Configuring the web browser allowlist (system.properties)

In Niagara, using Workbench in a web browser is governed by an allowlist, which adds security and customizability. The allowlist specifies exactly which web addresses Workbench can navigate to. Consequently, you can no longer use Workbench to freely browse external web addresses unless you configure the allowlist to allow it.

Before you begin, make sure you are aware of any security implications or organizational policies before allowing Workbench to browse the web unrestricted.

You configure the whitelist with approved hostnames, domains, and subdomains, optionally filtering on protocol, port, and path. For more customized filtering, you may also use the regex: prefix. If desired, you can completely disable the web browser.

  1. To navigate to the !defaults/system.properties file, expand My Host > My File System > Sys Home > defaults in the Nav tree and double-click system.properties.
    The Text Editor view opens.

  2. Scroll to the niagara.webbrowser.urlWhitelist property.
  3. Enter a comma-separated list of URL patterns that you have decided are acceptable for Workbench to navigate to.
    The following entries list what to allow navigation to, each followed by the value to enter.

    Web pages served by a particular hostname, such as your localhost:

    niagara.webbrowser.urlWhitelist=hostname

    Web server on any subdomain of a given domain, such as domain.com, www.domain.com, subdomain.domain.com:

    niagara.webbrowser.urlWhitelist=domain.com

    Specific subdomain, such as allowing www.domain.com, but not domain.com:

    niagara.webbrowser.urlWhitelist=www.domain.com

    Localhost, but using only the specified protocol and port number, for example, using port 8088:

    niagara.webbrowser.urlWhitelist=https://localhost:8088

    Any URL at domain.com, but filtering with a partial path such as /public/:

    niagara.webbrowser.urlWhitelist=domain.com/public/

    Additional customizing is possible using regex syntax. The regex will match on any substring of the URL. For example, regex:a would match any URL that contains the letter “a”. Similarly, to match on any file ending in .htm at domain.com, but no other files, enter:

    niagara.webbrowser.urlWhitelist=regex:domain.com/.*/\\w+\\.htm$

    To specify multiple URL patterns, enter them in a comma-separated list. For example:

    niagara.webbrowser.urlWhitelist=localhost,niagara-central.com,bacnet.org

    To effectively disable the whitelist, set it to an empty regex, which will match on any URL. Workbench can then be used to navigate to any URL. To set the property to an empty regex, enter:

    niagara.webbrowser.urlWhitelist=regex:

    To disable the web browser altogether, set the niagara.webbrowser.disabled property. Disabling the web browser disables access not only to external URLs, but to all HTML content, including the Workbench splash screen, the Px Editor Browser Preview mode, and all Web Widgets such as Property Sheet and Web Chart. To set the property, enter:

    niagara.webbrowser.disabled=true

    Other configuration options:
    Starting in Niagara 4.10u7, hyperlinks to certain ORDs containing queries may resolve to an optimized ORD form for a given result, which can sometimes avoid hyperlink ORDs that grow too large. For example, Niagara may replace a query ORD with a (more efficient) Nav ORD that resolves to the same result when the hyperlink is processed. The main side effect of this optimization is that the path bar (or URL in the browser) may look different (uses the optimized Nav ORD form) for the same result. To disable this optimization and side effect, set this system property to true.

    niagara.hyperlink.ord.substitution.disabled=false

    Lockout settings for failed attempts to update a password due to an incorrect current password. The default is a 5-minute lockout after 5 failed attempts within a 1-minute window; time values are in seconds.

    niagara.updatePassword.lockoutWindowUpdatePasswordFail=60

    niagara.updatePassword.lockoutPeriodUpdatePasswordFail=300

    niagara.updatePassword.maxBadAttemptCurrentPassword=5

    This system property, when set to true, will configure Bouncy Castle JSSE to include server name parameters in the TLS handshake for outgoing (client) connections. This is required for FOXS connections that must traverse a reverse proxy that routes requests to hosts based on the SNI extension contained in the ClientHello message. If a target host is specified by IP address, and this property is set to true, a reverse DNS lookup may be used to obtain the hostname. Note that if the name service is not trustworthy, enabling reverse name lookup may be susceptible to man-in-the-middle attacks.

    org.bouncycastle.jsse.client.assumeOriginalHostName=false

    Niagara 4.14 introduces a Web CategoryBrowser feature that can be used to view and modify categories from the browser. This system property can be turned on to hide this view.

    niagara.hideWebCategoryBrowser=true

    This system property specifies a ';' separated list of Signature Algorithms, and is used to determine if a certificate chain's root certificate should be excluded when presented to a client during a TLS handshake. If a certificate chain root certificate has a key purpose of Certificate Authority, and its signature algorithm matches a value specified in this list, it will be removed from the certificate chain sent to a client in the ServerHello message.

    niagara.web.excludeRootCAFromCertChainForSigAlgs=SHA1WITHRSA

    These properties allow you to increase the size limits of the various key store types from the default value of 500. Caution: Ensure that a larger value does not overload the Niagara daemon or station.

    niagara.crypto.maxKeyStoreEntries=500

    niagara.crypto.maxUserTrustStoreEntries=500

    niagara.crypto.maxExemptionStoreEntries=500

  4. On completion, save your configuration changes.
  5. For your changes to take effect, exit Workbench by selecting File > Exit and restart it.
  6. To use the allowlist, navigate to a URL using Workbench.
  7. If the site is not allowed by the allowlist, click the Open In Desktop Browser command in the toolbar to access the site in your desktop web browser.
    The desktop browser opens.
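
The following added example (not Niagara code) checks the regex: entries from step 3 before they are deployed. Because a regex entry matches on any substring of the URL, the sample .htm pattern above also matches URLs on other hosts. The check assumes Python's re.search approximates that substring behaviour; the properties text, the deny-list URLs and the anchored pattern are constructed for illustration.

```python
import re

# Constructed system.properties fragment (not from a real host). Backslashes
# are doubled in the file, as in the page's regex example.
SAMPLE = r"""
niagara.webbrowser.urlWhitelist=localhost,regex:domain.com/.*/\\w+\\.htm$,regex:^https://domain\\.com/.*/\\w+\\.htm$
niagara.webbrowser.disabled=false
"""

# Constructed URLs the operator does NOT intend to allow.
MUST_DENY = [
    "https://notdomain.com/docs/page.htm",             # different host, same suffix
    "https://other.example/?u=domain.com/x/page.htm",  # pattern text inside the query
]

def read_allowlist(text):
    """Return the urlWhitelist entries with the doubled backslashes undone."""
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "niagara.webbrowser.urlWhitelist":
            # Limitation: a regex that itself contains a comma would be split here.
            return [p.strip().replace("\\\\", "\\")
                    for p in value.split(",") if p.strip()]
    return []

def audit_regex_entries(entries, must_deny=MUST_DENY):
    """Flag regex: entries that are empty or match a URL that should be denied."""
    findings = []
    for entry in entries:
        if not entry.startswith("regex:"):
            continue  # plain hostname/domain/path entries are not modelled here
        body = entry[len("regex:"):]
        if body == "":
            findings.append((entry, "empty regex matches every URL"))
            continue
        # Assumption: re.search models "match on any substring of the URL".
        hits = [u for u in must_deny if re.search(body, u)]
        if hits:
            findings.append((entry, "also matches: " + ", ".join(hits)))
    return findings

if __name__ == "__main__":
    for entry, reason in audit_regex_entries(read_allowlist(SAMPLE)):
        print(f"{entry}\n    {reason}")
```

Only the unanchored entry is reported; the constructed variant that starts with ^https:// and escapes the dot in the hostname matches neither deny-list URL.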