Community Tip - Stay updated on what is happening on the PTC Community by subscribing to PTC Community Announcements. X
Hi,
We currently have an internal user only Windchill PDMLink System and we now have a requirement to allow select customer users to securely access the system over the Internet. I intend to do this build building an additional Apache Server (Remote Apache Web Server) located in a secure DMZ on a hardened Linux server, with an updated Apache install.
For security reasons, I intend to build a minimal Redhat Linux server to host this Apache Server, but I know from previous experience that it can be difficult to install & administer such a system if you don't get the minimal OS build right in the first place - too few packages and nothing works, too many and it's a security risk.
Does anyone have any recommendations here - will the default Redhat Minimal Package Selection install be OK for what I need?
I would prefer not to install all the Redhat Graphical System environment for security reasons, but is it even possible to run the PTC installer(s) from the command line?
When it comes to Apache, is it best to manually "roll your own" Apache straight from apache.org and overlay the PTC Windchill Apache config and Ant installation onto it, or is it OK to use the (slightly older) "Early Release" version of Apache that is available for download from the PTC Website that already has the PTC Windchill Apache config applied to it and tested?
As I mentioned, I wanted as minimal a software Installation as possible on this server, so is it possible to just install Apache from the PTC supplied "Early Release" version of Apache, or do you need to first run the PSI that comes with the original Windchill release and install the original Apache (and I think Java might be necessary?), and then use the Apache "Early Release" download to replace the OOTB Apache version with the newer version?
Thanks in advance to anyone who might be able to answer some/all of my questions, and if anyone has any other sage advice on building a secure Internet facing Apache server for Windchill, then I would welcome the advice.
Regards.
Gary
Solved! Go to Solution.
After some trial and error testing, and communication with fellow community members, I can report back answers to my questions in the hope it might help others..
I don't like the idea of the Redhat Desktop GUI environment and the out-dated Java SDK being installed on an Interned facing apache webserver, so what I think I will do is first to do the above installation on our TEST environment and then just copy the configured apache loadpoint across to a minimal and hardened apache webserver for PROD usage.
Rgds
Gary
Apache on Linux is a good option.
You can follow the below WHC links
I would prefer early release from Apache than downloading from org because it has gone through at least minimal testing from PTC.
Also you need to devise a strategy for your internal users. I would recommend a split dns configuration for this.
Thanks
Binesh
Barry Wehmiller International
Hi Binesh,
Thank you for taking the time to reply to my post, I am familiar with the articles you suggest and have read a good deal of the documentation relating to this subject on ptc.com. They provide a Windchill Hardening guide too, which has some good information in. I have the "split brain" DNS already configured and we will be using WindchillDS on the primary Windchill Server for the external user accounts rather than AD.
So, you recommend the PTC Supplied Early Release of Apache over manually "rolling your own" from apache.org - this was my presumption too, but I am glad of the confirmation. My thinking is that PTC must have a need for a secure release of apache with all the latest fixes in, and so this is most likely the result of that and that it would be updated whenever an upstream vulnerability that affects Windchill is discovered (I understand that a lot of the vulnerabilities found in apache often don't affect Windchill).
It is the detail of using this PTC Supplied Early Release of Apache that my queries are more directed towards, namely:
Thanks and Regards
Gary
After some trial and error testing, and communication with fellow community members, I can report back answers to my questions in the hope it might help others..
I don't like the idea of the Redhat Desktop GUI environment and the out-dated Java SDK being installed on an Interned facing apache webserver, so what I think I will do is first to do the above installation on our TEST environment and then just copy the configured apache loadpoint across to a minimal and hardened apache webserver for PROD usage.
Rgds
Gary
 
					
				
				
			
		
