...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
Section | ||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Changing the admin password
- Login to your server your frevvo server as user admin@d, password admin.
- On the page that is displayed, click the Manage Tenants link.
- Click the icon to manage tenant named d (Default tenant)
- Click Manage Users
- Click the edit admin user icon for the admin user. This displays a profile form.
- Change the password as desired and submit the form.
...
The forgot password functionality and form submissions sent via email both require proper configuration of of frevvo's smtp component.
- Edit <frevvo-home>\tomcat\conf\server.xml
- Configure the Mail Resource
- Save the file
...
If you are using tomcat, emails sent are tracked in the <frevvo-home>\tomcat\logs\frevvo.log file when the INFO DEBUG log level is enabled. Look for an entry like "Sending email to <email address> with subject <the subject of your email>. If an error occurs when sending, the message "Could not send email to <email address> with subject <the subject of your email> including the actual exception that caused the problem will be logged.
...
Code Block | ||
---|---|---|
| ||
mail.smtp.socketFactory.port="465" mail.smtp.socketFactory.class="javax.net.ssl.SSLSocketFactory" mail.smtp.socketFactory.fallback="false" |
Default the Tenant Login
is frevvo is a multi-tenant application. See the administration section on Manage Tenants. However, it is possible that all you need is a single tenant. If this is your case, it simplifies the server the frevvo server login if you default the @<tenantname> so the user only needs to enter their username to login. Customers who default the tenant login normally would also customize the placeholder on the login screen. Please read that topic for details.
- Stop frevvo if it is running.
- Navigate to the <frevvo-home>\tomcat\conf directory
- Open the frevvo-config.properties file with a text editor.
Add the frevvo.default.login.tenant.id property to the <frevvo-home>\tomcat\conf\frevvo-config.properties file and set the param-value to the name of your one tenant.
Code Block title frevvo-config.properties frevvo.default.login.tenant.id=<your_tenant_id>
- Save the file
- Restart frevvo.
In-house customers, logging in as the frevvo's server superuser admin, must still login with username admin@d.
...
You may want to customize the user@tenant placeholder on the login screen to reflect the name of your tenant frevvo tenant to minimize confusion for your users or to remove the @tenant from the placeholder if you have defaulted the set a default tenant login.
In-house customers can change the default placeholder on the login screen by modifying the values for the frevvo.login.username.placeholder property.
...
- Stop frevvo if it is running.
- Navigate to <frevvo-home>\tomcat\conf
- Open the frevvo-config.properties file with a text editor.
Add the property shown below with your modified value then save the file.
Code Block title frevvo-config.properties frevvo.login.username.placeholder=user@mycompany
- Restart frevvo.
Turn on the Unsaved Changes Warning
You may want to to turn on the browser-specific warning that displays if your users close their browser/tab before saving or submitting a formflowform/workflow. A description of the feature can be found here. Here is an example for the Chrome browser:
...
- Stop frevvo if it is running.
- Navigate to <frevvo-home>\tomcat\conf
- Open the frevvo-config.properties file with a text editor.
Add the the frevvo.unsaved.warning property with a value of true then save the file.
- Restart Restart frevvo
Code Block |
---|
frevvo.unsaved.warning=true |
...
The "Insight.enabled" property with a value of true enables Insight Server by default.
Warning The Insight Server MUST be enabled for submissions, the Task List and Report features to work. Do NOT disable it if you are using any of these features.
- The "Insight.server-url" property points to the location of the Insight Server. The Insignt Server is included in the tomcat bundIe. In the unlikely scenario where the Insight Server (Solr) is in a different location than than frevvo, the <server:<port>> in this property can be changed to point to the location of the Insight Server (Solr) software.
...
If you are using the frevvo tomcat bundle, the Refresh Searchable Fields process is already configured. The insight.war web app is located in the <frevvo-home>\tomcat\webapps\frevvo.war. Insight.war is a web app that contains a batch process that extracts all the latest submissions from and from frevvo and creates Solr Documents for them. The indexed submission data from the batch is stored in <frevvo-home>\data\solr directory and is used by the frevvo Reports feature. The batch job is automatically run when you upgrade but frevvo but it can also be run manually if necessary.
...
There are some properties that can be added to the frevvo-config.properties file to override default values. Although , it is recommended to leave these properties with the default values, these properties can be added with different values if requested by frevvo support to troubleshoot an issue.
...
Configuration properties that affect the Submission frevvo Submission view are discussed below.You can turn off the Legacy Submissions view, hide the Delete submission button and the Edit Submissions link and configure the maximum number of Searchable fields allowed per form/flow.
...
- Stop frevvo if it is running.
- Navigate to <frevvo-home>\tomcat\conf
- Open the frevvo-config.properties file with a text editor.
Add the properties with your modified values then save the file.
- Restart Restart frevvo
Turn Off the Legacy Submission View
...
Administration of reCAPTCHA Keys
provides frevvo provides a default reCAPTCHA key. No other configuration steps are required for on-premise customers that choose to use the default key. This default reCAPTCHA key is:
- NOT configured to a particular host/domain server
- NOT configured for Google to perform any host/domain name checking on the challenge step. However, will frevvo will perform a host/domain verification on the verification step so that any attempts at site key spoofing are blocked.
- Considered secure.
...
The frevvo.recaptcha.hostcheck property controls the domain/host verification on the verification step that is done by frevvo. The values for this property can be set to true or false. If you use a custom key with Domain Name Validation configured, add this property to the frevvo-config.properties file with a value of false. Otherwise, add it to frevvo-config.properties with a value of true.
...
- Unable to contact license server
- Unable to renew license. Your license will expire in <n> day(s)
External URLs
Sometimes running behind a proxy server can cause unintended changes to the form server's external URLs. To address this issue, configure a Tomcat proxy in the HTTP connector (port 8082) of the <frevvo-home>\tomcat\conf\server.xml file. Add the properties proxyName, proxyPort, scheme and secure as shown below.
Code Block | ||
---|---|---|
| ||
<Connector port="8082" protocol="org.apache.coyote.http11.Http11NioProtocol"
connectionTimeout="40000"
maxHttpHeaderSize="32768"
useBodyEncodingForURI="true"
proxyName="<myexternalhost>"
proxyPort="<proxy port>"
scheme="https"
secure="true" /> <!-- makes sure that uri parameter are decoded as utf-8 --> |
Default Internal Port
uses a connector on port 8081 for internal requests. As indicated in the server.xml, changing the frevvo internal connector 8081 settings in the server.xml file can cause unexpected changes, and is not advised.
The connector with port 8081 is configured in the server.xml file. Please ensure this port is available for to use.
Code Block |
---|
<!-- A "Connector" used for internal frevvo calls: DO NOT MODIFY IT! -->
<Connector address="127.0.0.1" port="8081" protocol="org.apache.coyote.http11.Http11NioProtocol"
connectionTimeout="40000"
maxHttpHeaderSize="32768"
useBodyEncodingForURI="true" /> <!-- makes sure that uri parameter are decoded as utf-8 --> |
If you need to change the internal port, follow these instructions. The only case where frevvo.internal.port may need to be changed is if port 8081 is already in use by another application.
In the server.xml, replace port 8081 in all locations with the port number of your choice. Make sure the new port is open and available for 's use.
...
The External URL should always be set up when frevvo tomcat is running behind a proxy. Setting the correct external URL is necessary when frevvo either redirects to an external system that is sensitive to the originating address e.g. SAML Identity Provider, OAuth server, etc. or generates a URL for external use e.g. a share URL.
Tomcat is already configured to accept the standard x-forwarded headers. If the proxy is providing these in the request then nothing needs to be done. If the headers are custom, then frevvo can be configured to do the translation. If these headers are not being provided, then you need to configure the tomcat connector proxy attributes.
Proxy with X-Forwarded headers configured
This is the most flexible setup. You do not need to make any changes in frevvo to use this as tomcat is already configured to handle the standard x-forwarded headers which are as follows:
- X-Forwarded-Proto: the protocol of the incoming request (http or https).
- X-Forwarded-Host: the host name of the incoming request
- X-Forwarded-Port: the port of the incoming request
In the event you use non-standard header names, you will have to configure the frevvo's <frevvohome>\tomcat\conf\frevvo-config.properties file to handle the translation.
Expand | |||||
---|---|---|---|---|---|
| |||||
For example, if you prefer to use a parameter called X-Fwd-Scheme instead of X-Forwarded-Proto, simply add the appropriate context parameter and make sure that your proxy is setting a header with the new name. The defaults are shown below. Replace the values on the right side of the '=' with your corresponding custom header name.
|
Configure a Tomcat Proxy
Proxy attributes are set up on the tomcat connector that the proxy is forwarding requests to, which could be the HTTPS or the HTTP connector of the <frevvo-home>\tomcat\conf\server.xml file. For example, if SSL is being terminated in the proxy then it forwards to the HTTP connector (as shown below). Add the properties proxyName, proxyPort, scheme and secure.
Code Block | ||
---|---|---|
| ||
<Connector port="8082" protocol="org.apache.coyote.http11.Http11NioProtocol" |
...
connectionTimeout="40000" |
...
maxHttpHeaderSize="32768" useBodyEncodingForURI="true" proxyName="<myexternalhost>" proxyPort="<myexternalport>" scheme="https" |
...
secure="true" |
...
/> |
...
In the frevvo-config.properties file, add the frevvo.internal.port property and set it to the same port number used in step 1.
Code Block |
---|
frevvo.internal.port=<port> |
Default External Port
uses a connector on port 8082 for external requests. By default the tomcat bundle is configured to bind to port 8082. Please ensure this port is available for to use. You can change the port by:
...
<!-- makes sure that uri parameter are decoded as utf-8 --> |
frevvo will always redirect to this server. Captcha requests will use the same protocol (HTTP or HTTPS) as the external URL.
Default Internal Port
frevvo uses a connector on port 8081 for internal requests. As indicated in the server.xml, changing the frevvo internal connector 8081 settings in the server.xml file can cause unexpected changes, and is not advised.
The connector with port 8081 is configured in the server.xml file. Please ensure this port is available for frevvo to use.
Code Block |
---|
<!-- A "Connector" used for internal frevvo calls: DO NOT MODIFY IT! --> <Connector address="127.0.0.1" port="8081" protocol="org.apache.coyote.http11.Http11NioProtocol" connectionTimeout="40000" maxHttpHeaderSize="32768" useBodyEncodingForURI="true" /> <!-- makes sure that uri parameter are decoded as utf-8 --> |
If you need to change the internal port, follow these instructions. The only case where frevvo.internal.port may need to be changed is if port 8081 is already in use by another application.
In the server.xml, replace port 8081 in all locations with the port number of your choice. Make sure the new port is open and available
forfor frevvo's use.
In the frevvo-config.properties file, add the frevvo.internal.
Code Block <Connector address="127.0.0.1" port="<port>" protocol="org.apache.coyote.http11.Http11NioProtocol" connectionTimeout="40000" maxHttpHeaderSize="32768" useBodyEncodingForURI="true" />
In the frevvo-config.properties file, add the frevvo.internal.port property and set it to the same port number used in step 1.
Code Block frevvo.internal.port=<port>
Please keep this in mind before changing frevvo.internal.port.
...
If you change frevvo.internal.port to 8082 then in this case also port 8081 will go unused, so you should remove the connector: port=8081 in the server.xml file. Changing the frevvo.internal.port to be 8082 (i.e. matching the default Tomcat connector port) will keep the internal routing enabled but will reuse the same Tomcat 8082 port.
If you change frevvo.internal.port to something different from 8082 then the user needs to set the same port for the internal connector in the server.xml file, as in this example:
...
Default External Port
frevvo uses a connector on port 8082 for external requests. By default the frevvo tomcat bundle is configured to bind to port 8082. Please ensure this port is available for frevvo to use. You can change the port by:
- Editing the <frevvo-home>/tomcat/conf/server.xml file.
Search for this line in the file:
Code Block <Connector port="8082" protocol="org.apache.coyote.http11.Http11NioProtocol"
- Change the Connector port.
You can also change the default https connector port.
Code Block <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
...
SSLEnabled="
...
true"
...
...
Default Port
By default the tomcat bundle is configured to bind to port 8082. You can change the port by:
- Editing the <frevvo-home>/tomcat/conf/server.xml file.
Search for this line in the file:
Code Block <Connector port="8082" protocol="org.apache.coyote.http11.Http11NioProtocol"
- Change the Connector port.
You can also change the default https connector port.
Code Block <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" scheme="https" secure="true"
Browser Support
does frevvo does not support BETA versions of browsers and there is often a delay so that we can test newly released browser versions before they are supported. In previous releases, was frevvo was configured to use a list of supported browsers. An error message and a link to override the error would display if the system was accessed using an unsupported browser. If you want to warn users if they access using access frevvo using an uncertified browser, configure a list of allowed browsers using the the frevvo.supported.browsers parameter in the <frevvo-home>\tomcat\conf\frevvo-config.properties file
- Stop frevvo if it is running.
- Navigate to <frevvo-home>\tomcat\conf
- Open the frevvo-config.properties file with a text editor.
Add the properties with your modified values then save the file.
- Restart Restart frevvo
Add the user agent for the browsers you want to support '''in lower case only'''. For example, to allow all versions of Firefox, add the string 'firefox' (without the quotes) to the property value. It will match all versions of the Firefox browser. Internet Explorer 11 requires the use of the agent identifier, trident/7. Separate the values with a comma.
...
The tomcat manager is accessible in the bundle at http://<server-name>:8082/manager/html. The default Tomcat Manager user name/password are preset to frevvo/frevvo. If you wish to change the password, you may do so by editing the file <frevvo-home>\tomcat\conf\tomcat-users.xml.
Tomcat SSL
can frevvo can be configured to handle HTTPS connections from users. The tomcat frevvo tomcat bundle you downloaded from www.frevvo.com is pre-configured with a self-signed certificate for development and testing. This self-signed certificate enables to enables frevvo to handle HTTPS connections out of the box. However before deploying your forms to production you may want to replace this with your own certificate.
The HTTPS connector on port 8443 is enabled by default . If you want to disable it, edit in the <frevvo-home>/tomcat/conf/server.xml and comment out the HTTPS connector:.
Code Block | ||
---|---|---|
| ||
<!-- HTTPS Connector --> <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="${catalina.home}/conf/keystore" keystorePass="password" connectionTimeout="20000" maxHttpHeaderSize="32768" useBodyEncodingForURI="true" /> --> |
recommends frevvo recommends reviewing your Certificate Authority's documentation for detailed steps to configure your certificate in Apache Tomcat. Additional info on how to use SSL on tomcat can be found on the Apache/Tomcat website.
There are multiple ways of configuring certificates depending on their format. For example, a PKCS#12 (pfx or p12) certificate doesn't have to be imported into the keystore. It can be configured directly as:
Code Block |
---|
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1+TLSv1.1+TLSv1.2" keystoreFile=C:\CERTDIRECTORY\CERT.pfx" keystorePass="YourPassword" keystoreType="PKCS12" connectionTimeout="40000" maxHttpHeaderSize="32768" useBodyEncodingForURI="true"/> |
However, PKCS#7 or P7B formats require importing the certificate chain into the keystore. The Certificate Authority needs to provide all the intermediate certificates to be imported.
Currently you must not disable disable frevvo's http port. In a future release this will be allowed. Disabling Disabling frevvo's http port will cause your form server to malfunction as requires as frevvo requires this port. For most cases it is sufficient to share the https version of your form/flow's Url and leave http open. However, if you want to force all form usage to be over https and feel it is not enough to simply share the https form Urls (as a user can switch to http as long as that port is open), we recommend that you deploy behind deploy frevvo behind an Apache or IIS server. Close the http port on Apache or IIS but leave tomcat's http port open so that can that frevvo can POST back to itself when needed over http but no one outside can access it.
...
Tomcat Logfiles
By default, the server the frevvo server writes useful logging information to a daily logging file located here: <frevvo-home>/tomcat/logs. You will see the logfiles listed below in <frevvo-home>/tomcat/logs. The current date appends to the logfile names.
- catalina.YYYY-MM-DD.log - this log captures the stderr and stdout of the tomcat process including startup/shutdown messages. This is usually a small file.
- frevvo_YYYY-MM-DD.log - all messages frevvo messages are logged to this file. A new log with the current date appended to it is created daily.
- localhost.YYYY.MM.DD.log - this tomcat logfile should be empty.
localhost_access_log.YYYY - MM - DD.txt - is used to log all HTTP accesses to Tomcat. It is enabled by the following entry in <frevvo-home>/tomcat/conf/server.xml. Comment out the statement below to turn off logging to this file if it is not needed.
Code Block <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log" suffix=".txt" pattern="%h %l %u %{begin:dd/MM/yy:H:m:s.S}t "%r" %s %b "%{Referer}r" "%{User-Agent}r" [%I %{JSESSIONID}c %{X-Correlation-Id}o %{Location}o]" />
- host-manager.MM-DD-YYYY.log - this logfile is part of the tomcat distribution and is empty by default. It is a log file for the host-manager web application that is used to manage virtual hosts in tomcat. The host manager web-app is typically not needed because is frevvo is preconfigured. Messages are written to this log only if the host-manager web application is being used.
- manager.MM-DD.YYYY.log - this logfile is part of the tomcat distribution and is empty by default - this is the log file for the tomcat manager web application which is used to check the status of web apps, memory usage etc. Messages are written to this log only if the manager web app is being used.
...
Note |
---|
|
...
Debugging log file levels
By default log frevvo log levels are set to INFO. Loglevels are changed by adding properties to the <frevvo-home>\tomcat\conf\frevvo-config.properties file. Changing the loglevel to DEBUG provides more information when troubleshooting.
If you want to delete the logs, stop then frevvo then delete the logfiles. They will be recreated on start up.
...
- Create/Edit the frevvo-config.properties file in <frevvo-home>\tomcat\conf
- Add the properties shown below to the file.
- Save the file
- Restart Restart frevvo.
Code Block | ||
---|---|---|
| ||
logging.level.root=DEBUG logging.level.com.frevvo=DEBUG logging.level.com.gauss=DEBUG |
...
Tenant, superuser or additional admin(s) can manage user session via the UIfrevvo UI. Refer to the Manage Logged in User Sessions topic for the details.
...
Information can be accessed with jConsole, or a similar tool.
Session Timeout
frevvo's default web browser session timeout is 30 minutes. If a user is logged into the server frevvo server to design forms, or to view their task list, or is using a form frevvo form and filling in values but has not yet submitted the form, the session will expire after 30 minutes of inactivity. When the session expires the designer will have to re-login to to frevvo to continue designing forms and form users will have to get a new instance of the form and re-enter the values.
If the maximum number of concurrent users are logged in simultaneously, and any of them are idle for more than 30 minutes, the next person who tries to log in will be able to do so successfully.
The default server frevvo server session timeout can be overridden for each tenant. The tenant admin can edit the tenant and make the changes there.
When a person is using a form/flow then pauses for longer than the configured <session-timeout>, they will see the login frevvo login screen.
When a person is using a form/flow and then pauses for longer than the configured <session-timeout>, they will see the following error the next time they enter a value into the form or try to submit a form from a timed out session.
...
See the documentation on Tomcat Windows Service for more details.
TIFF Image Generator
All frevvo connector wizards allow you to select the form image attached to submission to be in TIFF image format. If the TIFF option doesn't appear in the wizard's Send Snapshot dropdown, follow these steps to install the necessary files:
- Stop Stop frevvo
- Download the jai-imageio-core-1.3.1.jar here.
- Add it to frevvo classpath i.e. tomcat/lib folder
- Make sure your Connector(s) is installed.
- Restart the serverfrevvo server. You will now see the TIFF option in the connector wizards Send Snapshot dropdown.
...
- Stop frevvo if it is running.
- Navigate to <frevvo-home>\tomcat\conf
- Open the frevvo-config.properties file with a text editor.
Add the frevvo.signature.date.format property with your modified value then save the file.
- Restart Restart frevvo
This property will change the date format for text signatures to day,month, year
Code Block | ||
---|---|---|
| ||
frevvo.signature.date.format=d MMM yyyy |
Timezones
concanocolizes frevvo standardizes all form submission data to UTC. In other words, no matter which timezone you are in when you submit a form with a date, date/time, or time control, the form server will convert and store those values in UTC. If your form submission data is not correctly converted and stored in UTC then you likely have to update the timezones in your installed JDK. Oracle provides a timezone update tool. Run the TZUpdater tool with the following command: java -jar tzupdate.jar -u
...
Uploading a CSV file to add or edit users normally runs quickly. However, if uploading a file in which the notifyIfNewUser property is TRUE for a large number of rows, this process may slow down on some email servers. Tenant Admins can configure to configure frevvo to run CSV-file user uploads in batches to improve upload time if needed. To adjust batch load size, configure the following property in <frevvo-home>\tomcat\conf\frevvo-config.properties.
...
Using frevvo with reverse-proxies/SSL-accelerators
If your goal is to use behind frevvo behind a reverse-proxy/load-balancer/SSL-accelerator you need to modify configuration settings to frevvo/tomcat to make sure generate frevvo generate correct external urls.
When using a reverse-proxy, the external host, IP and/or port visible to browsers may be different than the host, IP and/or port seen by Tomcat. This causes a problem since will frevvo will generate urls in pages and forms that are either completely invalid, which is an easy case to spot since forms will not render at all, or valid by bypassing the reverse-proxy altogether, which are harder to identify except for side effects such as forms not resizing properly, or blocked by browser security restrictions.
no frevvo no longer supports the web.xml parameters for frevvo.xforwarded.protocol.header, frevvo.xforwarded.host.header, and frevvo.xforwarded.port.headers. The general recommendation is to rely on the Servlet Container for handling dynamic proxies. A better approach is to use tomcat's RemoteIp Valve instead. Please see this documentation on the Apache Tomcat website for information about the RemoteIp valve functionality. This tomcat valve has been incorporated into our tomcat frevvo tomcat bundle.
Code Block |
---|
<Valve className="org.apache.catalina.valves.RemoteIpValve" internalProxies=".*" remoteIpHeader="x-forwarded-for" proxiesHeader ="x-forwarded-by" protocolHeader="x-forwarded-proto" /> |
...
- If the target tenant does not exist, create it by following these steps. For the sake of this document, the target tenant id is mytenant.
- Login to the target tenant as an admin and create a user with the same id as the user in the original tenant. In this example, the user id is john in the tenant mytenant.
- Transfer the applications to the new user account in the target tenant
- Login to the source tenant as a tenant admin, for instance admin@d.
- Navigate to Manage > Manage Users.
- Login as the user you want to move.
- Navigate to the user's applications page.
- Download each application for that user and save to a folder in your file system.
- Logout
- Login as the user in the new tenant: john@mytenannt.
- Upload the applications you've downloaded in the previous steps.
- Move the submissions in the submissions repository. You need to run these steps in the database where you persist the submissionsfrevvo submissions. Please back up your database before moving forward.
- Replace the word john with the id of the user you are migrating.
- Replace the tenant id d with the id of the source tenant. The default tenant in is frevvo is called d.
- Replace the word mytenant with the name of your target tenant
- Login to your database.
- Edit the script shown below to:
- Run the script shown below in your submissions frevvo submissions database.
Code Block |
---|
update formsubmission set tenantid='mytenant' where id in ( select fs.id from formsubmission fs, formsubmissiontype fst where fs.formsubmissiontype_formtype_id = fst.id and fst.ownerid='john' and fs.tenantid='d' )update formsubmissiontype set tenantid='mytenant' where ownerid='john' and tenantid='d' |
...
- Stop frevvo if it is running.
- Navigate to <frevvo-home>\tomcat\conf
- Open the frevvo-config.properties file with a text editor.
Add the frevvo.share.options property with your modified values separated by commas then save the file.
- Restart Restart frevvo
Code Block | ||
---|---|---|
| ||
frevvo.share.options=embed-script,embed-link,link,page,raw-iframe,raw-link |
Hide the "forgot password" button on the login screen
infrevvo in-house customers that wish to hide the "forgot password" field on the login screen can do so by adding the frevvo.login.forgot.password.enabled property to the frevvo-config.properties file with a value of false. This is only relevant to tenants using the Default the frevvo Default Security manager and could be helpful if you are using LDAP without SSO. To hide the field:
- Stop frevvo if it is running.
- Navigate to <frevvo-home>\tomcat\conf
- Open the frevvo-config.properties file with a text editor.
Add the frevvo.login.forgot.password.enabled property with a value of false then save the file.
- Restart Restart frevvo
Code Block | ||
---|---|---|
| ||
frevvo.login.forgot.password.enabled=false |
...
- Stop frevvo if it is running.
- Navigate to <frevvo-home>\tomcat\conf
- Open the frevvo-config.properties file with a text editor.
Add the frevvo.data.sources .top property with a value of true then save the file.
- Restart Restart frevvo
Code Block | ||
---|---|---|
| ||
frevvo.data.sources.top=true |
...
- Stop frevvo if it is running.
- Navigate to <frevvo-home>\tomcat\conf
- Open the frevvo-config.properties file with a text editor.
Add the frevvo.data.sources.add property with a value of false then save the file.
- Restart Restart frevvo
Code Block | ||
---|---|---|
| ||
frevvo.data.sources.add=false |
...
- Stop frevvo if it is running.
- Navigate to <frevvo-home>\tomcat\conf
- Open the frevvo-config.properties file with a text editor.
Add the frevvo.palette.controls property with the Control Names after the equal sign, separated by commas then save the file.
- Restart Restart frevvo
Here is an example of the property configured to show all the Palette controls.
...
The content types supported by are frevvo are configured with the frevvo.upload.file.types properties. The default file types are shown below. On-premise customers can override the defaults by adding properties to the frevvo-config.properties file
...
- Stop frevvo if it is running.
- Navigate to <frevvo-home>\tomcat\conf
- Open the frevvo-config.properties file with a text editor.
Add the frevvo.upload.file.types with the allowed mime types after the equal sign, separated by commas then save the file.
- Restart Restart frevvo
The Upload control provides a list of file type/extensions the designer can use to restrict the type of files uploaded. To add a new file type to this list, add it to the frevvo.upload.file.types values. In addition, there are properties for each supported mime type that corresponds to each context type. For example, the property that has the mime types corresponding to MS Word is: frevvo.upload.file.type.ms_word.mimes. Note the naming convention for the Mime type names part of the property - lower case and spaces replaced with _
...
- Stop frevvo if it is running.
- Navigate to <frevvo-home>\tomcat\conf
- Open the frevvo-config.properties file with a text editor.
Add the frevvo.rule.validation.timeout property with the timeout value in milliseconds after the equal sign then save the file
- Restart Restart frevvo
Code Block | ||
---|---|---|
| ||
frevvo.rule.validation.timeout=1000 |
...
The Rule evaluation timeout property is frevvo.rule.timeout with a default value of 30000 milliseconds. This is the amount of time will frevvo will attempt to run the rule before you see a timeout error in the debug console. Adding this property to the frevvo-config.properties file with a value of 2000 ms will show this error in the Rule debug console - ** Rule execution timed out after (timeout=20000 milliseconds).
...
The frevvo API uses an http connection pool which implies that connections are reused for a given route. In some cases, an API call (such as a rule or doc action) may fail intermittently due to a connection reset or a socket read timeout. Setting the property http.connection.maxidletime in the frevvo-config.properties file may resolve this issue. This property sets the idle time in milliseconds beyond which the connection will be closed by the monitor. By default, it is not set and hence there is no monitor running. Once it is configured with a positive value e.g. 30000, the monitor runs every 1 second looking for expired idle connections and closes them.
...
Code Block | ||
---|---|---|
| ||
frevvo.form.save.on.mapping=false |
XSS Cleaning
uses frevvo uses a whitelist approach to filter out XSS attacks. Only whitelisted tags will work if you are using HTML in labels, help, etc. Although the whitelist allows a full range of text and structural body HTML, it will restrict you from using some tags like the HTML comment.
...
There are three places to set the maximum size of attachments that can be uploaded to the Upload control in frevvo.
- You can set an upper bound limit server wide by adding the frevvo.attachment.maxsize property to the frevvo-config.properties file. If you do not add this property, then the max size for attachments will be 10 MB. This is the built-in default.
- The tenant admin can set the maximum file size per user by editing their profile
- Specify the max file size per the Max Size property of individual Upload Controls
...
To configure the max size for attachments on the server level, follow these steps:
- Stop if frevvo if it is running.
- Navigate to <frevvo-home>\tomcat\conf
- Open the frevvo-config.properties file with a text editor.
- Add the frevvo.attachment.maxsize property with the max size for attachments in bytes as the value then save the file.
- Restart Restart frevvo.
Code Block | ||
---|---|---|
| ||
frevvo.attachment.maxsize=10485760 -> Replace the default value, 10485760 in this example, with the maximum size of the attachment that you want. The value must be entered in bytes. |
...
Info |
---|
If you are using MySQL, and you upload a large image or you are using a workflow that contains a large pdf, frevvo, you may see this error: The default value of the max_allowed_packet parameter in your MySQL server may not be large enough. Refer to this website for detailed information about the MySql configuration parameter. Increasing the max_allowed_packet variable setting in your MySQL Server from the default (1M) to something like 16M (16777125) fixes the issue. To fix the issue temporarily, run the following commands: |
...
Skew error when logging into an Azure SAML tenant
Users logging into a Azure frevvo Azure SAML tenant may encounter the error "Access Denied. Authorization Required". Examination of the frevvo.log shows the following entry:
Code Block |
---|
Response issue time is either too old or with date in the future, skew 60, time 2016-06-01T05:49:25.330Z |
This error is typically caused by a clock synchronization issue between the Service Provider (frevvo) and the Identity Provider (Azure) or a genuine delay in the connection. If you get this error, adding the com.frevvo.security.saml.response.skew property can be used to specify the time in seconds allowed between the request frevvo request and the response from Azure to a value greater than the default value of 60 seocnds.
Follow these steps:
- Stop frevvo if it is running.
- Navigate to <frevvo-home>\tomcat\conf
- Open the frevvo-config.properties file with a text editor.
Add the parameter shown below with a value greater than the default value of 60 seconds. The example shown increases the timer to 120 seconds.
Code Block com.frevvo.security.saml.response.skew=120
Save the file.
- Restart frevvo.
- Retry the login.
Configure the max size for Images in your form/flow
In-house customers can change the maximum size for images uploaded to forms/flows using the Image control in the designers frevvo designers by adding the frevvo.asset.maxsize property to the frevvo-config.properties file. The default value is set to 2097152 bytes. Any uploaded file that exceeds the value in this parameter displays an error message to the designer so they can take corrective action.
...
- Stop frevvo if it is running.
- Navigate to <frevvo-home>\tomcat\conf
- Open the frevvo-config.properties file with a text editor.
Add the frevvo-asset-maxsize property. Change the value to the maximum allowable image size in bytes.
Code Block frevvo.asset.maxsize=2097152
Save the file.
- Restart frevvo.
Changing the Default Task Notification Email Message
If you want to change the default subject and body of the task notification email for your serveryour frevvo server, add these properties to the frevvo-config.properties file.
Code Block |
---|
frevvo.task.notification.email.subject=New task
frevvo.task.notification.email.message=You can access your task list by clicking <a href="{task.perform.url}">this link</a> |
Change the value in this parameter to anything you want. The task.perform.url template {task.perform.url} is a built-in template in and it will always point to the specific task. Refer to the Task Notification Email Link topic for some other options. If you wrap the templates in an HTML <a> tag, it will generate a clickable link in the email.
If you do not want the link in your task notification emails to go there, you can remove it. The default message can include form control templates.
Security Vulnerabilities
The following security vulnerablities have been addressed as follows:
...
Version Disclosures - Resolved by configuring the ErrorReportValve in \frevvo\tomcat\conf\server.xml file (in the Host section) as described in this Apache tomcat website. The parameter that needs to be modified is:
Code Block |
---|
<Valve className="org.apache.catalina.valves.ErrorReportValve" showServerInfo="false"/> |
X-Frame-Options Header Not Set - Resolved by modification at the tomcat level. In-house customers can uncomment the HttpHeaderSecurityFilter provided in the tomcat web.xml. The filter is documented here. Specify the appropriate X-Frame-Options value in the antiClickJackingOption parameter - (SAMEORIGIN or ALLOW-FROM).
Warning |
---|
Setting this parameter to SAMEORIGIN may interfere when embedding frevvo forms/flows in your website. Use ALLOW-FROM instead. |
Click the appropriate link below for filter examples.
Code Block | ||||
---|---|---|---|---|
| ||||
<filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<init-param>
<param-name>antiClickJackingOption</param-name>
<param-value>SAMEORIGIN</param-value>
</init-param>
<async-supported>true</async-supported>
</filter>
<filter-mapping>
<filter-name>httpHeaderSecurity</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
|
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
<filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<init-param>
<param-name>antiClickJackingOption</param-name>
<param-value>ALLOW-FROM</param-value>
</init-param>
<init-param>
<param-name>antiClickJackingUri</param-name>
<param-value> http://example.com:80/*</param-value>
</init-param>
<async-supported>true</async-supported>
</filter>
<filter-mapping>
<filter-name>httpHeaderSecurity</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping> |
...
...
.task.notification.email.subject=New task
frevvo.task.notification.email.message=You can access your task list by clicking <a href="{task.perform.url}">this link</a> |
Change the value in this parameter to anything you want. The task.perform.url template {task.perform.url} is a built-in template in frevvo and it will always point to the specific task. Refer to the Task Notification Email Link topic for some other options. If you wrap the templates in an HTML <a> tag, it will generate a clickable link in the email.
If you do not want the link in your task notification emails to go there, you can remove it. The default message can include form control templates.
Non-default Database Schema
If you use a custom schema (anything other than 'dbo'), you must add the following property to the <frevvo home>/tomcat/conf/frevvo-config.properties file. This property's default value is 'dbo'.
Code Block |
---|
spring.liquibase.parameters.mssql.schema=<your schema> |
Secure Passwords in Tomcat
Security audits may point out that some secrets are stored in clear text in tomcat configuration files. Here is a list of (known) secrets that are currently stored in clear text by default:
Tomcat JDBC and SMTP configurations in Tomcat’s <frevvo-home>\tomcat\conf\server.xml
Database password in <frevvo-home>\tomcat\conf\dbconnector.properties
Google Connector’s Client Secret in <frevvo-home>\tomcat\conf\frevvo-config.properties
frevvo’s SAML keystore password in <frevvo-home>\tomcat\bin\setenv.bat and the service.bat files for the Windows OS or setenv.sh for UNIX/Linux OS
Tomcat, and thereby thereby frevvo, does not support encryption out of the box. There are two main options for securing this information.
Limit access to Tomcat files
The first option is limiting access to the file so that it can only be read by the user that Tomcat process runs as and root (or the administrator on Windows). Here are two relevant articles about Tomcat passwords that provide suggestions for limiting access and masking sensitive information:
- https://cwiki.apache.org/confluence/display/TOMCAT/Password.
- https://wiki.owasp.org/index.php/Securing_tomcat#Cleartext_Passwords_in_CATALINA_HOME.2Fconf.2Fserver.xml
For the Database Connector, you can define the data source at the container (tomcat) level for some added security. Please see this documentation which explains how.
OS Environment Variables
Starting in Tomcat v9.0.34 ( v9frevvo v9.0.15+) Tomcat introduced support for environment variables in server.xml. (See Apache Tomcat 9 (9.0.54) - Changelog for details.) This new capability is disabled by default in Tomcat but can be enabled by adding the following property to conf/catalina.properties.
...
The same OS environment variable approach can also be used in the Database the frevvo Database Connector out of the box since it is a SpringBoot application. Consider the following dbconnector.properties snippet concerning the BIRT JDBC connection info:
...
SAML Keystore Password
SAML support in also in frevvo also requires a keystore, which is encrypted by default, and a keystore password used by frevvo to access the keystone. The SAML keystore password is currently set in clear text as a frevvo property, but can also be set using an OS environment variable (frevvo is a SpringBoot app like the DBC). So, instead of setting the com.frevvo.security.saml.password property in frevvo.properties, you can, instead, define an OS environment variable named COM_FREVVO_SECURITY_SAML_PASSWORD=mypassword. This will make sure the frevvo.properties file is free of this secret.
...
...
- Stop frevvo if it is running.
- Navigate to <frevvo-home>\tomcat\conf
- Open the frevvo-config.properties file with a text editor.
Add the frevvo-certificate.signature property with a value of true.
Code Block frevvo.certificate.signature=true
Save the file.
- Restart Restart frevvo.
mysql -u root
set global max_allowed_packet=16777216
To permanently set it, choose one of the two methods listed below:
You can add the parameter - max_allowed_packet=16M to the mysqld command line or (mysqld_safe command line) as shown:
mysqld --max_allowed_packet=16M
Edit the MySql configuration file (my.ini on Windows/ my.cnf on Mac OS) and add max_allowed_packet=16777216 to the [mysqld] section.
On Mac OS, you can access the my.cnf file by typing
The location of the my.ini/my.cnf file varies by configuration.