Building tigase-server on Fedora/RHEL

Anonymous
Building tigase-server on Fedora/RHEL

Hi,

I am trying to make standard-complying Fedora packages of tigase-{xmltools,utils,server}. There are two problems I have:

a) we cannot ship any embedded libraries inside of the package, so many Java packages run in their building process

find . -name \*.jar -delete

or something similar. Therefore I have to wait until all libraries in libs/ are part of Fedora. But that's not that much problem, at least I can test my preliminary version with all libraries included (BTW, why Derby and not Java DB ... when you mean Derby just as a smallest possible DB, anybody with serious requirements would use some standalone SQL DB anyway, why not the one which is part of Java 1.6.0?).

However, I need to move all parts to its proper places anyway (jars to /usr/share/java, non-executable stuff to /usr/share/tigase, configuration to /etc/tigase, working data and $HOME to /var/lib/tigase, and logs to /var/log/tigase ... I may give up here and allow other logs in /var/lib/tigase/logs).

Current state of my package and logs is on http://mcepl.fedorapeople.org/rpms/tigase/. It includes all RPM packages, logs (see below), and tigase-server-RH-build.patch includes all changes I needed to do to the code to make it compliant with Fedora standards.

b) much worse is that my current package doesn't work for me ... I managed to create a Derby database, and start the server with /usr/share/tigase/scripts/tigase.sh, it does open xmpp-client port on my server, it tries to connect for s2s, but when I try telnet localhost xmpp-client I don't get any meaningful response (ejabberd at least generates an error message) and gajim cannot make a connection either. All logs are in tigase-logs.zip in the above mentioned URL.

Do you have any idea, how to make tigase work for me on my server, please?

Thank you

Anonymous

sorry, forgot to follow my own commentary

Hi, thank you for the effort to create a package for Fedora Linux distribution. Here are answers to your questions:

  1. The jars included in the SVN repository are only for developers' convenience and they do not necessarily have to be included in the build. You can use libraries found in the operating system instead.
  2. I do not remember why exactly Derby has been chosen over the database embedded in JDK-6, but I think your point is very valid and I will consider including support for it in the future.
  3. It is easy to configure Tigase to keep logs in certain location. All you need to do is to set the location in the init.properties file. As an example here are a few lines of configuration which set log file size to 100MB, number of log rotated files to 20 and location for log files to /var/log/tigase:
    basic-conf/logging/java.util.logging.FileHandler.limit=100000000
    basic-conf/logging/java.util.logging.FileHandler.count=20
    basic-conf/logging/java.util.logging.FileHandler.pattern=/var/log/tigase/tigase.log
    
  4. And the last problem. Looks like your installation is misconfigured as it cannot find essential files at the startup time. Have a look at the log file to find:

    2010-05-27 17:05:31 SSLContextContainer.init()
    SEVERE: Can not initialize SSL libraryjava.io.FileNotFoundException:
    certs/rsa-keystore (No such file or directory)

I hope this helps.

Anonymous

Thanks for the reply, but concerning that certs:

a) shouldn't symlink from /usr/share/tigase/certs to /var/lib/tigase/certs (/var/lib/tigase being a $TIGASE_HOME) be sufficient?
b) why do you carry your own certs anyway? Isn't it problematic from the security point of view? I would prefer if you just used whatever certs are already installed in my Java.
c) Isn't there just some configuration variable I could set to store those certs somewhere else? (Thinking about it, couldn't I just point tigase to the system-wide ones? Or if not, /etc/tigase/certs seems like a more appropriate place)

and thanks for the point about logging, I will try it out.

I am afraid the whole certificate stuff in Tigase is done in a way far from simple and easy to control. I am working on this right now and hopefully in the Tigase 5.1.x and later there will be much more sensible implementation for this.

  1. Unfortunately a link is not enough. Tigase expects the certificate directory to be in a location relative to the startup directory. You should be able to alter this using init.properties and settings like this:
    c2s/connections/tls/keys-store=/usr/share/tigase/certs/rsa-keystore
    c2s/connections/tls/trusts-store=/usr/share/tigase/certs/truststore
    
  2. SSL certificates are required to provide XMPP service over encrypted connections - SSL or TLS. Normally the user installing an XMPP server should obtain an SSL certificate for his service for the domain he uses. Optionally, however, Tigase could use existing certificates installed perhaps for HTTP or e-mail services on the machine.
  3. The next version will offer a simple way to point to a location with certificates.

Anonymous

Well, that configuration for logs works well, the one for certs doesn't seem to have much effects. However, when I give up on this and move certs to $TIGASE_HOME, I still get errors with tigase claiming it is not able to connect to the derby database, I have just created for it. Logs are http://mcepl.fedorapeople.org/tmp/tigase-logs.zip ... are there any special rights, ownership, which needs to be taken care of?

The log says:

Caused by: java.sql.SQLException: No suitable driver found for jdbc:derby:/var/lib/tigase/derby

So either the JAR file for Derby database is not in the classpath for the Tigase server or the driver is not set.
Make sure you have the derby jar file in the program classpath. How do you start the Tigase server? I mean, what exact command do you use?

Anonymous

Thanks for the hint, it shows how much newbie I am. However, with this /etc/tigase/tigase.conf:

source /usr/share/java-utils/java-functions # in the end almost useless
# just for JAVA_HOME

ENC="-Dfile.encoding=UTF-8 -Dsun.jnu.encoding=UTF-8"
DRV="-Djdbc.drivers=com.mysql.jdbc.Driver:org.postgresql.Driver:org.apache.derby.jdbc.EmbeddedDriver"
#GC="-XX:+UseBiasedLocking -XX:+UseConcMarkSweepGC -XX:+CMSIncrementalMode -XX:ParallelCMSThreads=2"
JAVA="$(which java)"
CLASSPATH=$(build-classpath tigase-utils tigase-xmltools groovy-all-1.5.7 groovy-engine derby derbytools jdbc-mysql jdbc-postgresql)
JAVA_OPTIONS="${GC} ${ENC} ${DRV} -server -Xms100M -Xmx200M -XX:PermSize=32m -XX:MaxPermSize=256m -XX:MaxDirectMemorySize=128m "
TIGASE_CONFIG="/etc/tigase/tigase.xml"
TIGASE_OPTIONS=" --property-file /etc/tigase/init.properties "
TIGASE_HOME="/var/lib/tigase"
TIGASE_CONSOLE_LOG="/var/log/tigase/tigase-console.log"
TIGASE_JAR="/usr/share/java/tigase-server.jar"

and this init.properties:

config-type=--gen-config-def
--admins=admin@DOMAIN
--virt-hosts = DOMAIN
--debug=server
--user-db-uri=jdbc:derby:/var/lib/tigase/derby
s2s/connections/tls/keys-store=/etc/tigase/certs/rsa-keystore
s2s/connections/tls/trusts-store=/etc/tigase/certs/truststore
c2s/connections/tls/keys-store=/etc/tigase/certs/rsa-keystore
c2s/connections/tls/trusts-store=/etc/tigase/certs/truststore
bosh/connections/tls/keys-store=/etc/tigase/certs/rsa-keystore
bosh/connections/tls/trusts-store=/etc/tigase/certs/truststore
basic-conf/logging/java.util.logging.FileHandler.limit=100000000
basic-conf/logging/java.util.logging.FileHandler.count=20
basic-conf/logging/java.util.logging.FileHandler.pattern=/var/log/tigase/tigase.log

I've got a working server! Yay! Now, the question remains ... what about database. I still don't like the idea of DerbyDB (and no, JavaDB is actually not part of J2SE, it just happens to be packaged together with Sun's and only Sun's JRE; it is not in any Linux OpenJDK package AFAIK), so I was thinking about something else. Tried just --user-db=xml but it complained that it doesn't have a driver for xml (???), so another alternative which comes to my mind is HsqlDB, due to OpenOffice.org packaged absolutely everywhere. I was looking at database/derby* files and I haven't made head and tail of it. How difficult it would be to add hsqldb schemas? Which files I should start with?

Thank you very much

No, the support for XML based data storage has been dropped. It was not reliable enough. It was quite good for quick tests in development environment but people used to use it as DB for production environments which was totally wrong.

I do not know HsqlDB so it is hard to tell how hard would be adding support for it. If you are keen on working on support for it then, yes database/ directory is a place to look at.
There are examples for MySQL, PostgreSQL and Derby databases. You need to look at version '4' of the schema files.

Matěj Cepl

If you have answer to this question then I am at least able to create tigase databases with hsqldb.

Unfortunately I don't know and I have no experience with hsqldb database. I am sorry I can't help.

Matěj Cepl

OK, back to the drawing board. In the end it seems to be simplest to use MySQL.

I have created a simple mysql-db-create.sh:

#!/bin/sh
set -e

export LIBS=/usr/share/java
export DATADIR=/etc/tigase/database

read -sp "Enter mysql admin password: " MSQLPSWD
echo
read -sp "Enter tigase_user password: " TIGASEPSWD
echo

mysqladmin -p$MSQLPSWD create tigasedb
mysql -u root -p$MSQLPSWD <

But when I run it I get this error:
ERROR 1054 (42S22) at line 155: Unknown column 'sha1_user_id' in 'field list'

when loading mysql-schema-4.sql. Do you have any idea, what's wrong?

Matěj Cepl

damn, forum got broken by piping. The script should be:

#!/bin/sh
set -e

export LIBS=/usr/share/java
export DATADIR=/etc/tigase/database

read -sp "Enter mysql admin password: " MSQLPSWD
echo
read -sp "Enter tigase_user password: " TIGASEPSWD
echo

mysqladmin -p$MSQLPSWD create tigasedb
mysql -u root -p$MSQLPSWD <

The only explanation I have for this is that you must have somehow mixed up the mysql-schema.sql and mysql-schema-4.sql files. The first one is the old Tigase schema which does not have the sha1_user_id field and the second one is the schema with this field and a few other changes.

There is also mysql-schema-upgrade-to-4.sql which provides the DB upgrade to the most recent version. Make sure you do not use either any files without '4' in its name or the upgrade file. Your script should look like this:

#!/bin/sh
set -e

export LIBS=/usr/share/java
export DATADIR=/etc/tigase/database

read -sp "Enter mysql admin password: " MSQLPSWD
echo
read -sp "Enter tigase_user password: " TIGASEPSWD
echo

mysqladmin -p$MSQLPSWD create tigasedb
mysql -u root -p$MSQLPSWD < database/mysql-schema-4.sql

Make sure you have all, correct and unmodified SQL files from the Tigase package in the 'database' directory.

I hope this helps, if you have any problems, please do not hesitate to contact me.

Matěj Cepl

OK, so in the end the script should look like this

#!/bin/sh
set -e

export DATADIR=/etc/tigase/database

read -sp "Enter mysql admin password: " MYSQLPSWD
echo
read -sp "Enter tigase_user password: " TIGASEPSWD
echo

mysqladmin --password=$MYSQLPSWD create tigasedb
mysql --password=$MYSQLPSWD <

Matěj Cepl

Hmm, so I was able to install tigase, make MySQL database, but when I tried to run it, I've got tigase not able to connect to the database, although rhino on the same computer with same JDBC drivers and same JDBC uri, has no problems to connect.

Do you see any ideas in logs on http://mcepl.fedorapeople.org/tmp/tigase-logs.zip (I still cannot chew upon Java backtraces well enough and it doesn't seem to say in many many words more than it failed).

Thank you very much for your support.

The good news is that you are almost there. Everything seems to be fine except the DB user permissions.
The error message says: "User does not have access to metadata required to determine stored procedure parameter types. If rights can not be granted, configure connection with "noAccessToProcedureBodies=true" to have driver generate parameters that represent INOUT strings irregardless of actual parameter types."
So you have 2 options here: either extend the DB user permissions for the mysql.proc table as described in this article, or do what the error message suggests and add "noAccessToProcedureBodies=true" to the DB connection string.

Matěj Cepl

I will try the parameter, but I thought that with GRANT ALL commands I should give the user what it needs. Confused ....

Yes, you did GRANT ALL, but only on the 'tigasedb' database. However, the DB user also needs some access to the 'proc' table in the 'mysql' database. Or you can avoid giving it permission to access this table by passing the extra parameter in the connection string.

Matěj Cepl

https://bugzilla.redhat.com/show_bug.cgi?id=619928, that means that in my opinion the package is ready and needs to be reviewed.

Thank you very much, I wouldn't certainly make it without your help.

I thank you for making the effort to create the package and continuing work on this despite all the problems.

Matěj Cepl

What are the passwords for keystores? When I try to do anything with keystores I get asked for password:

[root@luther downloads]# keytool -list -keystore ../rsa-keystore 
Enter keystore password:  
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
[root@luther downloads]# mc

I have a .pem certificate from startssl which I used with ejabberd and I don't know how to import it from the .pem file. When I try to wipe out all files and recreate truststore and rsa-keystore by importing startssl root certs and my server cert, the server doesn't start correctly and complains that keystore was tampered with.

http://www.tigase.org/content/server-certificate-using-keytool-and-keystore doesn't mention anything about passwords.

Matěj Cepl

My problem probably also relates to the fact that all my contacts in roster have no authorization to see me and I have this error message in log, right?

2010-08-30 16:01:09  MessageRouter.processPacket()       FINEST:   Processing packet: from=sess-man@luther.ceplovi.cz, to=landovska@gmail.com/gmail.B142C432, data=<presence to="landovska@gmail.com/gmail.B142C432" from="mcepl@ceplovi.cz" type="error"><error code="403" type="auth"><forbidden xmlns="urn:ietf:params:xml:ns:xmpp-stanzas"/><text xmlns="urn:ietf:params:xml:ns:xmpp-stanzas" xml:lang="en">CData size: 34</text></error></presence>, XMLNS=null, priority=PRESENCE

A default keystore password is.... keystore. You can of course create own keystore and set a different password. The default 'keystore' password however is used by the Tigase server, so if you change the password you have to update Tigase's configuration and provide a new password.
This part of the Tigase server is being worked on to provide easy to use tools for managing SSL certificates and make the overall process much simpler.

You might prefer to load SSL certificates from pem files by the Tigase server instead of storing them in keystore. Here are instructions how to set the Tigase up to load pem files instead of keystore: http://www.tigase.org/content/creating-and-loading-server-certificate-pem-files

Your conclusion is probably correct. You should look at the roster packet to see what presence subscription is set for your contacts. If it is 'none' then you get this kind of errors, if it is 'both' (on both sides) then you should not receive such an error.

Matěj Cepl

I've made progress. I wiped out whole /etc/pki/tigase and recreated my own truststore and rsa-keystore and set these values in the init.properties:

# Change locations of certificates to be in line with the rest of the system
s2s/connections/tls/keys-store=/etc/pki/tigase/rsa-keystore
s2s/connections/tls/keys-store-password=verysecret
s2s/connections/tls/trusts-store=/etc/pki/tigase/truststore
s2s/connections/tls/trusts-store-password=verysecret
c2s/connections/tls/keys-store=/etc/pki/tigase/rsa-keystore
c2s/connections/tls/keys-store-password=verysecret
c2s/connections/tls/trusts-store=/etc/pki/tigase/truststore
c2s/connections/tls/trusts-store-password=verysecret
bosh/connections/tls/keys-store=/etc/pki/tigase/rsa-keystore
bosh/connections/tls/keys-store-password=verysecret
bosh/connections/tls/trusts-store=/etc/pki/tigase/truststore
bosh/connections/tls/trusts-store-password=verysecret

and now tigase starts correctly (no further testing was done yet).

Next step was to add external components (I use spectrum from http://spectrum.im) and I have four components ... icq, irc, twitter, and identica. So following http://www.tigase.org/content/basic-configuration-options I have added this (all those *.ceplovi.cz are just aliases to localhost set in /etc/hosts, not present in DNS):

# external components
--comp-name-1 = icq.ceplovi.cz
--comp-class-1 = tigase.server.ext.ComponentProtocol
--comp-name-2 = irc.ceplovi.cz
--comp-class-2 = tigase.server.ext.ComponentProtocol
--comp-name-3 = twitter.ceplovi.cz
--comp-class-3 = tigase.server.ext.ComponentProtocol
--comp-name-4 = identica.ceplovi.cz
--comp-class-4 = tigase.server.ext.ComponentProtocol
--external = icq.ceplovi.cz:passwd1:listen:6668,irc.ceplovi.cz:passwd2:listen:6667,twitter.ceplovi.cz:passwd3:listen:6669,identica.ceplovi.cz:passwd4:listen:6670

Now when I restart tigase, I get following issues in the log. First, this backtrace:

2010-08-30 18:12:52  SSLContextContainer.init()          SEVERE:   Can not initialize SSL libraryjava.io.FileNotFoundException: certs/rsa-keystore (No such file or directory)
        at java.io.FileInputStream.open(Native Method)
        at java.io.FileInputStream.<init>(FileInputStream.java:137)
        at java.io.FileInputStream.<init>(FileInputStream.java:96)
        at tigase.io.SSLContextContainer.init(SSLContextContainer.java:104)
        at tigase.io.SSLContextContainer.init(SSLContextContainer.java:89)
        at tigase.io.TLSUtil.configureSSLContext(TLSUtil.java:56)
        at tigase.server.ConnectionManager.setProperties(ConnectionManager.java:556)
        at tigase.server.ext.ComponentProtocol.setProperties(ComponentProtocol.java:654)
        at tigase.conf.ConfiguratorAbstract.setup(ConfiguratorAbstract.java:655)
        at tigase.conf.ConfiguratorAbstract.componentAdded(ConfiguratorAbstract.java:174)
        at tigase.conf.ConfiguratorAbstract.componentAdded(ConfiguratorAbstract.java:67)
        at tigase.server.AbstractComponentRegistrator.addComponent(AbstractComponentRegistrator.java:127)
        at tigase.server.MessageRouter.addComponent(MessageRouter.java:125)
        at tigase.server.MessageRouter.addRouter(MessageRouter.java:165)
        at tigase.server.MessageRouter.setProperties(MessageRouter.java:665)
        at tigase.conf.ConfiguratorAbstract.setup(ConfiguratorAbstract.java:655)
        at tigase.conf.ConfiguratorAbstract.componentAdded(ConfiguratorAbstract.java:174)
        at tigase.conf.ConfiguratorAbstract.componentAdded(ConfiguratorAbstract.java:67)
        at tigase.server.AbstractComponentRegistrator.addComponent(AbstractComponentRegistrator.java:127)
        at tigase.server.MessageRouter.addRegistrator(MessageRouter.java:151)
        at tigase.server.MessageRouter.setConfig(MessageRouter.java:565)
        at tigase.server.XMPPServer.main(XMPPServer.java:135)

I guess there is one more class of certificates which needs to be set, right? However, I cannot find anywhere what are all available types for certificates storage.

The second problem is that I get a lot of errors like:

2010-08-30 18:12:57  ConnectionOpenThread.addAllWaiting()  WARNING: Error: java.net.BindException: Address already in use creating connection for: {port-no=6668, local-host=icq.ceplovi.cz, type=accept, socket=plain, ifc=[Ljava.lang.String;@50a649, max-reconnects=7200000, repo-item=icq.ceplovi.cz:passwd1:accept:6668:null:null}

What am I missing?

Matěj Cepl

Frankly, I don't care much about .pem format ... keytool seems to do just fine with importing them. Or am I missing something?

The pem files are much more useful when you have multiple virtual domains. Then you just copy pem file for a particular domain to a correct location and the server loads it automatically.
It really does not matter, it is just a convenience, whichever you prefer to use.

What version of the Tigase server do you use? Because if you use a version 5.0.0 or later you can setup external components (and Spectrum transports for that matter) in much simpler way:
http://www.tigase.org/content/basic-configuration-options

Matěj Cepl

Obviously I am using my own package (tigase-server-5.0.0-0.3.20100527svn.el5; is there any later official tarball?). I haven’t understood correctly those configuration options apparently. Is this the correct way?

# external components
--comp-name-1 = spectrum
--comp-class-1 = tigase.server.ext.ComponentProtocol
--external = icq.ceplovi.cz:passwd1:listen:6668,irc.ceplovi.cz:passwd2:listen:6667,twitter.ceplovi.cz:passwd3:listen:6669,identica.ceplovi.cz:passwd4:listen:6670

I don't see any other errors in logs than:

2010-09-01 21:44:24  ConfiguratorAbstract.parseArgs()    CONFIG:   Added default
 config parameter: (--external=icq.ceplovi.cz:lJjm5o1LqBlQJWpRRupLPO9ZlDyuxyjXOi
bUUENQHy4jl0t31C2CejMSWjGrspk:listen:6668,irc.ceplovi.cz:B439BA17F9C77228FBD655A
B27CE58E01B225EFBD15EE898409FA00FC604D70E:listen:6667,twitter.ceplovi.cz:Qd8LMxY
OFbT0lfphOGfgBvTNCl5DGNthvht7Lf9VfQNI2src0UNSBbtzAstbfUd:listen:6669,identica.ce
plovi.cz:6w5wU8SDnSNO8cGbep6A2E8M4vL3vEPgTTQekn8XrMykEBhV2urudUpNWqj6H6s:listen:
6670)
2010-09-01 21:44:24  ConfiguratorAbstract.parseArgs()    CONFIG:   Added default
 config parameter: (--debug=server)
2010-09-01 21:44:25  MessageRouter.addRegistrator()      INFO:     Adding regist
rator: Configurator
2010-09-01 21:44:25  MessageRouter.addComponent()        INFO:     Adding compon
ent: Configurator
2010-09-01 21:44:25  ConfiguratorAbstract.componentAdded()  CONFIG:  component: 
basic-conf
2010-09-01 21:44:29  SocketReadThread.getInstance()      WARNING:  1 SocketReadT
hreads started.
Loading plugin: jabber:iq:register=2 ...
Loading plugin: jabber:iq:auth=1 ...
Loading plugin: urn:ietf:params:xml:ns:xmpp-sasl=1 ...
Loading plugin: urn:ietf:params:xml:ns:xmpp-bind=2 ...
Loading plugin: urn:ietf:params:xml:ns:xmpp-session=2 ...
Loading plugin: roster-presence=2 ...
Loading plugin: jabber:iq:privacy=2 ...
Loading plugin: jabber:iq:version=2 ...
Loading plugin: http://jabber.org/protocol/stats=2 ...
Loading plugin: starttls=2 ...
Loading plugin: msgoffline=1 ...
Loading plugin: vcard-temp=2 ...
Loading plugin: http://jabber.org/protocol/commands=2 ...
Loading plugin: jabber:iq:private=2 ...
Loading plugin: urn:xmpp:ping=2 ...
Loading plugin: domain-filter=0 ...
Loading plugin: disco=2 ...
2010-09-01 21:44:32  BasicComponent.loadScripts()        WARNING:  Admin scripts directory is missing: scripts/admin/spectrum, creating...
2010-09-01 21:44:32  SSLContextContainer.init()          SEVERE:   Can not initialize SSL libraryjava.io.FileNotFoundException: certs/rsa-keystore (No such file or directory)
        at java.io.FileInputStream.open(Native Method)
        at java.io.FileInputStream.<init>(FileInputStream.java:137)
        at java.io.FileInputStream.<init>(FileInputStream.java:96)
        at tigase.io.SSLContextContainer.init(SSLContextContainer.java:104)
        at tigase.io.SSLContextContainer.init(SSLContextContainer.java:89)
        at tigase.io.TLSUtil.configureSSLContext(TLSUtil.java:56)
        at tigase.server.ConnectionManager.setProperties(ConnectionManager.java:556)
        at tigase.server.ext.ComponentProtocol.setProperties(ComponentProtocol.java:654)
        at tigase.conf.ConfiguratorAbstract.setup(ConfiguratorAbstract.java:655)
        at tigase.conf.ConfiguratorAbstract.componentAdded(ConfiguratorAbstract.java:174)
        at tigase.conf.ConfiguratorAbstract.componentAdded(ConfiguratorAbstract.java:67)
        at tigase.server.AbstractComponentRegistrator.addComponent(AbstractComponentRegistrator.java:127)
        at tigase.server.MessageRouter.addComponent(MessageRouter.java:125)
        at tigase.server.MessageRouter.addRouter(MessageRouter.java:165)
        at tigase.server.MessageRouter.setProperties(MessageRouter.java:665)
        at tigase.conf.ConfiguratorAbstract.setup(ConfiguratorAbstract.java:655)
        at tigase.conf.ConfiguratorAbstract.componentAdded(ConfiguratorAbstract.java:174)
        at tigase.conf.ConfiguratorAbstract.componentAdded(ConfiguratorAbstract.java:67)
        at tigase.server.AbstractComponentRegistrator.addComponent(AbstractComponentRegistrator.java:127)
        at tigase.server.MessageRouter.addRegistrator(MessageRouter.java:151)
        at tigase.server.MessageRouter.setConfig(MessageRouter.java:565)
        at tigase.server.XMPPServer.main(XMPPServer.java:135)

What configuration option I am missing to tell tigase, that it should use still the same rsa-keystore as defined here for other components:

s2s/connections/tls/keys-store=/etc/pki/tigase/rsa-keystore
s2s/connections/tls/keys-store-password=verySecret
s2s/connections/tls/trusts-store=/etc/pki/tigase/truststore
s2s/connections/tls/trusts-store-password=verySecret
c2s/connections/tls/keys-store=/etc/pki/tigase/rsa-keystore
c2s/connections/tls/keys-store-password=verySecret
c2s/connections/tls/trusts-store=/etc/pki/tigase/truststore
c2s/connections/tls/trusts-store-password=verySecret
bosh/connections/tls/keys-store=/etc/pki/tigase/rsa-keystore
bosh/connections/tls/keys-store-password=verySecret
bosh/connections/tls/trusts-store=/etc/pki/tigase/truststore
bosh/connections/tls/trusts-store-password=verySecret

For the spectrum external component - you can have all transports working on a single port, hence, you can skip port numbers for irc, twitter and identica.

As for the error in your logfiles, I think you are missing TLS settings for the spectrum component. Unfortunately TLS settings must be specified for all connection managers. So the missing part is:

spectrum/connections/tls/keys-store=/etc/pki/tigase/rsa-keystore
spectrum/connections/tls/keys-store-password=verySecret
spectrum/connections/tls/trusts-store=/etc/pki/tigase/truststore
spectrum/connections/tls/trusts-store-password=verySecret
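
A check for the gap described in the answer above, as an added example (not part of the original thread and not Tigase code): it parses an init.properties and reports every connection manager, including external components declared with --comp-class-N, that lacks its own TLS store settings. The built-in manager list (c2s, s2s, bosh), the finding labels and the sample values are assumptions based on the configuration quoted in this thread.

```python
import re

# Key names as they appear in the init.properties quoted in this thread.
TLS_KEYS = ("keys-store", "keys-store-password",
            "trusts-store", "trusts-store-password")
# Assumption: the built-in connection managers are the three configured in the thread.
BUILTIN_MANAGERS = ("c2s", "s2s", "bosh")
EXT_CLASS = "tigase.server.ext.ComponentProtocol"
# The thread states that the default keystore password is "keystore".
DEFAULT_PASSWORD = "keystore"


def parse_properties(text):
    """Parse 'key = value' lines, skipping blanks and '#' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def connection_managers(props):
    """Built-in managers plus every component loaded as an external component."""
    names = list(BUILTIN_MANAGERS)
    for key, value in props.items():
        match = re.fullmatch(r"--comp-class-(\d+)", key)
        if match and value == EXT_CLASS:
            name = props.get("--comp-name-" + match.group(1))
            if name and name not in names:
                names.append(name)
    return names


def audit(text):
    """Return (manager, key, problem) tuples for incomplete or weak TLS settings."""
    props = parse_properties(text)
    findings = []
    for manager in connection_managers(props):
        for key in TLS_KEYS:
            value = props.get(f"{manager}/connections/tls/{key}")
            if value is None:
                # In the thread, a manager without these settings tried to open
                # certs/rsa-keystore relative to the startup directory.
                findings.append((manager, key, "missing"))
            elif key.endswith("-store") and not value.startswith("/"):
                findings.append((manager, key, "relative-path"))
            elif key.endswith("-password") and value == DEFAULT_PASSWORD:
                findings.append((manager, key, "default-password"))
    return findings


def tls_block(manager, store_dir="/etc/pki/tigase", password="example-password"):
    """Build the four TLS lines for one manager (constructed sample values)."""
    values = (f"{store_dir}/rsa-keystore", password,
              f"{store_dir}/truststore", password)
    return "".join(f"{manager}/connections/tls/{key}={value}\n"
                   for key, value in zip(TLS_KEYS, values))


# Constructed sample: the spectrum component is declared but has no TLS block yet.
SAMPLE = ("# external components\n"
          "--comp-name-1 = spectrum\n"
          "--comp-class-1 = tigase.server.ext.ComponentProtocol\n"
          + "".join(tls_block(m) for m in BUILTIN_MANAGERS))

if __name__ == "__main__":
    for manager, key, problem in audit(SAMPLE):
        print(f"{manager}/connections/tls/{key}: {problem}")
```
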

Matěj Cepl

Awesome! Thanks a lot ... I have now working tigase server and spectrum. I have to find out why gajim still claims that the certificate is expired, but I think this thread can be finally closed!

Thanks a lot