the certificate and use the encrypted connection.

LG

Our wildcard SSL certificate is installed on our server and works with port 443 (standard HTTPS). So if I type https://[Your Internet IP Address] it works; if I type https://[Your Internet IP Address]:9091 the SSL error comes up.

I believe the XMPP SSL certificate added in the Openfire admin CP is for communication from client to server regarding chatting.

It is the Openfire admin CP through the browser that I want to secure.

The error in IE is:

---------- start

There is a problem with this website’s security certificate.

The security certificate presented by this website was not issued by a trusted certificate authority.

Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.
We recommend that you close this webpage and do not continue to this website.
Click here to close this webpage.

Continue to this website (not recommended).
More information

---- end

Our xmpp added in openfire admin cp is signed by CA and is for RSA. It has not expired.

Hi,

So you need to add the “CA” to your browser as a trusted “CA”.

To fix "The security certificate presented by this website was not issued by a trusted certificate authority." you need to add the CA to your browser.

You write “Our xmpp added in openfire admin cp is signed by CA and is for RSA.” - “by CA” is not very specific. I guess it’s not Verisign or another well-known CA.

LG

Our XMPP certificate, which is added in the Openfire admin CP, is from xmpp.org. Our wildcard SSL certificate is from RapidSSL. Both are known. Our wildcard is accepted by the browser at https://ip.address, but as soon as I go to https://ip.address:9091 the same certificate is not accepted.

Hi,

When you use “https://server” you will likely not use the certificate of Openfire but the one of your webserver (RapidSSL).

When you open “https://server:9091” you connect to Openfire. Read http://xmpp.org/ca/developers.shtml for more information about the root CA which you may need to import in your browser.

LG

I looked at the page you recommended, http://xmpp.org/ca/developers.shtml, but there were no instructions. I went to http://xmpp.org/ca/installation.shtml and followed those instructions: copied the new domain.crt (with 3 BEGIN CERTIFICATE blocks in the file) to {openfire-home}/resources/security. The file is rw-r--r--. Stopped and started Openfire. Still the same error.

Where am I going wrong? Also, in the Openfire admin CP system properties I have this:

xmpp.socket.ssl.active = true

xmpp.socket.ssl.port = 5222

Hi,

You need to import the certificate or the CA into your browser so your browser can accept it without a warning.

LG

Yeap, when you get that warning, you should see a red field near the address bar. You can click on that and then see information about the certificate. There you will see an Install (or Import) button, so you will be able to install that certificate into your browser’s trusted store.

Unfortunately this will not solve our problem. We have links on our web site to the plugins “fastpath” and “presence”. Especially fastpath we want to be secure. On our web pages, in the HTML head tags, we have https://server:9091/webchat/jivelive.jsp. Our chat works, everything from Openfire works except the security part. We cannot expect every person who comes to our web site to accept the certificate through their browser. The general public will not know how to do this.

So the question is: how do we install any CA-signed certificate so that all communication on port 9091 for Openfire is secure? Anyone who goes through the browser and wants anything from Openfire will be secure, just like on our port 443? There has to be a way.

Hi,

Use Apache and mod_proxy on port 80/443 with a standard certificate in front of Openfire. It’s always a bad idea to allow access to the Openfire admin interface.

LG

LG,

What do you mean by “bad idea to allow access to the Openfire admin interface”? For fastpath and presence, it is just using port 9091. For the Openfire admin CP, we want https://server:9091 for admin people. For the general public it is https://server:9091/plugin/something/something.

I will look into Apache and mod_proxy for port 80/443 and report back.

Have you tried installing Fastpath onto an application server as is recommended? Once that is done you will not have the general public pointing to your Openfire server, and it will not be providing the security certificate for the Fastpath chat interface. This will also reduce the load on your Openfire server and such.

How do we install webchat/Fastpath on a production server? I looked at the readme document for Fastpath and it talked about ports: http://www.igniterealtime.org/projects/openfire/plugins/webchat/readme.html. We would like it on the same server our Openfire is located on. We are using CentOS and web stuff goes in /var/www/html.

Hi,

Take a look at http://www.igniterealtime.org/community/message/18422

I expect that you are running Apache and Openfire on the same host. There you configure (a vhost and) the needed rewrite rules for webchat (or the registration plugin):

RewriteCond %{REQUEST_URI} ^/registration/sign-up.jsp
RewriteRule ^/(.*) http://localhost:9090/plugins/$1 [P]

And you use another vhost or Apache instance for the admin access. That way you can use Apache configuration options to limit access by IP address, and additionally you get an access_log of your admin console.

LG
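The Apache setup LG describes, written out as an added example that is not from the thread or from the Openfire project: one vhost forwards only the public plugin paths, a second one on its own port exposes the admin console to an admin network only, and both present the RapidSSL wildcard certificate so browsers never see Openfire's own certificate on 9091. Host names, certificate paths and the 192.0.2.0/24 admin network are placeholders; the plugin paths follow the /plugins/ mapping in the rewrite rule above.

```apache
# Added example (not from the thread): Apache 2.2-style reverse proxy in front of Openfire.
# Assumed: Apache and Openfire on the same host, the Openfire console on localhost:9090
# (plain HTTP, firewalled so only localhost reaches it), plugins served under /plugins/<name>/
# on that port as in the RewriteRule above. Paths, names and networks are placeholders.
Listen 443                              # drop if ssl.conf already listens here
Listen 8443
ProxyRequests Off                       # reverse proxy only, never an open forward proxy

# Public vhost: browsers see only the wildcard certificate, and only the plugin
# paths the web site links to are forwarded to Openfire.
<VirtualHost *:443>
    ServerName chat.example.com
    SSLEngine on
    SSLCertificateFile      /etc/pki/tls/certs/wildcard.example.com.crt    # placeholder
    SSLCertificateKeyFile   /etc/pki/tls/private/wildcard.example.com.key  # placeholder
    SSLCertificateChainFile /etc/pki/tls/certs/rapidssl-intermediate.crt   # placeholder

    # Same mapping as the RewriteRule above, written with ProxyPass; the page then
    # links https://chat.example.com/webchat/jivelive.jsp instead of :9091.
    ProxyPass        /webchat/  http://localhost:9090/plugins/webchat/
    ProxyPassReverse /webchat/  http://localhost:9090/plugins/webchat/
    ProxyPass        /presence/ http://localhost:9090/plugins/presence/
    ProxyPassReverse /presence/ http://localhost:9090/plugins/presence/
    # Everything else (login.jsp and the rest of the admin console) is not proxied here.

    CustomLog /var/log/httpd/chat_access.log combined
</VirtualHost>

# Admin vhost on its own port: same certificate, but only the admin network may
# reach the console, and every request lands in a separate access log.
<VirtualHost *:8443>
    ServerName chat.example.com
    SSLEngine on
    SSLCertificateFile      /etc/pki/tls/certs/wildcard.example.com.crt    # placeholder
    SSLCertificateKeyFile   /etc/pki/tls/private/wildcard.example.com.key  # placeholder
    SSLCertificateChainFile /etc/pki/tls/certs/rapidssl-intermediate.crt   # placeholder

    <Location />
        Order deny,allow
        Deny from all
        Allow from 192.0.2.0/24         # placeholder admin network (Apache 2.4: Require ip 192.0.2.0/24)
    </Location>

    ProxyPass        / http://localhost:9090/
    ProxyPassReverse / http://localhost:9090/

    CustomLog /var/log/httpd/openfire-admin_access.log combined
</VirtualHost>
```

With this in place the admin console port 9091 can stay closed on the firewall, since admins reach it via https://chat.example.com:8443/ and the public never needs it.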