Ignite Realtime

powered by Jive Software

Ignite Realtime Community Forums

SSL Self Signed Certificate Fails

Openfire Openfire Support

pdxcarlos August 4, 2006, 1:52am 1

I’'m setting up a Wildfire for the first time and everything is working like a champ with one exception; attempting to use a SSL Self Signed Certificate.

I’‘ve followed the SSL Guide but it doesn’'t seem to work.

Here is my environment:

Windows Server 2003

Wildfire 3.0.1

Here is what I’'ve done:

Note: I’‘ve added keytool to my “path” so I don’'t have to reference it by directory first.

Note: Values that are in quotes are literal strings and values in angle brackets are variables.

cd c:“program files\wildfire\resources\security”

keytool -storepasswd -keystore keystore

{At the prompt I enter in the default password “changeit” and then set a new password. Let’'s call it “mypass”)

keytool -genkey -keystore keystore -alias <domain name of server>

{I enter the following: “mypass”, <domain name of server>, <OU Name>, <ORG Name>, “Portland”, “Oregon”, “OR”, “yes”}

{Press enter to use the same keystore password}

I press the Start button on the Wildfire admin console and I receive the following:

“Error starting SSL XMPP listener on port 5223: null”

"Wildfire 3.0.1

“Error starting admin console: Multiple exceptions”

I launch the admin console and login. I add the following system properties and their values:

“xmpp.socket.ssl.port” => “5223”

“xmpp.socket.ssl.storeType” => “jks”

“xmpp.socket.ssl.keystore” => “” (If it’‘s blank it’'s the default location)

“xmpp.socket.ssl.keypass” => “mypass”

“xmpp.socket.ssl.truststore” => “” (If it’‘s blank that’'s ok)

“xmpp.socket.ssl.trustpass” => “” (I don’'t have a trust store so I left it blank)

I restart the Wildfire server and the same errors occur:

“Error starting SSL XMPP listener on port 5223: null”

"Wildfire 3.0.1

“Error starting admin console: Multiple exceptions”

I launch the admin and login.

I click on the Security Settings link in the left menu and I find that the page on the right hand side is blank.

Meanwhile the admin console fills up with this:

java.io.IOException

at org.jivesoftware.wildfire.net.SSLConfig.getKeyStore(SSLConfig.java:120)

at org.jivesoftware.wildfire.admin.ssl_002dsettings_jsp._jspService(ssl_002dsettin gs_jsp.java:90)

at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:94)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:689)

at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:428)

at org.mortbay.jetty.servlet.WebApplicationHandler$CachedChain.doFilter(WebApplica tionHandler.java:830)

at com.opensymphony.module.sitemesh.filter.PageFilter.parsePage(PageFilter.java:11 8)

at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:52)

at org.mortbay.jetty.servlet.WebApplicationHandler$CachedChain.doFilter(WebApplica tionHandler.java:821)

at org.jivesoftware.util.LocaleFilter.doFilter(LocaleFilter.java:65)

at org.mortbay.jetty.servlet.WebApplicationHandler$CachedChain.doFilter(WebApplica tionHandler.java:821)

at org.jivesoftware.util.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingF ilter.java:41)

at org.mortbay.jetty.servlet.WebApplicationHandler$CachedChain.doFilter(WebApplica tionHandler.java:821)

at org.jivesoftware.admin.PluginFilter.doFilter(PluginFilter.java:69)

at org.mortbay.jetty.servlet.WebApplicationHandler$CachedChain.doFilter(WebApplica tionHandler.java:821)

at org.jivesoftware.admin.AuthCheckFilter.doFilter(AuthCheckFilter.java:98)

at org.mortbay.jetty.servlet.WebApplicationHandler$CachedChain.doFilter(WebApplica tionHandler.java:821)

at org.mortbay.jetty.servlet.WebApplicationHandler.dispatch(WebApplicationHandler. java:471)

at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:568)

at org.mortbay.http.HttpContext.handle(HttpContext.java:1530)

at org.mortbay.jetty.servlet.WebApplicationContext.handle(WebApplicationContext.ja va:633)

at org.mortbay.http.HttpContext.handle(HttpContext.java:1482)

at org.mortbay.http.HttpServer.service(HttpServer.java:909)

at org.mortbay.http.HttpConnection.service(HttpConnection.java:816)

at org.mortbay.http.HttpConnection.handleNext(HttpConnection.java:982)

at org.mortbay.http.HttpConnection.handle(HttpConnection.java:833)

at org.mortbay.http.SocketListener.handleConnection(SocketListener.java:244)

at org.mortbay.util.ThreadedServer.handle(ThreadedServer.java:357)

at org.mortbay.util.ThreadPool$PoolThread.run(ThreadPool.java:534)

Everything goes back to normal when I remove the system properties values and put the default keystore and truststore back in from the zip file.

My Java is weak, but I’‘ll try (at a later date - I don’‘t have time right now) to see what’'s causing the IO exception.

In the meantime, has anyone encountered these issues before and solved them?

Thanks,

Carlos

Harold_Feit August 4, 2006, 2:13pm 2

Some jabber clients only work with RSA certs, others only work with DSA certs.

The default keystore from the package includes one of each.

I created both, then restarted the server and got it working.

pdxcarlos August 4, 2006, 11:17pm 3

DreadWingKnight,

This may sound like a silly question, but how do I create the two types?

I tried some syntax that I culled from another post, but on the DSA I got a message that read something like “alias is already in use.”

Harold_Feit August 4, 2006, 11:43pm 4

The aliases aren’'t really that important to have the server name.

I just named mine rsa and dsa.

pdxcarlos August 7, 2006, 7:50pm 5

Same error in the Wildfire console.

I did the following:

Replaced the keystore and the truststore with the default files that come with the default install.

cd c:“program files\wildfire\resources\security”

keytool -storepasswd -keystore keystore

{At the prompt I enter in the default password “changeit” and then set a new password. Let’'s call it “mypass”)

keytool -delete -keystore keystore -alias rsa

keytoll -delete -keystore keystore -alias dsa

keytool -genkey -keystore keystore -alias rsa -keyalg rsa

keytool -genkey -keystore keystore -alias dsa -keyalg dsa

No errors up to this point.

When starting Wildfire from the admin console, I still get the error: “Error starting SSL XMPP listener on port 5223: null”

pdxcarlos August 8, 2006, 12:19am 6

I figured it out.

I checked the error.log file and it was stating that the keystore location was c:\program files\wildfire instead of c:\program files\wildfire\resources\security.

I had the xmpp.socket.ssl.keystore property set to an empty string, because of this, it was only looking at the Wildfire home directory.

The SSL documentation guide is a bit misleading in this.

It reads:

It should probably read: “The location of the keystore file relative to your Wildfire installation root directory. You can omit this property to use the default keystore.”

Alternatively, I could have put in “resources\security” and it probably would have figured it out. Since the keystore location with an empty property value is (in Windows) c:\program files\wildfire\ (notice the trailing slash).

One more thing, with Spark, I didn’'t have a problem making a connection, but with Exodus, I had an issue. I had to add a property in order for it to work. The property and its value are: xmpp.server.certifcate.verify => false.

I believe that Exodus is still using SSL encryption, but I can’'t be sure until I capture packets with Wireshark.