EFR Additional Functions
The API is a generic interface that can be used for all countries. If there are additional country-specific requirements, these are described in the country-specific guides. The generic interface is available from EFR version 2.5.0. The changes to the interface are backwards compatible.
Transaction Requests
POST /restart – Restart Transaction
| Query | RN | Optional RN, default: def |
| TaxId | Optional TaxId |
Formal identically to /register, to be used on system restart/recovery.
POST /register/void – Void Transaction
Supply the original transaction data in the request body. EFR will invert amount and quantity fields, add reference information and register as negative transaction.
The original transaction is not deleted!
Voiding the transaction of another EFR or client is basically permitted. TL, TT and TN contained in original data are used as reference (RTL, RTT, RTN), for the current post local TL and TT settings are used, also automatic TN.
If TN comes from the sender system, it has to be determined in "Sender ESR" (in addition to the original data):
<Tra>
<SESR TN="1234"/>
<ESR TN="0456"…
Use GET /last – Last for querying the last response, GET /find?\_=Tra for the complete last transaction.
In Online mode use GET /tra?TL=…TT=…TN=… to fetch a transaction, even of another local EFR (within LAN period keys - needed for decryption - are exchanged). As reference transactions are assigned, voiding the same transaction twice can be prevented.
http://localhost:5618/register/void/last
voids the last transaction registered, in this case the request body is empty (or contains <SESR> only). If required, an ESR.Rsn value can be specified with ?rsn=...
PUT /repo – Register Configuration Change into Audit trail
| Query | RN | Optional RN, default: def |
| file | Mandatory, [path], filename Upload configuration file, which is analysed for changes relative to a last version of that file, if applicable. Changes are calculated per line, entered into the audit trail [FR]  , and returned. | |
| Request Header | accept | xml (optional) In this case a XML document is returned instead of a JSON object |
| Request Example | http://localhost:5618/repo?file=test.dat | |
| Request Body | plain/txt, UTF-8 | |
| Response Status | 200 OK, 400 Bad Request=BAD, 406 Not Acceptable=NO | |
| Response Body | XML or JSON transaction, UTF-8 |
Response Example JSON:
{"AuditC":{
"SQ":8274,
"Result":{"RC":"OK"},
"TY":"Repo","Method":"PUT","File":"test.dat",
"Diff":\[
"+\[0\]: Aurea prima sata est aetas, quae vindice nullo,",
"+\[1\]: sponte sua, sine lege fidem rectumque colebat. ",
"+\[2\]: etc.etc."\],
"Fis":{"Payload":"141,300,Repo,20170905183326,,0014/0001,N,oeZrvtZkwQX…,
"Signature":"\_OodHQgZHeDHj51p…}}}
GET /repo – Register Configuration Change into Audit trail
| Query | RN | Optional RN, default: def |
| file | Mandatory, filename Retrieve current documented configuration state for a given filename. | |
| Request Header | Accept | xml (optional) |
| Response Status | 200 OK, 404 No file of this name found | |
| Response Body | XML or JSON transaction, UTF8 |
Informational Requests
GET /cer – Certificate
Get public certificate from file /EFR/cer/{Serial}.pem.
Example:
http://localhost:5618/cer/fa814462362ea68d1a0d
Content-Type:
application/x-pem-file
GET /recorder/lastdh – Last Document Handle
Use this request after /register to get the Document Handle to this transaction for download of the Digital Receipt from efsta cloud. If you show this URL as QR code on the POS customer display, the bill can be fetched onto a smartphone.
Try out http://localhost:5618/demo/register.html, see "Your Bill" after [Register]).
Here, it is implemented as HTML <img src="http://localhost:5618/recorder/lastdh/qr"/>.
To achieve a small QR code use
http://localhost:5618/recorder/lastdh/qr?small=true&ec_level=L
- With the "small" option, the 5 char Transaction Handle TH is omitted, what may cause longer loading time for bill.efsta.net/dh
ec_level=Lforces an QR code with low error correction- Possible QR options:
ec_level: L|M|Q|H,size: default 5,margin: default 4,fmt: png|pc437|bmp|svc|pdf|eps - Attention: when using
<img src= a browser might cache image data – use ?dummy=(https://stackoverflow.com/questions/728616/disable-cache-for-some-images).
As an alternative to actively fetch DH you can set Attribute Tra_DH to have DH always included in the /register <Tra> response.
GET /log – Realtime Logging
| Query | iid | Instance id (e.g. computer name), keep static for one client used to respond with the latest log lines only |
| Request Example | http://localhost:5618/log?iid=HUGO23 |
Response Example:
{
"Lines":\["16:14:37.083 Checkin {\\"log\\":{\\"TY\\":\\"START_EFR\\",…
Used for interactive log viewer.
Journal
POST /render – Show Transaction
To render a specific transaction, JSON {"\_":"Tra"… or XML <Tra>… data (fetched using /find or /tra before)
can be posted.
GET /retrieve – Retrieve Journal Records
| Query | RN | Optional, journal to use, default: 'def' |
| last | Required, SQ to start reading behind last=0 from beginning | |
| endSQ | End point | |
| target | Folder to store retrieved #######.json | |
| Further filter options see 5.4.4 GET /find – Find Journal Record | ||
| Request Example | http://localhost:5618/retrieve?rn=210&_=Tra | |
| Authentication | Local operation only (localhost) or Profile.Password authorization | |
| Response Body | XML or JSON data stream |
This request is intended to do periodical retrieval of records for backup or closure/balance reporting. Retrieval is started with SQ behind the last query parameter, for contiguous processing send the last SQ recently processed.
POST|GET /jou/reprintcnt – Reprint Count
| Query | RN | Journal to use, default: 'def' do not specify if parameter RN_TT is set (see 6 Configuration) |
| TL, TT, TN, ESR | Properties used as identification key | |
| Request Example | http://localhost:5618/jou/reprintcnt?tl=001&tt=1&tn=4711 | |
| Authentication | None | |
| Response Body | Text/plain containing counter only |
In some countries each transaction reprint has to be marked with a counter; use this function to GET or POST (=increment) this count. In [FR] a fiscal signature is delivered upon POST, for details see EFR Guide FR.
As with version 1.5.2 the counter data is stored locally, a common cloud enumeration will be implemented in a future version of EFR.
Maintainance
POST /service/restart – Restart App
Request Example:
http://localhost:5618/service/restart?password=mypwd
Authentication:
local operation only (localhost) or Profile.Password authorization
Response:
http status code 200, empty body
GET|POST /service/config – Service Configuration
Browser URL:
http://localhost:5618/service/config
Web form to configure incremental backup storage path and retrieve last backup result.
GET /backup – Download Backup .zip
| Query | RN | Optional, backup for RN, default: 'def' |
| from | Optional date | |
| last | Optional, name of last backup file received Used for incremental backup, default: full backup | |
| Request Example | http://localhost:5618/backup?rn=4711&last=0023 | |
| Authentication | Local operation only (localhost) or Profile.Password authorization | |
| Response Header | Content-type | application/zip |
| Content-disposition | attachment; filename=####.zip The filename is derived from the latest .jou file used. Therefore identical filenames may be delivered for subsequent backup jobs, files may be replaced on target directory. | |
| Response Body | binary .zip file |
For retrieving EFR log files http://localhost:5618/backup/log or set flag /backup?log.
GET /backup/incremental – Incremental Backup onto Storage Directory
| Query | RN | Optional, backup for RN, default: 'def' |
Path specify path to backup storage root directory, where backup .zip files are stored under the corresponding RN subdirectory; example: path=D:/mybackup => D:/mybackup/def/0000.zip May be preset using /service/config API. | ||
| Request Example | http://localhost:5618/backup/incremental?path=D:/mybackup | |
| Authentication | Local operation only (localhost) or Profile.Password authorization | |
| Response Header | Content-type | text/plain |
| Response Body | Processing info Processing time depends on data volume stored and storage access speed. |
GET|POST /backup/restore – Restore onto new (unused) EFR Installation
| Query | RN | Name of RN to restore, default: 'def' |
| path | Path to backup storage | |
| Browser URL | http://localhost:5618/backup/restore |
ONLINE
Restore may be used on offline systems (not connected to efsta cloud) only.
IN_USE
RN folders in use may not be overwritten.
After hitting the [RESTORE] backup .zip files from path are restored.
Progress of restauration is displayed on screen or may be fetched using GET /backup/info.
GET /backup/log – Download Logging .zip
| Query | RN | Optional, backup for RN, default: def |
| from | Optional, JSON date, deliver .log from date | |
| till | Optional, JSON date, deliver .log to date | |
| Request Example | http://localhost:5618/backup/log?rn=4711&last=0023 | |
| Authentication | No permission required, only .log processing information without business data is delivered | |
| Response Header | Content-type | application/zip |
| Response Body | binary .zip file |
This request may be used to fetch logs from an EFR for support purposes. In online configurations an uploadlog request may be triggered from cloud.
ET /disk – Storage Information
Request Example:
http://localhost:5618/disk
Response Example:
{"Usage":5.215046,
"Path":{
"cer":{"dirs":3,"files":33,"size":2929363},
"gbl":{"dirs":1,"files":7,"size":11084},
"log":{"dirs":0,"files":59,"size":2039365},
"rn/def":{"dirs":4,"files":120,"size":235234}}}
Usage states the total storage used in MB.
GET /disk/dir – Remote DIR Request
Request Example:
http://localhost:5618/disk/dir
Delivers a directory list (text/plain) with last modification timestamp and size in bytes.
POST /disk/clean – Clean Storage
| Query | quota | Disk quota allowed in MB in case of overrun cleaning is done to 80% of this value does not affect DiskQuota Profile setting |
| keep | Date, from which files have to be kept 3 full months by default, i.e. on 2017-12-24 keep=2017-09-01 is used a numeric value is interpreted as days, e.g. keep=90 | |
| Request Example | http://localhost:5618/disk/clean?quota=800 | |
| Response Body | XML or JSON Storage Information according to GET /disk |
POST /lic – Activate License
| Query | rn | Target client (by default "def") |
| key | License key retrieved from efsta Portal | |
| Request Example | http://localhost:5618/lic?key=%20demo.cde.e202005.mzk5iv |
Utility
ET /authorization – Authorization for Third Party Cloud Access
| Request Example | http://localhost:5618/authorization | |
| Response | JWT | Signed using EFR communication certificate |
| Content-type | text/plain | |
| Authentication | local | Operation only (localhost) or Profile.Password authorization |
GET /qr – QR Image
| Query | text | QR source data (encodeURIComponent) |
| type | png (default), bmp, svg, pc437 | |
| size | Module size in pixels | |
| margin | In modules, default: 1 | |
| Request Example | http://localhost:5618/qr?text=... | |
| Response Header | Content-type | image/png for image types |
| Content-type | text/plain for type=pc437 |
Windows PowerShell example:
PS C:\\> curl
Uri: <http://localhost:5618/qr?text=hello%20world>
StatusCode : 200
StatusDescription : OK
Content : {137, 80, 78, 71...}
JavaScript example (simplified, text in URL):
C:\\> node
\> var http = require('http')
\> var req = http.request({ host:'localhost', port:5618, path:'/qr/'+encodeURI('hello world') }, res=>{
res.on('data', data=>{ console.log(data) }) // expected: <Buffer 89 50 4e ... >
})
\> req.end()
PC437 can be used to print a QR within HTML or a text file. For this PC437 block characters ' ▀▄█' (unicode  ▀▄█) are used. For negative rendering (e.g. on screen) invert to [219, 220, 223, 32]. VB-Script example (querystring parameters):
Set Http = CreateObject("Msxml2.ServerXMLHTTP")
Http.open "GET", "<http://localhost:5618/qr?type=pc437&text=>" & Fis_Code, True
Http.send ""
Do While Http.readyState <> 4
Http.waitForResponse 10
Loop
If Http.Status = 200 Then
Printer.Font.Name = "Courier New"
Printer.Font.Size = 3
Printer.Font.Charset = 255 ' OEM_CHARSET PC437
Printer.Print Http.responseBody
End If
Telemetry and Telecommanding
EFR infrastructure includes functionality for detailed tracing of the program flow, which usually is enabled on demand during development and testing (e.g. with Profile Attribute Fiscal_log). But it also can be enabled programmatically for test automation or to collect telemetry data for support cases.
The following endpoints are used to control the program behaviour, although for usual customer projects they don't need to be implemented.
GET /trace/{module}/enable and /disable
Turn on/off module tracing into /ProgramData/EFR/log/{yyyymmdd}${module}.log.
GET /trace/{module}/listen
Instantly listen to tracing in browser (implicit enable of module tracing).
GET /trace/{module}/log
Supply latest records from /ProgramData/EFR/log/{yyyymmdd}${module}.log.
POST /trace/{module}/push?
POST /trace/{module}/push?
Insert a record into module trace.
POST /cmd?
Telecommands are received in the cloud heartbeat response (interval 15 min), e.g. to launch a program update. They usually are triggered over the cloud Portal, therefore no detailed syntax is given here.
File Interface
Instead of using a webservice, transactions can be registered using a file interface. In this case a request file is provided on the request directory, with the response being delivered as response file.
As first step, the communication directories have to be created. The FileWatch operation will only be started if the following exists on EFR startup:
C:\\> mkdir C:\\ProgramData\\EFR\\req
C:\\> mkdir C:\\ProgramData\\EFR\\res
Directory req serves as 'request' container, res is for response files.
As soon as a file req\1234.req is created (XML or JSON formatted), the response is provided in res\1234.res and the .req is deleted. After processing, the .res file has to be removed by the foreground application. The files have to be uniquely named (e.g. corresponding to Transaction Number TN, UUID, time stamp), if multiple clients are handled in one EFR, also add client ID 'RN'.
Query parameters usually set in /register webrequest (RN, TaxId) can be set within request data, e.g.:
<Tra TaxId="DE999999999">
<ESR TL="001" TT="2" …
FileWatch can also supply image files for fiscal QR codes. If attribute Fis_QR=type=bmp&size=4 is set (>> Attributes p.), a file 1234.bmp is created in \res.
The proper function of FileWatch depends on the underlying file system. If this does not support native watching, the program will switch to directory polling (300ms interval). On some systems, files are not locked during writing and parser errors may occur. In this case, creating a temporary file 1234.tmp and renaming it to 1234.req is recommended.
Attributes
In profile.cfg Attributes field flags can be set for transaction processing. Attributes is parsed as space delimited list according to HTML element definition, Attr names are case insensitive. Formally valid declarations:
myattr myattr=hello myattr="hello world" myattr='hello "world"'
Declaration without attribute value is interpreted as true.
Attributes affecting general program behaviour may require EFR restart to get into action.
Table of Attributes
| Attribute | Countries | Module | Remarks |
|---|---|---|---|
| App_restartAt | app | Perform automatically a daily restart at hh:mm:ss (default 3:00) | |
| Device_Auth | Authorization with external devices with username and password e.g.: Device_Auth=username:password | ||
| EFR_test | Cloud | Handle EFR instance as test system reports are not forwarded to the Fiscal Authority (or marked as 'test' resp.) | |
| FileWatch_path | FileWatch | Network path to watched folder example: FileWatch_path=\\share\EFR | |
| Fiscal_ApiKey | [PT]  | Fiscal | Fiscal partner reference restart EFR for activation |
| Fiscal_BackupAt | [DE]  | Fiscal | Time at which the daily TSE backup should be performed default: 04:00 |
| Fiscal_acceptUnauthorized | [CZ]  | Messenger | Not to be used generally, workaround for Error: unable to verify the first certificate This occurs, if the Fiscal System does not supply the whole SSL certificate chain on startup of a TLS connection. |
| Fiscal_Log | Fiscal, Messenger | Write /rn/def/log/yyyymmdd_hhmmss.log files (containing fiscal XML) for all transactions, not only in case of error use this option to check the fiscal representation of special business cases | |
| Fiscal_Rules | [FR] [SK]  | Fiscal | Fiscalization rules to follow, e.g. Fiscal_Rules=LNE |
| Fiscal_Test | [AT]  | Fiscal | Interpret transactions as NFS="Training" transactions are processed as "Training" according to fiscal law |
| Fiscal_Test | [CZ] [DE] [FR] [HR] [SI] [SK]   | Fiscal | Report transaction to Fiscal Authority's playground system< set this attribute during test phase |
| Fiscal_Timeout | [AT] [CZ] [DE] [HR] [IT] [SI]  [SK] | Fiscal, Messenger, TSE_* | Timeout in ms for fiscal processing (request to fiscal system, local signature creation or remote sign request) timeout testing: fiscal_timeout=1 |
| Fiscal_YearEnd | [FR] | Fiscal | Specify month, when audit code 60 "Clôture d’exercice" shall be reported (01-12, default: 12) |
| Fiscal_Z | Launch | If set a balance transaction (ESR.NFS="BAL") is inserted before registration of a transaction for a new date (ESR.D) IT: /register response may be retarded by closure printout | |
| Fis_Certification | [FR] | Fiscal | Number of software certification (issued e.g. by INFOCERT) by default B0000 is used |
| Fis_Code | [CZ] | Fiscal | Deliver PKP in <Fis><Code> |
| Fis_OCR | [AT] | Fiscal | Add OCR string to <Fis> element in response (BASE32 coded) |
| Fis_QR | [AT] [DE] [SI] | Fiscal | Add QR image (base64) to <Fis> element in response specify type and size according to /control/qr example: fis_qr=type=png&size=2&ec_level=L |
| Fis_Tot | Checkout | Include fiscal grand totals in responses <Fis> element | |
| FN_series | [PT] | Fiscal | Series ("A"-"Z", excluding "M") to be used after replacement and initialization of a POS system to avoid duplicates with previously issued documents |
| HttpServer_Disable | app | Do not start webserver, transaction registration may be done using the file interface directories /req and /res | |
| HttpServer_IPv4 | HttpServer | Use IPv4 addressing instead of IPv6 Windows XP: automatically set to true, reset with httpserver_ipv4=6 | |
| HttpServer_respond102 | HttpServer | During request processing (e.g. completion of fiscal printout) respond intermediate HTTP-Status 102 (after ms specified, default 9000) | |
| HttpServer_respond200 | HttpServer | Respond HTTP-Status 200 also in case of BAD and NO some requestors can parse a success response only | |
| HttpServer_AllowOrigin | HttpServer | Set HTTP-Header Access-Control-Allow-Origin on all requests (CORS) example: HttpServer_AllowOrigin=localhost | |
| IO_debug | IO | Request additional IO logging | |
| IO_nosync | IO | Do not sync onto hard disk setting this attribute on systems with UPS improves transaction throughput | |
| IO_DeferTimeout | IO | Defer .jou writing (in ms, default 1000) | |
| Log_debug | Log | Log without .log file size limits | |
| Log_length | Log | Length of log lines into /EFR/log/\*.log | |
| Log_remove | Log | RegExp to specify items to be removed from log lines example to remove amounts: Log_remove=[=:]"?\d*\.\d+"? | |
| Normalize_D | Normalize | Number of days for ESR.D date validation (default 7) example approx. 1 month: Normalize_D=31 | |
| Print_Log | Creates check file /EFR/rn/def/print.log (intermediate html) | ||
| Printer | Deliver | Specify printer driver (in directory /Peri/driver) for transaction printing example: Printer=Epson_TM | |
| Printer_Port | Fiscal printer modules | Connection port assignment example: COM1:9600 ETH:192.168.0.2 | |
| Printer_Log | fiscal printer modules | Printer communication is traced into /EFR/log/yyyymmddp.log | |
| Recorder_init | Recorder | Delay for initialization of cloud connection in ms (default 10000) adjust this parameter in case of specific system startup behaviour example: recorder_init=60000 (1 minute) | |
| Recorder_Log | Recorder | Log online cloud communication into /log/{date}r.log | |
| Recorder_staging | Recorder | efsta internal: use cloud staging instance restart EFR to take effect | |
| Register_disable | [AT] | app | Not a registration EFR instance set on SignServer instances |
| SC_disable | app | Do not use local smartcards | |
| SC_ignore | [AT] | SC | Do not connect the smartcard reader specified, so it can be used by other applications – specify reader name (RegExp, cas insensitive) example: SC_ignore=gemplus |
| SC_Log | [AT] | SC | Smartcard APDU command tracing into /log/{date}s.log |
| Sign_debug | [AT] | A-Trust Prime-Sign | Additional web request logging |
| SignServer | [AT] [DE] | SignServer TSE | EFR SignServer operation, other EFRs in the same LAN may use the smartcards or TSEs of this server |
| SoftwareProvider | Cloud | Provider of POS software used in efsta cloud for hierarchial EFR management, if a company is served by different software providers | |
| TEST_Verify_err | [CZ] [SI] [SK] | Messenger | For testing an invalid signed response from fiscal system |
| TEST_RC | Normalize | For testing a BAD or NO response example: test_rc=NO | |
| Tra_DH | Checkout | Include Document Handle DH in /register <Tra> response for bill.efsta.net access (EFR in Online mode required) | |
| TSE_AdminPin | [DE] | TSE | Set the AdminPin for the TSE. See EFR Guide DE |
| TSE_AdminPuk | [DE] | TSE | Set the AdminPuk for the TSE. See EFR Guide DE |
| TSE_BackupAt | [DE] | TSE | Configure TSE backup time for local and remote TSE (default randomized between 03:10:00 and 04:10:00) set TSE_BackupAt=NO to disable automatic backup |
| TSE_BackupDelete | [DE] | TSE | Set this flag to enable TSE export backup for manufacturer TSE server drivers like Diebold-Nixdorf or Epson (local and network): export/backup and delete is performed after each Z Report (NFS=Z) |
| TSE_install | [DE] | TSE_DF, TSE_SBC | Set TSE_install=NO to block automatic driver installation from efsta cloud, the driver manually installed is used valid for Deutsche Fiskal cloud TSE |
| TSE_KeepAlive | [DE] | TSE_SB | Set device polling interval in sec (default 10), which may be required to block automatic USB power off by system’s energy management valid for Swissbit local TSE |
| TSE_MountPoint | [DE] | TSE | Set path to TSE mount points on Linux, e.g. TSE_MountPoint=/mnt/ or specify devices to scan on Windows, e.g. TSE_MountPoint=D:,E: |
| TSE_PortScan | [DE] | TSE | Example: TSE_PortScan=10.0.0.10-20:10001,10.0.0.255:20001 see “TSE Assignment” for details |
| TSE_SelfTestAt | [DE] | TSE_SB | Configure auto selfTest time (default 03:05:00) valid for Swissbit local TSE |
| TSE_TimePin | [DE] | TSE | Set the TimePin for the TSE. See EFR Guide DE |
| TSE_TimePuk | [DE] | TSE | Set the TimePin for the TSE. See EFR Guide DE |
| UdpServer_disable | [AT] | app | Block SignServer action (as server) and signature (as client) |
EFR as HTTPS Server
Server Identity
If a certificate /EFR/cer/ssl.pfx (PKCS12) is found on EFR startup, it is loaded for HTTPS server authentication. The certificate must have an empty ("") password. Depending on the client's server verification method, the certificate file should contain intermediate certificates.
If HTTPS is enabled, it is effective also for web requests (e.g. https://localhost:5618/control). If (for inhouse communication only) a self signed certificate is used, this will cause a security alert from the browser:
- in Google Chrome navigate here and click
[Enabled]
(source: stackoverflow.com) - in Mozilla Firefox, upon security warning click on
[Extended],[Add Exception]and confirm the certificate.
Client Verification
Enablling HTTPS forces encrypted communication, but does not secure EFR against third party access. This can be achieved by TLS client certificate authentication. Here, the browser (e.g. https://.../control) and programmatic (e.g. https://.../register) requests need to be authenticated by a client certificate.
Whitelist Method
Provide the respective public certificates in the folder /EFR/cer/client (as .pem, .crt, .cer or .der, PEM or DER format).
CA Certificate
More elegant client certificates can be derived from a common 'CA' certificate, which is declared as /EFR/cer/client/ca\*.pem. Client certificates are verified to be issued by the CA certificate then.
Example
Example of generating CA and client certificates using openssl (openssl.org"):
openssl req -x509 -newkey rsa:4096 -days 3650 –nodes -keyout ca.key -out ca.pem
-subj "/O=efsta/OU=EFR/CN=EFR SSL client CA"
openssl genrsa -out client.key 1024
openssl req -new -key client.key -out client.csr
-subj "/O=efsta/OU=EFR/CN=EFR SSL client"
openssl x509 -req -days 3650 -in client.csr -CA ca.pem -CAkey ca.key
-set_serial 01 -out client.pem
openssl verify -CAfile ca.pem client.pem
openssl pkcs12 -export -in client.pem -inkey client.key -password pass:
-out client.pfx
Setting it into action:
COPY myservercertificate.pfx C:\\ProgramData\\EFR\\cer\\ssl.pfx
MD C:\\ProgramData\\EFR\\client
COPY ca.pem C:\\ProgramData\\EFR\\client\\ca.pem
For requests (browser and program), client.pfx is used as client certificate.
Network Configuration
Of course, access restriction can be configured using the server's firewall.
Browser Authentication
Basic Authentication
Sensible parts of EFR configuration like http://localhost:5618/control can be protected by setting an EFR system password in profile form:
Upon browser access, username and password have to be entered, then only the password is verified. To have a password upon installation, you can provide an initial configuration file /EFR/gbl/profile.cfg.
Please be aware, when accessing EFR over network using HTTP protocol, the entered password is transferred unencrypted – instead switch to HTTPS or use Digest Access Authentication.
Digest Access Authentication
For appropriate username/password configuration according to RFC 2617, a userlist file /EFR/gbl/.htdigest can be provided. This is a text file according to Apache WebServer specification, containing ${username}:${realm}:${hash} per line.
Example
user1:EFR:2f72912bba017d9352a753df2fdf946d
user1:EFR.001_1:a498cdc760ca554cf44b85c846a1bef5
user2:EFR.001_2:73946a4756fdaff0c0d24e66c28357d3
The second field 'realm' is "EFR" by default, but for multi client operation a separate username/password combination can be set for each realm "EFR.${RN}". In the example above, user1 could access RN 001_1 (line 2) and e.g. 001_3, as for this RN no specific user is assigned. 001_2 can be accessed by user2 only.
The third field 'hash' is defined as
hash = md5(username+":"+realm+":"+password)
For convenience, the Apache password manager htdigest may be used to create a .htdigest file on Linux.
$ htdigest .htdigest EFR user1
Adding user user1 in realm EFR
New password: