SSL setup help

Hi,

I have been trying to setup SSL on Openfire using the guide from here - http://www.igniterealtime.org/builds/openfire/docs/latest/documentation/ssl-guide.html

As an initial test run, I used the default certificates which were provided upon installation and did not change the password to the keystore. I added the system properties as directed in step 7 and restarted the server.

However, after restarting, there was a red cross at the Server Information tab page beside the server name and mousing over that gave the following error:

“Unable to access certificate store. The keystore may be corrupt.”

As mentioned earlier, I did not change the default password, so the value for the property xmpp.socket.ssl.keypass was “changeit” and I left the value for the property xmpp.socket.ssl.keystore blank (so that it uses the default path).

Can someone help me figure out the problem?

Thanks.

I’ve had the same problems when using keytool to manually import certificates into the keystore. It seems to be better to not use keytool for anything dealing with the keystore as Openfire doesn’t seem to like it, even if you never change the password or anything else…

Let Openfire handle it internally; I myself had to revert to a backup of the keystore after I tried it, there was no way for it to be fixed in my case.

The only time I used the keytool was to import the cacerts into the truststore after getting them CA signed, and used the openfire admin interface to import the signed certificate into the keystore through the server certificates screen.

Hi,

Thanks for your reply. I actually did not use keytool to import certificates as I wanted to try a simple setup first, so I left everything as it is and only used keytool to view the certs in the keystore (is that enough to corrupt the keystore?).

Can you share with me the steps that you did to setup SSL, I just want to get it working as a first step.

Thanks

Just viewing the certificates should be fine. I’m a little puzzled about that one…

The steps to get basic SSL working for clients are very simple, really. If you go through the setup process for Openfire, it, by default, will create 2 self-signed certificates (one RSA and one DSA). You can view these certificates through Server > Server Settings > Server Certificates.

For TLS for clients on port 5222, this is all you have to do - you can check if clients use encryption in the session overview (small padlock).

Getting the old (deprecated) SSL method working usually requires getting a CA signed certificate; self-signed certificates may or may not work in that case.

What I did myself for this was to get registered at XMPP.net with my server, and use their interface to Startcom SSL to get a certificate created and issued to me. (meaning, I didn’t use the Openfire CSR creation method, but let Startcom generate the private key and CSR internally).

After getting my certificate issued, I made sure to import the Intermediate CA certificate (sub.class1.xmpp.ca.crt) and CA root certificate (ca.crt) into my truststore with keytool (root one first!):

keytool -import -v -trustcacerts -file ca.crt -alias xmpproot -keystore truststore

keytool -import -v -trustcacerts -file sub.class1.xmpp.ca.crt -alias xmppica -keystore truststore

After that was done, I went to the server certificates page in the admin console, and used the “import” link from there, pasting the private key (after decrypting it with openssl), typing my password, and pasting the certificate. After that, I removed the self-signed RSA certificate.

The result being that old style SSL (5223) works, and the admin console SSL properly encrypts to the CA signed certificate, so does the TLS on 5222. Unfortunately, server 2 server encryption doesn’t seem to work because of some problem with the certificate I got from xmpp.net in openfire.

Hope this helps!

Ok, thanks, I discovered the problem. It has to do with the values of the system properties that I added to Openfire not being set properly.

I left the properties xmpp.socket.ssl.storeType and xmpp.socket.ssl.keystore blank as according to the setup document Openfire would use the defaults. But it seems that that doesn’t work and I have to fill them in with proper values.

After setting the properties to “JKS” and “resources\security\keystore” respectively, the error no longer appears and the small padlock shows when I used Spark to connect as a test.

Theodore wrote:

Ok, thanks, I discovered the problem. It has to do with the values of the system properties that I added to Openfire not being set properly.

I left the properties xmpp.socket.ssl.storeType and xmpp.socket.ssl.keystore blank as according to the setup document Openfire would use the defaults. But it seems that that doesn’t work and I have to fill them in with proper values.

After setting the properties to “JKS” and “resources\security\keystore” respectively, the error no longer appears and the small padlock shows when I used Spark to connect as a test.

That is strange, those values aren’t set in my case and it works fine. Unless the properties were actually defined and blank; I think that might be a problem as it would try to use the empty values instead of defaults…
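The two closing posts disagree about whether leaving xmpp.socket.ssl.keystore and xmpp.socket.ssl.storeType blank is safe; the last reply's suspicion is that a property which exists but is empty is used literally instead of falling back to the default. The script below is an added example (not Openfire's code and not anything either poster ran) that makes that distinction explicit: it resolves the three properties named in the thread the way the last reply suspects Openfire does, warns on defined-but-blank values, and then checks whether the JDK's keytool can actually open the resulting keystore with the resulting password, which is the same condition behind the “Unable to access certificate store” error. It assumes the properties are handed over as a plain dict copied from the admin console, and it assumes the defaults stated in the thread (bundled keystore under resources/security, password "changeit", type JKS); the KNOWN_STORE_TYPES set is this example's own assumption.

```python
"""Check the Openfire SSL system properties discussed in the thread.

Added example, not Openfire's own code. Assumes a dict of
property name -> value as copied from the admin console's system
properties; names and defaults are the ones stated in the thread.
"""
import shutil
import subprocess

# Defaults as described in the thread (keystore path written Unix-style here;
# the poster used resources\security\keystore on Windows).
DEFAULTS = {
    "xmpp.socket.ssl.keystore": "resources/security/keystore",
    "xmpp.socket.ssl.keypass": "changeit",
    "xmpp.socket.ssl.storeType": "JKS",
}
# Store types this check accepts (assumption for this example, not from the thread).
KNOWN_STORE_TYPES = {"JKS", "PKCS12"}


def resolve(props):
    """Return (effective_values, warnings) for the three SSL properties.

    An absent property falls back to its default. A property that exists
    but is blank is NOT defaulted: the thread's last reply suspects that
    Openfire uses such a value literally, so we keep the blank and warn.
    """
    effective = {}
    warnings = []
    for name, default in DEFAULTS.items():
        if name not in props:
            effective[name] = default
            continue
        value = props[name]
        effective[name] = value
        if value.strip() == "":
            warnings.append(
                f"{name} is defined but blank; either delete the property "
                f"so the default applies or set it to {default!r}"
            )
    store_type = effective["xmpp.socket.ssl.storeType"]
    if store_type.strip() and store_type.upper() not in KNOWN_STORE_TYPES:
        warnings.append(f"xmpp.socket.ssl.storeType {store_type!r} is not a known store type")
    return effective, warnings


def keytool_list_command(keystore_path, password, store_type):
    """Build the keytool invocation that opens the store with the given
    password and type. If this fails, Openfire's 'Unable to access
    certificate store' error is to be expected as well."""
    return [
        "keytool", "-list", "-v",
        "-keystore", keystore_path,
        "-storepass", password,
        "-storetype", store_type,
    ]


def keystore_opens(keystore_path, password, store_type="JKS"):
    """True/False for whether keytool can open the store; None when keytool
    is not on PATH, in which case nothing could be verified."""
    if shutil.which("keytool") is None:
        return None
    result = subprocess.run(
        keytool_list_command(keystore_path, password, store_type),
        capture_output=True, text=True,
    )
    return result.returncode == 0


if __name__ == "__main__":
    # Constructed sample: the properties as the original poster first set them,
    # defined but left blank, the combination that produced the error.
    as_first_set = {
        "xmpp.socket.ssl.keypass": "changeit",
        "xmpp.socket.ssl.keystore": "",
        "xmpp.socket.ssl.storeType": "",
    }
    for w in resolve(as_first_set)[1]:
        print("WARN:", w)
    # After the fix reported in the thread: explicit values, no warnings.
    effective, warnings = resolve({
        "xmpp.socket.ssl.keypass": "changeit",
        "xmpp.socket.ssl.keystore": "resources/security/keystore",
        "xmpp.socket.ssl.storeType": "JKS",
    })
    print("effective:", effective, "warnings:", warnings)
    print("keystore opens:", keystore_opens(effective["xmpp.socket.ssl.keystore"],
                                            effective["xmpp.socket.ssl.keypass"],
                                            effective["xmpp.socket.ssl.storeType"]))
```

Run it from the Openfire home directory so the relative keystore path resolves; a False from keystore_opens() with the password you believe is correct means the store itself (or its type) is the problem, whereas warnings from resolve() with keystore_opens() True point at the blank-property issue the last reply describes.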