Configuring the OSLC Server
Windchill supports the following OSLC specifications:
• Core 3.0
• Configuration Management 1.0 (for exposing Windchill parts)
• Change Management 3.0 (for exposing Windchill change objects)
The Windchill OSLC Services map Windchill objects to corresponding OSLC resources and provide responses in the requested format. Following are the supported formats:
• RDF/XML (default)
• JSON-LD
• Turtle
Windchill OSLC Catalog
The Windchill OSLC Catalog can be accessed at https://<WINDCHILL-SERVER-URL>/Windchill/oslc/catalog.
Configuring OAuth Authorization
By default, Windchill OSLC Services use basic authorization. To enable OAuth authorization, an additional configuration step is required. See Configure OAuth Delegated Authorization for steps to configure Windchill to use OAuth.
When the OSLC OAuth properties are configured, the Windchill OSLC Catalog includes the OAuthConfiguration property, enabling OSLC clients to discover that they should use OAuth authorization.
After Windchill OAuth is configured, set the following Windchill properties:
|
Property Name
|
Description
|
|---|---|
|
oslc.authorizationURI
|
URI for obtaining OAuth authorization
|
|
oslc.oauthAccessTokenURI
|
URI for obtaining OAuth access token
|
|
oslc.oauthRequestTokenURI
|
URI for obtaining OAuth request token
|
 |
When using OAuth authorization, ensure all requests to OSLC endpoints are prefixed with the configured SpringSecurityFilterChain url pattern. For example, if SpringSecurityFilterChain is configured with the /oauth/* url pattern, all OSLC endpoints must have the /oauth/oslc/* url pattern.
|
Configuration Required to Enable Windchill OSLC Services
To enable Windchill OSLC services, perform the following steps:
1. Add the following entry to %WT_HOME%/codebase/WEB_INF/web.xml
<servlet-mapping>
<servlet-name>OSLCServlet</servlet-name>
<url-pattern>/oslc/*</url-pattern>
</servlet-mapping>
<servlet-name>OSLCServlet</servlet-name>
<url-pattern>/oslc/*</url-pattern>
</servlet-mapping>
2. To add the OSLC path to the Apache configuration, add the following entry to HTTPServer/conf/conf.d/30-app-Windchill-AJP.conf
JkMount /Windchill/oslc/* ajpWorker
3. To configure the OSLC catalog for anonymous access in the Apache configuration, add the following entry to HTTPServer/conf/conf.d/30-app-Windchill-Auth.conf
<LocationMatch ^/+Windchill/+oslc/catalog(;.*)?>
Require all granted
</LocationMatch>
Require all granted
</LocationMatch>
Configuration for Content Security Policy
To allow client sites from other sites to view OSLC previews, update the web.xml file to include the following OSLC Content Security servlet filter configurations:
<filter>
<filter-name>OSLCContentSecurityFilter</filter-name>
<description>Servlet request filter to set the Content Security Policy for previews</description>
<filter-class>com.ptc.oslc.windchill.filter.OSLCHttpHeaderSecurityFilter</filter-class>
<init-param>
<param-name>allowedOrigins</param-name>
<param-value>https://site1.domain.com,https://site2.domain.com </param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>OSLCContentSecurityFilter</filter-name>
<url-pattern>/oslc/*</url-pattern>
</filter-mapping>
<filter-name>OSLCContentSecurityFilter</filter-name>
<description>Servlet request filter to set the Content Security Policy for previews</description>
<filter-class>com.ptc.oslc.windchill.filter.OSLCHttpHeaderSecurityFilter</filter-class>
<init-param>
<param-name>allowedOrigins</param-name>
<param-value>https://site1.domain.com,https://site2.domain.com </param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>OSLCContentSecurityFilter</filter-name>
<url-pattern>/oslc/*</url-pattern>
</filter-mapping>
Configuration for Cross-Origin Resource Sharing (CORS) for OSLC
 |
For a more secure configuration, use the CORS filter for a cross-domain OSLC configuration only.
|
 |
When configuring Windchill to share OSLC content with other OSLC products, install these applications locally in the same domain.
|
To allow client sites from other sites to view OSLC services, update the web.xml file to include the following servlet filter configurations:
<filter>
<filter-name>ContentCorsFilter</filter-name>
<filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
<init-param>
<param-name>cors.allowed.origins</param-name>
<param-value>[ALLOWED_ORIGINS]</param-value>
</init-param>
<init-param>
<param-name>cors.support.credentials</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>cors.allowed.methods</param-name>
<param-value>GET,POST,OPTIONS,HEAD</param-value>
</init-param>
<init-param>
<param-name>cors.allowed.headers</param-name>
<param-value>Content-Type,X-Requested-With</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>ContentCorsFilter</filter-name>
<url-pattern>/oslc/preview/*</url-pattern>
<url-pattern>/oslc/config/*</url-pattern>
<url-pattern>/oslc/cm/*</url-pattern>
</filter-mapping>
<filter-name>ContentCorsFilter</filter-name>
<filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
<init-param>
<param-name>cors.allowed.origins</param-name>
<param-value>[ALLOWED_ORIGINS]</param-value>
</init-param>
<init-param>
<param-name>cors.support.credentials</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>cors.allowed.methods</param-name>
<param-value>GET,POST,OPTIONS,HEAD</param-value>
</init-param>
<init-param>
<param-name>cors.allowed.headers</param-name>
<param-value>Content-Type,X-Requested-With</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>ContentCorsFilter</filter-name>
<url-pattern>/oslc/preview/*</url-pattern>
<url-pattern>/oslc/config/*</url-pattern>
<url-pattern>/oslc/cm/*</url-pattern>
</filter-mapping>
Configuring Apache to Frame Windchill Previews for a Cross-Site Deployment
When Windchill is integrated with an external OSLC server such as Codebeamer and both are deployed cross-site, Apache must be configured to support framing of Windchill previews in the integrated OSLC server. A cross-site deployment refers to servers that are deployed to different top-level internet domains, such as windchill.foo.com and codebeamer.bar.com.
|
|
This configuration is necessary to ensure compatibility with newer browser versions.
|
To configure Apache, follow these steps:
1. Set the following properties in the app-Windchill.properties file:
|
Property
|
Description
|
|---|---|
|
trustedAncestorSites
|
Specify the URL of the cross-site OSLC server to enable framing of the OSLC preview page.
This value should match the value for allowedOrigins in the OSLCContentSecurityFilter in the web.xml file.
For example, the URL of the cross-site Codebeamer server https\://ppumsv-ipfc408d.almrd.example.com\:8573
|
|
authCookieNameRegexp
|
Regular expression for the authentication cookie name, which can be the same as the name of the authentication cookie.
For example: _shibsession_.*
To locate the authentication cookie, login to the Windchill and go to > > in the browser.
|
|
enableOslcPreviewRewrite
|
Set this value to true to enable the Apache-based jump page flow.
|
|
enableRefererChecking
|
Set this value to true to enable a referer header check as an additional security measure. This is optional.
|
|
originBaseUrl
|
If enableRefererChecking is set to true, then specify the base URL of the Windchill server.
For example: https\://pwrdcsv-wcqa576d.ptcnet.ptc.com
|
|
setReferrerPolicy
|
If enableRefererChecking is set to true, then set this value to true to configure the referrer policy response header to strict-origin.
|
2. Execute the Ant command ant -f webAppConfig.xml regenAllWebApps.
Alternatively, you can execute the Ant command ant -f webAppConfig.xml regenWebAppConf -DappName=Windchill.
3. Restart the Apache server to apply the changes.
4. Verify that you can view Windchill previews in the integrated OSLC server.