====== Openfire XMPP Server Setup ======
Openfire is not in the Debian repositories, but it is easy to install and configure because they provide an official ''.deb'' package. You can download the packages from [[https://www.igniterealtime.org/downloads/]].
After downloading the ''.deb'' package, install it with ''apt''. Openfire doesn't come with a JRE, sothe installer will also install the ''default-jre-headless'' package to run openfire.
# Download
curl -L -o openfire_4.6.2_all.deb \
"https://www.igniterealtime.org/downloadServlet?filename=openfire/openfire_4.6.2_all.deb"
# Install
apt install ./openfire_4.6.2_all.deb
# Confirm it's running
systemctl status openfire
# Verify it's listening on port 9090
netstat -ntlp # apt install net-tools
It will only be listening on port 9090 until you finish setting it up. Visit your host in a web-browser on port 9090. For example [[http://xmpp.devdungeon.com:9090]] and follow the setup wizard. If you want to use an external database like MySQL or [[databases:postgresql|PostgreSQL]], you'll have to set that up first.
After you run setup, restart to enable HTTPS on 9091 by default.
To disable HTTP and force HTTPS only, edit ''/etc/openfire/openfire.xml'' and set the ''9090'' port to ''-1''. The HTTPS port is ''9091'' by default. Restart the server.
To enable the [[https://www.igniterealtime.org/projects/openfire/plugins/1.3.8/restAPI/readme.html|REST API]], go to the admin web portal and to ''Plugins | Available Plugins'' and enable ''REST API''. Then go to ''Server | Server Settings | REST API'' and set to ''Enabled''.
To enable a web chat client ([[https://conversejs.org|Converse.js]]) enable the inVerse plugin. Then go to ''Web Clients'' in the main menu after enabling and it will give you the URL to use.
If you need to re-run setup to redo how you setup user profiles, edit ''/etc/openfire/openfire.xml'' and set the value for ''true'' to false and restart server.
If you need to recover access because you lost the admin password, edit ''/etc/openfire/openfire.xml'' and uncomment the line ''secretToken'' and restart. Provide a secret token, and then the web portal will have a special prompt waiting for that special token. After logging in with the secret token, you can reset the admin password. It will automatically delete that one time token from the config once consumed, so leave in a commented version for reference.
If you're setting up OpenLDAP, the user id might need to be changed from ''uid'' to ''cn'' and the group mapping might need to be changed from ''cn'' to ''ou''. When asked to provide an admin username, provide the simple username after LDAP mapping, e.g. ''nanodano''. There are some more docs at [[https://www.igniterealtime.org/projects/openfire/documentation.jsp]] including a [[https://download.igniterealtime.org/openfire/docs/latest/documentation/ldap-guide.html|dedicated LDAP]] guide there.
After finishing the setup through the web interface, you can login to the web portal using the admin you setup, and the server is ready for use. You'll also see a lot more stuff listening.
# Openfire will open many ports
netstat -ntlp
The landing page of the admin web portal will have a full list of all ports and what they are for.
Also refer to the section below about DNS Entries for more tips.
To turn on HTTP File uploads (PEP-0378) go to plugins and enable ''HTTP File Upload'' plugin.
To setup custom SSL certs, follow instructions at [[https://meetrix.io/blog/xmpp/openfire_ssl.html]]: Go to plugins and enable ''Certificate Manager''. Then go to Server -> TLS/SSL Settings and click 'Manage Store Contents' and click on the text 'imported here'. Then paste in the contents of your key and certificate files. If using LetsEncrypt.org/certbot, they'll be in somewhere like ''/etc/letsencrypt/live/example.com/''. The private key file is ''privkey.pem'' and the certificate file is ''cert.pem'' (or wait, ''fullchain.pem'' is better?). Click save. You can remove the self-signed cert afterwards.