
Dummys Guide to Whitelist Setup in 10.2 ???

davehaigh
12-Amethyst


OK, PTC sent me a link to

I guess I should point out I'm on Windows so I guess the unix command nohup isn't needed.

Also the worker machines are not on the windchill server so the examples they give of C:\\|D:\\|G:\\| don't really tell me what I need to know to specify a separate worker machine.

I'd also like the command syntax for the windchill shell to set this up.

David Haigh
TomU
23-Emerald IV
(To:davehaigh)

Two things you need to do:


1.) Add the remote workers to the "trustedHosts" property. Separate multiple entries with spaces. (CS182327: https://support.ptc.com/appserver/cs/view/solution.jsp?n=CS182327)

Example:

xconfmanager -s wt.auth.trustedHosts=192.168.21.27 -p



2.) Add the path to the Creo executable on the remote worker to the "whitelist" property.

Example: (We have the Creo Adapters installed on the "E:" drive in the "ptc" folder)

xconfmanager -s worker.exe.whitelist.prefixes="E:\\ptc" -t codebase/WEB-INF/conf/wvs.properties -p

These are with Windchill 10.2 M020.

Tom U.

Ok that was a missing piece of the puzzle.

What I don't get is where is the server listed in the white list? What if I set up multiple worker machines? How does it know which machine that path is on?

I'm going to have a doc worker with LiveCycle on one windows machine and a CAD worker on another windows machine.

David Haigh
TomU
23-Emerald IV
(To:davehaigh)

If you really want to you can specify the hostname in the whitelist. Instead of using "worker.exe.whitelist.prefixes", use "worker.exe.whitelist.prefixes.<host name>". This way you can specify a unique location on each host. (See CS140965: https://support.ptc.com/appserver/cs/view/solution.jsp?n=CS140965)

I didn't bother to do this since all workers defined by "trustedHosts" have the Creo adapters installed in the same location on their respective machines.

Tom U.
RandyJones
20-Turquoise
(To:davehaigh)

On 03/23/15 15:34, Haigh, David A. wrote:
>
> Ok that was a missing piece of the puzzle.
>
> What I don’t get is where is the server listed in the white list? What if I set up multiple worker machines? How does it know which machine that path is on?
>

It doesn't know or care. The whitelist is merely a list of "whitelisted" commands or prefixes that are suitable to run on any worker machine. Which machine the command(s) are run on is setup when you configure the worker.

> I’m going to have a doc worker with LiveCycle on one windows machine and a CAD worker on another windows machine.
>
> David Haigh
> Phone: 925-424-3931
> Fax: 925-423-7496
> Lawrence Livermore National Lab
> 7000 East Ave, L-362
> Livermore, CA 94550
>
> *From:*Uminn, Tom [mailto:-]
> *Sent:* Monday, March 23, 2015 12:04 PM
> *To:* Haigh, David A.; -
> *Subject:* [solutions] - RE: Dummys Guide to Whitelist Setup in 10.2 ???
>
> Two things you need to do:
>
> 1.) Add the remote workers to the “trustedHosts” property. Separate multiple entries with spaces. (CS182327 <https://support.ptc.com/appserver/cs/view/solution.jsp?n=CS182327>)
>
> Example:
>
> xconfmanager -s wt.auth.trustedHosts=192.168.21.27 -p
>
> 2.)Add the path to the Creo executable _on the remote worker_ to the “whitelist” property.
>
> Example: (We have the Creo Adapters installed on the “E:” drive in the “ptc” folder)
>
> xconfmanager -s worker.exe.whitelist.prefixes="E:\ptc" -t codebase/WEB-INF/conf/wvs.properties -p
>
> These are with Windchill 10.2 M020.
>
> Tom U.
>
> *From:*Haigh, David A. [mailto:-]
> *Sent:* Monday, March 23, 2015 2:33 PM
> *To:* Haigh, David A.; -
> *Subject:* [solutions] - RE: Dummys Guide to Whitelist Setup in 10.2 ???
>
> I guess I should point out I’m on Windows so I guess the unix command nohup isn’t needed.
>
> Also the worker machines are not on the windchill server so the examples they give of C:\|D:\|G:\| don’t really tell me what I need to know to specify a separate worker machine.
>
> I’d also like the command syntax for the windchill shell to set this up.
>
> David Haigh
> Phone: 925-424-3931
> Fax: 925-423-7496
> Lawrence Livermore National Lab
> 7000 East Ave, L-362
> Livermore, CA 94550
>
> *From:*Haigh, David A. [mailto:-]
> *Sent:* Monday, March 23, 2015 11:14 AM
> *To:* -
> *Subject:* [solutions] - Dummys Guide to Whitelist Setup in 10.2 ???
>
> OK, PTC sent me a link to https://support.ptc.com/appserver/cs/view/solution.jsp?n=CS140965
>
> I looked at the 10.2 install guide and read the following information in wvs.properties.xconf file.
>
> I’m confused.
>
> Does someone have a dummy’s guide to setting this up?
>
> Assume I have three workers where the machine names are*Barney*, *Fred*, & *Stonequarry*.
>
> Step by step How would I set this up?
>
> I assume I’m doing this in the windchill shell.
>
> From the wvs.properties.xconf file:
>
> ===========================
>
> **************************************************************************
>
> * WORKER EXECUTABLE PREFIX SETTINGS *
>
> **************************************************************************
>
> The following properties specify the trusted worker startup commands or their prefixes. If
>
> the executable of a worker matches one of the commands or prefixes listed, the worker is
>
> eligible for auto-start by the Worker Agent. Otherwise, it is not eligible for auto-start.
>
> If a worker command is to be specified in the list, then the complete worker startup command,
>
> not just a portion of it, should be included. For example:
>
> nohup /usr/object_adapters/10.1/cadds/caddsworker &
>
> If a prefix of a worker command (or commands of workers installed under the same directory)
>
> is to be specified in the list, the prefix must end with a name of a directory. For example,
>
> if one of the prefixes in the whitelist is
>
> nohup /usr/object_adapters/10.1
>
> a worker whose exe is "nohup /usr/object_adapters/10.1/cadds/caddsworker &" (or any worker
>
> whose exe is prefixed with "nohup /usr/object_adapters/10.1/") is eligible for auto-start.
>
> But a worker with an exe of "nohup /usr/object_adapters/10.1x/cadds/caddsworker &" or
>
> "/usr/object_adapters/10.1/cadds/caddsworker &" will not be eligible for auto-start.
>
> The vertical bar (pipe) character is used as a delimiter to separate multiple worker commands
>
> or prefixes in the property value. For example:
>
> D:\apps\remoteworkers|nohup /usr/object_adapters/10.1/cadds/caddsworker &
>
> -->

So this worker.exe.whitelist.prefixes.<worker_host>=<prefixes>

I would configure like this? (for workers called stonequary & flintstone)

xconfmanager -s worker.exe.whitelist.prefixes.stonequary="C:\ptc\creo_view_adapters\proe_production" -t codebase/WEB-INF/conf/wvs.properties -p
xconfmanager -s worker.exe.whitelist.prefixes.flintstone="C:\ptc\creo_view_adapters\doc_production" -t codebase/WEB-INF/conf/wvs.properties -p

David Haigh
TomU
23-Emerald IV
(To:davehaigh)

Close. Backslashes in the path have to be entered twice "\\". When viewing the property (xconfmanager -d ...) it will only display them once.

Again, keep in mind, you probably don't need to whitelist quite so deep. All this is doing is telling Windchill that it may only run executables if they exist in this path.

Tom U.

Ok so as Randy pointed out I wouldn't then need to configure this for both servers.

xconfmanager -s worker.exe.whitelist.prefixes="C:\\ptc" -t codebase/WEB-INF/conf/wvs.properties -p

I started printing out sections of the Visualization Services Guide. Instead of giving the users examples and why, they seem to go into all the detail I don't really need, and skip the how and why of different configuration options.

Your one phrase, "All this is doing is telling Windchill that it may only run executables if they exist in this path." told me more than I'd figured out from what I've read so far.

David Haigh

David and Tom,

Attempting to set up a worker for 10.2. I set both the properties above as suggested then restarted Windchill. The worker still states that the executable is not safe. I've double checked the property settings and they appear to be set appropriately.

wvs.properties entry;

worker.exe.whitelist.prefixes=c\:\\ptc

wt.properties entry

wt.auth.trustedHosts=149.59.130.114

Any other suggestions as to why the worker is still reporting unsafe?

Thanks

Bob Mills

TomU
23-Emerald IV
(To:bmills)

Make sure the case is correct.  The syntax used in the worker definition must exactly match the property value.  "C:\ptc" is not equal to "c:\ptc".

bmills
1-Visitor
(To:TomU)

Thanks Tom! That was exactly my problem. I needed to revisit my Unix days, that would have triggered my brain on this one.

avillanueva
22-Sapphire II
(To:bmills)

I've also battled this field. What I can confirm is that they must be doing some parsing in the command path that expects the whitelist prefix to stop on a slash. For example, I had three workers on my cad worker setup as pdmlink10worker1, pdmlink10worker2 and pdmlink10worker3. These were all subfolder names. If my whitelist prefix was "C:\pdmlink10worker" it puked on it. If I changed it to "C:\pdmlink10worker1" it accepted my first command but not the others obviously. The implementation should have been straight up java regex. Not sure how they goofed it.
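
Added example, not from any poster in this thread and not PTC's code: a Python sketch of the matching rules as the quoted wvs.properties.xconf comment and the replies above describe them (pipe-delimited entries, complete command or a prefix that ends on a directory name, case-sensitive). The function names and the `worker.bat` paths are constructed for illustration, and Windchill's real matching logic is only assumed to behave this way.

```python
import re

SEPARATORS = ("\\", "/")

def unescape_property(raw):
    # Undo the backslash escapes seen in the wvs.properties entry posted above
    # (escaped backslash, colon, equals). Other .properties escapes are ignored.
    return re.sub(r"\\([\\:=])", r"\1", raw)

def diagnose(exe, whitelist_value):
    """Return (eligible, reason) for a worker command against a whitelist value."""
    near_miss = "no whitelist entry matches"
    for entry in filter(None, whitelist_value.split("|")):
        if exe == entry:
            return True, f"complete command matches {entry!r}"
        base = entry.rstrip("\\/")
        if exe.startswith(base):
            # A prefix must end on a directory name, so the next character of
            # the command has to be a path separator (10.1 must not cover 10.1x).
            if exe[len(base):len(base) + 1] in SEPARATORS:
                return True, f"prefix {entry!r} ends on a directory name"
            near_miss = f"{entry!r} stops in the middle of a directory name"
        elif exe.lower().startswith(base.lower()):
            near_miss = f"{entry!r} differs from the command only by case"
    return False, near_miss

if __name__ == "__main__":
    # Constructed sample worker commands; whitelist values are taken from the thread.
    cases = [
        ("nohup /usr/object_adapters/10.1/cadds/caddsworker &",
         "nohup /usr/object_adapters/10.1"),
        ("nohup /usr/object_adapters/10.1x/cadds/caddsworker &",
         "nohup /usr/object_adapters/10.1"),
        (r"C:\ptc\creo_view_adapters\worker.bat", unescape_property(r"c\:\\ptc")),
        (r"C:\pdmlink10worker2\worker.bat", r"C:\pdmlink10worker"),
        (r"C:\pdmlink10worker2\worker.bat", r"C:\pdmlink10worker1|C:\pdmlink10worker2"),
    ]
    for exe, whitelist in cases:
        ok, reason = diagnose(exe, whitelist)
        print(f"{'SAFE  ' if ok else 'UNSAFE'} {exe!r}: {reason}")
```

Running the same check over the worker definitions before restarting Windchill shows which entry is a near miss (wrong case, or a prefix that stops partway through a folder name) instead of leaving only the "not safe" message to go on.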
