We are currently in the process of setting up OAM with Windchill. Could you please let me know if you were able to implement it successfully? If so, is it possible to share the configurations that need to be done on the Windchill side and the OAM side?
Currently we have configured OAM for a POC, but it doesn't seem to be working. When we enable OAM we get "user not found" from the corporate LDAP; if we disable OAM, the user seems to get authenticated.
Regards
Baalajee.T
Hi Baalajee,
How are you integrating Apache with OAM? Are you using webpass? If you are using webpass, you should set the user header variables in your OAM so that Tomcat receives the logged-in user name. By the way, where are you getting the "User not found" error: is it in the Apache logs or on the web page after the login?
Thanks for the response. At the moment the OAM team is different from the application team, and hence I'm not sure of the configuration. I will check and let you know. On the Windchill side, are there any settings that we need to make to enable it?
I'm getting the error when trying to give the credentials from the UI. We are using Webgate for this.
Hi Binesh,
We use Webgate for integrating Apache with OAM. User headers are being set for the same. Is there any specific header name which needs to be set? Syntax etc.?
Regards
Baalajee.T
So you have two ways of configuring Webgate: the basic one, which leverages the basic authentication prompt, or single sign-on using the form provided by OAM. The way Webgate works is that it intercepts any requests against the protected resources and, if the request is not already authenticated by a cookie, it will direct you to the login prompt. Once authenticated, you can configure Webgate and OAM to set the variable REMOTE_USER to the uid/sAMAccountName of the authenticated user. If the resources are protected by Webgate, then you need to remove the Windchill authentication directives in the HTTP server; you can use protocolAuthOnly in the webapp properties and run the ant command to make this change.
Thanks a lot, Binesh, for the response. We tried the same from OAM after your suggestion and made the Windchill changes as below. We are still getting the same error. Any other suggestions? Also, do you know how the CAD worker integration will work with OAM (form-based auth)? Does the functionality work properly without any issues?
[ptcadmin@ftdcslainf642 conf]$ cat app-Windchill.properties
#Ant properties
#Tue Aug 15 12:24:09 CDT 2017
ajpWorker=ajpWorker
authRealm=Windchill
disableAJP=false
disableAuthentication=false
docBase=/opt/ptc/Windchill_11/Windchill/codebase
enableCustomErrorDoc=true
isCognosWebApp=false
protocolAuthOnly=false
proxyEntireWebApp=false
Set the value of protocolAuthOnly to true and run the command ant -f webAppConfig.xml regenWebAppConf. Based on what you said, I am not sure whether authentication is the issue here; even if you leave all the authentication constraints on, you should get a second basic authentication prompt after you pass single sign-on. What exactly is the error message you have in the browser? Is it from Apache or Tomcat?
As for the CAD worker, we have a cluster node running with basic authentication where we point our CAD workers to. But if you don't have this setup, you can use trusted host authentication.
Hi Binesh,
Sorry, I got stuck in other work and could not respond. I am getting the below error.
Exception: wt.util.WTRuntimeException: (wt.session.sessionResource/2) wt.org.UserNotFoundException: User not found: unknown web name: "uid=if311,ou=other,ou=people,dc=cummins,dc=com". Nested exception is: (wt.session.sessionResource/2) wt.org.UserNotFoundException: User not found: unknown web name: "uid=if311,ou=other,ou=people,dc=cummins,dc=com".
This comes from the authentication window. No second authentication prompt is being shown.
Below is the information we got from OAM while debugging, which shows the UID being passed. The problem here is that Windchill is receiving the full "uid=if311,ou=other,ou=people,dc=cummins,dc=com" instead of "if311" alone. Any help would be of great use here.
Headers and Cookies to the Application
failureurl: null oam_error_code: null
You need an OAM authorization policy which adds the header variable REMOTE_USER; what you have now is an HTTP header, not a header variable.
Actions (Authorization Success):
Return Type    Name           Attribute
HeaderVar      REMOTE_USER    uid
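As an added illustration (not code from either participant or from PTC/Oracle), the following helper shows how to tell, from the value an SSO front-end hands the application, whether the header variable carries the bare login name Windchill expects or the full LDAP DN seen in the error above. The sample values are constructed to mirror the DN quoted in the thread; the function names and the "bare"/"dn-with-uid" classification are this example's own. Extracting uid from the DN application-side is only a diagnostic aid here: the fix the thread describes is to have the OAM authorization policy return the uid attribute in the REMOTE_USER header variable.

```python
"""Classify what an SSO front-end is actually passing in REMOTE_USER.

Added example, not part of the original thread. The DN below is constructed
to mirror the one shown in the thread's "unknown web name" error.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample values (assumption: mirror of the thread's error message).
SAMPLE_DN = "uid=if311,ou=other,ou=people,dc=cummins,dc=com"
SAMPLE_BARE = "if311"

_DN_START = re.compile(r"^\s*[A-Za-z][A-Za-z0-9.-]*\s*=")


def looks_like_dn(value: str) -> bool:
    """True if the value starts with 'attr=' as an LDAP DN string would."""
    return bool(_DN_START.match(value))


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an LDAP DN string into [(attr, value), ...].

    Components are separated by unescaped ','; a backslash escapes the next
    character (RFC 4514 string form). Multi-valued RDNs ('+') are not split.
    """
    components: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # keep the escaped char literally
            i += 2
            continue
        if ch == ",":
            components.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    components.append("".join(buf))

    pairs: List[Tuple[str, str]] = []
    for comp in components:
        if "=" not in comp:
            raise ValueError(f"not a DN component: {comp!r}")
        attr, value = comp.split("=", 1)
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def classify_remote_user(value: Optional[str], attr: str = "uid") -> str:
    """Describe what the front-end is sending, to point at the policy mistake.

    'empty'        - no header variable set at all (policy not applied)
    'bare'         - a plain login name, what a protocolAuthOnly setup expects
    'dn-with-uid'  - the full DN; the policy returns the DN, not the uid attribute
    'dn-without-uid' - a DN that does not even contain the expected attribute
    """
    if not value:
        return "empty"
    if not looks_like_dn(value):
        return "bare"
    attrs = [a for a, _ in parse_dn(value)]
    return f"dn-with-{attr}" if attr in attrs else f"dn-without-{attr}"


def web_name_from_remote_user(value: str, attr: str = "uid") -> str:
    """Return the bare web name: the value itself, or the uid RDN of a DN."""
    if not looks_like_dn(value):
        return value
    for a, v in parse_dn(value):
        if a == attr:
            return v
    raise ValueError(f"DN does not contain {attr}: {value!r}")


if __name__ == "__main__":
    for sample in (SAMPLE_DN, SAMPLE_BARE, "", None):
        kind = classify_remote_user(sample)
        name = web_name_from_remote_user(sample) if sample else "(none)"
        print(f"{sample!r:60} -> {kind:16} web name {name}")
```

Running the module prints one line per sample; the DN case comes back as dn-with-uid, which is exactly the symptom in the thread and means the OAM return attribute should be uid rather than the user's DN. Note that once protocolAuthOnly is set and the Windchill authentication directives are removed, Tomcat trusts whatever REMOTE_USER Apache sets, so the header must only ever be populated by the Webgate-protected Apache and never be accepted from the client.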