Using SSL for a Secure Connection
Your site can use 2-way SSL to secure the communication between the ThingWorx server and the Windchill application. PTC recommends using SSL when working in a production environment. The extension can use SSL to both mutually authenticate the servers to each other and protect the communication itself.
An SSL connection requires that both systems trust each other; to do this, SwaggerConnector and ptc-windchill-Odata-connector must be configured to reference Java keystores and truststores held on the ThingWorx server which provide keys for the transaction. The HTTP Server on the Windchill server must be configured to trust those keys.
SSL configurations vary considerably and this topic does not attempt to describe all options available in an SSL configuration. Instead, the following steps give an overview of the process for configuring SSL.
This procedure assumes that both ThingWorx and Windchill are configured to use SSL for their standard communications. It also relies on configuration scripts that come with the most recent version of the PTC HTTP Server. The most recent PTC HTTP Server is included with Windchill 11.0 M030 and later.
• You can use a commercial trusted wildcard certificate for Windchill.
• You can use a self-signed certificate or a commercial trusted wildcard certificate between ThingWorx and Windchill.
Configuring ThingWorx with KeyStore and TrustStore
ThingWorx requires Java keystores and truststores. Instructions for creating these files are in the topic Create KeyStore and TrustStore Files for ThingWorx Navigate.
1. Create a TrustStore for ThingWorx and import the Windchill SSL certificate.
2. Create a KeyStore for ThingWorx, and generate a key pair in the KeyStore.
3. Configure Windchill to trust ThingWorx.
4. Reference them in the configuration of the WindchillConnector Thing Template used to connect ThingWorx to the Windchill system being secured.
Configuring Windchill for Client Authentication
On the Windchill server, configure SSL authentication in the PTC HTTP Server to trust the ThingWorx key and certificate.
Code examples have been reformatted to fit the page and may contain line numbers, hidden editing characters (such as tabs and end-of-line characters) and extraneous spaces. If you cut and paste code, check for these characters and remove them before attempting to use the example in your application.
1. Update PTC HTTP Server configuration to reference the CA certificates file.
a. Create a file at <HTTPSERVER_HOME>\conf\ca-bundle.crt. This location is recommended but not required.
b. Save ca-bundle.crt.
c. Create a sslclientauth.conf file at <HTTPSERVER_HOME>\conf\sslvhostconf.d.
d. Add an SSLCACertificateFile directive pointing to <PATH_TO>\ca-bundle.crt so that the HTTP Server reads its trusted CA certificates from that file. For example:
SSLCACertificateFile <HTTP_Server>\conf\ca-bundle.crt
e. Save changes.
2. Add the ThingWorx client certificate to PTC HTTP Server’s list of trusted CA certificates.
a. Edit the ca-bundle.crt file you pointed to previously in the SSLCACertificateFile entry.
If the file does not yet exist, create the file and any required directories.
b. Edit ca-bundle.crt and paste in the PEM content of the ThingWorx client certificate.
c. Save changes.
3. Configure PTC HTTP Server for the sslClientAuth URL.
a. Find the Windchill web app name in <windchill-home>/codebase/wt.properties in the entry wt.webapp.name.
b. Open a shell or command prompt and enter the following:
cd <HTTPSERVER_HOME>
ant -f webAppConfig.xml -DappName=[windchill-web-app] -Dresource=sslClientAuth -DresourceAuthType=sslClientAuth addAuthResource
c. Configure Windchill to trust the ThingWorx certificate.
i. Edit <windchill-home>/codebase/WEB-INF/web.xml.
ii. Find <filter-name>TrustedSSLAuthFilter</filter-name>.
iii. Add an additional <init-param> element after the existing one, where [Subject] is the name of your certificate.
You can use the following example for reference:
<init-param>
  <param-name>trustedSubjectPattern.1</param-name>
  <param-value>[Subject]</param-value>
</init-param>
In the above example, replace [Subject] with the certificate name that is present in the Subject of your certificate. For instance, if the Subject of your certificate is CN=navigate.domain.com, replace [Subject] with CN=navigate.domain.com.
d. Save changes.
e. Restart Windchill and PTC HTTP Server.
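Before restarting, it is worth confirming offline that the certificate you pasted into ca-bundle.crt is actually trusted by that bundle and that the value you put in trustedSubjectPattern.1 is the certificate's Subject, character for character. The script below is an added example, not PTC's own code; it assumes openssl is on the PATH and constructs a throwaway self-signed certificate in a temporary directory to stand in for the real ThingWorx client certificate and ca-bundle.crt.

```shell
#!/bin/sh
# Added example: check a ca-bundle.crt and a trustedSubjectPattern value
# against a client certificate before restarting Windchill / PTC HTTP Server.
# Assumes openssl is on PATH. Everything under $WORK is constructed here.
set -e
WORK=$(mktemp -d)

# Constructed stand-in for the ThingWorx client certificate (self-signed).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/thingworx.key" -out "$WORK/thingworx.crt" \
  -subj "/CN=navigate.domain.com" >/dev/null 2>&1

# Constructed ca-bundle.crt: the PEM content pasted in step 2b.
cat "$WORK/thingworx.crt" > "$WORK/ca-bundle.crt"

# Subject of a PEM certificate in RFC 2253 form, e.g. "CN=navigate.domain.com".
cert_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Does the bundle named by SSLCACertificateFile ($2) trust the certificate ($1)?
bundle_trusts() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Is the <param-value> you wrote for trustedSubjectPattern.1 ($2) exactly
# the Subject of the certificate ($1)? A mismatch here means the filter will
# reject the ThingWorx connection even though the TLS handshake succeeds.
subject_matches() {
  [ "$(cert_subject "$1")" = "$2" ]
}

# Stand-alone run: report the three checks for the constructed inputs.
echo "Subject: $(cert_subject "$WORK/thingworx.crt")"
bundle_trusts "$WORK/thingworx.crt" "$WORK/ca-bundle.crt" \
  && echo "bundle trusts certificate" || echo "bundle does NOT trust certificate"
subject_matches "$WORK/thingworx.crt" "CN=navigate.domain.com" \
  && echo "trustedSubjectPattern matches" || echo "trustedSubjectPattern does NOT match"
```

Run the same three functions against your real ca-bundle.crt and ThingWorx certificate, passing the literal [Subject] value from web.xml as the second argument to subject_matches.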