
How to configure ThingWorx as a client with certificate authentication.

jgabriel
12-Amethyst


We are using a 3rd-party user data provider, LDAP, with a WebService that needs certificate authentication. In this scenario, ThingWorx is the client, so I configured the Tomcat/Java arguments like this:

-Djavax.net.ssl.trustStore=C:/Users/user/Downloads/truststore.jks

-Djavax.net.ssl.trustStorePassword=

-Djavax.net.ssl.keyStore=C:/Users/user/Downloads/ws.jks

-Djavax.net.ssl.keyStorePassword=password


But when I make an HTTPS request, I noticed that the certificate authentication doesn't work (HTTP 403) in ThingWorx. From the SSL debug logs it seems that ThingWorx does not use the provided certificates. The keystores are correct; my Java test app works as expected with them, so we can rule that out.


Currently, there is an open support ticket with PTC.

Has anyone tried to achieve that? How to configure Tomcat? Any ideas why it is not working?

Environment:

ThingWorx: 7.3.3-b67

Tomcat: 8.0.42

1 ACCEPTED SOLUTION

Accepted Solutions
jgabriel
12-Amethyst
(To:jgabriel)

Content loader functions do not support the SSL context from the underlying Java; as a result, no request from JS gets authorized with certificates.

The Tomcat configuration is correct; you just have to use Java to build custom functionality.


7 REPLIES
posipova
20-Turquoise
(To:jgabriel)

Adding this for TS reference, support number:

13662500

Are you just trying to configure Tomcat in 443? There is documentation on this in KCS.

No, as a client to other server.

jgabriel
12-Amethyst
(To:jgabriel)

Example I received from support:

String username = ....;
String groupName = ...;

// Open a transaction; the finally block ends it even if a call below throws.
TransactionFactory.beginTransactionRequired();
try {
    // Run the entity calls below in the super user security context.
    ThreadLocalContext.setSecurityContext(SecurityContext.createSuperUserContext());
    EntityServices x = (EntityServices) EntityUtilities.findEntity("EntityServices", ThingworxRelationshipTypes.Resource);
    x.CreateUser(username, null, null, username);
    User user = (User) EntityUtilities.findEntity(username, ThingworxRelationshipTypes.User);
    Group grp = (Group) EntityUtilities.findEntity(groupName, ThingworxRelationshipTypes.Group);
    // Add the user to the group only if the group exists.
    if (grp != null) {
        user.addGroup(grp);
    }
} finally {
    TransactionFactory.endTransactionRequired();
}

Is there any place where you can find examples like this?


For example, how do I figure out that I first have to invoke:

  1. ThreadLocalContext.setSecurityContext(SecurityContext.createSuperUserContext());

That is something that I am not able to get from JavaDoc…

sarathi
12-Amethyst
(To:jgabriel)

Hi @jgabriel, did you solve the above problem? If it is solved, please help me with how to resolve the problem regarding certificate-based client authentication, because I am also facing the same problem....

jgabriel
12-Amethyst
(To:sarathi)

JavaScript content loader functions are unable (tested on TW 7.3) to use certificates.

 

Please see: https://serverfault.com/questions/845141/where-to-put-certificates-in-tomcat-when-app-acts-as-client
