
This is where the home Settings are found. It contains Email, HTTP, Host, Log, API, and User settings.

These settings are only available for the Super User (su).

Email

This is where the superuser can configure the SMTP settings to be able to send out emails from the system.

  • Server URI: SMTP server host and port formatted as smtp://host

  • SMTP Port: SMTP port number

  • USE TLS: Use TLS/SSL when connecting to SMTP server (enable if the SMTP server is using TLS)

  • Username: Username for authentication with SMTP server

  • From: From email address to use for emails

  • Password: Password of username account being used

The Super User can test the email configuration to make sure it's working properly by selecting the Test button located on the top right.

HTTP

This is where the superuser can configure the HTTP settings and enable HTTPS if wanted.

  • Site URI: Public HTTP or HTTPS URI to use when sharing links to the server. This field should be configured if running behind a proxy server where the local IP host or port isn't what is used for public access. Restart required.

  • Address: IP address to bind locally for HTTP ports. Restart required. 

  • HTTPS Enabled: If false all traffic is handled in plaintext on 'httpPort'. If set to true, then all traffic is forced to use HTTPS on 'httpsPort' and requests to 'httpPort' are redirected. Restart required.

    • Once enabled, the user will be prompted with the below popup to upload their certificate and key files if not already uploaded via the Certificate Files button. Then enter any password for the keystore. This password would be needed to access the files.

    • Once done, the user will need to restart their FIN service.

    • Then the FIN instance will be reachable via HTTPS.

      • Note: If using a self-signed certificate, seeing a “Not Secure” warning is expected.

HTTPS is enabled by default and uses a self-signed certificate. When the user first logs in, they will be presented with the below left screen warning them that the connection is not private. To continue, select the Advanced button and then “Proceed to <host> (unsafe)”. Afterwards, the user can upload their own certificate if they would like to switch it, or disable HTTPS.

  • Certificate Files: Upload the certificate and key files needed for HTTPS. This is needed if HTTPS is to be enabled and used.

How to create a self-signed certificate and key files

  1. First the user will need a terminal that supports openssl. This is required to create the files. A couple of example programs that have a terminal that supports openssl are Git and Cygwin; however, there are other programs available that can do this as well.

  2. Once such a program is installed (or if one is already available), open the terminal (Git calls it “Git Bash”; different programs might name it differently).

  3. Then run the command below, where “keyName” is the name you would like to use for the key, “365” is the number of days you would like the certificate to be valid for, and “certificateName” is the name you would like to use for the certificate.
    Command: openssl req -newkey rsa:2048 -nodes -keyout keyName.key -x509 -days 365 -out certificateName.crt

    1. If the user would like to have the files created in a specific location rather than in the default user folder, they can specify the path before the key name or certificate name. Keep in mind that the folders in that path must already exist. If the folders don’t exist, it won’t work. For example, saving the files inside a folder called test under our user folder name:
      Command: openssl req -newkey rsa:2048 -nodes -keyout C:/Users/J2/test/keyName.key -x509 -days 365 -out C:/Users/J2/test/certificateName.crt

  4. Once the command is executed, the user will be prompted to enter some information to incorporate into the certificate such as:

    1. Country Name (2 letter code)

    2. State or Province Name (full name)

    3. Locality Name (eg, city)

    4. Organization Name (eg, company)

    5. Organization Unit Name (eg, section)

    6. Common Name (eg, server FQDN or YOUR name)

    7. Email Address

  5. Once done, the files will be created in the user folder or wherever the terminal is pointing at or specified in the command. The user can then upload these files to use HTTPS.
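
A non-interactive form of the procedure above, as an added example that is not part of the original page: it supplies the Common Name with -subj instead of the prompts in step 4, adds a subjectAltName entry (browsers match the host name against it rather than the Common Name), and checks the resulting files before upload. The function names and the host fin.example.internal are assumptions; -addext needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not from the FIN documentation). Requires OpenSSL 1.1.1+.
# Hypothetical names: make_cert, verify_cert; fin.example.internal is a
# constructed host name.

# make_cert DIR HOST [DAYS]: the command from step 3, without the prompts.
make_cert() {
    dir=$1; host=$2; days=${3:-365}
    # Step 3.1: openssl will not create missing folders, so fail early.
    [ -d "$dir" ] || { echo "folder does not exist: $dir" >&2; return 1; }
    # -nodes leaves the key unencrypted, so create it owner-readable only.
    # MSYS_NO_PATHCONV=1 stops Git Bash rewriting "/CN=..." as a file path
    # (pass DIR as C:/... there); it has no effect on other systems.
    ( umask 077
      MSYS_NO_PATHCONV=1 openssl req -newkey rsa:2048 -nodes \
          -keyout "$dir/keyName.key" -x509 -days "$days" \
          -out "$dir/certificateName.crt" \
          -subj "/CN=$host" -addext "subjectAltName=DNS:$host" )
}

# verify_cert KEY CRT HOST [MIN_DAYS]: checks to run before uploading.
# Returns 0 if all pass, 1 unreadable file, 2 key/cert mismatch,
# 3 HOST missing from subjectAltName, 4 expires within MIN_DAYS.
verify_cert() {
    key=$1; crt=$2; host=$3; min_days=${4:-30}
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ] || { echo "key does not match certificate" >&2; return 2; }
    openssl x509 -in "$crt" -noout -text | grep -qF "DNS:$host" \
        || { echo "no subjectAltName entry for $host" >&2; return 3; }
    openssl x509 -in "$crt" -noout -checkend $((min_days * 86400)) >/dev/null \
        || { echo "certificate expires within $min_days days" >&2; return 4; }
}

# Usage: sh make_cert.sh DIR HOST [DAYS]
if [ "$#" -ge 2 ]; then
    make_cert "$1" "$2" "${3:-365}" &&
        verify_cert "$1/keyName.key" "$1/certificateName.crt" "$2"
fi
```

The mismatch check matters when several key and certificate files sit in the same folder: uploading a certificate with the wrong key is only discovered after the restart.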

  • HTTP Port: Port for HTTP traffic. Restart required.

  • HTTPS Port: Port for HTTPS (only applicable if 'httpsEnabled'). Restart required.

  • Disable Error Trace: Disable showing exception stack trace for 500 internal server errors.

Host

This is where the superuser can configure a few host settings.

  • Host Dis: Display name for this host.

  • Timezone: Default system timezone. Values are from Olson TZ database. – Restart Required. This will automatically detect the system timezone. However, if the user would like to change it to something else, they can do so by selecting the preferred timezone.

  • Week Start Day: Change the start day of the week to Sunday or Monday. Warning: this will overwrite for all locales. - Restart required.

  • Auto Logoff: Auto Logoff user after inactivity.

  • Auto Logoff Timeout: Auto Logoff timeout in minutes (default 5min, >1min).

  • Enable Password Protected Snapshots: Forces password protection for all snapshots.

  • Password: Passwords must be a minimum of ten characters and must contain all of the following requirements: mixture of uppercase letters, lowercase letters, numbers, and special characters. This is only available if "Enable Password Protected Snapshots" is enabled.

If password protected snapshots is disabled, the user cannot restore snapshots that are password protected. If password protected snapshots is enabled, the user cannot restore snapshots that are not password protected. Depending on the snapshot, the user will have to either disable or enable this feature.

Log

This is where the superuser can configure the log settings.

  • Buff. Max: Max number of log records to buffer in RAM - Restart Required

  • Max. Age: Max number of days to maintain log files before deleting to free disk space

API

This is where the superuser can enable/disable API properties.

  • Allow Get with Side Effects: Allow GET HTTPS calls to be used for operations with side effects

    • Enabling this flag will allow GET to be used with any HTTP API operation. The most secure setting is "No".

  • Allow Text Plain: Allow "text/plain" to be used as an alias for "text/zinc". The most secure setting is "No".

  • Attest Cookies: Require cookie attestation

    • When enabled, all non-GET requests which use a cookie as their authorization token must also include a separate HTTP header called SkyArc-Attest-Key bound to the session. The most secure setting is "Yes".

  • Disable Error Trace: Disable including stack trace when requests raise an exception

User

This is where the superuser can configure user settings.

  • Enable Password Reset: If enabled, users can reset their password via email. It's recommended to enable password reset to reduce the frequency of users accidentally locking their accounts due to forgetting their password. (Use with "Max Resets" to specify amount of resets. Only works with non-superusers)

  • Password Policy: Set the password complexity policy for all users.

  • Password Expiration (Days): Password expiration in days. Passwords are forced to change after this duration expires. A Zero value disables this feature.

  • Max Failed Login Attempts: A user's account will be automatically disabled if their failed login attempts exceed this value. A Zero value disables this feature.

Users must be very cautious about how many incorrect password attempts are made if “Max Failed Login Attempts” is enabled. It is recommended that the user only attempts 3 tries (with default settings), then contacts a superuser admin to help reset their password before being disabled and locked out. If all the superuser admins themselves are locked out, there is no way to reset the password. A re-installation of FIN will be required and all users will have to be recreated. You can create a backup of the “user” folder in the var directory of FIN from time to time to be able to back up the users if needed. If the FIN instance is registered to Edge2Cloud, then a superuser from there can access FIN and re-enable the local FIN users.

It is also recommended to create and use a separate superuser account if using the same username as a credential on a Haystack connector to another FIN instance or disable this feature. The reason is if the same username is used and the password is changed, the connector will attempt to reconnect until it is successful. These attempts will count against the failed attempts and lock the user out.

  • Max Activity: The maximum number of activity entries to log per user. When the maximum is reached, the oldest entries are truncated. Setting to zero disables activity logging.

  • Max Resets: The maximum number of password resets that each user can request per day.
