Configuring Windchill File Vaults to Use Azure Blobs
This section explains the configurations required in Windchill and Azure portal to allow the use of Azure Blobs when Windchill is running in Azure Virtual Machine (VM).
* 
Connection to Azure Blobs with Windchill running on premises is not supported.
The configurations described in this section must be performed again after you have updated or upgraded your existing Windchill version.
Azure Portal Configuration
Configurations required to be performed in Azure portal includes adding required components and setting up access control. You must configure permissions and set access on Azure portal for Windchill to successfully work with Azure Blobs.
Windchill supports two mechanisms to configure authentication:
MSI — This is a preferred option which can be used when Azure VM is enabled with MSI.
SECURITY_CREDENTIALS — This is a fallback mechanism if MSI option cannot be used. In this option, Windchill securely stores the credentials and uses it for communicating with Azure.
Before You Begin
Create the following entities on Azure portal before configuring Azure Blobs for Windchill:
Storage Accounts — Account kind must be Standard (general purpose v2).
Azure VMs with Managed Service Identity (MSI) enabled.
Key Vault Key — This entity is optional and must be created if you are planning to use Key vault Encryption.
Adding Policy for an MSI User Account
The MSI enabled Azure VM for your storage accounts must be given Storage Blob Data Contributor role. Perform the following steps to add the role:
1. Log in to your Azure portal.
2. Navigate to your Storage Account.
3. Go to Access Control(IAM).
4. Click Add.
5. Select Storage Blob Data Contributor and assign access to your MSI configured Azure VM.
* 
If you want to be able to copy across Storage Accounts, then assign Storage Account Contributor instead of Storage Blob Data Contributor. This occurs if you have multiple Storage Accounts for your Vaults, as would be the case with content replication with remote file servers.
6. Click Save. Your Azure VM is not MSI enabled.
Setting the Key Vault Encryption in Azure Blob
To enable the Key Vault encryption, you must perform these steps in your Azure portal:
1. Create a Key Vault and generate a Key
2. Create an Application
3. Link the Application to the Key
Creating a Key Vault and generating a Key
To create a Key Vault and generate a key, follow these steps in your Azure portal:
1. From the Dashboard, click + Create a resource.
2. In the New window, search for Key Vault.
3. Click Create. Enter Name, Subscription, Resource Group, Location and click Create.
4. Key Vault is generated successfully, and Overview page is displayed. Note the DNS Name from this page.
* 
The KeyVaultKeyIDURL is the combination of the DNS Name and the Key Name. For example, if the Key Name is KeyVaultKey and the DNS Name is https://contentkeyvault.vault.azure.net/ then the KeyVaultKeyIDURL is https://contentkeyvault.vault.azure.net/keys/KeyVaultKey. The KeyVaultKeyIDURL is needed by the custom Java program in Windchill.
5. Click Keys > +Generate/Import.
6. Enter Name.
7. Select Key Type as RSA.
8. Select RSA Key Size and click Create.
9. The Key is created successfully.
* 
The VALUE of the key is the AuthKey used by the custom Java program in Windchill. Ensure to note it down as it is not retrievable later.
Creating an Application
To create a new application, follow these steps in your Azure portal:
1. From the Dashboard, click Azure Active Directory > App Registrations > +New application registration.
2. Enter Name, Application Type, Sign-on URL and click Create.
3. The Application is created successfully.
* 
The Application ID is the AppId which is needed by the custom Java program in Windchill.
Linking the Application to the Key
To link the Application and the Key, follow these steps in your Azure portal:
1. From the Dashboard, open the Key Vault > Access policies > + Add New > Select Principal.
2. Search for your Application name and click Select.
3. In Key permissions select Select all and click OK.
4. The Application and the Key are successfully linked, and this completes the setup for Key Vault encryption in Azure Blob.
Configuring Access Control — Points to remember
If you opt to authenticate using Account Name and Key, then Windchill has the administrative access of your Storage account.
If you opt to use MSI and assign the role Storage Blob Data Contributor, then Windchill has the administrative access to your Storage account.
And if you assign Storage Blob Data Reader role, then Windchill gets only read access to your Storage account.
Windchill Configurations
You can configure Windchill to use Azure Blobs using command line tool.
Before you begin
This command line tool consists of configuration fields. Press ENTER to skip a specific configuration. The command line tool displays the existing configuration. The configuration is broadcasted to all the registered Fileservers, that is, replica sites, automatically. You can configure multiple Azure Blob storage accounts using SECURITY_CREDENTIALS as authentication strategy.
Run the following command at the Windchill shell to configure Azure Blobs:
windchill com.ptc.windchill.objectstorage.azureblob.tools.BlobConfigurationTool configure -u <username> -p <password>.
Perform the following steps to configure the account:
1. Authentication Strategy: (SECURITY_CREDENTIALS/MSI)? [SECURITY_CREDENTIALS] — The default value is SECURITY_CREDENTIALS. If you select MSI option. Step 2 and 3 are not applicable.
2. Do you want to Add or Update Azure Blob Storage Account?(y/n) - Type y to add or update the storage account
Azure Storage Account Name — Enter the Account Name that you wish to configure.
Azure Storage Account Key — Type the access Key ID for your Azure account.
Do you want to Add or Update Azure Blob Storage Account?(y/n) - type n to go to next step
3. Do you want to Remove existing Azure Blob Storage Account?(y/n) - Type y to remove the existing storage account
Azure Storage Account Name — Enter the Account Name that you wish to remove.
Do you want to Remove existing Azure Blob Storage Account?(y/n) - Type n to go to next step
4. Blob Encryption Configurator Delegate Name — Type the delegate name to choose the encryption type. The encryption type is used to encrypt the content stored on Azure Blob.
5. SSEKeyVaultKeyProvider Delegate Name —Type the delegate name to choose the KMS Key ID. The KMS Key ID is used to encrypt the content stored on Azure Blob.
6. CSESecKeyGenerator Delegate Name — Type the delegate name to manage the Secret Keys. The Secret Key returned by the delegate is used for encrypting the content stored on Azure Blob.
For more details on encryption, refer to the topic Encryption Customization for Azure Blob Mounts.
To validate the configurations, you can generate a report by using the following command line tool:
windchill com.ptc.windchill.objectstorage.azureblob.tools.BlobConfigurationTool generateReport -u <username> -p <password>
* 
If the configuration related to delegate names is changed, restart the main and replica servers, for the configuration to take effect.
Windchill now supports secure file transfer. You can configure your Azure storage account to accept requests only from secure connections by setting the Secure transfer required property as enabled for the storage account. You can enable the Secure transfer as mentioned here.
It is strongly recommended to keep the Secure transfer required as enabled to ensure secure connections to Azure Blob Storage.
Mounting to Azure Blob Storage
Before You Begin
Create a folder in Azure portal in the desired mount path. Perform the following steps:
1. Login to your Azure portal and navigate to Blobs.
2. Click Upload.
3. Select a sample text file and in the Advanced tab give the desired folder name in Upload to folder.
4. Click Upload. The folder is created successfully. Note the path from Azure portal.
Mounting the Root Folder from Windchill
In Windchill select the Mount Type as Azure Blob Storage while mounting the root folder and the mount path must be of the following pattern:
<StorageAccountName>/<ContainerName>/<PathtoDesiredFolder>
For example, if your Storage Account name is StorageForUSA, container name is Container-in-USA, and the path is VaultsForWindchill/RootFolderMountLocation then you must enter the mount path as:
StorageForUSA/Container-in-USA/VaultsForWindchill/RootFolderMountLocation
Was this helpful?