Enabling SSL for Openfire chat server
Complete the following steps to enable a secure sockets layer (SSL) for the Openfire chat server that runs with Smart IT.
To configure SSL for Openfire
- Obtain a valid certificate for the Openfire host name (FQDN), signed by a trusted certificate authority (CA). The certificate can be in any common format, such as .pem, .cer, or .crt.
- Import the certificate provided by the CA. If Openfire is installed in a cluster, repeat these steps on every Openfire node.
a. Import the CA-signed server certificate (together with its root and intermediate certificates) and the matching private key into the Openfire keystore, located by default in <Openfire_installation_directory>/resources/security/keystore.
b. Import the Smart IT server certificate into the Openfire truststore, located by default in <Openfire_installation_directory>/resources/security/truststore. If a client truststore exists (<Openfire_installation_directory>/resources/security/client.truststore), import the Smart IT certificate there as well.
Notes
If Openfire is installed on the same server as Smart IT, the keystore and truststore are located under the Smart IT installation folder.
If you have specified a truststore file in the Apache Tomcat server.xml file, you must also import the root and intermediate certificates into that truststore.
Tip
You can use one of the following methods to import the certificates:
- (Recommended) By using a keystore tool with a graphical interface, such as KeyStore Explorer:
a. Download and install KeyStore Explorer from http://www.keystore-explorer.org/downloads.php.
b. Open the keystore or truststore and choose Tools > Import Trusted Certificate to import a CA or Smart IT certificate. For the server certificate and its private key, use Tools > Import Key Pair.
- By using the Java keytool command line:
Example (keystore import): <JAVA_HOME>\bin\keytool -import -keystore keystore -alias example.com -file signed_certificate_file
Example (truststore import): <JAVA_HOME>\bin\keytool -import -keystore truststore -alias user_name -file certificate_file
Note: For a truststore import, make sure that the alias is not already in use, or keytool reports that the alias already exists. For the keystore import of the CA-signed certificate, use the alias of the existing private-key entry, so that keytool installs the certificate as the reply for that key.
- Import the Openfire root certificate into the cacerts store of the JRE that Smart IT uses for the mutual TLS handshake: <JRE_installation_directory>/lib/security/cacerts.
Note
This must be the same JRE that Apache Tomcat uses.
- Change the following settings in the Centralized Configuration (CCS):
chat.server.cm.host = <Fully qualified domain name (FQDN)>
chat.server.client.port = 5222
chat.server.admin.login =
chat.server.admin.password =
chat.server.groupChatService = conference
chat.server.admin.pool.size = 6
chat.server.boshUrl = https://<Fully qualified domain name (FQDN)>:<port>/http-bind/
chat.server.domain = <Fully qualified domain name (FQDN)>
Example:
chat.server.cm.host = ofchat-vm.calbro.com
chat.server.client.port = 5222
chat.server.admin.login = admin
chat.server.admin.password = fdNSxb1XU5a%2F184s3OkhcA%3D%3D
chat.server.groupChatService = conference
chat.server.admin.pool.size = 6
chat.server.boshUrl = https://ofchat-vm.calbro.com:7443/http-bind/
chat.server.domain = ofchat-vm.calbro.com
Tip
To locate the port number for chat.server.boshUrl, from the Openfire Admin Console, go to Server > Server Settings > HTTP Binding.
- From the Openfire Admin Console, go to Server > Server Manager > System Properties.
- Change the provider.auth.authResource property to https://<Smart_IT_host>:<Smart_IT_port>/smartit/rest/users/chat/.
Example: https://smartit-vm2.calbro.com:8443/smartit/rest/users/chat/
- Restart the Openfire service.
If the Openfire service or its TLS listeners do not start, look for errors in the Openfire logs to confirm that the certificate imports were correct.
- Restart the Smart IT service.
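The certificate import steps above (Openfire keystore, truststore, client.truststore and the JRE cacerts), followed by a post-restart connection check, as an added example that is not part of this page and is not BMC's or Openfire's own tooling. It assumes Openfire's shipped default store password changeit, hypothetical installation paths in OPENFIRE_HOME and JRE_HOME, and the alias names openfire, smartit and openfire-root. Unlike the single keytool commands in the tip above, it carries the private key in a PKCS#12 bundle (keytool cannot import a bare key file) and refuses to import under an alias that already exists, which is the error the note warns about.

```shell
#!/bin/sh
# Added example for this page, not BMC's or Openfire's own script.
# Assumptions (hypothetical, adjust for your site): the paths below, the store
# password "changeit" (Openfire's shipped default) and the alias names.
set -u

OPENFIRE_HOME="${OPENFIRE_HOME:-/opt/openfire}"
JRE_HOME="${JRE_HOME:-/usr/lib/jvm/jre}"
STOREPASS="${STOREPASS:-changeit}"

# True when the store already holds an entry under this alias. A store file that
# does not exist yet counts as "no such alias" (keytool -list fails on it).
has_alias() {   # store alias
    keytool -list -keystore "$1" -storepass "$STOREPASS" -alias "$2" >/dev/null 2>&1
}

# Entry type keytool reports for an alias: "PrivateKeyEntry" or "trustedCertEntry".
entry_type() {  # store alias
    keytool -list -keystore "$1" -storepass "$STOREPASS" -alias "$2" 2>/dev/null |
        grep -oE 'PrivateKeyEntry|trustedCertEntry' | head -n 1
}

# Step 2a: bundle the CA-signed certificate, its chain and the private key as
# PKCS#12, then move that single entry into the Openfire keystore.
import_server_identity() {   # keystore signed_cert private_key chain_pem alias
    if has_alias "$1" "$5"; then
        echo "alias '$5' already exists in $1; remove it first with keytool -delete" >&2
        return 1
    fi
    p12=$(mktemp) || return 1
    openssl pkcs12 -export -in "$2" -inkey "$3" -certfile "$4" -name "$5" \
        -passout "pass:$STOREPASS" -out "$p12" || { rm -f "$p12"; return 1; }
    keytool -importkeystore -noprompt \
        -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$STOREPASS" \
        -srcalias "$5" -destalias "$5" \
        -destkeystore "$1" -deststorepass "$STOREPASS" -destkeypass "$STOREPASS"
    rc=$?
    rm -f "$p12"
    return $rc
}

# Step 2b and step 3: add a certificate as a trusted entry (Openfire truststore,
# client.truststore, or the JRE cacerts). Refuses to reuse an alias.
import_trusted_cert() {   # store cert_file alias
    if has_alias "$1" "$3"; then
        echo "alias '$3' already exists in $1; remove it first with keytool -delete" >&2
        return 1
    fi
    keytool -importcert -noprompt -keystore "$1" -storepass "$STOREPASS" \
        -alias "$3" -file "$2"
}

# After the Openfire restart: confirm the chain served on the XMPP client port
# (STARTTLS) or the BOSH HTTPS port verifies against the CA bundle (PEM).
check_tls_endpoint() {   # host port ca_pem [xmpp_domain]
    if [ $# -ge 4 ]; then
        openssl s_client -connect "$1:$2" -starttls xmpp -xmpphost "$4" \
            -CAfile "$3" </dev/null 2>/dev/null | grep 'Verify return code'
    else
        openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" \
            </dev/null 2>/dev/null | grep 'Verify return code'
    fi
}

# Usage: sh openfire-tls.sh install openfire.crt openfire.key ca-chain.pem smartit.crt openfire-root.crt
if [ "${1:-}" = "install" ]; then
    [ $# -eq 6 ] || { echo "usage: $0 install cert key chain smartit_cert openfire_root" >&2; exit 2; }
    SEC="$OPENFIRE_HOME/resources/security"
    import_server_identity "$SEC/keystore" "$2" "$3" "$4" openfire
    import_trusted_cert "$SEC/truststore" "$5" smartit
    if [ -f "$SEC/client.truststore" ]; then
        import_trusted_cert "$SEC/client.truststore" "$5" smartit
    fi
    import_trusted_cert "$JRE_HOME/lib/security/cacerts" "$6" openfire-root
    echo "imports done; restart Openfire, then run check_tls_endpoint against ports 5222 and the BOSH port"
fi
```

Run check_tls_endpoint only after the Openfire restart; a "Verify return code: 0 (ok)" on both the client port and the BOSH port means the served chain matches what Smart IT will trust. If Openfire holds its keystore as JKS, recent keytool versions may print a warning about migrating to PKCS#12; that warning is harmless here.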