I'm starting down the path of upgrading our PDMLink installation from 9.1 to 10.2. A couple of questions have popped up as I start looking at the documentation.
Mary-Ann
Hi Mary-Ann,
Bryan
Bryan,
In 9.1, there were some passwords saved in clear text in Apache property files. This didn't make our security folks too happy 🙂 But it sounds like there are no clear text passwords saved in property files anymore. Is that right?
Mary-Ann
I see what you mean. I believe everything is encrypted after 10.0. I just took a look on PTC's site and found this:
If you edit a properties file manually (not recommended by PTC but still done a lot) you could put a plain-text password in there but you are supposed to change passwords using xconfmanager and it will automatically encrypt them for you.
Here's a reference CS document: https://support.ptc.com/appserver/cs/view/solution.jsp?n=CS117247
I also looked for encrypting passwords - according to CS119306, Apache passwords are not encrypted in any version of Windchill.
Interesting - you're right! I just looked in my Apache conf files and see the plain text password for the LDAP user. I've never looked before. We control access to the server and also the file system so it's not an issue for us but that could be a concern for IT security.
This is Apache's doing not PTC's -- and Apache clearly sees no point in encrypting passwords in their configuration files.
Essentially, if you get to the server and then can get to the files in question, encryption of the passwords isn't going to buy you significantly more security unless the decryption process requires a password or key that is provided by the administrator on each startup of the server process. That's too obnoxious for most to even contemplate. If the means for decryption are tucked away somewhere on the file system that the attacker has already compromised, then this only slightly delays the attacker's progress.
So overall I personally concur with Apache -- this is what server and file system security are for.
I agree with you. If they are already in your system and reading the password in plain text then you have bigger problems to worry about.
Yup. Sometimes computer security doesn't seem to have quite the same perspective on things that we do. We can engineer the risk down. But the paperwork would have been easier if the password was encrypted.
Which when it gets right down to it is why within PTC-authored software components passwords are encrypted.
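An added example, not part of any post in this thread: since the plain-text LDAP password in the Apache conf files is protected only by server and file system access, this Python sketch finds `AuthLDAPBindPassword` lines stored in the clear and flags the file when its POSIX mode grants access beyond the owner. The sample config, file name and the 644/600 modes are constructed assumptions; the script never prints the password value.

```python
import os
import re
import stat
import tempfile

# mod_authnz_ldap directive that holds the LDAP bind password; value may be quoted.
DIRECTIVE = re.compile(r'^\s*AuthLDAPBindPassword\s+("[^"]*"|\S+)', re.IGNORECASE)

# Constructed sample config (not taken from the thread).
SAMPLE = (
    "# LDAP auth for the web app\n"
    'AuthLDAPBindDN "cn=svc-apache,dc=example,dc=com"\n'
    'AuthLDAPBindPassword "constructed-secret"\n'
)

def audit_conf(path):
    """Return (line_no, issue) findings; line_no 0 means a file-level issue."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line_no, line in enumerate(fh, 1):
            match = DIRECTIVE.match(line)  # commented-out lines do not match
            if not match:
                continue
            value = match.group(1).strip('"')
            # Apache 2.4.5+ accepts "exec:<command>" to fetch the password
            # from a helper program instead of storing it in the file.
            if value.startswith("exec:"):
                continue
            findings.append((line_no, "plaintext bind password"))  # value never echoed
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if findings and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append((0, f"mode {mode:o} grants access beyond the owner"))
    return findings

def demo():
    """Audit the sample with loose (644) and owner-only (600) permissions."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "app-ldap.conf")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o644)
        loose = audit_conf(path)
        os.chmod(path, 0o600)
        tight = audit_conf(path)
    return loose, tight

if __name__ == "__main__":
    print(demo())
```

Tightening the mode removes the file-level finding but not the plaintext one, which matches the thread's point that the remaining control is who can reach the server and its files.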
9.1 can run 11.2.0.3 as that is what I upgraded to last December before going to Windchill 10.0m040 in April.
We received a notice from Oracle that 11g was going to maintenance mode with a 20% increase in maintenance fees effective January 1, 2016!!
Have you considered going to 12c for your Oracle version since it is supported on Windchill 10.2 m020 and higher?
The 11g increase in fees has caused my management to consider pushing us to 10.2 with 12c later this year.
I do want to see what PTC is going to call X-26, will it be 10.3 or 11? Hopefully we will know more next month in Nashville.
If only we could get IT to go to Oracle 12c! At least we'll be on 11.2.0.4 before we go to production with 10.2 M030.
The last info I read on this was that you needed to already be on 10.2 M020+ with Oracle 11G in order to upgrade Oracle to 12c. Then you could just export from 11 and import into 12. That's one reason we're going to 11.2.0.4 to begin with. The other reason is that we can have our existing 10.1 M030 database already at 11.2.0.4 so when we go to 10.2 M030 there are no oracle changes. After a while we can consider the 12c upgrade.
Bear in mind that, according to the latest software matrices shown on :
http://support.ptc.com/WCMS/files/156056/en/Windchill10.2M030SoftwareMatrices52015.pdf
you will need either Oracle 11.2.0.4 or 12.1.0.2, and that some of the table entries are greyed out because
12.1.0.2 is only available in (the much more expensive...) 'Enterprise Edition', as shown on :
http://www.oracle.com/technetwork/database/enterprise-edition/downloads/index-092322.html
So for now at least, you may find that you are stuck with using 11.2.0.4
Some other websites suggest that the only differences between 12.1.0.1 and 12.1.0.2 are for 'Enterprise' edition features.
If that is true then why isn't 12.1.0.1 'Standard Edition (One)' certified & supported by PTC for Windchill 10.2 M030 ?
UPDATE: 07-Sept-2015
According to a new posting on PTC Knowledgebase, and the latest version of software matrices :
https://support.ptc.com/appserver/cs/view/solution.jsp?source=subscription&n=CS202620
http://support.ptc.com/WCMS/files/167881/en/Windchill10.2M030SoftwareMatrices8515.pdf
"The Standard Edition of Oracle 12.1.0.1 is now supported" for use with v10.2 M030
Also, now shown on the footer of Oracle's doc 1905806.1 it says:
"UPDATE: A release of 12.1.0.2 for Standard Edition customers is planned for Q3CY2015."
Other pages on Oracle's website suggest that will be the last release of SE1, and they are now talking about SE2...