Customizing the Security Framework
When customizing the Arbortext Publishing Engine security framework, be aware of the following items.
• By default, the Arbortext Publishing Engine security framework divides all of the requests that Arbortext Publishing Engine processes into two classes: administrative and non-administrative. Administrative requests are restricted; non-administrative requests are unrestricted. The framework can be made more precise by adding more finely grained security constraints that match individual f=acl requests, f=java requests, and so on, rather than matching all requests.
• Some requests that Arbortext Publishing Engine supports should not be made restricted, because they are submitted by client programs that cannot process requests for IDs and passwords. For Arbortext Publishing Engine composition (in which Arbortext Editor submits publishing requests to the Arbortext PE Request Manager), the following requests must remain unrestricted:
◦ f=java class=com.arbortext.e3ci.Application
◦ f=java class=com.arbortext.e3c.Application
◦ f=qt-cancel
◦ f=qt-discard
◦ f=qt-list
◦ f=qt-retrieve
The final four f=qt- functions are only required if Arbortext Editor is submitting QUEUED transactions. If your site doesn't use queuing, you can restrict these four functions and disable queuing by setting the parameter com.arbortext.e3.queueCompositionOperations to never.
• For composition requests from the WVS Arbortext Publishing Engine Worker, the following request must remain unrestricted:
f=java class=com.arbortext.ptc.windchill.Compose
• For composition requests from the Windchill Service Information Manager Worker (also called the SIS Worker), the following request must remain unrestricted:
f=acl function=main::composeSisPE
• Be aware that, in addition to controlling the security framework, the e3config.xml file restricts the ACL, APP, Java, JavaScript, and VBScript PE applications that can run.
• Besides configuring Arbortext Publishing Engine, several items can be configured in Apache Tomcat by modifying web.xml or Tomcat's servlet.xml.
In servlet.xml, you can configure the following items.
◦ Enable HTTPS with or without client-side certificate authentication
◦ Disable HTTP so that only HTTPS requests are accepted
◦ Control how session IDs are managed
For more information, refer to the documentation provided for Tomcat by the Apache Software Foundation.
In web.xml, you can configure the following items.
◦ Session timeouts
◦ The authentication method used
◦ How cookies are used
◦ Additional security roles
For more information, refer to the Java Servlet Standard.
You must also ensure that Tomcat is configured in line with current security best practices.
Disabling HTTPS
HTTPS is enabled by default in an Arbortext Publishing Engine installation. To disable it, edit web.xml and remove the following section:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>HTTPSOnly</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
For more information about setting up Apache Tomcat using HTTPS, refer to the topic ‘SSL/TLS Configuration’ from the documentation provided for Tomcat by the Apache Software Foundation.
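Because removing that one section silently turns off HTTPS enforcement, a deployment check can confirm it is still present. The following is an added example, not PTC or Tomcat code: the function names and the three sample descriptors are constructed, and it assumes that a constraint narrowed to particular HTTP methods should not count as full enforcement.

```python
import xml.etree.ElementTree as ET

def _kids(elem, name):
    """Children with the given local name, ignoring any web-app XML namespace."""
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def _covers_everything(collection):
    """True if the collection maps /* and is not narrowed to particular HTTP methods."""
    patterns = {(p.text or "").strip() for p in _kids(collection, "url-pattern")}
    narrowed = _kids(collection, "http-method") or _kids(collection, "http-method-omission")
    return "/*" in patterns and not narrowed

def enforces_https(web_xml_text):
    """True if a security-constraint requires CONFIDENTIAL transport for every request."""
    root = ET.fromstring(web_xml_text)
    for sc in _kids(root, "security-constraint"):
        guarantees = {(g.text or "").strip().upper()
                      for udc in _kids(sc, "user-data-constraint")
                      for g in _kids(udc, "transport-guarantee")}
        if "CONFIDENTIAL" in guarantees and any(
                _covers_everything(c) for c in _kids(sc, "web-resource-collection")):
            return True
    return False

# Constructed sample descriptors (not taken from a real installation).
_CONSTRAINT = """
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HTTPSOnly</web-resource-name>
      <url-pattern>/*</url-pattern>{extra}
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>"""
NS = 'xmlns="http://xmlns.jcp.org/xml/ns/javaee"'
ENFORCED = f"<web-app {NS}>{_CONSTRAINT.format(extra='')}</web-app>"
REMOVED = "<web-app><session-config><session-timeout>30</session-timeout></session-config></web-app>"
POST_ONLY = f"<web-app>{_CONSTRAINT.format(extra='<http-method>POST</http-method>')}</web-app>"

if __name__ == "__main__":
    for label, doc in (("enforced", ENFORCED), ("removed", REMOVED), ("POST only", POST_ONLY)):
        print(f"{label:10} HTTPS required for all requests: {enforces_https(doc)}")
```

To audit a real installation, pass the contents of its web.xml to enforces_https() and alert when the result is False.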