cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Community Tip - New to the community? Learn how to post a question and get help from PTC and industry experts! X

How to build a Remote Apache Webserver for Internet access to Windchill

Go to solution
GaryMansell
12-Amethyst
12-Amethyst
‎Jun 12, 2015 10:46 AM
‎Jun 12, 2015 10:46 AM

How to build a Remote Apache Webserver for Internet access to Windchill

Hi,

We currently have an internal user only Windchill PDMLink System and we now have a requirement to allow select customer users to securely access the system over the Internet. I intend to do this build building an additional Apache Server (Remote Apache Web Server) located in a secure DMZ on a hardened Linux server, with an updated Apache install.

For security reasons, I intend to build a minimal Redhat Linux server to host this Apache Server, but I know from previous experience that it can be difficult to install & administer such a system if you don't get the minimal OS build right in the first place - too few packages and nothing works, too many and it's a security risk.

Does anyone have any recommendations here - will the default Redhat Minimal Package Selection install be OK for what I need?

I would prefer not to install all the Redhat Graphical System environment for security reasons, but is it even possible to run the PTC installer(s) from the command line?

When it comes to Apache, is it best to manually "roll your own" Apache straight from apache.org and overlay the PTC Windchill Apache config and Ant installation onto it, or is it OK to use the (slightly older) "Early Release" version of Apache that is available for download from the PTC Website that already has the PTC Windchill Apache config applied to it and tested?

As I mentioned, I wanted as minimal a software Installation as possible on this server, so is it possible to just install Apache from the PTC supplied "Early Release" version of Apache, or do you need to first run the PSI that comes with the original Windchill release and install the original Apache (and I think Java might be necessary?), and then use the Apache "Early Release" download to replace the OOTB Apache version with the newer version?

Thanks in advance to anyone who might be able to answer some/all of my questions, and if anyone has any other sage advice on building a secure Internet facing Apache server for Windchill, then I would welcome the advice.

Regards.

Gary

Labels:
0 Kudos
Notify Moderator
ACCEPTED SOLUTION

Accepted Solutions
GaryMansell
12-Amethyst
12-Amethyst
(To:GaryMansell)
‎Jun 17, 2015 04:47 AM
‎Jun 17, 2015 04:47 AM

After some trial and error testing, and communication with fellow community members, I can report back answers to my questions in the hope it might help others..

  1. It is possible to just build standalone remote apache server from the Early Access apache release download bundle provided by PTC - it installs OK just running the setup script in the bundle, you don't need to install it in conjunction with the PSI (You need Redhat Desktop GUI environment installed - see 3 below).
  2. It is not absolutely necessary to first build the apache server using the PSI and OOTB apache and Java SDK, but if you don't install at least Java, then you won't be able to run the ant scripts to configure apache and you will have to manually edit all the files which is not a simple task. I presume that it would be possible to just install Java manually to the machine by downloading it from java.com, but in the end, the process that I followed was to first install the OOTB Java SDK using the PSI, then I extracted the ant.tar.gz/ant.zip archive from the OOTB apache media into the loadpoint, then I ran the setup command to install the Early Access apache release.
  3. You have to have the Redhat GUI environment installed to run the PSI as command line is not supported.

I don't like the idea of the Redhat Desktop GUI environment and the out-dated Java SDK being installed on an Interned facing apache webserver, so what I think I will do is first to do the above installation on our TEST environment and then just copy the configured apache loadpoint across to a minimal and hardened apache webserver for PROD usage.

Rgds

Gary

View solution in original post

0 Kudos
Notify Moderator
3 REPLIES 3
BineshKumar1
13-Aquamarine
13-Aquamarine
(To:GaryMansell)
‎Jun 12, 2015 12:58 PM
‎Jun 12, 2015 12:58 PM

Apache on Linux is a good option.

You can follow the below WHC links

  1. http://www.ptc.com/cs/help/windchill_hc/wc100_hc/index.jspx?id=WCInstall_ConfigApacheInstallRemotely&action=show
  2. http://www.ptc.com/cs/help/windchill_hc/wc100_hc/index.jspx?id=WCInstall_AddApacheConfig&action=show
  3. http://www.ptc.com/cs/help/windchill_hc/wc100_hc/index.jspx?id=WCInstall_ConfigWCWork&action=show

I would prefer early release from Apache than downloading from org because it has gone through at least minimal testing from PTC.

Also you need to devise a strategy for your internal users. I would recommend a split dns configuration for this.

Thanks

Binesh

Barry Wehmiller International

0 Kudos
Notify Moderator
GaryMansell
12-Amethyst
12-Amethyst
(To:BineshKumar1)
‎Jun 15, 2015 03:08 AM
‎Jun 15, 2015 03:08 AM

Hi Binesh,

Thank you for taking the time to reply to my post, I am familiar with the articles you suggest and have read a good deal of the documentation relating to this subject on ptc.com. They provide a Windchill Hardening guide too, which has some good information in. I have the "split brain" DNS already configured and we will be using WindchillDS on the primary Windchill Server for the external user accounts rather than AD.

So, you recommend the PTC Supplied Early Release of Apache over manually "rolling your own" from apache.org - this was my presumption too, but I am glad of the confirmation. My thinking is that PTC must have a need for a secure release of apache with all the latest fixes in, and so this is most likely the result of that and that it would be updated whenever an upstream vulnerability that affects Windchill is discovered (I understand that a lot of the vulnerabilities found in apache often don't affect Windchill).


It is the detail of using this PTC Supplied Early Release of Apache that my queries are more directed towards, namely:


  1. Is it possible to build the apache server from just the Early Release download bundle itself (ie just run the included setup script), or do you need use the PSI to install it?
  2. Do you perhaps even need to perform a normal Apache install using the PSI and the OOTB version of Apache (and perhaps even the Java SDK too?) on the apache server to set it all up properly first and then use the Early Release download bundle to patch over the top of this configuration somehow?
  3. Is it possible to do this installation without the Redhat GUI environment being available on the apache server (for security reasons) - ie by the command line?

Thanks and Regards

Gary

0 Kudos
Notify Moderator
GaryMansell
12-Amethyst
12-Amethyst
(To:GaryMansell)
‎Jun 17, 2015 04:47 AM
‎Jun 17, 2015 04:47 AM

After some trial and error testing, and communication with fellow community members, I can report back answers to my questions in the hope it might help others..

  1. It is possible to just build standalone remote apache server from the Early Access apache release download bundle provided by PTC - it installs OK just running the setup script in the bundle, you don't need to install it in conjunction with the PSI (You need Redhat Desktop GUI environment installed - see 3 below).
  2. It is not absolutely necessary to first build the apache server using the PSI and OOTB apache and Java SDK, but if you don't install at least Java, then you won't be able to run the ant scripts to configure apache and you will have to manually edit all the files which is not a simple task. I presume that it would be possible to just install Java manually to the machine by downloading it from java.com, but in the end, the process that I followed was to first install the OOTB Java SDK using the PSI, then I extracted the ant.tar.gz/ant.zip archive from the OOTB apache media into the loadpoint, then I ran the setup command to install the Early Access apache release.
  3. You have to have the Redhat GUI environment installed to run the PSI as command line is not supported.

I don't like the idea of the Redhat Desktop GUI environment and the out-dated Java SDK being installed on an Interned facing apache webserver, so what I think I will do is first to do the above installation on our TEST environment and then just copy the configured apache loadpoint across to a minimal and hardened apache webserver for PROD usage.

Rgds

Gary

0 Kudos
Notify Moderator
Announcements


Contact Community Management
Top Tags