This appears to be a very critical folder. I am looking to know what default rights (Linux) apply to this folder and the key files underneath. If you want more information on this folder and its function, I suggest you read here:
Also curious if anyone else has further beefed up security in this area.
I have not done anything other than ootb Windchill 12.1.2.4 install which on RedHat 7.9 gives this:
[root@lin02 adminTools]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.9 (Maipo)
[root@lin02 adminTools]# pwd
/opt/ptc/Windchill/Windchill/bin/adminTools
[root@lin02 adminTools]# ls -l
total 43
drwxrwxr-x. 2 root root 6 Nov 18 2022 Portal
drwxrwxr-x. 3 root root 5 Nov 18 2022 rehost
drwxrwxr-x. 4 root root 8 Nov 18 2022 sip
drwxrwxr-x. 5 root root 8 Nov 18 2022 WebServices
[root@lin02 adminTools]# ls -lR sip
sip:
total 43
-rwxrwxr-x. 1 root root 15881 Jun 15 2022 EncryptPasswords.xml
drwxrwxr-x. 2 root root 3 Nov 18 2022 ksp
-rwxrwxr-x. 1 root root 656 Jun 15 2022 README.txt
drwxrwxr-x. 2 root root 3 Nov 18 2022 store
-rwxrwxr-x. 1 root root 122 Nov 18 2022 validIEProperties.list
-rwxrwxr-x. 1 root root 809 Jul 26 20:33 validProperties.list
sip/ksp:
total 7
-rwxrwxr-x. 1 root root 30 Nov 18 2022 sip.ksp
sip/store:
total 14
-rwxrwxr-x. 1 root root 11743 Aug 18 18:35 sip.keystore
[root@lin02 adminTools]#
Hi @avillanueva
Because I have only had experience with Windows OS, I cannot say exactly what is necessary, but as far as I know Linux needs some security configuration to be set explicitly. I have experience only with some backup scripts at one customer. He always solved it with additional security config.
I've checked the content and it seems there are some keystores to which you should add read/modify and also create permissions, I guess.
PetrH
Windows to Linux should translate but I would expect that things like the keystore and more importantly, the key file should be locked down to just admins and service accounts running the server and not be visible from outside those users. I would expect it would be something like 640 since we are not executing these files and they should not be visible to others, right?
Hi @avillanueva
Yes, but the Windchill service needs the rights to manipulate these files in place.
So it depends on what account is used for the service.
I have also had the experience that in some very strict companies the service needed to be run as a local admin user instead of a domain user. But that was Windows.
PetrH
So if the key file is readable by all, does that expose the keystore to decryption?
I would say so. If you change any parent directory to be more secure, that prevents the non-root user from reading it, e.g. change Windchill (Windchill/bin/adminTools) and then a non-root user can't see inside Windchill.
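The last replies come down to one check: a file such as sip.ksp is readable by other users only if it carries the other-read bit and every parent directory is searchable by others. The script below is an added example, not from the thread or from PTC, that runs that check on a constructed copy of the listed layout; it assumes GNU stat, ignores ACLs, and its function names and temp tree are made up for illustration.

```shell
#!/bin/sh
# Added illustration; function names and the temp tree are constructed.
# Requires GNU coreutils stat (-c '%a'), as on RHEL.

# Print the "other" permission digit of PATH (e.g. 5 for mode 775).
other_digit() {
    mode=$(stat -c '%a' "$1") || return 2
    echo $((mode % 10))
}

# Return 0 when users outside owner/group can read FILE: FILE has o+r and
# every directory from its parent up to TOP has o+x (search permission).
exposed_to_others() {
    file=$1; top=$2
    d=$(other_digit "$file") || return 2
    [ $((d & 4)) -ne 0 ] || return 1
    dir=$(dirname "$file")
    while :; do
        d=$(other_digit "$dir") || return 2
        [ $((d & 1)) -ne 0 ] || return 1
        if [ "$dir" = "$top" ] || [ "$dir" = / ]; then return 0; fi
        dir=$(dirname "$dir")
    done
}

# Build a throwaway copy of the layout from the listing, all mode 775.
make_demo_tree() {
    t=$(mktemp -d)/adminTools
    mkdir -p "$t/sip/ksp" "$t/sip/store"
    : > "$t/sip/ksp/sip.ksp"
    : > "$t/sip/store/sip.keystore"
    chmod -R 775 "$t"
    echo "$t"
}

audit() {
    for f in "$1/sip/ksp/sip.ksp" "$1/sip/store/sip.keystore"; do
        if exposed_to_others "$f" "$1"; then echo "EXPOSED      $f"
        else echo "not exposed  $f"; fi
    done
}

demo=$(make_demo_tree)
audit "$demo"                       # out-of-the-box modes from the listing
chmod 640 "$demo/sip/ksp/sip.ksp"   # tighten the key file itself
chmod 750 "$demo/sip"               # or close a parent directory
audit "$demo"
rm -rf "${demo%/adminTools}"
```

On a real install, pass the actual adminTools path (or `/`) as TOP, and confirm the account running Windchill still owns or shares a group with the files before tightening modes.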