Tuesday, June 14, 2011

Windchill with HTTPS

This article covers what an engineer needs to configure Windchill to work with HTTPS in both a monolithic and a clustered Windchill environment.

Procedure highlights

1. Create the Key and Certificate

2. Import it in the system

3. Modify Windchill

Difference in Monolithic and Cluster architecture during Implementation

A monolithic system is straightforward: you create and import the keys on the same system. In a cluster environment, the keys are to be generated and imported after you finish implementing the master, since the same instance of Windchill is copied to the slaves. This saves the time of copying the certificates and re-importing them on the slaves.

NOTE: /usr1/ptc/Windchill_9.1/Windchill is used as a sample Windchill home. Please modify it to suit your environment.

1. Creating a self signed Certificate

This is a three-step procedure in which you first create the .key file, then the .csr file, and then the .crt file.

To do so, open a terminal, go to the Apache/lib folder, and follow the steps below.

$ export LD_LIBRARY_PATH=/usr1/ptc/Windchill_9.1/Apache/lib:/usr/lib

/usr/lib is included in order to use some important Unix library files. Set the environment according to your system.

$ cd /usr1/ptc/Windchill_9.1/Apache/bin

$ ./openssl genrsa 1024 >/usr1/ptc/Windchill_9.1/Apache/conf/extra/ssl.key/server.key

This step will create the server.key file.

Next, and most important, is creating the .csr file. There is one more important point below, noted where it occurs.

$ ./openssl req -new -key /usr1/ptc/Windchill_9.1/Apache/conf/extra/ssl.key/server.key -out /usr1/ptc/Windchill_9.1/Apache/conf/extra/ssl.csr/server.csr -config /usr1/ptc/Windchill_9.1/Apache/conf/extra/openssl.cnf

After you execute this command you will be prompted for many entries. I am giving some example values here.

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.


Country Name (2 letter code) [AU]:US

State or Province Name (full name) [Some-State]:MA

Locality Name (eg, city) []:Boston

Organization Name (eg, company) [Internet Widgits Pty Ltd]:ACME Org

Organizational Unit Name (eg, section) []:Windchill

The next property is the most important one: enter your fully qualified cluster hostname here. Don’t be confused by the prompt saying ‘YOUR name’.

Common Name (eg, YOUR name) []:windchill.acme.com

Email Address []:admin@acme.com

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:changeit

An optional company name []:

These steps will create a .csr file. The next step is to create a .crt file.

$ ./openssl x509 -req -days 1991 -signkey /usr1/ptc/Windchill_9.1/Apache/conf/extra/ssl.key/server.key -in /usr1/ptc/Windchill_9.1/Apache/conf/extra/ssl.csr/server.csr -out /usr1/ptc/Windchill_9.1/Apache/conf/extra/ssl.crt/server.crt

This command will install a certificate named ‘server.crt’ in Apache.
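A quick way to check the files produced in step 1 before importing them, written as an added example that is not part of the original post. The function names are hypothetical; the file names and sample DN follow the article. It confirms that server.crt belongs to server.key, that the Common Name is the expected host name, that the certificate is not close to expiry, and it flags RSA keys under 2048 bits, which is what the genrsa 1024 call above produces.

```shell
#!/bin/sh
# Added example: sanity checks for the server.key / server.crt pair from step 1.
# Function names are hypothetical; file names and the sample DN are the article's.

# Build a throwaway key, CSR and self-signed certificate (constructed test data).
make_sample_pair() {  # usage: make_sample_pair DIR BITS CN
    openssl genrsa -out "$1/server.key" "$2" 2>/dev/null &&
    openssl req -new -key "$1/server.key" -out "$1/server.csr" \
        -subj "/C=US/ST=MA/L=Boston/O=ACME Org/OU=Windchill/CN=$3" 2>/dev/null &&
    openssl x509 -req -days 365 -signkey "$1/server.key" \
        -in "$1/server.csr" -out "$1/server.crt" 2>/dev/null
}

# Print one line per finding; return 0 only if every check passes.
check_cert_pair() {  # usage: check_cert_pair KEY CRT EXPECTED_CN [MIN_BITS]
    key=$1 crt=$2 want_cn=$3 min_bits=${4:-2048} rc=0
    # 1. The certificate must carry the public half of this private key.
    k=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$crt" -noout -modulus 2>/dev/null)
    if [ -n "$k" ] && [ "$k" = "$c" ]; then echo "OK   key matches certificate"
    else echo "FAIL key and certificate do not match"; rc=1; fi
    # 2. The Common Name must be the fully qualified host name clients use.
    cn=$(openssl x509 -in "$crt" -noout -subject -nameopt RFC2253 2>/dev/null |
         sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p')
    if [ "$cn" = "$want_cn" ]; then echo "OK   CN is $cn"
    else echo "FAIL CN is '$cn', expected '$want_cn'"; rc=1; fi
    # 3. RSA modulus size must reach the minimum (default 2048 bits).
    bits=$(openssl x509 -in "$crt" -noout -text 2>/dev/null |
           sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit.*/\1/p')
    if [ "${bits:-0}" -ge "$min_bits" ]; then echo "OK   $bits-bit key"
    else echo "FAIL ${bits:-unknown}-bit key is below $min_bits bits"; rc=1; fi
    # 4. Not expired, and not expiring within the next 30 days.
    if openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null 2>&1
    then echo "OK   valid for at least 30 more days"
    else echo "FAIL expires within 30 days"; rc=1; fi
    return $rc
}

# Demo on constructed data, using the article's 1024-bit key size.
tmp=$(mktemp -d)
make_sample_pair "$tmp" 1024 windchill.acme.com &&
    check_cert_pair "$tmp/server.key" "$tmp/server.crt" windchill.acme.com || true
rm -rf "$tmp"
```

Against the real files, call check_cert_pair with the server.key and server.crt paths from step 1 and the host name entered at the Common Name prompt.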

The next step, and the most important one, is to actually import this certificate into the certificate store.

You need to execute the command below from a Windchill shell.

2. Importing it in Certificate keystore

Go to the JAVA_HOME/jre/lib/security folder. Create a copy of the ‘cacerts’ file and rename the copy to ‘jssecacerts’.

$ keytool -import -trustcacerts -storetype jks -keystore $JAVA_HOME/jre/lib/security/jssecacerts -alias windchill -file /usr1/ptc/Windchill_9.1/Apache/conf/extra/ssl.crt/server.crt

You will be prompted for a password. Enter the password that you entered while creating the .csr file. This will import the certificate into the keystore named ‘cacerts’.

3. Changes in Windchill

The HTTPS steps are to be done after the cluster is implemented. On the slaves, you will need to change ‘wt.webserver.port’ and ‘wt.webserver.protocol’ in wt.properties to 443 and https respectively. You don’t change the master to HTTPS; keep the master running on HTTP. These settings need to be made in the same manner for a monolithic server.
