How to only allow s2s connection between several servers and my tigase server
I set up two Tigase servers, server1 and server2. I only want to enable s2s connections between these two Tigase servers.
I create a truststore for each Tigase server and put the truststore into /tigase/certs. The two Tigase servers can talk to each other.
# create truststore for server2 (trust the CA that issued server1's certificate)
keytool -import -alias ca -file domain1.pem -keystore truststore
# create truststore for server1 (trust the CA that issued server2's certificate)
keytool -import -alias ca -file domain2.pem -keystore truststore
But I find that users on my servers can add a user on rows.io. I don't have rows.io's certificate in my truststore. Why? How do I fix it?
Added by Wojciech Kapcia about 3 years ago
Do those two Tigase servers serve the same domain and are they basically a cluster (two nodes of the same service)? If yes, then clustering is done on a different port and it doesn't use the S2S component, in which case you can disable XMPP Federation (i.e. s2s connectivity) with the following entry in @etc/init.properties@:
If those are different servers serving different domains, then you can utilize Packet Filtering and configure it to WHITELIST only your domains.
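As an added illustration of the WHITELIST policy suggested above (not Tigase's own Packet Filtering code), the following decision logic admits federation traffic only when both endpoints belong to the allowed domains; the domain names and stanzas are constructed for the example:

```python
"""Whitelist-style domain filter for federation (s2s) traffic.

Added illustration, not Tigase's implementation; all domains are constructed.
"""
from dataclasses import dataclass

# Constructed sample: this node serves server1 and may federate only with server2.
LOCAL_DOMAINS = {"server1.example.com"}                      # domains served here
WHITELIST = {"server1.example.com", "server2.example.com"}   # allowed partners


@dataclass(frozen=True)
class Stanza:
    src: str  # "from" JID
    dst: str  # "to" JID


def domain_of(jid: str) -> str:
    """Return the domain part of a JID (user@domain/resource -> domain)."""
    bare = jid.split("/", 1)[0]
    return bare.rsplit("@", 1)[-1].lower()


def allowed(stanza: Stanza, whitelist=WHITELIST, local=LOCAL_DOMAINS) -> bool:
    """True when the stanza may pass the filter.

    Purely local traffic always passes; anything crossing to a domain outside
    the whitelist is dropped, whether outbound (a local user adding a contact
    on an unrelated domain) or inbound from that domain.
    """
    src, dst = domain_of(stanza.src), domain_of(stanza.dst)
    if src in local and dst in local:
        return True
    return src in whitelist and dst in whitelist


def filter_stanzas(stanzas):
    """Split a batch of stanzas into (accepted, dropped) lists."""
    accepted = [s for s in stanzas if allowed(s)]
    dropped = [s for s in stanzas if not allowed(s)]
    return accepted, dropped


SAMPLE = [  # constructed traffic
    Stanza("alice@server1.example.com/pc", "bob@server2.example.com"),
    Stanza("alice@server1.example.com/pc", "carol@rows.io"),
    Stanza("dave@rows.io", "alice@server1.example.com"),
]

if __name__ == "__main__":
    ok, drop = filter_stanzas(SAMPLE)
    print("accepted:", [(s.src, s.dst) for s in ok])
    print("dropped:", [(s.src, s.dst) for s in drop])
```

Note that the decision is made on the stanza's domains, not on what is in the TLS truststore, which is why a certificate-only setup does not by itself stop contact requests to third-party domains.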
Added by Alina Sun about 3 years ago
These two servers are in different domains and run by different companies. They are not in a cluster.
I am just confused. According to my understanding, server A can create an s2s connection with server B only if:
Server A installs server B's certificate into server A's truststore and
Server B installs server A's certificate into server B's truststore.
The current situation is:
Server C's certificate is not in server A's truststore and server A's certificate is not in server C's truststore. Server A and server C are in different domains and run by different companies. But a user of server A can add a user on server C as a contact and chat with them.
Server A and server B are our internal servers and we don't want server A or server B to create s2s connections with any other XMPP servers. But server A and server B can create an s2s connection between them.
What should I do to make it happen? Packet Filtering does not seem to be the best choice.