Web Server Configuration
For Apache-based web servers (including PTC HTTP Server), the CA certificate must be in PEM-encoded format. Documentation for configuring Apache 2.4 for SSL/TLS client certificate authentication can be found on Apache web site using the following URLs:
For a simple case, the SSLCACertificateFile directive in Apache can specify the CA certificate file that is used to validate the client SSL certificate. For example:
SSLCACertificateFile<httpserver_home>/<location_to>/ca.crt.
If the SSL CA certificate is a certificate chain, you may need to set the SSLVerifyDepth directive to specify the number of certificates in the chain to check. For more information about SSL CA certificates, consult with your SSL expert.
The previous two configuration directives can be placed in httpd.conf or in any file in the conf/conf.d directory. However, PTC highly recommends that you create a new site-specific CONF file and add this file to httpserver_home/conf/sslvhostsconf.d directory. This file will be automatically added to the default SSL virtualhost configuration. Creating a new file will assist in managing these configuration directives and will ensure that PTC updates do not overwrite any specific configuration values.
After these values are configured, the web server must know which URLs require authentication. This is normally configured in the
<httpserver_home>/conf/conf.d/30-app-[webappname]-Auth.conf file. The file is automatically generated; therefore, any changes can be lost. To avoid overwriting these configured values, add them to the site-specific CONF file previously created in the
httpserver_home/conf/sslvhostsconf.d directory. For details on how to configure changes to automatically generated files from PTC, see
PTC HTTP Server Configuration Layout.
Within each LocationMatch block, the default file configures at least the LDAP authentication.
The directives in this block can be entirely replaced with the appropriate SSL directives. At a minimum, the following directives are necessary:
• SSLVerifyClient require
• SSLUserName [varname]
The value of the SSLUserName varname argument depends on site security requirements and certificate configuration. The SSLUserName directive is required to set the REMOTE_USER variable. As an alternative to SSLUserName, the FakeBasic SSL option can be used as documented in the Apache mod_ssl documentation. This alternative is recommended as it provides a fake HTTP Basic authentication header that the Windchill component can attempt to use.
Some Windchill clients do not natively support SSL authentication. This requires specific authentication mechanisms or anonymous access to be allowed on certain Windchill URLs. By default these URL resources are declared in the <ptc_httpserver_home>/conf/app-<webAppName>-AuthRes.xml> file. Any resource with the type anonymous or protocolAuth needs to be accessible without SSL client verification. The LocationMatch rules for those URLs must include the directive SSLVerifyClient none. If your authentication requirements mandate that all URLs must be configured for SSL authentication, then you can alternatively configure the Apache server so that those URLs are accessed with a certificate.
Client Compatibility
The following clients require configuration to enable SSL authentication with Windchill.
• Windchill Business Reporting
• Mozilla Firefox Browser
• Creo Parametric 2.0, 3.0 and 4.0
1. Import the user-specific certificate in the web browser
▪ Internet Explorer: > >
.
▪ Chrome: > > .
2. Launch Creo Parametric and go to Configuration Editor
3. For Creo 3.0 and 4.0 M010 Chrome embedded browsers, add dm_pki_authentication_url with the value set to the URL of the Windchill server
|
SSL certificate authentication is for Chromium embedded browser in Creo 4.0 F000 is not supported, however this is supported in Creo 4.0 M010.
This step is not needed for Creo 2.0 as Chromium embedded browser is not supported for that release.
|
4. Save config.pro file to be reloaded at next Creo Parametric launch
|
For Creo 4.0, the new config.pro option will only be supported in Creo 4.0 M010.
|
5. Close and relaunch Creo Parametric
6. Register PKI configured Windchill server from > or using the Workspace user interface of the same server.
7. Login is processed with the certificate in the browser
• Windchill Workgroup Manager browsers
1. Import the user-specific certificate in the web browser
▪ Internet Explorer: > >
▪ Chrome: > >
2. Configure embedded browsers. From Windchill Workgroup Manager installation point, open the wgmclient.ini file in a text editor
3. Find the preference pki.authentication.url and set it to the value to the URL of the Windchill server.
4. Save wgmclient.ini and launch Windchill Workgroup Manager
5. Register PKI configured Windchill server from >
6. Login is processed with the certificate in the browser
Configuring some clients for SSL client certificate authentication is unsupported. Before you implement SSL authentication at your site, you should examine the extent to which these clients are used and whether these client exclusions are an impediment to using SSL authentication. PTC does not support SSL authentication configurations for the following clients:
• Windchill Archive
• Windchill Gateway for Cadence Allegro Design Workbench
• Windchill Gateway for Creo Elements/Direct Model Manager
• Windchill Gateway for FORAN
• Windchill STEP Connector
For up-to-date information about client compatibility with SSL/TLS authentication, refer to the following article:
https://support.ptc.com/appserver/cs/view/solution.jsp?n=CS250038.