Jabber Service

We've very little docs on this, so as I come across things, I'll add them here.

  • If the jabber service dies, or you reboot it, you need to tell the nagios notification bot to rejoin. Do this by running om jnotify stop/start on the nagios server (and backup nagios server).
  • Persistent jabber stuff seems to be stored in /var/lib/jabberd/, which is mirrored and should be restored or moved if moving the service to another machine (along with the logs in /var/www/jabberd/html).

  • You don't need any specific roles/entitlements to access jabber, but some rooms have individual config (issue "/config" in an existing chat), e.g. the "cos" room is invite only. You do need the jabber/muc/cos entitlement to see the logs on the web though.
    • From pidgin (or similar) to invite someone, join the room yourself and issue "/invite uun@inf.ed.ac.uk" (optionally followed by a welcome message). It won't work with an unqualified uun.

Some jabber client docs:

x509 Certificates

There are 3 certificates involved. At the time of writing they were:

/etc/jabberd/comodo-xmpp.pem - seems to be the actual jabber xmpp cert
Subject: C=GB, ST=City of Edinburgh, L=EDINBURGH, O=University of Edinburgh, OU=Informatics, CN=inf.ed.ac.uk
Used in: /etc/jabberd/c2s.xml 
Configured by: jabberd.c2s_pemfile and c2s_oldpemfile
c2s_oldpemfile=/etc/jabberd/comodo-xmpp.pem
c2s_pemfile=/etc/jabberd/comodo-xmpp.pem


/etc/pki/tls/certs/le-jabber.crt - https://jabber.inf.ed.ac.uk
Subject: C=GB, ST=City of Edinburgh, L=EDINBURGH, O=University of Edinburgh, OU=Informatics, CN=jabber.inf.ed.ac.uk
This cert is now a Let's Encrypt x509 component certificate.
Used in: /etc/httpd/lcfg.sites.d/jabber.conf
Configured by: apacheconf.vhostsslcert_jabber
apacheconf.vhostsslcert_jabber		<%x509.certfile_jabhttps%>
apacheconf.vhostsslkey_jabber		<%x509.keyfile_jabhttps%>
apacheconf.vhostsslchain_jabber		<%x509.chainfile_jabhttps%>


/etc/pki/tls/certs/jabcos.crt - cosign channel
Subject: CN=jabber.inf.ed.ac.uk, OU=Informatics, O=The University of Edinburgh, L=Edinburgh, ST=Scotland, C=GB
Used in: /etc/httpd/conf.d/cosign-client
Configured by: cosign.file_filter_crt
file_filter_crt=/etc/pki/tls/certs/jabcos.crt
file_filter_key=/etc/pki/tls/private/jabcos.key
path_filter_ca=/etc/pki/tls/certs/x509.CA

So the HTTPS and the Cosign certs are generated by the x509 component, using Let's Encrypt where appropriate.

We'd like to use LE for the actual xmpp cert, but it is named "inf.ed.ac.uk", so it might be a bit tricky to get LE to generate that. Toby is going to have a look.

18/2/2020

It was simpler to get an old style Quovadis cert for inf.ed.ac.uk. Toby obtained a .crt .key and quovadis-ev-g3.chain file.

To be of use for jabber, they all need to be cat'd together into a single .pem, and then /etc/jabberd/c2s.xml pointed at it:

cat .crt .pem .chain > xmpp.pem
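A safer way to do that concatenation, as an added example (not part of the original notes or of jabberd itself): it refuses to build the bundle unless the private key belongs to the certificate and the certificate is unexpired, and it creates the file readable by its owner only. Assumptions: the second input is the private key (the .key file mentioned above), the function and file names are placeholders, and openssl is on the PATH.

```shell
#!/bin/sh
# Added example, not from the original page. File names are placeholders.
# usage: build_xmpp_pem CERT KEY CHAIN OUT

# True only if the certificate's public key is the one derived from the private key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

build_xmpp_pem() {
    crt=$1 key=$2 chain=$3 out=$4
    for f in "$crt" "$key" "$chain"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    done
    key_matches_cert "$crt" "$key" ||
        { echo "private key does not match certificate" >&2; return 1; }
    # -checkend 0 fails if the certificate has already expired.
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired" >&2; return 1; }

    # The bundle holds the private key, so create it mode 0600 (umask 077)
    # under a temporary name and only rename it once it checks out.
    tmp="$out.tmp.$$"
    (
        umask 077
        for f in "$crt" "$key" "$chain"; do
            cat "$f"
            echo    # keeps PEM markers on separate lines if a file lacks a final newline
        done > "$tmp"
    ) || { rm -f "$tmp"; return 1; }

    if [ "$(grep -c 'BEGIN .*PRIVATE KEY' "$tmp")" -ne 1 ] ||
       [ "$(grep -c 'BEGIN CERTIFICATE' "$tmp")" -lt 2 ]; then
        echo "bundle needs exactly one key and at least leaf + chain certs" >&2
        rm -f "$tmp"; return 1
    fi
    mv "$tmp" "$out"
    # Assumption: afterwards chown OUT to the account jabberd runs as.
}
```
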

-- NeilBrown - 03 Feb 2020

Topic revision: r7 - 16 Apr 2020 - 14:55:22 - NeilBrown
 