Configure Miscellaneous Settings for Web Applications

You can use web.config files to configure certain settings for the CSM web applications, including the Browser Client, Portal, and, in some cases, the Cherwell REST API.

These web.config files can be found in the Cherwell directory on the server where you installed the web applications. For example, the web.config file for the Portal is located in Cherwell Browser Applications\Portal; for the Browser Client, the web.config file is located in Cherwell Browser Applications\Browser Client.

For best results, restart Internet Information Services (IIS) after you modify a web.config file.

Change Prompt Time-out Period

Prompts generated by a One-Step, Expression, or Stored Search remain open in the web applications for 2 minutes by default. If users do not respond to the Prompt within that time frame, the Prompt closes.

To change the default time-out period, modify the following key in the web.config file: 

<add key="UIInteractionTimeoutInSeconds" value="number of seconds"/>

Disable Label Resizing

While not recommended, to disable the resizing of labels that are set to dynamically auto-size in the Browser Client, add the following key to <appSettings> section of the web.config file: 

<add key="AutoSizeLabels" value="False"/>

Enable Lookup Button for Business Objects

By default, the Lookup button will enable only on Fields that support lookups. To enable the Lookup button whenever editing a Business Object, add the following key to <appSettings> section of the web.config file: 

<add key="LookupAlwaysEnabled" value="True"/>

Disable Scripts in Reports

By default, Users can run a Report that contains scripts if they have rights to run the Report. You can disable scripts from running in all Reports, however. This prevents may cause errors when Users run Reports that contain scripts, but may improve security.

By default, scripts are enabled for Reports.

To disable scripts in all Reports, change the value in the following key to "False": 

<add key="AllowScriptsInReports" value ="true"/>

Execute Embedded HTML and Script

While not recommended, to allow HTML and script embedded in labels to be executed in the Browser Client, add the following key to <appSettings> section of the web.config file: 

<add key = "AllowUnsafeLabels" value="True" />
<add key="AuthLogFile" value="c:\temp\webauthlog.log"/>

HTTPS-Only Cookies

In production environments, it is strongly recommended that sensitive cookies (like those used to maintain your session) be marked as "Secure," meaning they will only be transferred with requests that are made over HTTPS, and HTTP-only, meaning they will not be accessible to Javascript running in the browser.

In order to take advantage of this configuration, perform the following steps:

  1. Ensure the web application is running on an IIS instance that listens on both :80 (HTTP) and :443 (HTTPS).
  2. Ensure IIS (or a web.config file, or some other handler) is set up to automatically redirect http://hostname/path to https://hostname/path.
  3. Add the following line to these web.config files:
    • C:\Program Files (x86)\Cherwell Browser Applications\Portal
    • C:\Program Files (x86)\Cherwell Browser Applications\CherwellClient
    • C:\Program Files (x86)\Cherwell Browser Applications\CherwellService 
    <httpCookies
httpOnlyCookies="true"
requireSSL="true" />

For more details, see https://msdn.microsoft.com/en-us/library/ms228262(v=vs.100).aspx.

In-line Browser Display Extensions

To specify other in-line browser display extensions that should open inside of a browser window, add the following key to <appSettings> section of the web.config file: 

<add key="InlineBrowserDisplayExtensions" value=".pdf,.xml"/>
Note: Browsers that are not Internet Explorer (ex: Chrome™, Mozilla Firefox®, etc.) handle in-line browser display extensions more automatically, but Internet Explorer requires this to be set. PDF and XML files are handled this way by default.
© Copyright 2018 Cherwell Software, LLC. All rights reserved.