diff --git a/build-doc.sh b/build-doc.sh index fcdb739a5cf16c93aba81a855725e6e51ea091bd..5b25686073cf6e78df04c1e8a61f7652bd1ba254 100755 --- a/build-doc.sh +++ b/build-doc.sh @@ -1,5 +1,12 @@ #!/bin/bash mkdir -p jams cd userguide || exit -#/var/lib/jenkins/.local/bin/mkdocs build || exit 0 +#cp docs/img/cover.jpg src/mkpdfs-mkdocs-plugin/mkpdfs_mkdocs/design/ +#cd src/mkpdfs-mkdocs-plugin/mkpdfs_mkdocs/design/ +#npm i +#npm install -g sass +#sass report.scss > report.css +#cd ../../../.. +#pip3 install mkdocs +#/home/$USER/.local/bin/mkdocs build || exit 0 cp site/pdf/combined.pdf ../jams/userguide.pdf \ No newline at end of file diff --git a/userguide/docs/admin.md b/userguide/docs/admin.md index 757e232d4ed5c8b6f66b8cf977009f3e487e24b6..7a33cce3d6ebff5927cd661ef89dbd7db662023e 100644 --- a/userguide/docs/admin.md +++ b/userguide/docs/admin.md @@ -14,7 +14,7 @@ By default JAMS runs an embedded tomcat server visible on port 8080, however thi It is generally not recommended to expose JAMS directly to the outside world and while it is required to run JAMS in SSL mode, we usually recommend users to place it behind Nginx or a similar web server which proxies requests between the outside world and Jams. -The following is an example map of how you could configure JAMS behind Nginx (the process would be similar if you wanted to use any other type of proxying solution): +The following is an example map of how you could configure JAMS behind Nginx (the process would be similar if you wanted to use any other type of proxy solution): ![alt text][map] 
@@ -40,7 +40,7 @@ Typically you would add a new site called ``jams-site.conf`` to your nginx confi } }</b></pre> -This is the preferred setup method by most admins, as local traffic is usually ran unencrypted since it is usually either inter-VM connection, a VLAN or another dedicated link. +This is the preferred setup method by most admins, as local traffic is usually run unencrypted since it is usually either inter-VM connection, a VLAN or another dedicated link. ## Troubleshooting and resetting @@ -59,13 +59,13 @@ This will reset the server to its original state and you will be able to run the ### Download and install JAMS -Visit [https://jami.biz/](https://jami.biz/) and downalod JAMS. +Visit [https://jami.biz/](https://jami.biz/) and download JAMS. Extract JAMS to c:\jams ### Download and install JDK 11 -Download JDK 11 from https://www.oracle.com/java/technologies/javase-jdk11-downloads.html (choose the conresponding architecture of your VM) +Download JDK 11 from https://www.oracle.com/java/technologies/javase-jdk11-downloads.html (choose the corresponding architecture of your VM) Install it using the install wizard. @@ -154,7 +154,7 @@ subjectKeyIdentifier = hash </b> </pre> -### Add OpenSSL to Sytem Environment variables +### Add OpenSSL to System Environment variables Go to Edit the system environment variables -> Environment Variables, then in System variables edit Path and add c:\openssl\ ### Configure OpenSSL @@ -197,7 +197,7 @@ java -jar jams-launcher.jar PORT_NUMBER (eg. 8443 or 443) server.pem server.key Open a navigator on the server and visite https://localhost:443 or https://localhost:8443 to validate that it's working. -Click CTRL + C to close the application +Type CTRL + C to close the application ### Expose your localhost to the internet 
@@ -223,7 +223,7 @@ Leave all of Domain Private and Public select and click next. Name you Rule JAMS Outbound and click Finish. -You are all set. You can now visit you application trought the server domain name or ip address on port 443 or 8443. +You are all set. You can now visit your application through the server domain name or IP address on port 443 or 8443. ### Create a JAMS Windows Service (Embed Tomcat Server Windows Service) to start JAMS with the server diff --git a/userguide/docs/clients.md b/userguide/docs/clients.md index 905e3b49555f281e72c20eec22173e99906c7d2d..3e0e30783a6087ef8f42eea7198edf95c111a946 100644 --- a/userguide/docs/clients.md +++ b/userguide/docs/clients.md 
@@ -48,20 +48,20 @@ Select the option **"Connect to a JAMS server"** which will lead you to the foll The **Jami Account Management Server URL** in this case would be the DNS address of your server and the username and password which correspond to your account. If you have configured the server with an LDAP/AD backend, it would be your LDAP/AD username and password. -## Connect from a MacOS device +## Connect from a macOS device Open Jami, go to the login page. Click on "Advanced": ![alt text][macosstep1] -[macosstep1]: https://static.savoirfairelinux.com/img/jams/client/macos/macos-step1.png "MacOS step 1" +[macosstep1]: https://static.savoirfairelinux.com/img/jams/client/macos/macos-step1.png "macOS step 1" Select the option **"Connect to account manager"** which will lead you to the following screen: ![alt text][macosstep2] -[macosstep2]: https://static.savoirfairelinux.com/img/jams/client/macos/macos-step2.png "MacOS step 2" +[macosstep2]: https://static.savoirfairelinux.com/img/jams/client/macos/macos-step2.png "macOS step 2" The **Jami Account Management Server URL** in this case would be the DNS address of your server and the username and password which correspond to your account. If you have configured the server with an LDAP/AD backend, it would be your LDAP/AD username and password. diff --git a/userguide/docs/img/cover.jpg b/userguide/docs/img/cover.jpg new file mode 100644 index 0000000000000000000000000000000000000000..8fb5fd64da815af5727dd3e89f418b42e1d36715 Binary files /dev/null and b/userguide/docs/img/cover.jpg differ diff --git a/userguide/docs/index.md b/userguide/docs/index.md index a94e88574ee11de9c450643f04593fc5f5b1f742..75ccb385adc0b8a3c9a0fa8b517acdc76778216e 100644 --- a/userguide/docs/index.md +++ b/userguide/docs/index.md 
@@ -49,7 +49,7 @@ You must have a domain name in order to request a key and a certificate. Once you have purchased you domain name and pointed it to you server you can proceed to the next step. -You can purchase a pair of key certificate from any online provider such as Godaddy, OVH, Hostgator, etc. We recommand getting a free pair using Let's encrypt. +You can purchase a pair of key certificate from any online provider such as GoDaddy, OVH, HostGator , etc. We recommend getting a free pair using Let's encrypt. In order to generate a pair of key certificate you can use Certbot using instructions in the following page https://certbot.eff.org/. @@ -61,7 +61,7 @@ Install Certbot using snap: sudo snap install --classic certbot Ensure that the cerbot command can be run: sudo ln -s /snap/bin/certbot /usr/bin/certbot -In order to get a certificate execute: sudo certbot certonly and follow instrcuctions. +In order to get a certificate execute: sudo certbot certonly and follow instructions. The Certificate and Key are generated in a specific folder, please see the output from Certbot to locate them. @@ -86,7 +86,7 @@ An example of the command would be: Please note that any port above 1024 can be safely used to run JAMS. -## Step 1: create your admininistrator account +## Step 1: create your administrator account This account will have administrative control and the rights to manage your users and group of Jami users. 
@@ -98,7 +98,7 @@ This account will have administrative control and the rights to manage your user The second step is to define your Certification Authority. -**Important:** a CA is not a server-side ssl certificate, it is a certificate which has the power to issue other certificates. Do not use the import option unless your company's security officer has issued you a CA certificate. Most commercially available certificates (i.e. those issued by godaddy, letsencrypt, etc... ) are not CA certificates. If you are an end-user we highly recommend you use to create a self-signed CA option as providing an incorrect certificate type will lead to a non-functional server. +**Important:** a CA is not a server-side ssl certificate, it is a certificate which has the power to issue other certificates. Do not use the import option unless your company's security officer has issued you a CA certificate. Most commercially available certificates (i.e. those issued by GoDaddy, Let’s Encrypt, etc…) are not CA certificates. If you are an end-user we highly recommend you use to create a self-signed CA option as providing an incorrect certificate type will lead to a non-functional server. ![alt text][step1-1] @@ -109,7 +109,7 @@ The second step is to define your Certification Authority. [step1-2]: https://static.savoirfairelinux.com/img/jams/step2-2.png "Certification Authority Import" -This certificate will be used to sign the enrollement requests which come from Jami devices. If you are not familiar with the X509 standard, we highly recommend you read the following +This certificate will be used to sign the enrollment requests which come from Jami devices. If you are not familiar with the X509 standard, we highly recommend you read the following articles to get familiar with the processes and practices which surround it: <https://www.securew2.com/blog/public-key-infrastructure-explained/> 
@@ -127,7 +127,7 @@ JAMS supports 3 different sources for the authentication of users: ### Option 1: LDAP authentication -If your company provides you with LDAP directory for user management, you will need to know its access information and a automated account which has read-only rights to do use look-ups. +If your company provides you with LDAP directory for user management, you will need to know its access information and an automated account which has read-only rights to do use look-ups. ![alt text][ldap] @@ -178,7 +178,7 @@ The local database does not require any additional configuration, everything in **Advanced settings:** by default, the option "Use public nameserver" is disabled. Usernames of your Jami users will not be stored on the public Jami nameserver and your users will only be able to communicate with users from your organization. -If you want your users to be searchable by external users and allow them to communicate with any Jami users, and not only the one from your organization, enable this option, +If you want your users to be searchable by external users and allow them to communicate with any Jami users, and not only the one from your organization, enable this option. ## Step 4: setup the server parameters 
@@ -190,8 +190,8 @@ If you want your users to be searchable by external users and allow them to comm | ------------- |------------- | | **CORS Domain Name** | The domain on which the JAMS client and administration UI will be running. | | **Certificate Revocation List Lifetime** | The frequency at which the CRL is updated in memory | -| **Device Lifetime** | How long a device's certificate is valid before being considered stale and requiring re-enrollement | -| **User Account Lifetime** | How long a user account is valid before being considered stale and requiring re-enrollement | +| **Device Lifetime** | How long a device's certificate is valid before being considered stale and requiring re-enrollment | +| **User Account Lifetime** | How long a user account is valid before being considered stale and requiring re-enrollment | **Important** The *CORS Domain Name* corresponds to the web address used to access the Web UI. By default, it is set to the same URL as the one where you deploy JAMS. Only set a different URL if the Web UI has a different URL to the one where JAMS is deployed. @@ -205,4 +205,4 @@ You will be redirected to the JAMS interface. [jamsdashboard]: https://static.savoirfairelinux.com/img/jams/jams-dashboard.png "Jams dashboard" -If you have configured JAMS with your LDAP or Active Directory, the list of users should of your organization shoud be visible in JAMS. If you have selected the local embedded database, you can now start creating new users by clicking on "Create User" \ No newline at end of file +If you have configured JAMS with your LDAP or Active Directory, the list of users should of your organization should be visible in JAMS. If you have selected the local embedded database, you can now start creating new users by clicking on "Create User". \ No newline at end of file diff --git a/userguide/mkdocs.yml b/userguide/mkdocs.yml index a5a94c2037ffcb5f8adf05aa84e24062791805c3..5c77a4ea2c5c4497d0e721d73efc08e33caafad3 100644 
--- a/userguide/mkdocs.yml +++ b/userguide/mkdocs.yml @@ -5,4 +5,7 @@ nav: - Clients: clients.md plugins: - search - - mkpdfs + - mkpdfs: + company: Savoir-faire Linux + author: Savoir-faire Linux + toc_title: Table of content \ No newline at end of file diff --git a/userguide/package-lock.json b/userguide/package-lock.json new file mode 100644 index 0000000000000000000000000000000000000000..48e341a0954d5f8c2accf3a6731be28e5bb9c0de --- /dev/null +++ b/userguide/package-lock.json @@ -0,0 +1,3 @@ +{ + "lockfileVersion": 1 +} diff --git a/userguide/site/admin/index.html b/userguide/site/admin/index.html index 83034bcc7fbb1a6c0ed59486932fad54814e9f81..18dadef6a513fdc508ac18dd1d5a3bdbe8753667 100644 --- a/userguide/site/admin/index.html +++ b/userguide/site/admin/index.html @@ -102,7 +102,7 @@ height:400px; <h2 id="jams-nginx">JAMS & Nginx</h2> <p>It is generally not recommended to expose JAMS directly to the outside world and while it is required to run JAMS in SSL mode, we usually recommend users to place it behind Nginx or a similar web server which proxies requests between the outside world and Jams.</p> -<p>The following is an example map of how you could configure JAMS behind Nginx (the process would be similar if you wanted to use any other type of proxying solution):</p> +<p>The following is an example map of how you could configure JAMS behind Nginx (the process would be similar if you wanted to use any other type of proxy solution):</p> <p><img alt="alt text" src="https://static.savoirfairelinux.com/img/jams/map.png" title="Create an admin account"/></p> <p>The IP 10.10.0.1 is random, and should be seen as an example.</p> <p>Typically you would add a new site called <code>jams-site.conf</code> to your nginx configurations which would contain the following entries if you wanted to place an SSL certificate at the Nginx level: <pre> 
@@ -120,7 +120,7 @@ recommend users to place it behind Nginx or a similar web server which proxies r proxy_set_header Host $http_host; } }</b></pre></p> -<p>This is the preferred setup method by most admins, as local traffic is usually ran unencrypted since it is usually either inter-VM connection, a VLAN or another dedicated link.</p> +<p>This is the preferred setup method by most admins, as local traffic is usually run unencrypted since it is usually either inter-VM connection, a VLAN or another dedicated link.</p> <h2 id="troubleshooting-and-resetting">Troubleshooting and resetting</h2> <p>If you ever need to restart from 0 (i.e. reset everything and drop existing data) you can do so by deleting the following files in the distribution folder (<your folder="" project="" root="">/jams): <pre> <b>The internal jams folder: <your folder="" project="" root="">/jams/jams 
@@ -132,10 +132,10 @@ config.json <p>This will reset the server to its original state and you will be able to run the configuration wizard again. Before performing this operation, please make sure to shutdown the server.</p> <h2 id="running-jams-as-windows-service">Running JAMS as Windows Service</h2> <h3 id="download-and-install-jams">Download and install JAMS</h3> -<p>Visit <a href="https://jami.biz/">https://jami.biz/</a> and downalod JAMS.</p> +<p>Visit <a href="https://jami.biz/">https://jami.biz/</a> and download JAMS.</p> <p>Extract JAMS to c:\jams</p> <h3 id="download-and-install-jdk-11">Download and install JDK 11</h3> -<p>Download JDK 11 from https://www.oracle.com/java/technologies/javase-jdk11-downloads.html (choose the conresponding architecture of your VM)</p> +<p>Download JDK 11 from https://www.oracle.com/java/technologies/javase-jdk11-downloads.html (choose the corresponding architecture of your VM)</p> <p>Install it using the install wizard.</p> <h3 id="download-openssl-to-generate-a-key-and-a-certificate">Download openssl to generate a key and a certificate</h3> <p>Download OpenSSL from https://kb.firedaemon.com/support/solutions/articles/4000121705 (or choose another source https://wiki.openssl.org/index.php/Binaries)</p> @@ -217,7 +217,7 @@ basicConstraints = CA:FALSE subjectKeyIdentifier = hash </b> </pre> -<h3 id="add-openssl-to-sytem-environment-variables">Add OpenSSL to Sytem Environment variables</h3> +<h3 id="add-openssl-to-system-environment-variables">Add OpenSSL to System Environment variables</h3> <p>Go to Edit the system environment variables -> Environment Variables, then in System variables edit Path and add c:\openssl\</p> <h3 id="configure-openssl">Configure OpenSSL</h3> <p>Execute the following command to set the path to OpenSSL configuration.</p> 
@@ -249,7 +249,7 @@ c:\jams>dir <p>Now execute the following command tot start JAMS</p> <p>java -jar jams-launcher.jar PORT_NUMBER (eg. 8443 or 443) server.pem server.key</p> <p>Open a navigator on the server and visite https://localhost:443 or https://localhost:8443 to validate that it's working.</p> -<p>Click CTRL + C to close the application</p> +<p>Type CTRL + C to close the application</p> <h3 id="expose-your-localhost-to-the-internet">Expose your localhost to the internet</h3> <p>Click on Windows ans search for Windows Defender Firewall with Advanced Security.</p> <p>Right click on Inbound Rules and click on New Rule...</p> @@ -262,7 +262,7 @@ c:\jams>dir <p>Click next and select Allow the connection and click next.</p> <p>Leave all of Domain Private and Public select and click next.</p> <p>Name you Rule JAMS Outbound and click Finish.</p> -<p>You are all set. You can now visit you application trought the server domain name or ip address on port 443 or 8443.</p> +<p>You are all set. You can now visit your application through the server domain name or IP address on port 443 or 8443.</p> <h3 id="create-a-jams-windows-service-embed-tomcat-server-windows-service-to-start-jams-with-the-server">Create a JAMS Windows Service (Embed Tomcat Server Windows Service) to start JAMS with the server</h3> <p>In order to create a JAMS Windows Service you can use the tool NSSM provided on http://nssm.cc/download <a href="https://github.com/kirillkovalenko/nssm">https://github.com/kirillkovalenko/nssm</a></p> <p>Once downloaded open a command prompt and change directory to nssm-2.24\win64 then execute:</p> 
@@ -270,13 +270,13 @@ c:\jams>dir nssm.exe install JAMS </pre> <p>A GUI interface will open.</p> -<p>In the Path field specify the path to the Java executable example: -<pre>"C:\Program Files\Common Files\Oracle\Java\javapath\java.exe".</pre></p> +<p>In the Path field specify the path to the Java executable example:</p> +<pre>"C:\Program Files\Common Files\Oracle\Java\javapath\java.exe".</pre> <p>In the Startup directory put the <pre>"C:\jams" installation folder path.</pre></p> -<p>In the last field Arguments add the following arguments: +<p>In the last field Arguments add the following arguments:</p> <pre> -classpath "c:\jams" -jar jams-launcher.jar PORT_NUMBER server.pem server.key -</pre></p> +</pre> <p>where PORT_NUMBER is the port number you want to use to serve the application example 443 or 8443</p> <p>Now your JAMS application will start with the server.</p> <p>Source: <a href="https://medium.com/@lk.snatch/jar-file-as-windows-service-bonus-jar-to-exe-1b7b179053e4">https://medium.com/@lk.snatch/jar-file-as-windows-service-bonus-jar-to-exe-1b7b179053e4</a></p> @@ -290,10 +290,10 @@ WorkingDirectory=[DIRECTORY WHERE JAMS WAS UNZIPPED] ExecStart=/usr/bin/java -jar [DIRECTORY WHERE JAMS WAS UNZIPPED]/jams-launcher.jar PORT SSL_CERTIFICATE SSL_CERTIFICATE_KEY</p> <p>[Install] WantedBy=multi-user.target -</p></div></div></div></body></html> -The parameters PORT, SSL_CERTIFICATE and SSL_CERTIFICATE_KEY are optional (however, PORT can be used alone whereas the SSL_CERTIFICATE comes in pair with SSL_CERTIFICATE_KEY) - +The parameters PORT, SSL_CERTIFICATE and SSL_CERTIFICATE_KEY are optional (however, PORT can be used alone whereas the SSL_CERTIFICATE comes in pair with SSL_CERTIFICATE_KEY)</p></div> +</div> +</div> <footer class="col-md-12"> <hr/> <p>Documentation built with <a href="https://www.mkdocs.org/">MkDocs</a>.</p> 
@@ -367,5 +367,5 @@ The parameters PORT, SSL_CERTIFICATE and SSL_CERTIFICATE_KEY are optional (howev </div> </div> </div> - - +</body> +</html> diff --git a/userguide/site/clients/index.html b/userguide/site/clients/index.html index 2cf0de26c9e8590acc3c42f34a1e16b5ab9543b4..0f00843440e91740fd5867053f9aa2b494595314 100644 --- a/userguide/site/clients/index.html +++ b/userguide/site/clients/index.html @@ -78,7 +78,7 @@ <ul class="nav flex-column"> </ul> </li> -<li class="nav-item" data-level="2"><a class="nav-link" href="#connect-from-a-macos-device">Connect from a MacOS device</a> +<li class="nav-item" data-level="2"><a class="nav-link" href="#connect-from-a-macos-device">Connect from a macOS device</a> <ul class="nav flex-column"> </ul> </li> 
@@ -124,11 +124,11 @@ height:400px; <p>Select the option <strong>"Connect to a JAMS server"</strong> which will lead you to the following screen:</p> <p><img alt="alt text" src="https://static.savoirfairelinux.com/img/jams/client/windows/windows-step2.png" title="Windows step 2"/></p> <p>The <strong>Jami Account Management Server URL</strong> in this case would be the DNS address of your server and the username and password which correspond to your account. If you have configured the server with an LDAP/AD backend, it would be your LDAP/AD username and password.</p> -<h2 id="connect-from-a-macos-device">Connect from a MacOS device</h2> +<h2 id="connect-from-a-macos-device">Connect from a macOS device</h2> <p>Open Jami, go to the login page. Click on "Advanced":</p> -<p><img alt="alt text" src="https://static.savoirfairelinux.com/img/jams/client/macos/macos-step1.png" title="MacOS step 1"/></p> +<p><img alt="alt text" src="https://static.savoirfairelinux.com/img/jams/client/macos/macos-step1.png" title="macOS step 1"/></p> <p>Select the option <strong>"Connect to account manager"</strong> which will lead you to the following screen:</p> -<p><img alt="alt text" src="https://static.savoirfairelinux.com/img/jams/client/macos/macos-step2.png" title="MacOS step 2"/></p> +<p><img alt="alt text" src="https://static.savoirfairelinux.com/img/jams/client/macos/macos-step2.png" title="macOS step 2"/></p> <p>The <strong>Jami Account Management Server URL</strong> in this case would be the DNS address of your server and the username and password which correspond to your account. If you have configured the server with an LDAP/AD backend, it would be your LDAP/AD username and password.</p> <h2 id="connect-from-an-android-device">Connect from an Android device</h2> <p>Open Jami, go to the login page.</p> 
diff --git a/userguide/site/img/cover.jpg b/userguide/site/img/cover.jpg new file mode 100644 index 0000000000000000000000000000000000000000..8fb5fd64da815af5727dd3e89f418b42e1d36715 Binary files /dev/null and b/userguide/site/img/cover.jpg differ diff --git a/userguide/site/index.html b/userguide/site/index.html index be1ab004eafcbd062e8d6e5fcb52eb45a80ecfc0..c7bdff0bdc2c11a5bd3ed773b8cee6db1489f0da 100644 --- a/userguide/site/index.html +++ b/userguide/site/index.html @@ -87,7 +87,7 @@ <ul class="nav flex-column"> </ul> </li> -<li class="nav-item" data-level="2"><a class="nav-link" href="#step-1-create-your-admininistrator-account">Step 1: create your admininistrator account</a> +<li class="nav-item" data-level="2"><a class="nav-link" href="#step-1-create-your-administrator-account">Step 1: create your administrator account</a> <ul class="nav flex-column"> </ul> </li> 
@@ -148,13 +148,13 @@ The source code is available at <a href="https://git.jami.net/savoirfairelinux/j </ol> <p>You must have a domain name in order to request a key and a certificate.</p> <p>Once you have purchased you domain name and pointed it to you server you can proceed to the next step.</p> -<p>You can purchase a pair of key certificate from any online provider such as Godaddy, OVH, Hostgator, etc. We recommand getting a free pair using Let's encrypt.</p> +<p>You can purchase a pair of key certificate from any online provider such as GoDaddy, OVH, HostGator , etc. We recommend getting a free pair using Let's encrypt.</p> <p>In order to generate a pair of key certificate you can use Certbot using instructions in the following page https://certbot.eff.org/.</p> <p>You can choose the web server software and operating system to get specific instructions.</p> <p>Here is an example for an Nginx web server on Ubuntu 20.04: https://certbot.eff.org/lets-encrypt/ubuntufocal-nginx</p> <p>Install Certbot using snap: sudo snap install --classic certbot</p> <p>Ensure that the cerbot command can be run: sudo ln -s /snap/bin/certbot /usr/bin/certbot</p> -<p>In order to get a certificate execute: sudo certbot certonly and follow instrcuctions.</p> +<p>In order to get a certificate execute: sudo certbot certonly and follow instructions.</p> <p>The Certificate and Key are generated in a specific folder, please see the output from Certbot to locate them.</p> <p>We need to copy them in the current folder where our jams-launcher.jar file is located.</p> <p><strong>Current limitation:</strong> JAMS does not support reading encrypted private keys which require a password unlock.</p> 
@@ -188,15 +188,15 @@ The source code is available at <a href="https://git.jami.net/savoirfairelinux/j An example of the command would be: </p> <p><code>java -jar jams-launcher 443 server.pem server.key</code></p> <p>Please note that any port above 1024 can be safely used to run JAMS.</p> -<h2 id="step-1-create-your-admininistrator-account">Step 1: create your admininistrator account</h2> +<h2 id="step-1-create-your-administrator-account">Step 1: create your administrator account</h2> <p>This account will have administrative control and the rights to manage your users and group of Jami users.</p> <p><img alt="alt text" src="https://static.savoirfairelinux.com/img/jams/step1.png" title="Create an admin account"/></p> <h2 id="step-2-setup-the-certification-authority">Step 2: setup the Certification Authority</h2> <p>The second step is to define your Certification Authority. </p> -<p><strong>Important:</strong> a CA is not a server-side ssl certificate, it is a certificate which has the power to issue other certificates. Do not use the import option unless your company's security officer has issued you a CA certificate. Most commercially available certificates (i.e. those issued by godaddy, letsencrypt, etc... ) are not CA certificates. If you are an end-user we highly recommend you use to create a self-signed CA option as providing an incorrect certificate type will lead to a non-functional server.</p> +<p><strong>Important:</strong> a CA is not a server-side ssl certificate, it is a certificate which has the power to issue other certificates. Do not use the import option unless your company's security officer has issued you a CA certificate. Most commercially available certificates (i.e. those issued by GoDaddy, Let’s Encrypt, etc…) are not CA certificates. 
If you are an end-user we highly recommend you use to create a self-signed CA option as providing an incorrect certificate type will lead to a non-functional server.</p> <p><img alt="alt text" src="https://static.savoirfairelinux.com/img/jams/step2-1.png" title="Certification Authority Create"/></p> <p><img alt="alt text" src="https://static.savoirfairelinux.com/img/jams/step2-2.png" title="Certification Authority Import"/></p> -<p>This certificate will be used to sign the enrollement requests which come from Jami devices. If you are not familiar with the X509 standard, we highly recommend you read the following +<p>This certificate will be used to sign the enrollment requests which come from Jami devices. If you are not familiar with the X509 standard, we highly recommend you read the following articles to get familiar with the processes and practices which surround it:</p> <p><a href="https://www.securew2.com/blog/public-key-infrastructure-explained/">https://www.securew2.com/blog/public-key-infrastructure-explained/</a> <a href="https://cheapsslsecurity.com/blog/understanding-the-role-of-certificate-authorities-in-pki/">https://cheapsslsecurity.com/blog/understanding-the-role-of-certificate-authorities-in-pki/</a> </p> 
@@ -209,7 +209,7 @@ articles to get familiar with the processes and practices which surround it:</p> </ul> <p><br/></p> <h3 id="option-1-ldap-authentication">Option 1: LDAP authentication</h3> -<p>If your company provides you with LDAP directory for user management, you will need to know its access information and a automated account which has read-only rights to do use look-ups.</p> +<p>If your company provides you with LDAP directory for user management, you will need to know its access information and an automated account which has read-only rights to do use look-ups.</p> <p><img alt="alt text" src="https://static.savoirfairelinux.com/img/jams/ldap.png" title="LDAP"/></p> <p>Your admin should provide you most of this information but we do provide a detailed overview over each field in case you need some extra help:</p> <table> 
@@ -290,7 +290,7 @@ articles to get familiar with the processes and practices which surround it:</p> <p>The local database does not require any additional configuration, everything in the process is automated. This option allows you to create Jami users on the fly directly from the JAMS interface.</p> <p><img alt="alt text" src="https://static.savoirfairelinux.com/img/jams/local.png" title="Local"/></p> <p><strong>Advanced settings:</strong> by default, the option "Use public nameserver" is disabled. Usernames of your Jami users will not be stored on the public Jami nameserver and your users will only be able to communicate with users from your organization.</p> -<p>If you want your users to be searchable by external users and allow them to communicate with any Jami users, and not only the one from your organization, enable this option,</p> +<p>If you want your users to be searchable by external users and allow them to communicate with any Jami users, and not only the one from your organization, enable this option.</p> <h2 id="step-4-setup-the-server-parameters">Step 4: setup the server parameters</h2> <p><img alt="alt text" src="https://static.savoirfairelinux.com/img/jams/step4.png" title="Setup server parameters"/></p> <table> @@ -311,11 +311,11 @@ articles to get familiar with the processes and practices which surround it:</p> </tr> <tr> <td><strong>Device Lifetime</strong></td> -<td>How long a device's certificate is valid before being considered stale and requiring re-enrollement</td> +<td>How long a device's certificate is valid before being considered stale and requiring re-enrollment</td> </tr> <tr> <td><strong>User Account Lifetime</strong></td> -<td>How long a user account is valid before being considered stale and requiring re-enrollement</td> +<td>How long a user account is valid before being considered stale and requiring re-enrollment</td> </tr> </tbody> </table> 
@@ -324,7 +324,7 @@ articles to get familiar with the processes and practices which surround it:</p> <p>Click on "Set Server Parameters" to finalize the configuration. You will be redirected to the JAMS interface.</p> <p><img alt="alt text" src="https://static.savoirfairelinux.com/img/jams/jams-dashboard.png" title="Jams dashboard"/></p> -<p>If you have configured JAMS with your LDAP or Active Directory, the list of users should of your organization shoud be visible in JAMS. If you have selected the local embedded database, you can now start creating new users by clicking on "Create User"</p></div> +<p>If you have configured JAMS with your LDAP or Active Directory, the list of users should of your organization should be visible in JAMS. If you have selected the local embedded database, you can now start creating new users by clicking on "Create User".</p></div> </div> </div> <footer class="col-md-12"> @@ -404,5 +404,5 @@ You will be redirected to the JAMS interface.</p> </html> <!-- MkDocs version : 1.1.2 -Build Date UTC : 2021-02-18 22:13:12.355629+00:00 +Build Date UTC : 2021-04-20 13:35:56.860377+00:00 --> diff --git a/userguide/site/pdf/combined.pdf b/userguide/site/pdf/combined.pdf index f98666c5bd2173e6fd5358e90c7e8a91962597c2..9700a77e74566e0371b55bdb2ba7f0a94eba9381 100644 Binary files a/userguide/site/pdf/combined.pdf and b/userguide/site/pdf/combined.pdf differ diff --git a/userguide/site/search/search_index.json b/userguide/site/search/search_index.json index 68820aa5879215164333dbf4e90534e9c290f2f2..fd6925aa28737aa8f64f0d96a4a15c93c47d1d64 100644 --- a/userguide/site/search/search_index.json +++ b/userguide/site/search/search_index.json 
@@ -1 +1 @@ -{"config":{"lang":["en"],"min_search_length":3,"prebuild_index":false,"separator":"[\\s\\-]+"},"docs":[{"location":"","text":"img{ height:400px; } Getting Started JAMS is a server application used to enroll Jami clients into an Enterprise context. Currently, JAMS supports 3 sources for user authentication: LDAP, Active Directory and an embedded database. Obtaining JAMS The latest version of JAMS can be downloaded at: https://jami.biz/ The source code is available at https://git.jami.net/savoirfairelinux/jami-jams System Requirements Windows, Linux or Mac OS operating system Java 11 or higher 4 GB RAM 1 CPU JAMS Concepts JAMS was built with security in mind, therefore it is intimately related to the X509 certificate management workflows. The central concepts which are used in JAMS are the Certification Authority (CA) and the Certificate Signing Requests (CSR). In the JAMS paradigm, a device (Jami client) requests a certificate to the server then presents it to other devices to be recognized as a valid member of the organization. Therefore, JAMS must be provided with a certificate authority in order to work properly. In order to be completely secure, JAMS does not generate certificates for devices, but instead issues certificates based on a certificate signing request sent to it by the device, therefore removing the need to send a private key over the wire. The diagram below shows the entire process of how a device enrolls with JAMS: \u200b Getting Started Download the latest version of JAMS from: https://jami.biz/ Unpack the .tar file to a directory of your choice. It is mandatory to run JAMS using a secure SSL connection. You must have a domain name in order to request a key and a certificate. Once you have purchased you domain name and pointed it to you server you can proceed to the next step. You can purchase a pair of key certificate from any online provider such as Godaddy, OVH, Hostgator, etc. We recommand getting a free pair using Let's encrypt. 
In order to generate a pair of key certificate you can use Certbot using instructions in the following page https://certbot.eff.org/. You can choose the web server software and operating system to get specific instructions. Here is an example for an Nginx web server on Ubuntu 20.04: https://certbot.eff.org/lets-encrypt/ubuntufocal-nginx Install Certbot using snap: sudo snap install --classic certbot Ensure that the cerbot command can be run: sudo ln -s /snap/bin/certbot /usr/bin/certbot In order to get a certificate execute: sudo certbot certonly and follow instrcuctions. The Certificate and Key are generated in a specific folder, please see the output from Certbot to locate them. We need to copy them in the current folder where our jams-launcher.jar file is located. Current limitation: JAMS does not support reading encrypted private keys which require a password unlock. Navigate to the directory where you have extracted the JAMS package and execute the following command: java -jar jams-launcher.jar PORT SSL_CERTIFICATE SSL_CERTIFICATE_KEY Argument Details PORT The TCP port on which you want JAMS to listen for incoming connections SSL_CERTIFICATE The location of the PEM-formatted SSL Certificate file SSL_CERTIFICATE_KEY The location of the PEM-formatted key file which is used with the SSL Certificate file from above An example of the command would be: java -jar jams-launcher 443 server.pem server.key Please note that any port above 1024 can be safely used to run JAMS. Step 1: create your admininistrator account This account will have administrative control and the rights to manage your users and group of Jami users. Step 2: setup the Certification Authority The second step is to define your Certification Authority. Important: a CA is not a server-side ssl certificate, it is a certificate which has the power to issue other certificates. Do not use the import option unless your company's security officer has issued you a CA certificate. 
Most commercially available certificates (i.e. those issued by godaddy, letsencrypt, etc... ) are not CA certificates. If you are an end-user we highly recommend you use to create a self-signed CA option as providing an incorrect certificate type will lead to a non-functional server. This certificate will be used to sign the enrollement requests which come from Jami devices. If you are not familiar with the X509 standard, we highly recommend you read the following articles to get familiar with the processes and practices which surround it: https://www.securew2.com/blog/public-key-infrastructure-explained/ https://cheapsslsecurity.com/blog/understanding-the-role-of-certificate-authorities-in-pki/ Step 3: setup the user database JAMS supports 3 different sources for the authentication of users: LDAP-compatible directory (such as OpenLDAP) Microsoft Active Directory Local embedded database Option 1: LDAP authentication If your company provides you with LDAP directory for user management, you will need to know its access information and a automated account which has read-only rights to do use look-ups. Your admin should provide you most of this information but we do provide a detailed overview over each field in case you need some extra help: Field Details Use StartTLS Your LDAP server can be configured to use either TLS/STARTTLS or PLAIN sockets, if STARTTLS is used you should mark this as true Server Address The address of your server with respect to the JAMS server, your LDAP does not need to be publicly accessible but should be accessible to JAMS. You should have either ldap:// or ldaps:// preceding the address. Port The port on which the LDAP server is listening for requests (usually 389 for PLAIN/STARTTLS and 636 for SSL/TLS) Administrator Username This is NOT the LDAP's administration account credentials, but the credentials of the account which has Read permissions to the LDAP database in order to lookup users. 
The format is generally cn=bot,ou=robots,dc=domain,dc=org Password The password used by the account above. BaseDN The base realm where the users accounts are located, in most cases it is ou=users,dc=company,dc=org Option 2: Microsoft Active Directory If your company provides you with Active Directory for user management, you will need to know its access information and an automated account which has read-only rights to do use look-ups. Your admin should provide you most of this information but we do provide a detailed overview over each field in case you need some extra help: Field Details Port The port on which Active Directory is listening (generally it is either 389 or 636) Host The address of your server with respect to the JAMS server, your Active Directory does not need to be publicly accessible but should be accessible to JAMS. Administrator Username This is NOT the Active Directory's administration account credentials, but the credentials of the account which has Read permissions to the Active Directory database in order to lookup users. The format is generally cn=bot,ou=robots,dc=domain,dc=net Password The password used by the account above. Use SSL Whenever this server uses SSL for data transmission Domain Name This is the legacy-formatted Windows Domain Name (i.e. WINDOMAIN ) Option 3: local embedded database The local database does not require any additional configuration, everything in the process is automated. This option allows you to create Jami users on the fly directly from the JAMS interface. Advanced settings: by default, the option \"Use public nameserver\" is disabled. Usernames of your Jami users will not be stored on the public Jami nameserver and your users will only be able to communicate with users from your organization. 
If you want your users to be searchable by external users and allow them to communicate with any Jami users, and not only the one from your organization, enable this option, Step 4: setup the server parameters Parameter Details CORS Domain Name The domain on which the JAMS client and administration UI will be running. Certificate Revocation List Lifetime The frequency at which the CRL is updated in memory Device Lifetime How long a device's certificate is valid before being considered stale and requiring re-enrollement User Account Lifetime How long a user account is valid before being considered stale and requiring re-enrollement Important The CORS Domain Name corresponds to the web address used to access the Web UI. By default, it is set to the same URL as the one where you deploy JAMS. Only set a different URL if the Web UI has a different URL to the one where JAMS is deployed. Click on \"Set Server Parameters\" to finalize the configuration. You will be redirected to the JAMS interface. If you have configured JAMS with your LDAP or Active Directory, the list of users should of your organization shoud be visible in JAMS. If you have selected the local embedded database, you can now start creating new users by clicking on \"Create User\"","title":"Home"},{"location":"#getting-started","text":"JAMS is a server application used to enroll Jami clients into an Enterprise context. 
Currently, JAMS supports 3 sources for user authentication: LDAP, Active Directory and an embedded database.","title":"Getting Started"},{"location":"#obtaining-jams","text":"The latest version of JAMS can be downloaded at: https://jami.biz/ The source code is available at https://git.jami.net/savoirfairelinux/jami-jams","title":"Obtaining JAMS"},{"location":"#system-requirements","text":"Windows, Linux or Mac OS operating system Java 11 or higher 4 GB RAM 1 CPU","title":"System Requirements"},{"location":"#jams-concepts","text":"JAMS was built with security in mind, therefore it is intimately related to the X509 certificate management workflows. The central concepts which are used in JAMS are the Certification Authority (CA) and the Certificate Signing Requests (CSR). In the JAMS paradigm, a device (Jami client) requests a certificate to the server then presents it to other devices to be recognized as a valid member of the organization. Therefore, JAMS must be provided with a certificate authority in order to work properly. In order to be completely secure, JAMS does not generate certificates for devices, but instead issues certificates based on a certificate signing request sent to it by the device, therefore removing the need to send a private key over the wire. The diagram below shows the entire process of how a device enrolls with JAMS: \u200b","title":"JAMS Concepts"},{"location":"#getting-started_1","text":"Download the latest version of JAMS from: https://jami.biz/ Unpack the .tar file to a directory of your choice. It is mandatory to run JAMS using a secure SSL connection. You must have a domain name in order to request a key and a certificate. Once you have purchased you domain name and pointed it to you server you can proceed to the next step. You can purchase a pair of key certificate from any online provider such as Godaddy, OVH, Hostgator, etc. We recommand getting a free pair using Let's encrypt. 
In order to generate a pair of key certificate you can use Certbot using instructions in the following page https://certbot.eff.org/. You can choose the web server software and operating system to get specific instructions. Here is an example for an Nginx web server on Ubuntu 20.04: https://certbot.eff.org/lets-encrypt/ubuntufocal-nginx Install Certbot using snap: sudo snap install --classic certbot Ensure that the cerbot command can be run: sudo ln -s /snap/bin/certbot /usr/bin/certbot In order to get a certificate execute: sudo certbot certonly and follow instrcuctions. The Certificate and Key are generated in a specific folder, please see the output from Certbot to locate them. We need to copy them in the current folder where our jams-launcher.jar file is located. Current limitation: JAMS does not support reading encrypted private keys which require a password unlock. Navigate to the directory where you have extracted the JAMS package and execute the following command: java -jar jams-launcher.jar PORT SSL_CERTIFICATE SSL_CERTIFICATE_KEY Argument Details PORT The TCP port on which you want JAMS to listen for incoming connections SSL_CERTIFICATE The location of the PEM-formatted SSL Certificate file SSL_CERTIFICATE_KEY The location of the PEM-formatted key file which is used with the SSL Certificate file from above An example of the command would be: java -jar jams-launcher 443 server.pem server.key Please note that any port above 1024 can be safely used to run JAMS.","title":"Getting Started"},{"location":"#step-1-create-your-admininistrator-account","text":"This account will have administrative control and the rights to manage your users and group of Jami users.","title":"Step 1: create your admininistrator account"},{"location":"#step-2-setup-the-certification-authority","text":"The second step is to define your Certification Authority. Important: a CA is not a server-side ssl certificate, it is a certificate which has the power to issue other certificates. 
Do not use the import option unless your company's security officer has issued you a CA certificate. Most commercially available certificates (i.e. those issued by godaddy, letsencrypt, etc... ) are not CA certificates. If you are an end-user we highly recommend you use to create a self-signed CA option as providing an incorrect certificate type will lead to a non-functional server. This certificate will be used to sign the enrollement requests which come from Jami devices. If you are not familiar with the X509 standard, we highly recommend you read the following articles to get familiar with the processes and practices which surround it: https://www.securew2.com/blog/public-key-infrastructure-explained/ https://cheapsslsecurity.com/blog/understanding-the-role-of-certificate-authorities-in-pki/","title":"Step 2: setup the Certification Authority"},{"location":"#step-3-setup-the-user-database","text":"JAMS supports 3 different sources for the authentication of users: LDAP-compatible directory (such as OpenLDAP) Microsoft Active Directory Local embedded database","title":"Step 3: setup the user database"},{"location":"#option-1-ldap-authentication","text":"If your company provides you with LDAP directory for user management, you will need to know its access information and a automated account which has read-only rights to do use look-ups. Your admin should provide you most of this information but we do provide a detailed overview over each field in case you need some extra help: Field Details Use StartTLS Your LDAP server can be configured to use either TLS/STARTTLS or PLAIN sockets, if STARTTLS is used you should mark this as true Server Address The address of your server with respect to the JAMS server, your LDAP does not need to be publicly accessible but should be accessible to JAMS. You should have either ldap:// or ldaps:// preceding the address. 
Port The port on which the LDAP server is listening for requests (usually 389 for PLAIN/STARTTLS and 636 for SSL/TLS) Administrator Username This is NOT the LDAP's administration account credentials, but the credentials of the account which has Read permissions to the LDAP database in order to lookup users. The format is generally cn=bot,ou=robots,dc=domain,dc=org Password The password used by the account above. BaseDN The base realm where the users accounts are located, in most cases it is ou=users,dc=company,dc=org","title":"Option 1: LDAP authentication"},{"location":"#option-2-microsoft-active-directory","text":"If your company provides you with Active Directory for user management, you will need to know its access information and an automated account which has read-only rights to do use look-ups. Your admin should provide you most of this information but we do provide a detailed overview over each field in case you need some extra help: Field Details Port The port on which Active Directory is listening (generally it is either 389 or 636) Host The address of your server with respect to the JAMS server, your Active Directory does not need to be publicly accessible but should be accessible to JAMS. Administrator Username This is NOT the Active Directory's administration account credentials, but the credentials of the account which has Read permissions to the Active Directory database in order to lookup users. The format is generally cn=bot,ou=robots,dc=domain,dc=net Password The password used by the account above. Use SSL Whenever this server uses SSL for data transmission Domain Name This is the legacy-formatted Windows Domain Name (i.e. WINDOMAIN )","title":"Option 2: Microsoft Active Directory"},{"location":"#option-3-local-embedded-database","text":"The local database does not require any additional configuration, everything in the process is automated. This option allows you to create Jami users on the fly directly from the JAMS interface. 
Advanced settings: by default, the option \"Use public nameserver\" is disabled. Usernames of your Jami users will not be stored on the public Jami nameserver and your users will only be able to communicate with users from your organization. If you want your users to be searchable by external users and allow them to communicate with any Jami users, and not only the one from your organization, enable this option,","title":"Option 3: local embedded database"},{"location":"#step-4-setup-the-server-parameters","text":"Parameter Details CORS Domain Name The domain on which the JAMS client and administration UI will be running. Certificate Revocation List Lifetime The frequency at which the CRL is updated in memory Device Lifetime How long a device's certificate is valid before being considered stale and requiring re-enrollement User Account Lifetime How long a user account is valid before being considered stale and requiring re-enrollement Important The CORS Domain Name corresponds to the web address used to access the Web UI. By default, it is set to the same URL as the one where you deploy JAMS. Only set a different URL if the Web UI has a different URL to the one where JAMS is deployed. Click on \"Set Server Parameters\" to finalize the configuration. You will be redirected to the JAMS interface. If you have configured JAMS with your LDAP or Active Directory, the list of users should of your organization shoud be visible in JAMS. If you have selected the local embedded database, you can now start creating new users by clicking on \"Create User\"","title":"Step 4: setup the server parameters"},{"location":"admin/","text":"img{ height:400px; } Admin Guide By default JAMS runs an embedded tomcat server visible on port 8080, however this is not practical for many reasons. This guide is designed to help you setup Jams to run in a production environment. 
JAMS & Nginx It is generally not recommended to expose JAMS directly to the outside world and while it is required to run JAMS in SSL mode, we usually recommend users to place it behind Nginx or a similar web server which proxies requests between the outside world and Jams. The following is an example map of how you could configure JAMS behind Nginx (the process would be similar if you wanted to use any other type of proxying solution): The IP 10.10.0.1 is random, and should be seen as an example. Typically you would add a new site called jams-site.conf to your nginx configurations which would contain the following entries if you wanted to place an SSL certificate at the Nginx level: server { listen 443 ssl; listen [::]:443 ssl; ssl on; ssl_certificate /etc/certificates/mycertificate.pem ssl_certificate_key /etc/certificates/mycertificatekey.pem client_max_body_size 100M; server_name jams.mycompany.com; location / { proxy_pass http://10.10.0.1:8080/; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $http_host; } } This is the preferred setup method by most admins, as local traffic is usually ran unencrypted since it is usually either inter-VM connection, a VLAN or another dedicated link. Troubleshooting and resetting If you ever need to restart from 0 (i.e. reset everything and drop existing data) you can do so by deleting the following files in the distribution folder ( /jams): The internal jams folder: /jams/jams derby.log oauth.key oauth.pub config.json This will reset the server to its original state and you will be able to run the configuration wizard again. Before performing this operation, please make sure to shutdown the server. Running JAMS as Windows Service Download and install JAMS Visit https://jami.biz/ and downalod JAMS. 
Extract JAMS to c:\\jams Download and install JDK 11 Download JDK 11 from https://www.oracle.com/java/technologies/javase-jdk11-downloads.html (choose the conresponding architecture of your VM) Install it using the install wizard. Download openssl to generate a key and a certificate Download OpenSSL from https://kb.firedaemon.com/support/solutions/articles/4000121705 (or choose another source https://wiki.openssl.org/index.php/Binaries) Once downloaded extract it to c:\\openssl then create a folder bin inside c:\\openssl\\bin Create a new file inside bin named openssl.cnf (make sure that the file extension is .cnd and not .cnd.txt) and copy past the following default configuration http://www.flatmtn.com/article/setting-openssl-create-certificates.html # # OpenSSL configuration file. # # Establish working directory. dir = . [ ca ] default_ca = CA_default [ CA_default ] serial = $dir/serial database = $dir/certindex.txt new_certs_dir = $dir/certs certificate = $dir/cacert.pem private_key = $dir/private/cakey.pem default_days = 365 default_md = md5 preserve = no email_in_dn = no nameopt = default_ca certopt = default_ca policy = policy_match [ policy_match ] countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional [ req ] default_bits = 1024 # Size of keys default_keyfile = key.pem # name of generated keys default_md = md5 # message digest algorithm string_mask = nombstr # permitted characters distinguished_name = req_distinguished_name req_extensions = v3_req [ req_distinguished_name ] # Variable name Prompt string #------------------------- ---------------------------------- 0.organizationName = Organization Name (company) organizationalUnitName = Organizational Unit Name (department, division) emailAddress = Email Address emailAddress_max = 40 localityName = Locality Name (city, district) stateOrProvinceName = State or Province Name (full name) countryName = Country Name 
(2 letter code) countryName_min = 2 countryName_max = 2 commonName = Common Name (hostname, IP, or your name) commonName_max = 64 # Default values for the above, for consistency and less typing. # Variable name Value ------------------------ ------------------------------ 0.organizationName_default = My Company localityName_default = My Town stateOrProvinceName_default = State or Providence countryName_default = US [ v3_ca ] basicConstraints = CA:TRUE subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer:always [ v3_req ] basicConstraints = CA:FALSE subjectKeyIdentifier = hash Add OpenSSL to Sytem Environment variables Go to Edit the system environment variables -> Environment Variables, then in System variables edit Path and add c:\\openssl\\ Configure OpenSSL Execute the following command to set the path to OpenSSL configuration. set OPENSSL_CONF=c:\\openssl\\bin\\openssl.cnf Open the command prompt and cd c:\\jams ans generate the Key and Certificate: openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout server.key -out server.pem Follow the wizard. Once the key and certificate are generated execute the dir command you should see an output like this: c:\\jams>dir Volume in drive C has no label. Volume Serial Number is BC94-9EF2 Directory of c:\\jams 2020-11-10 12:38 PM . 2020-11-10 12:38 PM .. 2020-10-22 10:56 AM 5,186,016 jams-launcher.jar 2020-10-22 10:56 AM 33,413,882 jams-server.jar 2020-11-10 11:53 AM libs 2020-11-10 12:34 PM 1,732 server.key 2020-11-10 12:38 PM 1,336 server.pem 2020-10-22 04:05 PM 2,047,932 userguide.pdf 5 File(s) 40,650,898 bytes 3 Dir(s) 93,365,936,128 bytes free Now execute the following command tot start JAMS java -jar jams-launcher.jar PORT_NUMBER (eg. 8443 or 443) server.pem server.key Open a navigator on the server and visite https://localhost:443 or https://localhost:8443 to validate that it's working. 
Click CTRL + C to close the application Expose your localhost to the internet Click on Windows ans search for Windows Defender Firewall with Advanced Security. Right click on Inbound Rules and click on New Rule... Select Port click next and specify the port you want to use example 443 or 8443. Click next and select Allow the connection and click next. Leave all of Domain Private and Public select and click next. Name you Rule JAMS Inbound and click Finish Now right click on Outbound Rules and click on New Rule... Select Port click next and specify the port you want to use example 443 or 8443. Click next and select Allow the connection and click next. Leave all of Domain Private and Public select and click next. Name you Rule JAMS Outbound and click Finish. You are all set. You can now visit you application trought the server domain name or ip address on port 443 or 8443. Create a JAMS Windows Service (Embed Tomcat Server Windows Service) to start JAMS with the server In order to create a JAMS Windows Service you can use the tool NSSM provided on http://nssm.cc/download https://github.com/kirillkovalenko/nssm Once downloaded open a command prompt and change directory to nssm-2.24\\win64 then execute: nssm.exe install JAMS A GUI interface will open. In the Path field specify the path to the Java executable example: \"C:\\Program Files\\Common Files\\Oracle\\Java\\javapath\\java.exe\". In the Startup directory put the \"C:\\jams\" installation folder path. In the last field Arguments add the following arguments: -classpath \"c:\\jams\" -jar jams-launcher.jar PORT_NUMBER server.pem server.key where PORT_NUMBER is the port number you want to use to serve the application example 443 or 8443 Now your JAMS application will start with the server. 
Source: https://medium.com/@lk.snatch/jar-file-as-windows-service-bonus-jar-to-exe-1b7b179053e4 Running JAMS as a Linux Service Running JAMS as a Linux Service is fairly straightforward with systemd - you simply created a service unit file with the following structure: [Unit] Description=JAMS Server [Service] Type=simple WorkingDirectory=[DIRECTORY WHERE JAMS WAS UNZIPPED] ExecStart=/usr/bin/java -jar [DIRECTORY WHERE JAMS WAS UNZIPPED]/jams-launcher.jar PORT SSL_CERTIFICATE SSL_CERTIFICATE_KEY [Install] WantedBy=multi-user.target The parameters PORT, SSL_CERTIFICATE and SSL_CERTIFICATE_KEY are optional (however, PORT can be used alone whereas the SSL_CERTIFICATE comes in pair with SSL_CERTIFICATE_KEY)","title":"Admin"},{"location":"admin/#admin-guide","text":"By default JAMS runs an embedded tomcat server visible on port 8080, however this is not practical for many reasons. This guide is designed to help you setup Jams to run in a production environment.","title":"Admin Guide"},{"location":"admin/#jams-nginx","text":"It is generally not recommended to expose JAMS directly to the outside world and while it is required to run JAMS in SSL mode, we usually recommend users to place it behind Nginx or a similar web server which proxies requests between the outside world and Jams. The following is an example map of how you could configure JAMS behind Nginx (the process would be similar if you wanted to use any other type of proxying solution): The IP 10.10.0.1 is random, and should be seen as an example. 
Typically you would add a new site called jams-site.conf to your nginx configurations which would contain the following entries if you wanted to place an SSL certificate at the Nginx level: server { listen 443 ssl; listen [::]:443 ssl; ssl on; ssl_certificate /etc/certificates/mycertificate.pem ssl_certificate_key /etc/certificates/mycertificatekey.pem client_max_body_size 100M; server_name jams.mycompany.com; location / { proxy_pass http://10.10.0.1:8080/; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $http_host; } } This is the preferred setup method by most admins, as local traffic is usually ran unencrypted since it is usually either inter-VM connection, a VLAN or another dedicated link.","title":"JAMS & Nginx"},{"location":"admin/#troubleshooting-and-resetting","text":"If you ever need to restart from 0 (i.e. reset everything and drop existing data) you can do so by deleting the following files in the distribution folder ( /jams): The internal jams folder: /jams/jams derby.log oauth.key oauth.pub config.json This will reset the server to its original state and you will be able to run the configuration wizard again. Before performing this operation, please make sure to shutdown the server.","title":"Troubleshooting and resetting"},{"location":"admin/#running-jams-as-windows-service","text":"","title":"Running JAMS as Windows Service"},{"location":"admin/#download-and-install-jams","text":"Visit https://jami.biz/ and downalod JAMS. 
Extract JAMS to c:\\jams","title":"Download and install JAMS"},{"location":"admin/#download-and-install-jdk-11","text":"Download JDK 11 from https://www.oracle.com/java/technologies/javase-jdk11-downloads.html (choose the conresponding architecture of your VM) Install it using the install wizard.","title":"Download and install JDK 11"},{"location":"admin/#download-openssl-to-generate-a-key-and-a-certificate","text":"Download OpenSSL from https://kb.firedaemon.com/support/solutions/articles/4000121705 (or choose another source https://wiki.openssl.org/index.php/Binaries) Once downloaded extract it to c:\\openssl then create a folder bin inside c:\\openssl\\bin Create a new file inside bin named openssl.cnf (make sure that the file extension is .cnd and not .cnd.txt) and copy past the following default configuration http://www.flatmtn.com/article/setting-openssl-create-certificates.html # # OpenSSL configuration file. # # Establish working directory. dir = . [ ca ] default_ca = CA_default [ CA_default ] serial = $dir/serial database = $dir/certindex.txt new_certs_dir = $dir/certs certificate = $dir/cacert.pem private_key = $dir/private/cakey.pem default_days = 365 default_md = md5 preserve = no email_in_dn = no nameopt = default_ca certopt = default_ca policy = policy_match [ policy_match ] countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional [ req ] default_bits = 1024 # Size of keys default_keyfile = key.pem # name of generated keys default_md = md5 # message digest algorithm string_mask = nombstr # permitted characters distinguished_name = req_distinguished_name req_extensions = v3_req [ req_distinguished_name ] # Variable name Prompt string #------------------------- ---------------------------------- 0.organizationName = Organization Name (company) organizationalUnitName = Organizational Unit Name (department, division) emailAddress = Email Address 
emailAddress_max = 40 localityName = Locality Name (city, district) stateOrProvinceName = State or Province Name (full name) countryName = Country Name (2 letter code) countryName_min = 2 countryName_max = 2 commonName = Common Name (hostname, IP, or your name) commonName_max = 64 # Default values for the above, for consistency and less typing. # Variable name Value ------------------------ ------------------------------ 0.organizationName_default = My Company localityName_default = My Town stateOrProvinceName_default = State or Providence countryName_default = US [ v3_ca ] basicConstraints = CA:TRUE subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer:always [ v3_req ] basicConstraints = CA:FALSE subjectKeyIdentifier = hash","title":"Download openssl to generate a key and a certificate"},{"location":"admin/#add-openssl-to-sytem-environment-variables","text":"Go to Edit the system environment variables -> Environment Variables, then in System variables edit Path and add c:\\openssl\\","title":"Add OpenSSL to Sytem Environment variables"},{"location":"admin/#configure-openssl","text":"Execute the following command to set the path to OpenSSL configuration. set OPENSSL_CONF=c:\\openssl\\bin\\openssl.cnf Open the command prompt and cd c:\\jams ans generate the Key and Certificate: openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout server.key -out server.pem Follow the wizard. Once the key and certificate are generated execute the dir command you should see an output like this: c:\\jams>dir Volume in drive C has no label. Volume Serial Number is BC94-9EF2 Directory of c:\\jams 2020-11-10 12:38 PM . 2020-11-10 12:38 PM .. 
2020-10-22 10:56 AM 5,186,016 jams-launcher.jar 2020-10-22 10:56 AM 33,413,882 jams-server.jar 2020-11-10 11:53 AM libs 2020-11-10 12:34 PM 1,732 server.key 2020-11-10 12:38 PM 1,336 server.pem 2020-10-22 04:05 PM 2,047,932 userguide.pdf 5 File(s) 40,650,898 bytes 3 Dir(s) 93,365,936,128 bytes free Now execute the following command tot start JAMS java -jar jams-launcher.jar PORT_NUMBER (eg. 8443 or 443) server.pem server.key Open a navigator on the server and visite https://localhost:443 or https://localhost:8443 to validate that it's working. Click CTRL + C to close the application","title":"Configure OpenSSL"},{"location":"admin/#expose-your-localhost-to-the-internet","text":"Click on Windows ans search for Windows Defender Firewall with Advanced Security. Right click on Inbound Rules and click on New Rule... Select Port click next and specify the port you want to use example 443 or 8443. Click next and select Allow the connection and click next. Leave all of Domain Private and Public select and click next. Name you Rule JAMS Inbound and click Finish Now right click on Outbound Rules and click on New Rule... Select Port click next and specify the port you want to use example 443 or 8443. Click next and select Allow the connection and click next. Leave all of Domain Private and Public select and click next. Name you Rule JAMS Outbound and click Finish. You are all set. You can now visit you application trought the server domain name or ip address on port 443 or 8443.","title":"Expose your localhost to the internet"},{"location":"admin/#create-a-jams-windows-service-embed-tomcat-server-windows-service-to-start-jams-with-the-server","text":"In order to create a JAMS Windows Service you can use the tool NSSM provided on http://nssm.cc/download https://github.com/kirillkovalenko/nssm Once downloaded open a command prompt and change directory to nssm-2.24\\win64 then execute: nssm.exe install JAMS A GUI interface will open. 
In the Path field specify the path to the Java executable example: \"C:\\Program Files\\Common Files\\Oracle\\Java\\javapath\\java.exe\". In the Startup directory put the \"C:\\jams\" installation folder path. In the last field Arguments add the following arguments: -classpath \"c:\\jams\" -jar jams-launcher.jar PORT_NUMBER server.pem server.key where PORT_NUMBER is the port number you want to use to serve the application example 443 or 8443 Now your JAMS application will start with the server. Source: https://medium.com/@lk.snatch/jar-file-as-windows-service-bonus-jar-to-exe-1b7b179053e4","title":"Create a JAMS Windows Service (Embed Tomcat Server Windows Service) to start JAMS with the server"},{"location":"admin/#running-jams-as-a-linux-service","text":"Running JAMS as a Linux Service is fairly straightforward with systemd - you simply created a service unit file with the following structure: [Unit] Description=JAMS Server [Service] Type=simple WorkingDirectory=[DIRECTORY WHERE JAMS WAS UNZIPPED] ExecStart=/usr/bin/java -jar [DIRECTORY WHERE JAMS WAS UNZIPPED]/jams-launcher.jar PORT SSL_CERTIFICATE SSL_CERTIFICATE_KEY [Install] WantedBy=multi-user.target The parameters PORT, SSL_CERTIFICATE and SSL_CERTIFICATE_KEY are optional (however, PORT can be used alone whereas the SSL_CERTIFICATE comes in pair with SSL_CERTIFICATE_KEY)","title":"Running JAMS as a Linux Service"},{"location":"clients/","text":"img{ height:400px; } Client Guide Depending on your operating system, we have included the tutorial on how to connect to the management server from the Windows, MacOS, Android and iOS clients. For the purposes of this tutorial, we assume that The server and the device trying to connect are either On the same network The server is publicly accessible to the outside world You have a valid username/password pair to connect to the server Connect from a Linux device Open Jami, go to the login page. 
Click on \"Advanced\": Select the option \"Connect to a JAMS server\" which will lead you to the following screen: The Jami Account Management Server URL in this case would be the DNS address of your server and the username and password which correspond to your account. If you have configured the server with an LDAP/AD backend, it would be your LDAP/AD username and password. Connect from a Windows device Open Jami, go to the login page. Click on \"Advanced\": Select the option \"Connect to a JAMS server\" which will lead you to the following screen: The Jami Account Management Server URL in this case would be the DNS address of your server and the username and password which correspond to your account. If you have configured the server with an LDAP/AD backend, it would be your LDAP/AD username and password. Connect from a MacOS device Open Jami, go to the login page. Click on \"Advanced\": Select the option \"Connect to account manager\" which will lead you to the following screen: The Jami Account Management Server URL in this case would be the DNS address of your server and the username and password which correspond to your account. If you have configured the server with an LDAP/AD backend, it would be your LDAP/AD username and password. Connect from an Android device Open Jami, go to the login page. Select the option \"Connect to management server\" which will lead you to the following screen: The server in this case would be the DNS address of your server and the username and password which correspond to your account. If you have configured the server with an LDAP/AD backend, it would be your LDAP/AD username and password. Connect from an iOS device Open Jami, go to the login page. Select the option \"Connect to account manager\" which will lead you to the following screen: The server in this case would be the DNS address of your server and the username and password which correspond to your account. 
If you have configured the server with an LDAP/AD backend, it would be your LDAP/AD username and password.","title":"Clients"},{"location":"clients/#client-guide","text":"Depending on your operating system, we have included the tutorial on how to connect to the management server from the Windows, MacOS, Android and iOS clients. For the purposes of this tutorial, we assume that The server and the device trying to connect are either On the same network The server is publicly accessible to the outside world You have a valid username/password pair to connect to the server","title":"Client Guide"},{"location":"clients/#connect-from-a-linux-device","text":"Open Jami, go to the login page. Click on \"Advanced\": Select the option \"Connect to a JAMS server\" which will lead you to the following screen: The Jami Account Management Server URL in this case would be the DNS address of your server and the username and password which correspond to your account. If you have configured the server with an LDAP/AD backend, it would be your LDAP/AD username and password.","title":"Connect from a Linux device"},{"location":"clients/#connect-from-a-windows-device","text":"Open Jami, go to the login page. Click on \"Advanced\": Select the option \"Connect to a JAMS server\" which will lead you to the following screen: The Jami Account Management Server URL in this case would be the DNS address of your server and the username and password which correspond to your account. If you have configured the server with an LDAP/AD backend, it would be your LDAP/AD username and password.","title":"Connect from a Windows device"},{"location":"clients/#connect-from-a-macos-device","text":"Open Jami, go to the login page. Click on \"Advanced\": Select the option \"Connect to account manager\" which will lead you to the following screen: The Jami Account Management Server URL in this case would be the DNS address of your server and the username and password which correspond to your account. 
If you have configured the server with an LDAP/AD backend, it would be your LDAP/AD username and password.","title":"Connect from a MacOS device"},{"location":"clients/#connect-from-an-android-device","text":"Open Jami, go to the login page. Select the option \"Connect to management server\" which will lead you to the following screen: The server in this case would be the DNS address of your server and the username and password which correspond to your account. If you have configured the server with an LDAP/AD backend, it would be your LDAP/AD username and password.","title":"Connect from an Android device"},{"location":"clients/#connect-from-an-ios-device","text":"Open Jami, go to the login page. Select the option \"Connect to account manager\" which will lead you to the following screen: The server in this case would be the DNS address of your server and the username and password which correspond to your account. If you have configured the server with an LDAP/AD backend, it would be your LDAP/AD username and password.","title":"Connect from an iOS device"}]} \ No newline at end of file +{"config":{"lang":["en"],"min_search_length":3,"prebuild_index":false,"separator":"[\\s\\-]+"},"docs":[{"location":"","text":"img{ height:400px; } Getting Started JAMS is a server application used to enroll Jami clients into an Enterprise context. Currently, JAMS supports 3 sources for user authentication: LDAP, Active Directory and an embedded database. Obtaining JAMS The latest version of JAMS can be downloaded at: https://jami.biz/ The source code is available at https://git.jami.net/savoirfairelinux/jami-jams System Requirements Windows, Linux or Mac OS operating system Java 11 or higher 4 GB RAM 1 CPU JAMS Concepts JAMS was built with security in mind, therefore it is intimately related to the X509 certificate management workflows. The central concepts which are used in JAMS are the Certification Authority (CA) and the Certificate Signing Requests (CSR). 
In the JAMS paradigm, a device (Jami client) requests a certificate to the server then presents it to other devices to be recognized as a valid member of the organization. Therefore, JAMS must be provided with a certificate authority in order to work properly. In order to be completely secure, JAMS does not generate certificates for devices, but instead issues certificates based on a certificate signing request sent to it by the device, therefore removing the need to send a private key over the wire. The diagram below shows the entire process of how a device enrolls with JAMS: \u200b Getting Started Download the latest version of JAMS from: https://jami.biz/ Unpack the .tar file to a directory of your choice. It is mandatory to run JAMS using a secure SSL connection. You must have a domain name in order to request a key and a certificate. Once you have purchased you domain name and pointed it to you server you can proceed to the next step. You can purchase a pair of key certificate from any online provider such as GoDaddy, OVH, HostGator , etc. We recommend getting a free pair using Let's encrypt. In order to generate a pair of key certificate you can use Certbot using instructions in the following page https://certbot.eff.org/. You can choose the web server software and operating system to get specific instructions. Here is an example for an Nginx web server on Ubuntu 20.04: https://certbot.eff.org/lets-encrypt/ubuntufocal-nginx Install Certbot using snap: sudo snap install --classic certbot Ensure that the cerbot command can be run: sudo ln -s /snap/bin/certbot /usr/bin/certbot In order to get a certificate execute: sudo certbot certonly and follow instructions. The Certificate and Key are generated in a specific folder, please see the output from Certbot to locate them. We need to copy them in the current folder where our jams-launcher.jar file is located. Current limitation: JAMS does not support reading encrypted private keys which require a password unlock. 
Navigate to the directory where you have extracted the JAMS package and execute the following command: java -jar jams-launcher.jar PORT SSL_CERTIFICATE SSL_CERTIFICATE_KEY Argument Details PORT The TCP port on which you want JAMS to listen for incoming connections SSL_CERTIFICATE The location of the PEM-formatted SSL Certificate file SSL_CERTIFICATE_KEY The location of the PEM-formatted key file which is used with the SSL Certificate file from above An example of the command would be: java -jar jams-launcher 443 server.pem server.key Please note that any port above 1024 can be safely used to run JAMS. Step 1: create your administrator account This account will have administrative control and the rights to manage your users and group of Jami users. Step 2: setup the Certification Authority The second step is to define your Certification Authority. Important: a CA is not a server-side ssl certificate, it is a certificate which has the power to issue other certificates. Do not use the import option unless your company's security officer has issued you a CA certificate. Most commercially available certificates (i.e. those issued by GoDaddy, Let\u2019s Encrypt, etc\u2026) are not CA certificates. If you are an end-user we highly recommend you use to create a self-signed CA option as providing an incorrect certificate type will lead to a non-functional server. This certificate will be used to sign the enrollment requests which come from Jami devices. 
If you are not familiar with the X509 standard, we highly recommend you read the following articles to get familiar with the processes and practices which surround it: https://www.securew2.com/blog/public-key-infrastructure-explained/ https://cheapsslsecurity.com/blog/understanding-the-role-of-certificate-authorities-in-pki/ Step 3: setup the user database JAMS supports 3 different sources for the authentication of users: LDAP-compatible directory (such as OpenLDAP) Microsoft Active Directory Local embedded database Option 1: LDAP authentication If your company provides you with LDAP directory for user management, you will need to know its access information and an automated account which has read-only rights to do use look-ups. Your admin should provide you most of this information but we do provide a detailed overview over each field in case you need some extra help: Field Details Use StartTLS Your LDAP server can be configured to use either TLS/STARTTLS or PLAIN sockets, if STARTTLS is used you should mark this as true Server Address The address of your server with respect to the JAMS server, your LDAP does not need to be publicly accessible but should be accessible to JAMS. You should have either ldap:// or ldaps:// preceding the address. Port The port on which the LDAP server is listening for requests (usually 389 for PLAIN/STARTTLS and 636 for SSL/TLS) Administrator Username This is NOT the LDAP's administration account credentials, but the credentials of the account which has Read permissions to the LDAP database in order to lookup users. The format is generally cn=bot,ou=robots,dc=domain,dc=org Password The password used by the account above. 
BaseDN The base realm where the users accounts are located, in most cases it is ou=users,dc=company,dc=org Option 2: Microsoft Active Directory If your company provides you with Active Directory for user management, you will need to know its access information and an automated account which has read-only rights to do use look-ups. Your admin should provide you most of this information but we do provide a detailed overview over each field in case you need some extra help: Field Details Port The port on which Active Directory is listening (generally it is either 389 or 636) Host The address of your server with respect to the JAMS server, your Active Directory does not need to be publicly accessible but should be accessible to JAMS. Administrator Username This is NOT the Active Directory's administration account credentials, but the credentials of the account which has Read permissions to the Active Directory database in order to lookup users. The format is generally cn=bot,ou=robots,dc=domain,dc=net Password The password used by the account above. Use SSL Whenever this server uses SSL for data transmission Domain Name This is the legacy-formatted Windows Domain Name (i.e. WINDOMAIN ) Option 3: local embedded database The local database does not require any additional configuration, everything in the process is automated. This option allows you to create Jami users on the fly directly from the JAMS interface. Advanced settings: by default, the option \"Use public nameserver\" is disabled. Usernames of your Jami users will not be stored on the public Jami nameserver and your users will only be able to communicate with users from your organization. If you want your users to be searchable by external users and allow them to communicate with any Jami users, and not only the one from your organization, enable this option. Step 4: setup the server parameters Parameter Details CORS Domain Name The domain on which the JAMS client and administration UI will be running. 
Certificate Revocation List Lifetime The frequency at which the CRL is updated in memory Device Lifetime How long a device's certificate is valid before being considered stale and requiring re-enrollment User Account Lifetime How long a user account is valid before being considered stale and requiring re-enrollment Important The CORS Domain Name corresponds to the web address used to access the Web UI. By default, it is set to the same URL as the one where you deploy JAMS. Only set a different URL if the Web UI has a different URL to the one where JAMS is deployed. Click on \"Set Server Parameters\" to finalize the configuration. You will be redirected to the JAMS interface. If you have configured JAMS with your LDAP or Active Directory, the list of users should of your organization should be visible in JAMS. If you have selected the local embedded database, you can now start creating new users by clicking on \"Create User\".","title":"Home"},{"location":"#getting-started","text":"JAMS is a server application used to enroll Jami clients into an Enterprise context. Currently, JAMS supports 3 sources for user authentication: LDAP, Active Directory and an embedded database.","title":"Getting Started"},{"location":"#obtaining-jams","text":"The latest version of JAMS can be downloaded at: https://jami.biz/ The source code is available at https://git.jami.net/savoirfairelinux/jami-jams","title":"Obtaining JAMS"},{"location":"#system-requirements","text":"Windows, Linux or Mac OS operating system Java 11 or higher 4 GB RAM 1 CPU","title":"System Requirements"},{"location":"#jams-concepts","text":"JAMS was built with security in mind, therefore it is intimately related to the X509 certificate management workflows. The central concepts which are used in JAMS are the Certification Authority (CA) and the Certificate Signing Requests (CSR). 
In the JAMS paradigm, a device (Jami client) requests a certificate to the server then presents it to other devices to be recognized as a valid member of the organization. Therefore, JAMS must be provided with a certificate authority in order to work properly. In order to be completely secure, JAMS does not generate certificates for devices, but instead issues certificates based on a certificate signing request sent to it by the device, therefore removing the need to send a private key over the wire. The diagram below shows the entire process of how a device enrolls with JAMS: \u200b","title":"JAMS Concepts"},{"location":"#getting-started_1","text":"Download the latest version of JAMS from: https://jami.biz/ Unpack the .tar file to a directory of your choice. It is mandatory to run JAMS using a secure SSL connection. You must have a domain name in order to request a key and a certificate. Once you have purchased you domain name and pointed it to you server you can proceed to the next step. You can purchase a pair of key certificate from any online provider such as GoDaddy, OVH, HostGator , etc. We recommend getting a free pair using Let's encrypt. In order to generate a pair of key certificate you can use Certbot using instructions in the following page https://certbot.eff.org/. You can choose the web server software and operating system to get specific instructions. Here is an example for an Nginx web server on Ubuntu 20.04: https://certbot.eff.org/lets-encrypt/ubuntufocal-nginx Install Certbot using snap: sudo snap install --classic certbot Ensure that the cerbot command can be run: sudo ln -s /snap/bin/certbot /usr/bin/certbot In order to get a certificate execute: sudo certbot certonly and follow instructions. The Certificate and Key are generated in a specific folder, please see the output from Certbot to locate them. We need to copy them in the current folder where our jams-launcher.jar file is located. 
Current limitation: JAMS does not support reading encrypted private keys which require a password unlock. Navigate to the directory where you have extracted the JAMS package and execute the following command: java -jar jams-launcher.jar PORT SSL_CERTIFICATE SSL_CERTIFICATE_KEY Argument Details PORT The TCP port on which you want JAMS to listen for incoming connections SSL_CERTIFICATE The location of the PEM-formatted SSL Certificate file SSL_CERTIFICATE_KEY The location of the PEM-formatted key file which is used with the SSL Certificate file from above An example of the command would be: java -jar jams-launcher 443 server.pem server.key Please note that any port above 1024 can be safely used to run JAMS.","title":"Getting Started"},{"location":"#step-1-create-your-administrator-account","text":"This account will have administrative control and the rights to manage your users and group of Jami users.","title":"Step 1: create your administrator account"},{"location":"#step-2-setup-the-certification-authority","text":"The second step is to define your Certification Authority. Important: a CA is not a server-side ssl certificate, it is a certificate which has the power to issue other certificates. Do not use the import option unless your company's security officer has issued you a CA certificate. Most commercially available certificates (i.e. those issued by GoDaddy, Let\u2019s Encrypt, etc\u2026) are not CA certificates. If you are an end-user we highly recommend you use to create a self-signed CA option as providing an incorrect certificate type will lead to a non-functional server. This certificate will be used to sign the enrollment requests which come from Jami devices. 
If you are not familiar with the X509 standard, we highly recommend you read the following articles to get familiar with the processes and practices which surround it: https://www.securew2.com/blog/public-key-infrastructure-explained/ https://cheapsslsecurity.com/blog/understanding-the-role-of-certificate-authorities-in-pki/","title":"Step 2: setup the Certification Authority"},{"location":"#step-3-setup-the-user-database","text":"JAMS supports 3 different sources for the authentication of users: LDAP-compatible directory (such as OpenLDAP) Microsoft Active Directory Local embedded database","title":"Step 3: setup the user database"},{"location":"#option-1-ldap-authentication","text":"If your company provides you with LDAP directory for user management, you will need to know its access information and an automated account which has read-only rights to do use look-ups. Your admin should provide you most of this information but we do provide a detailed overview over each field in case you need some extra help: Field Details Use StartTLS Your LDAP server can be configured to use either TLS/STARTTLS or PLAIN sockets, if STARTTLS is used you should mark this as true Server Address The address of your server with respect to the JAMS server, your LDAP does not need to be publicly accessible but should be accessible to JAMS. You should have either ldap:// or ldaps:// preceding the address. Port The port on which the LDAP server is listening for requests (usually 389 for PLAIN/STARTTLS and 636 for SSL/TLS) Administrator Username This is NOT the LDAP's administration account credentials, but the credentials of the account which has Read permissions to the LDAP database in order to lookup users. The format is generally cn=bot,ou=robots,dc=domain,dc=org Password The password used by the account above. 
BaseDN The base realm where the users accounts are located, in most cases it is ou=users,dc=company,dc=org","title":"Option 1: LDAP authentication"},{"location":"#option-2-microsoft-active-directory","text":"If your company provides you with Active Directory for user management, you will need to know its access information and an automated account which has read-only rights to do use look-ups. Your admin should provide you most of this information but we do provide a detailed overview over each field in case you need some extra help: Field Details Port The port on which Active Directory is listening (generally it is either 389 or 636) Host The address of your server with respect to the JAMS server, your Active Directory does not need to be publicly accessible but should be accessible to JAMS. Administrator Username This is NOT the Active Directory's administration account credentials, but the credentials of the account which has Read permissions to the Active Directory database in order to lookup users. The format is generally cn=bot,ou=robots,dc=domain,dc=net Password The password used by the account above. Use SSL Whenever this server uses SSL for data transmission Domain Name This is the legacy-formatted Windows Domain Name (i.e. WINDOMAIN )","title":"Option 2: Microsoft Active Directory"},{"location":"#option-3-local-embedded-database","text":"The local database does not require any additional configuration, everything in the process is automated. This option allows you to create Jami users on the fly directly from the JAMS interface. Advanced settings: by default, the option \"Use public nameserver\" is disabled. Usernames of your Jami users will not be stored on the public Jami nameserver and your users will only be able to communicate with users from your organization. 
If you want your users to be searchable by external users and allow them to communicate with any Jami users, and not only the one from your organization, enable this option.","title":"Option 3: local embedded database"},{"location":"#step-4-setup-the-server-parameters","text":"Parameter Details CORS Domain Name The domain on which the JAMS client and administration UI will be running. Certificate Revocation List Lifetime The frequency at which the CRL is updated in memory Device Lifetime How long a device's certificate is valid before being considered stale and requiring re-enrollment User Account Lifetime How long a user account is valid before being considered stale and requiring re-enrollment Important The CORS Domain Name corresponds to the web address used to access the Web UI. By default, it is set to the same URL as the one where you deploy JAMS. Only set a different URL if the Web UI has a different URL to the one where JAMS is deployed. Click on \"Set Server Parameters\" to finalize the configuration. You will be redirected to the JAMS interface. If you have configured JAMS with your LDAP or Active Directory, the list of users should of your organization should be visible in JAMS. If you have selected the local embedded database, you can now start creating new users by clicking on \"Create User\".","title":"Step 4: setup the server parameters"},{"location":"admin/","text":"img{ height:400px; } Admin Guide By default JAMS runs an embedded tomcat server visible on port 8080, however this is not practical for many reasons. This guide is designed to help you setup Jams to run in a production environment. JAMS & Nginx It is generally not recommended to expose JAMS directly to the outside world and while it is required to run JAMS in SSL mode, we usually recommend users to place it behind Nginx or a similar web server which proxies requests between the outside world and Jams. 
The following is an example map of how you could configure JAMS behind Nginx (the process would be similar if you wanted to use any other type of proxy solution): The IP 10.10.0.1 is random, and should be seen as an example. Typically you would add a new site called jams-site.conf to your nginx configurations which would contain the following entries if you wanted to place an SSL certificate at the Nginx level: server { listen 443 ssl; listen [::]:443 ssl; ssl on; ssl_certificate /etc/certificates/mycertificate.pem ssl_certificate_key /etc/certificates/mycertificatekey.pem client_max_body_size 100M; server_name jams.mycompany.com; location / { proxy_pass http://10.10.0.1:8080/; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $http_host; } } This is the preferred setup method by most admins, as local traffic is usually run unencrypted since it is usually either inter-VM connection, a VLAN or another dedicated link. Troubleshooting and resetting If you ever need to restart from 0 (i.e. reset everything and drop existing data) you can do so by deleting the following files in the distribution folder ( /jams): The internal jams folder: /jams/jams derby.log oauth.key oauth.pub config.json This will reset the server to its original state and you will be able to run the configuration wizard again. Before performing this operation, please make sure to shutdown the server. Running JAMS as Windows Service Download and install JAMS Visit https://jami.biz/ and download JAMS. Extract JAMS to c:\\jams Download and install JDK 11 Download JDK 11 from https://www.oracle.com/java/technologies/javase-jdk11-downloads.html (choose the corresponding architecture of your VM) Install it using the install wizard. 
Download openssl to generate a key and a certificate Download OpenSSL from https://kb.firedaemon.com/support/solutions/articles/4000121705 (or choose another source https://wiki.openssl.org/index.php/Binaries) Once downloaded extract it to c:\\openssl then create a folder bin inside c:\\openssl\\bin Create a new file inside bin named openssl.cnf (make sure that the file extension is .cnd and not .cnd.txt) and copy past the following default configuration http://www.flatmtn.com/article/setting-openssl-create-certificates.html # # OpenSSL configuration file. # # Establish working directory. dir = . [ ca ] default_ca = CA_default [ CA_default ] serial = $dir/serial database = $dir/certindex.txt new_certs_dir = $dir/certs certificate = $dir/cacert.pem private_key = $dir/private/cakey.pem default_days = 365 default_md = md5 preserve = no email_in_dn = no nameopt = default_ca certopt = default_ca policy = policy_match [ policy_match ] countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional [ req ] default_bits = 1024 # Size of keys default_keyfile = key.pem # name of generated keys default_md = md5 # message digest algorithm string_mask = nombstr # permitted characters distinguished_name = req_distinguished_name req_extensions = v3_req [ req_distinguished_name ] # Variable name Prompt string #------------------------- ---------------------------------- 0.organizationName = Organization Name (company) organizationalUnitName = Organizational Unit Name (department, division) emailAddress = Email Address emailAddress_max = 40 localityName = Locality Name (city, district) stateOrProvinceName = State or Province Name (full name) countryName = Country Name (2 letter code) countryName_min = 2 countryName_max = 2 commonName = Common Name (hostname, IP, or your name) commonName_max = 64 # Default values for the above, for consistency and less typing. 
# Variable name Value ------------------------ ------------------------------ 0.organizationName_default = My Company localityName_default = My Town stateOrProvinceName_default = State or Providence countryName_default = US [ v3_ca ] basicConstraints = CA:TRUE subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer:always [ v3_req ] basicConstraints = CA:FALSE subjectKeyIdentifier = hash Add OpenSSL to System Environment variables Go to Edit the system environment variables -> Environment Variables, then in System variables edit Path and add c:\\openssl\\ Configure OpenSSL Execute the following command to set the path to OpenSSL configuration. set OPENSSL_CONF=c:\\openssl\\bin\\openssl.cnf Open the command prompt and cd c:\\jams ans generate the Key and Certificate: openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout server.key -out server.pem Follow the wizard. Once the key and certificate are generated execute the dir command you should see an output like this: c:\\jams>dir Volume in drive C has no label. Volume Serial Number is BC94-9EF2 Directory of c:\\jams 2020-11-10 12:38 PM . 2020-11-10 12:38 PM .. 2020-10-22 10:56 AM 5,186,016 jams-launcher.jar 2020-10-22 10:56 AM 33,413,882 jams-server.jar 2020-11-10 11:53 AM libs 2020-11-10 12:34 PM 1,732 server.key 2020-11-10 12:38 PM 1,336 server.pem 2020-10-22 04:05 PM 2,047,932 userguide.pdf 5 File(s) 40,650,898 bytes 3 Dir(s) 93,365,936,128 bytes free Now execute the following command tot start JAMS java -jar jams-launcher.jar PORT_NUMBER (eg. 8443 or 443) server.pem server.key Open a navigator on the server and visite https://localhost:443 or https://localhost:8443 to validate that it's working. Type CTRL + C to close the application Expose your localhost to the internet Click on Windows ans search for Windows Defender Firewall with Advanced Security. Right click on Inbound Rules and click on New Rule... Select Port click next and specify the port you want to use example 443 or 8443. 
Click next and select Allow the connection and click next. Leave all of Domain Private and Public select and click next. Name you Rule JAMS Inbound and click Finish Now right click on Outbound Rules and click on New Rule... Select Port click next and specify the port you want to use example 443 or 8443. Click next and select Allow the connection and click next. Leave all of Domain Private and Public select and click next. Name you Rule JAMS Outbound and click Finish. You are all set. You can now visit your application through the server domain name or IP address on port 443 or 8443. Create a JAMS Windows Service (Embed Tomcat Server Windows Service) to start JAMS with the server In order to create a JAMS Windows Service you can use the tool NSSM provided on http://nssm.cc/download https://github.com/kirillkovalenko/nssm Once downloaded open a command prompt and change directory to nssm-2.24\\win64 then execute: nssm.exe install JAMS A GUI interface will open. In the Path field specify the path to the Java executable example: \"C:\\Program Files\\Common Files\\Oracle\\Java\\javapath\\java.exe\". In the Startup directory put the \"C:\\jams\" installation folder path. In the last field Arguments add the following arguments: -classpath \"c:\\jams\" -jar jams-launcher.jar PORT_NUMBER server.pem server.key where PORT_NUMBER is the port number you want to use to serve the application example 443 or 8443 Now your JAMS application will start with the server. 
Source: https://medium.com/@lk.snatch/jar-file-as-windows-service-bonus-jar-to-exe-1b7b179053e4 Running JAMS as a Linux Service Running JAMS as a Linux Service is fairly straightforward with systemd - you simply created a service unit file with the following structure: [Unit] Description=JAMS Server [Service] Type=simple WorkingDirectory=[DIRECTORY WHERE JAMS WAS UNZIPPED] ExecStart=/usr/bin/java -jar [DIRECTORY WHERE JAMS WAS UNZIPPED]/jams-launcher.jar PORT SSL_CERTIFICATE SSL_CERTIFICATE_KEY [Install] WantedBy=multi-user.target The parameters PORT, SSL_CERTIFICATE and SSL_CERTIFICATE_KEY are optional (however, PORT can be used alone whereas the SSL_CERTIFICATE comes in pair with SSL_CERTIFICATE_KEY)","title":"Admin"},{"location":"admin/#admin-guide","text":"By default JAMS runs an embedded tomcat server visible on port 8080, however this is not practical for many reasons. This guide is designed to help you setup Jams to run in a production environment.","title":"Admin Guide"},{"location":"admin/#jams-nginx","text":"It is generally not recommended to expose JAMS directly to the outside world and while it is required to run JAMS in SSL mode, we usually recommend users to place it behind Nginx or a similar web server which proxies requests between the outside world and Jams. The following is an example map of how you could configure JAMS behind Nginx (the process would be similar if you wanted to use any other type of proxy solution): The IP 10.10.0.1 is random, and should be seen as an example. 
Typically you would add a new site called jams-site.conf to your nginx configurations which would contain the following entries if you wanted to place an SSL certificate at the Nginx level: server { listen 443 ssl; listen [::]:443 ssl; ssl on; ssl_certificate /etc/certificates/mycertificate.pem ssl_certificate_key /etc/certificates/mycertificatekey.pem client_max_body_size 100M; server_name jams.mycompany.com; location / { proxy_pass http://10.10.0.1:8080/; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $http_host; } } This is the preferred setup method by most admins, as local traffic is usually run unencrypted since it is usually either inter-VM connection, a VLAN or another dedicated link.","title":"JAMS & Nginx"},{"location":"admin/#troubleshooting-and-resetting","text":"If you ever need to restart from 0 (i.e. reset everything and drop existing data) you can do so by deleting the following files in the distribution folder ( /jams): The internal jams folder: /jams/jams derby.log oauth.key oauth.pub config.json This will reset the server to its original state and you will be able to run the configuration wizard again. Before performing this operation, please make sure to shutdown the server.","title":"Troubleshooting and resetting"},{"location":"admin/#running-jams-as-windows-service","text":"","title":"Running JAMS as Windows Service"},{"location":"admin/#download-and-install-jams","text":"Visit https://jami.biz/ and download JAMS. 
Extract JAMS to c:\\jams","title":"Download and install JAMS"},{"location":"admin/#download-and-install-jdk-11","text":"Download JDK 11 from https://www.oracle.com/java/technologies/javase-jdk11-downloads.html (choose the corresponding architecture of your VM) Install it using the install wizard.","title":"Download and install JDK 11"},{"location":"admin/#download-openssl-to-generate-a-key-and-a-certificate","text":"Download OpenSSL from https://kb.firedaemon.com/support/solutions/articles/4000121705 (or choose another source https://wiki.openssl.org/index.php/Binaries) Once downloaded extract it to c:\\openssl then create a folder bin inside c:\\openssl\\bin Create a new file inside bin named openssl.cnf (make sure that the file extension is .cnd and not .cnd.txt) and copy past the following default configuration http://www.flatmtn.com/article/setting-openssl-create-certificates.html # # OpenSSL configuration file. # # Establish working directory. dir = . [ ca ] default_ca = CA_default [ CA_default ] serial = $dir/serial database = $dir/certindex.txt new_certs_dir = $dir/certs certificate = $dir/cacert.pem private_key = $dir/private/cakey.pem default_days = 365 default_md = md5 preserve = no email_in_dn = no nameopt = default_ca certopt = default_ca policy = policy_match [ policy_match ] countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional [ req ] default_bits = 1024 # Size of keys default_keyfile = key.pem # name of generated keys default_md = md5 # message digest algorithm string_mask = nombstr # permitted characters distinguished_name = req_distinguished_name req_extensions = v3_req [ req_distinguished_name ] # Variable name Prompt string #------------------------- ---------------------------------- 0.organizationName = Organization Name (company) organizationalUnitName = Organizational Unit Name (department, division) emailAddress = Email Address 
emailAddress_max = 40 localityName = Locality Name (city, district) stateOrProvinceName = State or Province Name (full name) countryName = Country Name (2 letter code) countryName_min = 2 countryName_max = 2 commonName = Common Name (hostname, IP, or your name) commonName_max = 64 # Default values for the above, for consistency and less typing. # Variable name Value ------------------------ ------------------------------ 0.organizationName_default = My Company localityName_default = My Town stateOrProvinceName_default = State or Providence countryName_default = US [ v3_ca ] basicConstraints = CA:TRUE subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer:always [ v3_req ] basicConstraints = CA:FALSE subjectKeyIdentifier = hash","title":"Download openssl to generate a key and a certificate"},{"location":"admin/#add-openssl-to-system-environment-variables","text":"Go to Edit the system environment variables -> Environment Variables, then in System variables edit Path and add c:\\openssl\\","title":"Add OpenSSL to System Environment variables"},{"location":"admin/#configure-openssl","text":"Execute the following command to set the path to OpenSSL configuration. set OPENSSL_CONF=c:\\openssl\\bin\\openssl.cnf Open the command prompt and cd c:\\jams ans generate the Key and Certificate: openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout server.key -out server.pem Follow the wizard. Once the key and certificate are generated execute the dir command you should see an output like this: c:\\jams>dir Volume in drive C has no label. Volume Serial Number is BC94-9EF2 Directory of c:\\jams 2020-11-10 12:38 PM . 2020-11-10 12:38 PM .. 
2020-10-22 10:56 AM 5,186,016 jams-launcher.jar 2020-10-22 10:56 AM 33,413,882 jams-server.jar 2020-11-10 11:53 AM libs 2020-11-10 12:34 PM 1,732 server.key 2020-11-10 12:38 PM 1,336 server.pem 2020-10-22 04:05 PM 2,047,932 userguide.pdf 5 File(s) 40,650,898 bytes 3 Dir(s) 93,365,936,128 bytes free Now execute the following command tot start JAMS java -jar jams-launcher.jar PORT_NUMBER (eg. 8443 or 443) server.pem server.key Open a navigator on the server and visite https://localhost:443 or https://localhost:8443 to validate that it's working. Type CTRL + C to close the application","title":"Configure OpenSSL"},{"location":"admin/#expose-your-localhost-to-the-internet","text":"Click on Windows ans search for Windows Defender Firewall with Advanced Security. Right click on Inbound Rules and click on New Rule... Select Port click next and specify the port you want to use example 443 or 8443. Click next and select Allow the connection and click next. Leave all of Domain Private and Public select and click next. Name you Rule JAMS Inbound and click Finish Now right click on Outbound Rules and click on New Rule... Select Port click next and specify the port you want to use example 443 or 8443. Click next and select Allow the connection and click next. Leave all of Domain Private and Public select and click next. Name you Rule JAMS Outbound and click Finish. You are all set. You can now visit your application through the server domain name or IP address on port 443 or 8443.","title":"Expose your localhost to the internet"},{"location":"admin/#create-a-jams-windows-service-embed-tomcat-server-windows-service-to-start-jams-with-the-server","text":"In order to create a JAMS Windows Service you can use the tool NSSM provided on http://nssm.cc/download https://github.com/kirillkovalenko/nssm Once downloaded open a command prompt and change directory to nssm-2.24\\win64 then execute: nssm.exe install JAMS A GUI interface will open. 
In the Path field specify the path to the Java executable example: \"C:\\Program Files\\Common Files\\Oracle\\Java\\javapath\\java.exe\". In the Startup directory put the \"C:\\jams\" installation folder path. In the last field Arguments add the following arguments: -classpath \"c:\\jams\" -jar jams-launcher.jar PORT_NUMBER server.pem server.key where PORT_NUMBER is the port number you want to use to serve the application example 443 or 8443 Now your JAMS application will start with the server. Source: https://medium.com/@lk.snatch/jar-file-as-windows-service-bonus-jar-to-exe-1b7b179053e4","title":"Create a JAMS Windows Service (Embed Tomcat Server Windows Service) to start JAMS with the server"},{"location":"admin/#running-jams-as-a-linux-service","text":"Running JAMS as a Linux Service is fairly straightforward with systemd - you simply created a service unit file with the following structure: [Unit] Description=JAMS Server [Service] Type=simple WorkingDirectory=[DIRECTORY WHERE JAMS WAS UNZIPPED] ExecStart=/usr/bin/java -jar [DIRECTORY WHERE JAMS WAS UNZIPPED]/jams-launcher.jar PORT SSL_CERTIFICATE SSL_CERTIFICATE_KEY [Install] WantedBy=multi-user.target The parameters PORT, SSL_CERTIFICATE and SSL_CERTIFICATE_KEY are optional (however, PORT can be used alone whereas the SSL_CERTIFICATE comes in pair with SSL_CERTIFICATE_KEY)","title":"Running JAMS as a Linux Service"},{"location":"clients/","text":"img{ height:400px; } Client Guide Depending on your operating system, we have included the tutorial on how to connect to the management server from the Windows, MacOS, Android and iOS clients. For the purposes of this tutorial, we assume that The server and the device trying to connect are either On the same network The server is publicly accessible to the outside world You have a valid username/password pair to connect to the server Connect from a Linux device Open Jami, go to the login page. 
Click on \"Advanced\": Select the option \"Connect to a JAMS server\" which will lead you to the following screen: The Jami Account Management Server URL in this case would be the DNS address of your server and the username and password which correspond to your account. If you have configured the server with an LDAP/AD backend, it would be your LDAP/AD username and password. Connect from a Windows device Open Jami, go to the login page. Click on \"Advanced\": Select the option \"Connect to a JAMS server\" which will lead you to the following screen: The Jami Account Management Server URL in this case would be the DNS address of your server and the username and password which correspond to your account. If you have configured the server with an LDAP/AD backend, it would be your LDAP/AD username and password. Connect from a macOS device Open Jami, go to the login page. Click on \"Advanced\": Select the option \"Connect to account manager\" which will lead you to the following screen: The Jami Account Management Server URL in this case would be the DNS address of your server and the username and password which correspond to your account. If you have configured the server with an LDAP/AD backend, it would be your LDAP/AD username and password. Connect from an Android device Open Jami, go to the login page. Select the option \"Connect to management server\" which will lead you to the following screen: The server in this case would be the DNS address of your server and the username and password which correspond to your account. If you have configured the server with an LDAP/AD backend, it would be your LDAP/AD username and password. Connect from an iOS device Open Jami, go to the login page. Select the option \"Connect to account manager\" which will lead you to the following screen: The server in this case would be the DNS address of your server and the username and password which correspond to your account. 
If you have configured the server with an LDAP/AD backend, it would be your LDAP/AD username and password.","title":"Clients"},{"location":"clients/#client-guide","text":"Depending on your operating system, we have included the tutorial on how to connect to the management server from the Windows, MacOS, Android and iOS clients. For the purposes of this tutorial, we assume that The server and the device trying to connect are either On the same network The server is publicly accessible to the outside world You have a valid username/password pair to connect to the server","title":"Client Guide"},{"location":"clients/#connect-from-a-linux-device","text":"Open Jami, go to the login page. Click on \"Advanced\": Select the option \"Connect to a JAMS server\" which will lead you to the following screen: The Jami Account Management Server URL in this case would be the DNS address of your server and the username and password which correspond to your account. If you have configured the server with an LDAP/AD backend, it would be your LDAP/AD username and password.","title":"Connect from a Linux device"},{"location":"clients/#connect-from-a-windows-device","text":"Open Jami, go to the login page. Click on \"Advanced\": Select the option \"Connect to a JAMS server\" which will lead you to the following screen: The Jami Account Management Server URL in this case would be the DNS address of your server and the username and password which correspond to your account. If you have configured the server with an LDAP/AD backend, it would be your LDAP/AD username and password.","title":"Connect from a Windows device"},{"location":"clients/#connect-from-a-macos-device","text":"Open Jami, go to the login page. Click on \"Advanced\": Select the option \"Connect to account manager\" which will lead you to the following screen: The Jami Account Management Server URL in this case would be the DNS address of your server and the username and password which correspond to your account. 
If you have configured the server with an LDAP/AD backend, it would be your LDAP/AD username and password.","title":"Connect from a macOS device"},{"location":"clients/#connect-from-an-android-device","text":"Open Jami, go to the login page. Select the option \"Connect to management server\" which will lead you to the following screen: The server in this case would be the DNS address of your server and the username and password which correspond to your account. If you have configured the server with an LDAP/AD backend, it would be your LDAP/AD username and password.","title":"Connect from an Android device"},{"location":"clients/#connect-from-an-ios-device","text":"Open Jami, go to the login page. Select the option \"Connect to account manager\" which will lead you to the following screen: The server in this case would be the DNS address of your server and the username and password which correspond to your account. If you have configured the server with an LDAP/AD backend, it would be your LDAP/AD username and password.","title":"Connect from an iOS device"}]} \ No newline at end of file diff --git a/userguide/site/sitemap.xml b/userguide/site/sitemap.xml index 1146ffe778ffa9fa5e16fc07d1ab48498dbd637c..ce9df379eed29a00ebe449383190d6845f3b0136 100644 --- a/userguide/site/sitemap.xml +++ b/userguide/site/sitemap.xml @@ -1,15 +1,15 @@ <?xml version="1.0" encoding="UTF-8"?> <urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9"><url> <loc>None</loc> - <lastmod>2021-02-18</lastmod> + <lastmod>2021-04-20</lastmod> <changefreq>daily</changefreq> </url><url> <loc>None</loc> - <lastmod>2021-02-18</lastmod> + <lastmod>2021-04-20</lastmod> <changefreq>daily</changefreq> </url><url> <loc>None</loc> - <lastmod>2021-02-18</lastmod> + <lastmod>2021-04-20</lastmod> <changefreq>daily</changefreq> </url> </urlset> \ No newline at end of file 
diff --git a/userguide/site/sitemap.xml.gz b/userguide/site/sitemap.xml.gz index 2f5db0e72d9f7e23977550a91370318ea2bc32d9..a1192e65bd6aafeb5c287b1ddfde412f321b5a41 100644 Binary files a/userguide/site/sitemap.xml.gz and b/userguide/site/sitemap.xml.gz differ diff --git a/userguide/src/mkpdfs-mkdocs-plugin b/userguide/src/mkpdfs-mkdocs-plugin index 655bea6fd66933876e5b93bca63f430935aa6b5b..07c2164ab829656f1e08c7eebf4fe683011e9fa2 160000 --- a/userguide/src/mkpdfs-mkdocs-plugin +++ b/userguide/src/mkpdfs-mkdocs-plugin @@ -1 +1 @@ -Subproject commit 655bea6fd66933876e5b93bca63f430935aa6b5b +Subproject commit 07c2164ab829656f1e08c7eebf4fe683011e9fa2
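Review bot: the openssl.cnf sample in the "Download openssl to generate a key and a certificate" text sets `default_md = md5` and `default_bits = 1024` under `[ req ]`, and `default_md = md5` again under `[ CA_default ]`. The documented `openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 ...` command overrides the key size but passes no digest option, so the self-signed certificate's signature digest is taken from that `default_md`. Suggest `default_md = sha256` and `default_bits = 2048` in the sample, or adding `-sha256` to the command. As this change is a spelling pass, note that the same passages still read "ans generate", "tot start", "visite", "copy past" and ".cnd" where ".cnf" is meant.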
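Review bot: in the nginx `server` block of the "JAMS & Nginx" text, `ssl_certificate /etc/certificates/mycertificate.pem` and `ssl_certificate_key /etc/certificates/mycertificatekey.pem` have no terminating semicolon, so a reader who pastes the block gets a configuration that nginx refuses to load. Add the two semicolons, and drop `ssl on;`, which is redundant next to `listen 443 ssl;` and is no longer accepted by current nginx releases.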
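Review bot: every `<loc>` in the sitemap.xml hunk is `None`, so the three entries whose `<lastmod>` moves to 2021-04-20 still point at no URL. Set the site URL in the docs build configuration so that real locations are emitted, or stop committing the generated sitemap (and the binary sitemap.xml.gz next to it), since the only thing that changes here is the build date.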
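Review bot: the `userguide/src/mkpdfs-mkdocs-plugin` subproject pointer moves from 655bea6fd66933876e5b93bca63f430935aa6b5b to 07c2164ab829656f1e08c7eebf4fe683011e9fa2 with nothing in the visible change saying what the new plugin commit brings. Please state the reason for the bump in the commit message, or split it into its own change, so that the build-time dependency update is reviewed separately from the spelling fixes.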