This documentation supports the 1.4 version of Remedy with Smart IT.

To view the latest version, select the version from the Product version menu.

Enabling SSL for Openfire chat server

Complete the following steps to enable a secure sockets layer (SSL) for the Openfire chat server that runs with BMC Remedy with Smart IT (Smart IT).

To configure SSL for Openfire

  1. Obtain a valid, signed certificate from a trusted certificate authority (CA). The certificate can be in any format, such as .pem, .cer, or .crt.
  2. Import the certificate provided by the CA. Do these steps for all Openfire nodes, if installed in a cluster.
    1. Import the signed root certificate and private key to the Openfire keystore, located by default in <Openfire_installation_directory>/resources/security/keystore.
    2. Import the Smart IT server certificate to the Openfire truststore, located by default in <Openfire_installation_directory>/resources/security/truststore. Also import the Smart IT certificate to the client.truststore, if available (<Openfire_installation_directory>/resources/security/client.truststore). This step is required for the SSL handshake between Openfire and Smart IT that is used for mutual authentication.


      If Openfire is installed on the same server as Smart IT, the keystore and truststore are located under the Smart IT installation folder.

      If you have specified a truststore file in the Apache server.xml file, you must import the root and intermediate certificates there.


      You can use one of the following methods to import the certificate:

        • (Recommended) By using a keytool, such as KeyStore Explorer:
          a. Download and install KeyStore Explorer from
          b. Choose Tools > Import Trust Certificate to import the certificate to the keystore and truststore.
        • By using the OpenSSL command line:
          Example (keystore import): <JAVA_HOME>\bin\keytool -import -keystore keystore -alias -file signed_certificate_file
          Example (trustore import): <JAVA_HOME>\bin\keytool -import -keystore truststore -alias user_name -file certificate_file

          Note: Make sure that the alias does not already have an associated key, or you will receive an error.
  3. Import the the Openfire root certificate to the installed JRE location used by Smart IT for the mutual handshake: <JRE_installation_directory>/lib/security/cacerts.


    This should be the same JRE that Apache Tomcat uses.
  4. Change the following statements in the file in Tomcat/external-conf/: = <Fully qualified domain name (FQDN)>
    chat.server.client.port = 5222
    chat.server.admin.login = 
    chat.server.admin.password = 
    chat.server.groupChatService = conference
    chat.server.admin.pool.size = 6
    chat.server.boshUrl = https://<Fully qualified domain name (FQDN)>:<port>/http-bind/
    chat.server.domain = <Fully qualified domain name (FQDN)>

    Example: =
    chat.server.client.port = 5222
    chat.server.admin.login = admin
    chat.server.admin.password = fdNSxb1XU5a%2F184s3OkhcA%3D%3D
    chat.server.groupChatService = conference
    chat.server.admin.pool.size = 6
    chat.server.boshUrl =
    chat.server.domain =


    To locate the port number for chat.server.boshUrl, from the Openfire Admin Console, go to Server > Server Settings > HTTP Binding:

  5. From the Openfire Admin Console, go to Server > Server Manager > System Properties.
  6. Change the provider.auth.authResource property to https://<Smart_IT_host>:<Smart_IT_port>/ux/rest/users/chat/.
  7. Restart the Openfire service.
    If the Openfire or SSL services do not start, look for errors in the Openfire logs to confirm that the certificate imports were correct.
  8. Restart the Smart IT service.

Related topics

Configuring SSL for the Tomcat server

This version of the documentation is no longer supported. However, the documentation is available for your convenience. You will not be able to leave comments.


  1. Shawn Pierson

    This documentation is invalid.  Here are a few things that stand out to me:

    1. The directory name is "resources" not "resource" in steps 1 and 2.
    2. There is no actual command given to run for steps 1, 2, 3.
    3. I don't understand why the certificates are being split into two files instead of just in the keystore like you normally do with Tomcat.
    4. The password for the keystore isn't listed anywhere.
    5. There is no discussion of where to get the certificates needed or what format they must be in.  I have already imported my certificates for Tomcat for Smart IT, you should provide instructions on how to use those exact certificates here.


    Feb 29, 2016 09:42
    1. Catherine Siderine

      Thanks for letting us know about these issues, Shawn. We are in the process of updating this topic.



      Mar 03, 2016 06:15
    1. Catherine Siderine

      Hi Shawn,

      I have made numerous updates to this topic:

      1. Corrected the directory name.
      2. Provided "Tip" about how to import certificates (see step 2)
      3. Certificates go into both the keystore and truststore for mutual handshake/authentication.
      4. You can obtain the keystore default password from the Openfire online documentation. The admin might have changed it.
      5. See step 1 for info about the type of certificate to use. I will follow up on the second part of your question.




      Mar 23, 2016 12:17