Secure Socket Layer (SSL)
Web servers support the HTTPS protocol, which encrypts the data in transit and lets the caller verify which server the data is coming from. The following describes how to set up an HTTPS environment.
Server Certificate
For testing purposes, you can generate your own certificate. For production use, you need to obtain a Server Certificate from a trusted source, such as Verisign or Thawte. If you have more than one domain name you wish to secure, you should get multiple certificates. Digital certificates are host and domain name specific, so you will need a certificate for each domain name.
Installation

The following describes the steps needed to configure Tomcat SSL. In all samples, <plm_root> is the Agile e6 installation directory.
Edit server_web.xml

Edit <plm_root>/epclt/webplm/config/server_web.xml. Add or uncomment the following sample XML snippet:

```xml
<Connector className="org.apache.tomcat.service.PoolTcpConnector">
```

In this example the keystore is the file <plm_root>/ext/tomcat/conf/keystore with the password changeit.
Edit java.security

Edit the file <plm_root>/ext/jre/<machine_platform>/lib/security/java.security and add the following line:

```
security.provider.2=com.sun.net.ssl.internal.ssl.Provider
```

Note: there may already be a security.provider.2 entry. Adjust the above line if needed.
Generate Certificate (for Testing only)

This step is for test purposes only; skip to the next step for production systems. Run the Java keytool utility that is included in every Agile e6 installation. Replace <keystore> with the keystore attribute value defined above in server_web.xml, and use the password defined in the keypass attribute. The certificate does not need to be signed.

```sh
% cd <plm_root>/ext/jre/<machine_platform>/bin
% ./keytool -genkey -alias tomcat -keyalg RSA -keystore <keystore>
```

In this example a digital certificate is generated with the alias tomcat using the RSA algorithm and stored in the file <keystore>. RSA is required for the Netscape and Internet Explorer browsers.
Import Certificate

This step is required for production systems after a digital certificate from a trusted source has been obtained. Use the keytool utility to import the certificate. The following example imports the certificate file CERT.pem into the file <keystore>. Use the keystore attribute value defined above in server_web.xml.

```sh
% cd <plm_root>/ext/jre/<machine_platform>/bin
% ./keytool -import -v -trustcacerts -alias tomcat -file CERT.pem -keystore <keystore>
```
Enable the HTTPS Protocol

Then add the following Tomcat startup option (TOMCAT_OPTS) so that the URL class supports the HTTPS protocol:

```
TOMCAT_OPTS = -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol
```
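After editing server_web.xml it is worth checking the SSL connector for the mistakes the steps above invite, above all leaving the sample password changeit in place. The following audit is an added example, not Agile e6 or Tomcat code; it assumes the connector carries its keystore path and password in `keystore` and `keypass` attributes, and the XML sample is constructed.

```python
"""Audit the SSL Connector entries of a Tomcat server_web.xml.

Added example, not Agile e6 code. Assumption: the Connector element carries
its keystore path in a "keystore" attribute and its password in "keypass",
as the installation steps describe. The XML below is constructed.
"""
import xml.etree.ElementTree as ET

DEFAULT_KEYPASS = "changeit"  # the sample password from the install steps

# Constructed sample: the first connector mirrors the install example,
# the second shows two common mistakes.
SAMPLE_SERVER_WEB_XML = """<Server>
  <Connector className="org.apache.tomcat.service.PoolTcpConnector"
             port="8443"
             keystore="/opt/agile/ext/tomcat/conf/keystore"
             keypass="changeit"/>
  <Connector className="org.apache.tomcat.service.PoolTcpConnector"
             port="8444"
             keystore="conf/keystore"/>
</Server>"""


def audit_ssl_connectors(xml_text):
    """Return one finding string per weakness found in SSL connectors."""
    findings = []
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        keystore = conn.get("keystore")
        if keystore is None:
            continue  # no keystore attribute: not an SSL connector
        port = conn.get("port", "?")
        keypass = conn.get("keypass")
        if not keystore.startswith("/"):
            # a relative path resolves against Tomcat's working directory
            # (Unix-style paths assumed here), so it may not be found
            findings.append(f"port {port}: keystore path is not absolute")
        if keypass is None:
            findings.append(f"port {port}: keystore has no keypass attribute")
        elif keypass == DEFAULT_KEYPASS:
            findings.append(f"port {port}: keypass is the default '{DEFAULT_KEYPASS}'")
    return findings


if __name__ == "__main__":
    for line in audit_ssl_connectors(SAMPLE_SERVER_WEB_XML):
        print(line)
```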
Communication Path during File Viewing

This section describes the communication between the several components in a medium and a high-end security environment.
Software components:
Communication steps:

1. The user pushes the viewing button to view a file.
2. The Web Client calls the xfile userexit over ECI.
3. The PLM Server calls the FMS callable over ECI (the metadata is stored in the cache of the FMS Data Service).
4. The Web Client responds with a redirection URL to the browser, and the browser sends a GET request to the Web File Service (the request contains an access ticket).
5. The Web File Service decrypts the access ticket and sends a signed request envelope to the FMS Data Service to obtain the metadata.
6. The FMS Data Service responds with a signed envelope that contains the metadata.
7. The Web File Service calls the File Server via RPC using the FMS client library. The RPC return packet contains the socket for the file transfer.
8. The File Server creates a new thread for the file transfer and sends the file via the socket to the calling Web File Service.
9. The Web File Service passes the received data on, without caching it, as the response to the redirected GET request from the browser.
The communication in a high-end security environment differs slightly.

Software components:

Communication steps:

1. The user pushes the viewing button to view a file.
2. The Web Client calls the xfile userexit over ECI (the PLM Server checks whether a proxy configuration is available for the Web Client site and adds the proxy data to the metadata).
3. The PLM Server calls the FMS callable over ECI (the metadata is stored in the cache of the FMS Data Service).
4. The Web Client responds with a redirection URL to the browser, and the browser sends a GET request to the Web File Service (the request contains an access ticket).
5. The Web File Service decrypts the access ticket and sends a signed request envelope to the FMS Data Service to obtain the metadata.
6. The FMS Data Service responds with a signed envelope that contains the metadata.
7. The Web File Service generates a POST request to the Web File Service running on the internal Web Server to get the file. The POST request contains an encrypted envelope with the metadata.
8. The internal Web File Service calls the File Server via RPC using the FMS client library. The RPC return packet contains the socket for the file transfer.
9. The File Server creates a new thread for the file transfer and sends the file via the socket to the calling Web File Service.
10. The internal Web File Service passes the incoming file data on, without caching it, to the calling (Proxy) Web File Service.
11. The (Proxy) Web File Service passes the received data on, without caching it, as the response to the redirected GET request from the browser.
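Steps 5 and 6 of both sequences above rest on the Web File Service checking the signature on the envelope from the FMS Data Service before trusting the metadata it carries. The model below is an added example, not Agile e6 code: it assumes the envelope is JSON signed with HMAC-SHA256 under a key shared by the two services (the real envelope format is not documented here), and the metadata and key are constructed.

```python
"""Model of the signed-envelope exchange between the Web File Service and
the FMS Data Service (added example, not Agile e6 code).

Assumption: the envelope is JSON signed with HMAC-SHA256 under a key shared
by the two services. The real Agile e6 envelope format is not documented here.
"""
import hashlib
import hmac
import json

SHARED_KEY = b"constructed-demo-key"  # placeholder, not a real secret


def sign_envelope(payload, key=SHARED_KEY):
    """FMS Data Service side: serialise the metadata and attach a MAC."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def open_envelope(envelope, key=SHARED_KEY):
    """Web File Service side: verify the MAC before using the metadata.

    Returns the metadata dict, or None if the signature does not match.
    """
    expected = hmac.new(key, envelope["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["mac"]):
        return None
    return json.loads(envelope["body"])


# Constructed metadata: what the FMS Data Service cached at step 3.
META = {"ticket": "T-42", "vault": "vault1", "file": "drawing.dwg", "site": "www"}
SIGNED = sign_envelope(META)

# A copy altered in transit: the file name changes but the MAC cannot be
# recomputed without the shared key, so verification must fail.
TAMPERED = dict(SIGNED, body=SIGNED["body"].replace("drawing.dwg", "other.dwg"))

if __name__ == "__main__":
    print("genuine:", open_envelope(SIGNED))
    print("tampered:", open_envelope(TAMPERED))
```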
Configuration

This section describes how to configure the Web Proxy Server of the web file management system.
Configuration Parameter

The web proxy supports a main switch to activate or deactivate the proxy mechanism. The main switch is accessible via the "Configuration parameter" mask (Manager > System Configuration > Other Parameters). You have to insert this configuration parameter to activate the proxy mechanism.
Define a Web Proxy Service

In a high-end security environment, the Web File Service on the external Web Server works as a proxy to the internal Web File Service. Defining a Web Proxy takes two steps:

1. Define a default proxy for a site, or a specialized proxy for a vault of the site.
2. Set the site information in the configuration file of the Web Client.
Define a Proxy

You can define a set of default proxy entries for several sites by adding the information of the external Web Server with the path to the (Proxy) Web File Service. Additionally, you can define vault-specific proxy entries for a site in the same way. If a vault has no proxy information, the default proxy information is used.
Site Information of the Web Client

Each external Web Client should have unique site information, so that the PLM Server can decide whether a (Proxy) Web File Service is necessary. You can add this information in the file of the Web Client, which is located in the directory. The following line sets the site "www" for this Web Client:

```
axalant.env.EP_PROXY_SITE=www
```