Enhanced Security Measures in Worker Configuration
As a security measure, the mandatory WVS property provides extra protection for the worker executables. A worker is enabled only if its executable’s path matches one of the prefixes specified in the property; otherwise, the worker is disabled.
The prefix containing the command must be configured in wvs.properties by adding the appropriate values to the site.xconf file. The details of the property settings can be found in the wvs.properties file in the WORKER EXECUTABLE PREFIX SETTINGS section.
• Use the property worker.exe.allowlist.prefixes to provide a list of worker executable path prefixes that can be used for any worker on any host.
◦ Using site.xconf:
<Property name="worker.exe.allowlist.prefixes" overridable="true"
targetFile="codebase/WEB-INF/conf/wvs.properties"
value="C:\PTC\CAD_Workers|nohup /PTC/CAD_Workers"/>
◦ Using xconfmanager:
xconfmanager -s "worker.exe.allowlist.prefixes=C:\\PTC\\CAD_Workers|nohup /PTC/CAD_Workers" -t codebase/WEB-INF/conf/wvs.properties -p
• Alternatively, properties of the form worker.exe.allowlist.prefixes.<worker_host> can be used to provide a list of command prefixes on a per-worker host basis.
The following sample use case illustrates the configuration of the worker.exe.allowlist.prefixes property.
<Property name="worker.exe.allowlist.prefixes" overridable="true"
targetFile="codebase/WEB-INF/conf/wvs.properties"
value="C:\|D:\|G:\|/|nohup /"/>
This configuration honors all Windows workers residing on the C, D, and G drives, along with all the Unix/Linux workers. The vertical bar (pipe) is used to separate the prefixes.
• The intent of this property is to restrict the scripts that can be executed by Windchill on your remote worker machines (as either the GS Worker Daemon service account for Windows or the configured Telnet login account for UNIX).
• Try to avoid using root folder paths, like C:\ or D:\ for Windows and / for UNIX, as this provides little protection against hackers with malicious intent. Instead, decide where you will create your Creo View Adapters setup folders, e.g. C:\PTC\CAD_Workers, and specify this parent folder as the value in the generic or worker-host-specific allowlist properties.
• If using multiple systems and different locations for the Creo View Adapters setup folder, specify the vertical bar (pipe) character as a delimiter to separate multiple worker commands or prefixes, e.g. D:\apps\remoteworkers|D:\apps\localworkers|/disk1/wvsworkers.
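Added example (not PTC code): a small Python check to run over a worker.exe.allowlist.prefixes value before setting it. It flags prefixes that are only a drive or filesystem root and reports which prefix a worker command would match, assuming plain string-prefix matching; the sample worker commands are constructed.

```python
import re

# Assumption: the worker command is compared to each prefix as a plain string
# prefix. This models the behaviour described above; it is not PTC's code.
ROOT_PATH = re.compile(r"^(?:[A-Za-z]:)?[\\/]*$")  # "", "C:", "C:\", "/"
LAUNCHERS = ("nohup ",)                             # launcher word used on this page


def split_prefixes(value):
    """Split a worker.exe.allowlist.prefixes value on the pipe delimiter."""
    return [p for p in value.split("|") if p != ""]


def path_part(prefix):
    """Drop a leading launcher such as 'nohup ' to get the path portion."""
    for launcher in LAUNCHERS:
        if prefix.startswith(launcher):
            return prefix[len(launcher):]
    return prefix


def broad_prefixes(value):
    """Return the prefixes that are only a drive root or filesystem root."""
    return [p for p in split_prefixes(value)
            if ROOT_PATH.match(path_part(p).strip())]


def matching_prefix(command, value):
    """Return the first prefix the command starts with, or None (disabled)."""
    for prefix in split_prefixes(value):
        if command.startswith(prefix):
            return prefix
    return None


# The two property values shown on this page.
BROAD = "C:\\|D:\\|G:\\|/|nohup /"
NARROW = "C:\\PTC\\CAD_Workers|nohup /PTC/CAD_Workers"

if __name__ == "__main__":
    print("root-level prefixes (sample use case):", broad_prefixes(BROAD))
    print("root-level prefixes (setup folder):   ", broad_prefixes(NARROW))
    # Constructed worker commands, for illustration only.
    for cmd in ("C:\\PTC\\CAD_Workers\\creo\\worker.bat",
                "C:\\Users\\Public\\run.bat"):
        print(cmd, "->", matching_prefix(cmd, NARROW))
```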
For more information, refer to article CS140965.