Enhanced Security Measures in Worker Configuration
When configuring a worker for WVS, the command used to start that worker, either on the Windchill server or on the remote worker machine, is configured in the agent.ini file by an administrator. A security update in Windchill 10.2 prevents malicious changes to that file that could allow other OS commands to be executed.
Beginning at Windchill 10.2, a new, mandatory WVS property called worker.exe.whitelist.prefixes is introduced to provide extra protection for the worker executables. A worker is used only if its executable matches one of the prefixes specified in the property; otherwise, the worker is ignored.
Before an OS command is executed, the prefix containing the command must be configured in wvs.properties by adding the appropriate values to the site.xconf file. The details of the property settings can be found in the wvs.properties.xconf file in the WORKER EXECUTABLE PREFIX SETTINGS section.
• The property worker.exe.whitelist.prefixes can be used to provide a list of command prefixes that can be used for any worker on any host.
• Additionally, properties of the form worker.exe.whitelist.prefixes.<worker_host> can be used to provide a list of command prefixes on a per-worker host basis.
The following sample use case illustrates the configuration of the worker.exe.whitelist.prefixes property.
<Property name="worker.exe.whitelist.prefixes" overridable="true"
targetFile="codebase/WEB-INF/conf/wvs.properties"
value=" C:\|D:\|G:\|/|nohup /"/>
This configuration honors all Windows workers residing on the C, D, and G drives, along with all the Unix/Linux workers. The vertical bar (pipe) is used to separate the prefixes.