So I enabled debugging, and here's the stuff I got:

2008.09.30 04:57:06 IQ stanza of type RESULT was discarded: <iq type="result" id="335-4" from="servepath.com" to="css/Connection Worker - 1"><session xmlns="http://jabber.org/protocol/connectionmanager" id="cssb0f9654b"><create><host name="69.59.136.172" address="69.59.136.172"/></create></session></iq>
2008.09.30 04:57:07
javax.net.ssl.SSLHandshakeException: SSL handshake failed.
        at org.apache.mina.filter.SSLFilter.messageReceived(SSLFilter.java:416)
        at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(Ab stractIoFilterChain.java:299)
        at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilt erChain.java:53)
        at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceive d(AbstractIoFilterChain.java:648)
        at org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java :239)
        at org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(Execut orFilter.java:283)
        at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java: 885)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:907)
        at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:51)
        at java.lang.Thread.run(Thread.java:619)
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
        at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:938)
        at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:4 65)
        at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:10 64)
        at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1036)
        at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:452)
        at org.apache.mina.filter.support.SSLHandler.handshake(SSLHandler.java:515)
        at org.apache.mina.filter.support.SSLHandler.messageReceived(SSLHandler.java:306)
        at org.apache.mina.filter.SSLFilter.messageReceived(SSLFilter.java:392)
        ... 9 more
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
        at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1366)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:189)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:177)
        at com.sun.net.ssl.internal.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshake r.java:638)
        at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(ServerHandshaker.java :425)
        at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.j ava:139)
        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
        at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Handshaker.java:458)
        at java.security.AccessController.doPrivileged(Native Method)
        at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Handshaker.java:875)
        at org.apache.mina.filter.support.SSLHandler.doTasks(SSLHandler.java:686)
        at org.apache.mina.filter.support.SSLHandler.handshake(SSLHandler.java:486)
        ... 11 more
2008.09.30 04:57:20 IQ stanza of type RESULT was discarded: <iq type="result" id="928-5" from="servepath.com" to="css/Connection Worker - 1"><session xmlns="http://jabber.org/protocol/connectionmanager" id="cssb0f9654b"><close/></session></iq>

This was after doing some working with keytool for both truststore and keystore.

I flushed both the intermediate certificate that I had and the certificate I first imported.  I then converted my certificate and key to DER formats from PEM.  I downloaded ImportKey.java and ImportKey.class and proceeded to import the cert/key combination from /opt/openfire/resources/security/ directory.  The message showed success, so I thought I was good, checked the keystore and noticed no certs, so I imported the DER format of the cert (keytool -import -keystore keystore -alias servepath.com -file servepath.com.crt.der).  Fired up my connection manager and I show a connection to my primary server, but again my client cannot connect to the connection manager server.  I'm hoping what I'm missing is stupidly obvious, but I am juggling too many things and arrived at this dead end.

Maybe i need to int vacation(struct myself);

The CMs take care of the lack of clustering availability with an architectural need for local and remote team members.  Effectively they're doing nothing other than providing a local system to my remote vendors to connect to which extends the current jabber domain to them via the CM.  I also wanted the client to have the ability to talk to one another locally through their local CM, instead of every time talking to the guy across the hall from him the packet traffic traveling around the world.

Basically, we have the local system which will function as the primary server and auth up to our AD infrastructure.  The CMs will be placed in three remote sites for use by our vendors.  I want connectivity between all clients and the AD server to be secured full and through.  I don't want any insecure connections, and my understanding from the SSL documentation was that its possible.

The trouble is... how?

The documentation is very vague on how this happens, or what are the requrements.  Certificates are auth'd by one method, and that's typically RSA.  I have a wildcard certificate for our domain; so I 've tried importing that (in PEM format) directly to the keystore; and the intermediate certificate to the truststore.  This doesn't appear to work correctly as I'm getting handshake errors.  Then I remembered from other documentation that I need to import the certificate and key in DER format, so I downloaded ImportKey.java and ImportKey.class, converted the key and cert, imported using the ImportKey method, and then specified the keystore; server wouldn't run.

So I'm at a little bit of a loss as to why the SSL documentation isn't adding up.  I'm also getting frequent disconnects... "You have lost your connection to the server due to item-not-found" - ????  I can't have frequent connects/disconnects.

Shouldn't communication between local CMs remain within that CM instead of going all the way back to the US?

i.e. vendor1 in bangalore can communicate with other members of that team, connected to that local CM with all traffic staying inside that CM?

And yes, I know the major server cannot go down - unfortunately Oracle Coherence charges about $20k to license the now dead clustering.jar plugin (what a rip)... I think we'll have to work in-house to develop our own clustering java solution to achieve redundancy and domain expansion across multiple openfire installations.

So there's still a connection level problem between my CM and the server, below are logs:

My users are complaining that they're getting disconnected frequently after a short time with a message from Spark of 'item not found' and here's the matching line:

what would be causing this problem?

I'm also wondering why they cannot connect via SSL encryption on port 5223 as specified by info.log:

Why can't it negotiate TLS?  are the keystore/truststores required?  I had problems getting these setup properly with our SSL certs before.

Thanks.

Through wireshark I did see that the connection was encrypted from the client to the CM, and couldn't read anything.  I just would feel better if they made sure the security traveled the whole length.

Due to my paranoid nature this wasn't going to fly; everyone now connects directly to our infrastructure and we've done away with local CMs in offices.  Thank you for the JM's, I have something to watch.