Please be advised that this guide is intended for use by an IT professional with experience in Internet security and networking.

The ClockOn Web portal is a self-contained Webservice that is installed on the ClockOn server. It is designed to give employees a greater level of self-service and being self-contained it does not rely on IIS, Apache or other web hosting platforms to run.

This guide contains information regarding the following;

1. Getting Started
   • ClockOn License
   • Enabling External Access
   • DNS setup
2. SSL certificates
3. Preparing the certificate for the Webportal
   • ROOT.PEM
   • CERT.PEM
   • KEY.PEM 

Getting Started

In order to use the Web portal you will first need to ensure that some basic elements are in place for your setup, these include items such as an adequate ClockOn license, a purchased and manageable DNS record, and an SSL certificate (optional but highly recommended).

ClockOn License

The first step in the setup is to check to ensure that your ClockOn licence currently includes the ClockOn Web portal. 

You can do this by clicking the blue ClockOn icon in the top left of ClockOn.

This will display your current ClockOn and Web portal licence details.

If your ClockOn Web portal has been enabled previously it can be accessed using the loop-back address on the ClockOn server http://127.0.0.1:8888, and from other machines within the site replacing "127.0.0.1" with either the server's host name or IP address.

If you are not able to connect using the server's IP address or hostname it is likely that there is a firewall blocking the port required for the Web portal. If you are still having issues please contact the ClockOn support team for further assistance.

In order to successfully setup the Web portal for external access and to enable SSL you will need the following

1. A Static WAN IP address is provided by your ISP.
2. Access to and the ability to edit Port Forwarding settings at the head office site.
3. A registered DNS address.
4. A verified SSL certificate (either linked to the DNS record or a wildcard to cover the entire domain).

Enabling External Access

In order for users to reliably connect to the Web portal when working away from the head office a Static IP address will be necessary, please check with your Internet service provider (ISP) to determine whether this has been allocated to your Internet account.

Once this has been done you will need to enable Port forwarding, for the Web portal on the modem\router at your head office to direct the Web portal traffic through to your ClockOn server's IP address. By default, the Web portal uses the ports 8888, and 4444 for SSL, however, this can be adjusted as per your needs, if you need this to be changed please contact the ClockOn support team.

Once these steps have been done you should be able to connect to the Web portal on  http://{your WAN IP address}:8888

For secured access, you will need to purchase an SSL certificate that is capable of www webpage authentication.

DNS setup

If you prefer to provide your users with a written address under your pre-existing domain name you can do this by adding an "A record" to point to the WAN IP address for the ClockOn server site. 

For instructions on how to do this please contact your DNS provider.

SSL certificates

We strongly recommend the use of an SSL certificate to encrypt the traffic to the Webportal site and to do this you will need to purchase an SSL certificate for the domain that you intend to host the Webportal from.

If you do not already have a certificate, you can use either IIS or another external tool such as OpenSSL or XCA (a free alternative with minimal setup) to generate a CSR file.

This guide focuses on certificate generation using the IIS method.

The CSR file is used in the purchase process for the certificate and will need to be generated prior to this point.

IMPORTANT: Please be aware that when purchasing the certificate there are usually several different types on offer, you will need to assess the pros and cons of each as per the business's requirements, for example, some of the cheaper ones do not include a www component as they designed to be used for server access only we strongly recommend contacting an SSL provider and request assistance them to assess your business need.

Generating Certificate Requests Using IIS

To generate your CSR  file and complete the request process through IIS follow the steps below.

1. Open the Internet Information Services (IIS) Manager console.
   
   
2. Under the server name option select the option for Server Certificate
   
   
   
3. Next, use the option "Create Certificate Request".
   
4.  From there add the details for the business and click next
   
   
   
5. The next step details the type and bit length for the certificate request, please ensure that you select Microsoft RSA SChannel Cryptographic Provider and ensure that the Bit length is set to 2048 as shown below.
   
   
   
6. As a final step, you will need to specify a name and file location for the certificate request
   
   
   
7. The next step is to contact your chosen SSL provider and provide them with the generated CSR file.
   Once this process has been completed they will provide you with another file in which you will need to load into the Complete Certificate Request wizard
   
   
   
8. Load in the file that you received from your SSL provider, assign a friendly name (the name that it will show as on this machine) and set it to be saved in the Personal certificate store.
   

Once you have received the SSL certificate you will need to use the export wizard and then use the resulting pfx file.
To do this via IIS use the steps below.

1. Open the Internet Information Services (IIS) Manager console.
2. Under the server name option select the option for Server Certificate
   
   
   
3. Right-click on the previously imported certificate and select the Export option.
   
   
   
4. Set where you would like to export the pfx file to and provide and confirm a password for the certificate, please be aware that this will need to be provided to the ClockOn support team in order to complete the setup.
   

Preparing the certificate for the Webportal

 The next step is to generate the to generate 3 files required for the Web portal.

1. root.pem
2. cert.pem
3. key.pem

These files will need to be added to the root directory of your ClockOn web portal folder.
The default location for this is C:\Program Files (x86)\ClockOn Services\Web Server.

To generate these files we recommend using the OpenSSL. There are many different variants of OpenSSL, attached is a link to a version that we have tested with from Shining Light Productions.

Before running the commands to generate your files from OpenSSL, you will need to set the link to the configuration file this can be done using the following command.

Set OPENSSL_CONF={local location of the openssl.cfg file the default is c:\openssl-win32\bin\openssl.cfg}

TIP: If the OpenSSL commands are not working, it is likely that you are not in the correct working directory. In your command prompt navigate to where the openssl.exe file resides, by default this is "C:\Program Files\OpenSSL-Win64\bin" 

Please note that in order to successfully generate the files for use with the ClockOn Web Portal, you will need both the password that was applied to the PFX file and the P7B file from your SSL provider.

ROOT.PEM

The root certificate is the reference back to your SSL provider to authenticate your record against the 3rd party. With your certificate download you should have received a P7B file. With this file run the following command;

openssl pkcs7 -print_certs -in "{location of your p7b file}" -out "{save location}\root.pem"

CERT.PEM

The other essential file that you will need is the cert.pem file, these two should have been provided by your SSL provider, like the root.pem file some providers issue the raw file for this this would likely be labelled ServerCertificate.cer or ServerCertificate.txt

If this was not provided you can retrieve this from your PFX file using the following OpenSSL command;

openssl pkcs12 -in "{location of your pfx file}" -nocerts -out "{save location}\key.pem

You will need the password that you applied to your pfx to successfully create the file.

KEY.PEM 

The final file that you will require is key.pem. To generate this you will need to export the private key that you used when creating the original certificate request.

You can retrieve this from your PFX file using the following OpenSSL command;

openssl pkcs12 -in "{location of your pfx file}" -nocerts -out "{save location}\key.pem"

When running this command you will be required to enter the following

1. The password that you applied to your pfx file
2. A new password (PEM) to encrypt the key so it is not stored in plain text
3. Repeat the previous password to ensure that it was entered correctly

Please note that the PEM password will be required by ClockOn to complete your signing process.

Once you have retrieved these files please contact ClockOn support for assistance with the remainder of the setup