Encrypted Passwords
Background
Historically, Windchill has stored password values in plain-text in files on a file system and relied on appropriate access permissions to restrict access to those files. As of Windchill release 9.1 M050 these passwords can be optionally encrypted such that the plain-text value is no longer displayed when the file is viewed.
Windchill provides out of the box property values that can be encrypted. However, you can also encrypt additional values, both for properties managed by Windchill .xconf files and for values that are not managed by .xconf files.
Once a value is encrypted, code must exist to decrypt it before it is used; otherwise, failures are likely when the system uses the encrypted value as-is.
If you have created an .xconf property value that is a password or is otherwise sensitive information, consider encrypting the value. If you have customized code that extends base Windchill classes or reads Windchill .properties files directly, it may require updating to ensure proper handling of encrypted values.
For complete details regarding encryption, including the encryption mechanism, accompanying files, SOX compliance, and more, see System Password Encryption Option.
Scope/Applicability/Assumptions
• Assume you have code that adds a new .xconf property for Windchill use whose value contains sensitive information.
• Assume you have code that adds a property which isn’t managed by the Windchill xconf framework whose value contains sensitive information.
• Assume you have code that reads Windchill .properties files directly to access property values.
Intended Outcome
Once a property is encrypted, the corresponding value no longer appears in plain text and instead appears in an encrypted form.
For example, one of the out of the box property values that Windchill can optionally encrypt is the wt.pom.dbPassword .xconf property.
Prior to encryption, in <Windchill>/site.xconf this value appears as:
<Property name="wt.pom.dbPassword" overridable="true" targetFile="db/db.properties" value="my_password"/>
In the underlying <Windchill>/db/db.properties file, this value appears as:
wt.pom.dbPassword=my_password
After encrypting the wt.pom.dbPassword property, each value appears as:
<Property name="wt.pom.dbPassword" overridable="true" targetFile="db/db.properties" value="encrypted.wt.pom.dbPassword"/>
wt.pom.dbPassword=encrypted.wt.pom.dbPassword
The encrypted values appear in the form of: “encrypted.<property_name>”.
Solution
Use Windchill’s encryption mechanism to provide a secure means to store sensitive property value information.
To ensure a standard practice, properties that require encryption should ideally be xconf managed (set with xconfmanager set commands) where possible, because that makes the property easier to encrypt. However, design or architecture constraints may prevent a property from being xconf managed, for example when the file does not strictly contain key/value pairs, or when the xconf framework is not present in the classpath.
Prerequisite knowledge
To apply this best practice, you need to have an understanding of the following:
• Basic development using Java
• Optionally Windchill xconf framework