Mac OS X Server iChat Service Administration For Version 10.
K Apple Inc. © 2007 Apple Inc. All rights reserved. The owner or authorized user of a valid copy of Mac OS X Server software might reproduce this publication for the purpose of learning to use such software. No part of this publication might be reproduced or transmitted for commercial purposes, such as selling copies of this publication or for providing paid-for support services. Every effort has been made to guarantee that the information in this manual is correct. Apple Inc.
Preface About This Guide This guide provides instructions for setting up, configuring, and administering iChat service on Mac OS X Server. Instant messaging involves live interactions between computer users exchanging text, pictures, audio, and video. Instant messaging is also known as chatting, because of its spontaneous, conversation-like qualities. iChat is the Apple instant messaging service that promotes real-time communication and information-sharing between diverse user groups.
What’s in this Guide
This guide includes the following chapters:
• Chapter 1, “Understanding iChat Service,” highlights key concepts and provides basic information about iChat messaging in action, iChat messaging in organizations, and overviews of the iChat service.
• Chapter 2, “Setting Up and Managing iChat Service,” describes how to set up your iChat service for the first time and how to manage iChat settings and components.
Advanced Server Administration Guides Getting Started covers installation and setup for standard and workgroup configurations of Mac OS X Server. For advanced configurations, Server Administration covers planning, installation, setup, and general server administration. A suite of additional guides, listed below, covers advanced planning, setup, and management of individual services. You can get these guides in PDF format from the Mac OS X Server documentation website: www.apple.
This guide... tells you how to:
• User Management: Create and manage user accounts, groups, and computers. Set up managed preferences for Mac OS X clients.
• Web Technologies Administration: Set up and manage web technologies, including web, blog, webmail, wiki, MySQL, PHP, Ruby on Rails, and WebDAV.
• Xgrid Administration and High Performance Computing: Set up and manage computational clusters of Xserve systems and Mac computers.
Getting Documentation Updates
Periodically, Apple posts revised help pages and new editions of guides. Some revised help pages update the latest editions of the guides.
• To view new onscreen help topics for a server application, make sure your server or administrator computer is connected to the Internet and click “Latest help topics” or “Staying current” in the main help page for the application.
• To download the latest guides in PDF format, go to the Mac OS X Server documentation website: www.apple.
1 Understanding iChat Service 1 Mac OS X iChat service provides secure instant messaging for users supported by Mac OS X Server. iChat is a service that permits users to collaborate by chatting and sharing information using instant messaging and data transfer. This real-time interaction between computer users promotes collaboration without the delay of mail responses and blog postings or the expense of telephone communication or face-to-face meetings.
Apple uses the jabberd software, which implements the Jabber protocol. Jabber is a trademarked term given to this XMPP protocol by the Jabber Software Foundation. iChat provides file transfer between peers that can’t establish a direct connection to each other because of intervening firewalls that block such connections. In that case, iChat acts as a file-transfer proxy, using the Jabber Proxy65 module.
Step 1: Initiating a chat
To start a chat with another user, you must first know the user’s short name and the domain name that iChat is configured to use.
Step 2: Verifying identity
iChat verifies the identity of users by using Open Directory authentication. Users are authenticated only if they’re defined in a directory domain in the server’s Open Directory search path.
Step 3: Authorizing the user
iChat makes sure that users are authorized to use the service.
You can also use Server Admin to create customized iChat configurations depending on your organization’s requirements. For more details, see Chapter 3, “Setting Up Advanced iChat Service Configurations.” This includes setting up a server-to-server federation. When server-to-server federation is enabled, communication with most other XMPP-compliant chat servers is also established, including the ability to federate with Google Talk.
Workgroup Manager
Workgroup Manager provides comprehensive management of Mac OS X Server clients and users. For basic information about using Workgroup Manager, see User Management. This includes information such as:
• Opening and authenticating in Workgroup Manager
• Administering accounts
• Customizing the Workgroup Manager environment
Workgroup Manager is installed in the /Applications/Server/ folder.
2 Setting Up and Managing iChat Service
This chapter describes how to set up and manage iChat in Mac OS X Server. This chapter helps you perform the initial iChat service setup and provides information about using, managing, and administering iChat.
Understanding iChat Screen Names
iChat screen names are Jabber IDs and use the general format user-short-name@iChat-domain-name (for example, nancy@ichat.example.com).
Setup Overview
Here is an overview of the steps for setting up iChat service:
Step 1: Configure and start Open Directory
iChat uses Open Directory to authenticate users, and Open Directory must be configured before setting up iChat. See “Configuring and Starting Open Directory” on page 18.
Step 2: (Optional) Set up Firewall service
If you are using a firewall, iChat requires specific ports to be open for iChat features to function. See “Opening Firewall Ports for iChat Service” on page 19.
Opening Firewall Ports for iChat Service iChat requires specific ports to be open on your server. If you have a firewall configured or you are using the Mac OS X Server firewall, you must enable these ports before you can use iChat. Depending on the iChat functions you require, make sure the following ports are open.
• General. Use to set host domains, SSL certificate, authentication method, and XMPP server-to-server federation for iChat.
• Logging. Use to configure message log settings for iChat.
The following sections describe how to configure these settings, and a final section tells you how to start iChat when you finish.
9 If you are using a certificate with iChat, select “Require secure server-to-server federation.” This option requires an SSL certificate to be installed, which is used to secure the server-to-server federation. For more information, see “Securing S2S Connections” on page 28.
10 To permit unrestricted server-to-server communication, select “Allow federation with all domains.”
11 To restrict server-to-server communication to servers that are listed, select “Allow federation with the following domains.
To start iChat service:
1 Open Server Admin and connect to the server.
2 Click the triangle to the left of the server. The list of services appears.
3 In the expanded Servers list, click iChat.
4 Click Start iChat (below the Servers list).
Managing iChat
In this section you learn about day-to-day tasks you might perform after you set up iChat on your server. Initial setup information appears in “Setting up iChat” on page 19.
5 Select the level of restriction you want for the services: To restrict access to all services, select “For all services.” To set access permissions for individual services, select “For selected services below” and select the services from the Service list.
6 Select the level of restriction you want for users and groups: To provide unrestricted access, click “Allow all users and groups.
The digital certificate can be a self-signed certificate or a certificate imported from a certificate authority. For information about defining, obtaining, and installing certificates on your server, see Server Administration. iChat uses SSL to encrypt your chat messages that are sent over the network. However, if your iChat server is logging chat messages, the messages are stored on the server in an unencrypted format. These unencrypted chat messages can be easily viewed by your server administrator.
Viewing iChat Logs
You can view iChat logs using Server Admin. iChat logs are located in the following locations:
• The iChat service log is located in /var/log/system.log.
• The iChat file proxy log is located in /private/var/jabberd/log/proxy65.log.
• The iChat multiuser conference log is located in /var/jabberd/log/jcr.log.
To view iChat logs:
1 Open Server Admin and connect to the server.
2 Click the triangle to the left of the server. The list of services appears.
3 Click iChat.
3 Setting Up Advanced iChat Service Configurations
This chapter tells you how to customize iChat to create advanced configurations.
Using Server Admin, you can take advantage of additional options for securing S2S communications. These options include filtering domains where servers are matched against a given list.
To enable or disable S2S communication:
1 Open Server Admin and connect to the server.
2 Click the triangle to the left of the server. The list of services appears.
3 From the expanded Servers list, select iChat.
4 Click Settings, then click General.
5 Select or deselect “Enable XMPP server-to-server federation.
By default, iChat uses a preinstalled, self-signed SSL certificate. You can select your own certificate. The selected certificate is used for client-to-server communications on ports 5222 and 5223 and for server-to-server communications. Jabber provides the following ports:
• 5222 accepts TLS encryption
• 5223 accepts SSL encryption
SSL encrypts your chat messages over the network on both client-to-server and server-to-server connections.
5 Select “Allow federation with the following domains” to restrict S2S communication to those servers listed. You can add or remove domains using the Add (+) or Delete (–) buttons below the list. The entries can be complete host names or domains (this can be a mix of servers and domains). The server software does the rule-matching to see if these domains can interact. Any domain or host not in the approved list cannot communicate with your iChat server.
6 Click Save.
Setting Up iChat on Virtually Hosted Domains
iChat requires that your host have a host name that is resolvable using DNS. This host name is used as the Jabber realm by the iChat server, and clients use this realm to connect to the service. Clients use a Jabber Identifier (JID) to authenticate and interact with the server. The JID is in the format @ (for example, chatuser@chatserver.example.com).
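The JID format above and the federation allow list described under S2S configuration can be modelled together. The following added example (not Apple’s or jabberd’s own code) parses a JID into user, realm and resource, then applies an assumed allow-list rule: an entry that is a complete host name matches only that host, and a bare domain entry also matches hosts beneath it; the list contents are constructed.

```python
import re

# Constructed allow list mixing complete host names and bare domains, as the
# "Allow federation with the following domains" list permits. Illustrative only.
ALLOWED_FEDERATION = ["chatserver.example.com", "partner.example", "gmail.com"]

# JID shape: [localpart@]domain[/resource]; a server's own JID has no localpart.
_JID_RE = re.compile(
    r"^(?:(?P<user>[^@/]+)@)?(?P<domain>[A-Za-z0-9.-]+)(?:/(?P<resource>.+))?$"
)


def parse_jid(jid):
    """Split a JID into (user, domain, resource); domain is lowercased.
    Returns None when the string is not a well-formed JID (empty labels,
    a second '@', or an empty domain)."""
    m = _JID_RE.match(jid.strip())
    if not m:
        return None
    domain = m.group("domain").lower().rstrip(".")
    if not domain or any(label == "" for label in domain.split(".")):
        return None
    return m.group("user"), domain, m.group("resource")


def federation_allowed(remote_domain, allowed=ALLOWED_FEDERATION):
    """Assumed matching rule (the page states only that entries may be hosts or
    domains): exact match, or suffix match on a label boundary so that
    'evilgmail.com' is not accepted because 'gmail.com' is listed."""
    remote = remote_domain.lower().rstrip(".")
    for entry in allowed:
        entry = entry.lower().rstrip(".")
        if remote == entry or remote.endswith("." + entry):
            return True
    return False


def check_inbound_jid(jid, allowed=ALLOWED_FEDERATION):
    """True if a stanza from this remote JID would pass the allow list."""
    parsed = parse_jid(jid)
    if parsed is None:
        return False
    return federation_allowed(parsed[1], allowed)
```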
Glossary
AFP Apple Filing Protocol. A client/server protocol used by Apple file service to share files and network services. AFP uses TCP/IP and other protocols to support communication between computers on a network.
address A number or other identifier that uniquely identifies a computer on a network, a block of data stored on a disk, or a location in a computer’s memory. See also IP address, MAC address.
administrator A user with server or directory domain administration privileges.
daemon A program that runs in the background and provides important system services, such as processing incoming email or handling requests from the network. DHCP Dynamic Host Configuration Protocol. A protocol used to dynamically distribute IP addresses to client computers. Each time a client computer starts up, the protocol looks for a DHCP server and then requests an IP address from the DHCP server it finds.
file server A computer that serves files to clients. A file server may be a general-purpose computer that’s capable of hosting additional applications or a computer capable only of serving files. file system A scheme for storing data on storage devices that allows applications to read and write files without having to deal with lower-level details. File Transfer Protocol See FTP. FTP File Transfer Protocol. A protocol that allows computers to transfer files over a network.
IP subnet A portion of an IP network, which may be a physically independent network segment, that shares a network address with other portions of the network and is identified by a subnet number. Kerberos A secure network authentication system. Kerberos uses tickets, which are issued for a specific user, service, and period of time.
nfsd daemon An NFS server process that runs continuously behind the scenes and processes NFS protocol and mount protocol requests from clients. nfsd can have multiple threads; the more NFS server threads, the better the concurrency. Open Directory The Apple directory services architecture, which can access authoritative information about users and network resources from directory domains that use LDAP, Active Directory protocols, or BSD configuration files, and network services.
protocol A set of rules that determines how data is sent back and forth between two applications. QTSS QuickTime Streaming Server. A technology that lets you deliver media over the Internet in real time. queue An orderly waiting area where items wait for some type of attention from the system. See also print queue. QuickTime A set of Macintosh system extensions or a Windows dynamic-link library that supports the composition and playing of movies. QuickTime Streaming Server See QTSS.
ticket, Kerberos A temporary credential that proves a Kerberos client’s identity to a service. Transmission Control Protocol See TCP. UDP User Datagram Protocol. A communications method that uses the Internet Protocol (IP) to send a data unit (called a datagram) from one computer to another on a network. Network applications that have very small data units to exchange may use UDP rather than TCP. UID User ID. A number that uniquely identifies a user within a file system.