What’s new in FileMaker Server 19.6?

A lot of attention in the FileMaker 19.6 release will undoubtedly go to the Transactions feature. However, there are some important changes to FileMaker Server as well, and we want to highlight these here for you.



Linux

There are two noteworthy changes that are relevant only to the Linux version of FileMaker Server.

only Ubuntu 20.04 LTS

With FileMaker Server 19.5, you could pick either Ubuntu 18.04 LTS or 20.04 LTS; now, you need to use Ubuntu 20.04.  If you are upgrading your server from 19.5 to 19.6, we suggest that you install Ubuntu 20 fresh instead of upgrading the OS from 18 to 20.

Ubuntu 20 LTS (Long Term Support) will be supported through 2030 with security patches and until 2025 with active updates:

Gantt chart showing the Ubuntu 20 LTS (Long Term Support) timeline
Ubuntu 20 LTS and active updates timeline

XML API

The XML API is now available in the Linux version of FileMaker Server. That brings the Linux version closer to feature parity with its macOS and Windows siblings.

Bringing back the XML API is a surprise move, and it is unknown at this point what effect this has on the Data API allotment.

There is no setting on the Admin Console to enable the XML API; you have to make an Admin API call or enable/disable it from the Admin CLI.  The XML API is off by default.

In FIleMaker Server 19.6, the Admin Console does not have a setting to enable the XML API
The Admin Console does not have a setting to enable the XML API

To enable:

In FileMaker Server 19.6, enable XML API by making an Admin API call
Enable the XML API by making an Admin API call
In FileMaker Server 19.6 the XML API is off by default in the Admin CLI
By default, the XML API is off in the Admin CLI

To enable:

Enable the XML API in the Admin CLI in FileMaker Server 19.6
Enabling the XML API in the Admin CLI

There are some other Linux-specific feature changes in the other sections below.

An Old Feature Brought Back: Administrator Groups

And speaking of old features: in prior versions of FileMaker Server up to and including version 16, you could specify groups of sub-administrators and assign them certain privileges on files hosted from a particular folder on your server.  FileMaker Server 19.6 brings this feature back so you can give groups of people control over files, segregated by folder, without having to give out the master password of your FileMaker Server or adding them to a single External Authentication group that gives them access to everything.

In FileMake Server 19.6, Administrator Groups allow groups of people control over files, segrated by folder
Administrator Groups allow groups of people control over files, segregated by folder
In FileMaker Server 19.6, add people to a single External Authentication group that gives them access to everything
Add people to a single External Authentication group that gives them access to everything

There are some caveats:

  1. These groups only have rights to the Admin Console. Their privilege does not extend to the Admin CLI or the Admin API.
  2. If your server is on Ubuntu, then you cannot use local accounts and local groups that exist in the OS of the server.  While this works for macOS and Windows, it does not for Linux.  This limitation is not just for sub-admin groups but for external authentication as a whole.
  3. When you let a group view the logs, they will see the full logs, not just log entries related to the files in their folder.

Key-pair-based Login to the Admin API

Along the same lines of providing access to a FileMaker Server without giving away the master password or adding someone to your external authentication group that provides full access, you can now use private/public key pairs to grant access and restrict the validity of that access to the Admin API.

This type of access is extremely well suited for any type of automation; however, it cannot be used for logging into the Admin Console or for taking actions through the Admin Command Line Interface.

In FileMaker Server 19.6, you can use private/public key pairs to grant access and restrict the validity of that access to the Admin API
Now you can use private/public key pairs to grant access and restrict the validity of that access to the Admin API

This works as follows:

  • One-time setup: You generate a key pair: a private key and a public key as well as a JSON Web Token (JWT) that is signed with the private key. That JWT contains the name you will use for this keypair and contains the number of days for which this token is valid.
  • You upload the public key to your FileMaker Server and specify the exact name that you used to name your JWT (the name that is also embedded in that JWT).
Using FileMaker Admin API Public Keys to upload the public key
Uploading the public key to your FileMaker Server
  • You hold on to the private key. It serves no further purpose except perhaps to regenerate the JWT if needed
  • When you make the initial login call to the Admin API, you will use the JWT token in the Authorization header, prefixed with “PKI.“ The JWT is basically just a long string of characters.
In FileMaker 19.6, use the JWT token in the Authorization header prefixed with 'PKI'
Use the JWT token in the Authorizen header, prefixed with ‘PKI’

How to Generate Those Keys and the JWT Token?

Your FileMaker Server has a new folder named Tools that has two Python example scripts (to generate the set of public and private keys) and one JWT token file.

FileMaker Server 19.6 has a new folder named Tools
New ‘Tools’ folder in FileMaker Server 19.6
In FileMaker Server 19.6, the new 'Tools' folder includes two Python example scripts
Two Python example scripts are included in the new ‘Tools’ folder

Python is not installed by default on your Windows or Linux server and I do not recommend installing Python on your server to run this code. Rather I suggest copying these python files over to a machine that has Python or where you can install Python.

You only need fmadminapi_pki_token_example.py. The other python file (fmadminapi_pki_request_example.py) is just to show how you can use the JWT token to log into the Admin API. Instead of that python file, you can use Postman or Insomnia, as shown above, to accomplish this more easily.

Since generating key pairs and JWT tokens is fairly standard, at Soliant, we have created the same logic in JavaScript using a simple NodeJS microservice that you can download from GitHub.

Admin API Changes

Besides the new method for logging into the Admin API with the PKI prefix and the JWT token, the Admin API has also been updated to list, add, change and remove key pairs.

Adding a new key requires you to send the name of the JWT token (remember that the name is embedded in the JWT token that you’ll use to log into the Admin API and it has to match exactly), and the public key part of the pair:

In FileMaker Server 19.6, you are required to send the name of the JWT token to add a new key
Send the name of the JWT token when adding a new key

Note that when sending the public key through the Admin API, you need to remove all line breaks.

For some reason, FileMaker Server does not like the public key in its original format with line endings every 65 characters.

Sign in with Apple in Claris FileMaker 19.6

Still on the topic of authentication, FileMaker Server has a new addition to its list of pre-canned external identity providers: Sign in with Apple (SIWA).

In FileMaker Server 19.6, Sign-in with Apple has been added to the pre-canned list of external identity providers
Sign in with Apple has been added to the pre-canned list of external identity providers
Databse Sign In showing Apple enabled
Sign in with Apple enabled for Database Sign In

The ability to use your Apple ID to log into your FileMaker solution is not new.  In fact, over two years ago, Steven Blackwell and I authored a white paper that shows how to do this.  After all, it is just another OpenID Connect/OAuth authentication flow.

The main difference is that this version allows for Apple’s Hide My Email.  Well, at least to some extent as the user will still have to generate a random email ahead of time. That email needs to be added as an account to the FileMaker file before the user can log in using SIWA.  This user experience is different than most other places where Hide My Email can be chosen as part of the login process.

More about this in a separate blog post.

Three caveats:

  1. As with most external identity providers, the client secret (think: password) that allows interaction with the identity provider has an expiry date. With SIWA, that is a maximum of 180 days, after which you will need to generate a new client secret and update your FileMaker Server configuration.
  2. This feature requires you to enable the SMTP settings on FileMaker Server since Server has to email the user. If you cannot do that or have no desire to do so, you can still use the approach that Steven Blackwell and I outlined by adding Apple as a custom OAuth provider.
  3. Apple IDs are individual accounts; there is unfortunately no group-based login possible using SIWA. In that sense, it is the same as adding individual Google or Amazon accounts to your FileMaker solution and it is less desirable than group-based access.

Read-only Admin Console While Database Server is Stopped

Up to FileMaker Server 19.5, when you stop the Database server, the Admin Console stops displaying altogether in the web browser.

Admin Console up to FileMaker Server 19.5 stops displaying if the Database Server is stopped
Admin Console stops displaying if the Database Server is stopped when using FileMaker Server up to 19.5

All you see is this:

Message shown when the database server is stopped when using FileMaker Server up to 19.5
Message shown when the Database server is stopped and using FileMaker Server up to 19.5

In 19.6, the Admin Console remains visible so that you can navigate around and check your settings.

In FileMaker Server 19.6, the Admin Console remains visible when the Database Server is not running
Admin Console remains visible

Note that you cannot change any settings when the Database Server is stopped.

If you are like us and find yourself needing to check a particular setting right after you stop the database server, you will quickly come to love this feature.

Facilitating Go-lives and Deployments in Claris FileMaker 19.6

FileMaker Server 19.6 now bundles the matching version of the Data Migration Tool.  With that, you always have a place to grab it without having to scour the Claris website.  This bundling allows you to more easily automate your deployment tasks that involve moving data between different versions of your solution files.  You will find the DMT in the Database Server folder (or the /bin subfolder on macOS and Ubuntu).

In FileMaker Server 19.6 it now bundles the matching version of the Data Migration Tool
FileMaker Server 19.6 bundles the Matching version of the Data Migration Tool

Another feature that makes automating data migrations easier is the new –cloneonly (or -e for short) option to the fmsadmin backup command, and a matching option in the Admin Console itself when you create or edit a backup schedule:

Clone Only option added for 'Additional Settings' for Backup Schedules
‘Clone Only’ option added to the ‘Additional Settings’ for Backup Schedules

Previously, to generate a clone of your files, you had to run an full backup with the clone option enabled. If your solution was big, that then took a lot of time and potentially a lot of disk space just to produce clones.

Now you skip the backup part and have FileMaker Server just directly produce the clones. If you run the command in its simplest form:

fmsadmin backup --cloneonly

Then your clones will be in a new ClonesOnly folder directly in the Data folder:

Clones are located in a new ClonesOnly folder within the Data folder
New ‘ClonesOnly’ folder in the ‘Data’ folder

You can control the destination by using the existing destination -d or –dest option

Second Additional Database Folder

FileMaker Server 19.6 adds the ability to configure two additional database folders, each with their own remote container folder if needed.

In FIleMaker Server 19.6, you can now configure two additional database folders
Configure two additional database folders

Security

Restrict access to the Admin Console

Ever since the Admin Console started using port 443 for remote connections, there has been an increased demand for the ability to lock down access to the Admin Console.  This is primarily due to the fact that WebDirect and the Data and OData APIs use this same port 443.  If you want to use those but do not want anyone trying to and log into your Admin Console, you can now easily whitelist which IPs should have access to the Admin Console and the Admin API:

In FileMaker Server 19.6, whitelist which IPs have access to the Admin Console and Admin API
Whitelist which IPs have access to the Admin Console & Admin API

Anyone else will see this error message:

An error message will appear for IPs that are not whitelisted
Error message when for IPs not whitelisted

Note:

  • If you want to use multiple IP addresses, separate them with a comma
  • Localhost access on the server itself will always work, regardless of this setting. You do not need to add 127.0.0.1 to the allowed list.
  • You can also do this for older versions of FileMaker Server, but it requires you to modify the underlying config files. See the instructions in this Claris Engineering blog post.

The Admin API has also been updated to allow you to control these settings.

File-List-filtering as the New Default in Claris FileMaker 19.6

File-List-Filtering (FLF) is a feature that has been around for a long time. When you enable it, it will ask the user to authenticate first and only then show a filtered list of hosted files: those files to which this user has access (an active account in).

FLF is now toggled on by default in FileMaker Server 19.6.

In FIleMaker Server 19.6, File List Filtering is toggled on by default
File-List-Filtering is toggled on by default

And when you select the server from your list of Hosts, you will see a login prompt before you see any files:

In FileMaker Server 19.6, with FLF toggled on, a login prompt will appear before you can see any files
Login prompt appears before you can see any files

The Admin API also allows you to control this setting. Assisted Install file now contains the FLF setting (and enabled by default) so that you can control the setting at installation time:

In FileMaker Server 19.6, the FLF setting is contained in the Assisted Install file
FLF setting is contained in the Assisted Install file

The Admin API’s /databases endpoint also honors this setting.  When the filtering is enabled, you need to add credentials to the Admin API call to get data on any files.

OAuth Login Button and/or FileMaker credentials input

When you configure your FileMaker Server to support external authentication through an OAuth-compatible identity provider, then all files hosted on the server will show the identity provider’s login button – even if the file being accessed does not use any externally authenticated accounts.  This has been confusing, especially since the default behavior of a file is to hide the FileMaker credential input.

19.6 is now smart enough to always show those FileMaker credential input fields when the file does not use any externally authenticated accounts.

The table below shows the possible combinations of how your solution’s files are configured and how FileMaker Server is configured, when it comes to what is shown on the file’s login dialog.

With file options in the left-most column we are referring to this setting, which is toggled off by default in FileMaker versions up to and including 19.5.

'Show sign-in fields even when OAuth or AD FS is enabled' checkbox is off by default in File Options
File Options
What is shown on the login dialog? FileMaker Server HAS OAuth Configured FileMaker Server does NOT have OAuth Configured
File uses EA account and file options enabled to show FileMaker account fields Both FileMaker login fields and IdP button Only FileMaker login fields
File uses EA account and file options disabled to show FileMaker account fields Only IdP button Only FileMaker login fields
File does not use EA account and file options enabled to show FileMaker account fields Both FileMaker login fields and IdP button Only FileMaker login fields
File does not use EA account and file options disabled to show FileMaker account fields <= 19.5: Only IdP button
<=19.6: Both FileMaker login fields and IdP button
Only FileMaker login fields

The change in behavior is that FileMaker Pro and Server 19.6 override the default behavior as set in the FileMaker file and FileMaker Pro will show the FileMaker login fields if the file doesn’t have an externally authenticated account if file itself is configured to NOT show the FileMaker login fields.  This will avoid users getting confused by seeing only the Identity Provider’s login button but not being able to log into the file with it.

And related to this login experience, any new files created with 19.6 will now have the default option enabled that shows both the FileMaker account input fields and the identity provider’s button:

'Show sign-in fields even when OAuth or AD FS is enabled' checkbox is marked in FIle Options
‘Show sign-in fields even when OAuth or AD FS is enabled’ checkbox is marked

Data API No Longer Reveals the Version of FileMaker Server

The /productInfo endpoint is one that does not require authentication, and previous versions of FileMaker Server revealed what version of FileMaker Server was responding. This is information that can potentially be used to determine vulnerabilities.

The FileMaker Server version was revealed for the FileMaker Server responding in versions prior to 19.6
Previous versions of FileMaker Server revealed the version that was responding

In 19.6, the endpoint no longer returns this information:

In FileMaker Server 19.6 the endpoint no longer shows the version info for the FileMaker Server that is responding
FileMaker Server 19.6 the endpoint doesn’t show the version info for the FileMaker Server that is responding

HTTP Compression Disabled in Nginx

HTTP Compression can be a security risk and is therefore now disabled in Ubuntu’s Nginx web server.

Monitoring & Troubleshooting Improvements

We are big fans of all the logs that FileMaker Server keeps.  We think it is unfortunate that some of the important ones like the stats.log, topcallstats.log, and clientstats.log are not turned on by default. These logs contain invaluable data to monitor your solution and users and are indispensable when troubleshooting.

One nice addition to 19.6 is that you can now download all the enabled logs at once instead of having to select each log individually.  Downloading the logs includes both the current and any old logs.

In FileMaker Server 19.6 you can download all of the enabled logs at once
Download all the enabled logs at once

Performance Improvements in Claris FileMaker 19.6

This new version of FileMaker Server makes some tweaks to improve performance in a few specific areas:

  • Faster bitwise operations (NOT, AND, OR, XOR) by using hardware accelerator Streaming SIMD Extensions (SSE) for Intel processors and the ARM64 processors’ SIMD equivalent: Neon.  This is basically tapping into hardware capabilities that were unused before.  Some of this applies to internal FileMaker Server executions in addition to any bitwise operations we have in our solutions.
  • The Java Web Publishing Engine has better CSS caching
  • Parallel backups will now remember their backup sets after a server restart. This makes backups consistently faster since FileMaker Server can retain what it learns about what files are modified together.
  • If your solutions have the Guest account enabled, then you may find that Login performance is improved.
  • Viewing lists of records in WebDirect has been improved, both in performance and in user experience, to reduce UI flashing when other users manipulate records that are in your list view.
  • Also in WebDirect, more users can access the same records with fewer issues loading records or dialogs boxes.
  • If your company uses Nginx Plus for load balancing, then you can link that deployment with your Ubuntu FileMaker Server.  This is for WebDirect only and replaces FileMaker Server’s own native load balancer.

Miscellaneous Changes in Claris FileMaker 19.6

  1. If you are using WebDirect in a setup with multiple workers, you can now generate an SSL Certificate Signing Request (CSR) directly from the admin console of any worker machine.
  2. There are new Admin API endpoints for allowing Data API plugins and retrieving information about configured plugins for that scripting engine.
  3. The GET and FIND endpoints for the Data API have always returned dates in US format. In 19.6, you now have control over that by using the new dateformats option. When omitted or set to 0, it will behave like the Data API has always been: return dates in the US format. Use 1 to use the date format set in the file’s locale, or use 2 to return dates in the ISO8601 format (2022-11-03T14:23:10). This change will make it easier for node applications to interact with the Data API, since JavaScript serializes dates using ISO8601.
Date Format option has been added to FileMaker Server 19.6
New date format option added to FileMaker Server 19.6

Moving Forward in 19.6

There is a lot of updated and new functionality packed into FileMaker Server 19.6.  Our team is here to help answer any questions and support your implementation of new functionality. Contact us to get started.

About The Author

8 thoughts on “What’s new in FileMaker Server 19.6?”

  1. Hi Wim,
    thanks for this nice, clear overview.
    You have no idea how much time it saves me to find all important “new release” information clearly documented in 1 place.

  2. Wim,
    Quick clarification. In the Performace Improvements section above you say, “If your solutions have the Guest account enabled, then you may find that Login performance is improved.”

    Is there a security risk in enabling Guest?

    Tom

    1. Hi Tom,

      Yes – Allowing anonymous access into a solution is always a security concern; it’s why it is turned off by default so that it needs to become a deliberate and considered action.

  3. Hi Wim,

    thank you for the deep dive into the changes. As of today there is a new version (19.6.2) of FMS available. Do you still recommend to do a new install on Linux or is there a way to update. I’ve a hosted FMS 19.6.1 running with everything in place but promises of better speed for Webdirect let me look forward to an upgrade.

    best
    Holger

    1. Hi Holger,

      While FileMaker Server supports upgrade-in-place, from long habit and out of excess of caution I would do a full uninstall and reinstall. On Linux that’s completely scriptable, including migrating settings.

      Best regards,
      Wim

  4. Hi Wim
    caution always is smart 🙂 Btw. is there any documentation on migrating settings or at least location of the settings? On the Claris site I only found recommendations for a full install. That would mean deleting everything including SSL certs etc. While at this stage my install is only a testing environment this all the same would be a good exercise for a production setup.
    Thanks and best regards
    Holger

    1. You are right: not a lot of the settings and where they are stored is documented.
      We’re working on a blog post that will demonstrate how we do it and that includes the various locations where we read the settings from.

Leave a Comment

Your email address will not be published. Required fields are marked *