Monday, June 27, 2011
Configuring Windchill with multilayer certificates is almost the same as configuring a single certificate; what matters is understanding why the extra step is needed.
Many certificate authorities issue multilayer, or chained, certificates. A chained certificate is the combination of a primary (end-entity) certificate and one or more intermediate certificates. An intermediate certificate is a subordinate CA certificate issued by the trusted root specifically for signing end-entity server certificates. The result is a certificate chain that begins at the trusted root CA, passes through the intermediate, and ends with the SSL certificate issued to you. Such certificates are often called chained root certificates.
With a chained certificate you have to install two certificates: the intermediate and the primary. Follow the same procedure as in my previous post (Windchill with HTTPS) twice, once for the intermediate certificate and once for the primary certificate, giving each import its own keytool alias (keytool refuses to import a second certificate under an alias that already exists).
This is how an intermediate certificate from Verisign looks:
Once the intermediate is installed, import the primary certificate. After both are imported, this is how the certificate looks when you open the primary certificate served by Windchill:
If the chain is not installed properly, many Windchill modules such as Publishing, PSE etc. stop working. A quick check is to list the keystore with keytool -list and confirm that both aliases are present.
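The steps above as a script, added here as an example and not taken from the original post. It splits a CA-supplied bundle into its individual certificates (keytool -importcert reads only the first certificate in a PEM file, so a bundle must be split before importing), checks that the intermediate really signed the primary, verifies the chain with openssl, and imports both into jssecacerts under separate aliases. JAVA_HOME, the truststore path, the aliases and the sample bundle are assumptions for illustration; the sample bundle contains placeholder bodies, not real certificates.

```shell
#!/bin/sh
# Added example (not from the original post): split a chained certificate
# bundle, check that each certificate is signed by the next, and import the
# intermediate and primary certificates into jssecacerts under distinct
# aliases. Paths and aliases are assumptions for illustration.

JAVA_HOME=${JAVA_HOME:-/usr/java/default}                  # assumption
TRUSTSTORE=${TRUSTSTORE:-$JAVA_HOME/jre/lib/security/jssecacerts}
STOREPASS=${STOREPASS:-changeit}                           # JDK default for cacerts

# Write each PEM certificate of $1 into $2/cert-NN.pem, in bundle order,
# and print the number of certificates found.
split_bundle() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", dir, n); inc = 1 }
        inc { print > f }
        /-----END CERTIFICATE-----/ { inc = 0; close(f) }
        END { print n + 0 }
    ' "$bundle"
}

# True when the issuer DN of $1 equals the subject DN of $2, i.e. $2 is the
# certificate that signed $1. Requires openssl.
issued_by() {
    issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    subject=$(openssl x509 -in "$2" -noout -subject | sed 's/^subject=//')
    [ -n "$issuer" ] && [ "$issuer" = "$subject" ]
}

# Full chain check: leaf $1 must validate through intermediate $2 up to a
# root in the system trust store (pass a CA file as $3 to override).
verify_chain() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$3" -untrusted "$2" "$1"
    else
        openssl verify -untrusted "$2" "$1"
    fi
}

# Import $2 into the truststore as a trusted certificate with alias $1.
# A second import under an existing alias fails, so each cert gets its own.
import_trusted() {
    keytool -importcert -noprompt -trustcacerts \
        -keystore "$TRUSTSTORE" -storepass "$STOREPASS" \
        -alias "$1" -file "$2"
}

# Constructed sample bundle (placeholder bodies, not real certificates) so the
# splitting logic can be exercised without a CA-issued file.
make_sample_bundle() {
    printf '%s\n' \
        '-----BEGIN CERTIFICATE-----' 'PRIMARY-CERT-PLACEHOLDER' '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'INTERMEDIATE-CERT-PLACEHOLDER' '-----END CERTIFICATE-----' \
        > "$1"
}

if [ "${1:-}" = "--run" ]; then
    # Real run: $2 is the bundle from the CA, primary first, then intermediate.
    work=$(mktemp -d)
    count=$(split_bundle "$2" "$work")
    [ "$count" -ge 2 ] || { echo "expected primary + intermediate, found $count" >&2; exit 1; }
    primary=$work/cert-01.pem; inter=$work/cert-02.pem
    issued_by "$primary" "$inter" || { echo "cert-02 did not sign cert-01: bundle order is wrong" >&2; exit 1; }
    verify_chain "$primary" "$inter"
    import_trusted windchill-intermediate "$inter"
    import_trusted windchill "$primary"
    keytool -list -keystore "$TRUSTSTORE" -storepass "$STOREPASS" | grep windchill
fi
```

Run it as `sh chain.sh --run /path/to/bundle.pem` from a Windchill shell. If the CA delivered the intermediate as a separate file, skip the split and pass that file to `issued_by` and `import_trusted` directly. After Apache is restarted, `openssl s_client -connect windchill.acme.com:443 -showcerts` shows whether the server is actually sending the intermediate along with the primary.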
Tuesday, June 14, 2011
This article should be enough for any engineer to configure Windchill to work with HTTPS on both a monolithic and a clustered Windchill environment. The procedure has three parts:
1. Create the Key and Certificate
2. Import it in the system
3. Modify Windchill
Difference in Monolithic and Cluster architecture during Implementation
On a monolithic system the procedure is straightforward: you create and import the keys on the same system. In a cluster, generate and import the keys on the master once it is fully implemented and before it is cloned, because the same Windchill instance is then copied to the slaves. This saves copying the certificates and re-importing them on every slave.
NOTE: /usr1/ptc/Windchill_9.1/Windchill is used as a sample Windchill home and /usr1/ptc/Windchill_9.1/Apache as the sample Apache home. Please modify them to suit your environment.
1. Creating a self-signed certificate
This is a three-step procedure: first create the .key, then the .csr, and finally the .crt file.
In a terminal, set the library path, go to the Apache/bin folder and follow the steps below.
$ export LD_LIBRARY_PATH=/usr1/ptc/Windchill_9.1/Apache/lib:/usr/lib
/usr/lib is included so that the system's own shared libraries stay visible alongside Apache's; adjust the path to your system.
$ cd /usr1/ptc/Windchill_9.1/Apache/bin
$ ./openssl genrsa 2048 >/usr1/ptc/Windchill_9.1/Apache/conf/extra/ssl.key/server.key
This step creates the server.key file. The original post used a 1024-bit key; current browsers and Java runtimes reject RSA keys shorter than 2048 bits, so use 2048 or larger.
Next, and most important, is creating the .csr file. Pay particular attention to the Common Name prompt, which is called out below.
$ ./openssl req -new -key /usr1/ptc/Windchill_9.1/Apache/conf/extra/ssl.key/server.key -out /usr1/ptc/Windchill_9.1/Apache/conf/extra/ssl.csr/server.csr -config /usr1/ptc/Windchill_9.1/Apache/conf/extra/openssl.cnf
After you execute this command you will be prompted for a number of entries. Example values are shown here.
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:MA
Locality Name (eg, city) :Boston
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ACME Org
Organizational Unit Name (eg, section) :Windchill
The next property is the most important: enter your fully qualified cluster hostname here. Don't be misled by the prompt saying 'YOUR name'. Note that current clients such as Chrome match the hostname against a subjectAltName extension rather than the CN, so if browsers must trust this certificate, add the hostname as a subjectAltName as well.
Common Name (eg, YOUR name) :windchill.acme.com
Email Address :firstname.lastname@example.org
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password :changeit
An optional company name :
These steps create the .csr file. (The challenge password is an attribute of the request only; it is not the key password and plays no part in the self-signing or keytool steps below, so it can be left blank.) The next step is to create the .crt file.
$ ./openssl x509 -req -days 1991 -signkey /usr1/ptc/Windchill_9.1/Apache/conf/extra/ssl.key/server.key -in /usr1/ptc/Windchill_9.1/Apache/conf/extra/ssl.csr/server.csr -out /usr1/ptc/Windchill_9.1/Apache/conf/extra/ssl.crt/server.crt
This command writes a self-signed certificate named 'server.crt' into Apache's ssl.crt directory. Apache only serves it once SSLCertificateFile and SSLCertificateKeyFile in its SSL configuration point at server.crt and server.key.
The next step is the most important: importing this certificate into the certificate store that Windchill's Java processes trust.
Run the command below from a Windchill shell.
2. Importing it in Certificate keystore
Go to the $JAVA_HOME/jre/lib/security folder. Make a copy of the 'cacerts' file and rename the copy 'jssecacerts'. JSSE loads jssecacerts in preference to cacerts when it exists, so the stock cacerts stays untouched.
$ keytool -import -trustcacerts -storetype jks -keystore $JAVA_HOME/jre/lib/security/jssecacerts -alias windchill -file /usr1/ptc/Windchill_9.1/Apache/conf/extra/ssl.crt/server.crt
You will be prompted for the keystore password. This is the password of the copied cacerts file, whose JDK default is 'changeit', not the challenge password you typed when creating the .csr (the two only coincide if you used changeit for both). Answer yes when asked whether to trust the certificate. The certificate is then imported into the keystore named 'jssecacerts'.
3. Changes in Windchill
The HTTPS steps are done after the cluster is implemented. On the slaves, set 'wt.webserver.port' to 443 and 'wt.webserver.protocol' to https in wt.properties (use xconfmanager so the change survives the next propagation, rather than editing wt.properties directly). Do not switch the master to HTTPS; keep the master running on HTTP. A monolithic server gets the same two property changes.
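The three steps above as one non-interactive script, added here as an example and not taken from the original post. It differs from the interactive walkthrough in three deliberate ways: a 2048-bit key, the hostname also placed in a subjectAltName extension, and wt.properties changed through xconfmanager instead of by hand. WT_HOME, JAVA_HOME, HOST, the subject fields, the keystore alias and the location of xconfmanager under the Windchill home are assumptions; the jre/lib/security layout is that of Java 8 and earlier.

```shell
#!/bin/sh
# Added example (not from the original post): key, CSR, self-signed
# certificate, jssecacerts import and wt.properties change as functions.
# All paths, hostnames and subject fields are assumptions for illustration.

WT_HOME=${WT_HOME:-/usr1/ptc/Windchill_9.1}            # assumption
JAVA_HOME=${JAVA_HOME:-/usr/java/default}              # assumption
APACHE=$WT_HOME/Apache
SSLDIR=$APACHE/conf/extra
HOST=${HOST:-windchill.acme.com}                       # fully qualified cluster hostname

# Build the -subj string openssl req expects from the same fields the
# interactive prompt asks for: C, ST, L, O, OU, CN.
build_subj() {
    printf '/C=%s/ST=%s/L=%s/O=%s/OU=%s/CN=%s' "$1" "$2" "$3" "$4" "$5" "$6"
}

# Step 1: key, request, self-signed certificate.
gen_key() { openssl genrsa -out "$1" 2048; }          # 1024-bit keys are rejected by current clients

gen_csr() { openssl req -new -key "$1" -out "$2" -subj "$3"; }

# $1 key, $2 csr, $3 crt, $4 hostname, $5 validity in days
self_sign() {
    ext=$(mktemp)
    printf 'subjectAltName=DNS:%s\n' "$4" > "$ext"   # browsers check the SAN, not the CN
    openssl x509 -req -days "$5" -in "$2" -signkey "$1" -out "$3" -extfile "$ext"
    rm -f "$ext"
}

# Step 2: trust store. JSSE prefers jssecacerts over cacerts when it exists,
# so the copy leaves the stock cacerts untouched. Password is the JDK default.
make_jssecacerts() {
    sec=$JAVA_HOME/jre/lib/security                    # Java 8 and earlier layout
    [ -f "$sec/jssecacerts" ] || cp "$sec/cacerts" "$sec/jssecacerts"
    printf '%s' "$sec/jssecacerts"
}

import_trusted() {                                     # $1 truststore, $2 alias, $3 cert
    keytool -importcert -noprompt -trustcacerts -keystore "$1" -storepass changeit -alias "$2" -file "$3"
}

# Step 3: wt.properties on a slave or monolithic server (never the master of a
# cluster). xconfmanager keeps the values in the xconf layer so a later -p does
# not overwrite them.
set_windchill_https() {
    cd "$WT_HOME/Windchill" || return 1
    bin/xconfmanager -s wt.webserver.protocol=https -t codebase/wt.properties -p
    bin/xconfmanager -s wt.webserver.port=443 -t codebase/wt.properties -p
}

if [ "${1:-}" = "--run" ]; then
    export LD_LIBRARY_PATH=$APACHE/lib:/usr/lib
    PATH=$APACHE/bin:$PATH; export PATH                # use the openssl bundled with Apache
    key=$SSLDIR/ssl.key/server.key
    csr=$SSLDIR/ssl.csr/server.csr
    crt=$SSLDIR/ssl.crt/server.crt
    gen_key "$key"
    gen_csr "$key" "$csr" "$(build_subj US MA Boston 'ACME Org' Windchill "$HOST")"
    self_sign "$key" "$csr" "$crt" "$HOST" 1991
    store=$(make_jssecacerts)
    import_trusted "$store" windchill "$crt"
    keytool -list -keystore "$store" -storepass changeit -alias windchill
    set_windchill_https
fi
```

Run it as `sh windchill-https.sh --run` from a Windchill shell on a monolithic server, or on the master before it is cloned, leaving out `set_windchill_https` on the master. Check the result with `openssl x509 -in server.crt -noout -text`, which should show a 2048-bit key and the hostname under Subject Alternative Name.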