Hi,
I am trying to set up an OData connector from ThingWorx to PDMLink.
Version is 11.0 for PDMLink, 8.1.5 for TX.
Navigate is installed, SSO mode with a PDMLink authentication (i.e. no PingFederate).
Everything works fine in Navigate.
But I can't make the OData connector work.
My configuration:
No Auth (driven by SSL certificate...)
Connection definition
Base url is https://kora.4cad.fr/Windchill/sslClientAuth
Also added
But when I try to use the "validate connection" service, I get a 403 error, and in the PDMLink log:
ERROR : wt.servlet.AuthBridgeServlet - Request rejected due to lack of remote user
What am I missing?
regards,
Ok I think I understand what's going on.
PDMLink's REST API is protected against CSRF attacks, so you have to use a specific header in the request.
Only the POST requests need it; GET requests don't.
I thought that the connector's CSRF settings would do this, but they don't.
I checked the network exchange with Wireshark: no CSRF token.
So it fails...
Now I need to find out how to set this token, maybe in GetCustomHeaderParameters, but I need to make a call to PDMLink to retrieve the token!
Hello
I am trying the same configuration for ODataConnector, and I learned that a JavaScript snippet is required to set wt.effectiveUid (or else there is no remote user, and you get code 403). In the GetCustomHeaderParameters service on the connector, add this script:
// Query parameter that tells Windchill which user the request runs as
var sessionQueryParam = "wt.effectiveUid";
var Language = Resources["CurrentSessionInfo"].GetCurrentUserLanguage();
// Build the result infotable that carries the custom headers
var params = {
    infoTableName : "InfoTable",
    dataShapeName : "NavigateCustomHeadersDataShape"
};
var result = Resources["InfoTableFunctions"].CreateInfoTableFromDataShape(params);
var CurrentUser = Resources["CurrentSessionInfo"].GetCurrentUser();
// Read the authentication type configured on this connector
params = {
    tableName: "GenericConnectorConnectionSettings" /* STRING */
};
var configTable = me.GetConfigurationTable(params);
var row = configTable.getRow(0);
var authType = row.getStringValue("AuthenticationType");
if ("None".equals(authType)) {
    // No connector-level auth: pass the current ThingWorx user in the query string
    var camelHttpQuery = sessionQueryParam + "=" + CurrentUser;
    row = {"Accept-Language" : Language, "CamelHttpQuery": camelHttpQuery };
} else {
    row = {"Accept-Language" : Language };
}
result.AddRow(row);
With this addition, I am able to successfully execute the ValidateConnection test. I am working now on issues with the GetEndpointList service, but I get authenticated.
Follow up:
Setting Relative URL to: /servlet/odata/IE restricts the connection to the IE endpoint. Using /servlet/odata will allow access to all endpoints.
You also need Windchill 11.0 M030 to be patched to at least CPS06 for the REST services to be up to date. Remember that you need to re-apply the Windchill Extension for Navigate after completing the CPS patch.
Hi,
My version is
M030-CPS08
Not sure my rest module is up to date...
M010 1.0 odata.1.0.10.00.10 01 windchill 1.0 REST Services
I tried servlet/odata but it's not working.
[https://kora.4cad.fr/Windchill/sslClientAuth/servlet/odata/$metadata?wt.effectiveUid=Administrator] with status [ - Invalid domain request]
However, GetEndPointList works... in the new composer :-)
Last update: I can create the service, but calling it raises an error:
Unable to Invoke Service InvokeIE on ODATAConnector2 : Your route exchange has failed. Service operation failed [https://kora.4cad.fr/Windchill/sslClientAuth/servlet/odata/IE/InvokeIETask?wt.effectiveUid=Administrator] with status [ - A potential security problem was detected. Refresh the page and try again. If the problem persists, contact your administrator.]
But this comes from the CSRF_NONCE header, so I can fix it, I guess. I'll post the final result.
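An added example, not part of the thread: a small Node.js check for the two symptoms discussed above (no `wt.effectiveUid`, and a POST without the `CSRF_NONCE` header), run over request heads copied from a capture. The sample requests are constructed from the URLs quoted in the thread, the nonce value is a placeholder, and the function names are hypothetical.

```javascript
const NONCE_HEADER = "csrf_nonce";        // header name from the thread; HTTP names are case-insensitive
const NONCE_METHODS = new Set(["POST"]);  // the thread states only POST needs the header
const UID_PARAM = "wt.effectiveUid";      // without it Windchill reports "lack of remote user"

// Parse the request line and headers of one raw HTTP request (body ignored).
function parseRequestHead(raw) {
  const lines = raw.split(/\r?\n\r?\n/)[0].split(/\r?\n/);
  const m = /^([A-Z]+)\s+(\S+)\s+HTTP\/\d(?:\.\d)?$/.exec(lines[0]);
  if (!m) throw new Error("not an HTTP request line: " + lines[0]);
  const target = m[2];
  const q = target.indexOf("?");
  const headers = new Map();
  for (const line of lines.slice(1)) {
    const i = line.indexOf(":");
    if (i > 0) headers.set(line.slice(0, i).trim().toLowerCase(), line.slice(i + 1).trim());
  }
  return {
    method: m[1],
    path: q < 0 ? target : target.slice(0, q),
    query: new URLSearchParams(q < 0 ? "" : target.slice(q + 1)),
    headers,
  };
}

// Report which of the two requirements from the thread a request fails.
function auditRequest(raw) {
  const req = parseRequestHead(raw);
  const problems = [];
  if (!req.query.get(UID_PARAM)) problems.push("no " + UID_PARAM);
  if (NONCE_METHODS.has(req.method) && !req.headers.get(NONCE_HEADER)) {
    problems.push("no CSRF_NONCE header");
  }
  return { method: req.method, path: req.path, problems };
}

// Constructed sample capture (not real traffic).
const BASE = "/Windchill/sslClientAuth/servlet/odata";
const SAMPLE = [
  "GET " + BASE + "/$metadata?wt.effectiveUid=Administrator HTTP/1.1\r\nHost: kora.4cad.fr\r\n\r\n",
  "POST " + BASE + "/IE/InvokeIETask?wt.effectiveUid=Administrator HTTP/1.1\r\n" +
    "Host: kora.4cad.fr\r\nContent-Type: application/json\r\n\r\n{}",
  "POST " + BASE + "/IE/InvokeIETask HTTP/1.1\r\nHost: kora.4cad.fr\r\n" +
    "Csrf_Nonce: constructed-placeholder\r\n\r\n{}",
];

for (const r of SAMPLE.map(auditRequest)) {
  console.log(r.method, r.path, r.problems.join("; ") || "ok");
}
```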
Here's a clarification I received from R&D:
The relative url should be /servlet/odata only. Any domains like IE, ProdMgmt, etc should be set as values of the ServiceRootRelativeURL configuration. By setting the relative url that includes the domain name in it, you are restricting the connector to expose endpoints only in that domain. The expected protocol is to list all domains in the ServiceRootRelativeURL configuration, even if it's just one domain like IE in this case.
The final trick to this configuration is that ODataConnector is only fully supported in the New Composer (aka Next Gen Composer). You can edit it in the old composer, but to successfully run all the services you need to open the New Composer and select the service to run from there. You make the New Composer available by clicking on your login name in the upper right, clicking Preferences, and checking the box for "Turn on New Composer Feature". That will add the new composer as a choice on the black bar at the top of the interface.
We have documented all of this in Article CS291231 (https://www.ptc.com/en/support/article?n=CS291231)
Thanks for all the info.
I can call some services, like getGroups.
I can't call more complex services, like getBom. It works with Postman, but no way from TX.
I tried with TX 8.3.1, but it's even worse as calling the test connection service returns an invalid service name error.
Still digging ...
Hello.
For that last error, take a look at this article. There is a bug report open for this but the article also offers a possible workaround.
-- Craig A.
Well,
I don't have any special characters in the payload, so I'm not sure it's related.