Configuration

Fabasoft Folio uses socket connections to connect backend services and frontend clients.

The socket communication between frontend and backend services can be encrypted and authenticated using SSL/TLS.

Clients and server processes use certificate fingerprints to identify trusted peers. The default implementation uses keys and trusts per host. Every host acting as part of a Fabasoft installation has to have a key and the correct trusts to identify services and clients.

Environment Variable “TLSDIR”

To enable encryption and authentication, set the environment variable TLSDIR. It is configured in the same way as the other environment variables that configure the socket connection for Fabasoft Services (e.g. HOST, PORT).

Once the variable is configured for a service or client process, the referenced directory and the required files must exist; otherwise the service or client will fail to work and report errors.

If the variable is added or changed, all services have to be restarted.

Default value of TLSDIR on Microsoft Windows

C:\>set TLSDIR=%ProgramData%\Fabasoft\TLS
C:\>set TLSDIR


To set the variable for Microsoft Windows, add it as a system variable in the system properties.

Default value of TLSDIR on Linux

$ export TLSDIR="/var/opt/fabasoft/tls"
$ echo $TLSDIR


To set the variable for Linux, add the entry to the file /etc/fabasoft/base.conf.

Configuration Files “hostkey.pem” and “hosttrusts.cfg”

Once TLSDIR is set, it must point to a directory containing a key file and a trusts file per host.


The file hostkey.pem contains the certificate and private key and is used to authenticate the peer (client or server) of an SSL/TLS-protected socket connection.

Sample file hostkey.pem




The file hosttrusts.cfg contains the SHA-256 fingerprints of accepted peer certificates.

Sample file hosttrusts.cfg

# Trusted host certificates (sha256 fingerprint).
c0:88:b5:5a:d0:1d:8a:46:ed:78:5b:fd:2d:d4:89:9a:75:a7:e8:37:a7:22:3a:bf:c4:4c:99:49:24:6d:b0:67 # hostname

Text following a # is ignored, and empty lines are ignored as well.

Configuration Utility “fsckeygen”

To create new certificates, the utility fsckeygen may be used. The utility will create the files hostkey.pem (new certificate and key) and hosttrusts.cfg (fingerprint of the newly created certificate).

Any existing fingerprints of trusted peer certificates must be added manually.

Sample use of fsckeygen on Microsoft Windows

C:\>where fsckeygen
C:\Program Files\Fabasoft\Components\Management\fsckeygen.exe

C:\>set TLSDIR

Fabasoft Folio fsckeygen Version
Copyright (c) Fabasoft R&D GmbH, A-4020 Linz, 1988-2018.
Files exist, use option -f to overwrite.
Usage: fsckeygen [-q] [-f] [-d tlsdir]

C:\>fsckeygen -f
Fabasoft Folio fsckeygen Version
Copyright (c) Fabasoft R&D GmbH, A-4020 Linz, 1988-2018.
File C:\ProgramData\Fabasoft\TLS\hostkey.pem written.
File C:\ProgramData\Fabasoft\TLS\hosttrusts.cfg written.

Reference Configuration Using openssl

For reference, the corresponding openssl commands are listed below.

Reference bash commands to generate host key and trusts

HOSTNAME=$(hostname -s)
NEWCERTARGS="req -newkey rsa:4096 -days 9999 -nodes -x509 -subj /CN=$HOSTNAME"
FINGERPRINTARGS="x509 -noout -fingerprint -sha256"

openssl $NEWCERTARGS -keyout key.pem -out cert.pem
openssl $FINGERPRINTARGS -in cert.pem | sed 's/.*=//' | tr A-F a-f > certfp.cfg

# Host Key
cat cert.pem key.pem > hostkey.pem

# Host Trusts
echo "# Trusted host certificates (SHA-256 fingerprint)." > hosttrusts.cfg
echo "$(cat certfp.cfg) # $HOSTNAME"                     >> hosttrusts.cfg

rm cert.pem key.pem certfp.cfg

Using Multiple Hosts

A typical installation of Fabasoft Services uses multiple hosts.

To enable this scenario, either copy the host key and host trusts files to all connected machines, or manually edit the host trusts file of every connected machine so that it contains the fingerprints of all trusted host certificates.
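
When each host keeps its own key and the trusts files are edited by hand, a missing or mistyped fingerprint is easy to overlook. The following Python sketch is an added example, not part of Fabasoft Folio: it parses hosttrusts.cfg content using the comment rules described above, computes the SHA-256 fingerprint of the certificate in a hostkey.pem, and lists peers that are not trusted. The function names and the host names app01 and db01 are hypothetical, and it assumes lowercase colon-separated fingerprints as produced by the reference openssl commands.

```python
import hashlib
import re
import ssl

# Assumption: one lowercase, colon-separated SHA-256 fingerprint per line, the
# form the reference openssl commands produce. Anything else is flagged.
FP_RE = re.compile(r"[0-9a-f]{2}(?::[0-9a-f]{2}){31}")
CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def parse_trusts(text):
    """Parse hosttrusts.cfg content into ({fingerprint: comment}, [bad line numbers])."""
    trusted, bad_lines = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry, _, comment = raw.partition("#")  # text following '#' is ignored
        entry = entry.strip()
        if not entry:                            # empty or comment-only line
            continue
        if FP_RE.fullmatch(entry):
            trusted.setdefault(entry, comment.strip())
        else:
            bad_lines.append(lineno)             # needs manual review
    return trusted, bad_lines


def cert_fingerprint(pem_text):
    """SHA-256 fingerprint of the first certificate in a PEM file such as hostkey.pem."""
    match = CERT_RE.search(pem_text)
    if match is None:
        raise ValueError("no certificate block found")
    der = ssl.PEM_cert_to_DER_cert(match.group(0))
    digest = hashlib.sha256(der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def untrusted_peers(trusts_text, peer_certs):
    """Return sorted host names (keys of peer_certs, PEM values) missing from trusts_text."""
    trusted, _ = parse_trusts(trusts_text)
    return sorted(host for host, pem in peer_certs.items()
                  if cert_fingerprint(pem) not in trusted)


if __name__ == "__main__":
    # Constructed sample: placeholder bytes stand in for real DER certificates.
    app01 = ssl.DER_cert_to_PEM_cert(b"constructed placeholder for app01")
    db01 = ssl.DER_cert_to_PEM_cert(b"constructed placeholder for db01")
    cfg = "# Trusted host certificates\n" + cert_fingerprint(app01) + " # app01\n"
    print(untrusted_peers(cfg, {"app01": app01, "db01": db01}))
```

Only the certificate part of each peer's hostkey.pem is needed for this check; the private key can stay on its own host.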