
OPENFIRE

CREATE YOUR OWN XMPP MESSAGING SERVER


Open Source Software - Basic Server Setup Guide

Edition 2017/01
By

KARL M. JOCH

Copyright © 2017

Website: http://KMJ.at

The books and e-books page on my site:
https://kmj.at/buecher-und-e-books/
Exclusive distribution of this e-book by:
CTS GMBH
A-5020 Austria
Website: http://CTS.at

INTRODUCTION
In 1978 I started in the IT industry with IBM S3/15, Siemens BS2000 Jumbos and
DEC PDP systems. At that time we did most of the coding in Assembler,
Cobol and other languages people mostly don’t know anymore.
As the market was growing I opened my own company, CTS GMBH
(https://CTS.at), in November 1985 to serve customers with IT services.
CTS GMBH has been successful for over 30 years and is a trusted partner for IT
services. Customers range from small companies to European Top-500.
Working with Open Source Software started in the early 90’s of the last century,
building up knowledge which is not seen very often. Privacy and security were
always a top priority for me.
General rule: “I don’t have anything to hide, but compared to a lot of people I do
care a lot who spies on me and collects data about me.”
I hope you enjoy reading my books, using the information to build solutions for a
stable, secure, monitored, scalable, easy maintainable and as much as possible
automated IT-infrastructure.
*Note: I am a native German speaker and have done my best to make my English as error-free as possible. If you still find typos or
grammar errors, feel free to inform me at books@kmj.at.
TABLE OF CONTENTS

Introduction
Table of Contents
Legal Notes
Introduction to Openfire
    SSL encrypted messaging
Firewall Setup (Optional)
    Description of firewall ports
Download & Install Openfire
    Download the software
    Install and start the software
First configuration steps
    Connect to the web interface
    First time connecting
Detailed setup of Openfire
    Protect the web interface with SSL
    Create SSL certificates for all stores
The Server tab
    Server Manager
        Server Information
        System Properties
        Server Manager other tabs
    Server Settings
        Client Connections
        Server to Server Settings
        Registration & Login (Really check this one)
    Gateways
        Settings
        Transport
    Archiving
        Archive Settings
User/Groups
    Users
    Groups
Configure your client
    Setting up a desktop client
    Connect and test
    Test external connections
More Features
About The Author
Other Books By (Author)
Link List for this e-book
    Openfire project page
    Openfire download page
    Author's e-book about SSL Certificates
    Description of the XMPP protocol
    FreeBSD Project Page
    XMPP / Jabber Clients
Can I Ask A Favour?

LEGAL NOTES

The author’s intellectual property rights are protected by international Copyright law. You are licensed to use this digital copy strictly for
your personal enjoyment only. It must not be redistributed or offered for sale in any form.
None of my books are “advice” in any form. I describe my own experiences, which may not work for you. Rules 1-3 below apply to all
of my writing, and you should never try things out without asking an expert first.
For all content of this book, all information in this book and for any of the described software, the following terms of the GPL 3.0
(http://gnu.org) regarding warranty and liability apply:
1) Disclaimer of Warranty.
THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM “AS IS”
WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY
AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE
COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
2) Limitation of Liability.
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY
OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR
DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR
INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED
INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY
OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.
3) Interpretation of Sections 1 and 2.
If the disclaimer of warranty and limitation of liability provided above cannot be given local legal effect according to their terms, reviewing
courts shall apply local law that most closely approximates an absolute waiver of all civil liability in connection with the Program, unless a
warranty or assumption of liability accompanies a copy of the Program in return for a fee.

INTRODUCTION TO OPENFIRE
SSL ENCRYPTED MESSAGING
Openfire, previously known as Wildfire and Jive Messenger, is a Java-based Open
Source instant messaging system and group chat server.
The software uses the XMPP protocol and, because of Java, is
platform independent and runs on all major operating systems like Linux, Unix,
Mac OS X and Windows.
The Openfire project page shows more than 7 Million downloads for build 4.1.1
and offers binaries for the named operating systems.
Openfire is able to run your own secure and encrypted private messaging server
for friends and family in the same way as the software can run your scalable
enterprise messaging system.
Openfire offers:
    Web-based administration panel
    Plugin interface
    SSL/TLS support
    User-friendly web interface
    Embedded HSQLDB or other DBMS
    LDAP connectivity
    Platform independent, pure Java
    Support for more than 50,000 concurrent users
FIREWALL SETUP (OPTIONAL)
DESCRIPTION OF FIREWALL PORTS
Before you set up Openfire I suggest you decide the IP to use and prepare your
firewall in front of the Openfire server. This is optional, but a server should always
have the best possible protection.
Openfire by default uses the following ports; some of them are switched on or
off depending on your configuration:

Port  Service               Description

5222  Client to Server      The standard port for clients to connect to the server. On
                            this port plain-text connections are established, which,
                            depending on configurable security settings, can (or must)
                            be upgraded to encrypted connections.

5223  Client to Server      The port used for clients to connect to the server using the
                            old SSL/TLS method. Connections established on this port are
                            established using a pre-encrypted connection. This type of
                            connectivity is commonly referred to as the “old-style” or
                            “legacy” method of establishing encrypted connections.
                            Configuration details can be modified in the security
                            settings.

7070  HTTP Binding          The port used for unsecured HTTP client connections.

7443  HTTP Binding          The port used for secured HTTP client connections.

5269  Server to Server      The port used for remote servers to connect to this server.
                            Connections established on this port are established using a
                            pre-encrypted connection. This type of connectivity is
                            commonly referred to as the “old-style” or “legacy” method of
                            establishing encrypted connections. Configuration details can
                            be modified in the security settings.

5275  External Components   The port used for external components to connect to the
                            server. On this port plain-text connections are established,
                            which, depending on configurable security settings, can (or
                            must) be upgraded to encrypted connections.

5276  External Components   The port used for external components to connect to the
                            server using the old SSL/TLS method. Connections established
                            on this port are established using a pre-encrypted
                            connection. This type of connectivity is commonly referred to
                            as the “old-style” or “legacy” method of establishing
                            encrypted connections. Configuration details can be modified
                            in the security settings.

5262  Connection Manager    The port used for connection managers to connect to the
                            server. On this port plain-text connections are established,
                            which, depending on configurable security settings, can (or
                            must) be upgraded to encrypted connections.

5263  Connection Manager    The port used for connection managers to connect to the
                            server using the old SSL/TLS method. Connections established
                            on this port are established using a pre-encrypted
                            connection. This type of connectivity is commonly referred to
                            as the “old-style” or “legacy” method of establishing
                            encrypted connections. Configuration details can be modified
                            in the security settings.

9090  Admin Console         The port used for unsecured Admin Console access.

9091  Admin Console         The port used for secured Admin Console access.

7777  File Transfer Proxy   The port used for the proxy service that allows file
                            transfers to occur between two entities on the XMPP network.

5229  Flash Cross Domain    Service that allows Flash clients to connect to other
                            hostnames and ports.

! If your firewall or router is running with NAT enabled you must forward the
described ports to the same ports of your Openfire server’s LAN IP address.
! If you are connected with a dynamic IP, running your Openfire server as a Tor
hidden service lets you access it without NAT and port forwarding. Learn
more about the Tor network in my upcoming book about the Tor network and the
good sides of the Darknet.
DOWNLOAD & INSTALL OPENFIRE
DOWNLOAD THE SOFTWARE
You find the binary versions and the source tarballs at the project’s download page
http://www.igniterealtime.org/downloads/
Download the version for your operating system.
INSTALL AND START THE SOFTWARE
Run the installer as with other software on your system. Installing from source is
outside the scope of this guide.
If you are on Linux or FreeBSD your package manager should have a package for
Openfire available.
On Debian
apt-get update
apt-get install openfire
does the job. It should install the OpenJDK too.
We have chosen FreeBSD for our installation, so
pkg update
pkg install openfire
installs Openfire, OpenJDK and dependencies for us.
FreeBSD requires
openfire_enable="YES"
in /etc/rc.conf to start Openfire on system startup.
Run
service openfire start
to start Openfire the first time.
! If you are using a firewall or NAT router, at least ports 5222, 5223 (SSL) and 7777
(for file transfers, if required) must be forwarded to the Openfire server.
!! NOTE for Windows installs: The installer for Windows includes a JRE and
saves you from downloading and installing the appropriate JRE on your own. You
can install Openfire as a service using Openfire-service /install and remove it with
Openfire-service /uninstall. Openfire-service /start and Openfire-service /stop are used to
start and stop the service on Windows.
The basic setup of Openfire is done!
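A quick way to see what the port table above means on the freshly started server, as an added example that is not part of Openfire or of this guide: the script below reads the listening sockets from FreeBSD's sockstat and flags Openfire ports that carry plain text (9090, 7070) or serve administration (9091) when they are bound to all interfaces. The grouping of the ports into public, admin, internal and plain, the sample sockstat output and the script name are this example's own assumptions; on Linux replace the sockstat call with ss -ltn and adjust the column parsing.

```python
"""Audit which Openfire listeners are reachable on every interface.

Added example for this guide; it is not part of Openfire or the author's
setup. It parses the output of FreeBSD's `sockstat -4 -6 -l` and applies the
port table from the firewall chapter: ports that carry plain text or serve the
admin console should not be bound to all interfaces on a host reachable from
the Internet. The sample output below is constructed; on a real server run
the script without arguments.
"""
import subprocess
import sys

# Ports from the firewall chapter. Grouping them into public / admin /
# internal / plain is this example's assumption, derived from the descriptions.
OPENFIRE_PORTS = {
    5222: ("client to server, STARTTLS", "public"),
    5223: ("client to server, legacy SSL", "public"),
    5269: ("server to server", "public"),
    7443: ("HTTP binding, secured", "public"),
    7777: ("file transfer proxy", "public"),
    5262: ("connection manager", "internal"),
    5263: ("connection manager, legacy SSL", "internal"),
    5275: ("external components", "internal"),
    5276: ("external components, legacy SSL", "internal"),
    5229: ("Flash cross domain", "internal"),
    7070: ("HTTP binding, unsecured", "plain"),
    9090: ("admin console, unsecured", "plain"),
    9091: ("admin console, secured", "admin"),
}
WILDCARDS = {"*", "0.0.0.0", "::"}   # bound on all addresses

# Constructed sockstat output: a fresh install with the unsecured admin console
# and the HTTP binding reachable everywhere, the secured console on the LAN address.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
openfire java       1234  45 tcp4   *:5222                *:*
openfire java       1234  46 tcp4   *:5223                *:*
openfire java       1234  47 tcp4   *:5269                *:*
openfire java       1234  48 tcp4   *:7070                *:*
openfire java       1234  49 tcp4   *:9090                *:*
openfire java       1234  50 tcp4   192.168.1.10:9091     *:*
openfire java       1234  51 tcp4   127.0.0.1:5275        *:*
root     sshd       800   4  tcp4   *:22                  *:*
"""


def parse_listeners(sockstat_output: str) -> list:
    """Return (command, proto, address, port) for every listening TCP socket."""
    listeners = []
    for line in sockstat_output.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] == "USER" or not fields[4].startswith("tcp"):
            continue
        command, proto, local = fields[1], fields[4], fields[5]
        address, _, port = local.rpartition(":")  # works for '*:9090' and '::1:9091'
        if port.isdigit():
            listeners.append((command, proto, address, int(port)))
    return listeners


def audit(sockstat_output: str) -> dict:
    """Map each listening Openfire port to 'ok' or an 'exposed-...' verdict."""
    verdicts = {}
    for _command, _proto, address, port in parse_listeners(sockstat_output):
        if port not in OPENFIRE_PORTS:
            continue
        role = OPENFIRE_PORTS[port][1]
        exposed = address in WILDCARDS
        if exposed and role == "plain":
            verdict = "exposed-plaintext"
        elif exposed and role in ("admin", "internal"):
            verdict = "exposed-" + role
        else:
            verdict = "ok"
        if verdicts.get(port, "ok") == "ok":   # keep the worst verdict per port
            verdicts[port] = verdict
    return verdicts


def report(sockstat_output: str) -> int:
    """Print one line per Openfire port; return how many are exposed."""
    findings = audit(sockstat_output)
    for port in sorted(findings):
        print(f"{port:5d}  {OPENFIRE_PORTS[port][0]:32}  {findings[port]}")
    return sum(1 for verdict in findings.values() if verdict != "ok")


if __name__ == "__main__":
    if "--sample" in sys.argv:
        output = SAMPLE_SOCKSTAT
    else:
        output = subprocess.run(["sockstat", "-4", "-6", "-l"], check=True,
                                capture_output=True, text=True).stdout
    sys.exit(1 if report(output) else 0)
```

Ports reported as exposed-plaintext are the ones to block at the firewall in front of the server; 9091 should stay reachable only from the network you administer from. The script exits non-zero when anything is exposed, so it can run from cron after every reconfiguration.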





FIRST CONFIGURATION STEPS
CONNECT TO THE WEB INTERFACE
Openfire opens the admin web interface on port 9090. Access the interface with
your browser surfing to one of these possibilities:
If you run a system with a graphical desktop, you can access the web
interface browsing to
http://127.0.0.1:9090
If you run a command line operating system, as we have chosen with
FreeBSD, point your browser to
http://<YOUR IP ADDRESS>:9090
FIRST TIME CONNECTING
If you are connecting for the first time Openfire asks you a few simple questions
regarding your setup. This includes the language and some basic server settings.
I suggest you choose the embedded HSQLDB for your installation, but other
databases, including MySQL, can be used too.
We also want to keep user and password management within the Openfire server
and select the default option to store everything in the embedded database.
Most of the defaults should be fine for you.
Now we need to pick a domain name for our server.
!! You really should use a valid domain name here. The domain name is part of
your XMPP/Jabber account name.
The domain name must be DNS-resolvable in case you want to connect users
from different Openfire servers or if you allow other XMPP/Jabber users to
communicate with users on your server.
The example hostname for our server is
xmpp.ctseuro.com
and my username there is karl.
My full XMPP/Jabber account name would be:
karl@xmpp.ctseuro.com
If we allow server-to-server connections, other XMPP or Jabber users can
message me at
karl@xmpp.ctseuro.com
!! This is an XMPP/Jabber address and not an e-mail address, even though it looks the
same.
Finally enter a secure password of your choice and you are ready to log in to
your Openfire server!
After logging in you should see the dashboard of your Openfire server and we are ready to
continue.

DETAILED SETUP OF OPENFIRE
PROTECT THE WEB INTERFACE WITH SSL
Before we continue we want to secure the web interface with SSL encryption so
we can access it with https:// and strong encryption.
Change to the TLS/SSL Certificates tab and scroll down to the Admin Console Stores.
Openfire handles certificates within Certificate Stores. There are different stores
for different actions. These “Admin Console Stores” are used for the web-based
admin console.
Handling certificates works the same for all stores.
By default Openfire can create self-signed certificates for you, and for a quick start
you should be fine with it.
The “Trust store” holds certificates of trusted root CAs like Comodo and others.
If you build your own CA as described in my e-book “My own Certificate Authority”
(https://www.amazon.com/own-Certificate-Authority-graphical-PRO-ebook/dp/B01N31I9PQ)
you must import your master root certificate here.
Click “Manage Store Contents” below the Trust store of the Admin Console Stores
and follow the “import form” link.
You can import server certificates from your own CA or bought ones into the Identity store. This
one holds your server certificates, in that case the one for the web interface.
At the moment we use self-signed certificates for this book. But I encourage you to at least
create your own CA and handle your certificates like a professional.
!! From now on use 9091 as port for the web interface only! If using a self-signed
certificate, your browser will ask for a certificate exception, then you should be in and
strongly encrypted.
Access the interface with your browser surfing to one of these possibilities:

If you run a system with a graphical desktop, you can access the web
interface browsing to
https://127.0.0.1:9091
If you run a command line operating system, as we have chosen with
FreeBSD, point your browser to
https://<YOUR IP ADDRESS>:9091
This way nobody can sniff the traffic, especially if you maintain your server over
Internet connections.
But it is wise never to trust any connection with regard to sniffing. So 9091 is your
friend even in LAN networks!
CREATE SSL CERTIFICATES FOR ALL STORES
Just to have everything finished, complete this task for all stores. Move to TLS/SSL
Certificates and repeat the above step for all stores. At least create self-signed certificates in
all Identity stores of the system. We definitely use them later and no
communication or traffic should be unencrypted!








THE SERVER TAB
I describe only the tabs needed for your basic setup to get you started with
Openfire. I encourage you to check all tabs to get familiar with Openfire.
SERVER MANAGER
SERVER INFORMATION
Shows you general information about your server, possible updates, memory
and ports.
SYSTEM PROPERTIES
Is a list of the system properties. Values for encrypted and sensitive fields are
hidden. Long property names and values are clipped. Hold your mouse over the
property name to see the full value or to see both the full name and value, click
the edit icon next to the property.
On this tab you would be able to change e.g. the port of the web interface and
other server related settings.

SERVER MANAGER OTHER TABS
There are other tabs to set Language and Time, check your cache, view logs and
check or access your database.
The Email Settings tab lets you define the mail server your Openfire server should
use. You really should set this according to your infrastructure.
SERVER SETTINGS
CLIENT CONNECTIONS
This tab is very important, because we want to make sure only encrypted
connections have access to our server. Move to the Client Connections tab
and click on the “Advanced configuration” link. It is very important that you select
“required” for the STARTTLS policy.
Tick “Allow peer certificates to be self-signed” if you work with self-signed certificates
and at least “Verify that the certificate is currently valid”.
As of 2017 the preferred encryption protocol is TLSv1.2 only.
Set the “Advanced configuration” of port 5223 accordingly.

SERVER TO SERVER SETTINGS


This tab controls how Openfire handles connections with other XMPP servers.
Jabber servers can also connect if enabled. A great way to communicate with
other people having their account on other XMPP or Jabber servers. Of course, you
are able to set up a local Openfire server in different locations of your company
too. Communication is done via encrypted Server to Server connections.
E.g. a user someone@anotherxmppserver.com wants to send a message to me
at karl@xmpp.ctseuro.com. The other server connects to xmpp.ctseuro.com and
sends the message to karl. Depending on the configuration, fully encrypted.
Make sure you open the advanced configuration and set up everything as needed.
Important is the STARTTLS policy. If possible set encryption to required. In that case
only servers that also use encryption are able to connect and no clear text connections
are established. Of course, this can deny some Jabber or XMPP servers access.
But do you really want to communicate unencrypted over the Internet, letting
everybody sniff what you are talking about?
The decision is yours, of course.
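The STARTTLS policy chosen in the Client Connections tab and in the Server to Server tab can be verified from the outside, because the policy shows up in the XMPP stream itself. The following script is an added example and not part of Openfire or of this guide: it opens a plain stream on port 5222 (or 5269 for server-to-server), reads the advertised stream features, reports whether the starttls feature carries the required marker, then upgrades to TLS insisting on at least TLSv1.2 and prints the negotiated version. The script name, the sample feature stanzas (built from the guide's example domain) and the need for a from attribute on server streams are this example's assumptions.

```python
"""Verify the STARTTLS policy and TLS version of an Openfire listener.

Added example for this guide (not Openfire code). It speaks just enough
XMPP (RFC 6120) to open a stream on the client port 5222 or the server
port 5269, read the <stream:features/> the server sends, and classify the
STARTTLS policy: "required" in the advanced configuration shows up as
<starttls><required/></starttls>, "optional" as a bare <starttls/>, and
"disabled" leaves it out. It then negotiates TLS (TLSv1.2 or better, the
guide's 2017 baseline) and reports the version and cipher.
"""
import socket
import ssl
import sys
import xml.etree.ElementTree as ET

NS_STREAMS = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
STREAM_NS = {5222: "jabber:client", 5269: "jabber:server"}


def starttls_policy(stream_head: bytes) -> str:
    """Classify a server's stream opening plus features: required/optional/none."""
    # The server only sends the opening <stream:stream> tag; close it so the
    # fragment is well-formed XML.
    root = ET.fromstring(stream_head + b"</stream:stream>")
    tls = root.find(f"{{{NS_STREAMS}}}features/{{{NS_TLS}}}starttls")
    if tls is None:
        return "none"
    return "required" if tls.find(f"{{{NS_TLS}}}required") is not None else "optional"


def check_listener(host, domain, port=5222, cafile=None, verify=True,
                   origin=None, timeout=5.0):
    """Open a plain stream, read the features, then upgrade to TLS."""
    # Assumption: server streams (5269) may need a from='yourdomain' attribute.
    from_attr = f" from='{origin}'" if origin else ""
    header = (f"<?xml version='1.0'?><stream:stream to='{domain}'{from_attr} "
              f"xmlns='{STREAM_NS[port]}' xmlns:stream='{NS_STREAMS}' version='1.0'>")
    result = {"port": port, "starttls": "none", "tls_version": None, "cipher": None}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(header.encode())
        buf = b""
        while b"</stream:features>" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("stream closed before features were sent")
            buf += chunk
        result["starttls"] = starttls_policy(buf)
        if result["starttls"] == "none":
            return result                       # this listener only speaks plain text
        sock.sendall(f"<starttls xmlns='{NS_TLS}'/>".encode())
        if b"<proceed" not in sock.recv(4096):
            raise ConnectionError("server refused STARTTLS")
        ctx = ssl.create_default_context(cafile=cafile)   # cafile: your own CA root
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        if not verify:                          # self-signed certificate, no CA file
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        tls = ctx.wrap_socket(sock, server_hostname=domain)
        result["tls_version"] = tls.version()
        result["cipher"] = tls.cipher()[0]
        tls.close()
    return result


def policy_ok(result: dict) -> bool:
    """True when plain text cannot be used and TLS 1.2 or newer was negotiated."""
    return result["starttls"] == "required" and result["tls_version"] in ("TLSv1.2", "TLSv1.3")


def _sample(features: str, ns: str = "jabber:client") -> bytes:
    """Constructed server stream opening, shaped like the one Openfire sends."""
    return (f"<?xml version='1.0' encoding='UTF-8'?>"
            f"<stream:stream xmlns:stream='{NS_STREAMS}' xmlns='{ns}' "
            f"from='xmpp.ctseuro.com' id='constructed' version='1.0'>"
            f"<stream:features>{features}</stream:features>").encode()


FEATURES_REQUIRED = _sample(f"<starttls xmlns='{NS_TLS}'><required/></starttls>")
FEATURES_OPTIONAL = _sample(f"<starttls xmlns='{NS_TLS}'/>", ns="jabber:server")
FEATURES_DISABLED = _sample("<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"
                            "<mechanism>PLAIN</mechanism></mechanisms>")

if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: xmpp_tls_check.py <host> [domain] [--insecure]")
    host = sys.argv[1]
    domain = sys.argv[2] if len(sys.argv) > 2 and not sys.argv[2].startswith("--") else host
    for port in (5222, 5269):
        try:
            res = check_listener(host, domain, port, verify="--insecure" not in sys.argv)
            print(port, res, "OK" if policy_ok(res) else "WEAK")
        except (OSError, ET.ParseError) as exc:
            print(port, "error:", exc)
```

Run it against your own server after changing the STARTTLS policy: with "required" both ports should print OK, with "optional" the result is WEAK even though TLS was negotiated, because a client could still have stayed in plain text. Pass cafile pointing at your own root certificate once you use your own CA; --insecure is only for the self-signed phase of the setup.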
REGISTRATION & LOGIN (REALLY CHECK THIS ONE)
The registration settings are something you really have to check in detail.
Here you set if foreigners are able to create an account on your server, which
should be enabled only if the server is running a publicly available XMPP service.
You decide if users can change their password and if anonymous login is allowed.
I am sure you want “Anonymous login” disabled.
Furthermore, you can allow/deny access by IP address.
You really should double check this one!
There are more tabs to check, especially “File Transfer Settings” to enable or
disable File Transfers, different Auditing settings, Content Filter, Email Listener.
Check out all tabs at least once before going online.
GATEWAYS
SETTINGS
You can enable “Message Events (XEP-0022) support enabled (old chat
notifications)” here.
TRANSPORT
Here you can allow different Gateways, e.g. jabber.org. Gateways are needed in
case of external connects.
ARCHIVING
ARCHIVE SETTINGS
This is another “must have checked” tab. Here you can enable or disable
archiving of the messages depending on your policy. I personally do not like
archiving messages, so my settings are as follows. But depending on
your policy this can change.
USER/GROUPS
USERS
We can create our first user now. Click “Create New Users” and fill out the fields.
Do not grant Administrator to normal users.
And our user shows up in User Summary. We have the first user ready for logging in.
GROUPS
You are able to create groups for your users. Different clients are able to show
users in groups to make using the messenger easier.
Add 2 or 3 users to be able to test your system.
You are now ready to set up the first client and start using Openfire.














CONFIGURE YOUR CLIENT
SETTING UP A DESKTOP CLIENT
To use the messaging server you should select a client from the XMPP client list
and install it on your desktop.
I use PSI, but e.g. Pidgin is a great selection too. But there are so many clients
and I encourage you to select your personal favorite.
Setup is very easy and nearly the same with all clients. Apart from different settings for
interface layout and features, the user connection setup is something like:






CONNECT AND TEST
Now your client should connect to your server. Add a client on another system
and try to chat between these to see how it works out. If file transfer is enabled try
sending files.
Check Sessions->Client Sessions that everything is encrypted:
TEST EXTERNAL CONNECTIONS
If tests are fine and in case you allow external connects, create a jabber.org
account on a public server from their list at jabber.org.
Set up this account on some client on one of your systems and try to message
between your jabber.org account and your local server.
Check Sessions->Server Sessions that the Server-to-Server connection is OK and
encrypted:
In case of problems consult Server->Logs for details.
MORE FEATURES

Openfire is a very complex software but the developers made setup very easy. I hope
my guide helped you to get your server up and running.
The intention of this e-book was to have a secure server with encrypted
communication without archiving the messages in a few steps. External
communication to talk to other XMPP users or jabber.org users was introduced
and set up too.
Other features like SIP voice and video chats, group chats and more were outside the
scope of this guide, which is meant as a basic setup guide. But I wanted you to be
aware of additional features.

ABOUT THE AUTHOR

Karl M. Joch
Find out more at
https://kmj.at/
Karl M. Joch is founder of CTS GMBH with more than 30 years experience in
national and international projects. He worked in over 15 countries.
IT Skills, especially with Open Source Solutions:
IT Infrastructure / Network
IT Security – Firewalls, Virus protection
Email Security, Appliances
Home Automation Solutions, MQTT, etc.
HA Solutions, Auto Failover
VPN Solutions
FreeBSD, Unix, Linux
Asterisk VOIP (Voice over IP)
Network Monitoring
Webhosting, E-Commerce Solutions
Virtualization
OTHER BOOKS BY (AUTHOR)

An always up-to-date list of my books can be found here:
https://kmj.at/buecher-und-e-books/
LINK LIST FOR THIS E-BOOK
OPENFIRE PROJECT PAGE
http://www.igniterealtime.org/projects/openfire/index.jsp
OPENFIRE DOWNLOAD PAGE
http://www.igniterealtime.org/downloads/
AUTHOR'S E-BOOK ABOUT SSL CERTIFICATES
https://www.amazon.com/own-Certificate-Authority-graphical-PRO-ebook/dp/B01N31I9PQ
DESCRIPTION OF THE XMPP PROTOCOL
https://en.wikipedia.org/wiki/XMPP
FREEBSD PROJECT PAGE
http://freebsd.org
XMPP / JABBER CLIENTS
The XMPP.org website has a huge list of clients available for different operating
systems at
http://xmpp.org/software/clients.html
I personally run PSI on Linux and Monal IM on iOS. Both work great for me, but
you can use any of the listed ones as long as you like the interface and the
features.
Tails Linux, the special one suggested by Edward Snowden, includes Pidgin for
example. I will describe this in my upcoming book about the Tor network and the
good sides of the Darknet.
The xmpp.org list while writing this book looked like this:

Name                            Platform(s)
Adium                           OSX
Apple Messages                  OSX
AQQ                             Windows
AstraChat                       Mobile (Android, iOS) / Linux / OSX / Windows
Beem                            Mobile (Android)
BitlBee                         Linux
BlueJabb                        Mobile (Android, Blackberry (BBOS), Nokia Symbian S40/S60 and Asha)
Boogie Chat                     Mobile (iOS)
Buddycloud                      Mobile / Web / Console
Candy                           Browser
ChatSecure                      Mobile (Android, iOS)
Coccinella                      Linux / OSX / Windows
Conversations                   Mobile (Android)
Converse.js                     Browser
Coversant SoapBox Communicator  Windows
eM Client                       Windows
Empathy                         Linux
Finch                           Console / Text-Mode
Gajim                           Linux / Windows
GNU Freetalk                    Console / Text-Mode
GreenJab                        IBM i
IM+                             Mobile
Instantbird                     Linux / OSX / Windows
irssi-xmpp                      Console / Text-Mode
jabber.el                       Linux
Jabbim                          Linux / OSX / Windows
JAJC                            Windows
Jappix                          Browser
Jitsi                           Linux / OSX / Windows
JSXC                            Browser
JWChat                          Browser
Kadu                            Linux / OSX / Windows
Kaiwa                           Browser
Kopete                          Linux
mcabber                         Console / Text-Mode
Miranda IM                      Windows
Miranda NG                      Windows
Monal IM                        Mobile (iOS)
Movim                           Browser
Mozilla Thunderbird             Linux / OSX / Windows
OneTeam for iPhone              Mobile (iOS)
OneTeam                         Linux / OSX / Windows
Pidgin                          Linux / OSX / Windows
Poezio                          Console / Text-Mode
Profanity                       Console / Text-Mode
Psi+                            Linux / OSX / Windows
Psi                             Linux / OSX / Windows
Quiet Internet Pager            Windows
qutIM                           Linux / OSX / Windows
Salut à Toi                     Linux / Console / Text-Mode / Browser
Sim-IM                          Linux
Spark                           Linux / OSX / Windows
SparkWeb                        Browser
Swift                           Linux / OSX / Windows
Talkonaut                       Mobile
Tigase Messenger                Browser
Tigase Minichat                 Browser
Tkabber                         Linux / OSX / Windows
Trillian                        Windows / OSX / Mobile / Browser
V&V Messenger                   Windows
Vayusphere                      Mobile (BlackBerry)
VSTalk                          Windows
WTW                             Windows
Xabber                          Mobile (Android)
xmpp-client                     Linux / OSX
xmppchat                        Browser
XMPPWebChat                     Browser
yaxim                           Mobile (Android)


CAN I ASK A FAVOUR?
If you enjoyed this book, found it useful or otherwise, then I’d really appreciate it if
you would post a short review at the shop where you bought it. I try to read all the
reviews personally and appreciate your post.
I do care who reads my books, so the server created for this book is up and
running. I would appreciate it if you send a message to
karl@xmpp.ctseuro.com
after your server is up and running.
Thank you very much for your support!
