Configuring SSO with PTC Arbortext Content Delivery
This topic provides details about the following steps for configuring SSO with PTC Arbortext Content Delivery:
Configure Service Provider SSO Keystore and Signing Certificate
Configure the SSL Certificate for PingFederate
Configuring PingFederate as the Central Auth Server Automatically
Update the PTC Arbortext Content Delivery SSO keystore with the exported PingFederate signing certificate
Import PingFederate SSL Certificate to Java CAcerts
Deploy Service Provider Application WAR with SSO Keystore
Configure Service Provider SSO Keystore and Signing Certificate
To create the SSO keystore and export its certificate for the PTC Arbortext Content Delivery service providers:
1. Navigate to the JAVA_HOME/jre/bin directory that is used by the PTC Arbortext Content Delivery application (refer to the JAVA_HOME path mentioned in <InS_HOME>\InS_SW\SW\3C.properties) and run the following commands.
To create Keystore:
keytool.exe -genkey -alias <Alias Name> -keystore <KeystoreName.jks> -keyalg RSA -storepass <Password_To_Set> -keysize 2048 -validity 360 -dname "CN=ACD_Hostname, OU=ptcnet, O=ptc, L=pune, ST=mh, C=in"
Note: Replace the alias, keystore name, password, and -dname values with those for your host and organization. The command sets only -storepass; when keytool prompts for the key password, press Enter so that it matches the keystore password (or pass -keypass with the same value), because securityContext.properties expects passwords.value and storePass to hold the same password.
To export the certificate:
keytool.exe -export -alias <Cert_Alias_Name> -keystore <Path_To_Keystore.jks> -rfc -file <Certificate_Name.crt>
Mapping of the values used in the certificate creation commands to the properties in securityContext.properties (default value in parentheses):
org.springframework.security.saml.key.JKSKeyManager.storeFile: path to <KeystoreName.jks> (default: WEB-INF/security/config/samlKeystore.jks)
org.springframework.security.saml.key.JKSKeyManager.storePass: <Password_To_Set> (default: wcadmin)
org.springframework.security.saml.key.JKSKeyManager.passwords.key: <Cert_Alias_Name> (default: spcert)
org.springframework.security.saml.key.JKSKeyManager.passwords.value: <Password_To_Set> (default: wcadmin)
org.springframework.security.saml.key.JKSKeyManager.defaultKey: <Cert_Alias_Name> (default: spcert)
You can use the default properties created while configuring through the Configurator; any update to these properties requires a manual change. To retain these properties across future configurations, see Advanced Configurations.
Configure the SSL Certificate for PingFederate
After the SSL certificate is created, see the Export certificate section of the Manage SSL client keys and certificates topic in the PingFederate documentation for more information on exporting and using the signing certificate.
Configure SSL Certificates for the Application Layer Encryption and Signing
Navigate to System > SAML Metadata > Metadata Settings > Manage Certificate. On the Manage Certificate screen, you can create and manage the signing certificates of your server. You can use these certificates to sign outgoing requests, responses, assertions, and access tokens. The same type of certificate is also used for decryption.
For more information about the purpose of the SSL certificates, see Configure the SSL Certificate for Application Layer Encryption and Signing. In this documentation, the SP (service provider) is always PTC Arbortext Content Delivery.
Communication between the SP and the CAS is protected by these certificates. Each side generates its own key pair and keeps its private key; only the public certificates are exchanged: the PTC Arbortext Content Delivery certificate is configured in the PingFederate SP connection, and the PingFederate certificate is imported into the PTC Arbortext Content Delivery SSO keystore.
Configuring PingFederate as the Central Auth Server Automatically
For automatic configuration of PingFederate, see Configuring PingFederate as the Central Auth Server Automatically.
Replace the user.properties and default.properties files in the downloaded script with the ones in the zip provided here.
Specify values for all properties in the user.properties file and review the properties in the default.properties file according to your IdP configuration.
You do not need to create an RP with the auto-configure scripts on PingFederate for PTC Arbortext Content Delivery. Comment out the following line in the config.sh file before running it:
./bin/create_wnc_oauth_client.sh "$verboseArg" $userCurlSSLOption
In PingFederate, you can create client endpoints for the applications that your SSO solution connects to when obtaining or verifying access tokens or authenticating users. PTC recommends that you create a separate client for each role that an application performs within your SSO solution, so that the settings of each client can be tuned for that role. For PTC Arbortext Content Delivery SSO, create the following clients in PingFederate for each of the three PTC Arbortext Content Delivery applications, namely PTC Arbortext Content Delivery Delivery, PTC Arbortext Content Delivery Task Manager, and PTC Arbortext Content Delivery Configurator:
SP Connection for service provider
OAuth Client for the service provider
For detailed information about creating and configuring the PingFederate connections, see the PingFederate documentation or contact Ping Identity customer support. The following procedures describe the settings that are required for PTC Arbortext Content Delivery SSO. Additional settings may be required for the SSO solution of your enterprise.
Update PTC Arbortext Content Delivery SSO keystore with PingFederate Certificate
Update the PTC Arbortext Content Delivery SSO keystore with the exported PingFederate signing certificate as follows. Before confirming the import, compare the fingerprint that keytool displays with the one shown in PingFederate:
keytool.exe -import -trustcacerts -alias <Signing_Cert_AliasName> -file <pingfed_signing_certificate.crt> -keystore <Path_To_Keystore.jks>
Import PingFederate SSL Certificate to Java CAcerts
Copy the PingFederate SSL certificate exported as described in the Configure the SSL Certificate for PingFederate topic to the Java_Home\jre\lib\security directory on the machine hosting the PTC Arbortext Content Delivery application and run the following command (the default password of the cacerts store is changeit):
keytool -import -alias <AliasName> -file <Path_to_PingfederateSSLCertificate.crt> -storetype jks -keystore <Java_Home>\jre\lib\security\cacerts
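As an added example (not part of PTC's documentation or of PTC's or Ping Identity's tooling), the following POSIX shell script runs the keystore steps of this topic end to end with keytool: it creates the service provider key pair, exports its certificate, imports a PingFederate signing certificate into the SAML keystore, imports a PingFederate TLS certificate into a trust store, and then checks the result against the securityContext.properties values from the mapping table above. It assumes a JDK keytool on PATH. The host names, alias names and the two stand-in PingFederate certificates (generated locally, since no PingFederate is available offline) are constructed for the demo, and the trust store is a scratch file rather than the real cacerts.

```shell
#!/bin/sh
# Added example, not PTC's or Ping Identity's tooling. Builds the service
# provider SSO keystore as this topic describes and checks the result.
# Assumes a JDK keytool on PATH; host names, aliases and the two stand-in
# PingFederate certificates are constructed for the demo.
set -eu

if ! command -v keytool >/dev/null 2>&1; then
  echo "keytool (JDK) not found on PATH; nothing to demonstrate" >&2
  exit 0
fi

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

SP_KEYSTORE="$WORK/samlKeystore.jks"  # JKSKeyManager.storeFile
SP_ALIAS=spcert                        # JKSKeyManager.defaultKey and passwords.key
SP_STOREPASS=wcadmin                   # documented default; change it for production
IDP_SIGN_ALIAS=pingfed-signing         # goes into samlKeystore.jks
IDP_TLS_ALIAS=pingfed-tls              # goes into the JVM trust store
TRUSTSTORE="$WORK/cacerts-demo.jks"    # scratch stand-in for <Java_Home>\jre\lib\security\cacerts
PROPS="$WORK/securityContext.properties"

# Step 1: SP key pair. -storetype JKS is explicit because keytool on Java 9+
# defaults to PKCS12, which the .jks path and JKSKeyManager do not expect.
# -keypass equals -storepass so that passwords.value can equal storePass.
create_sp_keystore() {
  keytool -genkeypair -alias "$SP_ALIAS" -keystore "$SP_KEYSTORE" -storetype JKS \
    -keyalg RSA -keysize 2048 -validity 360 \
    -storepass "$SP_STOREPASS" -keypass "$SP_STOREPASS" \
    -dname "CN=acd.example.com, OU=ptcnet, O=ptc, L=pune, ST=mh, C=in"
}

# Step 2: export the SP certificate (PEM) for the PingFederate SP connection.
export_sp_cert() {
  keytool -exportcert -alias "$SP_ALIAS" -keystore "$SP_KEYSTORE" \
    -storepass "$SP_STOREPASS" -rfc -file "$WORK/acd_sp.crt"
}

# Stand-in for a certificate exported from PingFederate: a throwaway key pair
# whose public certificate is written to $3; the private key stays in its store.
gen_stand_in_cert() {  # $1 alias, $2 CN, $3 output file
  keytool -genkeypair -alias "$1" -keystore "$WORK/$1.jks" -storetype JKS \
    -keyalg RSA -keysize 2048 -validity 360 -storepass idpdemo -keypass idpdemo \
    -dname "CN=$2, O=demo"
  keytool -exportcert -alias "$1" -keystore "$WORK/$1.jks" -storepass idpdemo -rfc -file "$3"
}

# Step 3: PingFederate signing certificate -> SP SAML keystore as a trusted
# entry, used to verify signatures on responses and assertions.
import_idp_signing_cert() {
  keytool -importcert -trustcacerts -noprompt -alias "$IDP_SIGN_ALIAS" \
    -file "$WORK/pingfed_signing.crt" -keystore "$SP_KEYSTORE" -storepass "$SP_STOREPASS"
}

# Step 4: PingFederate TLS certificate -> JVM trust store for the HTTPS
# back-channel. The real target is <Java_Home>\jre\lib\security\cacerts (password changeit).
import_idp_tls_cert() {
  keytool -importcert -noprompt -alias "$IDP_TLS_ALIAS" -storetype jks \
    -file "$WORK/pingfed_tls.crt" -keystore "$TRUSTSTORE" -storepass changeit
}

# The securityContext.properties values this keystore has to agree with.
write_properties() {
  P=org.springframework.security.saml.key.JKSKeyManager
  printf '%s\n' "$P.storeFile=$SP_KEYSTORE" "$P.storePass=$SP_STOREPASS" \
    "$P.passwords.key=$SP_ALIAS" "$P.passwords.value=$SP_STOREPASS" \
    "$P.defaultKey=$SP_ALIAS" >"$PROPS"
}
prop() { sed -n "s/^org\.springframework\.security\.saml\.key\.JKSKeyManager\.$1=//p" "$PROPS"; }

# Check: the keystore opens with the configured password, defaultKey owns a
# private key, the IdP alias is a trusted certificate only, and both alias
# properties name the same entry.
verify_sp_keystore() {
  listing=$(keytool -list -keystore "$(prop storeFile)" -storepass "$(prop storePass)" 2>/dev/null)
  printf '%s\n' "$listing" | grep -q "^$(prop defaultKey),.*PrivateKeyEntry" || return 1
  printf '%s\n' "$listing" | grep -q "^$IDP_SIGN_ALIAS,.*trustedCertEntry" || return 1
  [ "$(prop defaultKey)" = "$(prop passwords.key)" ]
}

# Check: the trust store holds the TLS certificate as a trusted entry.
verify_truststore() {
  keytool -list -keystore "$TRUSTSTORE" -storepass changeit 2>/dev/null \
    | grep -q "^$IDP_TLS_ALIAS,.*trustedCertEntry"
}

# Flag the documented default keystore password still being in use.
uses_default_storepass() { [ "$(prop storePass)" = wcadmin ]; }

main() {
  create_sp_keystore
  export_sp_cert
  gen_stand_in_cert "$IDP_SIGN_ALIAS" pingfed.example.com "$WORK/pingfed_signing.crt"
  gen_stand_in_cert "$IDP_TLS_ALIAS" pingfed.example.com "$WORK/pingfed_tls.crt"
  import_idp_signing_cert
  import_idp_tls_cert
  write_properties
  verify_sp_keystore
  verify_truststore
  echo "SP keystore and trust store are consistent with securityContext.properties"
  if uses_default_storepass; then
    echo "WARNING: keystore still uses the documented default password" >&2
  fi
}
main
```

Run it from any shell with a JDK on PATH; the same keytool options apply to keytool.exe on Windows. The check that matters in practice is the one in verify_sp_keystore: the alias named by defaultKey must be a PrivateKeyEntry, because the SP needs a private key to sign its requests, while the PingFederate entry must be a trustedCertEntry only, since the SP only ever verifies PingFederate's signatures and never holds its key.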
Deploy Service Provider Application WAR with SSO Keystore
Copy the SSO keystore created above into the respective service provider WAR files. For PTC Arbortext Content Delivery, you must update the following application WAR files with the keystore:
PTC Arbortext Content Delivery Delivery: <InS_HOME>\InS_SW\SW\Applications\Windchill.ear\codebase.war\WEB-INF\security\config
PTC Arbortext Content Delivery TaskManager: <InS_HOME>\InS_SW\SW\Applications\e3C.ear\TaskManager.war\WEB-INF\security\config
PTC Arbortext Content Delivery Configurator: <InS_HOME>\InS_SW\SW\Applications\ConfiguratorApp-1.0-SNAPSHOT.ear\ConfiguratorWebApp-1.0.war
SAML Signing and Signature Verification
On the PTC Arbortext Content Delivery side, the keystore file samlKeystore.jks referenced by the PTC Arbortext Content Delivery SSO configuration holds the material used for signing and signature verification between the following:
SP and CAS
the PTC Arbortext Content Delivery application-specific private key and certificate (used to sign outgoing requests) and the PingFederate public signing certificate (used to verify the signatures on incoming responses and assertions)
Add this keystore to the application specific war file as mentioned in the Application section.
XML Encryption and Decryption
On the PingFederate side, the corresponding material for communication between SP and CAS, that is, the PTC Arbortext Content Delivery public certificate and the PingFederate private key, is configured in the service provider connection section on the PingFederate server.