6.5. Server settings

6.5.1. Email notifications

In order to allow users to reset their passwords or invite users by email to create an account, the server administrator needs to configure an email account that will be used for email notifications. Please note that this is optional and you should configure an email account only if you need these features.

  • Go to Server » Server Settings,

  • Click on the Email Notification tab and then click the account link to enter your settings.

Password reset links are valid by default for 15 minutes. As a server administrator, you can change this setting manually. The following example changes it to 30 minutes.

server.password.reset.token.lifetime.minutes=30

6.5.2. Running over SSL (HTTPS)

A Fanurio server can encrypt communications to and from clients with SSL (Secure Sockets Layer) to protect your data from being intercepted by others. To do this, it needs to be configured with a keystore that contains your SSL certificates.

There are two types of certificates, depending on who signed them:

  • CA-signed certificates

    These are certificates that have been digitally signed by a Certificate Authority (CA).

    A Certificate Authority is a third-party entity that issues digital certificates to organizations or individuals after verifying their identity. Many CAs simply verify the domain name and issue the certificate, whereas others verify the existence of your business, the ownership of your domain name, and your authority to apply for the certificate, providing a higher standard of authentication. See this page for a list of CAs.

    CA-signed certificates are recommended for production servers.

  • Self-signed certificates

    These are certificates that have not been digitally signed by a Certificate Authority (CA).

    A self-signed certificate is an identity certificate that is signed by the same entity whose identity it certifies. This term has nothing to do with the identity of the person or organization that actually performed the signing procedure. In technical terms a self-signed certificate is one signed with its own private key. If a server uses a self-signed certificate, a warning is displayed when you're connecting to it informing you that its identity was not verified by a trusted authority.

    Self-signed certificates are recommended for test and internal servers.

Very Important: Although SSL is not enabled by default, you should enable it. Even if you don't have a keystore with a CA-signed certificate, you can create a self-signed certificate from the application. Using a self-signed certificate is better than not enabling SSL at all because all communication between the server and the clients will be encrypted.

6.5.2.1. Enabling SSL on the server

SSL can be enabled on the server from Server | Server Settings.

We highly recommend that you enable SSL to encrypt all communication between clients and the server.

In order for SSL to work, you need a keystore file with SSL certificates. Fanurio supports only keystores in the JKS format. As an additional safeguard, Fanurio encrypts the keystore password when it saves it in the settings file.

Server settings - SSL

If you don't have a keystore file, you can create one using the keytool command or you can create a keystore with a self-signed certificate by clicking the Create button.

Self-signed certificate warning

When using a self-signed certificate, clients will display a warning but clicking Continue will trust the certificate and no longer complain about it.

When you enable SSL, the server can only be accessed over HTTPS. Fanurio does not support both HTTP and HTTPS at the same time. If you have clients that connected to the server over HTTP, once you enable SSL they will have to connect over HTTPS (change the server address from HTTP to HTTPS).

6.5.2.2. Creating a keystore with a self-signed certificate

A keystore with a self-signed certificate can be created on the server from Server | Server Settings by clicking the Create button. This is a lot easier than using the keytool command but it has only the minimal fields required for a certificate.

Create a keystore with a self-signed certificate

The New Keystore dialog automatically fills in all fields with default values:

  • The server IP address is used for the Common Name (CN) and IP Addresses fields

  • The business name is used for the Organization (O) field

  • The current time is set as the time when the certificate was issued

The created keystore is saved to a file in the repository folder. Its password is automatically set in the Server Settings window.

6.5.2.3. Creating a keystore using the Java keytool command

This section shows how to create self-signed or CA-signed certificates using the Java keytool command. If you prefer an open source GUI tool, you can use KeyStore Explorer instead (third-party guides are available on YouTube).

About Java keytool

To generate a keystore, you need a JDK installed and the keytool utility on your PATH. You can verify this setup by typing keytool at the shell prompt. You should see a list with all the keytool commands, similar to this:

$ keytool
Key and Certificate Management Tool

Commands:

 -certreq            Generates a certificate request
 -changealias        Changes an entry's alias
 -delete             Deletes an entry
 -exportcert         Exports certificate
 -genkeypair         Generates a key pair
 -genseckey          Generates a secret key
 -gencert            Generates certificate from a certificate request
 -importcert         Imports a certificate or a certificate chain
 -importpass         Imports a password
 -importkeystore     Imports one or all entries from another keystore
 -keypasswd          Changes the key password of an entry
 -list               Lists entries in a keystore
 -printcert          Prints the content of a certificate
 -printcertreq       Prints the content of a certificate request
 -printcrl           Prints the content of a CRL file
 -storepasswd        Changes the store password of a keystore

Use "keytool -command_name -help" for usage of command_name

Creating a keystore with a self-signed certificate

To generate a private key and add it to a keystore, you need to use the genkeypair keytool command. The following command creates a keystore file called fanurio.jks in the current directory.

  • The "-ext SAN=..." option allows you to specify all the DNS names and/or IP addresses that will be allowed during hostname verification. In addition to localhost and 127.0.0.1, this example includes a LAN IP address 192.168.2.105 for the machine the server will be running on.

  • The -dname option contains the server identity, called the Common Name (CN), as well as other relevant information about your Organizational Unit (OU), Organization (O), Locality (L), State (S) and Country (C). If you are using a specific hostname for your server (e.g. fanurio.mydomain.com), use it in the CN field (e.g. CN=fanurio.mydomain.com ...).

  • The -keypass and -storepass options must specify the same password.

keytool -genkeypair -alias fanurio -keyalg RSA -keysize 2048 -keypass changeit -storepass changeit -validity 365 -keystore fanurio.jks -ext SAN=DNS:localhost,IP:192.168.2.105,IP:127.0.0.1 -dname "CN=localhost, OU=Development, O=Fanurio Time Tracking SRL, L=Craiova, ST=Dolj, C=RO"

You can verify its contents using the list keytool command:

keytool -list -v -keystore fanurio.jks

The resulting keystore file contains a self-signed certificate that can be used to configure the server.
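To see why the SAN list must contain every name or address clients will type into the server URL, here is an added example (not part of Fanurio or the keytool documentation) that implements the hostname-verification decision a client makes against the SAN entries of the certificate above. It assumes the client checks SAN entries only (as RFC 6125 clients do) and that the SAN string is the constructed sample shown; the CN is not consulted.

```python
import ipaddress

# Constructed sample: the SAN list described in the bullet list above,
# exactly as it is passed to keytool's "-ext SAN=..." option.
SAN_OPTION = "DNS:localhost,IP:192.168.2.105,IP:127.0.0.1"


def parse_san(option):
    """Split a keytool SAN string into (dns_names, ip_addresses)."""
    dns_names, ips = [], []
    for entry in option.split(","):
        kind, _, value = entry.strip().partition(":")
        if kind == "DNS":
            dns_names.append(value.lower())
        elif kind == "IP":
            ips.append(ipaddress.ip_address(value))
        else:
            raise ValueError(f"unsupported SAN type: {kind!r}")
    return dns_names, ips


def dns_matches(pattern, hostname):
    """RFC 6125 style match: a single '*' may replace the left-most label only,
    and it never matches more than one label or a public suffix like '*.com'."""
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_verifies(target, option):
    """Would a client connecting to `target` (hostname or IP literal)
    accept a certificate carrying these SAN entries?"""
    dns_names, ips = parse_san(option)
    try:
        # An IP literal is compared only against IP entries, never DNS entries.
        return ipaddress.ip_address(target) in ips
    except ValueError:
        # Not an IP literal: compare against DNS entries, case-insensitively.
        return any(dns_matches(p, target.lower()) for p in dns_names)
```

Connecting to any LAN address not listed in the SAN (for example 192.168.2.1) fails verification even though the certificate is otherwise valid, which is why the bullet above tells you to include the server's LAN IP.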

Creating a keystore with a CA-signed certificate

To create a CA-signed certificate for your server, you need a self-signed certificate (read above). Then you need to follow these steps:

  1. Generate CSR

    First, you need to generate a Certificate Signing Request (CSR) for the CA to sign and confirm the identity of the certificate. To do so, issue the following command:

    keytool -certreq -v -alias fanurio -file fanurio.csr -keystore fanurio.jks

    It will create a file called fanurio.csr in your current directory.

  2. Submit CSR to CA

    Then you need to submit the contents of fanurio.csr to a CA for signing. They will provide a signed certificate (CA reply) and a set of root/intermediate CA certificates that you need to import in the keystore.

    If you want to create a CA-signed certificate for tests, you can get a free trial certificate from Comodo.

  3. Import root certificate from CA

    The following command imports the root certificate provided by the CA into your keystore. It expects the root certificate to be saved in a file called root-cert.pem.

    keytool -importcert -v -noprompt -trustcacerts -alias cacert -file root-cert.pem -keystore fanurio.jks

  4. Import signed certificate (CA reply)

    The following command imports the signed certificate provided by the CA into your keystore. It expects the signed certificate to be saved in a file called signed-cert.pem.

    keytool -importcert -v -alias fanurio -file signed-cert.pem -keystore fanurio.jks

The keystore file now contains a CA-signed certificate that can be used to configure the server.

6.5.3. Whitelisting trusted IPs

Setting up a list of trusted IP addresses (whitelist) allows you to control the IPs from which the server can be accessed. This is an optional security measure that should be used with care because you risk blocking access for your users especially if they need to connect to the server from dynamic IP addresses.

To whitelist IP addresses:

  • Go to Server » Server Settings and then

  • Click on the Trusted IPs tab.

    Once enabled, you need to enter one or more IP addresses (e.g. 192.168.2.105) or ranges of IP addresses (e.g. 192.168.2.105/24) separated by commas. Wildcards are not supported for IP addresses while ranges of IP addresses must be provided in Classless Inter-Domain Routing (CIDR) notation.

    You can use a CIDR calculator to see the IP address range.
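As an added example (not Fanurio's own code), the following Python function shows how a comma-separated Trusted IPs setting in this format resolves to networks and how a client address is matched against it. It assumes a constructed setting value; note that a range written with host bits set, such as 192.168.2.105/24, covers the whole 192.168.2.0/24 network, and that a wildcard entry is rejected rather than silently ignored.

```python
import ipaddress

# Constructed sample setting in the format the Trusted IPs tab expects:
# single addresses and CIDR ranges, separated by commas.
TRUSTED_IPS = "192.168.2.105/24, 10.8.0.7, 2001:db8::/32"


def parse_trusted_ips(setting):
    """Turn the comma-separated setting into a list of ip_network objects.

    A bare address becomes a /32 (or /128) network. A range written with
    host bits set, e.g. 192.168.2.105/24, is accepted and normalised to
    its network address (192.168.2.0/24). Wildcards such as 192.168.2.*
    are rejected because the setting does not support them.
    """
    networks = []
    for entry in setting.split(","):
        entry = entry.strip()
        if not entry:
            continue
        if "*" in entry:
            raise ValueError(f"wildcards are not supported, use CIDR notation: {entry!r}")
        networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def is_trusted(client_ip, setting):
    """Return True if client_ip falls inside any allowlisted network.

    An IPv4 client is never matched by an IPv6 range and vice versa, so
    list both address families if clients use both.
    """
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in parse_trusted_ips(setting))
```

Before enabling the list, run your own current address through is_trusted to make sure you are not about to lock yourself out.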