Please be advised that this guide is intended for use by an IT professional with experience in Internet security and networking.
The ClockOn Web portal is a self-contained Webservice that is installed on the ClockOn server. It is designed to give employees a greater level of self-service and being self-contained it does not rely on IIS, Apache or other web hosting platforms to run.
This guide contains information regarding the following;
Getting Started
To use the Web portal you will first need to ensure that some basic elements are in place for your setup. These include an adequate ClockOn license, a purchased and manageable DNS record, and an SSL certificate (optional but highly recommended).
ClockOn License
The first step in the setup is to check to ensure that your ClockOn licence currently includes the ClockOn Web portal.
You can do this by clicking the blue ClockOn icon in the top left of ClockOn.
This will display your current ClockOn and Web portal licence details.
If your ClockOn Web portal has been enabled previously, it can be accessed on the ClockOn server using the loop-back address http://127.0.0.1:8888, and from other machines within the site by replacing "127.0.0.1" with either the server's host name or IP address.
If you are not able to connect using the server's IP address or hostname, it is likely that a firewall is blocking the port required for the Web portal. If you are still having issues please contact the ClockOn support team for further assistance.
In order to successfully set up the Web portal for external access and to enable SSL you will need the following:
- A static WAN IP address provided by your ISP.
- Access to and the ability to edit Port Forwarding settings at the head office site.
- A registered DNS address.
- A verified SSL certificate (either linked to the DNS record or a wildcard to cover the entire domain).
Enabling External Access
For users to reliably connect to the Web portal when working away from the head office, a static IP address will be necessary. Please check with your Internet service provider (ISP) to determine whether this has been allocated to your Internet account.
Once this has been done you will need to enable port forwarding for the Web portal on the modem/router at your head office to direct the Web portal traffic through to your ClockOn server's IP address. By default, the Web portal uses port 8888, and port 4444 for SSL. This can be adjusted as per your needs; if you need this to be changed please contact the ClockOn support team.
Once these steps have been done you should be able to connect to the Web portal on http://{your WAN IP address}:8888
For secured access, you will need to purchase an SSL certificate that is capable of www webpage authentication.
DNS setup
If you prefer to provide your users with a written address under your pre-existing domain name you can do this by adding an "A record" to point to the WAN IP address for the ClockOn server site.
For instructions on how to do this please contact your DNS provider.
SSL certificates
We strongly recommend the use of an SSL certificate to encrypt the traffic to the Webportal site and to do this you will need to purchase an SSL certificate for the domain that you intend to host the Webportal from.
TIP: If you would like to avoid the additional cost of an SSL certificate, Let's Encrypt provides free SSL certificates that have been tested as usable with the ClockOn Webportal. If you would like to investigate this further we recommend contacting your IT provider for assistance, as this will require firewall exceptions and custom network configuration as well as scripts to automate the processing of certificate renewals. The win-acme application used to create the certificate can be found at https://www.win-acme.com/
If you do not already have a certificate, you can use either IIS or another external tool such as OpenSSL or XCA (a free alternative with minimal setup) to generate a CSR file.
This guide focuses on certificate generation using the IIS method.
The CSR file is used in the purchase process for the certificate and will need to be generated prior to this point.
IMPORTANT: Please be aware that when purchasing the certificate there are usually several different types on offer, and you will need to assess the pros and cons of each as per the business's requirements. For example, some of the cheaper ones do not include a www component as they are designed to be used for server access only. We strongly recommend contacting an SSL provider and requesting their assistance to assess your business need.
Generating Certificate Requests Using IIS
To generate your CSR file and complete the request process through IIS follow the steps below.
- Open the Internet Information Services (IIS) Manager console.
- Under the server name option select the option for Server Certificate
- Next, use the option "Create Certificate Request".
- From there add the details for the business and click next
- The next step details the type and bit length for the certificate request. Please ensure that you select Microsoft RSA SChannel Cryptographic Provider and that the Bit length is set to 2048.
- As a final step, you will need to specify a name and file location for the certificate request
- The next step is to contact your chosen SSL provider and provide them with the generated CSR file.
Once this process has been completed they will provide you with another file, which you will need to load into the Complete Certificate Request wizard.
- Load in the file that you received from your SSL provider, assign a friendly name (the name that it will show as on this machine) and set it to be saved in the Personal certificate store.
Once you have received the SSL certificate you will need to use the export wizard and then use the resulting pfx file.
To do this via IIS use the steps below.
- Open the Internet Information Services (IIS) Manager console.
- Under the server name option select the option for Server Certificate
- Right-click on the previously imported certificate and select the Export option.
- Set where you would like to export the pfx file to, then provide and confirm a password for the certificate. Please be aware that this will need to be provided to the ClockOn support team in order to complete the setup.
Preparing the certificate for the Webportal
The next step is to generate the 3 files required for the Web portal.
- root.pem
- cert.pem
- key.pem
These files will need to be added to the root directory of your ClockOn web portal folder.
The default location for this is C:\Program Files (x86)\ClockOn Services\Web Server.
To generate these files we recommend using OpenSSL. There are many different variants of OpenSSL; attached is a link to a version that we have tested with from Shining Light Productions.
Before running the commands to generate your files from OpenSSL, you will need to set the location of the configuration file. This can be done using the following command.
Set OPENSSL_CONF={local location of the openssl.cfg file the default is c:\openssl-win32\bin\openssl.cfg}
TIP: If the OpenSSL commands are not working, it is likely that you are not in the correct working directory. In your command prompt navigate to where the openssl.exe file resides, by default this is "C:\Program Files\OpenSSL-Win64\bin"
Please note that in order to successfully generate the files for use with the ClockOn Web Portal, you will need both the password that was applied to the PFX file and the P7B file from your SSL provider.
ROOT.PEM
The root certificate is the reference back to your SSL provider to authenticate your record against the 3rd party. With your certificate download you should have received a P7B file. With this file run the following command:
openssl pkcs7 -print_certs -in "{your p7b file}" -out "{save location}\root.pem"
If your SSL provider only supplied a PFX file, the root certificate can be generated using the following:
openssl pkcs12 -in "{your pfx file}" -nodes -nokeys -cacerts -out "{save location}\root.pem"
CERT.PEM
The other essential file that you will need is the cert.pem file. This too should have been provided by your SSL provider; as with the root.pem file, some providers issue the raw file for this, which would likely be labelled ServerCertificate.cer or ServerCertificate.txt.
If this was not provided you can retrieve this from your PFX file using the following OpenSSL command:
openssl pkcs12 -in "{your pfx file}" -nokeys -clcerts -out "{save location}\cert.pem"
You will need the password that you applied to your pfx to successfully create the file.
KEY.PEM
The final file that you will require is key.pem. To generate this you will need to export the private key that you used when creating the original certificate request.
You can retrieve this from your PFX file using the following OpenSSL command:
openssl pkcs12 -in "{your pfx file}" -nocerts -out "{save location}\key.pem"
When running this command you will be required to enter the following:
- The password that you applied to your pfx file
- A new password (PEM) to encrypt the key so it is not stored in plain text
- Repeat the previous password to ensure that it was entered correctly
Please note that the PEM password will be required by ClockOn to complete your signing process.
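Before the three files are copied into the Web portal folder, it is worth confirming that they fit together. The PowerShell script below is an added example and is not part of the ClockOn product or this guide's original procedure; it assumes openssl.exe (1.1.1 or later) is on the PATH and that root.pem, cert.pem and key.pem are in the current folder.

```powershell
# Added example: check root.pem, cert.pem and key.pem before they go into the Web portal folder.
# Assumptions: openssl.exe (1.1.1 or later) is on PATH; the three files are in the current folder.
$cert = '.\cert.pem'; $key = '.\key.pem'; $root = '.\root.pem'

foreach ($f in $cert, $key, $root) {
    if (-not (Test-Path $f)) { throw "$f not found" }
}

# 1. key.pem must be passphrase-protected (the pkcs12 export prompts for a PEM password).
$keyText = Get-Content $key -Raw
if ($keyText -notmatch 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED') {
    throw 'key.pem holds an unencrypted private key; re-export it and set a PEM password.'
}

# 2. cert.pem and root.pem are public files and must not carry a private key.
foreach ($f in $cert, $root) {
    if ((Get-Content $f -Raw) -match 'PRIVATE KEY-----') { throw "$f contains a private key" }
}

# 3. The certificate and the key must be a pair: compare the public key derived from each.
#    openssl prompts for the PEM password here.
$pubFromCert = (& openssl x509 -in $cert -noout -pubkey) -join "`n"
$pubFromKey  = (& openssl pkey -in $key -pubout) -join "`n"
if ($LASTEXITCODE -ne 0) { throw 'could not read key.pem (wrong PEM password?)' }
if ($pubFromCert -ne $pubFromKey) { throw 'cert.pem and key.pem do not belong together' }

# 4. cert.pem must chain to the CA certificates in root.pem.
#    This fails if the provider's bundle stops at an intermediate and omits the root.
& openssl verify -CAfile $root $cert
if ($LASTEXITCODE -ne 0) { throw 'cert.pem does not verify against root.pem' }

# 5. Show who the certificate is for and fail if it expires within 30 days.
& openssl x509 -in $cert -noout -subject -enddate -ext subjectAltName
& openssl x509 -in $cert -noout -checkend 2592000
if ($LASTEXITCODE -ne 0) { throw 'cert.pem expires within 30 days' }

Write-Host 'root.pem, cert.pem and key.pem are consistent.'
```

The subject and subjectAltName printed in step 5 should match the DNS name that users will type to reach the Web portal.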
Once you have retrieved these files please contact ClockOn support for assistance with the remainder of the setup.