Community Tip - You can Bookmark boards, posts or articles that you'd like to access again easily! X
I'm starting down the path of upgrading our PDMLink installation from 9.1 to 10.2. A couple of questions have popped up as I start looking at the documentation.
Mary-Ann
Hi Mary-Ann,
Bryan
Bryan,
In 9.1, there were some passwords saved in clear text in Apache property files. This didn't make our security folks too happy 🙂 But it sounds like there are no clear text passwords saved in property files anymore. Is that right?
Mary-Ann
I see what you mean. I believe everything is encrypted after 10.0. I just took a look on PTC's site and found this:
If you edit a properties file manually (not recommended by PTC but still done a lot) you could put a plain-text password in there but you are supposed to change passwords using xconfmanager and it will automatically encrypt them for you.
Here's a reference CS document: https://support.ptc.com/appserver/cs/view/solution.jsp?n=CS117247
I also looked for encrypting passwords - according to CS119306, Apache passwords are not encrypted in any version of Windchill.
Interesting - you're right! I just looked in my Apache conf files and see the plain text password for the LDAP user. I've never looked before. We control access to the server and also the file system so it's not an issue for us but that could be a concern for IT security.
This is Apache's doing not PTC's -- and Apache clearly sees no point in encrypting passwords in their configuration files.
Essentially, if you get to the server and then can get to the files in question, encryption of the passwords isn't going to buy you significantly more security unless the decryption process requires a password or key that is provided by the administrator on each startup of the server process. That's too obnoxious for most to even contemplate. If the means for decryption are tucked away somewhere on the file system that the attacker has already compromised, then this only cause slightly delay the attacker's progress.
So overall I personally concur with Apache -- this is what server and file system security are for.
I agree with you. If they are already in your system and reading the password in plain text then you have bigger problems to worry about.
Yup. Sometimes computer security doesn't seem to have quite the same perspective on things that we do. We can engineer the risk down. But the paperwork would have been easier if the password was encrypted
Which when it gets right down to it is why within PTC-authored software components passwords are encrypted.
9.1 can run 11.2.0.3 as that is what I upgraded to last December before going to Windchill 10.0m040 in April.
We receieved a notice from Oracle that 11g was going to maintenance mode witha 20% increase in maintenance fees effective January 1, 2016!!
Have you considered going to 12c for your Oracle version since it is supported on Windchill 10.2 m020 and higher?
The 11g increase in fees has caused my management to consider pushing us to 10.2 with 12c later this year.
I do want to see what PTC is going to call X-26, will it be 10.3 or 11? Hopefully we will know more next month in Nashville.
If only we could get IT to go to Oracle 12c! At least we'll be on 11.2.0.4 before we go to production with 10.2 M030.
The last info I read on this was that you needed to already be on 10.2 M020+ with Oracle 11G in order to upgrade Oracle to 12c. Then you could just export from 11 and import into 12. That's one reason we're going to 11.2.0.4 to begin with. The other reason is that we can have our existing 10.1 M030 database already at 11.2.0.4 so when we go to 10.2 M030 there are no oracle changes. After a while we can consider the 12c upgrade.
Bear in mind that, according to the latest software matrices shown on :
http://support.ptc.com/WCMS/files/156056/en/Windchill10.2M030SoftwareMatrices52015.pdf
you will need either Oracle 11.2.0.4 or 12.1.0.2, and that some of the table entries are greyed out because
12.1.0.2 is only available in (the much more expensive...) 'Enterprise Edition', as shown on :
http://www.oracle.com/technetwork/database/enterprise-edition/downloads/index-092322.html
So for now at least, you may find that you are stuck with using 11.2.0.4
Some other websites suggest that the only differences bewteen 12.1.0.1 and 12.1.0.2 are for 'Enterprise' edition features.
If that is true then why isn't 12.1.0.1 'Standard Edition (One)' certified & supported by PTC for Windchill 10.2 M030 ?
UPDATE: 07-Sept-2015
According to a new posting on PTC Knowledgebase, and the latest version of software matrices :
https://support.ptc.com/appserver/cs/view/solution.jsp?source=subscription&n=CS202620
http://support.ptc.com/WCMS/files/167881/en/Windchill10.2M030SoftwareMatrices8515.pdf
"The Standard Edition of Oracle 12.1.0.1 is now supported" for use with v10.2 M030
Also, now shown on the footer of Oracle's doc 1905806.1 it says:
"UPDATE: A release of 12.1.0.2 for Standard Edition customers is planned for Q3CY2015."
Other pages on Oracle's website suggest that will be the last release of SE1, and they are now talking about SE2...