Edition 2017/01
By
KARL M. JOCH
Copyright © 2017
Website: http://KMJ.at
The books and e-books page on my site:
https://kmj.at/buecher-und-e-books/
Exclusive distribution of this e-book by:
CTS GMBH
A-5020 Austria
Website: http://CTS.at
INTRODUCTION
In 1978 I started in the IT industry with IBM S3/15, Siemens BS2000 jumbos and
DEC PDP systems. At that time we did most of the coding in Assembler,
Cobol and other languages most people don’t know anymore.
As the market was growing I opened my own company, CTS GMBH
(https://CTS.at), in November 1985 to serve customers with IT services.
CTS GMBH has been successful for over 30 years and is a trusted partner for IT
services. Customers range from small companies to the European Top-500.
Working with Open Source Software started in the early 90’s of the last century,
building up knowledge which is not seen very often. Privacy and security have
always been a top priority for me.
General rule: “I don’t have anything to hide, but compared to a lot of people I do
care a lot who spies on me and collects data about me.”
I hope you enjoy reading my books and use the information to build solutions for a
stable, secure, monitored, scalable, easily maintainable and as far as possible
automated IT infrastructure.
*Note: I am a native German speaker and have done my best to make my English as error-free as possible. If you still find typos or
grammar errors, feel free to inform me at books@kmj.at.
TABLE OF CONTENTS
Introduction
Table of Contents
Legal Notes
Introduction to Openfire
SSL encrypted messaging
User/Groups
Users
Groups
More Features
About The Author
Other Books By (Author)
Link List for this e-book
Openfire project page
Openfire download page
Authors e-book about SSL Certificates
Description of the XMPP protocol
FreeBSD Project Page
XMPP / Jabber Clients
! If your firewall or router is running with NAT enabled you must forward the
described ports to the same ports of your Openfire server’s LAN IP address.
! If you are connected with a dynamic IP, running your Openfire server as a Tor
hidden service lets users access your server without NAT and port forwarding.
Learn more about the Tor network in my upcoming book about the Tor network and
the good sides of the Darknet.
DOWNLOAD & INSTALL OPENFIRE
DOWNLOAD THE SOFTWARE
You find the binary versions and the source tarballs at the project’s download page
http://www.igniterealtime.org/downloads/
Download the version for your operating system.
INSTALL AND START THE SOFTWARE
Run the installer as with other software on your system. Installing from source is
out of the scope of this guide.
If you are on Linux or FreeBSD your package manager should have a package for
Openfire available.
On Debian
apt-get update
apt-get install openfire
does the job. It should install the OpenJDK too.
We have chosen FreeBSD for our installation, so
pkg update
pkg install openfire
installs Openfire, OpenJDK and dependencies for us.
FreeBSD requires you to have
openfire_enable="YES"
in /etc/rc.conf for starting Openfire on system startup.
Run
service openfire start
to start Openfire the first time.
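The FreeBSD steps above as one script, added here as an example that is not part of the book: the rc.conf edit is made repeatable (FreeBSD’s own tool for this is `sysrc openfire_enable=YES`; the plain-sh function does the same and takes the file path as a parameter so it can be tried on a scratch copy), and after the start the script lists the sockets Openfire should have open. The port list (5222, 5223, 7777, 9090, 9091) is the one used in this book; `sockstat` is FreeBSD’s tool, on Linux `ss -ltn` gives the same information.

```shell
#!/bin/sh
# Added example, not from the book: make the FreeBSD rc.conf step repeatable and
# check that Openfire is actually listening afterwards. FreeBSD's own tool for the
# rc.conf edit is `sysrc openfire_enable=YES`; the plain-sh function below does the
# same thing and takes the file as a parameter so it can be tried on a scratch copy.

# enable_rc_var FILE NAME VALUE
# Sets NAME="VALUE" in FILE: an existing NAME= line is replaced (so the variable
# never appears twice, which would make the last one win silently), otherwise
# the line is appended.
enable_rc_var() {
    file=$1; name=$2; value=$3
    [ -f "$file" ] || : > "$file"
    if grep -q "^${name}=" "$file"; then
        tmp=$(mktemp) || return 1
        sed "s|^${name}=.*|${name}=\"${value}\"|" "$file" > "$tmp" && cat "$tmp" > "$file"
        rm -f "$tmp"
    else
        printf '%s="%s"\n' "$name" "$value" >> "$file"
    fi
}

# rc_var_value FILE NAME
# Prints the value of NAME as set in FILE (quotes stripped, last setting wins).
rc_var_value() {
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" "$1" | tail -n 1
}

# openfire_listeners
# Lists the sockets Openfire should have open after `service openfire start`:
# 5222/5223 client connections, 7777 file transfer proxy, 9090/9091 admin console.
# Uses FreeBSD's sockstat; on Linux use `ss -ltn` instead.
openfire_listeners() {
    sockstat -l -4 -6 | grep -E ':(5222|5223|7777|9090|9091)([^0-9]|$)'
}

# Real use, only when run as root on FreeBSD (the functions above are harmless
# to source on any other system):
if [ "$(uname -s)" = "FreeBSD" ] && [ "$(id -u)" = "0" ]; then
    enable_rc_var /etc/rc.conf openfire_enable YES
    service openfire start
    sleep 5                    # Openfire is a Java server; give it a moment
    openfire_listeners
fi
```

If a port is missing from the listener output, the usual reasons are that Openfire is still starting, that the port was changed under System Properties, or that the admin console setup has not been completed yet.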
! If you are using a firewall or NAT router at least port 5222, 5223 (SSL) and 7777
(for file transfers if required) must be forwarded to the Openfire server.
!! NOTE for Windows installs: The installer for Windows includes a JRE and
saves you from downloading and installing the appropriate JRE on your own. You
can install Openfire as a service using Openfire-service /install and
Openfire-service /uninstall. Openfire-service /start and Openfire-service /stop
are used to start and stop the service on Windows.
The basic setup of Openfire is done!
FIRST CONFIGURATION STEPS
CONNECT TO THE WEB INTERFACE
Openfire opens the admin web interface on port 9090. Access the interface by
pointing your browser to one of these addresses:
If you run a system with a graphical desktop, you can access the web
interface browsing to
http://127.0.0.1:9090
If you run a command line operating system, as we have chosen with
FreeBSD, point your browser to
http://<YOUR IP ADDRESS>:9090
FIRST TIME CONNECTING
If you are connecting the first time Openfire asks you a few simple questions
regarding your setup. This includes the language and some basic server settings.
I suggest you choose the embedded HSQLDB for your installation, but other
databases, including MySQL, can be used too.
We also want to keep user and password management within the Openfire server
and select the default option to store everything in the embedded database.
Most of the defaults should be fine for you.
Now we need to pick a domain name for our server.
!! You really should use a valid domain name here. The domain name is part of
your XMPP/Jabber account name.
The domain name must be DNS-resolvable in case you want to connect users
from different Openfire servers or if you allow other XMPP/Jabber users to
communicate with users on your server.
The example hostname for our server is
xmpp.ctseuro.com
and my username there is karl.
My full XMPP/Jabber Account name would be:
karl@xmpp.ctseuro.com
If we allow server-to-server connections, other XMPP or Jabber users can
message me at
karl@xmpp.ctseuro.com
!! This is an XMPP/Jabber address and not an e-mail address, even if it looks the
same.
Finally enter a secure password of your choice and you are ready to log in to
your Openfire server!
After logging in you should see the dashboard of your Openfire server and we
are ready to continue.
DETAILED SETUP OF OPENFIRE
PROTECT THE WEB INTERFACE WITH SSL
Before we continue we want to secure the web interface with SSL encryption so
we can access it with https:// and strong encryption.
Change to the TLS/SSL Certificates Tab
Openfire handles certificates within Certificate Stores. There are different stores
for different actions. These “Admin Console Stores” are used for the web-based
admin console.
Handling certificates works the same for all stores.
By default Openfire can create self signed certificates for you and for a quick start
you should be fine with it.
The “Trust store” holds certificates of trusted root CA’s like Comodo and others.
If you build your own CA as described in my e-book “My own Certificate Authority“
( https://www.amazon.com/own-Certificate-Authority-graphical-PRO-ebook/dp/B01N31I9PQ )
you must import your master root certificate here.
Click the “Manage Store Contents” below Trust store of Admin Console Stores
and follow the “import form” link to
At the moment we use self signed for this book. But I encourage you to at least
create your own CA and handle your certificates like a professional.
!! From now on use 9091 as the port for the web interface only! If using a self
signed certificate, your browser will ask for a certificate exception; then you
should be in and strongly encrypted.
Access the interface by pointing your browser to one of these addresses:
If you run a system with a graphical desktop, you can access the web
interface browsing to
https://127.0.0.1:9091
If you run a command line operating system, as we have chosen with
FreeBSD, point your browser to
https://<YOUR IP ADDRESS>:9091
This way nobody can sniff the traffic, especially if you maintain your server over
Internet connections.
But it’s wise to never trust any connection in regard to sniffing. So 9091 is your
friend even in LAN networks!
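A browser’s “certificate exception” is accepted once and then forgotten about, so with a self-signed admin console certificate you have no way of noticing if the certificate you see later is a different one. The script below is an added example, not from the book: it records the SHA-256 fingerprint of the certificate on port 9091 on the first run (trust on first use) and on every later run compares what the server presents against the recorded value. The host defaults to the book’s xmpp.ctseuro.com and the pin file path is my own choice; `openssl s_client` and `openssl x509` are assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the book: pin the admin console's self-signed
# certificate instead of blindly accepting a browser exception every time.
# Assumed: host xmpp.ctseuro.com on port 9091 (the book's example), a pin file
# under $HOME, and an openssl binary on the client machine.

# fetch_fingerprint HOST PORT
# Prints the SHA-256 fingerprint line of the certificate the server presents,
# e.g. "SHA256 Fingerprint=AB:CD:...", or nothing if no connection was possible.
fetch_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null
}

# check_pin PINFILE FINGERPRINT
# First run (empty or missing pin file): store the fingerprint.
# Later runs: compare. Returns 0 on first store or match, 1 on mismatch,
# 2 when no fingerprint was obtained (never pin an empty value).
check_pin() {
    pinfile=$1; fp=$2
    [ -n "$fp" ] || return 2
    if [ ! -s "$pinfile" ]; then
        printf '%s\n' "$fp" > "$pinfile"
        echo "pinned: $fp"
        return 0
    fi
    pinned=$(cat "$pinfile")
    if [ "$pinned" = "$fp" ]; then
        echo "ok: admin console certificate unchanged"
        return 0
    fi
    echo "MISMATCH: pinned $pinned" >&2
    echo "          got    $fp" >&2
    return 1
}

# Real use:  ./pin-check.sh --check [host]
if [ "${1:-}" = "--check" ]; then
    host=${2:-xmpp.ctseuro.com}
    check_pin "$HOME/.openfire-admin.pin" "$(fetch_fingerprint "$host" 9091)"
fi
```

A mismatch is expected exactly once, when you replace the self-signed certificate with one from your own CA; in that case delete the pin file and run the check again. Any other mismatch means you are not talking to the certificate you accepted and should be investigated before logging in.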
CREATE SSL CERTIFICATES FOR ALL STORES
Just to have everything finished, complete this task for all stores. Move to
TLS/SSL Certificates
and repeat the above step for all stores. At least create self signed certificates in
all Identity stores of the system. We definitely use them later and no
communication or traffic should be unencrypted!
THE SERVER TAB
I describe only the tabs needed for your basic setup to get you started with
Openfire. I encourage you to check all tabs to get familiar with Openfire.
SERVER MANAGER
SERVER INFORMATION
Shows you general information about your server, possible updates, memory
and ports.
SYSTEM PROPERTIES
Is a list of the system properties. Values for encrypted and sensitive fields are
hidden. Long property names and values are clipped. Hold your mouse over the
property name to see the full value or to see both the full name and value, click
the edit icon next to the property.
On this tab you would be able to change e.g. the port of the web interface and
other server related settings.
For the client connection port 5222, click on the “Advanced configuration” link.
It is very important that you select “required” as the STARTTLS policy.
Check “Allow peer certificates to be self-signed” if you work with self signed
certificates and at least “Verify that the certificate is currently valid”.
As of 2017 the preferred encryption protocol is TLSv1.2 only.
Set the “Advanced configuration” of port 5223 accordingly.
But depending on your policy this can change.
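Settings in the admin console are only half the story; what counts is what the server enforces on the wire. The script below is an added example, not from the book, and checks the three points just configured from a client machine: that the plain stream on 5222 advertises STARTTLS as required, that STARTTLS on 5222 and direct TLS on 5223 negotiate TLSv1.2, and that a handshake forced to an older protocol version does not complete. Host and XMPP domain default to the book’s xmpp.ctseuro.com; `nc -w` and `openssl s_client -starttls xmpp -xmpphost` (OpenSSL 1.1.0 or newer) are assumed. The same `negotiated_protocol` call with `-starttls xmpp-server` can be pointed at the server-to-server port once external connections are enabled.

```shell
#!/bin/sh
# Added example, not from the book: verify the STARTTLS policy and TLS version
# from outside. Assumed: host/domain xmpp.ctseuro.com (the book's example),
# nc with -w, and OpenSSL >= 1.1.0 for `-starttls xmpp` / `-xmpphost`.

# features_require_starttls   (reads the server's stream opening from stdin)
# Succeeds if <stream:features> marks STARTTLS as <required/>, which is what
# the "required" policy in the admin console produces.
features_require_starttls() {
    grep -q "<starttls[^>]*>[[:space:]]*<required/>"
}

# tls_protocol_from_output   (reads `openssl s_client` output from stdin)
# Prints the negotiated protocol, e.g. TLSv1.2, or nothing if no session was set up.
tls_protocol_from_output() {
    sed -n 's/^ *Protocol *: *\([^ ]*\).*/\1/p' | head -n 1
}

# stream_features HOST DOMAIN
# Opens a plain XMPP stream and prints what the server answers before TLS.
# Only the stream header with the domain name is sent, nothing secret.
stream_features() {
    printf "<?xml version='1.0'?><stream:stream to='%s' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>" "$2" \
        | nc -w 3 "$1" 5222
}

# negotiated_protocol HOST PORT [extra s_client options...]
# Runs a TLS handshake and prints the protocol version that was negotiated.
negotiated_protocol() {
    host=$1; port=$2; shift 2
    openssl s_client -connect "$host:$port" "$@" </dev/null 2>/dev/null \
        | tls_protocol_from_output
}

# Real use:  ./xmpp-tls-check.sh --run [host] [domain]
if [ "${1:-}" = "--run" ]; then
    host=${2:-xmpp.ctseuro.com}; domain=${3:-$host}
    if stream_features "$host" "$domain" | features_require_starttls; then
        echo "5222: STARTTLS is required"
    else
        echo "5222: STARTTLS is NOT required (policy is optional or disabled)"
    fi
    echo "5222 STARTTLS:   $(negotiated_protocol "$host" 5222 -starttls xmpp -xmpphost "$domain")"
    echo "5223 direct TLS: $(negotiated_protocol "$host" 5223 -servername "$host")"
    # Forcing TLSv1.0: an empty result means the handshake did not complete.
    # Caveat: a modern OpenSSL may refuse TLSv1.0 itself, which makes this
    # probe inconclusive rather than a proof of the server's settings.
    if [ -z "$(negotiated_protocol "$host" 5223 -tls1)" ]; then
        echo "5223: TLSv1.0 handshake did not complete"
    else
        echo "5223: TLSv1.0 still accepted, tighten the Advanced configuration"
    fi
fi
```

Expect "STARTTLS is required" and TLSv1.2 on both ports; anything else means the Advanced configuration was not saved or a different port was configured under System Properties.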
USER/GROUPS
USERS
We can create our first user now. Click “Create New Users” and fill out the fields.
Do not grant Administrator to normal users.
CONNECT AND TEST
Now your client should connect to your server. Add a client on another system
and try to chat between the two to see how it works out. If file transfer is
enabled try sending files.
Check Sessions->Client Sessions that everything is encrypted:
TEST EXTERNAL CONNECTIONS
If the tests are fine and in case you allow external connections, create a
jabber.org account on a public server from the list at jabber.org.
Set up this account on some client on one of your systems and try to message
between your jabber.org account and your local server.
Check Sessions->Server Sessions that the Server-to-Server connection is ok and
encrypted:
In case of problems consult Server->Logs for details.
MORE FEATURES
Openfire is a very complex software, but the developers made setup very easy. I
hope my guide helped you to get your server up and running.
The intention of this e-book was to have a secure server with encrypted
communication, without archiving the messages, in a few steps. External
communication to talk to other XMPP users or jabber.org users was introduced
and set up too.
Other features like SIP voice and video chats, group chats and more were out of
the scope of this guide, which is meant as a basic setup guide. But I wanted you
to be aware of the additional features.
ABOUT THE AUTHOR
Karl M. Joch
Find out more at
https://kmj.at/
Karl M. Joch is the founder of CTS GMBH with more than 30 years of experience in
national and international projects. He has worked in over 15 countries.
IT skills, especially with Open Source Solutions:
IT Infrastructure / Network
IT Security – Firewalls, Virus protection
Email Security, Appliances
Home Automation Solutions, MQTT, etc.
HA Solutions, Auto Failover
VPN Solutions
FreeBSD, Unix, Linux
Asterisk VOIP (Voice over IP)
Network Monitoring
Webhosting, E-Commerce Solutions
Virtualization
OTHER BOOKS BY (AUTHOR)
An always up-to-date list of my books can be found here:
https://kmj.at/buecher-und-e-books/
LINK LIST FOR THIS E-BOOK
OPENFIRE PROJECT PAGE
http://www.igniterealtime.org/projects/openfire/index.jsp
OPENFIRE DOWNLOAD PAGE
http://www.igniterealtime.org/downloads/
AUTHORS E-BOOK ABOUT SSL CERTIFICATES
https://www.amazon.com/own-Certificate-Authority-graphical-PRO-ebook/dp/B01N31I9PQ
DESCRIPTION OF THE XMPP PROTOCOL
https://en.wikipedia.org/wiki/XMPP
FREEBSD PROJECT PAGE
http://freebsd.org
XMPP / JABBER CLIENTS
The XMPP.org Website has a huge list of clients available for different operating
systems at
http://xmpp.org/software/clients.html
I personally run PSI on Linux and Monal IM on iOS. Both work great for me, but
you can use any of the listed ones as long as you like the interface and the
features.
Tails Linux, the special one suggested by Edward Snowden, includes Pidgin for
example. I will describe this in my upcoming book about the Tor network and the
good sides of the Darknet.
The xmpp.org list while writing this book looked like this:
Name                            Platform(s)
Adium                           OSX
AQQ                             Windows
BitlBee                         Linux
Candy                           Browser
Converse.js                     Browser
Coversant SoapBox Communicator  Windows
eM Client                       Windows
Empathy                         Linux
GreenJab                        IBM i
IM+                             Mobile
jabber.el                       Linux
JAJC                            Windows
Jappix                          Browser
JSXC                            Browser
JWChat                          Browser
Kaiwa                           Browser
Kopete                          Linux
Miranda IM                      Windows
Miranda NG                      Windows
Movim                           Browser
Sim-IM                          Linux
SparkWeb                        Browser
Talkonaut                       Mobile
VSTalk                          Windows
WTW                             Windows
xmppchat                        Browser
XMPPWebChat                     Browser
CAN I ASK A FAVOUR?
If you enjoyed this book, found it useful or otherwise, then I’d really appreciate it if
you would post a short review at the shop where you bought it. I try to read all the
reviews personally and appreciate your post.
I do care who reads my books, so the server created for this book is up and
running. I would appreciate it if you send a message to
karl@xmpp.ctseuro.com
after your server is up and running.
Thank you very much for your support!