Windchill provides a way to manage user/group access to a particular folder. Follow the steps below to grant or deny access to a folder.
- Create an ACL with desired access permissions from policy administration.
- Go to the folder where the access restrictions should be applied and right click on the name
- Select “Edit” and uncheck the “Inherit domain from parent“
- Click on find and select the ACL from the pop-up and click on OK
- Click on OK on “Edit Folder” pop-up
This applies the ACL to the folder.
One fine day our SSL certificate expired and we needed to update our Windchill solution with a new one. A quick Google search showed that not much information is available outside Windchill's own forums. Therefore I am writing down my steps to deploy a new SSL certificate for Windchill. Our Windchill solution is version 10.2, running on a Windows 2008 Server R2 VM, so all my steps are in that OS context.
The whole procedure has two steps: first we extract the CRT and KEY files from the PFX file, and second we set up HTTPD.
Extract CRT and KEY files from PFX
- Open Command Prompt
- CWD to <Windchill Dir>\HTTPServer\bin
- EXEC openssl pkcs12 -in [yourfile.pfx] -nocerts -out [keyfile-encrypted.key]
- The system prompts for a password and a pass phrase for the certificate. For both, enter the password that came with the PFX file.
- EXEC openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [certificate.crt]
- Now you will find both the CRT and KEY files in the target folder. For Windchill, we need to provide an unencrypted key file.
- EXEC openssl rsa -in <filename1>.key -out <filename2>.key
Setting up the HTTPD
- Rename the CRT and KEY files to “server.crt” and “server.key” respectively
- Now stop Windchill and shut down HTTPD
- Move the CRT file into <Windchill Dir>\HTTPServer\conf\extra\ssl.crt\
- Move the KEY file into <Windchill Dir>\HTTPServer\conf\extra\ssl.key\
- CWD to <Windchill Dir>\Java\bin
- EXEC keytool -import -alias Windchill -file <Windchill Dir>\HTTPServer\conf\extra\ssl.crt\server.crt -storetype jks -keystore <Windchill Dir>\Java\jre\lib\security\cacerts
- The system prompts for a password; type your key store password.
- If the system reports “alias already exists”, choose a new alias for the certificate
- When the system asks whether to trust this certificate, type “yes”
- Now open the file <Windchill Dir>\HTTPServer\config.xml, look for <property name="certAlias" and set its value to the alias given in the previous step.
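A pre-flight check for the files produced by the steps above, as an added example that is not part of the original post: it confirms that server.key is unencrypted, that it belongs to server.crt, and that the certificate is not about to expire, before HTTPD is started again. The install path `D:\ptc\Windchill_10.2` and the 30-day window are assumptions; the file locations and the bundled openssl.exe are the ones used in the steps above.

```powershell
# Added example, not from the original post.
param(
    # Assumed install path; replace with your <Windchill Dir>.
    [string]$WindchillDir = 'D:\ptc\Windchill_10.2'
)

$openssl = Join-Path $WindchillDir 'HTTPServer\bin\openssl.exe'
$crt     = Join-Path $WindchillDir 'HTTPServer\conf\extra\ssl.crt\server.crt'
$key     = Join-Path $WindchillDir 'HTTPServer\conf\extra\ssl.key\server.key'
$failed  = $false

function Fail([string]$msg) { Write-Host "FAIL: $msg"; $script:failed = $true }

foreach ($f in $openssl, $crt, $key) {
    if (-not (Test-Path $f)) { throw "Missing file: $f" }
}

# 1. The key must be unencrypted, or HTTPD stops at a pass-phrase prompt.
#    Both PEM encodings of a protected key contain the word ENCRYPTED.
if (Select-String -Path $key -Pattern 'ENCRYPTED' -Quiet) {
    Fail 'server.key is still pass-phrase protected (repeat the "openssl rsa" step).'
}
else {
    # 2. Certificate and key must belong together: compare the RSA moduli.
    #    Skipped for an encrypted key, because openssl would wait for input.
    $certMod = & $openssl x509 -noout -modulus -in $crt
    $keyMod  = & $openssl rsa  -noout -modulus -in $key
    if (-not $certMod -or $certMod -ne $keyMod) {
        Fail 'server.crt and server.key do not share the same modulus.'
    }
}

# 3. The certificate must still be valid 30 days (2592000 s) from now.
#    "-checkend" returns a non-zero exit code when it is not.
& $openssl x509 -noout -checkend 2592000 -in $crt | Out-Null
if ($LASTEXITCODE -ne 0) {
    Fail 'server.crt is expired or expires within 30 days.'
}

# Show what is about to be served, for a manual look at the subject and date.
& $openssl x509 -noout -subject -enddate -in $crt

if ($failed) { exit 1 }
Write-Host 'OK: key is unencrypted, matches the certificate, and the certificate is current.'
```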
In the process of making our Windchill solution more secure, we are switching it over to HTTPS. After deploying the SSL certificate, it is time to point its web interface to HTTPS. I followed the procedure below to achieve that.
- From the Windchill administration shell do the following
- xconfmanager -s wt.webserver.protocol=https -t codebase/wt.properties
- xconfmanager -s wt.webserver.port=443 -t codebase/wt.properties -p
- xconfmanager -s wt.server.codebase=$(wt.webserver.protocol)://wcp.omnioffshore.com/$(wt.webapp.name) -t codebase/wt.properties -p
- Start httpd (with SSL for HTTPS else without SSL)
In the event of disaster recovery, if the database instance name has changed, the Windchill configuration file must be updated with those changes. The following is the way we changed our Windchill configuration:
- Stop Windchill by issuing the “Windchill stop” command at the Windchill command prompt.
- Issue the following commands at the Windchill prompt
- xconfmanager -s wt.pom.jdbc.host=<Host Name / IP Address> -t codebase\wt.properties -p
- xconfmanager -s wt.pom.jdbc.port=<Oracle Listener Port> -t codebase\wt.properties -p
- xconfmanager -s wt.pom.jdbc.service=<Oracle Service Name> -t codebase\wt.properties -p
- Now start Windchill by issuing “Windchill start” at the Windchill command prompt