Attributes mapping using mTLS authentication and OpenDJ LDAP

AlainBouchet
2-Explorer

I am using Windchill PDMLink Release 12.0 and Datecode with CPS 12.0.2.3

My current PLM configuration is using basic authentication (Apache, OpenDJ & Windchill PDMLink). I have been requested to use the mTLS login and authentication method. mTLS is configured and working. I now need to map Apache mTLS authentication attributes to OpenDJ / PLM user attributes. Where can I find documentation or an explanation describing how to proceed?
4 REPLIES

Without providing details of your installation, would you care to document your setup to share with others? For the LDAP attribute mapping, are you looking for this?

https://support.ptc.com/help/windchill/r13.1.1.0/en/index.html#page/Windchill_Help_Center/WCInstallConfigGuide/WCInstall_MapUserGroup.html


Thanks for your post.

The document you are pointing to is not really what I am looking for, even if the Windchill LDAP attribute description could be useful.


I have a Windchill 12.0 (almost) off-the-shelf installation:

Apache is running as the front-end web server.

OpenDJ is running as the LDAP server.

Windchill PDMLink is running as the PLM application.


Up to now, this installation was using HTTPS with basic authentication to allow users to connect to the PLM application.

We have now configured mTLS on the installation to secure the authentication process. Not a big deal when you have the right information.

Some changes in the mod_ssl.conf file, then add your CA root certificate on the server, restart the HTTP service and mTLS is active.


At that point, if I try to connect to my PLM application in my usual browser, without any change on the client side, I now get a login box using the company PKI card authentication mechanism instead of the good old basic authentication dialog box.

This mTLS feature is entirely handled by the web server layer and has nothing to do with OpenDJ and Windchill.

If I successfully identify myself, I am allowed to "talk to" the PLM, and as there is no link with OpenDJ and the PLM application, I get a second login box (the basic one) where I need to enter my previous credentials to be identified as a PLM user.


It is this second login box that I would like to suppress by using the authentication information contained in the user certificate transmitted through mTLS to log into the PLM application. That is what I would call "connecting mTLS authentication with OpenDJ and the PLM application". And that's the part where I need some documentation to understand how to proceed.


Additional thoughts:

As the user certificate information does not necessarily match the PLM / OpenDJ user attributes, I need to find one or several pieces of information common to the certificate attributes and the PLM/OpenDJ user attributes to be able to verify that the mTLS user matches one of my PLM users. This is what I meant when I was talking about "attribute mapping".

The web literature indicates that the Apache module mod_authnz_ldap would be key to implementing a search filter using certificate attributes exposed in the web server against LDAP attributes in OpenDJ.


My description is maybe a bit too long but I hope it clarifies what I am looking for.

Sorry up front. I know I'm rambling as I think through your request.

First, responses are light because mTLS doesn't appear to be on PTC's radar. A quick knowledge base search came back with nothing. This should be a PTC Technical Support call to at least raise visibility of mTLS requirements to PTC.


We are guessing 'Apache mTLS authentication attributes' really means LDAP attributes that you want to map into Windchill? If so, we are mapping OpenDJ attributes to Windchill and it really doesn't have anything directly to do with mTLS (see @avillanueva's article). The mTLS piece only comes into play in connecting Windchill to OpenDJ.

You said the Apache to OpenDJ connection is now using mTLS. Were you successful connecting Windchill to OpenDJ over mTLS? This would be a Java to OpenDJ mTLS connection. I'm not sure if PTC's JNDI Adapters implementation can work with mTLS.

If you are successful setting up mTLS on the Windchill side, then you should be able to follow the article referenced to map PTC supported attributes through adapterservice.json / Info*Engine Administration.


If you really want to add custom attributes, beyond what PTC supports out of the box, see this section of the help documentation and the following article.

https://support.ptc.com/help/windchill/r13.1.1.0/en/index.html#page/Windchill_Help_Center/customization/WCCG_Serv_LDAP_Intro.html#

https://www.ptc.com/en/support/article/CS162357


Hope this helps.  Please let us know how far you get.

Thanks for your contribution. I agree that the PTC knowledge base is not of much help on the mTLS topic. I tried opening a ticket, but the answer just redirected me to the community...

Please see my answer to the previous post for a detailed explanation of what I am looking for.

My missing part is not between OpenDJ and the PLM application but really between Apache (and the mTLS layer) and the OpenDJ/Windchill pair.

"Apache mTLS authentication attributes" means "attributes associated with the user certificate transferred by the mTLS layer". These attributes can be exposed in variables accessible in the Apache web server. So we can assume that they could be used to check for user existence in the OpenDJ LDAP, and if a match is found, we would connect to the PLM on behalf of this matching user.

I am looking for information or implementation samples related to these last two steps.
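An added example (not code from this thread, PTC or OpenDJ) of the two last steps described above: take the certificate attributes that Apache's mod_ssl exposes as variables (SSL_CLIENT_S_DN, SSL_CLIENT_S_DN_Email) and turn them into an escaped OpenDJ search filter that must resolve to exactly one user. The mapping rule (certificate CN and e-mail to LDAP cn and mail), the attribute names and the sample entries are assumptions made for the example.

```python
import re

# Constructed sample of what Apache 2.4 (mod_ssl with "SSLOptions +StdEnvVars")
# exposes after a client-certificate handshake; the subject is in RFC 2253 form.
# Every name and value below is made up for this example.
SAMPLE_ENV = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "CN=Jane Doe,OU=Engineering,O=Example Corp,C=FR",
    "SSL_CLIENT_S_DN_Email": "jane.doe@example.com",
}
# Constructed stand-in for OpenDJ user entries (attribute names are assumptions).
SAMPLE_DIRECTORY = [
    {"uid": "jdoe", "cn": "Jane Doe", "mail": "jane.doe@example.com"},
    {"uid": "jsmith", "cn": "John Smith", "mail": "john.smith@example.com"},
]
_RDN_SPLIT = re.compile(r"(?<!\\),")  # split on commas not escaped with "\"

def parse_dn(dn):
    """Parse an RFC 2253 DN string into {attribute: value}; first occurrence wins."""
    out = {}
    for rdn in _RDN_SPLIT.split(dn):
        attr, _, value = rdn.partition("=")
        out.setdefault(attr.strip(), value.replace("\\,", ",").strip())
    return out

def ldap_escape(value):
    """RFC 4515 escaping so a certificate value can never reshape the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def match_criteria(env):
    """Certificate fields used to identify the PLM user. The mapping rule
    (cert CN -> LDAP cn, cert e-mail -> LDAP mail) is an assumption."""
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        raise PermissionError("Apache did not verify the client certificate")
    subject = parse_dn(env["SSL_CLIENT_S_DN"])
    return {"cn": subject["CN"], "mail": env["SSL_CLIENT_S_DN_Email"]}

def build_filter(criteria):
    """The search filter an AuthLDAPURL-style lookup would send to OpenDJ."""
    terms = "".join("(%s=%s)" % (k, ldap_escape(v)) for k, v in criteria.items())
    return "(&(objectClass=inetOrgPerson)%s)" % terms

def lookup_uid(criteria, directory=SAMPLE_DIRECTORY):
    """uid of the single entry matching every criterion, else None (absent or
    ambiguous users are refused, not guessed). cn/mail match case-insensitively."""
    hits = [e for e in directory
            if all(e.get(k, "").lower() == v.lower() for k, v in criteria.items())]
    return hits[0]["uid"] if len(hits) == 1 else None
```

Only the uid returned by lookup_uid would be handed to Windchill as the authenticated user; a None result should fall back to denying access rather than to the basic-auth dialog.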
