На офсайте OpenFire нашел мануал по настройке s2s:
Assumptions: You have a home network (intranet) behind a firewall. A openfire server is set up in this network. You also have access to a pc, that is connected to the internet.
Install your openfire server. Configure your server for s2s connections:
* The server name of the openfire (Server/Server Manager/Server Settings) has to be a name, that can be resolved by DNS (e.g. homebase.dyndns.org) * Check the Server to Server Port (Server/Server Manager/Server Settings). It should be 5269 * The xmpp.domain (Server/Server Manager/System properties) has to be a DNS resolveable name * Allow server to server connections by enabling the service (Server/Server Settings/Server to Server) * Allow anyone to connect. Ensure that you are not blocking any server * Check the Security Settings (Server/Server Manager/Security Setting). For Jabber.org you have to set the Server Connection Security to «optional» (as of 19.04.2007) * Switch on the debug log (Server/Server Manager/Logs-> Debug Tab)
Get a user at your Openfire server e.g. email@example.com.
Get a user at jabber.org by using your client e.g. firstname.lastname@example.org
Ensure IM connectivity to both servers from a client connected to your home network. Test logon, chat etc..
NOTE: The servers will try to establish a connection with each other on port 5269. This requires that this port is open on the firewall of your network. Also, the servers will try to resolve each others name by DNS. Hence you have to ensure, that both servers can be resolved by DNS. The request send from your server to jabber.org will be in the debug log. It looks somewhat like this (for add contact from Spark): <presence id=«aeAgv-42» to=«email@example.com» type=«subscribe» from=«firstname.lastname@example.org»/>. A failure of the DNS resolution for jabber.org or myserver.dyndns.org will make the s2s impossible.
Ensure connectivity on port 5269. Get a Telnet client on your PC (Windows users may use DTELNET from http://dtelnet.sourceforge.net) and install it (if necessary) on your notebook and the internal network client. Open a telnet session to your internal server on port 5269. You will get something like </stream:stream>. If not, there is an error (maybe a firewall?). Open a telnet session at jabber.org. Your should also get a statement containing </stream:stream>. This has to be done for an internal client and for a client connected to the internet. If successful, you know that jabber.org can resolve your server (e.g. myserver.dyndns.org) and connect to port 5269 and that your network can connect to jabber.org on port 5269.
Establish a server to server connection via myserver. Logon with myhomeuser to myserver via spark. Add the jabber.org contact to your rooster by entering the contact with a domain e.g. email@example.com. The server should establish a session. This can be checked in (Sessions/Server Sessions) and the logs.
Problem: The server names can not be DNS resolved. Resolution: Enter your server names in the DNS Servers of your intranet. Enter the server names in the file hosts of your operating system. Use dyndns.org or similar services, if you want to provide the chat service to others.
Problem: Port 5269 connectivity is missing. Resolution: Change the settings of your firewall. Make sure, that you control all firewalls (e.g. the WinXP internal firewall and the one of your DSL router).
Problem: Still no connection to Jabber.org. The security setting should be set to Optional.
Problem: Checked everything and still not working? Go to sleep and check again the next day. Use the logs and keep on trying.
Problem: The server is not accepting parameter changes. Don't just start/stop the server, stop it and quit Openfire.
Establish secure server to server communication
The methods above should also apply, if you set up several servers within your intranet. To establish a secure communication between servers, you do have to set the Server Connection Security (Server/Server Manager/Security Setting) to «Required». You have to check that TLS is enabled for s2s. The value of the property xmpp.server.tls.enabled (within Server/Server Manager/System properties) has to be «true». Also, if you are using self signed server certificats, you should ad a system property " xmpp.server.certificate.verify" and set it to «false». A properly working encrypted s2s session is shown with a lock in the server session view.
Please note the following articles regarding the use of signed certificates:
http://www.igniterealtime.org/community/docs/DOC-1243 http://www.igniterealtime.org/builds/openfire/docs/latest/documentation/ssl-guid e.html http://www.igniterealtime.org/community/docs/DOC-1552 http://www.igniterealtime.org/community/message/174498
A signature by a public Certificate Authority seems to be mandatory for secured connections to public servers because the acceptance depends on the ability of the public server to verify your certificate.
Это все хорошо. Но вот только юзеры не добавляются. Т.е. они в списке они появляются, но «не в сети» и с добавкой «Pending».
Это типа запроса авторизации что ли? Но запросов то не поступает.