System Settings

The user interface of System Settings is based on HTML pages and can be accessed both locally on the HMI device screen and remotely using a Web browser.

The administrator username with full access rights is "admin", with default password "admin". The generic username is "user", with default password "user".

WARNING: For security reasons, change the default passwords for both usernames (passwords can be modified from the "System Settings -> Authentication" command).

Accessing the System Settings from the HMI device does not require a password as long as the default "admin" password has not been changed.

System Setting access from Web browser

To access System Settings using a Web browser, enter the IP address of the device, in the following format:

https://IP/machine_config

Note that remote access uses the encrypted HTTPS protocol on port 443. When the connection is established, the HMI device sends a certificate to be used for the encryption. Since the certificate is not signed by a Certificate Authority, you will get a warning message. Click the advanced options and choose to proceed.

Browse through the options available in the menu on the left: the active item is highlighted and related information is displayed on the right.
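Rather than clicking past the browser warning each time, a client script can pin the HMI's certificate fingerprint, recorded from the device out of band, and refuse any other certificate. The following Python example is added here and is not part of the manual or of the device firmware; it assumes the device answers on port 443 at the path above and that the operator has noted the SHA-256 fingerprint of the device certificate.

```python
import base64
import hashlib
import hmac
import ssl
import urllib.request


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour lines and base64-decode the certificate body."""
    body = "".join(ln.strip() for ln in pem.splitlines()
                   if ln.strip() and not ln.strip().startswith("-----"))
    return base64.b64decode(body)


def fingerprint_sha256(der: bytes) -> str:
    """Hex SHA-256 of the DER certificate (what a browser's certificate viewer shows)."""
    return hashlib.sha256(der).hexdigest()


def fingerprint_matches(der: bytes, expected: str) -> bool:
    """Compare with the fingerprint noted from the device; accepts 'AB:CD:..' or 'abcd..'."""
    wanted = expected.replace(":", "").replace(" ", "").lower()
    return hmac.compare_digest(fingerprint_sha256(der), wanted)


def pinned_context(pem: str) -> ssl.SSLContext:
    """Trust exactly this certificate (no system CAs). Hostname checking is off because
    the connection is made by IP while the self-signed certificate names the device."""
    ctx = ssl.create_default_context(cadata=pem)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def open_system_settings(host: str, pinned_fingerprint: str, timeout: float = 10.0) -> bytes:
    """Fetch https://<host>/machine_config only if the served certificate matches the pin."""
    pem = ssl.get_server_certificate((host, 443))      # certificate the HMI presents, unverified
    if not fingerprint_matches(pem_to_der(pem), pinned_fingerprint):
        raise ssl.SSLCertVerificationError(
            f"{host}: presented certificate does not match the pinned fingerprint")
    with urllib.request.urlopen(f"https://{host}/machine_config",
                                context=pinned_context(pem), timeout=timeout) as resp:
        return resp.read()
```

If the certificate is later personalized or replaced (see "x.509 Certificate" under Authentication), the pinned fingerprint must be updated as well.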

Default security protocols proposed by the HTTPS server in the Linux HMI device are:

WARNING: We discourage the use of CBC cipher suites in the context of SSL3 or TLSv1.0 connections, since they are potentially affected by known vulnerabilities.

System Setting access from HMI device

When the Runtime is not installed, the System Settings are accessible from the Runtime Loader screen.

When the Runtime is installed, the System Settings are accessible by selecting the "Show System Settings" option of the Context Menu.

Enter System Settings via tap-tap procedure

Tap-tap consists of a sequence of several touch activations, performed by simply tapping the touch screen with a finger during the power-up phase, starting immediately after the HMI is powered on.

When the "tap-tap detected" message appears at the top of the screen, wait for 5 seconds (without touching the screen) to enter the System Settings sub menu.

Wait for 5 more seconds (without touching the screen) to enter Default Mode.

Select "System Setting" from the HMI Default Mode screen.

System Settings Sections

To change system settings values, enter edit mode by clicking the edit button at the top right.

The edit button is available only inside the dialogs that contain modifiable parameters.

Localization

Set the parameters below to adapt the device to your country.

The Country Code is required for the WLAN Regulatory Domain, and the device will not use WiFi until this parameter has been set.

The country settings are required for operation complying with the approvals. Selecting a country that does not match the country in which the device is operated may be punishable by law. After selecting the Country Code, the corresponding channel allocation and power level settings are applied automatically.

System

Parameter   Description
Info        Device information
Status      Device status (Free RAM, Up time, CPU Load)
Timers      Device timers (System on, Back light on)
PlugIn      Hardware plugins information

Logs

Set the persistent log option if you want to keep the log files after a power reset.

Use the save button to export a copy of the log files.

The log file manager cyclically fills 3 files of 4 MB each.

Date & Time

Device date and time.

Parameter                Description
Current Timezone         Timezone region
Current Date             Device date and time. Both can be set manually only when Automatic Update is disabled.
Local Time
Automatic Update (NTP)   Enable to keep date and time synchronized with a remote server.

  • NTP Server
    Specify the Internet NTP Server address

The NTP Client of the HMI device is a complete implementation of the Network Time Protocol (NTP) version 4, but also retains compatibility with version 3, as defined by RFC-1305, and versions 1 and 2, as defined by RFC-1059 and RFC-1119, respectively.

The poll process sends NTP packets at intervals determined by the clock discipline algorithm. The process is designed to provide a sufficient update rate to maximize accuracy while minimizing network overhead. The poll interval varies between 8 seconds and 36 hours.

Accept NTP requests      When enabled, the device accepts NTP requests from outside. When Automatic Update is not enabled, the device shares the time of its local RTC clock.

Networks

Network parameters. Parameters available in edit mode:

Parameter Description
General Settings

Device hostname

Avahi Hostname (see "Avahi Daemon")

Network Interface

Network parameters of the available interfaces

  • DHCP
  • IP Address
  • Net Mask
  • Gateway

By default, the network interface is set with DHCP turned on to retrieve the network parameters from the DHCP server. If no DHCP server is found, the avahi-autoip service is used to set an IP address in the range 169.254.x.x.

DNS

DNS Servers
Generally provided by the DHCP server, but can be modified in edit mode

Search Domains
Optional domains that are appended to the provided host names when resolving them

Security

This section is available only when logged in as admin.

The security area contains passwords and certificates, required by applications.

Parameter Description
Domain

Identifies a set of secret information that can be used by installed applications that have the rights to use it. The preconfigured domains are:

  • General
    This space is available for third party applications

  • System
    This space is used by the services embedded in the device (e.g. the VNC Server)

  • HMI Runtime
    This space is used by the JMobile HMI Runtime application

Secret ID

Name used to identify each piece of secret information included in the selected domain.

Type

Type of information to be stored.

  • Text
  • Password
  • Certificate
  • File

Secret Info

The secret information to keep stored.

In case of text or password, type the text or the password to store. In case of certificate or file, use the "Update" button to upload the file to store.

Description

Free text that you can insert at will.

Import/Export

Using the Import/Export commands, it is possible to export the stored information and import it, e.g., into other devices. Note that the export command will prompt you to define a password which will then be required in order to import the exported file.

Applications

The applications page lists the applications loaded on the HMI device. From this page it is possible to manage the applications.

Parameter   Description
Name        Application name
Autostart   If selected, the application starts when the operator panel is turned on

App Management

Press the "App Manager" button to enter the application management mode, from where you can:

Services

Services are available only when logged in as admin.

Click the enable button to enable/disable a service. Click the service name to list the associated parameters.

Autorun scripts from external storage

Enable/Disable running the "autoexec.sh" script file when a USB key is plugged into the device. Disable this service if you want to prevent unauthorized access through the USB interface.

Requires BSP v1.0.212 or greater

Avahi Daemon

Avahi is a system that enables programs to publish and discover services and hosts running on a local network. When it is enabled, the HMI device can be reached using the device's host name (as an alternative to the IP address).

Avahi Daemon runs on UDP port 5353

On Linux and Apple PCs, the Avahi service comes with the OS. On Windows PCs, instead, you need to install an Avahi service to be able to reach the panel by its Avahi host name (e.g. you need to install the Apple Bonjour application; Bonjour is a trademark of Apple Inc.).

Bridge/Switch Service

Using the bridge service it is possible to connect the WAN (eth0) network adapter together with the other network interfaces. When used, the two Ethernet interfaces are bridged and share the same IP address.

The Bridge Service creates a Linux-based layer-2 network bridge between two or more network interfaces. If both the WAN and endpoint devices are attached to such a bridge, the two networks are physically joined and the endpoints are available as if they were directly connected to the WAN (Note: the Cloud scenario still requires the Router Service to be active).

Cloud / VPN Service

Allows managing remote HMI devices connected to a centralized server through gateways.

See "Cloud / VPN Service" for additional details.

DHCP Server

Provides a DHCP Server on the selected interfaces.

Parameter             Description
Enabled               Enable the DHCP Server on the selected interface
Start IP              First and last IP addresses distributed by the DHCP Server
Stop IP
Gateway               The gateway address
Netmask               The provided netmask
DNS Server            The DNS server address
Lease Time (seconds)  Lease time, default is 86400s (1 day). Acceptable values are from 60s to 864000s (10 days).

Enable device restore via TAP TAP option

When enabled, it gives the possibility to reset the operator panel in case the administrator password is forgotten (see "Forgot password").

This option is enabled by default. You can disable it to increase the security of the device (this removes the possibility of recovering a forgotten password).

Fast Boot

When fast boot is enabled, at power-up the HMI device starts the HMI application as fast as possible. In this mode no diagnostic information is shown (e.g. the loading bar) and only the minimum necessary features are loaded before loading the User Interface (e.g. System Settings, VNC, SSH, etc. are loaded after the HMI application).

To obtain the best performance, in addition to enabling fast boot mode, it is recommended to:

Requires BSP v1.0.242 or greater

Firewall Service

When the firewall is enabled, only connections matching the defined rules are allowed. Note that some rules must be enabled for the HMI to work properly.

Notes:

Source IP or Network

If this field is unspecified, access is allowed from any source host. Otherwise, access can be restricted to a single IP address (e.g. 192.168.100.123) or to a range of IP addresses in CIDR format (e.g. 192.168.100.0/24). For details on valid subnet specifications in this format, refer to: https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing

If you enable the Firewall and need to use FTP passive mode with a JMobile HMI Runtime older than version 2.10.0.280, you need to open ports 1024-2048/tcp and 16384-17407/tcp. From version 2.10.0.280, JMobile HMI Runtime instead uses ports 18756-18760/tcp, which are proposed in the Firewall settings by default.

Firewall is available from BSP v1.0.532
If you are updating from an old BSP version and you don't see the default rules, you have to reset the system settings (see "Update System Components").
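As an added illustration of the matching semantics described above (not the device's own firewall code), the following Python snippet evaluates whether a connection is allowed by a list of rules whose source field is empty, a single IP or a CIDR network. The rule set it builds is constructed for the example and is not the device's default rule list.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    proto: str                 # "tcp" or "udp"
    first_port: int
    last_port: int
    source: str = ""           # "" = any host; else a single IP or a CIDR network

    def matches(self, proto: str, dport: int, src_ip: str) -> bool:
        if proto != self.proto or not self.first_port <= dport <= self.last_port:
            return False
        if not self.source:                     # unspecified source: any host
            return True
        # ip_network() turns a bare address into a /32; strict=False tolerates host bits
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source, strict=False)


def parse_rule(text: str) -> Rule:
    """'tcp 18756-18760 192.168.100.0/24' or 'udp 161' (single port, any source)."""
    fields = text.split()
    first, _, last = fields[1].partition("-")
    return Rule(fields[0].lower(), int(first), int(last or first),
                fields[2] if len(fields) > 2 else "")


def is_allowed(rules, proto: str, dport: int, src_ip: str) -> bool:
    """Firewall semantics: a connection passes only if some rule matches it."""
    return any(rule.matches(proto, dport, src_ip) for rule in rules)


# Constructed rule set mirroring the services in this chapter; it is NOT the device's
# real default rule list, which is shown in the Firewall Service page of System Settings.
EXAMPLE_RULES = [parse_rule(text) for text in (
    "tcp 443",                        # System Settings web UI, any source
    "tcp 18756-18760",                # FTP passive ports, JMobile HMI Runtime >= 2.10.0.280
    "tcp 5900 192.168.100.0/24",      # VNC only from the maintenance subnet
    "tcp 22 192.168.100.123",         # SSH only from one engineering workstation
)]
```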

Router Service

This service uses IP Forwarding and Network Address Translation to share the connection from the WAN (eth0) towards the LAN (eth1 or eth2): connected endpoints can reach the same networks reachable by the gateway (including the Internet, if available). With the Cloud Service active, endpoints can be reached via the gateway's LAN port (refer to "Cloud / VPN Service" for more information).

Port Forwarding

Port forwarding redirects incoming TCP connection requests received on the WLAN interface from one address and port number combination to another address and port number combination.

Available from BSP v1.0.507

1:1 NAT

1:1 NAT creates an alias IP on the WLAN interface and forwards all packets (or those in a given port range) with that destination IP to another device attached to a LAN.

Available from BSP v1.0.507

Warning: make sure the value entered for “Source IP” is not the same as real IP address assigned to the physical Ethernet port specified as “Source Interface”.

Show loading bar during boot

Enable/Disable the display of the loading bar during the boot phase.

SNMP Server

SNMP is a network protocol that allows managing network infrastructures. It is commonly used to monitor network devices such as switches, routers, etc. connected to a LAN.

When the SNMP service is enabled, an SNMP Manager can retrieve information from the HMI device using the SNMP protocol. Currently, there are no proprietary MIBs available. Only the standard public community MIBs are available, in read-only mode.

Example:

System Name:          .1.3.6.1.2.1.1.5.0
System Description:   .1.3.6.1.2.1.1.1.0
System UpTime:        .1.3.6.1.2.1.1.3.0
Total RAM used:       .1.3.6.1.4.1.2021.4.6.0
Total RAM Free:       .1.3.6.1.4.1.2021.4.11.0
Idle CPU time (%):    .1.3.6.1.4.1.2021.11.11.0

SNMP Server runs on UDP port 161

For security reasons, do not enable the service if you do not need it.
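An SNMPv1 GET for the read-only OIDs listed above, written as an added example rather than taken from the manual: it encodes the request with a minimal BER encoder, sends it to UDP port 161 and decodes the values returned, which is enough to audit what the service exposes before deciding whether to leave it enabled. The community string "public" is an assumption based on the page's reference to the standard public community MIBs.

```python
import socket

def tlv(tag: int, payload: bytes) -> bytes:
    n = len(payload)                               # BER length: short form < 128, else long form
    if n >= 0x80:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([tag, 0x80 | len(body)]) + body + payload
    return bytes([tag, n]) + payload

def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])      # first two arcs share one byte
    for arc in arcs[2:]:                           # base-128 digits, high bit = more follow
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += bytes(chunk)
    return tlv(0x06, bytes(out))

def encode_int(v: int) -> bytes:
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def build_pdu(pdu_tag: int, community: str, varbinds, request_id: int = 1) -> bytes:
    # SNMPv1 message = SEQUENCE { version 0, community, PDU { id, error, index, varbinds } }
    vbl = b"".join(tlv(0x30, encode_oid(oid) + value) for oid, value in varbinds)
    pdu = tlv(pdu_tag, encode_int(request_id) + encode_int(0) + encode_int(0) + tlv(0x30, vbl))
    return tlv(0x30, encode_int(0) + tlv(0x04, community.encode()) + pdu)

def children(buf: bytes):
    items, pos = [], 0                             # split a BER payload into [(tag, payload), ...]
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                          # long-form length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        items.append((tag, buf[pos:pos + length]))
        pos += length
    return items

def decode_response(msg: bytes):
    (_, body), = children(msg)
    _version, _community, (pdu_tag, pdu) = children(body)
    _rid, (_, status), _index, (_, vbl) = children(pdu)
    if pdu_tag != 0xA2 or status != b"\x00":       # 0xA2 = GetResponse, error-status noError = 0
        raise ValueError(f"bad response: pdu tag {pdu_tag:#x}, error-status {status[0]}")
    return [children(vb)[1] for _, vb in children(vbl)]   # (tag, raw value), request order

def snmp_get(host: str, oids, community: str = "public", timeout: float = 2.0) -> dict:
    """OCTET STRING values are the raw text; INTEGER/TimeTicks need int.from_bytes(v, "big")."""
    request = build_pdu(0xA0, community, [(oid, tlv(0x05, b"")) for oid in oids])  # 0xA0 = GetRequest
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:   # HMI SNMP Server: UDP 161
        s.settimeout(timeout)
        s.sendto(request, (host, 161))
        return dict(zip(oids, decode_response(s.recvfrom(65535)[0])))
```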

SSH Server

The SSH service is designed only for advanced users. It provides remote login to the HMI device using the secure shell protocol. On a PC you can run an SSH client such as, for example, PuTTY, which is open source software distributed under the MIT license.

The default password for the "admin" username is "admin". See the "Authentication" chapter for additional information.

SSH Server runs on TCP port 22

This service is designed to be used during the development phase. For security reasons, remember to disable the service before switching to production.

VNC Service

VNC is a service that allows remote access to the display of the HMI device. VNC clients can be used to get the remote control of the HMI device.

VNC should be disabled after use and autostart is not recommended.

Parameter Description
Enable Enable the VNC server
Autostart Keep the VNC server enabled when HMI device starts
Port

VNC Server listens for connections on TCP port 5900 (default)

Inactivity timeout (seconds)

“Inactivity timeout” occurs if no user interaction is detected (via keyboard, mouse, transfers or other RFB protocol interactions). The special value 0 indicates that idle timeout is disabled. Default value is 600 (10 minutes).

Multiple clients

Allow multiple sessions on the same port (if disabled, previously logged clients are disconnected upon a new incoming connection)

View only

Do not allow active user interactions (clients can only watch)

Encryption

Activate SSL encryption of connections

Custom certificate (Security/VNC KeyPair)

The HMI device certificate needed to let the remote VNC client verify the authenticity of the HMI device. The certificate must contain both the private and the public keys and can be in .pem format.

The encryption features are not widely supported; check your VNC client compatibility.

Authentication

Whether users are authenticated upon session creation. A custom VNC-specific password can be set, or the system passwords can be used (this option is only available if Encryption is also enabled).

Example of how to generate a certificate using the OpenSSL library (Windows batch script):

    @echo off
    set OpenSSL="C:\Program Files\OpenSSL-Win64\bin\openssl.exe"
    set CertificateName=HMI-Certificate
    set DeviceIP=192.168.1.56
    rem Create the certificate keys
    %OpenSSL% req -x509 -newkey rsa -days 365 -nodes -keyout private.pem -out public.pem -subj "/ST=NY/C=US/L=New York/O=CompanyName/OU=Department/CN=%CertificateName%" -addext "subjectAltName=IP:%DeviceIP%"
    rem Create .pem file
    copy private.pem + public.pem hmi-certificate.pem
    echo.
    echo.
    pause

Web Server

This page shows the parameters available to configure the Web Server. Note that it is not possible to disable the Web Server because it is necessary to allow access to the System Settings of the device.

Plugins

This page shows the parameters available to configure the optional plugin modules attached to the HMI device. See the description of each plug-in module for additional information.

Management

Management is available only when logged in as admin.

From the management area it is possible to "Update System Components" of the HMI device.

CAUTION: Working in the Management area is a critical operation and, when not performed correctly, may cause product damage requiring service of the product. Contact technical support for assistance.

Use the "Clear" command inside the "Data" section to remove HMI Runtime from the device (Factory Restore).

Display

Parameter           Description
Brightness          Brightness level of the display
Back light timeout  Backlight inactivity timeout
Orientation         Display orientation

Authentication

Enter edit mode to change the authentication passwords or to personalize the x.509 certificate of the HMI device.

Users

There are two usernames: "admin" and "user" (see the default passwords at the beginning of this chapter).

x.509 Certificate

The HMI device uses a self-signed certificate to encrypt the Internet communication through the HTTPS protocol. You can personalize the certificate with the data of your Company and ask a Certificate Authority to sign it.

The procedure to personalize and sign your certificate is:

1. Enter edit mode and fill in the necessary parameters, then push the GENERATE button to generate a self-signed certificate with your data.
2. Export the "Certificate Signing Request".
3. Send the "Certificate Signing Request" to a Certificate Authority to sign it (generally this is a paid service).
4. Import the signed certificate into the HMI device.

Certificate's parameters

Parameter     Description
Device Name   The name of your device
Organization  The legal name of your organization
Unit          The division of your organization handling the certificate
State         The state/region where your organization is located
Location      The city where your organization is located
Country       The two-letter ISO code for the country where your organization is located
Valid (days)  Validity of the certificate
Key Length    Number of bits of the key used by the cryptographic algorithm

Managed certificates are base64 encoded.

Requires BSP v1.0.239 or greater

Restart

HMI device restart command

EXIT

Exit from the System Settings tool.