Configuring HTTPS for PTC HTTP Server and Windchill

Installation and Upgrade > Installation and Configuration Guide > Advanced Configurations > Configuring HTTPS for PTC HTTP Server and Windchill

To complete these instructions, Windchill Services must be installed because it delivers the site.xconf file which is needed to complete an HTTPS configuration.

Out-of-the-box Windchill is configured for HTTP; however, Windchill is prepared to support HTTPS with the idea that minimal steps are required for you to implement HTTPS. The instructions provided in this section only support HTTPS with HTTP Server (the default Web server packaged with Windchill). Instructions for HTTPS for other Web servers must be obtained from the product vendor.

To enable Windchill to support HTTPS for other Web servers, you would:

• Use the xconfmanager utility to set the wt.server.codebase property in wt.properties to use HTTPS. This is the same instruction performed for HTTP Server.

• Restart the Web server, servlet engine and Windchill to effect the changes.

Configurations for HTTPS require the use of a commercial certificate of authority. Third-party vendors distribute certificates of authority. There are several configuration methods that can be implemented using certificates of authority. The instructions provided here should require a minimum of effort to implement HTTPS for your installation.

1. Obtain a certificate of authority.

The first step is to obtain a certificate of authority. Third-party vendors provide certificates. Windchill requires that the certificate be trusted by Java. If you elect to use a certificate that is not trusted by Java, then you must configure Java to trust this certificate. Certificates provided by Verisign and Thawte, for example, are Java trusted certificates of authority.

If the Web server certificate of authority is not trusted by Java, then the certificate of authority must be added to the jssescacerts keystore. Before executing the following command, the default JDK cacerts file must be copied to the filename jssecacerts. The cacerts file is located in the <JAVA_HOME>/lib/security directory.

keytool -import -alias <some alias name>

-file <path to certificateAuthority.cert> -storetype jks -keystore /<JAVA_HOME>/lib/security/jssecacerts

This must be configured for the JDK that is used by the servlet engine, the Windchill server, and any other Java application that would access the Web server.

To list the default certificate of authority trusted by your JDK, execute:

keytool -list -v -keystore /<JAVA_HOME>/lib/security/cacerts

Additional information about Java security can be found at:

http://java.sun.com/products/jsse

2. Configure HTTP Server to recognize the certificate of authority.

The certificate file and the private key are added to HTTP Server. By default, two files have been provided as a reference specifically for the purpose of security access configurations.

For PTC HTTP Server

a. Install the certificate file server.crt into the <Apache>/conf/ directory.

b. Install the private key server.key into the <Apache>/conf/ directory.

3. On PTC HTTP Server 2.4, the following command in HTTPSERVER_HOME enables SSL:

ant -DHTTPS_ENABLED=true -f config.xml reconfigure

4. Configure Windchill for HTTPS by changing the URL to HTTPS.

Using the xconfmanager utility, change the following two properties to the appropriate values:

a. wt.webserver.port=<port used for HTTPS>. The protocol default port is 443.

b. wt.webserver.protocol=https

5. Restart HTTP Server.

The HTTP Server start commands are the same for SSL or non-SSL servers:

◦ For Windows:

<httpserver_home>\bin\httpd.exe

◦ For Unix:

<httpserver_home>/bin/apachectl

6. Restart Embedded Servlet Engine.

7. Restart Windchill.

Other Windchill products such as the workgroup managers may also support HTTPS and would require additional configurations to convert to HTTPS. See the workgroup manager documentation for those instructions.

Additional information about HTTPS can be found at http://httpd.apache.org/docs/current/ssl/

HTTP Strict-Transport-Security (HSTS) Configuration

HSTS helps to protect web sites against protocol downgrade attacks and cookie hijacking. HSTS configuration will be set OOTB on Windchill server configured with HTTPS from Windchill 12.0.1.0. For secure deployments HTTPS should always be configured on site.

• For deployment of HTTP Server with Preserve configuration Option, see the section Updating the HTTP Server configuration files in the help topic section Post-Update Options in the Windchill Installation and Configuration Guide — Update Existing Installation

• For deployment of HTTP Server with Preserve configuration Option, see the section Updating the HTTP Server configuration files in the help topic Post-Update Options.

PTC strongly recommends that you configure HTTP Strict-Transport-Security (HSTS) in your Windchill installation.

For enabling HSTS for IIS use the following instructions:

1. Configure IIS with HTTPS.

2. From the left pane of the IIS Manager, select the node <ComputerName/Site>.

3. In the middle pane, click HTTP Response Headers.

4. Click Add... in the Actions panel.

5. Enter the following values in the Add Custom HTTP Response Headers dialog box:

◦ Name: Strict-Transport-Security

◦ Value: max-age=10368000; includeSubDomains;

6. Restart the site.