Openfire Logo

Installation Guide

Introduction

Openfire is a powerful instant messaging (IM) and chat server that implements the XMPP protocol. This document will guide you through installing Openfire. For a full list of features and more information, please visit the Openfire website: https://www.igniterealtime.org/projects/openfire/

Note: Openfire installers do not contain a bundled Java runtime (JRE). Therefore, you must have a JDK or JRE installed on your system. Openfire 4.3 (also 4.2 and older versions) requires Java 8. Starting with 4.4 version Openfire also supports Java 11. Openfire 4.8 and later require Java 11 and no longer run with older versions of Java. Openfire 4.10 requires Java 17. You can check your java version by typing java -version at the command line.

To complete the installation of Openfire, you'll need to perform each of the following steps:

This document also includes information on:

Installation

Windows

Select Openfire installer that is better suiting you (x86 or x64). Run the installer. The application will be installed to C:\Program Files\Openfire by default.

Note: On Windows systems we suggest using a service to run Openfire (read the Windows Service section below). When using Openfire Launcher on Windows Vista or newer with UAC protection enabled, it has to be run with Run as administrator option, to be able to write changes to config and embedded database (if used) stored in C:\Program files\Openfire\ folder. If Openfire is running via the launcher without the 'Run as administrator' option from Program files, it can't get proper permissions to write changes. It shows errors (in red) when running the launcher and during the setup will require the current password for the administrator account (although this is a new installation. Normally it doesn't ask for it). This is an effect of missing permissions and Openfire not being able to initialize the database and other resources.

Since 4.1.5 Openfire installs and runs the service automatically (also opens the browser and loads the web setup page). The launcher (if one wants to use it) is also made to run in elevated mode, so one don't need to run it as administrator manually. But you shouldn't use the launcher, if the service is running. Because this will create a conflict.

Linux

Choose one of the provided installers (x86 or x64, rpm, deb or tar.gz).

If using rpm, run it using your package manager to install Openfire to /opt/openfire:

rpm -ivh openfire_X_Y_Z.rpm

If using deb, run it to install Openfire to /usr/share/openfire:

dpkg -i openfire_X_Y_Z.deb

If using the tar.gz, extract the archive to /opt or /usr/bin:

tar -xzvf openfire_X_Y_Z.tar.gz
mv openfire /opt

macOS

Install Openfire using dmg installer. This should install Openfire into /usr/local/openfire. Then you can run it via cmd or with the launcher.

Setup Overview

Files in the Distribution

The files in your distribution should be as follows (some subdirectories omitted for brevity):

Openfire distribution directory layout
openfire/
 |- readme.html
 |- license.html
 |- conf/
 |- bin/
 |- jre/
 |- lib/
 |- plugins/
 |    |- admin/
 |- resources/
 |    |-database/
 |    |-security/
 |- documentation/
  • The conf directory is where Openfire stores configuration files.
  • The bin directory contains the server executables. Depending on which distribution you installed, different executables will be available.
  • The jre directory contains a Java runtime that is bundled with the Windows and RPM versions of Openfire.
  • The lib directory contains libraries necessary for running Openfire.
  • The plugins directory contains server plugins. By default, Openfire ships with a web-based admin console plugin and a search plugin.
  • The resources/database directory contains SQL schema files to create new Openfire databases, as well as upgrade scripts for existing installations.
  • The resources/security directory is where Openfire maintains keystores to support SSL connection security.
  • The documentation directory contains server documentation.

Setup the Database

Openfire can store its data in an embedded database or you can choose to use an external database such as MySQL or Oracle. If you would like to use an external database, you must prepare it before proceeding with installation. View the database setup documentation for more information.

Setup the Server

A web-based, "wizard" driven setup and configuration tool is built into Openfire. Simply launch Openfire (platform-specific instructions below) and use a web browser to connect to the admin console. The default port for the web-based admin console is 9090. If you are on the same machine as Openfire, the following URL will usually work: http://127.0.0.1:9090. Windows Server administrators might need to add the http://127.0.0.1 address to browser's Trusted Sites list, if Enhanced Security Configuration is enabled, to prevent getting a blank screen.

As a security measure, the Openfire administration console is by default, only accessible from the server itself ("localhost"). Openfire can be reconfigured to also allow this to become accessible from a remote computer using LAN IP address instead or hostname if it is resolvable by the remote computer. To do so, modify the openfire.xml configuration file, and remove the line that holds the interface definition (or adjust it to an appropriate interface definition).

Admin console interface definition snippet of openfire.xml
<jive>
  <adminConsole>
    <!-- Disable either port by setting the value to -1 -->
    <port>9090</port>
    <securePort>9091</securePort>
    <interface>127.0.0.1</interface>
  </adminConsole>

After initial setup has been performed, access lists based on IP addresses and ranges can be configured for fine-grained control of access to the Admin Console. This configuration can be found on the page called "Admin Console Access" (under the "Server" / "Server Manager" tab).

Autosetup

As an alternative to the web-based "wizard" driven setup described above, Openfire can be configured by provisioning it with a specially crafted openfire.xml file.

If <setup>true<>/setup> does not exist in openfire.xml (i.e. setup is not complete), and a block does exist called <autosetup> with a <run>true</run> property inside it, that looks like this:

Example autosetup configuration in openfire.xml
<autosetup>
        <run>true</run>
        <locale>en</locale>
        <xmpp>
            <domain>localhost</domain>
            <fqdn>localhost</fqdn>
            <auth>
                <anonymous>true</anonymous>
            </auth>
            <socket>
                <ssl>
                    <active>true</active>
                </ssl>
            </socket>
        </xmpp>
        <encryption>
            <algorithm>AES</algorithm>
            <key>some-key</key>
        </encryption>
        <database>
            <mode>standard</mode>
            <defaultProvider>
                <driver>org.postgresql.Driver</driver>
                <serverURL>jdbc:postgresql://localhost:5432/a-database</serverURL>
                <username>a-database</username>
                <password>a-password</password>
                <minConnections>5</minConnections>
                <maxConnections>25</maxConnections>
                <connectionTimeout>1.0</connectionTimeout>
            </defaultProvider>
        </database>
        <admin>
            <email>admin@example.com</email>
        <password>admin</password>
        </admin>
        <authprovider>
            <mode>default</mode>
        </authprovider>
        <users>
            <user1> <!-- Use incremental numbers for more users, eg: user2, user3 -->
                <username>jane</username> <!-- Required -->
                <password>secret</password> <!-- Required -->
                <name>Jane Doe</name>
                <email>user1@example.org</email>
                <roster>
                    <item1> <!-- Use incremental numbers for more items, eg: item2, item3 -->
                        <jid>john@example.com</jid>
                        <nickname>John</nickname>
                    </item1>
                </roster>
            </user1>
        </users>
    </autosetup>

Then setup will be run on first launch, and the <autosetup/> section will be deleted from openfire.xml

Note that autosetup provides fewer options to setup Openfire as compared to using the setup wizard.

Admin Console

After completing the above steps, Openfire will be configured through, and you can use the web-based admin console to administer the server. The URL should be the same as you used to setup the server unless you changed the port during the setup.


Running Openfire on Windows

Since 4.1.5 version Openfire automatically installs and runs the service (and opens the browser with the web setup page). But you can also use the launcher, if you need to (service has to be stopped before running the launcher). If you used the Openfire installer, a shortcut for starting the graphical launcher is provided in your Start Menu. Otherwise, run openfire.exe in the bin/ directory of your Openfire installation. A button on the launcher allows you to automatically open your web browser to the correct URL to finish setting up the server: http://127.0.0.1:9090

Windows Service

Windows Service
Windows Service commands in a console windows.

As of 4.1.5 Openfire installs the service automatically. But if you are using older version or want to reinstall the service, you can use the openfire-service.exe executable in the bin directory of the installation to install or uninstall the service.

From a console window, you can run the following commands:

openfire-service /install
installs the service.
openfire-service /uninstall
uninstalls the service.
openfire-service /start
starts the service
openfire-service /stop
stops the service.

You can also use the Services tool in the Windows Control Panel to start and stop the service.

Note: the graphical launcher is not compatible with the Windows service. If you install the service, you should use service controls as described above to control the server rather than the graphical launcher.

Upgrading Note: you should stop Openfire service before running the installer to upgrade to the newer version. Starting with 4.1.5 version Openfire will automatically stop and reinstall the service when upgrading with the installer.

Custom Parameters

Advanced users may wish to pass in parameters to the Java virtual machine (VM) to customize the runtime environment of Openfire. You can do this by creating a openfire.vmoptions file in the bin/ directory of your Openfire installation. For the Windows service, you'd create a new text file called openfire-service.vmoptions.

Each parameter to the VM should be on a new line of the file. For example, to set the minimum heap size to 512 MB and max VM heap size to 1024 MB, you'd use:

-Xms512m
-Xmx1024m

To create parameters for the normal launcher, create a file called openfired.vmoptions (since the openfire.exe launcher invokes the openfired.exe executable to actually start the server).

Running Openfire in Linux/Unix

If you are running on a Red Hat or Red Hat like system (CentOS, Fedora, etc.), we recommend using the RPM distributable, as it contains some custom handling of the standard Red Hat like environment. Assuming that you have used the RPM, you can start and stop Openfire using the /etc/init.d/openfire script.

# /etc/init.d/openfire
Usage /etc/init.d/openfire {start|stop|restart|status|condrestart|reload}
# /etc/init.d/openfire start
Starting openfire:

If you are running on a different Linux/Unix variant, and/or you have used the .tar.gz 'installer', you can start and stop Openfire using the bin/openfire script in your Openfire installation:

# ./openfire

Usage: ./openfire {start|stop}
# ./openfire start
Starting openfire

If you would like to install Openfire as a service, two scripts are provided in the bin/extra directory:

It is not recommended that you use either of these scripts if you installed via RPM. The RPM has already taken care of what these scripts take care of.

Custom Parameters

Advanced users may wish to pass in parameters to the Java virtual machine (VM) to customize the runtime environment of Openfire. If you installed via RPM, you can customize this by editing /etc/sysconfig/openfire and looking at the OPENFIRE_OPTS option. If you installed via .tar.gz, you will need to tweak your startup script to fit your needs.

Plugins

Plugins add additional features and protocol support to Openfire. After setting up your Openfire installation, you may want to download and install plugins to enhance your server. Plugins can be downloaded from the plugins page on igniterealtime.org or directly inside the administration console.

Installing Plugins

If you download a plugin from inside the Openfire administration console, it will automatically be installed. If you manually download the plugin (packaged as a .jar file), you can deploy it by copying the plugin file to the plugins/ directory of your Openfire installation. A plugin monitor will automatically extract the plugin into a directory and install the plugin in Openfire. You may also use the "upload plugin" feature in the admin console (under the Plugins tab) to load a plugin from your local file system to the server.

Note: For nearly all plugins, a restart of the Openfire server software is not required. You should be able to install and remove plugins on-demand without impacting Openfire.

Managing Plugins

Plugins can be managed inside the Openfire admin console. You can also manually delete a plugin at any time by deleting its JAR file (Openfire will automatically remove the plugin from memory and delete its directory when you do so).

Firewall

Server's administrator should open TCP ports 5222 and 5223 for incoming connections for XMPP clients to be able to connect to Openfire.

For secure BOSH / (HTTP-bind) and websocket-based client connections ensure that TCP port 7443 is reachable. The unencrypted port equivalent for this port (which uses HTTP instead of HTTPS, or WS instead of WSS) is 7070. We recommend only using encrypted connections on port 7443.

For server to server connections one should also open ports TCP 5269 and 5270.

As a general rule, the Openfire Admin Console should not be exposed to the general internet. However, an administrator can choose to open TCP 9090 (for HTTP) and TCP 9091 (for HTTPS), if there is a need to remotely administrate Openfire connecting to its Admin Console. We recommend only using 9091 port as it is an encrypted connection, and we strongly recommend limiting access to a curated list of known, trusted network addresses, if any.

Port number can be different, if the default configuration has been changed by an administrator. Additional ports may also be in use by Openfire or by plugins to provide additional features. The full list of ports used by Openfire can be found on the first page of Admin Console in the Server Ports section.