
Openfire XMPP Server Setup

Openfire is not in the Debian repositories, but it is easy to install and configure because the project provides an official .deb package. You can download the packages from https://www.igniterealtime.org/downloads/.

After downloading the .deb package, install it with apt. Openfire doesn't come with a JRE, so the installer will also install the default-jre-headless package to run Openfire.

# Download
curl -L -o openfire_4.6.2_all.deb  \
 "https://www.igniterealtime.org/downloadServlet?filename=openfire/openfire_4.6.2_all.deb"
# Install
apt install ./openfire_4.6.2_all.deb
 
# Confirm it's running
systemctl status openfire
# Verify it's listening on port 9090
netstat -ntlp  # apt install net-tools

It will only be listening on port 9090 until you finish setting it up. Visit your host in a web browser on port 9090, for example http://xmpp.devdungeon.com:9090, and follow the setup wizard. If you want to use an external database like MySQL or PostgreSQL, you'll have to set that up first.

After you run setup, restart the server to enable HTTPS, which listens on port 9091 by default. To disable HTTP and force HTTPS only, edit /etc/openfire/openfire.xml, set the 9090 port to -1, and restart the server.

To enable the REST API, go to the admin web portal, open Plugins | Available Plugins and enable REST API. Then go to Server | Server Settings | REST API and set it to Enabled.

To enable a web chat client (Converse.js), enable the inVerse plugin. After enabling it, go to Web Clients in the main menu and it will give you the URL to use.

If you need to re-run setup to redo how you set up user profiles, edit /etc/openfire/openfire.xml, change the value in <setup>true</setup> to false and restart the server.

If you need to recover access because you lost the admin password, edit /etc/openfire/openfire.xml, uncomment the line <oneTimeAccessToken>secretToken</oneTimeAccessToken>, provide a secret token of your own, and restart. The web portal will then show a special prompt waiting for that token. After logging in with the secret token, you can reset the admin password. Openfire automatically deletes the one-time token from the config once it is consumed, so leave a commented-out version in the file for reference.
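The openfire.xml edits described above (admin console ports, the setup flag and the one-time access token) can be checked after each change with a short audit script. This is an added example, not part of the original page or of Openfire itself. It assumes the stock file layout (a jive root element with adminConsole/port and adminConsole/securePort); the function name and the sample file are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real server's file. Element names follow the
# stock openfire.xml layout (an assumption; compare with your own file).
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<jive>
  <adminConsole>
    <!-- Disable either port by setting the value to -1 -->
    <port>9090</port>
    <securePort>9091</securePort>
  </adminConsole>
  <!-- <oneTimeAccessToken>commentedOut</oneTimeAccessToken> -->
  <oneTimeAccessToken>secretToken</oneTimeAccessToken>
  <setup>true</setup>
</jive>
"""


def audit_openfire_xml(xml_text):
    """Return a list of findings for the openfire.xml settings discussed above."""
    root = ET.fromstring(xml_text)  # the default parser drops XML comments
    findings = []
    # Missing elements are treated as the stock defaults (assumption).
    http_port = (root.findtext("adminConsole/port") or "9090").strip()
    https_port = (root.findtext("adminConsole/securePort") or "9091").strip()
    if http_port != "-1":
        findings.append(f"admin console reachable over plain HTTP on port {http_port}")
    if https_port == "-1":
        findings.append("admin console HTTPS port is disabled")
    # Only an uncommented token is live; commented reference copies are ignored.
    if root.find("oneTimeAccessToken") is not None:
        findings.append("oneTimeAccessToken is active: admin recovery login is open")
    if (root.findtext("setup") or "").strip().lower() != "true":
        findings.append("setup is not true: the setup wizard runs on next start")
    return findings


if __name__ == "__main__":
    import sys
    # Audit the file given on the command line, or the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for finding in audit_openfire_xml(text):
        print("WARN:", finding)
```

Run it as root against /etc/openfire/openfire.xml after each restart; an empty result means HTTP is off, no recovery token is pending and setup is marked complete.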

If you're setting up OpenLDAP, the user id might need to be changed from uid to cn and the group mapping might need to be changed from cn to ou. When asked to provide an admin username, provide the simple username after LDAP mapping, e.g. nanodano. There are more docs at https://www.igniterealtime.org/projects/openfire/documentation.jsp, including a dedicated LDAP guide.

After finishing the setup through the web interface, you can log in to the web portal using the admin account you set up, and the server is ready for use. You'll also see many more ports listening.

# Openfire will open many ports
netstat -ntlp

The landing page of the admin web portal will have a full list of all ports and what they are for.

Also refer to the section below about DNS Entries for more tips.

To turn on HTTP File uploads (PEP-0378), go to Plugins and enable the HTTP File Upload plugin.

To set up custom SSL certs, follow the instructions at https://meetrix.io/blog/xmpp/openfire_ssl.html: Go to Plugins and enable Certificate Manager. Then go to Server → TLS/SSL Settings, click 'Manage Store Contents' and click on the text 'imported here'. Then paste in the contents of your key and certificate files. If using LetsEncrypt.org/certbot, they'll be somewhere like /etc/letsencrypt/live/example.com/. The private key file is privkey.pem and the certificate file is cert.pem (or wait, fullchain.pem is better?). Click save. You can remove the self-signed cert afterwards.

other/openfire_setup.txt · Last modified: 2021/06/05 22:26 by nanodano