Set Up ThingWorx Navigate with Windchill Authentication
On the screens for Windchill authentication, we’ll enter the information for the Windchill server and for ThingWorx KeyStore and TrustStore files.
Before You Begin
Make sure your system meets the following prerequisites before you set up Windchill authentication.
• You have Windchill configured with SSL.
• ThingWorx—We recommend configuring ThingWorx with SSL.
• Your Windchill administrator has configured the allowList property for URL redirects. If this property is not configured, you will not be able to access ThingWorx Navigate.
To set wt.idp.allowlisturls in the wt.properties file, run the following command from the Windchill shell:
xconfmanager -s wt.idp.allowlisturls="url1 url2 url3" -t codebase/wt.properties -p
The name of the webapp should be included in the URL. For instance, https://hostxyz:8443/Thingworx.
Example of command:
xconfmanager -s wt.idp.allowlisturls="https://hostxyz:8443/Thingworx https://hostxyz:8449/Thingworx http://hostxyz:8080/Thingworx" -t codebase/wt.properties -p
This Windchill Help topic provides detailed information on Windchill configuration properties.
• You have created TrustStore and KeyStore files. The topic Create KeyStore and TrustStore Files for ThingWorx Navigate has instructions for generating these files.
• You have imported the Windchill SSL certificate to the ThingWorx TrustStore file. For more information on configuring SSL, see the topic Using SSL for Secure Communication.
Establish the Windchill Connection
On this page, provide the details for your Windchill connection.
1. Enter the Windchill Server URL:
◦ To connect to a single Windchill server—Make sure the URL follows the format [http or https]://[windchill-host]:[windchill-port]/[windchill-web-app]
◦ For cluster Windchill environments—Enter the URL of the load balancing router. For example, [https]://[LB-host]:[port]/[windchill-web-app].
The URL format depends on your system’s configuration. In Configure ThingWorx Navigate with a Clustered Windchill Environment, see the sections for Windchill Authentication.
◦ To connect to multiple Windchill systems—For now, connect to a single server. Then, after you complete the initial configuration, follow the manual steps in Configure ThingWorx Navigate to Connect to Multiple Windchill Systems.
2. Click Next or Forward.
Windchill Authentication Settings
Before you provide the information on this screen, prepare the correct KeyStore and TrustStore files for ThingWorx:
• KeyStore file—Create a new ThingWorx KeyStore file using the Java keytool utility. Make sure to include the ThingWorx Key Pair. This is a client certificate used for accessing data from Windchill using the 2-way SSL configuration on the ThingWorx Navigate and Windchill sides.
 | This ThingWorx KeyStore file is different than the Apache Tomcat KeyStore file that you may have created during the installation of ThingWorx Navigate. These separate KeyStore files serve different purposes, and it is important to provide the correct file in the correct location. |
• TrustStore file—Create a ThingWorx TrustStore file using the Java keytool utility, and then import the Windchill SSL certificate into the TrustStore file.
For details, see the topics Create KeyStore and TrustStore Files for ThingWorx Navigate and Using SSL for a Secure Connection.
Now that you have the correct files prepared, you can provide the information on the Windchill Authentication settings screen:
1. Next to KeyStore file, click 
, and then browse to the ThingWorx KeyStore file you created above.
, and then browse to the ThingWorx KeyStore file you created above.| | Remember, the ThingWorx KeyStore file is different than the Apache Tomcat KeyStore file. |
2. Enter the Password you defined when you created the KeyStore file.
3. Next to TrustStore File, click , and then browse to your ThingWorx TrustStore file.
, and then browse to your ThingWorx TrustStore file.4. Enter the Password.
5. Next to Session User Query Parameter, accept the default value.
| | In most cases, you should accept the default value for this parameter. Change the value only if the Windchill administrator changed this default setting in Windchill. |
6. Click Next or Forward. The Summary: Configuration settings page opens.
Summary: Configuration Settings
1. Review the settings, and then click Configure. ThingWorx Navigate is configured.
2. Select the check boxes to open one or both programs:
◦ Open ThingWorx Navigate
◦ Open ThingWorx Composer
Then, click Close.
Success!
ThingWorx Navigate is configured with Windchill Authentication. Select the programs to open:
• Open ThingWorx Navigate
• Open ThingWorx Composer
Then, click Close.
| | If configuration fails, select the Open the log file check box and review the log file for details on what went wrong. |
Verify Configuration
The administrator must have the same user name in Windchill and ThingWorx.
• If you have not made changes in Windchill, the administrator user, “Administrator”, was created when Windchill was installed. Using a configured ThingWorx system, you can authenticate as that user and have full access rights as the administrator user in ThingWorx.
• If you changed the administrator’s user name, then select a user name that is common to Windchill and ThingWorx, and then add that user to ThingWorx and the Administrators user group.
To verify the Windchill Authentication configuration:
1. Open the ThingWorx URL. You are routed to Windchill for authentication.
2. Provide the Windchill administrator credentials (or another user configured to be the ThingWorx administrator). The browser is routed back to ThingWorx, and ThingWorx Composer opens.
3. Verify that you are now running ThingWorx as the administrator.
Success! ThingWorx is properly configured with Windchill Authentication.
If you set authenticator to automatically create users, test that next:
1. Open the browser to ThingWorx URL. You are routed to Windchill for authentication.
2. Provide the Windchill credentials for a user that does not exist in ThingWorx.
3. Your browser is routed back to the ThingWorx home mashup page.
4. Verify that you are now running ThingWorx as the correct user. The user was automatically created.
| | If the tailoring options and the search results are not working as expected, restart Apache Tomcat and ThingWorx Integration Runtime. |
Next Steps
Your ThingWorx Navigate is installed and licensed, and the basic configuration is complete. The ThingWorx Navigate tasks are now ready to use. To sign in, users should use their Windchill user name and password.
The next required step is to grant permission to non-administrative users. Follow the steps in Modify ThingWorx Permissions: Users and Groups.
You can also move on to the optional configurations, such as these: