Upgrading to Windchill 12.1.0.0 and above
Upgrading from Source System that is Windchill 12.0.1.0 or Prior
Starting with Windchill 12.0.1.0, Directory Server is not bundled with Windchill. Directory Server is still a part of the Windchill architecture. The de-coupling is done to allow you to select any LDAP V3 compliant Directory Server of your choice. This reduces the installation complexity and will make future upgrade and update processes easier.
With this update in the Windchill architecture, the LDAP artifacts are moved from Windchill Directory Server, and the information is stored as follows:
• All OOTB Windchill Group and Organization artifacts are stored in the Windchill database.
• Info*Engine configurations and adapter definitions are now migrated to JSON files under <WT_HOME>\IEConf folder defined by com.infoengine.config.dir in the /codebase/WEB-INF/ie.properties file.
• Any LDAP V3 compliant Directory Server of your choice can be configured to have user information. You have the choice to migrate the groups from Windchill Directory Server to the Windchill database or the LDAP server of your choice. It is advised to store the groups in the database if the groups have a large number of participants.
After a successful upgrade or update from previous Windchill releases to 12.1.0.0 or later, you can choose to:
• Continue using Windchill Directory Server from previous releases. However, PTC recommends migrating to an alternate Directory Server after the upgrade or update process is complete and if you are using Windchill Directory Server as a local LDAP during the process. Windchill Directory Server is no longer a supported component.
PTC is not bound to provide support for any Directory Server related issues.
• Use any LDAP V3 compliant Directory Server of your choice that could be a corporate or dedicated Windchill LDAP.
For Directory Server configurations after the upgrade or update process, consider the following use cases:
• Upgrading to Windchill 12.1.0.0
The upgrade process involves the installation of the target Directory Server. You have the choice to use Windchill Directory Server from earlier releases during the upgrade process. The migration of the Windchill LDAP artifacts is handled by migrators during the upgrade process. You have the option to move the participant information (users and groups in a non-administrative LDAP of Windchill) to any V3 compliant LDAP of your choice after the upgrade process is complete. You are responsible for implementing a V3 compliant LDAP of your choice.
If you are upgrading or updating to Windchill 12.1.0.0 or later releases, all groups from the default LDAP of the source are moved to the database. Groups from a non-administrative LDAP of Windchill can be moved to the database or V3 compliant Directory Server of your choice. The Participant Administration utility provides the action Move Groups from Directory Server to Windchill to move the selected groups to the Windchill database. This action is introduced in Windchill 12.0.2.0.
Groups that are specific to Windchill can be moved to the database.
A command line utility is available for the bulk reconnection of the principals that are already migrated to another LDAP V3 compliant Directory Server. This utility is called the Principals Reconnect utility, and it can be used only by a Windchill administrator. For more details, refer to Principals Reconnect Utility.
For details on how to use Windchill Directory Server as a standalone component, refer to https://www.ptc.com/en/support/article/CS266290.
For more information on preparing the target system and merging the source and the target LDAP branches, refer to https://www.ptc.com/en/support/article/CS337415.
For details on the upgrade process, see Upgrade Guide.
For details on the update process, see Update Guide.
• New Installation
During the Windchill installation using the PSI, you can select Directory Service as a V3 compliant LDAP or Active Directory Server.
◦ If you are opting for a V3 compliant LDAP server that is writable, you can use Windchill user interface to create users and groups in the LDAP.
◦ Active Directory Server (ADS) can be configured in read-only mode. In this case, you should add users and groups to ADS from outside Windchill.
User administration considerations:
◦ If you choose to install the demo data with the demo user, this user should not exist in the directory server. The PSI automatically creates the demo user when the option is selected.
Upgrading from Source System that is Windchill 12.0.1.0 or Later
• All OOTB Windchill Group and Organization artifacts are already stored in the Windchill database.
• Info*Engine configurations and adapter definitions are already configured in JSON files under <WT_HOME>\IEConf folder defined by com.infoengine.config.dir in the /codebase/WEB-INF/ie.properties file.
• Any LDAP V3 compliant Directory Server of your choice can be configured to store user information. For user migration to V3 compliant LDAP of your choice, follow the steps mentioned in the following section.
Migrating Users to Another LDAP
The ownership and responsibility of maintaining the LDAP solution or migrating the user data to any LDAP solution lies entirely with the customer.
Consider the following scenarios before selecting the Directory Server for migrating the users:
• Migrating users from Windchill Directory Server to OpenDJ:
Below are the sample implementation steps for migrating the users to OpenDJ Community Edition:
a. Install OpenDJ Community Edition LDAP V3 compliant Directory Server.
b. Create the same BaseDN as in Windchill.
c. Export the ldif file of the users from Windchill Directory Server.
d. Edit the ldif file in a text editor and replace:
▪ objectClass: ptcSubtree with objectClass: organizationalRole where ptcSubtree is a PTC custom object class used in Windchill Directory Server for Distinguished Name (DN) nodes starting with Configuration Name (CN). This must be changed while migrating the users to another Directory Server, while retaining the DN structure of the users. Check the example below for the CN configurations:
▪ cn=Windchill_11.1, o=ptc
▪ cn=AdministrativeLdap,cn=Windchill_11.1,o=ptc
e. Import the ldif file to OpenDJ Community Edition.
f. Update the connection information in JNDI adapter, mapCredentials.txt and Web Server configuration to point to the migrated LDAP Directory.
• Migrating the users from the Windchill Directory Server to ADS or any other V3 compliant LDAP:
A migration of this type should be considered as an independent project adopted for a specific need. The migration of the users to an Active Directory depends on the corporate policy implementation and attribute mapping for a system. Hence, PTC recommends engaging professional services to develop a migration process and tooling. For details on the command line utility that can be used for the user migration, see Principals Reconnection Utility.
The various scenarios for moving the users to other LDAP V3 compliant Directory Server are described below. Before you start, make sure to discard the configuration node in the source Windchill LDAP from the previous release.
1. Case 1: Keeping the BaseDN same as the Windchill Directory Server and moving the users to the new LDAP V3 compliant directory server. As the BaseDN will change for ADS users, this scenario is not applicable for migration of users to the ADS:
a. Edit the ldif file in a text editor and replace "objectClass: ptcSubtree" with "objectClass: organizationalRole".
b. Export the ldif file for users from Windchill Directory Server.
c. Import the ldif file for users from Windchill Directory Server.
d. Update the connection information in:
▪ JNDI Adapters. Refer to following topics:
▪ MapCredentials.xml
▪ Web Server configuration files.
2. Case 2: Migrating to the LDAP V3 compliant Directory Server: The BaseDN where the users are to be migrated is different from the Windchill Directory Server BaseDN.
a. Edit the ldif file in a text editor and replace objectClass: ptcSubtree with objectClass: organizationalRole. Update the BaseDN in the ldif file.
b. Export the ldif file for users from Windchill Directory Server.
c. Import the ldif file to another LDAP.
d. Update the connection information in JNDI Adapter, MapCredentials.xml file and the Web Server configurations (refer to the topics provided in the section above) to point to another LDAP.
e. Remove the default Administrator user temporarily if the user is already added to any LDAP group.
f. Start the Method Server.
g. Browse to > > > . Verify that the user DN is updated in the database.
h. Run the Principals Reconnection Utility to reconnect the groups. You can also reconnect the groups from the Participant Administration page; the reconnection is done for one group at a time.
3. Case 3: Migrating users to another LDAP V3 compliant Directory Server with a different node structure. Prerequisites are:
▪ Create the users in the LDAP V3 compliant Directory Server with the same user name as in the previous Windchill Directory Server.
▪ Follow either of the steps mentioned below to migrate the Administrator user (with the alias Administrator, persisted in the WTUser table) from the previous Windchill release (12.0.1.0 or earlier):
▪ Make another user as the default Administrator:
a. From site > Administrators page, add another user.
b. Set the property value wt.admin.defaultAdministratorName to the new user in wt.properties file and propagate.
c. Restart the Windchill Server after the updates.
▪ Remove the Administrator alias and use the wcadmin alias.
1. Remove the Administrator alias for the wcadmin user from the Windchill Directory Server.
2. Run the following query in the Windchill database:
Update WTUser set name='wcadmin' where name='Administrator'
3. Set the property value wt.admin.defaultAdministratorName to wcadmin in wt.properties file and propagate.
4. Make sure that the Windchill Server is started after these updates.
1. From the Windchill User Interface, enable the preference value of Automatic Reconnect user.
2. Stop the Method Server and the Web Server.
3. Update the connection configurations in the JNDI Adapter to connect to the LDAP V3 compliant directory server.
4. Update the MapCredentials.xml file with the new LDAP configurations.
5. Update the Web Server configuration files to connect to the LDAP.
6. Log in to Windchill as the Site Administrator and search for the migrated users.
7. Verify if the users are reconnected with the new LDAP. If wcadmin is still disconnected after the login, search for wcadmin in the Disconnected Participants wizard. Reconnect the same user in the LDAP.
4. Case 4: The Windchill Directory Server, from where users are to be migrated to the LDAP V3 compliant Directory Server, has two JNDI adapters configured:
a. Configure a new JNDI adapter for the LDAP V3 compliant Directory Server.
b. Create or move users from both adapter nodes of the Windchill Directory Server to the LDAP, except the default Administrator (wcadmin). The Administrator user is required to run the Principals Reconnect Utility. When the users are moved to the LDAP, they should be deleted from Windchill Directory Server.
c. Run the Principals Reconnect Utility when the users are deleted from Windchill Directory Server. All the Principals, except wcadmin, should be reconnected with the entries in the LDAP.
d. Assign any user from the LDAP as the Site Administrator (temporary assignment).
e. Delete wcadmin from Windchill Directory Server.
f. Log in to Windchill using the temporary Site Administrator.
g. Search wcadmin in the Disconnected Participants wizard and reconnect the user with the entry in the LDAP.
h. Set the property value wt.admin.defaultAdministratorName to wcadmin in wt.properties file if the user name of the LDAP user is different than wcadmin.
i. Remove the JNDI Adapters from the Windchill Directory Server.
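The LDIF edit in step d of the OpenDJ procedure and step a of Case 1 and Case 2 can be scripted instead of done by hand; the following is an added example, not PTC code. It goes beyond a plain find-and-replace by handling folded lines and base64-encoded DNs. The sample entries, the ou=people node, the o=example target BaseDN and all function names are assumptions made for illustration.

```python
import base64
import re

# Constructed sample export; the ou=people entry and its folded dn are made up.
SAMPLE = (
    "dn: cn=Windchill_11.1,o=ptc\nobjectClass: top\nobjectClass: ptcSubtree\n\n"
    "dn: cn=AdministrativeLdap,cn=Windchill_11.1,o=ptc\nobjectclass: PTCSUBTREE\n\n"
    "dn: uid=jdoe,ou=people,cn=AdministrativeLdap,cn=Windchill_11\n .1,o=ptc\n"
    "objectClass: inetOrgPerson\nuid: jdoe\n"
)

def split_dn(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    return [rdn.strip() for rdn in re.split(r"(?<!\\),", dn)]

def rebase_dn(dn, old_base, new_base):
    """Replace a trailing old_base with new_base; the RDN match ignores case."""
    rdns, old = split_dn(dn), split_dn(old_base)
    if [r.lower() for r in rdns[-len(old):]] == [r.lower() for r in old]:
        return ",".join(rdns[:-len(old)] + [new_base])
    return dn

def transform_ldif(text, old_base=None, new_base=None):
    """Return (new_ldif, counts). Without a base pair only objectClass changes."""
    counts = {"objectclass": 0, "dn": 0}
    out = []
    # RFC 2849 folding: a line starting with one space continues the previous one.
    for line in re.sub(r"\r?\n ", "", text).splitlines():
        name, _, rest = line.partition(":")
        if name.lower() == "objectclass" and rest.strip().lower() == "ptcsubtree":
            line = "objectClass: organizationalRole"
            counts["objectclass"] += 1
        elif name.lower() == "dn" and old_base and new_base:
            b64 = rest.startswith(":")          # "dn:: <base64>" form
            raw = rest[1:].strip() if b64 else rest.strip()
            dn = base64.b64decode(raw).decode("utf-8") if b64 else raw
            new_dn = rebase_dn(dn, old_base, new_base)
            counts["dn"] += new_dn != dn
            if b64 or not new_dn.isascii():
                line = "dn:: " + base64.b64encode(new_dn.encode("utf-8")).decode()
            else:
                line = "dn: " + new_dn
        out.append(line)                        # written unfolded, which LDIF allows
    return "\n".join(out) + "\n", counts

if __name__ == "__main__":
    converted, counts = transform_ldif(SAMPLE, "o=ptc", "o=example")
    print(converted, counts)
```

Only dn lines are rebased; DN-valued attributes inside entries are left as exported. Compare the returned counts with the number of ptcSubtree nodes and entries you expect before importing the result.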
Points to be noted:
◦ For cluster configuration:
▪ The <WT_HOME>/IEConf folder that is defined by the property com.infoengine.config.dir in the /codebase/WEB-INF/ie.properties file should be shared and fully accessible by all nodes of the cluster, so that the updates made in Info*Engine Administration are available to the whole cluster.
◦ Migrating Site Administrator to the other LDAP using one of these methods:
▪ Customers could create or migrate the Site Administrator (for example, wcadmin) in the new Directory Server first, and then use an alternative administrator account to reconnect the Site Administrator to the new DN using the Windchill Participant Administration utility. Configure wt.admin.defaultAdministratorName=wcadmin in the wt.properties file.
▪ Select another Windchill user and configure that user in wt.admin.defaultAdministratorName and wt.sysadm.administrators in wt.properties as the new Site Administrator.
For more clarifications on the Windchill Directory Server removal, see FAQs.