cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Community Tip - Have a PTC product question you need answered fast? Chances are someone has asked it before. Learn about the community search. X

How do I configure Windchill to limit wcadmin logins only from certain subnets?

RandyJones
19-Tanzanite
19-Tanzanite
‎Jun 24, 2022 01:33 PM
‎Jun 24, 2022 01:33 PM

How do I configure Windchill to limit wcadmin logins only from certain subnets?

Windchill PDMLink 12.0.2.6 with 2 replica servers.

The master server and replica servers all currently reside in the subnets we want to limit wcadmin to if that makes any difference.

 

We want to limit wcadmin from only logging in if they are coming from certain subnets. I opened a case with PTC and their response was: "Yes, I totally agreed that this falls under “Windchill Configuration” as we are attempting to limit the logins to Windchill.
But we currently don’t have any documentation on this configuration. It is currently not supported and verified by PTC.

To request this functionality, refer to Product Ideas @ PTC Community<https://www.ptc.com/en/support/enablement/submitting_product_ideas>. Our research and development will review the functionality you requested and that is the best and fastest way to receive response on your requested feature."

 

I don't want to wait for time for PTC to implement something let alone if they would even ever get to it.

 

So I have tried the following:

- adding a HTTPServer/conf/conf.d/60-limit-wcadmin.conf contents of this:

# This limits wcadmin to only logging on from specified subnets. eg local subnets...

# The LocationMatch is the first LocationMatch from 30-app-Windchill-Auth.conf.
# There are multiple LocationMatch with Require valid-user sections however this is
# the only one that seems to be matched on.
# So if the ootb PTC supplied one changes then this will need to change also.
<LocationMatch ^/+Windchill/+(;.*)?>

        # Comment this Header set out when not needed for debugging
        # Very useful to determine when matching locations
        #Header set X-LocationMatch01 "HERE01"

        # The actual section to limit wcadmin
        <RequireAny>
                <RequireAll>
                        # limit wcadmin to certain subnets
                        Require user wcadmin
                        Require ip 192.168
                </RequireAll>
                <RequireAll>
                        # Any valid user except for wcadmin
                        Require valid-user
                        Require not user wcadmin
                </RequireAll>
        </RequireAny>
</LocationMatch>

 

This "works" in that wcadmin is limited to logging in from a 192.168 subnet however it breaks some replica server functionality.

 

I then removed the 60-limit-wcadmin.conf and instead modified the ootb HTTPServer/conf/conf.d/30-app-Windchill-Auth.conf as follows:

.
.
### Changing this section
<LocationMatch ^/+Windchill/+(;.*)?>
  AuthName "Windchill"
  AuthType Basic
  AuthBasicProvider OpenLDAP Windchill-AdministrativeLdap
  Require valid-user
</LocationMatch>

### to this
<LocationMatch ^/+Windchill/+(;.*)?>
  AuthName "Windchill"
  AuthType Basic
  AuthBasicProvider OpenLDAP Windchill-AdministrativeLdap
  #Require valid-user
  # The actual section to limit wcadmin
  <RequireAny>
    <RequireAll>
      # limit wcadmin to certain subnets
      Require user wcadmin
      Require ip 192.168
    </RequireAll>
    <RequireAll>
      # Any valid user except for wcadmin
      Require valid-user
      Require not user wcadmin
    </RequireAll>
  </RequireAny>
</LocationMatch>
.
.
.

 

This works and seems to fix the previous issues we had with the replica servers however I am concerned that something else might silently fail.

 

Has anybody out there done what we are wanting to do?

If so how did you accomplish it?

 

Thanks Randy

Labels:
Notify Moderator
3 REPLIES 3
Ajit_Kulkarni
14-Alexandrite
14-Alexandrite
(To:RandyJones)
‎Jun 24, 2022 01:59 PM
‎Jun 24, 2022 01:59 PM

Hello Randy,

 

Your requirement is unique. Thanks for sharing your implementation. 

 

Regards

Ajit

0 Kudos
Notify Moderator
avillanueva
22-Sapphire I
22-Sapphire I
(To:RandyJones)
‎Jun 27, 2022 07:18 AM
‎Jun 27, 2022 07:18 AM

Apache documentation would have this covered but if you are looking to know where Windchill might break, I might suggest studying past Apache logs for all wcadmin transactions.  Things like SOLR use their own logins and I would think that wcadmin would only be when a physical administrator was logging in to do some task, This should not interfere with how the system operates internally but even if it did, the admin would see it right away. Interesting about the replica servers. I would think that you might need to ensure that all Location blocks have the same configuration. Thanks for the tip as this can make systems more secure.

0 Kudos
Notify Moderator
RandyJones
19-Tanzanite
19-Tanzanite
(To:RandyJones)
‎Jul 01, 2022 10:54 AM
‎Jul 01, 2022 10:54 AM

We have had this in place for a week now and have not ran across any issues. Since we have a local install of the Windchill Help Center I also made the same modifications to HTTPServer/conf/conf.d/30-app-Windchill-WHC-Auth.conf

0 Kudos
Notify Moderator
Top Tags