Secure RMI Server Configuration
This topic has details on enabling SSL or TLS encryption for RMI server configurations, ensuring secure communication across Windchill clusters and components. Follow the process given below to configure secure RMI.
• Stop the Windchill server.
• Obtain a CA signed certificate. For details, see Process for Creating Self-Signed Server Certificate.
• Import the certificate into the keystore and the truststore.
• Import Java public certificates into the keystore.
• To configure SSL for RMI, add below mentioned properties in wt.properties file. Do not modify the wt.properties file directly. Instead, override the property using a custom XCONF file and declare the file in the declarations.xconf or site.xconf file. Alternatively, you can manage the XCONF file in wtSafeArea or use the xconfmanager -s command to set the property in site.xconf. For more information, see Adding a Custom Service Provider Property File, Setting Up a Directory Structure for Managing Customized Files and Text Tailoring, and Setting Specific Property Values
|
Property Name
|
Attributes of the Property
|
Value
|
Type
|
|---|---|---|---|
|
wt.rmi.secure.args
|
wt.rmi.secure
|
Default value is False. For secured RMI configuration, you must set the value of this attribute to True.
|
Mandatory
|
|
javax.net.ssl.keyStore
|
This is the keystore path.
|
Mandatory
|
|
|
javax.net.ssl.keyStorePassword
|
This is the keystore password.
|
Mandatory
|
|
|
javax.net.ssl.keyStoreType
|
This is the keystore type.
|
Mandatory
|
|
|
javax.net.ssl.trustStore
|
This is the truststore path.
|
Mandatory
|
|
|
javax.net.ssl.trustStorePassword
|
This is the truststore password.
|
Mandatory
|
|
|
javax.net.ssl.trustStoreType
|
This is the truststore type.
|
Mandatory
|
|
|
wt.rmi.provider
|
This is the RMI provider. For example: SunJSSE and BCJSSE.
|
Optional
|
|
|
wt.rmi.algorithm
|
This is the algorithm used. For example: PKIX and SunX509.
|
Optional
|
|
|
javax.rmi.ssl.client.enabledCipherSuites
|
This is value of the Cipher to be configured. For example: TLS_AES_256_GCM_SHA384.
|
Optional
|
|
|
jdk.tls.server.protocols
|
This is the secure TLS version for configuring the server. Default value is TLSv1.2.
|
Optional
|
|
|
jdk.tls.client.protocols
|
This is the secure TLS version for configuring the client. Default value is TLSv1.2.
|
Optional
|
|
|
wt.rmi.serverSocketFactory
|
wt.boot.WTRMIMasterSocketFactory
|
Mandatory
|
• An example of the the properties for secure RMI is:
wt.rmi.secure.args=-Dwt.rmi.secure=true -Djavax.net.ssl.keyStore=/opt/ptc/server_keystore.p12 -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.trustStore=/opt/ptc/server_keystore.p12 -Djavax.net.ssl.trustStorePassword=password -Djavax.net.ssl.keyStoreType=PKCS12 -Djavax.net.ssl.trustStoreType=PKCS12 -Djavax.rmi.ssl.client.enabledCipherSuites=TLS_AES_256_GCM_SHA384 -Dwt.rmi.provider=SunJSSE -Dwt.rmi.algorithm=SunX509 -Djdk.tls.server.protocols=TLSv1.3 -Djdk.tls.client.protocols=TLSv1.3
• An example of the properties for secure RMI with FIPS compliance configuration is:
wt.rmi.secure.args=-Dwt.rmi.secure=true -Djavax.net.ssl.keyStore=/opt/ptc/server_keystore.bcfks -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.keyStoreType=BCFKS -Djavax.net.ssl.trustStore=/opt/ptc/truststore.bcfks -Djavax.net.ssl.trustStorePassword=password -Djavax.net.ssl.trustStoreType=BCFKS -Dwt.rmi.provider=BCJSSE -Dwt.rmi.algorithm=PKIX -Djavax.rmi.ssl.client.enabledCipherSuites=TLS_AES_256_GCM_SHA384 -Djdk.tls.server.protocols=TLSv1.3 -Djdk.tls.client.protocols=TLSv1.3
• Restart Windchill server.
 |
For cluster setup, make sure that the keystore contains private key, public certificate and certificate chain for all the nodes. Similarly, the truststore must contain trusted CA certificate and optional peer certificates for all the nodes.
|