Additional Resources
Configuring Windchill Risk and Reliability for PKI
Windchill Risk and Reliability applications and services can be configured for a secure environment such as the common access card (CAC) with public key infrastructure (PKI). This environment uses certificates for user authentication and authorization. Follow the steps outlined in this document to set up requirements for your site.
Setting Up Security with LDAP in Windchill Risk and Reliability
If your security requirements prohibit users from entering username and password credentials to sign on to applications, configure LDAP and single sign-on (SSO) for Windchill Risk and Reliability. For details, see the LDAP Settings, Groups, and Users section of the Windchill Risk and Reliability Administrator Guide.
Securing Windchill Risk and Reliability Web Services
To secure the Windchill Risk and Reliability website and require client certificates, follow these steps:
1. Replace web.config and bindings.config with secure configurations.
These files are under the Web directory of your Windchill Risk and Reliability installation. Bindings.config is in the Include subfolder.
If you are using SSO, replace these files with the versions with the config.secure.sso extension.
If you are not using SSO, replace these files with the versions with the config.secure extension.
Always create a backup copy of the files you are replacing.
2. Install a certificate for the website in Internet Information Services (IIS). For instructions, see Microsoft documentation here.
3. Create an HTTPS binding for the website. For instructions, see here.
4. Configure the Windchill Risk and Reliability 12.0.1.0 web services to require SSL and client certificates. Click Apply to save these settings.
5. Restart the website by issuing the iisreset command from the command prompt.
This configuration ensures that users who attempt to access Windchill Risk and Reliability web services have a valid client certificate. Access must be through the secure HTTPS protocol.
Securing Windchill Risk and Reliability Desktop and Administrator
If your site uses these applications and requires users to present certificates for authentication, follow these steps to secure the Windchill Risk and Reliability services:
1. Replace the following files with secure configurations:
bindings.config
clients.config
servicebehaviors.config
RiskandReliability.Service.LongRunningTasks.exe.config
RiskandReliability.Service.ObjectBroker.exe.config
2. Edit the new configuration files as follows:
a. Edit clients.config, RiskandReliability.Service.LongRunningTasks.exe.config, and RiskandReliability.Service.ObjectBroker.exe.config. Replace all occurrences of localhost with the fully qualified name of the server on which those services are running. This name has the form server.domain and must match the computer name the server certificate is issued to.
b. Edit servicebehaviors.config. Specify the server and client certificates. Replace the value in the findValue tags with the name of your issuing Certificate Authority (CA).
3. Refer to the following links to configure your certificates and Certificate Authority Chain for WCF services:
4. Restart the services.
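A pre-flight script for step 2a, to run before restarting the services (an added example, not PTC tooling). It confirms that a valid certificate issued to the server's fully qualified name exists before replacing localhost in the three files; the `$ConfigDir` and `$IssuerName` values are placeholders, and the LocalMachine\My certificate store is an assumption.

```powershell
# Added example: check the server certificate, then apply step 2a.
# $ConfigDir and $IssuerName are placeholders; the LocalMachine\My store is an assumption.
param(
    [string]$ConfigDir  = 'C:\Path\To\ServiceConfigs',
    [string]$IssuerName = 'Example Issuing CA',
    [string]$Fqdn       = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)
$ErrorActionPreference = 'Stop'   # a missing config file aborts instead of being skipped

$files = 'clients.config',
         'RiskandReliability.Service.LongRunningTasks.exe.config',
         'RiskandReliability.Service.ObjectBroker.exe.config'

# The name written into the configs must be one the certificate was issued to.
$now  = Get-Date
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
    $_.GetNameInfo('SimpleName', $true) -eq $IssuerName -and
    ($_.DnsNameList.Unicode -contains $Fqdn -or
     $_.GetNameInfo('DnsName', $false) -eq $Fqdn)
} | Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) {
    throw "No valid certificate for '$Fqdn' issued by '$IssuerName' in LocalMachine\My."
}
Write-Host "Certificate OK: $($cert.Subject), expires $($cert.NotAfter)"

foreach ($name in $files) {
    $path = Join-Path $ConfigDir $name
    $text = Get-Content -LiteralPath $path -Raw
    if ($text -notmatch '\blocalhost\b') {
        Write-Host "${name}: no localhost entries found"
        continue
    }
    # Keep the first backup so a rerun never overwrites the original file.
    if (-not (Test-Path -LiteralPath "$path.bak")) {
        Copy-Item -LiteralPath $path -Destination "$path.bak"
    }
    ($text -replace '\blocalhost\b', $Fqdn) |
        Set-Content -LiteralPath $path -Encoding UTF8 -NoNewline
    Write-Host "${name}: localhost replaced with $Fqdn"
}
```

If the script stops at the certificate check, no file has been modified, so the mismatch can be fixed before the services are restarted.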
Notes and Troubleshooting
Because the Windchill Risk and Reliability services communicate with one another, you must install a certificate for the services to use. For instructions, see here.
It is assumed that the server and client certificates are issued by the same CA.
If your services fail to start, run the Event Viewer program and find the error associated with the failed service start. These error messages should be self-explanatory.
With the services secured and requiring certificates, any user without a valid certificate who attempts to access the Windchill Risk and Reliability desktop applications receives an error message specifying that a valid certificate was not found.
©2021 PTC Inc. The information contained herein is provided for informational use and is subject to change without notice. The only warranties for PTC products and services are set forth in the express warranty statements accompanying such products and services and nothing herein should be construed as constituting an additional warranty. PTC shall not be liable for technical or editorial errors or omissions contained herein. Important Copyright, Trademark, Patent, and Licensing Information: See the About Box, or copyright notice, of your PTC software.