File Server (Web-enabled)

Technical View of the WebFile Server

 

Secure Socket Layer (SSL)

  Web servers support the HTTPS protocol, which encrypts the data in transit and lets the caller verify, through the server certificate, which server the data is coming from. The following describes how to set up an HTTPS environment.
  Server Certificate
  For testing purposes, you can generate your own certificate. For production use, you need to obtain a Server Certificate from a trusted source, such as Verisign or Thawte. If you have more than one domain name you wish to secure, you should get multiple certificates. Digital certificates are host and domain name specific, so you will need a certificate for each domain name.
  Installation

The following describes the steps needed to configure Tomcat SSL. In all samples, <plm_root> is defined as:

<plm_root> = Agile e6 installation directory.

  Edit server_web.xml

Edit <plm_root>/epclt/webplm/config/server_web.xml. Add or uncomment the following sample XML snippet:

<Connector className="org.apache.tomcat.service.PoolTcpConnector">
  <Parameter name="port" value="8443"/>
  <Parameter name="socketFactory" value="org.apache.tomcat.net.SSLSocketFactory"/>
  <Parameter name="keypass" value="changeit"/>
</Connector>

In this example the keystore is the file <plm_root>/ext/tomcat/conf/keystore with the password changeit.

  Edit java.security

Edit the file <plm_root>/ext/jre/<machine_platform>/lib/security/java.security and add the following line:

security.provider.2=com.sun.net.ssl.internal.ssl.Provider

Note: there may already be a security.provider.2 entry. Adjust the above line if needed.

  Generate Certificate (for Testing only)

This step is for test purposes only; skip to the next step for production systems.

Run the Java keytool utility, which is included in every Agile e6 installation. Replace <keystore> with the keystore path defined above for server_web.xml. When prompted, use the password defined in the keypass parameter; for testing, the certificate does not need to be signed by a trusted source.

% cd <plm_root>/ext/jre/<machine_platform>/bin

% ./keytool -genkey -alias tomcat -keyalg RSA -keystore <keystore>

In this example a digital certificate is generated with the alias tomcat using the RSA algorithm and stored in the file <keystore>. RSA is required for the Netscape and Internet Explorer browsers.

  Import Certificate

This step is required for production systems after a digital certificate from a trusted source has been obtained.

Use the keytool utility to import the certificate obtained from a trusted source. The following example imports the certificate file CERT.pem into the file <keystore>. Use the keystore path defined above for server_web.xml.

% cd <plm_root>/ext/jre/<machine_platform>/bin

% ./keytool -import -v -trustcacerts -alias tomcat -file CERT.pem -keystore <keystore>

  Enable the HTTPS Protocol

Then add the following Tomcat startup option (TOMCAT_OPTS) so that the URL class supports the HTTPS protocol.

TOMCAT_OPTS = -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol
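Before starting Tomcat it is worth checking that the SSL connector is actually present and that the keystore password is no longer the default from the sample above. The following script is an added example and not part of the Agile e6 documentation; it parses the connector fragment quoted in the text (embedded here as a constructed sample, wrapped in a <Server> root element) with Python's standard XML parser and reports the findings a reviewer would want before production use.

```python
"""Added example (not part of the Agile e6 documentation): a sanity check for
the SSL connector fragment in server_web.xml before Tomcat is started."""
import xml.etree.ElementTree as ET

# Constructed sample: the connector fragment quoted in the text, wrapped in a
# <Server> root element so that it parses as a complete XML document.
SAMPLE_SERVER_WEB_XML = """<Server>
  <Connector className="org.apache.tomcat.service.PoolTcpConnector">
    <Parameter name="port" value="8443"/>
    <Parameter name="socketFactory" value="org.apache.tomcat.net.SSLSocketFactory"/>
    <Parameter name="keypass" value="changeit"/>
  </Connector>
</Server>
"""

SSL_SOCKET_FACTORY = "org.apache.tomcat.net.SSLSocketFactory"
DEFAULT_KEYPASS = "changeit"  # the well-known default password of Java keystores


def connector_params(connector):
    """Collect the <Parameter name="..." value="..."/> children of a Connector."""
    return {p.get("name"): p.get("value") for p in connector.findall("Parameter")}


def check_ssl_connectors(xml_text):
    """Return a list of findings about the SSL connectors in xml_text.

    An empty list means an SSL connector exists, listens on a numeric port and
    does not use the default keystore password."""
    root = ET.fromstring(xml_text)
    findings = []
    ssl_connectors = [
        c for c in root.iter("Connector")
        if connector_params(c).get("socketFactory") == SSL_SOCKET_FACTORY
    ]
    if not ssl_connectors:
        findings.append("no Connector uses SSLSocketFactory: HTTPS is not enabled")
        return findings
    for connector in ssl_connectors:
        params = connector_params(connector)
        port = params.get("port", "")
        if not port.isdigit():
            findings.append("SSL connector has no numeric port parameter")
        keypass = params.get("keypass")
        if keypass is None:
            findings.append("SSL connector has no keypass parameter; Tomcat cannot open the keystore")
        elif keypass == DEFAULT_KEYPASS:
            findings.append(
                "keypass is the default 'changeit'; set a different password on the "
                "keystore (keytool -storepasswd) and in server_web.xml before production use"
            )
    return findings


if __name__ == "__main__":
    for finding in check_ssl_connectors(SAMPLE_SERVER_WEB_XML):
        print("WARNING:", finding)
```

Run against the sample from the text the script reports exactly one finding, the default keystore password; after the password is changed both in the keystore and in server_web.xml, the list is empty.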

 

Communication Path during File Viewing

  This section describes the communication between the components in a medium-security environment and in a high-end security environment.

Software components:

Browser: The browser is used to access the web site on the Web Server.
Web Client: The Web Client is a web service, which gains access to the PLM system.
FMS Data Service: The FMS Data Service is an internal service, which provides the metadata for the file access.
Web File Service: The Web File Service provides the file access for the user.
PLM Server: The PLM Server represents the PLM system.
File Server: The File Server manages the files within the PLM system.

Communication steps:

1. The user pushes the viewing button to view a file.
2. The Web Client calls the xfile userexit over ECI.
3. The PLM Server calls the FMS callable over ECI (the metadata is stored in the cache of the FMS Data Service).
4. The Web Client responds with a redirection URL to the browser, and the browser sends a GET request to the Web File Service (the request contains an access ticket).
5. The Web File Service decrypts the access ticket and sends a signed request envelope to the FMS Data Service to obtain the metadata.
6. The FMS Data Service responds with a signed envelope that contains the metadata.
7. The Web File Service calls the File Server via RPC using the FMS client library. The RPC return packet contains the socket for the file transfer.
8. The File Server creates a new thread for the file transfer and sends the file via the socket to the calling Web File Service.
9. The Web File Service forwards the received data, without caching, as the response to the redirected GET request of the browser.
  The communication in the high-end security environment differs slightly.

Software components: the same components as in the medium-security environment (see above).

Communication steps:

1. The user pushes the viewing button to view a file.
2. The Web Client calls the xfile userexit over ECI (the PLM Server checks whether a proxy configuration is available for the site of the Web Client and adds the proxy data to the metadata).
3. The PLM Server calls the FMS callable over ECI (the metadata is stored in the cache of the FMS Data Service).
4. The Web Client responds with a redirection URL to the browser, and the browser sends a GET request to the Web File Service (the request contains an access ticket).
5. The Web File Service decrypts the access ticket and sends a signed request envelope to the FMS Data Service to obtain the metadata.
6. The FMS Data Service responds with a signed envelope that contains the metadata.
7. The Web File Service generates a POST request to the Web File Service running on the internal Web Server to get the file. The POST request contains an encrypted envelope with the metadata.
8. The internal Web File Service calls the File Server via RPC using the FMS client library. The RPC return packet contains the socket for the file transfer.
9. The File Server creates a new thread for the file transfer and sends the file via the socket to the calling Web File Service.
10. The internal Web File Service forwards the incoming file data, without caching, to the calling (Proxy) Web File Service.
11. The (Proxy) Web File Service forwards the received data, without caching, as the response to the redirected GET request of the browser.
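In both the medium-security and the high-end path, the access ticket and the envelopes between the Web File Service and the FMS Data Service are what stop a browser from requesting arbitrary files by editing the redirection URL, so each receiving service has to verify before it trusts anything in the message. The following is an added example and not the product's code: it models an access ticket and the signed request/response envelopes as HMAC-SHA256-signed JSON with an issue time and a nonce, and walks steps 4 to 6 with a constructed metadata cache. The algorithm, field names, 60-second lifetime, shared keys and cache contents are all assumptions for illustration; the page does not describe the real ticket or envelope format.

```python
"""Added example (not part of the Agile e6 documentation): a minimal model of
the access ticket and the signed request/response envelopes exchanged between
the Web Client, the Web File Service and the FMS Data Service. The HMAC-SHA256
signature, the JSON field names, the 60-second lifetime and the shared keys
are assumptions made for illustration; the product's real formats are not
described on the page."""
import hashlib
import hmac
import json
import secrets
from typing import Optional

TICKET_LIFETIME_S = 60   # assumed validity window of a ticket or envelope
CLOCK_SKEW_S = 5         # assumed tolerance for an issuer clock slightly ahead

# Nonces already accepted by each verifying service (replay protection).
SEEN_NONCES = {"web_file_service": set(), "fms_data_service": set()}


def _canonical(body: dict) -> bytes:
    # Deterministic encoding so that sender and verifier sign the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_envelope(payload: dict, key: bytes, now: float) -> dict:
    """Wrap payload in a signed envelope carrying an issue time and a nonce."""
    body = {"payload": payload, "issued": int(now), "nonce": secrets.token_hex(8)}
    sig = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_envelope(env: dict, key: bytes, now: float, verifier: str) -> Optional[dict]:
    """Return the payload if the envelope is authentic, fresh and not replayed,
    otherwise None. The signature is checked before anything in the body is trusted."""
    body, sig = env.get("body"), env.get("sig")
    if not isinstance(body, dict) or not isinstance(sig, str):
        return None
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):      # constant-time comparison
        return None
    issued = body.get("issued")
    if not isinstance(issued, int) or not (now - TICKET_LIFETIME_S <= issued <= now + CLOCK_SKEW_S):
        return None                                  # expired or from the future
    nonce = body.get("nonce")
    seen = SEEN_NONCES[verifier]
    if not isinstance(nonce, str) or nonce in seen:
        return None                                  # replayed envelope
    seen.add(nonce)
    return body.get("payload")


def file_view_exchange(now: float) -> Optional[dict]:
    """Walk steps 4 to 6 of the viewing path: the Web Client issues an access
    ticket, the Web File Service verifies it and sends a signed request
    envelope to the FMS Data Service, which answers with a signed envelope
    containing the metadata. Returns the metadata, or None on any failure."""
    ticket_key = b"constructed-key-shared-by-web-client-and-web-file-service"
    fms_key = b"constructed-key-shared-by-web-file-service-and-fms"
    fms_cache = {"doc-4711": {"vault": "vault01", "path": "/files/4711.pdf"}}  # constructed cache

    # Step 4: the redirection URL carries the access ticket to the Web File Service.
    ticket = make_envelope({"file_id": "doc-4711", "user": "jdoe"}, ticket_key, now)

    # Step 5: the Web File Service checks the ticket, then asks for the metadata.
    request = verify_envelope(ticket, ticket_key, now, "web_file_service")
    if request is None:
        return None
    request_env = make_envelope({"file_id": request["file_id"]}, fms_key, now)

    # FMS Data Service side: verify the request and look up the cached metadata.
    fms_request = verify_envelope(request_env, fms_key, now, "fms_data_service")
    if fms_request is None:
        return None
    response_env = make_envelope({"meta": fms_cache.get(fms_request["file_id"])}, fms_key, now)

    # Step 6: the Web File Service verifies the signed response before using it.
    response = verify_envelope(response_env, fms_key, now, "web_file_service")
    return None if response is None else response["meta"]
```

The order of checks in verify_envelope matters: the signature is compared (in constant time) before the issue time or nonce is read, so a tampered ticket is rejected without any of its content influencing the outcome, and a valid ticket presented twice is refused by the nonce set.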

Configuration

  This section describes the options for configuring the Web Proxy Server of the web file management system.
  Configuration Parameter

The web proxy has a main switch that activates or deactivates the proxy mechanism. The main switch is accessible via the "Configuration parameter" mask (Manager > System Configuration > Other Parameters).

EDB-FMS-PROXY = ON | OFF (default: OFF)

You have to insert this configuration parameter and set it to ON to activate the proxy mechanism.

  Define a Web Proxy Service

In a high-end security environment, the Web File Service on the external Web Server works as a proxy for the internal Web File Service. Defining a Web Proxy takes two steps:

1. Define a default proxy for a site, or a specialized proxy for a vault of the site.
2. Set the site information in the configuration file of the Web Client.
  Define a Proxy

You can define a set of default proxy entries for several sites by adding the information of the external Web Server together with the path to the (Proxy) Web File Service.

Additionally, you can define proxy entries for specific vaults of a site in the same way, by adding the information of the external Web Server together with the path to the (Proxy) Web File Service. If a vault has no proxy information, the default proxy information of the site is used.

  Site Information of the Web Client

Each external Web Client should have a unique site identifier, so that the PLM Server can decide whether a (Proxy) Web File Service is necessary. You add this information to the webplm.properties file of the Web Client, which is located in the <webclient_root>/config directory.

The following line sets the site "www" for this Web Client:

axalant.env.EP_PROXY_SITE=www