Openfire is a real time collaboration (RTC) server supporting XMPP (Jabber) and WebRTC.
2018-03-02 New versions Openfire 4.2.2 / app-openfire 1.2.5
yum --enablerepo=clearos-contribs-testing install app-openfire
yum --enablerepo=clearos-contribs-testing upgrade openfire app-openfire
Openfire can be installed with the following command on a ClearOS 7.2 box:
1)yum --enablerepo=clearos-contribs-testing install app-openfire
2) Go to "System / Accounts / Users' in the menu to:
- Create some users (make sure the "Openfire User" is enabled in App policies for the user you create)
3) Go to "Server / Communication and Collaboration / Openfire' in the menu to:
- Click "Install and Initialize Built-in Directory" (Grab a coffee, this will take several minutes)
- Click "Configure security Certificates" (TODO: Document what happens when Lets encrypt is enabled : http://wikisuite.org/How-to-install-Let-s-Encrypt-SSL-certificates-on-ClearOS)
- Select the admin user
- Set the XMPP domain
- Set the Openfire hostname from one of the available SSL certificates on the system.
4) Follow the link and log in to Openfire
ClearOS integration includes:
- ClearOS Openfire app
- Openfire
- Plugins: Fastpath, Openfire meetings
- System database provisioning
- LDAP integration
- focus user (openfire-focus) for Openfire meetings
- Letsencrypt
To Install Openfire 4.x on ClearOS 7.x within the WikiSuite environment follow the next steps.
1.- Install a fresh ClearOS Server, be sure to run the latest Software updates to the core system
2.- Make sure the clearos-epel repository is enabled
3- Include in the installation of:
a. The Web Server
How to set domain name on ClearOS
1.-Login to your ClearOS via SSH using root
2.-Install the Openfire RPM
Type:
yum --enablerepo=clearos-contribs-testing install app-openfire
Go to "Server / Communication and Collaboration / Openfire' in the menu (https://yourserver.wikisuite.org:81/app/openfire):
1.-Click "Install and Initialize Built-in Directory" (Grab a coffee, this will take several minutes)
1.-Initialize your OpenLDAP service through the Webconfig-Open LDAP Directory Server Module (https://yourserver.wikisuite.org:81/app/openldap_directory).
2.-On the Directory Server Settings page set the server mode and Base Domain (https://yourserver.wikisuite.org:81/app/openldap_directory/settings/edit)
3.-On the Directory Server Policies page set the Publish Policy and Accounts access according to your requirements (https://yourserver.wikisuite.org:81/app/openldap_directory/policies/edit)
4.-Don't forget to create one or two users as they will be used in the Openfire configuration phase. Use: (https://yourserver.wikisuite.org:81/app/users/add)
Go to "Server / Communication and Collaboration / Openfire' in the menu (https://yourserver.wikisuite.org:81/app/openfire):
- Click "Configure security Certificates" to use a self-signed certificate.
- (TODO: Document what happens when Letsencrypt is enabled : http://wikisuite.org/How-to-install-Let-s-Encrypt-SSL-certificates-on-ClearOS)
The openfire app will take care of opening the following ports:
Port | TCP/UDP | Access Control | Application | Description |
5222 | TCP | Public | Openfire | The standard port for clients to connect to the server. |
5223 | TCP | Public | Openfire | Legacy SSL/TLS port for clients to connect to the server. |
7443 | TCP | Public | Openfire | The port used for secured HTTP client connections. |
9091 | TCP | Administrative | Openfire | The port used for secured (HTTPS) Admin Console access. |
However, you will probably want to open more than those. ClearOS's Firewall should configured to block all ports, and open the following:
Port | TCP/UDP | Access Control | Application | Description |
22 | TPC | Administrative | SSH | Terminal access |
25 | TCP | Public | OFMeet | SMTP: For emails for Openfire Meeting Planner |
80 | TCP | Public | (generic) | Web server (HTTP) |
81 | TCP | Administrative | ClearOS | Webconfig |
143 | TCP | Public | OFMeet | IMAP: For emails for Openfire Meeting Planner |
443 | TCP | Public | (generic) | Web server (HTTPS) |
587 | TCP | Public | OFMeet | SMTP For emails for Openfire Meeting Planner if you use Gmail |
993 | TCP | Public | OFMeet | IMAPS For emails for Openfire Meeting Planner |
4443 | TCP | Public | OFMeet | RTP over TCP for Jitsi Videobridge |
5000 | TCP | Public | OFMeet | Media proxy for video conference |
5222 | TCP | Public | Openfire | The standard port for clients to connect to the server. On this port plain-text connections are established, which, depending on configurable security settings, can (or must) be upgraded to encrypted connections. |
5223 | TCP | Public | Openfire | The port used for clients to connect to the server using the old SSL/TLS method. Connections established on this port are established using a pre-encrypted connection. This type of connectivity is commonly referred to as the "old-style" or "legacy" method of establishing encrypted connections. Configuration details can be modified in the security settings. |
5269 | TCP | Public | Openfire | The port used for remote servers to connect to this server. Connections established on this port are established using a pre-encrypted connection. This type of connectivity is commonly referred to as the "old-style" or "legacy" method of establishing encrypted connections. Configuration details can be modified in the security settings. |
7070 | TCP | Public | Openfire | The port used for unsecured HTTP client connections. |
7443 | TCP | Public | Openfire | The port used for secured HTTP client connections. |
8843 | (unknown) | Public | OFMeet | WOOT realtime collaborative editing |
9090 | TCP | Administrative | Openfire | The port used for unsecured (HTTP) Admin Console access. |
9091 | TCP | Administrative | Openfire | The port used for secured (HTTPS) Admin Console access. |
50000-60000 | UDP | Public | OFMeet | Media proxy for video conference |
Notes:
WARNING: 2018-03-12: In openfire 4.2.2, plugins don't upgrade properly: apparently fixed in 4.2.3 (https://issues.igniterealtime.org/browse/OF-1464), which isn't released as of this writing
1.- Use a web browser to connect to the admin console. The default port for the web-based Initial setup admin console is 9090. Initial setup and administration can be done from a remote computer using LAN IP address instead or hostname if it is resolvable by the remote computer. i.e. (https://yourserver.wikisuite.org:9090). Source: http://www.igniterealtime.org/builds/openfire/docs/latest/documentation/install-guide.html
The openfire clearos app will have already installed and done basic setup of the following plugins:
1.- For security, Openfire Meetings Plugin creates an user focus. You need to create this user focus in ClearOS (https://yourserver.wikisuite.org:81/app/users). Then , go back in Openfire Meeting plugin tab, click on Setting in left menu and Security section for change the password for same that a ClearOS User's Focus.
Source: http://www.igniterealtime.org/projects/openfire/plugins/ofmeet/readme.html
1.- Once the plugin has been successfully installed, the Fastpath tab should be available, click on it to configure Workgroups (https://yourserver.wikisuite.org:9091/plugins/fastpath/workgroup-summary.jsp)
Notes:
1.- Login to your Openfire Admin Console with a administrator user.
2.- Click on the Plugins Tab to manage Plugins
3.- Click on the available plugins link and scroll down to find the plugin you want
4.- Click on then ¨+¨ to add the plugin to the Openfire server
Currently, the openfire clearos app only allows adding one admin user. As of this writing (2017-03-14), it will even clobber all other admins except the newly selected one if you change it.
To add more admins, you need to go into the openfire admin interface, and in
Server / Server Manager / System Properties edit property "admin.authorizedJIDs". It takes a coma-separated list of fully qualified openfire users.
To add more admin users,
To get a transparent authentication between ConverseJS and Openfire, we need
to configure Tiki and install the TikiToken plugin (https://github.com/fabiomontefuscolo/openfire-tikitoken/) in OpenFire.
1 - The Tiki Token plugin is now shipping as an optional plugin in Openfire 4.1.5 Just activate as you would for any Openfire plugin. (You may also find more recent snapshots at Download the latest tikitoken.jar at https://github.com/fabiomontefuscolo/openfire-tikitoken/releases)
2 - Go to server properties page at http://yourserver.wikisuite.org:9090/server-properties.jsp
and setup a new property with name org.tiki.tikitoken.baseUrl and property
value will be your tiki base url, let's suppose http://tiki.wikisuite.org.
3 - Configure Tiki to talk to OpenFire. Go to community page on admin panels (RTC page on Tiki 19+), select the XMPP tab,
and:
4 - Still on Tiki, go to "Admin Modules" panel (http://tiki.wikisuite.org/tiki-admin_modules.php);
5 - Click on "All modules" tab;
6 - On field Filter type xmpp;
7 - Drag the result to bottom of page, in the closest gray bordered box;
8 - Just save the popup will appear;
9 - Refresh the page to see the box at the bottom of the page;
Going to https://yourserver.demo.wikisuite.org/webmail to access to Roundcube, then login with your username and password.
https://example.org:81/app/smtp
https://example.org:81/app/imap
Edit the email setting in a server manager tab like on an image:
https://example.org:9091/system-email.jsp
Edit the email listener in a Meeting tab like on an image:
https://example.org:9091/plugins/ofmeet/ofmeet-email-listener.jsp
1.-There is no ClearOS group for the Openfire admins. Instead: Server -> Server Manager -> System Properties -> admin.authorizedJIDs
Edit server properties (https://yourserver.wikisuite.org:9091/server-properties.jsp)
2.- Find the admin.authorizedJIDs property, edit it and add comma separated full JIDs. In our specific case user at example.org. "Click on Save Property"
3.- Openfire needs a restart, Login to your ClearOS via SSH using root and type:
service openfire restart
As of Openfire 3.2 certificate management can be performed from the Admin Console. (And in 4.0, code has been revamped)
Once the setup process is completed Openfire will create self-signed certificates for the assigned Openfire's domain. Most users should either get the created certificates signed by a Certificate Authority or replace the created certificates with your own certificates. Source: http://www.igniterealtime.org/builds/openfire/docs/latest/documentation/ssl-guide.html
As ClearOS also manages SSL certificates, they can co-exist independently as their storage files are different and independent. i.e. Openfire generated certificates will only be used within Openfire applications.
In some contexts, (corporate environments, captive portals in Internet cafes, etc.), some ports can be blocked. Thus, if you want to get rid of port number, you can put the following apache configuration (Apache 2.4+ so you need ClearOS 7.x):
ProxyPass /ofmeet/ http://localhost:7070/ofmeet/ ProxyPassReverse /ofmeet/ http://localhost:7070/ofmeet/ ProxyPass /ofmeetws/ wss://localhost:7070/ofmeetws/ ProxyPassReverse /ofmeetws/ wss://localhost:7070/ofmeetws/
Then going to "create new room" on left menu.
Then fill out the appropriate fields (Minimum Room ID, Room Name and Description). Finish with click on save changes button.
Go on https://example.org:7443/ofmeet/candy.html
then login with your account access.
With https://example.org:7443/ofmeet/ (from which you can pick a room)
with Spark in a login session, click on "Action" tab then a "joint a chatroom" option. In a new pop up, double-click in a list on a right chatroom.
with Jitsi in a login session, click on "File" tab then a "joint a chatroom" option. In a new pop up, select a right account and write a chatroom name.
This requires users install an app on their desktop (Windows / GNU/Linux / MacOSX) and to have the Openfire plugin for Chrome plugin.
Specially when using any RedHat 7 based distribution, Java shiped in RPM has not all the required symbols. You must do this workaround.
yum install java-1.7.0-openjdk java-1.7.0-openjdk-devel cd /opt/openfire mv jre jre.1 ln -s /usr/lib/jvm/java/jre/ jre
https://github.com/igniterealtime/Pade
Server: example.org:7443
Domain: example.org
Openfire stores it's configuration in the database. On ClearOS, that is the system database.
Getting into the ClearOS system database can be a little confusing the first time. ClearOS typically runs two database servers. You will need the system database root password, and to connect to a non-default socket. Here is how:
cat /var/clearos/system_database/reports mysql -u root openfire -p --socket /var/lib/system-mysql/mysql.sock
You can then edit the openfire configuration, which is stored in the ofProperty table. (SELECT * FROM `ofProperty`)
One change you are likely to want to make during debugging is to enable ldap debugging
INSERT INTO `openfire`.`ofProperty` (`name`, `propValue`, `encrypted`) VALUES ('log.debug.enabled', 'true', NULL); exit service openfire restart tail -f /var/log/openfire/debug.log
Useful references:
* http://download.igniterealtime.org/openfire/docs/latest/documentation/ldap-guide.html" class="wiki wikinew text-danger tips">Openfire LDAP guide
* https://www.clearos.com/resources/documentation/clearos/content:en_us:kb_troubleshooting_re-initialize_openldap_directory" class="wiki wikinew text-danger tips">ClearOS: Re-initialize your LDAP directory
The problem is most likely that your base domain changed.
OpenLdap on base ClearOs creates domains of the form:
dc=system,dc=lan
Unfortunately, if you install the clear os directory app AFTER openfire, your base domain is likely to change. It's going to be:
If "Base Domain" is your.domain.name,
your base DN will be:
dc=your,dc=domain,dc=name
Openfire will not update it's configuration automatically. You'll have to update the following ofProperty in openfire's database
* ldap.baseDN (as is)
* ldap.searchFilter (modify the value in the parenthesis as appropriate)
This should work:
ldapsearch -x -h localhost -b 'dc=your,dc=domain,dc=name' 'uid=your_openfire_admin_user'
If the above does not return your user, logging into the openfire admin console will NOT work.
This may help diagnose:
ldapsearch -x -h localhost
Should list all users. If you don't see yours, something is really wrong with your ldap configuration.