Connecting to a PTC Server Using HTTPS Client Authentication
The PTC Server connection enables you to connect to a PTC Server using HTTPS client authentication. When Arbortext Editor or Arbortext Publishing Engine uses the PTC Server connection to connect to a PTC Server that uses two-way Secure Sockets Layer (SSL) HTTPS client authentication, you must import the SSL client certificate file into a Microsoft Windows certificate store. This support includes certificates stored on smart cards and similar devices, which are accessed through the certificate store. Note that if the PTC Server only optionally requests an SSL client certificate, authentication proceeds whether or not a certificate is available.
The PTC Server connection supports certificate authentication in the same way as Internet Explorer. If your PTC Server uses HTTPS client authentication, follow Microsoft's or your organization's guidelines to configure Internet Explorer to access the PTC Server by importing SSL client certificates into the appropriate Microsoft Windows certificate store. Once Internet Explorer can connect to the PTC Server successfully, the PTC Server connection should also be able to connect. Refer to the help for the Microsoft Management Console for more information about importing and viewing client certificates.
You configure details about the client certificate and the certificate store in the siteprefs.xml configuration file using the following parameters:
• SecurityCertificateSerialNumber — Specifies the serial number of a Secure Sockets Layer (SSL) certificate that is stored in the certificate store. This serial number is used to select the correct certificate from the store to authenticate with the specified PTC Server. You can have multiple SecurityCertificateSerialNumber entries, each representing a different PTC Server.
• SecurityCertificateStoreName — Specifies either the name of a specific certificate store that contains the SSL certificate used to authenticate with a PTC Server, or indicates that all PTC-supported certificate stores should be searched for the certificate. You can have multiple SecurityCertificateStoreName entries, each representing a different PTC Server. Arbortext Editor and Arbortext Publishing Engine use different certificate stores, so their connection details should not be defined in the same siteprefs.xml file. To search for the certificate in all supported certificate stores, set the parameter to the value PTC_SEARCH_IN_ALL_KEY_STORES.
By default, Arbortext Editor uses certificates stored in the Personal store (also known as the My store), where user certificates are kept. By default, Arbortext Publishing Engine uses the Trusted Root Certification Authorities store (also known as the Root store). The PTC Server connection searches these stores by default, so you do not need to add a SecurityCertificateStoreName parameter entry to siteprefs.xml if you store your certificate in one of them. If you choose to use a store other than Personal or Root, you must either put the specific name of the store in the SecurityCertificateStoreName parameter or indicate that all PTC-supported certificate stores should be searched.
If a certificate serial number is provided and the name of a certificate store is not, the PTC Server connection searches for the certificate first in the My store and then in the Root store. If the My store is specified and the certificate cannot be located there, the PTC Server connection searches the Root store. If the Root store is specified and the certificate cannot be located there, the PTC Server connection searches the My store. If the SecurityCertificateStoreName parameter is set to PTC_SEARCH_IN_ALL_KEY_STORES, the PTC Server connection searches all supported PTC stores. In any case, if the specified serial number cannot be located, the connection to the PTC Server fails.
If a certificate serial number is not provided, the PTC Server connection searches for certificates in a specified store, in one of the default stores, or in all stores, depending on the setting of the SecurityCertificateStoreName parameter. If certificates are found in one of these stores, the PTC Server connection tries to use the first certificate in that store. If the first certificate does not work, the connection to the PTC Server fails.
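As an added example that is not part of the PTC documentation, the following PowerShell script reproduces the store search order described above so that you can check, before editing siteprefs.xml, that the serial number you plan to configure resolves to a usable certificate in the Windows certificate store. The placeholder serial number, the decision to search both the CurrentUser and LocalMachine locations, and the usability checks at the end (private key present, validity period, Client Authentication enhanced key usage) are assumptions of this example, not statements from the page.

```powershell
# Added example (not PTC's or Arbortext's own code): find the certificate that
# SecurityCertificateSerialNumber / SecurityCertificateStoreName would select,
# following the documented search order, and report common reasons the
# resulting HTTPS client authentication would still fail.
# Assumptions (not stated on the page): both CurrentUser and LocalMachine are
# searched, and a usable client certificate needs a private key, a current
# validity period and the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2).

param(
    # Serial number you intend to configure (constructed placeholder value)
    [string]$SerialNumber = '00A1B2C3D4E5F60718',
    # '' (not provided), 'My', 'Root', another store name, or PTC_SEARCH_IN_ALL_KEY_STORES
    [string]$StoreName = ''
)

$Locations = 'CurrentUser', 'LocalMachine'

# Tools display serial numbers with spaces, colons or a leading 00;
# compare on the bare hex digits only.
function ConvertTo-NormalizedSerial([string]$Serial) {
    return ($Serial -replace '[^0-9A-Fa-f]', '').ToUpperInvariant().TrimStart('0')
}

# Search order as documented: My then Root when no store or My is given,
# Root then My when Root is given, every store for PTC_SEARCH_IN_ALL_KEY_STORES,
# otherwise only the explicitly named store.
function Get-StoreSearchOrder([string]$Store) {
    switch ($Store) {
        ''     { return @('My', 'Root') }
        'My'   { return @('My', 'Root') }
        'Root' { return @('Root', 'My') }
        'PTC_SEARCH_IN_ALL_KEY_STORES' {
            $paths = $Locations | ForEach-Object { "Cert:\$_" }
            return @(Get-ChildItem -Path $paths |
                     Select-Object -ExpandProperty PSChildName | Sort-Object -Unique)
        }
        default { return @($Store) }
    }
}

function Find-ClientCertificate([string]$Serial, [string]$Store) {
    $target = ConvertTo-NormalizedSerial $Serial
    foreach ($name in Get-StoreSearchOrder $Store) {
        foreach ($location in $Locations) {
            $path = "Cert:\$location\$name"
            if (-not (Test-Path $path)) { continue }
            $certs = @(Get-ChildItem -Path $path -ErrorAction SilentlyContinue)
            if ($certs.Count -eq 0) { continue }
            # No serial configured: the connection tries the first certificate it finds.
            if ($target -eq '') { return $certs[0] }
            $match = @($certs | Where-Object {
                (ConvertTo-NormalizedSerial $_.SerialNumber) -eq $target })
            if ($match.Count -gt 0) { return $match[0] }
        }
    }
    return $null
}

$cert = Find-ClientCertificate -Serial $SerialNumber -Store $StoreName
if (-not $cert) {
    Write-Warning "No certificate with serial '$SerialNumber' found (store setting '$StoreName'); the PTC Server connection would fail."
    exit 1
}

Write-Output "Found: $($cert.Subject)"
Write-Output "  Store:      $($cert.PSParentPath -replace '.*::', '')"
Write-Output "  Serial:     $($cert.SerialNumber)"
Write-Output "  Thumbprint: $($cert.Thumbprint)"
Write-Output "  Valid:      $($cert.NotBefore) to $($cert.NotAfter)"

# The lookup can succeed and two-way TLS still fail; flag the usual causes.
# For smart-card certificates HasPrivateKey reflects the link to the card's key provider.
if (-not $cert.HasPrivateKey) {
    Write-Warning 'No private key is associated with this certificate; it cannot authenticate a client.'
}
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    Write-Warning 'The certificate is outside its validity period.'
}
$eku = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasClientAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })
if (-not $hasClientAuth) {
    Write-Warning 'The certificate does not carry the Client Authentication enhanced key usage.'
}
```

Run it as the Windows user account under which Arbortext Editor or Arbortext Publishing Engine will run, since the Personal (My) store is per user; pass the store name you intend to put in SecurityCertificateStoreName, or leave it empty to exercise the default My-then-Root order.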
When checking to see if a PTC Server uses forms-based authentication, the PTC Server connection uses certificate information from the siteprefs.xml file. If the PTC Server does use forms-based authentication, an HTML login form is embedded in the Connect dialog box. This login form does not use certificate information from the siteprefs.xml file, but will use a certificate stored in the My store. If the login succeeds, the PTC Server connection again uses certificate information from the siteprefs.xml file for further communication with the PTC Server.
For HTTPS client authentication, it is recommended that you set the UseNewAuthentication parameter in the userprefs.xml file to true to use the alternate authentication process. In this case, no authentication dialog box is shown when the PTC Server connection locates the specified certificate. When there are multiple possible certificates, the Authentication Required dialog box displays them so that you can select the certificate to use for authentication.