What is default access rights for Windchill/bin/adminTools/sip?

avillanueva
22-Sapphire II

This appears to be a very critical folder. I am looking to know what default rights (Linux) apply to this folder and the key files underneath. If you want more information on this folder and its function, I suggest you read here:

https://support.ptc.com/help/wnc/r12.0.2.0/en/index.html#page/Windchill_Help_Center/WCSysAdminPasswordPasswordSystemEncrypt.html

Also curious if anyone else has further beefed up security in this area.

Accepted Solutions

I have not done anything other than ootb Windchill 12.1.2.4 install which on RedHat 7.9 gives this:

[root@lin02 adminTools]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.9 (Maipo)
[root@lin02 adminTools]# pwd
/opt/ptc/Windchill/Windchill/bin/adminTools
[root@lin02 adminTools]# ls -l
total 43
drwxrwxr-x. 2 root root 6 Nov 18  2022 Portal
drwxrwxr-x. 3 root root 5 Nov 18  2022 rehost
drwxrwxr-x. 4 root root 8 Nov 18  2022 sip
drwxrwxr-x. 5 root root 8 Nov 18  2022 WebServices
[root@lin02 adminTools]# ls -lR sip
sip:
total 43
-rwxrwxr-x. 1 root root 15881 Jun 15  2022 EncryptPasswords.xml
drwxrwxr-x. 2 root root     3 Nov 18  2022 ksp
-rwxrwxr-x. 1 root root   656 Jun 15  2022 README.txt
drwxrwxr-x. 2 root root     3 Nov 18  2022 store
-rwxrwxr-x. 1 root root   122 Nov 18  2022 validIEProperties.list
-rwxrwxr-x. 1 root root   809 Jul 26 20:33 validProperties.list

sip/ksp:
total 7
-rwxrwxr-x. 1 root root 30 Nov 18  2022 sip.ksp

sip/store:
total 14
-rwxrwxr-x. 1 root root 11743 Aug 18 18:35 sip.keystore
[root@lin02 adminTools]#

 


Hi @avillanueva 

Because I have had experience just with Windows OS, I cannot say exactly what is necessary, but as far as I know, Linux needs some security configuration to be set explicitly. I have experience just with some backup scripts with one customer. He always solved it with additional security config.

I've checked the content and it seems there are some keystores to which you should add read/modify and also create permissions, I guess.

PetrH

avillanueva
22-Sapphire II
(To:HelesicPetr)

Windows to Linux should translate but I would expect that things like the keystore and more importantly, the key file should be locked down to just admins and service accounts running the server and not be visible from outside those users. I would expect it would be something like 640 since we are not executing these files and they should not be visible to others, right?

Hi @avillanueva 

Yes, but the Windchill service needs the rights to manipulate these files in place.

So it depends on what account is used for the service.

I have also had the experience that at some very strict companies the service needed to be run as a local admin user instead of a domain user. But it was Windows.

 

PetrH


avillanueva
22-Sapphire II
(To:RandyJones)

So if the key file is readable by all, does that expose the keystore to decryption?

I would say so. If you change any parent directory to be more secure, then that prevents the non-root user from reading it. E.g., change Windchill (Windchill/bin/adminTools), then the non-root user can't see inside of Windchill.
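An added example, not from any poster in this thread or from PTC: a shell audit that lists every entry under a sip directory that grants access to "other", followed by the 640-style tightening suggested earlier in the thread (750 on directories so they stay traversable). The function names and the sample tree are constructed for illustration, and the tightening assumes the account running Windchill owns the files or belongs to their group.

```shell
#!/bin/sh
# Added example: audit and tighten modes under a Windchill sip directory.
# Assumption: the Windchill service account is the owner or in the owning
# group; otherwise fix ownership (chown/chgrp) before removing "other" access.

# Print every entry under $1 that grants read, write or execute to "other".
audit_sip() {
    find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Number of entries reported by audit_sip.
count_exposed() {
    audit_sip "$1" | wc -l | tr -d ' '
}

# Directories become rwxr-x--- (750), regular files rw-r----- (640):
# no access for "other" and no execute bit on key or keystore files.
harden_sip() {
    find "$1" -type d -exec chmod 750 {} +
    find "$1" -type f -exec chmod 640 {} +
}

# Constructed sample tree that mirrors the listing above (rwxrwxr-x
# everywhere); the files are empty stand-ins, not real key material.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/sip/ksp" "$d/sip/store"
    : > "$d/sip/ksp/sip.ksp"
    : > "$d/sip/store/sip.keystore"
    : > "$d/sip/validProperties.list"
    chmod -R 775 "$d/sip"
    echo "$d/sip"
}

# Demo: report, tighten, report again, clean up.
sample=$(make_sample)
echo "entries open to other before: $(count_exposed "$sample")"
audit_sip "$sample"
harden_sip "$sample"
echo "entries open to other after: $(count_exposed "$sample")"
rm -rf "${sample%/sip}"
```

On a real server, run `audit_sip` against the actual sip path first and confirm which account the Windchill service runs as before applying `harden_sip`.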

 

 
