Wildfire post installation steps

Hi All,

I installed Wildfire 3.1.1 and after some testing our organization decided to go with it for internal instant messaging. Now I need to tidy up security of the server. Is there any documentation about that? Steps which I have done already:

  1. changed keystore password. By the way - should I change Java runtime CACERTS keystore password? If so, do I have to pass this password to Wildfire server somehow?

  2. configured SSL with our organization Certification Authority certificate

Next steps as I see them:

  1. change password(s) for HSQLDB. We don't want MySQL at this moment

  2. security changes on administration web interface - disable HTTP, install our organization HTTPS certificate, anything else? By the way - which HTTP server is Wildfire using for administration access?

  3. Anything else?

I investigated security issues a little bit more and here is the updated to-do list:

  1. change Wildfire keystore password

  2. configure SSL with your organization Certification Authority certificate

  3. configure file system permissions so nobody can get unauthorised access to the Wildfire folder

  4. change admin password through web interface - by default it is stored unencrypted on the file system

  5. disable unencrypted web administration interface by editing file %Wildfire home folder%/conf/wildfire.xml

  6. configure server not to communicate with other Jabber servers

It turned out that password change for HSQLDB is not necessary - database is used in standalone mode and can be accessed only through file system.

One thing I am still not sure about is whether I should change the Java runtime CACERTS keystore password.
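The file-permission and admin-console items from the checklist above as a small POSIX shell audit, added here as an example; it is not code from this thread or from the Wildfire project. It assumes the config file is conf/wildfire.xml under the install folder and that, as in later Openfire releases, the plain-HTTP admin console port is `<adminConsole><port>` with -1 meaning disabled; check the element names against your own wildfire.xml before relying on it.

```shell
#!/bin/sh
# Added example, not from the thread: audit two checklist items (file permissions,
# plain-HTTP admin console disabled). Assumptions: config is
# $WILDFIRE_HOME/conf/wildfire.xml and, as in later Openfire releases,
# <adminConsole><port> is the plain-HTTP port, <securePort> the HTTPS port, -1 = off.

# Pass (exit 0) when nothing under the install is readable/writable by "other".
check_home_perms() {
    [ -z "$(find "$1" \( -perm -004 -o -perm -002 \) -print | head -n 1)" ]
}

# Pass (exit 0) when the plain-HTTP admin console port is set to -1.
admin_http_disabled() {
    conf="$1/conf/wildfire.xml"
    [ -r "$conf" ] || return 2
    port=$(sed -n '/<adminConsole>/,/<\/adminConsole>/p' "$conf" |
        sed -n 's/.*<port>[[:space:]]*\(-\{0,1\}[0-9]*\)[[:space:]]*<\/port>.*/\1/p' | head -n 1)
    [ "$port" = "-1" ]
}

# One report line per check; exit 0 only if every check passes.
audit() {
    rc=0
    check_home_perms "$1" && echo "PASS perms" || { echo "FAIL perms: world-accessible files"; rc=1; }
    admin_http_disabled "$1" && echo "PASS admin" || { echo "FAIL admin: plain HTTP console enabled"; rc=1; }
    return $rc
}

# Constructed sample install with the weak settings (world-readable, HTTP on 9090).
make_sample() {
    dir=$(mktemp -d); mkdir -p "$dir/conf"
    cat > "$dir/conf/wildfire.xml" <<'EOF'
<jive>
  <adminConsole>
    <port>9090</port>
    <securePort>9091</securePort>
  </adminConsole>
</jive>
EOF
    chmod -R o+r "$dir"
    printf '%s\n' "$dir"
}

# Apply the two checklist fixes to a sample install.
harden() {
    sed 's#<port>9090</port>#<port>-1</port>#' "$1/conf/wildfire.xml" > "$1/conf/.tmp" &&
        mv "$1/conf/.tmp" "$1/conf/wildfire.xml"
    chmod -R o-rwx "$1"
}
```

Run `audit /path/to/wildfire` against a real install; the constructed `make_sample`/`harden` pair only exists to show the before and after states.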

The following notes are related to 3.2.0RC. I've not tested 3.1.1.

  1. The internal HTTP server is Jetty.

  2. To tighten security of the entire IM network, require SSL communication with the clients. See the Security Settings section of the Admin Console.

  3. Disable HTTP Binding (3.2.x only)

  4. Disable External Components (disabled by default)

  5. Disable STUN Server (disabled by default) (3.2.x only)