Cannot get OpenRMF interface to come up

[superken4169]

I've installed a standalone instance of OpenRMF on an Ubuntu 19 server VM. Followed the instructions on Installing Docker, KeyCloak, MongoDB, OpenRMF and OpenRMF realm within Keycloak. When I try to get to the web interface (http://openrmf_IP:8080), the interface comes up then immediately redirects to http://openrmf_IP::9001/auth/realms/openrmf/protocol/openid-connect/auth?client_id=openrmf&redirect_uri=http. OpenRMF and Keycloak are on the same VM. The share the IP but none of the same ports. I set the bind offset in Keycloak to 100 so that the Keycloak port is 8180 instead of 8080. I have no idea what I'm doing wrong. Please help

Installation Instruction sources: https://nspeaks.com/install-docker-on-ubuntu-19-10/ https://computingforgeeks.com/how-to-install-latest-docker-compose-on-linux/ installed version 8 instead of version 6

https://medium.com/@hasnat.saeed/setup-keycloak-server-on-ubuntu-18-04-ed8c7c79a2d9

https://github.com/Cingulara/openrmf-docs

https://github.com/Cingulara/openrmf-docs/blob/master/keycloak.md

[Cingulara]

If you pulled down the latest release zip file, there is a .env file where you run the docker-compose start.sh file. It is this file here: https://raw.githubusercontent.com/Cingulara/openrmf-docs/master/scripts/.env

Make sure that is pointing to your correct name/ip for Keycloak. That ENV is used in the APIs to authenticate correctly the JWT. Check that first and let me know.

You will want to run ./stop.sh, then edit that .env file with VI or NANO, then ./start.sh and log back in. Kill your browser cache. And you can log into the :9001 keycloak, go to the openrmf realm, then find your user and remove any active sessions as well just to make sure it forces you to log in again.

[Cingulara]

also, I believe for docker-compose the web interface is going to use 8080 by default. In Kubernetes, I do a config mapping to make the api.js point to a specific URL and port. If you want to change 8080, you may need to do a similar volume mount on the api.js and change the file.

The file inside the openrmf web container is at /usr/share/nginx/html/js/apis.js. If you understand docker-compose you can do a mount to change that file and have the file locally. The raw file is at https://raw.githubusercontent.com/Cingulara/openrmf-web/develop/js/apis.js. Not sure that is a problem but could be.

The 8180 should be the same in the keycloak setup for the client as well as what you are accessing in the docker-compose top of the file for the port you open externally for the web container.

[Cingulara]

FYI, I actually run Keycloak locally using Docker. I have that info in here: https://github.com/Cingulara/openrmf-docs/tree/master/scripts/keycloak

If that helps at all.

[degthat8412]

What ever machine you are running this on should have a static IP. If not put a reservation in for DHCP. The IP address is what should go in your env file.

[superken4169]

I am a Linux, Docker novice. I am somewhat familiar with Linux but this is the very first time using Docker.

The server has a static IP address.

My .env file says JWT-AUTHORITY=http://:9001/auth/realms/openrmf JWT-CLIENT=openrmf

After creating my Ubuntu VM then giving it a new address and updating the hostname I followed the instructions below

sudo apt -y update

sudo apt -y install apt-transport-https ca-certificates curl gnupg-agent software-properties-common unzip default-jdk mongodb-server

** Docker sudo apt remove docker docker-engine docker.io containerd runc

curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -

sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"

sudo apt update

curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -

sudo apt-key fingerprint 0EBFCD88

sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu disco stable"

sudo apt update

sudo apt install -y docker-ce

sudo apt-get install -y docker-compose

** Keycloak cd /opt

sudo wget https://downloads.jboss.org/keycloak/8.0.1/keycloak-8.0.1.tar.gz

sudo tar -xvzf keycloak-8.0.1.tar.gz

sudo mv keycloak-8.0.1 /opt/keycloak

sudo groupadd keycloak

sudo useradd -r -g keycloak -d /opt/keycloak -s /sbin/nologin keycloak

sudo chown -R keycloak: keycloak

sudo chmod o+x /opt/keycloak/bin/

cd /etc/

sudo mkdir keycloak

sudo cp /opt/keycloak/docs/contrib/scripts/systemd/wildfly.conf /etc/keycloak/keycloak.conf

sudo cp /opt/keycloak/docs/contrib/scripts/systemd/launch.sh /opt/keycloak/bin/

sudo chown keycloak: /opt/keycloak/bin/launch.sh

sudo nano /opt/keycloak/bin/launch.sh

WILDFLY_HOME-"/opt/keycloak" sudo cp /opt/keycloak/docs/contrib/scripts/systemd/wildfly.service /etc/systemd/system/keycloak.service sudo nano /etc/systemd/system/keycloak.service "Description=The Keycloak Server? After=syslog.target network.target Before=httpd.service [Service] Environment=LAUNCH_JBOSS_IN_BACKGROUND=1 "EnvironmentFile=/etc/keycloak/keycloak.conf" "User=keycloak" "Group=keycloak" LimitNOFILE=102642 "PIDFile=/var/run/keycloak/keycloak.pid" "ExecStart=/opt/keycloak/bin/launch.sh $WILDFLY_MODE" StandardOutput=null [Install] WantedBy=multi-user.target sudo systemctl daemon-reload sudo systemctl enable keycloak sudo systemctl start keycloak Sudo nano standalone.xml socket-binding-group sudo /opt/keycloak/bin/add-user-keycloak.sh -r master -u -p sudo /opt/keycloak/bin/add-user-keycloak.sh -r master -u -p sudo systemctl restart keycloak sudo nano /etc/keycloak/keycloak.conf "# The address console to bind to" "WILDFLY_MANAGEMENT_CONSOLE_BIND=0.0.0.0" sudo nano /opt/keycloak/launch.sh sudo nano /etc/systemd/system/keycloak.service sudo systemctl daemon-reload sudo systemctl restart keycloak sudo /opt/keycloak/bin/add-user.sh sudo systemctl restart keycloak Log in to your Keycloak instance, whether online or within containers (docker, kubernetes) or natively on your machine Create a new Realm for openrmf In General update the Display Name and make sure Enabled is turn to ON Click Save Go to Login and set User Registration to ON if you wish Set Require SSL appropriately (i.e. none for development locally only) Set any other options you wish and click Save Click on Authentication in the left menu Click the Password Policy tab and set all appropriate policies (digits, special characters, upper and lower case, expiration, etc.) Click Save to set all password policies Click Roles on the far left menu Add the following roles: Administrator, Assessor, Download, Editor, Reader (use proper case) Go to the Default Roles tab and add the Reader role, so new users can at least get Reader (if you wish) Click on Clients on the far left menu Click the Create Button to make a new client Name it openrmf and make sure openid-connect is the client protocol Click the Save button Add the Name and Description fields Set the access type to public Disable the Direct Access Grants Setup the Valid Redirect URIs to where your OpenRMF main root URL is (i.e. http://{ip-address}:8080/*) Set the Web Origins appropriately for CORS (i.e. development could be * or your specific URL) Click the Save button to save this initial setup Click on the Client Scopes tab to ensure the roles scope is in the right hand box to pass to OpenRMF upon login Click on the Mappers tab under the openrmf Client Click the Create button Add a roles mapper to use just the roles name to pass roles to our application (we do this just in case Keycloak changes something...ours remains as this) Enter 'roles' as the Name for the mapper. Make sure 'User Realm Role' is selected as the Mapper Type. Use 'roles' as the Token Claim Name. Make the JSON type a String (see image below) Save the mapper Create user in OpenRMF realm On the Left colum under Manage select user On the top right select add user Add username at the minumum and verify that the user is enabled Press save On right select Credentials tab Give the user a password that conforms to the realm password standard Select Role Mappings From the Available roles box select the additional roles for the user then press Add selected ++ Optional: I created a group called OpenRMF so that I could create users and and them to the group. Give the groups the role mappings that you want the user to have so you do not have to give directly to the user. Create multiple groups if you are going to have multiple users with different rights ++ To add a user to a group under the user settings select the Groups tab ++ Select the group you want the user added ++ Select Join **OpenRMF cd /home/ wget https://github.com/Cingulara/openrmf-docs/releases/download/0.10/openrmf-0.10.zip sudo unzip openrmf-0.10.zip Sudo nano .env JWT-AUTHORITY=http://:9001/auth/realms/openrmf JWT-CLIENT=openrmf Sudo ./start.sh ** Sources https://nspeaks.com/install-docker-on-ubuntu-19-10/ https://computingforgeeks.com/how-to-install-latest-docker-compose-on-linux/ https://medium.com/@hasnat.saeed/setup-keycloak-server-on-ubuntu-18-04-ed8c7c79a2d9 https://stackoverflow.com/questions/27922219/how-to-change-default-port-8080-in-wildfly https://github.com/Cingulara/openrmf-docs/blob/master/keycloak.md https://github.com/Cingulara/openrmf-docs

[superken4169]

i don't know if this will help or not, but thought I should include it. This is the exact link that I it's redirecting. "http://<my keycloak/openrmf IP>:9001/auth/realms/openrmf/protocol/openid-connect/auth?client_id=openrmf&redirect_uri=http%3A%2F%2F<keycloak/openrmf IP>%3A8080%2F&state=d50957aa-ad7f-4b61-8298-765fbe056b3b&response_mode=fragment&response_type=code&scope=openid&nonce=abb6698c-b016-4b20-8dc2-71e0e4a0a787"

[Cingulara]

Since your Keycloak came up correctly, I believe you have this setup right. We can work through this and then I can update the documentation to make sure I have it right.

Have you added a new user / registered a user in Keycloak to use with OpenRMF? You can do that 1 of two ways. If you setup the keycloak information like https://github.com/Cingulara/openrmf-docs/blob/master/keycloak.md talks on, then you should be able to register a new user. And it would automatically have the Reader role if you have auto assign roles setup.

The other way would be to go into the Keycloak UI, go to the openrmf realm, and then go to the Users area in Keycloak. Add a new user, set the email and login information, set the password, and then under the roles add the Administrator role. That would give you all permissions.

[superken4169]

Yes, I have created 2 users, both users contain all of the roles available.

[Cingulara]

So you go to OpenRMF, you get redirected to Keycloak, you log in, and what happens? Are you allowed to do a screenshot?

Does it redirect back to OpenRMF but not show data?

And can you view the Javascript Console Log to see if it is giving you any errors? If in Chrome, you can right-click the screen and choose "Inspect". I think IE/Edge it is F11 or F12.

[superken4169]

If I go to port 8080, the OpenRMF dashboard displays briefly before going to that URL that I uploaded earlier and displays The site cannot be reached on the screen. At no point to I receive a screen to login to OpenRMF

If I go to the same IP address port 8180, I can change Keycloak settings, change anything want.

When go to inspect on Chrome under network There are some errors

Request URL: http://<IP of keycloak/openrmf>:9001/auth/realms/openrmf/protocol/openid-connect/auth?client_id=openrmf&redirect_uri=http%3A%2F%2F<IP of keycloak/openrmf>%3A8080%2F&state=e8525a45-9e65-4cf9-8460-7cb48dbd6b16&response_mode=fragment&response_type=code&scope=openid&nonce=1d78d55c-92ed-403c-8d9d-e9738d6a9f89 Referrer Policy: no-referrer-when-downgrade Provisional headers are shown DNT: 1 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Mobile Safari/537.36 client_id: openrmf redirect_uri: http://1<IP of keycloak/openrmf>:8080/ state: e8525a45-9e65-4cf9-8460-7cb48dbd6b16 response_mode: fragment response_type: code scope: openid nonce: 1d78d55c-92ed-403c-8d9d-e9738d6a9f89

[Cingulara]

The line below should have your local IP or name or whatever you have locally to access it. If this is the right thing below you put earlier. I have my 192.168 type IP in there for local stuff redirecting to keycloak. The web UI is setup this file https://github.com/Cingulara/openrmf-web/blob/master/js/auth.js w/in the container to go to port 9001 on whatever you access the web UI through. And it should get you a login page just like the login page on the https://demo.openrmf.io/ once we get all this worked out.

JWT-AUTHORITY=http://:9001/auth/realms/openrmf

You definitely need to get to a login page though. The redirection on that auth.js goes from the OpenRMF page right to a login page in Keycloak. This JWT-AUTHORITY above is for the APIs to validate your calls. The Web UI logs you in to Keycloak and then redirects you back to the calling page in OpenRMF you were looking to access.

[Cingulara]

Without being able to see your screen, I would dbl check the 2 lines in the .env file, and then double check your Keycloak screens against the screenshots at the bottom of the https://github.com/Cingulara/openrmf-docs/blob/master/keycloak.md. I have had a couple people recently pull this down and have it work so we just need to see what small tweak is needed here. You have a lot of the main pieces already working.

[superken4169]

copied and pasted directly from the .env file. I will verify the Keycloak screens right now. thank you.

JWT-AUTHORITY=http://:9001/auth/realms/openrmf JWT-CLIENT=openrmf

[Cingulara]

JWT-AUTHORITY=http://:9001/auth/realms/openrmf

That is not right. It should be something like the below with an IP or name. And that should match the name you are doing to OpenRMF with.

JWT-AUTHORITY=http://192.168.1.23:9001/auth/realms/openrmf

And if all on one box, the IP should match the return URL on the Valid Redirect URIs in Keycloak. The valid redirect URIs ends in /* to allow any path to use Keycloak. So /systems.html, /charts.html, /checklists.html, etc.

[Cingulara]

But those are for the APIs to communicate with the web UI. The Web UI should redirect to keycloak when setup and give you a login page to use.

i.e. the steps when this is all working are like so:

1. Go to http://my-ip-address:8080/
2. Redirects quickly to http://my-ip-address:9001/auth/relams/openrmf/x/x/x/x/x/x and presents a login page
3. you login or create an account and log in successfully
4. Goes back to the OpenRMF dashboard
5. If you have "Admin" rights, it lets you go to Upload and add checklists, DISA XCCDF SCAP files, etc.

[superken4169]

the IP does show up, I redacted it before I sent the comment.
JWT-AUTHORITY=http://xxx.xx.xx.xxx:9001/auth/realms/openrmf JWT-CLIENT=openrmf

All of my Keycloak screens looks like the screenshots in the documentation.

Do the instructions I used to install everything look right? I'm going to try wiping this VM out and creating a new one. This is the best alternative to using that abysmal STIG Viewer.

[Cingulara]

Yes I hate that stupid viewer. It literally makes my eyes roll in the back of my head twice before I can ever even used.

You could also look at the kecloak information I have under the scripts directory in the docs repo. I run mine under docker, and just expose port 9001 so I can connect to it. I’ve had a few people do it that way and it seems to work. And I keep a named volume for the database so that the data will persist even after shutting it down and starting a back up.

You could try using that separately just to get that working. And then fire up the tool separate start shell script.

On Thu, Jan 2, 2020 at 11:36 AM superken4169 notifications@github.com wrote:

the IP does show up, I redacted it before I sent the comment. JWT-AUTHORITY=http://xxx.xx.xx.xxx:9001/auth/realms/openrmf JWT-CLIENT=openrmf

All of my Keycloak screens looks like the screenshots in the documentation.

Do the instructions I used to install everything look right? I'm going to try wiping this VM out and creating a new one. This is the best alternative to using that abysmal STIG Viewer.

— You are receiving this because you were assigned. Reply to this email directly, view it on GitHub https://github.com/Cingulara/openrmf-docs/issues/69?email_source=notifications&email_token=AK776OJ3V3FLYWXEOD2C4XTQ3YJYXA5CNFSM4KBYAOL2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEH6YJDI#issuecomment-570262669, or unsubscribe https://github.com/notifications/unsubscribe-auth/AK776OIZ2VM5WQRI5J7BIOLQ3YJYXANCNFSM4KBYAOLQ .

-- Dale Bingham CTO and Chief Technology Evangelist Cingulara https://www.cingulara.com 410-984-0001

[superken4169]

I will run it from the Docker then. What do I need to do to get that script on to my server?

[Cingulara]

Copy these three files into their own directory. run chmod +x *.sh in that directory to make those shell scripts executable. run ./start.sh

It will load up on port 9001

• https://raw.githubusercontent.com/Cingulara/openrmf-docs/master/scripts/keycloak/docker-compose.yml
• https://raw.githubusercontent.com/Cingulara/openrmf-docs/master/scripts/keycloak/start.sh
• https://raw.githubusercontent.com/Cingulara/openrmf-docs/master/scripts/keycloak/stop.sh

[superken4169]

Thank you. I will let you know the outcome.

[Cingulara]

Also, make sure Keycloak is running on 9001 as all this script setup assumes it is. that may be the culprit after talking to @degthat8412

[Cingulara]

The auth.js assumes 9001 in the redirection to log into keycloak w/in the JS. That is one hard port that is in there. I have to redo some things to allow that to change. So for now, it is 9001.

[Cingulara]

FYI @superken4169 I have a slack channel just for this tool. If you want to shoot me an email dale.bingham@cingulara.com w/ your good email address to use I can send you an invite. There are a few smart people in there that can help you as well.

[superken4169]

Ok, we are cooking with fire now. It worked much better that way and significantly shortened my installation guide for this project. It's updating Checklists right now. It's been running for a little while now, about 5 minutes. How long is it supposed to take?

[Cingulara]

hmmmm when you upload checklists it should only take seconds actually.

[Cingulara]

Did you upload CKL files? or XCCDF DISA SCAP scan files? You may want to again do the developer tools in Chrome and see if the JS is telling you an error message. OR if there is something else not working right.

If you upload Nessus SCAP scan files, they do not parse YET and I am working on that now.

[superken4169]

Nope, I just logged in. Then it came up saying that it was updating checklists and has been that way ever since.

Here are the errors in the order that they appear. I think they are errors because the text is red.

General: Request URL: https://cdn.datatables.net/1.10.16/css/dataTables.bootstrap4.min.css Referrer Policy: no-referrer-when-downgrade Request Headers Provisional headers are shown DNT: 1 Referer: http://:8080/ User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Mobile Safari/537.36

General: Request URL: https://cdn.datatables.net/1.10.16/js/jquery.dataTables.min.js Referrer Policy: no-referrer-when-downgrade Request Headers Provisional headers are shown DNT: 1 Referer: http://:8080/ User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Mobile Safari/537.36

General: Request URL: https://cdn.datatables.net/1.10.16/js/dataTables.bootstrap4.min.js Referrer Policy: no-referrer-when-downgrade Request Headers: Provisional headers are shown DNT: 1 Referer: http://:8080/ User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Mobile Safari/537.36

General: Request URL: http://:8080/android-icon-144x144.png Request Method: GET Status Code: 404 Not Found Remote Address: :8080 Referrer Policy: no-referrer-when-downgrade Response Headers: Connection: keep-alive Content-Length: 555 Content-Type: text/html Date: Thu, 02 Jan 2020 18:30:37 GMT Server: nginx/1.15.9 Request Headers: Accept: image/webp,image/apng,image/,/*;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cache-Control: no-cache Connection: keep-alive DNT: 1 Host: :8080 Pragma: no-cache Referer: http://:8080/ User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Mobile Safari/537.36

[superken4169]

The IP was redacted on the last comment

[Cingulara]

are you at ALL hooked to the Internet? I believe there are 1 or 2 referenced JS or CSS files that are pointing to their HTTPS:// online locations from the looks of it.

If not then I will have to find them, put them locally, and update the docker containers. I do not think you are but I need to fix those to be local anyway..

You also can get the latest by doing a stop.sh for only OpenRMF, copy the contents from here https://raw.githubusercontent.com/Cingulara/openrmf-docs/develop/scripts/docker-compose.yml into your current docker-compose.yml (or just save overtop the old one) and then run start.sh to run the latest code fixes and updates.

You may want to kill your browser cache/images/cookies and then reload to see the latest setup and fixes for this tool. I apologize for all the back-and-forth. I have been making a lot of updates lately and want to make sure you have the latest and most stable version.

[Cingulara]

Another option: try going right to http://{ip address}:8080/upload.html and seeing if you can just upload 1 checklist and add it to a new system. You probably have to click the 'add system' link on the Upload page. Then follow the information from https://cingulara.github.io/openrmf-docs/uploading.html to upload a single CKL file or DISA SCAP XCCDF file and see what you get.

I am curious if having 0 data in there is making it fault somehow. It does not with mine locally but I have 0.10.7 running.

[superken4169]

I've rebooted and it still does the same thing with Chrome. I tried IE and it does not look right at all. Finally, I tried Firefox and it comes up correctly. I've uploaded 20 checklist and everything looks good. I just need to find out why I cannot open it in Chrome at this time. Can you recommend an Open-source SCAP/STIG scanner that can scan Windows clients and servers? Thank you so much for all your assistance. I currently use OpenVAS (Alienvault version) for vulnerability scanning. It does not specifically look for SCAP compliance, but do you think I can use the vulnerability reports from that??

[Cingulara]

DISA has a SCAP scanner but you may need a license for it? @degthat8412 may know better.

https://www.open-scap.org/tools/scap-workbench/ works however I am not 100% sure the out from it. https://www.open-scap.org/tools/scap-workbench/#download has information on downloading it.

I would be curious how their "export" looks in open scap.

---

as for the Chrome on Ubuntu 19 server running this tool, I am not sure why it would fail if Firefox worked fine. Unless you had to kill cache/etc. and restart chrome to see. If FF worked Chrome should. I use Chrome all day long and it should be fine.

IE is horrible and needs to die off. Vulnerability hell. It and Flash. MS Edge though I need to test drive and see what has to be tweaked.

[Cingulara]

I did not answer your OpenVAS question. I have never heard of that and will have to check that one out. If it does the same XCCDF format export as the DISA SCAP tool then it may work. Otherwise we would need to write a connector for that.

[superken4169]

The server is Ubuntu. The client I am using to access is Windows. I'm sure it's a setting. When figure out what the setting causing my problem is, I will let you know. I don't use IE if I can possibly help it. For me, IE stands for Is Extinct. Just to verify, in order to create systems, I need to upload a Nessus Scan file or a file with the same XCCDF format as the DISA SCAP tool. I don't actually have the DISA SCAP tool. That's why I am looking for a different scanner. I really appreciate all of your help. Thank you so much.

[degthat8412]

DISA has a SCAP scanner does not require a license but you do need a CaC card. MS Edge is supposed to be using Chromium so that might make it a possible browser. :) I have heard of OpenVAS but have not had time to play with it. This also says it can perform SCAP scans. https://sourceforge.net/projects/retinacommunity/

[Cingulara]

@superken4169 Yes, to make a new system you can just upload a new CKL file or XCCDF DISA SCAP scan file. Or in the newest version 0.10.7 of OpenRMF, you can go to Systems and click the "Add" button. Fill in fields and save. Then upload a CKL file or XCCDF file as spoken on earlier after you save a new System. And if you want, email me as I said above and I can add you do our Slack channel for this tool.

[superken4169]

I'm going to see about downloading version 0.10.7 and installing it. I don't have a CaC, I retired before they started issuing CAC cards.

[Cingulara]

Ok, well if you are going to use 0.10.7, run ./stop.sh in the directory where you are using OpenRMF, then overwrite the docker-compose file with the 0.10.7 version, then ./start.sh to pull the latest updates and run. https://raw.githubusercontent.com/Cingulara/openrmf-docs/develop/scripts/docker-compose.yml is the file to use.

Also, clear cache and then reload the web browser to it.