avillanueva
23-Emerald I
October 11, 2023
Solved

What are the default access rights for Windchill/bin/adminTools/sip?


This appears to be a very critical folder. I am looking to know what default rights (Linux) apply to this folder and the key files underneath. If you want more information on this folder and its function, I suggest you read here:

https://support.ptc.com/help/wnc/r12.0.2.0/en/index.html#page/Windchill_Help_Center/WCSysAdminPasswordPasswordSystemEncrypt.html

Also curious if anyone else has further beefed up security in this area.

Best answer by RandyJones

I have not done anything other than ootb Windchill 12.1.2.4 install which on RedHat 7.9 gives this:

[root@lin02 adminTools]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.9 (Maipo)
[root@lin02 adminTools]# pwd
/opt/ptc/Windchill/Windchill/bin/adminTools
[root@lin02 adminTools]# ls -l
total 43
drwxrwxr-x. 2 root root 6 Nov 18 2022 Portal
drwxrwxr-x. 3 root root 5 Nov 18 2022 rehost
drwxrwxr-x. 4 root root 8 Nov 18 2022 sip
drwxrwxr-x. 5 root root 8 Nov 18 2022 WebServices
[root@lin02 adminTools]# ls -lR sip
sip:
total 43
-rwxrwxr-x. 1 root root 15881 Jun 15 2022 EncryptPasswords.xml
drwxrwxr-x. 2 root root 3 Nov 18 2022 ksp
-rwxrwxr-x. 1 root root 656 Jun 15 2022 README.txt
drwxrwxr-x. 2 root root 3 Nov 18 2022 store
-rwxrwxr-x. 1 root root 122 Nov 18 2022 validIEProperties.list
-rwxrwxr-x. 1 root root 809 Jul 26 20:33 validProperties.list

sip/ksp:
total 7
-rwxrwxr-x. 1 root root 30 Nov 18 2022 sip.ksp

sip/store:
total 14
-rwxrwxr-x. 1 root root 11743 Aug 18 18:35 sip.keystore
[root@lin02 adminTools]#

 


HelesicPetr
22-Sapphire II
October 11, 2023

Hi @avillanueva 

Because I have experience only with Windows OS, I cannot say exactly what is necessary, but as far as I know Linux needs some security configuration to be set explicitly. I have experience only with some backup scripts at one customer. He always solved it with additional security config.

 

I've checked the content and it seems there are some keystores to which you should add read/modify and also create permissions, I guess.

PetrH

avillanueva
23-Emerald I
October 11, 2023

Windows to Linux should translate but I would expect that things like the keystore and more importantly, the key file should be locked down to just admins and service accounts running the server and not be visible from outside those users. I would expect it would be something like 640 since we are not executing these files and they should not be visible to others, right?

HelesicPetr
22-Sapphire II
October 11, 2023

Hi @avillanueva 

Yes, but the Windchill service needs the rights to manipulate these files in place.

So it depends on what account is used for the service.

 

I have also had the experience that in a very strict company the service needed to be run as a local admin user instead of a domain user. But that was on Windows.

 

PetrH

avillanueva
23-Emerald I
October 11, 2023

So if the key file is readable by all, does that expose the keystore to decryption?

20-Turquoise
October 11, 2023

I would say so. If you change any parent directory to be more secure, then that prevents the non-root user from reading it. E.g. change Windchill (Windchill/bin/adminTools), then the non-root user can't see inside of Windchill.
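
Added example, not part of any post in this thread and not PTC tooling: a POSIX shell check (GNU stat and find, as on RHEL) that lists the files under sip still readable by "other" users, and treats a file as not exposed when a parent directory up to a chosen top lacks other-execute, which is the effect described in the last reply. The function names and the optional TOP argument are assumptions made for this example.

```sh
#!/bin/sh
# Added example: which files under a Windchill sip directory can users outside
# the owner and group actually read? Mode bits only; ACLs/SELinux not examined.

# other_digit PATH -> prints the last octal digit of PATH's mode ("other" bits).
other_digit() {
    m=$(stat -c '%a' -- "$1") || return 2
    printf '%s\n' "${m#"${m%?}"}"
}

# traversable_by_others DIR [TOP] -> 0 if DIR and each ancestor up to TOP
# (default /) carry o+x; 1 if some directory in the chain blocks "other".
traversable_by_others() {
    d=$(cd -P -- "$1" >/dev/null && pwd -P) || return 2
    top=$(cd -P -- "${2:-/}" >/dev/null && pwd -P) || return 2
    while :; do
        case $(other_digit "$d") in 1|3|5|7) ;; *) return 1 ;; esac
        [ "$d" = "$top" ] || [ "$d" = / ] && return 0
        d=$(dirname -- "$d")
    done
}

# exposed_files DIR [TOP] -> prints "mode owner:group path" for every regular
# file under DIR with o+r whose directory chain is traversable by others.
# The owner:group column shows whether the service account (site-specific)
# would keep access after tightening.
exposed_files() {
    find "$1" -type f -perm -004 | while IFS= read -r f; do
        traversable_by_others "$(dirname -- "$f")" "${2:-/}" || continue
        stat -c '%a %U:%G %n' -- "$f"
    done
}

# Usage (path taken from the listing in the thread):
#   sh audit_sip.sh /opt/ptc/Windchill/Windchill/bin/adminTools/sip
if [ "$#" -gt 0 ]; then
    exposed_files "$@"
fi
```

An empty result means no file under the directory is reachable through the "other" permission bits alone.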