Changing the admin password
- Log in to your frevvo server as user admin@d, password admin.
- On the page that is displayed, click the Manage Tenants link.
- Click the icon to manage tenant named d (Default tenant)
- Click Manage Users
- Click the edit admin user icon for the admin user. This displays a profile form.
- Change the password as desired and submit the form.
...
The forgot password functionality and form submissions sent via email both require proper configuration of frevvo's SMTP component.
- Edit <frevvo-home>\tomcat\conf\server.xml
- Configure the Mail Resource
- Save the file
...
A stable version of the Chrome or Chromium browser needs to be installed on the same server where frevvo is installed. Use one of the following links to install Chrome or a Chromium browser.
...
If the browser is not installed at any of these paths, then set the CHROME_PATH environment variable to point to the correct path of the browser binary, or set the frevvo.chrome.path property in the frevvo-config.properties file.
...
- Stop frevvo if it is running.
- Navigate to the <frevvo-home>\tomcat\conf directory
- Open the frevvo-config.properties file with a text editor.
Add the frevvo.snapshot.generator.timeout property to the <frevvo-home>\tomcat\conf\frevvo-config.properties file and set the value to the number of seconds before timeout.
frevvo-config.properties:

```
frevvo.snapshot.generator.timeout=<Number of Seconds>
# example
frevvo.snapshot.generator.timeout=20
```
- Save the file
- Restart frevvo.
Default the Tenant Login
frevvo is a multi-tenant application. See the administration section on Manage Tenants. However, it is possible that all you need is a single tenant. If this is your case, it simplifies the frevvo server login if you default the @<tenantname> so the user only needs to enter their username to log in. Customers who default the tenant login normally would also customize the placeholder on the login screen. Please read that topic for details.
- Stop frevvo if it is running.
- Navigate to the <frevvo-home>\tomcat\conf directory
- Open the frevvo-config.properties file with a text editor.
Add the frevvo.default.login.tenant.id property to the <frevvo-home>\tomcat\conf\frevvo-config.properties file and set the param-value to the name of your one tenant.
frevvo-config.properties:

```
frevvo.default.login.tenant.id=<your_tenant_id>
```
- Save the file
- Restart frevvo.
In-house customers, logging in as the frevvo server superuser admin, must still log in with username admin@d.
...
You may want to customize the user@tenant placeholder on the login screen to reflect the name of your frevvo tenant to minimize confusion for your users, or to remove the @tenant from the placeholder if you have defaulted the tenant login.
In-house customers can change the default placeholder on the login screen by modifying the values for the frevvo.login.username.placeholder property.
...
- Stop frevvo if it is running.
- Navigate to <frevvo-home>\tomcat\conf
- Open the frevvo-config.properties file with a text editor.
Add the property shown below with your modified value then save the file.
frevvo-config.properties:

```
frevvo.login.username.placeholder=user@mycompany
```
- Restart frevvo.
Turn on the Unsaved Changes Warning
...
- Stop frevvo if it is running.
- Navigate to <frevvo-home>\tomcat\conf
- Open the frevvo-config.properties file with a text editor.
Add the frevvo.unsaved.warning property with a value of true then save the file.

```
frevvo.unsaved.warning=true
```
- Restart frevvo.
...
The "Insight.enabled" property with a value of true enables Insight Server by default.
Warning: The Insight Server MUST be enabled for submissions, the Task List and Report features to work. Do NOT disable it if you are using any of these features.
- The "Insight.server-url" property points to the location of the Insight Server. The Insight Server is included in the tomcat bundle. In the unlikely scenario where the Insight Server (Solr) is in a different location than frevvo, the <server:<port>> in this property can be changed to point to the location of the Insight Server (Solr) software.
...
If you are using the frevvo tomcat bundle, the Refresh Searchable Fields process is already configured. The insight.war web app is located in the <frevvo-home>\tomcat\webapps\frevvo.war. Insight.war is a web app that contains a batch process that extracts all the latest submissions from frevvo and creates Solr Documents for them. The indexed submission data from the batch is stored in the <frevvo-home>\data\solr directory and is used by the frevvo Reports feature. The batch job is automatically run when you upgrade frevvo, but it can also be run manually if necessary.
...
Configuration properties that affect the frevvo Submission view are discussed below. You can hide the Delete submission button, hide the Edit Submissions link and configure the maximum number of Searchable fields allowed per form/flow.
...
- Stop frevvo if it is running.
- Navigate to <frevvo-home>\tomcat\conf
- Open the frevvo-config.properties file with a text editor.
Add the properties with your modified values then save the file.
- Restart frevvo.
Set a Maximum Number for Searchable Fields
...
Administration of reCAPTCHA Keys
frevvo provides a default reCAPTCHA key. No other configuration steps are required for on-premise customers that choose to use the default key. This default reCAPTCHA key is:
- NOT configured to a particular host/domain server
- NOT configured for Google to perform any host/domain name checking on the challenge step. However, frevvo will perform a host/domain verification on the verification step so that any attempts at site key spoofing are blocked.
- Considered secure.
...
The frevvo.recaptcha.hostcheck property controls the domain/host verification on the verification step that is done by frevvo. The values for this property can be set to true or false. If you use a custom key with Domain Name Validation configured, add this property to the frevvo-config.properties file with a value of false. Otherwise, add it to frevvo-config.properties with a value of true.
...
- Unable to contact license server
- Unable to renew license. Your license will expire in <n> day(s)
External URLs
The External URL should always be set up when frevvo tomcat is running behind a proxy. Setting the correct external URL is necessary when frevvo either redirects to an external system that is sensitive to the originating address e.g. SAML Identity Provider, OAuth server, etc. or generates a URL for external use e.g. a share URL.
Tomcat is already configured to accept the standard x-forwarded headers. If the proxy is providing these in the request then nothing needs to be done. If the headers are custom, then frevvo can be configured to do the translation. If these headers are not being provided, then you need to configure the tomcat connector proxy attributes.
...
This is the most flexible setup. You do not need to make any changes in frevvo to use this as tomcat is already configured to handle the standard x-forwarded headers which are as follows:
- X-Forwarded-Proto: the protocol of the incoming request (http or https).
- X-Forwarded-Host: the host name of the incoming request
- X-Forwarded-Port: the port of the incoming request
In the event you use non-standard header names, you will have to configure frevvo's <frevvohome>\tomcat\conf\frevvo-config.properties file to handle the translation.
For example, if you prefer to use a parameter called X-Fwd-Scheme instead of X-Forwarded-Proto, simply add the appropriate context parameter and make sure that your proxy is setting a header with the new name. The defaults are shown below. Replace the values on the right side of the '=' with your corresponding custom header name.
Configure a Tomcat Proxy
Proxy attributes are set up on the tomcat connector that the proxy is forwarding requests to, which could be the HTTPS or the HTTP connector of the <frevvo-home>\tomcat\conf\server.xml file. For example, if SSL is being terminated in the proxy then it forwards to the HTTP connector (as shown below). Add the properties proxyName, proxyPort, scheme and secure.
```
<Connector port="8082" protocol="org.apache.coyote.http11.Http11NioProtocol"
           connectionTimeout="40000"
           maxHttpHeaderSize="32768"
           useBodyEncodingForURI="true"
           proxyName="<myexternalhost>"
           proxyPort="<myexternalport>"
           scheme="https"
           secure="true" /> <!-- makes sure that uri parameter are decoded as utf-8 -->
```
frevvo will always redirect to this server. Captcha requests will use the same protocol (HTTP or HTTPS) as the external URL.
Default Internal Port
frevvo uses a connector on port 8081 for internal requests. As indicated in the server.xml, changing the frevvo internal connector 8081 settings in the server.xml file can cause unexpected changes, and is not advised.
The connector with port 8081 is configured in the server.xml file. Please ensure this port is available for frevvo to use.

```
<!-- A "Connector" used for internal frevvo calls: DO NOT MODIFY IT! -->
<Connector address="127.0.0.1" port="8081" protocol="org.apache.coyote.http11.Http11NioProtocol"
           connectionTimeout="40000"
           maxHttpHeaderSize="32768"
           useBodyEncodingForURI="true" /> <!-- makes sure that uri parameter are decoded as utf-8 -->
```
If you need to change the internal port, follow these instructions. The only case where frevvo.internal.port may need to be changed is if port 8081 is already in use by another application.
1. In the server.xml, replace port 8081 in all locations with the port number of your choice. Make sure the new port is open and available for frevvo's use.

```
<Connector address="127.0.0.1" port="<port>" protocol="org.apache.coyote.http11.Http11NioProtocol"
           connectionTimeout="40000"
           maxHttpHeaderSize="32768"
           useBodyEncodingForURI="true" />
```

2. In the frevvo-config.properties file, add the frevvo.internal.port property and set it to the same port number used in step 1.

```
frevvo.internal.port=<port>
```
Default External Port
frevvo uses a connector on port 8082 for external requests. By default the frevvo tomcat bundle is configured to bind to port 8082. Please ensure this port is available for frevvo to use. You can change the port by:
- Editing the <frevvo-home>/tomcat/conf/server.xml file.
Search for this line in the file:
```
<Connector port="8082" protocol="org.apache.coyote.http11.Http11NioProtocol"
```
- Change the Connector port.
You can also change the default https connector port.
```
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" scheme="https" secure="true"
```
Browser Support
frevvo does not support BETA versions of browsers and there is often a delay so that we can test newly released browser versions before they are supported. In previous releases, frevvo was configured to use a list of supported browsers. An error message and a link to override the error would display if the system was accessed using an unsupported browser. If you want to warn users if they access frevvo using an uncertified browser, configure a list of allowed browsers using the frevvo.supported.browsers parameter in the <frevvo-home>\tomcat\conf\frevvo-config.properties file.
- Stop frevvo if it is running.
- Navigate to <frevvo-home>\tomcat\conf
- Open the frevvo-config.properties file with a text editor.
Add the properties with your modified values then save the file.
- Restart frevvo.
Add the user agent for the browsers you want to support, in lower case only. For example, to allow all versions of Firefox, add the string 'firefox' (without the quotes) to the property value. It will match all versions of the Firefox browser. Separate the values with a comma.
...
The tomcat manager is accessible in the bundle at http://<server-name>:8082/manager/html. The default Tomcat Manager user name/password are preset to frevvo/frevvo. If you wish to change the password, you may do so by editing the file <frevvo-home>\tomcat\conf\tomcat-users.xml.
Tomcat SSL
frevvo can be configured to handle HTTPS connections from users. The frevvo tomcat bundle you downloaded from www.frevvo.com is pre-configured with a self-signed certificate for development and testing. This self-signed certificate enables frevvo to handle HTTPS connections out of the box. However, before deploying your forms to production you may want to replace this with your own certificate.
...
```
<!-- HTTPS Connector -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="${catalina.home}/conf/keystore"
           keystorePass="password"
           connectionTimeout="20000"
           maxHttpHeaderSize="32768"
           useBodyEncodingForURI="true" />
```
frevvo recommends reviewing your Certificate Authority's documentation for detailed steps to configure your certificate in Apache Tomcat. Additional info on how to use SSL on tomcat can be found on the Apache/Tomcat website.
There are multiple ways of configuring certificates depending on their format. For example, a PKCS#12 (pfx or p12) certificate doesn't have to be imported into the keystore. It can be configured directly as:
```
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           sslEnabledProtocols="TLSv1+TLSv1.1+TLSv1.2"
           keystoreFile="C:\CERTDIRECTORY\CERT.pfx"
           keystorePass="YourPassword"
           keystoreType="PKCS12"
           connectionTimeout="40000"
           maxHttpHeaderSize="32768"
           useBodyEncodingForURI="true"/>
```
However, PKCS#7 or P7B formats require importing the certificate chain into the keystore. The Certificate Authority needs to provide all the intermediate certificates to be imported.
Currently, you must not disable frevvo's HTTP port. In a future release this will be allowed. Disabling frevvo's HTTP port will cause your form server to malfunction, as frevvo requires this port. For most cases, it is sufficient to share the HTTPS version of your form/workflow's URL and leave HTTP open. However, if you want to force all form usage to be over HTTPS and feel it is not enough to simply share the HTTPS form URLs (as a user can switch to HTTP as long as that port is open), we recommend that you deploy frevvo behind an Apache or IIS server. Close the HTTP port on Apache or IIS but leave tomcat's HTTP port open so that frevvo can POST back to itself when needed over HTTP but no one outside can access it.
...
...
frevvo no longer supports the web.xml parameters for frevvo.xforwarded.protocol.header, frevvo.xforwarded.host.header, and frevvo.xforwarded.port.headers. The general recommendation is to rely on the Servlet Container for handling dynamic proxies. A better approach is to use tomcat's RemoteIp Valve instead. Please see this documentation on the Apache Tomcat website for information about the RemoteIp valve functionality. This tomcat valve has been incorporated into our tomcat bundle.
```
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       internalProxies=".*"
       remoteIpHeader="x-forwarded-for"
       proxiesHeader="x-forwarded-by"
       protocolHeader="x-forwarded-proto" />
```
...
The frevvo API uses an http connection pool which implies that connections are reused for a given route. In some cases, an API call (such as a rule or doc action) may fail intermittently due to a connection reset or a socket read timeout. Setting the property http.connection.maxidletime in the frevvo-config.properties file may resolve this issue. This property sets the idle time in milliseconds beyond which the connection will be closed by the monitor. By default, it is not set and hence there is no monitor running. Once it is configured with a positive value e.g. 30000, the monitor runs every 1 second looking for expired idle connections and closes them.
...
Skew error when logging into an Azure SAML tenant
Users logging into an Azure SAML tenant may encounter the error "Access Denied. Authorization Required". Examination of the frevvo.log shows the following entry:

```
Response issue time is either too old or with date in the future, skew 60, time 2016-06-01T05:49:25.330Z
```
This error is typically caused by a clock synchronization issue between the Service Provider (frevvo) and the Identity Provider (Azure) or a genuine delay in the connection. If you get this error, add the com.frevvo.security.saml.response.skew property to set the time in seconds allowed between the request and the response from Azure to a value greater than the default value of 60 seconds.
Follow these steps:
- Stop frevvo if it is running.
- Navigate to <frevvo-home>\tomcat\conf
- Open the frevvo-config.properties file with a text editor.
Add the parameter shown below with a value greater than the default value of 60 seconds. The example shown increases the timer to 120 seconds.
```
com.frevvo.security.saml.response.skew=120
```
Save the file.
- Restart frevvo.
- Retry the login.
...
Changing the Default Task Notification Email Message
If you want to change the default subject and body of the task notification email for your server, add these properties to the frevvo-config.properties file.
```
frevvo.task.notification.email.subject=New task
frevvo.task.notification.email.message=You can access your task list by clicking <a href="{task.perform.url}">this link</a>
```
Change the value in this parameter to anything you want. The task.perform.url template {task.perform.url} is a built-in template in frevvo and it will always point to the specific task. Refer to the Task Notification Email Link topic for some other options. If you wrap the templates in an HTML <a> tag, it will generate a clickable link in the email.
If you do not want the link in your task notification emails to go there, you can remove it. The default message can include form control templates.
Non-default Database Schema
If you use a custom schema (anything other than 'dbo'), you must add the following property to the <frevvo home>/tomcat/conf/frevvo-config.properties file. This property's default value is 'dbo'.
...
Secure Passwords in Tomcat
Security audits may point out that some secrets are stored in clear text in tomcat configuration files. Here is a list of (known) secrets that are currently stored in clear text by default:
- Tomcat JDBC and SMTP configurations in Tomcat’s <frevvo-home>\tomcat\conf\server.xml
- Database password in <frevvo-home>\tomcat\conf\dbconnector.properties
- Google Connector’s Client Secret in <frevvo-home>\tomcat\conf\frevvo-config.properties
- frevvo’s SAML keystore password in <frevvo-home>\tomcat\bin\setenv.bat and the service.bat files for the Windows OS or setenv.sh for UNIX/Linux OS

Tomcat, and thereby frevvo, does not support encryption out of the box. There are two main options for securing this information.
Limit access to Tomcat files
The first option is limiting access to the files so that they can only be read by the user that the Tomcat process runs as and root (or the administrator on Windows). Here are two relevant articles about Tomcat passwords that provide suggestions for limiting access and masking sensitive information:
- https://cwiki.apache.org/confluence/display/TOMCAT/Password.
- https://wiki.owasp.org/index.php/Securing_tomcat#Cleartext_Passwords_in_CATALINA_HOME.2Fconf.2Fserver.xml
For the Database Connector, you can define the data source at the container (tomcat) level for some added security. Please see this documentation which explains how.
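One way to check the "limit access" advice on a UNIX/Linux install, as an added example (not frevvo's own tooling): it reports any of the secret-bearing files listed above that are accessible beyond their owner, and also flags two bundle defaults documented earlier on this page (the Tomcat Manager login frevvo/frevvo and keystorePass="password"). The function names and the sample directory are hypothetical and constructed for the demonstration; POSIX permission bits are assumed.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Secret-bearing files named on this page, relative to <frevvo-home>/tomcat (POSIX host assumed).
SECRET_FILES = ["conf/server.xml", "conf/dbconnector.properties",
                "conf/frevvo-config.properties", "bin/setenv.sh"]

def audit_permissions(tomcat_dir):
    """Report secret-bearing files that anyone besides the owner can access."""
    findings = []
    for rel in SECRET_FILES:
        path = os.path.join(tomcat_dir, rel)
        if os.path.isfile(path):
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append(f"{rel}: mode {mode:03o} grants access beyond the owner")
    return findings

def audit_bundle_defaults(tomcat_dir):
    """Report bundle defaults documented on this page that are still in place."""
    findings = []
    users = os.path.join(tomcat_dir, "conf", "tomcat-users.xml")
    if os.path.isfile(users):
        for el in ET.parse(users).getroot().iter():
            # tomcat-users.xml declares a default namespace, so compare local names.
            if el.tag.rsplit("}", 1)[-1] == "user" and \
                    (el.get("username"), el.get("password")) == ("frevvo", "frevvo"):
                findings.append("conf/tomcat-users.xml: Tomcat Manager login is still frevvo/frevvo")
    server = os.path.join(tomcat_dir, "conf", "server.xml")
    if os.path.isfile(server):
        for conn in ET.parse(server).getroot().iter("Connector"):
            if conn.get("keystorePass") == "password":
                findings.append(f"conf/server.xml: connector {conn.get('port')} "
                                "still uses keystorePass=\"password\"")
    return findings

def build_sample_tree():
    """Create a constructed (not real) tomcat directory for the demonstration."""
    root = tempfile.mkdtemp(prefix="frevvo-audit-")
    samples = {  # relative path -> (constructed content, file mode)
        "conf/server.xml": ('<Server><Service><Connector port="8443" SSLEnabled="true" '
                            'keystorePass="password"/></Service></Server>', 0o644),
        "conf/dbconnector.properties": ("# constructed placeholder content\n", 0o600),
        "conf/tomcat-users.xml": ('<tomcat-users xmlns="http://tomcat.apache.org/xml">'
                                  '<user username="frevvo" password="frevvo" '
                                  'roles="manager-gui"/></tomcat-users>', 0o600),
    }
    for rel, (text, mode) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    tree = build_sample_tree()
    for line in audit_permissions(tree) + audit_bundle_defaults(tree):
        print(line)
```

Against a real install, pass the path of <frevvo-home>/tomcat to both functions; a finding from audit_permissions is cleared by restricting the file to the account the Tomcat process runs as.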
OS Environment Variables
Starting in Tomcat v9.0.34 ( v9.0.15+) Tomcat introduced support for environment variables in server.xml. (See Apache Tomcat 9 (9.0.54) - Changelog for details.) This new capability is disabled by default in Tomcat but can be enabled by adding the following property to conf/catalina.properties.
...