Configure Miscellaneous Settings for Web Applications

You can use web.config files to configure certain settings for the CSM Web Applications, including the Browser Client, Portal, and, in some cases, the Cherwell® REST API.

These web.config files can be found in the Cherwell directory on the server where you installed the web applications. For example, the web.config file for the Portal is located in Cherwell Browser Applications\Portal; for the Browser Client, the web.config file is located in Cherwell Browser Applications\Browser Client.

For best results, restart Internet Information Services (IIS) after you modify a web.config file.

Good to Know

There are several web.config files used by CSM.
When an application starts, the web.config file is backed up in a separate folder.
Content of the web.config files is retained during both upgrade and reinstallation, so any changes you make to web.config files are preserved.

Change Prompt Time-out Period

Prompts generated by a One-Step Action, Expression, or Stored Search remain open in the web applications for 2 minutes by default. If users do not respond to the Prompt within that time frame, the Prompt closes.

To change the default time-out period, modify the following key in the web.config file:

                                <add key="UIInteractionTimeoutInSeconds" value="number of seconds"/>

Configure Service Monitor

For Service Monitor authentication, the Cherwell REST API configuration may need to be changed after installing the Service Monitor. If using HTTP only, the cookie setting needs to be changed in the Service Monitor configuration.

Service Monitor Web.config

Service Monitor configuration file location:

C:\Program Files (x86)\Cherwell Service Management\CherwellMonitor\Web.config

Under the system.web settings, use the following settings for HTTP only:

<httpCookies domain=""
requireSSL="false"
httpOnlyCookies="true"/>

In production environments, we strongly recommend using HTTPS.

Under appSettings, point the Service Monitor to the Cherwell database.

First, remove the following block of code:

                            <add key="CherwellRestApiRootUrl" value="http://localhost/CherwellApi" /><!-- CherwellRestApiClientId is set in the API - exclusively for this use don't need to change on deployment--><add key="CherwellRestApiClientId" value="0A2C78D1-CB59-4F42-BD96-BD8BF7DBC758" /><!-- CherwellRestApiLoginUrl need to point to the location that the login page is setup for the client. --><add key="CherwellRestApiLoginUrlPath" value="auth/authorize" /><add key="CherwellRestApiLogoutUrlPath" value="api/V1/logout" /><add key="CherwellRestApiTokenUrlPath" value="token" />

Add the following new block of code:

                            <add key="TrebuchetDataSource" value="[Common]Cherwell Browser" />

By default, the Service Monitor URL uses HTTPS. To use HTTP, change the URL value for both the Service Monitor and the Cherwell REST API. The Cherwell REST API configuration file may need to be edited after installing the Service Monitor.

Rest API web.config

Rest API config file location:

C:\Program Files (x86)\Cherwell Browser Applications\CherwellAPI

The following configurations are pulled over from the SAML integration (See Configure SAML in CSM):

SAML redirect:

<add key="UseSAMLADFSRedirect" value="false"/>

IDP:
```
<add key="IDPisADFS" value="true"/>
```

Disable Label Resizing

While not recommended, to disable the resizing of labels that are set to dynamically auto-size in the Browser Client, add the following key to <appSettings> section of the web.config file:

                            <add key="AutoSizeLabels" value="False"/>

Disable Scripts in Reports

By default, Users can run a Report that contains scripts if they have rights to run the Report. You can disable scripts from running in all Reports, however. This may cause errors when Users run Reports that contain scripts, but may improve security.

By default, scripts are enabled for Reports.

To disable scripts in all Reports, change the value in the following key to "False":

                                <add key="AllowScriptsInReports" value ="true"/>

Execute Embedded HTML and Script

While not recommended, to allow HTML and script embedded in labels to be executed in the Browser Client, add the following key to <appSettings> section of the web.config file:

                            <add key = "AllowUnsafeLabels" value="True" />

                            <add key="AuthLogFile" value="c:\temp\webauthlog.log"/>

HTTPS-Only Cookies

In production environments, it is strongly recommended that sensitive cookies (like those used to maintain your session) be marked as "Secure," meaning they will only be transferred with requests that are made over HTTPS, and HTTP-only. They will not be accessible to Javascript running in the browser.

In order to take advantage of this configuration, perform the following steps:

Ensure the web application is running on an IIS instance that listens on both :80 (HTTP) and :443 (HTTPS).
Ensure IIS (or a web.config file, or some other handler) is set up to automatically redirect http://hostname/path to https://hostname/path.
Add the following line to these web.config files:
- C:\Program Files (x86)\Cherwell Browser Applications\Portal
- C:\Program Files (x86)\Cherwell Browser Applications\CherwellClient
- C:\Program Files (x86)\Cherwell Browser Applications\CherwellService
```
<httpCookies
httpOnlyCookies="true"
requireSSL="true" />
```

For more details, see https://msdn.microsoft.com/en-us/library/ms228262(v=vs.100).aspx.

In-line Browser Display Extensions

To specify other in-line browser display extensions that should open inside of a browser window, add the following key to the <appSettings> section of the web.config file:

                            <add key="InlineBrowserDisplayExtensions" value=".pdf,.xml"/>

Browsers that are not Microsoft Edge (ex: Chrome™, Mozilla Firefox®, etc.) handle in-line browser display extensions more automatically, but Edge requires this to be set. PDF and XML files are handled this way by default.