
Provide a way to dynamically add trusted hosts & whitelist prefixes to Windchill Environment


Provide a way to dynamically update trusted hosts & whitelist prefixes for Windchill

 

Currently you have to set the following properties - worker.exe.whitelist.prefixes & wt.auth.trustedHost, repropagate & restart Windchill. This is cumbersome and means that to add a new IP address or drive path you have to restart Windchill, causing downtime or waiting for a maintenance window. If a worker stops working, and you need to stand up a new worker, your options are: function at reduced capability, have immediate downtime (and possible subsequent downtime), or future downtime.

 

Possible Solutions:

  • For trusted host,
    • allow a subnet range
    • dynamically read from another file that doesn't require restart
    • Use certificate authentication between servers
  • For prefix whitelisting, allow 
    • Dynamically read from another file that doesn't require restart
3 Comments
jbailey
14-Alexandrite

Either no one read this, or I found an undocumented feature that does what I want...

 

So this is what is documented... space delineated hosts & IP addresses

<Property name="wt.auth.trustedHost" overridable="true"
          targetFile="codebase/wt.properties"
          value="host 1 host 2 host 3 XXX.XXX.215.XXX XXX.XXX.215.XX1 XXX.XXX.215.XX2 "/>

 
After a "WTH, let's try it" moment... I added an * instead of the last IPv4 octet... BINGO. You can trust subnets vs individual hosts.
I haven't tried multiple subnets (I have to find a worker on another  

<Property name="wt.auth.trustedHost" overridable="true"
          targetFile="codebase/wt.properties"
          value="XXX.XXX.215.*"/>
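
One way to audit what a wt.auth.trustedHost value like the one in the comment above actually trusts, as an added example that is not part of the original post and is not PTC code. It assumes that `*` replaces one whole IPv4 octet, as the comment observed for the last octet; the function names, the wrapper element, the host name and the documentation-range addresses are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample shaped like the Property element quoted above. The wrapper
# element, host name and 192.0.2.x / 198.51.100.x addresses are placeholders.
SAMPLE_XCONF = """<Configuration>
  <Property name="wt.auth.trustedHost" overridable="true"
            targetFile="codebase/wt.properties"
            value="cadworker1 192.0.2.15 198.51.100.* "/>
</Configuration>"""

def trusted_host_entries(xconf_text):
    """Collect the space-separated entries of every wt.auth.trustedHost property."""
    entries = []
    for prop in ET.fromstring(xconf_text).iter("Property"):
        if prop.get("name") == "wt.auth.trustedHost":
            entries.extend(prop.get("value", "").split())
    return entries

def classify(entry):
    """Return (kind, number of IPv4 addresses the entry trusts, or None)."""
    octets = entry.split(".")
    if "*" in entry:
        # Assumption: "*" replaces one whole octet, as the comment observed for
        # the last octet; anything else containing "*" is reported as invalid.
        ok = len(octets) == 4 and all(
            o == "*" or (o.isdecimal() and int(o) <= 255) for o in octets)
        return ("wildcard", 256 ** octets.count("*")) if ok else ("invalid", None)
    try:
        ipaddress.IPv4Address(entry)
        return ("address", 1)
    except ValueError:
        return ("hostname", None)

def covering_entry(ip, entries):
    """Return the first IPv4 entry that would trust `ip`, or None."""
    want = str(ipaddress.IPv4Address(ip)).split(".")
    for entry in entries:
        if classify(entry)[0] in ("wildcard", "address"):
            if all(e in ("*", w) for e, w in zip(entry.split("."), want)):
                return entry
    return None

if __name__ == "__main__":
    entries = trusted_host_entries(SAMPLE_XCONF)
    for e in entries:
        print(e, *classify(e))
    print(covering_entry("198.51.100.77", entries))
```

Running `covering_entry` over the addresses a load balancer or reverse proxy can present shows which of them an existing entry already trusts, and the address count from `classify` shows how far each wildcard widens trusted authentication.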

BrianSullivan
5-Regular Member

Thanks for Posting the Subnet Example:

This is an issue; 

We have Single Sign On Enabled - so CAD Workers need to use Trusted Auth.

and We also have a Reverse Proxy/Alias in Place (Internal/External) so CAD Workers routing through the DMV... the device can select from a series of IP for Load Balancing...  We were about to add them all to the list...  But glad to try your WTH solution.

jbailey
14-Alexandrite

@BrianSullivan  - We have had this in production in 11.2.1.6 for 3 months now, no issues