Configuring HTTPS for PTC HTTP Server and Windchill
To complete these instructions, Windchill Services must be installed because it delivers the site.xconf file which is needed to complete an HTTPS configuration.
Out-of-the-box Windchill is configured for HTTP; however, Windchill is prepared to support HTTPS with the idea that minimal steps are required for you to implement HTTPS. The instructions provided in this section only support HTTPS with HTTP Server (the default Web server packaged with Windchill). Instructions for HTTPS for other Web servers must be obtained from the product vendor.
To enable Windchill to support HTTPS for other Web servers, you would:
• Use the xconfmanager to set the wt.server.codebase property in wt.properties to use HTTPS. This is the same instruction performed for HTTP Server.
• Restart the Web server, servlet engine and Windchill to effect the changes.
Configurations for HTTPS require the use of a commercial certificate of authority. Third-party vendors distribute certificates of authority. There are several configuration methods that can be implemented using certificates of authority. The instructions provided here should require a minimum of effort to implement HTTPS for your installation.
1. Obtain a certificate of authority.
The first step is to obtain a certificate of authority. Third-party vendors provide certificates. Windchill requires that the certificate be trusted by Java. If you elect to use a certificate that is not trusted by Java, then you must configure Java to trust this certificate. Certificates provided by Verisign and Thawte, for example, are Java trusted certificates of authority.
If the Web server certificate of authority is not trusted by Java, then the certificate of authority must be added to the jssecacerts keystore. Before executing the following command, the default JDK cacerts file must be copied to the filename jssecacerts. The cacerts file is located in the <JAVA_HOME>/lib/security directory.
keytool -import -alias <some alias name>
-file <path to certificateAuthority.cert> -storetype jks -keystore /<JAVA_HOME>/lib/security/jssecacerts
-file <path to certificateAuthority.cert> -storetype jks -keystore /<JAVA_HOME>/lib/security/jssecacerts
This must be configured for the JDK that is used by the servlet engine, the Windchill server, and any other Java application that would access the Web server.
To list the default certificate of authority trusted by your JDK, execute:
keytool -list -v -keystore /<JAVA_HOME>/lib/security/cacerts
Additional information about Java security can be found at:
http://java.sun.com/products/jsse
2. Configure HTTP Server to recognize the certificate of authority.
The certificate file and the private key are added to HTTP Server. By default, two files have been provided as a reference specifically for the purpose of security access configurations.
For PTC HTTP Server
a. Install the certificate file server.crt into the <Apache>/conf/ directory.
b. Install the private key server.key into the <Apache>/conf/ directory.
3. On PTC HTTP Server 2.4, the following command in HTTPSERVER_HOME enables SSL:
ant -DHTTPS_ENABLED=true -f config.xml reconfigure
4. Configure Windchill for HTTPS by changing the URL to HTTPS.
Using the xconfmanager change the following two properties to the appropriate values:
a. wt.webserver.port=<port used for HTTPS>. The protocol default port is 443.
b. wt.webserver.protocol=https
5. Restart HTTP Server.
The HTTP Server start commands are the same for SSL or non-SSL servers:
◦ For Windows:
<httpserver_home>\bin\httpd.exe
◦ For Unix:
<httpserver_home>/bin/apachectl
6. Restart Embedded Servlet Engine.
7. Restart Windchill.
Other Windchill products such as the workgroup managers may also support HTTPS and would require additional configurations to convert to HTTPS. See the workgroup manager documentation for those instructions.
Additional information about HTTPS can be found at http://httpd.apache.org/docs/current/ssl/
HTTP Strict-Transport-Security (HSTS) Configuration
HSTS helps to protect web sites against protocol downgrade attacks and cookie hijacking. HSTS configuration will be set OOTB on Windchill server configured with HTTPS from Windchill 12.0.1.0. For secure deployments HTTPS should always be configured on site.
• For deployment of HTTP Server with Preserve configuration Option, see the section Updating the HTTP Server configuration files in the help topic section Post-Update Options in the Windchill Installation and Configuration Guide — Update Existing Installation
• For deployment of HTTP Server with Preserve configuration Option, see the section Updating the HTTP Server configuration files in the help topic Post-Update Options.
 |
PTC strongly recommends that you configure HTTP Strict-Transport-Security (HSTS) in your Windchill installation.
|
For enabling HSTS for IIS use the following instructions:
1. Configure IIS with HTTPS.
2. From the left pane of the IIS Manager, select the node <ComputerName/Site>.
3. In the middle pane, click HTTP Response Headers.
4. Click Add... in the Actions panel.
5. Enter the following values in the Add Custom HTTP Response Headers dialog box:
◦ Name: Strict-Transport-Security
◦ Value: max-age=10368000; includeSubDomains;
6. Restart the site.
HTTP/2 Configuration for Windchill
Before enabling HTTP/2, ensure that network security considerations are in place to support it, such as WAF configurations. It is recommended that you check with your own network security team regarding any specific security requirements or concerns prior to configuring HTTP/2.
|
|
To learn how to protect Windchill against a potential Denial of Service (DoS) attack, see point 14 of the topic Best Practices for Securing Your Windchill Solution.
|
HTTP/1.1 will continue to be available for Windchill as the default method. HTTP/2 is still growing and building its maturity across browsers and clients. Therefore, if the HTTP/2 communication fails post configuration in Windchill, it automatically falls back to the default HTTP/1.1.
Configuring HTTP/2 is provided to enhance Windchill performance. However, results may vary depending on the client and workload.
|
|
HTTP/2 requires SSL to be enabled.
If Apache HTTP Server is reconfigured, enable HTTP/2 again with the steps listed below.
|
Enabling HTTP/2 Configuration
1. Stop the Apache HTTP server.
2. Create a backup of <Apache_Home>/conf/conf.d.
3. Run the following target from a Windchill shell from the location <Apache_Home>.
ant -f config.xml enableHTTP2
After you have run the ant script, verify the updates in the following locations:
◦ <APACHE_HOME>/conf/httpd.conf is updated to have the following configuration at the end of the file:
Protocols h2 http/1.1
◦ <APACHE_HOME>/conf/conf.d/00-modules-load.conf is updated to have the following configuration at the end of the file:
#Enable the http2 module
<IfModule !http2_module>
LoadModule http2_module modules/mod_http2.so
</IfModule>
<IfModule !http2_module>
LoadModule http2_module modules/mod_http2.so
</IfModule>
4. Start the Apache HTTP server.
Removing HTTP/2 from the Apache configuration
1. Stop the Apache HTTP server.
2. Run the following target from a Windchill shell from the location <Apache_Home>.
ant -f config.xml reconfigure
3. Start Apache HTTP server.