I have spent a bunch of time over the past week trying to get Openfire working with SSL. I have a really good handle (or so it seems) on how to get the SSL working, with publicly rooted, privately rooted and self-signed certificates. Lots of hiccups, but I can consistently get certificates generated, imported and working in the server.
However, I’m getting nowhere with turning on client authentication. I can’t find information anywhere on:
- how to turn it on (I’ve tried a number of things, but the clients, Pidgin and Spark, don’t prompt me for certs)
- how to manage which certs to trust (can I simply import a CA root and have all certs from it trusted?)
- how do I map cert attributes to users
- how do I manage certs in the clients: can I import CA roots ahead of time, or do I just have to manage them as they come in?
What I have tried so far, after I got the SSL working, is:
- added the system property sasl.mechs=EXTERNAL
- added the system property xmpp.client.cert.policy=required
I’d really appreciate it if anyone can give me any guidance on how to get it working. If I’m able to pull together all the info I need I’d be more than happy to pull together a new SSL configuration guide that covers off all of the new features and publish it here.