Server to Server (S2S) connection

Hi to all,

I’m an Italian student and I must do a connection Server to Server between 2 different PCs; I have installed Openfire 3.6.0a on every PC.

The network is:

pc1 <-------------> pc router <----------------> pc2

on pc1 I have a server openfire.

on pc2 I have a server openfire.

on pc1 I have a client with user called user1 connected with the server on pc1 (I have registered user1 on the server).

on pc2 I have a client with user called user2 connected with the server on pc2 (I have registered user2 on the server).

My objective is that user1 on pc1 must communicate with user2 on pc2.

I think that I must do a S2S connection and I think that I must open a “Server Session”.

Do you want other information?

Sorry for my bad English, thanks in advance.

Crystal

First, each of the PCs must have a valid DNS entry and Openfire must be configured to match the DNS entry. Second, their firewalls must allow all the traffic for S2S. It should then be as easy as entering the full ID of the user in the roster (for example: user2@pc2.domain.com).

Thank you for your answer.

  1. Both PCs are in the same room (I don’t need internet communication between the 2 because it’s a simulation in a laboratory for now).

I set up the Ethernet of the PCs so:

eth0 of pc1 is 10.11.7.1

eth0 of pc2 is 10.11.9.1

I ping pc1 from pc2 and pc2 from pc1 correctly.

on pc1

openfire server name is: centroservizi.lit.ing.unicas.it

openfire host name is: 10.11.7.1

on pc2

openfire server name: autotreno.lit.ing.unicas.it

openfire host name: 10.11.9.1

Do you think I need DNS anyway?

  2. The OS installed on both PCs is FEDORA and I have already disabled all firewalls.

How can I start the communication between the 2 servers?

How can I be sure that the server of pc1 sees the server of pc2?

Thank you in advance very much.

Crystal

Hi crystal13282,

crystal13282 wrote:

Thank you for your answer.

  1. Both PCs are in the same room (I don’t need internet communication between the 2 because it’s a simulation in a laboratory for now).

Do you think I need DNS anyway?

Have you configured the xmpp.domain value of 10.11.7.1 to be centroservizi.lit.ing.unicas.it and 10.11.9.1 to be autotreno.lit.ing.unicas.it?

After configuring the xmpp.domain value correctly on both servers, verify that centroservizi.lit.ing.unicas.it can be resolved by autotreno.lit.ing.unicas.it and vice versa. I think making this successful is enough (no need for DNS, you can define the hosts in, for example, each server’s /etc/hosts file), but I might be wrong. Sorry, I did not have time to test.

  2. The OS installed on both PCs is FEDORA and I have already disabled all firewalls.

How can I start the communication between the 2 servers?

How can I be sure that the server of pc1 sees the server of pc2?

By default server-to-server functionality should be enabled after installing Openfire. To verify this you should see both servers listening on port 5269 (if you have not changed them, of course), for example using netstat.

To test if “server 1 sees server 2” you should be able to, for example, telnet from centroservizi.lit.ing.unicas.it to autotreno.lit.ing.unicas.it’s port 5269.

If you are stuck I think the best is that you connect to centroservizi.lit.ing.unicas.it with user1 and try to send a message to user2@autotreno.lit.ing.unicas.it. If the sending of messages does not work please copy and paste the errors you will see in Openfire’s logs.

And as you might have already noticed from other posts, this doc will probably answer your questions better:

Hi, thank you for your answers.

Ok, I have defined the hosts on each server in /etc/hosts and I have verified that centroservizi.lit.ing.unicas.it is resolved by autotreno.lit.ing.unicas.it and vice versa. In fact, now ping is ok:

on pc1, if I do: ping autotreno.lit.ing.unicas.it, it’s ok now

on pc2, if I do: ping centroservizi.lit.ing.unicas.it, it’s ok now.

Then, I’m logged in with user “tir” on the client (SPARK) of pc2 and I’m logged in with user “warning” on the client (SPARK) of pc1.

Then I add user warning on the client of pc2 as: warning@centroservizi.lit.ing.unicas.it and I add user tir on the client of pc1 as: tir@autotreno.lit.ing.unicas.it.

Now, if I try to contact user warning from user tir they can’t speak because both users are seen as “PENDING”.

But I’m thinking that the problem is the pc-router, because I have installed Openfire on the pc-router too; I did the same things that I have done for pc1 and the S2S connection between the pc-router and pc2 has been established (user tir (that is logged in on pc2) speaks with user “prova” (that is logged in on the pc-router)).

Why is the S2S connection between pc-router (eth0 10.11.9.7) <-> pc2 (eth0 10.11.9.1) ok (single link) while the connection between pc1 <-> pc-router <-> pc2 (double link) is refused? What do you think about it?

Thank you very much.

I think the most frustrating thing is that the logic that causes s2s to send a “remote-server-not-found” is not sending any reasons to the error or debug logs. It would help incredibly if the error packet at least said -which- remote server was not found.

Also, there appears to be an NPE showing up in the error log:

java.lang.NullPointerException
at java.util.concurrent.LinkedBlockingQueue.extract(LinkedBlockingQueue.java:157)
at java.util.concurrent.LinkedBlockingQueue.poll(LinkedBlockingQueue.java:440)
at org.jivesoftware.openfire.pubsub.PublishedItemTask.run(PublishedItemTask.java:70)
at java.util.TimerThread.mainLoop(Timer.java:527)
at java.util.TimerThread.run(Timer.java:477)
2008.10.15 11:19:04 [org.jivesoftware.openfire.pubsub.PublishedItemTask.run(PublishedItemTask.java:79)] Internal server error

bob

I did another test:

I connected pc1 with pc2 without the pc-router and the user of pc1 can’t speak with the user of pc2 (the users are both “PENDING” and so the S2S connection is impossible).

So, now I think that the problem is on pc2…

Then I tried to connect the user of pc1 on the server of pc2 so that the user of pc1 and the user of pc2 can speak, and this connection is impossible, too!

What do you think about it?

I did another test; I have changed the server name of both servers so:

Server name of pc1 10.11.7.1

Server name of pc2 10.11.9.1

I try to make the user on pc1 (warning) speak with the user on pc2 (tir) but the S2S connection can’t be established.

The Openfire warning log is:

2008.10.17 09:51:15 Error returning error to sender. Original packet:

org.jivesoftware.openfire.PacketException: Cannot route packet of type IQ or Presence to bare JID:

at org.jivesoftware.openfire.spi.RoutingTableImpl.routePacket(RoutingTableImpl.java:217)
at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.returnErrorToSender(OutgoingSessionPromise.java:285)
at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.run(OutgoingSessionPromise.java:219)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)

Can you help me?

Hi Crystal,

please check the doc “Server to Server how to’s” http://www.igniterealtime.org/community/docs/DOC-1030.

The first two main requirements are (as described in the above doc):

  1. Server-2-server communication occurs on port 5269 (by default).

So the first thing to check is that there is no firewall closing that port.

  2. The second task would be to verify that the server name of each Openfire server can be resolved by the DNS. XMPP servers will do a DNS SRV lookup to figure out the actual IP address and port to use to connect to the remote server.

You can check the first requirement, for example, on pc1 by doing “$telnet 10.11.7.1 5269” and vice versa on pc2. Does that work?
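A small diagnostic that reproduces the two checks above from the remote server's point of view: the SRV-based name resolution and a TCP connect to port 5269. This is an added example, not code from the thread or from Openfire; the SRV answer and the backup host in it are constructed, and the RFC 2782 weighted selection is simplified to a deterministic sort.

```python
import socket

S2S_PORT = 5269  # default Openfire server-to-server port named in the thread


def srv_name(xmpp_domain):
    """Record a remote XMPP server queries before connecting to xmpp_domain.
    An /etc/hosts entry can never answer this query; only DNS can."""
    return f"_xmpp-server._tcp.{xmpp_domain}"


def order_srv_targets(records):
    """records: (priority, weight, port, target) tuples from an SRV answer.
    Returns (target, port) in trial order: lowest priority first, heavier
    weight first within a priority (deterministic simplification of RFC 2782)."""
    ranked = sorted(records, key=lambda r: (r[0], -r[1]))
    return [(target.rstrip("."), port) for _, _, port, target in ranked]


def resolves_locally(hostname):
    """Can the OS resolver (DNS or /etc/hosts) map hostname to an address?
    This is the check the thread performs with ping."""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False


def port_reachable(host, port=S2S_PORT, timeout=3.0):
    """Equivalent of 'telnet host 5269': does a TCP handshake complete?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unresolvable, or no network
        return False


def check_s2s_path(xmpp_domain, srv_records):
    """Mimic the remote server's decision: try SRV targets first and only
    fall back to the domain's own A/AAAA record on 5269 if there are none."""
    candidates = order_srv_targets(srv_records) or [(xmpp_domain, S2S_PORT)]
    return [(host, port, resolves_locally(host), port_reachable(host, port))
            for host, port in candidates]


if __name__ == "__main__":
    # Constructed SRV answer for the thread's pc2 domain (not real DNS data).
    demo = [(10, 5, 5269, "autotreno.lit.ing.unicas.it."),
            (20, 0, 5269, "backup.lit.ing.unicas.it.")]
    for row in check_s2s_path("autotreno.lit.ing.unicas.it", demo):
        print("host=%s port=%d resolves=%s port_open=%s" % row)
```

A host that resolves (via /etc/hosts) but has no SRV record and a closed port 5269 shows up as a row with `resolves=True port_open=False`, which is exactly the PENDING situation described in the thread.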

Socket[addr=/192.168.5.2,port=33100,localport=5269]
2009.07.29 13:00:08 Connexion clôturée avant l établissement de la session
2009.07.29 13:00:07 ServerDialback: RS - Trying to connect to Authoritative Server: srv1:5269(DNS lookup: srv1:5269)
2009.07.29 13:00:07 ServerDialback: RS - Received dialback key from host: srv1 to: srv2
2009.07.29 13:00:07 Connect Socket[addr=/192.168.5.2,port=8073,localport=5269]

Connexion clôturée avant l’établissement de la session /

Connection closed before the establishment of the session

=> Can this be due to the firewall ?

java.net.ConnectException: Connection timed out: connect
2009.07.29 13:04:02 Error verifying key of remote server: srv1

javax.net.ssl.SSLException: Unsupported record version Unknown-47.115
] Error while negotiating TLS: org.jivesoftware.openfire.net.SocketConnection@a87a8 socket: Socket[addr=/192.168.5.2,port=27562,localport=5269] session: org.jivesoftware.openfire.session.LocalIncomingServerSession@1644c9 status: 1 address: srv2/fde67ca5 id: fde67ca5
2009.07.29 13:05:22 [org.jivesoftware.openfire.net.SocketReadingMode.negotiateTLS(SocketReadingMode.java:77)
at java.lang.Thread.run(Unknown Source)

I have set the server connection to NOT be TLS and I still see these in the error log.

Got a similar problem a few years ago (think it was Openfire version 3.3) … but it sounds like the same problem…

In my case it’s all about DNS verification!

It was NOT possible to insert the PC name into /etc/hosts; the server name must be resolvable by a DNS lookup.

For example: in a private network at home it was impossible to establish an S2S connection; the only way to get the connection up was setting up the servers on two PCs which were in the domain of the university with a qualified DNS server. The other way is to set up the servers on the internet where the names can be resolved via global DNS.

Further, the configured name of the Openfire server MUST be the fully qualified DNS name… otherwise I got connection errors when I tried to establish the S2S connection.

Ok, I understand this issue well.

My problem is that srv1 is in the DMZ and srv2 is in the LAN - separated with a firewall - rules are set and it looks like the packets are forwarded…

BUT srv1 is for external users/clients to connect with srv2 which is used internally …

So in this actual setup (2 servers: 1 in the DMZ with DNS OK and 2 in the LAN that cannot be DNS requested)

=> my project is dead …

Only way is to authenticate ALL users external and internal on the same server being in the DMZ…
Is that so ?

Don’t know if some changes were made in the past year, but when I developed a plugin using S2S communication both (all) server names had to be resolvable via the same DNS.

If server1 is in the DMZ and tries to connect to server2 (in the LAN) it makes a DNS lookup to its assigned DNS - in this case your server in the LAN can’t be resolved.

So in this configuration I think it’s not possible to get an S2S connection.

Maybe it’s possible to set up your server within the LAN using your WAN IP (or domain name if resolved to your WAN IP) as server name and use NAT to forward all necessary ports to your server machine within the LAN …

I see, for security reasons it is better to have the LAN users connecting into the DMZ server to share with external users

rather than the inverse…

So I guess this is my option.