Configuring Windchill File Vaults to Use Azure Blobs

This section explains the configurations required in Windchill and Azure portal to allow the use of Azure Blobs when Windchill is running in Azure Virtual Machine (VM).

• Connection to Azure Blobs with Windchill running on premises is not supported.

• The configurations described in this section must be performed again after you have updated or upgraded your existing Windchill version.

Configurations required to be performed in Azure portal includes adding required components and setting up access control. You must configure permissions and set access on Azure portal for Windchill to successfully work with Azure Blobs.

• MSI — This is a preferred option which can be used when Azure VM is enabled with MSI.

• SECURITY_CREDENTIALS — This is a fallback mechanism if MSI option cannot be used. In this option, Windchill securely stores the credentials and uses it for communicating with Azure.

Create the following entities on Azure portal before configuring Azure Blobs for Windchill:

• Key Vault Key — This entity is optional and must be created if you are planning to use Key vault Encryption.

The MSI enabled Azure VM for your storage accounts must be given Storage Blob Data Contributor role. Perform the following steps to add the role:

5. Select Storage Blob Data Contributor and assign access to your MSI configured Azure VM.

If you want to be able to copy across Storage Accounts, then assign Storage Account Contributor instead of Storage Blob Data Contributor. This occurs if you have multiple Storage Accounts for your Vaults, as would be the case with content replication with remote file servers.

To enable the Key Vault encryption, you must perform these steps in your Azure portal:

To create a Key Vault and generate a key, follow these steps in your Azure portal:

3. Click Create. Enter Name, Subscription, Resource Group, Location and click Create.

4. Key Vault is generated successfully, and Overview page is displayed. Note the DNS Name from this page.

The KeyVaultKeyIDURL is the combination of the DNS Name and the Key Name. For example, if the Key Name is KeyVaultKey and the DNS Name is https://contentkeyvault.vault.azure.net/ then the KeyVaultKeyIDURL is https://contentkeyvault.vault.azure.net/keys/KeyVaultKey. The KeyVaultKeyIDURL is needed by the custom Java program in Windchill.

The VALUE of the key is the AuthKey used by the custom Java program in Windchill. Ensure to note it down as it is not retrievable later.

To create a new application, follow these steps in your Azure portal:

1. From the Dashboard, click Azure Active Directory > App Registrations > +New application registration.

The Application ID is the AppId which is needed by the custom Java program in Windchill.

To link the Application and the Key, follow these steps in your Azure portal:

1. From the Dashboard, open the Key Vault > Access policies > + Add New > Select Principal.

4. The Application and the Key are successfully linked, and this completes the setup for Key Vault encryption in Azure Blob.

• If you opt to authenticate using Account Name and Key, then Windchill has the administrative access of your Storage account.

• If you opt to use MSI and assign the role Storage Blob Data Contributor, then Windchill has the administrative access to your Storage account.

• And if you assign Storage Blob Data Reader role, then Windchill gets only read access to your Storage account.

You can configure Windchill to use Azure Blobs using command line tool.

This command line tool consists of configuration fields. Press ENTER to skip a specific configuration. The command line tool displays the existing configuration. The configuration is broadcasted to all the registered Fileservers, that is, replica sites, automatically.

Run the following command at the Windchill shell to configure Azure Blobs:

windchill com.ptc.windchill.objectstorage.azureblob.tools.BlobConfigurationTool configure -u <username> -p <password>.

1. Authentication Strategy: (SECURITY_CREDENTIALS/MSI)? [SECURITY_CREDENTIALS] — The default value is SECURITY_CREDENTIALS. You can change it to MSI.

2. Azure Storage Account Name — Enter the Account Name that you wish to configure.

3. Azure Storage Account Key — Type the access Key ID for your Azure account.

4. Blob Encryption Configurator Delegate Name — Type the delegate name to choose the encryption type. The encryption type is used to encrypt the content stored on Azure Blob.

5. SSEKeyVaultKeyProvider Delegate Name —Type the delegate name to choose the KMS Key ID. The KMS Key ID is used to encrypt the content stored on Azure Blob.

6. CSESecKeyGenerator Delegate Name — Type the delegate name to manage the Secret Keys. The Secret Key returned by the delegate is used for encrypting the content stored on Azure Blob.

For more details on encryption, refer to the topic Encryption Customization for Azure Blob Mounts.

To validate the configurations, you can generate a report by using the following command line tool:

windchill com.ptc.windchill.objectstorage.azureblob.tools.BlobConfigurationTool generateReport -u <username> -p <password>

If the configuration related to delegate names is changed, restart the master and replica servers, for the configuration to take effect.

Create a folder in Azure portal in the desired mount path. Perform the following steps:

3. Select a sample text file and in the Advanced tab give the desired folder name in Upload to folder.

4. Click Upload. The folder is created successfully. Note the path from Azure portal.

In Windchill select the Mount Type as Azure Blob Storage while mounting the root folder and the mount path must be of the following pattern:

For example, if your Storage Account name is StorageForUSA, container name is Container-in-USA, and the path is VaultsForWindchill/RootFolderMountLocation then you must enter the mount path as:

StorageForUSA/Container-in-USA/VaultsForWindchill/RootFolderMountLocation