Administering Security
Since security is an important aspect of Windchill ESI administration, you need to be familiar with the following security-related topics:
• User account security
• Data security
|
The following section deals primarily with security administration as it relates to the EAI components of Windchill ESI, particularly to the TIBCO BusinessWorks environment. Refer to the Policy Administration for security information related to Windchill PDMLink.
|
User Account Security
User access to the TIBCO environment is configurable and is controlled via the TIBCO BusinessWorks Administrator. As the Windchill ESI administrator, you should determine the TIBCO user security approach that best matches your environment and its requirements. Refer to the TIBCO BusinessWorks documentation for further details.
The following sections discuss security considerations for the following:
• SAP user account for Windchill ESI
• TIBCO EMS
SAP User Account for Windchill ESI
Windchill EAI software components access distribution targets such as SAP systems via a user name (ESISYS) and a password which are specified in the adapter configuration.
This user name is the name that is typically recorded in the created by field in the SAP distribution target for the affected business objects for example, CNs, BOMs, parts, and documents. This account should not be configured as a GUI-enabled dialog-type user. For security reasons, an SAP system should not allow end-users to log onto the account through the SAP GUI.
You should be familiar with the security authorization profile of this account, and may want to configure alerts and notification in case of invalid logon attempts, password expiration, or a locked account in an SAP system.
To maintain security, do not grant a broad security authorization profile, such as SAP_ALL to the ESISYS account.
You can also use TIBCO BusinessWorks security features, to obfuscate the account credentials in the associated TIBCO Runtime Agent (.tra) file.
Refer to the Windchill Enterprise Systems Integration Installation and Configuration - SAP (Windchill Enterprise Systems Integration Installation und Konfiguration - SAP) section for details on setting up this account.
TIBCO EMS
The TIBCO EMS queues are secured via:
• A server administrator user account
• Client user accounts for both Windchill PDMLink and the ESI BusinessWorks application.
• Required authentication to access the queues
The user account credentials are not obfuscated. Refer to the Windchill Enterprise Systems Integration Installation and Configuration - SAP (Windchill Enterprise Systems Integration Installation und Konfiguration - SAP) section for details on setting up EMS security measures. As the Windchill ESI administrator, you should be familiar with these measures and may wish to configure alerts or notifications in case there is a security breach.
Data Security
The EAI software components of Windchill ESI do not use an external or third-party database. Most operations occur in memory. Persistence to disk occurs primarily for:
• Check pointing (state management)
• Writing to log
Windchill ESI does not encrypt data in storage or in transit. You may need to customize the Windchill ESI application to support encryption if your product structure data is particularly sensitive or must traverse unsecured network links.
Refer to the Windchill Enterprise Systems Integration Installation and Configuration - SAP (Windchill Enterprise Systems Integration Installation und Konfiguration - SAP) section for details on traversing Wide Area Networks (WANs) and firewalls with TIBCO EMS and Rendezvous.