In this episode, I wanted to talk about setting up the Openfire XMPP server on CentOS. Let's say, for example, that you want to improve internal communication around the office. You might want to try an internal XMPP server, because it allows you to quickly chat with colleagues via instant messages. XMPP was originally named Jabber, and you might remember Jabber because it was extremely popular in the late 90s and used for instant messaging, similar to MSN Messenger. Okay, now that you know a little about XMPP, let's start the install.
In this demo, as a starting point I’m going to use a minimal version of CentOS 6.4 64-bit. I’m just going to cat the /etc/redhat-release file so that you can see the version I’m working with.
Before we install the openfire XMPP server, we need to satisfy a couple of requirements.
With a default CentOS release, iptables will be running, so we will open up a couple of holes in the firewall to allow XMPP traffic between the clients and our new server. Just to verify the firewall is active, I like to run “iptables -L -n”, which lists the current ruleset. If you are not running iptables, then you can skip this step.
iptables -L -n
We are going to add two additional firewall rules. We do this by opening /etc/sysconfig/iptables in our editor.
I’m just going to copy the line which allows incoming ssh connections and modify it to suit our needs. First, change the destination port to 5222; this allows the XMPP traffic between the clients and the server. Next, we will allow traffic to port 9090; this gives access to the administration console, which we will use to configure the openfire server. So, now that we have our two rules, let's go ahead and save the file.
You can run “iptables-restore < /etc/sysconfig/iptables”, which will feed in our new ruleset. Let's just run “service iptables reload” to refresh the rules. Now we can verify the changes took place by running “iptables -L -n” again. As you can see, our new rules are active.
iptables-restore < /etc/sysconfig/iptables
service iptables reload
iptables -L -n
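The manual edit above is easy to get wrong on a real host: a rule appended below the final REJECT line is never reached. As an added example (not from the episode), this shell script clones the SSH rule for ports 5222 and 9090 into a copy of /etc/sysconfig/iptables, placing each new rule right after the SSH rule, and offers two helpers to check the ordering; the sample rules file and the function names are my own construction.

```shell
set -e

# Constructed stand-in for a stock CentOS 6 /etc/sysconfig/iptables (not a real host's file).
make_sample_rules() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# add_xmpp_rules FILE PORT...: clone the SSH rule for each port, placing it right after
# the SSH rule so it sits above the catch-all REJECT (a rule appended after REJECT is
# never reached). Ports that already have an ACCEPT rule are skipped, so re-runs are safe.
add_xmpp_rules() {
    file=$1; shift
    for port in "$@"; do
        if grep -q -- "--dport $port -j ACCEPT" "$file"; then
            continue
        fi
        awk -v rule="-A INPUT -m state --state NEW -m tcp -p tcp --dport $port -j ACCEPT" \
            '{ print } /--dport 22 -j ACCEPT/ { print rule }' "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    done
}

# rule_line FILE PORT: line number of the ACCEPT rule for PORT (empty if absent).
rule_line() {
    grep -n -- "--dport $2 -j ACCEPT" "$1" | cut -d: -f1 | head -n 1
}

# reject_line FILE: line number of the INPUT chain's catch-all REJECT.
reject_line() {
    grep -n -- "^-A INPUT -j REJECT" "$1" | cut -d: -f1 | head -n 1
}
```

After running it against a copy of the real file, diff the copy against the original before you install it and reload iptables.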
Next, we will install and configure mysql-server. This step is not required, as you will see later, but I wanted to review it just in case you are interested.
First, run “yum install mysql-server”; we will use MySQL to store login data, amongst other things. Once you have mysql-server installed, we need to start it by running “service mysqld start”. If you are doing this for the first time, a bunch of output will be displayed; the bulk of it relates to setting a password for the root mysql account.
yum install mysql-server
service mysqld start
Let's go ahead and set this password. I’ll start by copying this line and entering a random string of numbers and letters.
/usr/bin/mysqladmin -u root password 'a4a6cb8b60695d718a902afaba4c2765'
Let's go ahead and log in to mysql using the root account and our new password. We are going to create a new database called openfire and configure a new account that can access it. This database will be used by the XMPP server. Let's get started by running:
CREATE DATABASE `openfire`;
CREATE USER 'openfire'@'localhost' IDENTIFIED BY 'e1930b4927e6b6d92d120c7c1bba3421';
The next couple of lines grant permissions to the openfire user on the openfire database. It’s nice to create role accounts, rather than running this under the root account, simply because you can lock down access if required without disrupting other applications.
GRANT USAGE ON *.* TO 'openfire'@'localhost' IDENTIFIED BY 'e1930b4927e6b6d92d120c7c1bba3421' WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES ON `openfire`.* TO 'openfire'@'localhost';
Then we will flush the privileges to the database and log out.
I always like to verify that a service is listening on the ports I expect. You can do this by running “netstat -nap|grep LIST”. You can see that we have the mysql and ssh daemons running. The 0.0.0.0 means they are listening on all available IPv4 addresses.
netstat -nap|grep LIST
If I know that this mysql server is not going to need external access, I like to modify the my.cnf file to disable remote access. This is just a little security measure to help prevent accidentally exposing your database to the internet.
Let's open up the /etc/my.cnf file. We are going to add a bind-address entry pointing at localhost. Let's just restart mysqld to pick up our change. Next, let's run “netstat -nap|grep LIST” to verify our change. As you can see, mysql is now only listening on localhost:3306, so the change worked.
vi /etc/my.cnf # add "bind-address = 127.0.0.1"
service mysqld restart
netstat -nap|grep LIST
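Two things go wrong with this step in practice: the bind-address line ends up under [mysqld_safe] instead of [mysqld], where mysqld ignores it, and nobody re-checks netstat afterwards. As an added example (not from the episode), this shell script puts bind-address into the [mysqld] section of a copy of my.cnf and then scans “netstat -nap|grep LIST” output for any listener on a port that is still bound to all interfaces; the sample my.cnf, the sample netstat lines and the function names are my own construction.

```shell
set -e

# Constructed stand-in for a stock CentOS 6 /etc/my.cnf (not copied from a real host).
make_sample_mycnf() {
    cat > "$1" <<'EOF'
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
user=mysql

[mysqld_safe]
log-error=/var/log/mysqld.log
EOF
}

# set_bind_address FILE ADDR: put bind-address in the [mysqld] section, replacing
# any previous value there. A bind-address placed under [mysqld_safe] is ignored.
set_bind_address() {
    awk -v addr="$2" '
        /^\[/ { section = $0 }
        section == "[mysqld]" && /^bind-address[ \t]*=/ { next }
        { print }
        /^\[mysqld\]$/ { print "bind-address = " addr }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# bind_address_in_mysqld FILE: print the bind-address that [mysqld] actually sets.
bind_address_in_mysqld() {
    awk '/^\[/ { section = $0 }
         section == "[mysqld]" && /^bind-address[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); print }' "$1"
}

# Constructed "netstat -nap|grep LIST" output; $1 is the address mysqld is bound to.
sample_netstat() {
    printf '%s\n' \
      "tcp   0   0 $1:3306    0.0.0.0:*   LISTEN   1234/mysqld" \
      "tcp   0   0 0.0.0.0:22   0.0.0.0:*   LISTEN   1100/sshd" \
      "tcp   0   0 :::9090    :::*   LISTEN   1500/java"
}

# exposed_listeners PORT: read netstat output on stdin and print each LISTEN socket
# on PORT that is bound to every interface (0.0.0.0 for IPv4, :: for IPv6).
exposed_listeners() {
    awk -v port="$1" '$6 == "LISTEN" && $4 ~ (":" port "$") && $4 ~ /^(0\.0\.0\.0|::):/ { print $4 }'
}
```

On a live host, pipe the real “netstat -nap|grep LIST” output into exposed_listeners 3306 after the restart; an empty result is what you want.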
One last thing before we install the openfire XMPP server. If you are running a 64-bit system, like me, then you will need to install the glibc.i686 package. It contains some required 32-bit libraries that are not installed by default on a 64-bit machine and which openfire needs to operate.
yum install glibc.i686
Okay, we are now done with the prep work, so let's get on to installing the openfire XMPP server.
Let's head over to the openfire website; see the episode notes below for the link. As you can see, openfire is a real-time collaboration server which uses the XMPP protocol, also referred to as Jabber. I chose openfire because of its great admin interface, because it's easy to install and configure, and because it has over 5 million downloads and seems very stable.
Let's head over to the download page.
You can see that the openfire server supports Windows, Linux, and Mac, but today we are going to download the Linux rpm package, since we are using CentOS. I’m just going to copy this URL and use wget from the terminal to download the package.
Once you have the openfire rpm package downloaded, go ahead and install it by running rpm -ivh and then the package name.
rpm -ivh openfire-3.8.2-1.i386.rpm
I always like to run “rpm --query --list” and then the package name. This will tell us what files were installed with this package. Since the output can be quite large, we’ll pipe the output to less to make it easier to navigate.
rpm --query --list openfire-3.8.2-1.i386 | less
So, you can see there is an init script, a sysconfig file, likely for run-time configuration settings, and it looks like the bulk of the openfire application was installed into /opt/openfire. Let's just scroll down and see if anything else is of interest. Here you can see openfire comes with its own version of a Java runtime environment. Okay, that's about it.
Let's start openfire by running “service openfire start” and see what happens. You can also run “service openfire status” to see its current state. Yup, it says it’s running. Let's verify by running “netstat -nap|grep LIST” again. Okay, so we see mysql, ssh, and something listening on port 9090; this is the openfire administration interface.
service openfire start
service openfire status
netstat -nap|grep LIST
Let's go ahead and open up a browser, point it at localhost:9090, and see what happens. Great, we are presented with the openfire administration interface. This is basically a wizard that helps us configure the server.
First, we are asked to select our language.
Next, you are asked to configure the domain. This will be the fully qualified domain name for your openfire server, for example jabber.example.com. I’m going to use localhost since this is just a demo.
Next, you are asked to configure a database. You can use the embedded database, which allows you to use openfire without mysql or anything else and can be great if you do not have a high number of users, but since we installed mysql let's choose “standard database connection”.
Down here we will pick mysql. Then these fields will be populated with some default values which we can edit. We are going to modify the hostname to be localhost, this is the machine you have mysql installed on, then update the database name field. We will use openfire, since that is the database we created earlier. Down here we will enter the openfire username and password we created in mysql earlier in the episode.
On the next page, you are asked what type of authentication mechanism you would like to use. Say, for example, that your company has an existing LDAP directory; you could use that for authentication. We’re just going to use the default option, which stores the data in mysql.
Next, we are prompted to enter the admin credentials for managing this server, things like email and password. Okay, let's hit continue to save our configuration.
Great, it says setup is complete, so let's log in to the admin console with the username admin and the password we specified earlier.
The default page will give you a little information about the openfire server and what ports it is listening on. You might remember that we opened holes in the firewall for ports 5222 and 9090. The rest of the ports you do not really need to worry about, but you can review them to add additional functionality.
Let's jump over to the “server settings” page. Here there are many pages where we can configure the openfire server settings. We can also change any of the settings we defined during the setup. One of these pages is the “registration and login” page. The default settings allow users to automatically create accounts and to log in anonymously.
Let's flip over to my desktop, where I’ve installed Pidgin, an open-source communications client which supports many protocols, XMPP being one of them. Let's go and add a new account on our openfire server. I did this by clicking Accounts > Manage Accounts, then clicking Add. Select your protocol, in our case XMPP. Enter a username and the domain (this is the fully qualified domain name of your openfire server, in my case localhost), then choose a password. Then down here select the “Create this new account on the server” checkbox and click Add.
Here we are asked if we would like to accept the server's SSL certificate. I trust this server since we just created it, so click accept. You can modify the SSL certificates via the openfire admin interface, say for example if you wanted to add one you have purchased.
Now we are asked to fill in the “new account” details, things like your username, full name, email, and password. Cool, looks like we created the account on the server! I usually check this “enabled” checkbox so that my account will automatically connect when I start Pidgin, but you can configure this as you like. We are prompted for our password to connect. Okay, looks like we are on; it’s pretty lonely since we are the only user though!
Let's jump back to the openfire admin interface and see if anything changed.
Under the “Users/Groups” tab, you can see a new user called justin, and the little green icon shows that I’m online. You can also jump over to the “Sessions” tab to see all currently connected users, both anonymous and those who have created accounts.
Alright, that about wraps this demo up. One thing that I usually do is make sure openfire and mysql are started on boot. I do this by running “chkconfig”, the service name, and “on”. Then I’ll reboot the machine to make sure everything comes up as expected.
chkconfig mysqld on
chkconfig openfire on
reboot
I should mention that if you are looking for XMPP clients, you can check out jabber.org, where they have a listing of some very popular ones for Windows, Linux, and Mac. I’ve included the link in the episode notes below.