Unable to Open Creo View when Windchill is using H...

TomU · ‎Sep 14, 2023

I'm running into an issue with Creo View when Windchill is configured to use HTTPS. Attempting to open anything from Windchill in Creo View throws this error:

Following the steps in CS242260 to create an environment variable (PVIEW_SEARCH_ALL_CERTIFICATES=1) has no effect.
Following the steps in CS312299 to alter Edge internet properties to not check for certificate revocation will allow the Creo View login dialog to appear, but as soon as credentials are entered the dialog closes and Creo View never appears. (Webserver logs do show successful authentication.)
The location of the users TEMP directory is not the issue. (CS347988 and CS378634.)
Firewalls are disabled and no anti-virus software is currently in use.
These are commercially purchased certificates, and the full chain is valid and not expired.
Creo Parametric works just fine. It's only Creo View that is having problems.
This is not a cluster and there is not a proxy server.

Is there anything special that needs to be done on the client computers to fix this issue, or should simply installing the certificates on the Windchill server (Apache and Java) be sufficient? The error is reproducible on both the server and on the client computers, and changing versions of Creo View has no effect.

avillanueva · ‎Sep 14, 2023

I did not see this listed above:

https://www.ptc.com/en/support/article/CS385890?source=search

Basic authentication? Can you post your debug logs from the Creo View session?

TomU · ‎Sep 14, 2023

Not using single sign on.

shussaini · ‎Sep 14, 2023

What version of Windchill you are using? Note that starting 12.1, Windchill uses TLS1.3/SSL3 which needs to be enabled in the config files.

regards

~Syed

TomU · ‎Sep 14, 2023

@shussaini,

This is 12.1.2.4. According to the documentation, TLS 1.3 is enabled by default. Are you saying Creo View 10 does not support TLS 1.3 by default?

TLS 1.3 Support for Windchill (ptc.com)

https://www.ptc.com/en/support/article/CS355457

TomU · ‎Sep 14, 2023

Enabling TLS 1.2 (only) did not make any difference.

-----------------------------------------------------------

Enabling TLS 1.2

Option to configure TLS 1.2 manually is available. Follow the below mentioned steps for the TLS 1.2 configuration:

1.Update the mod_ssl.conf.template file located at <ApacheHome>/conf/template/ as below:

SSLProtocol -all +TLSv1.2
SSLProxyProtocol -all +TLSv1.2

2.Run the command from Windchill shell and <Apache_Home>:

ant -f config.xml reconfigure

3.Restart the Apache HTTP server.

-----------------------------------------------------------

AG_WC · ‎Dec 28, 2023

I am using Windchill 12.1.2.1 (HTTPS and SSO) and Creo View 9.1. I was running into the same issue and was able to resolve it by enabling TLS1.2. Here's what I did. Hope this helps!

Stop HTTPServer
Updating below properties in WT_HOME\HTTPServer\conf\customTemplates\mod_ssl.conf.template file (note that in order to enable TLSv1.2 it needs to be removed from below properties, hence you don't see it listed below. TLSv1.3 is enabled by default so you don't see that as well)

SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1

From a command prompt or Windchill Shell change directory to WT_HOME\HTTPServer and execute ant -f config.xml reconfigure
After executing above command please make sure below modules remain enabled in WT_HOME\HTTPServer\conf\httpd.conf. If they are not, then please enable them manually by uncommenting them.

LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule ssl_module modules/mod_ssl.so

Start HTTPServer

jbailey · ‎Apr 10, 2024

Just a note on this:

SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1

A more simpler implementation, only granting specific protocols could look like:

SSLProtocol -all TLSv1.2 TLSv1.3
SSLProxyProtocol -all TLSv1.2 TLSv1.3

TomU · ‎Sep 14, 2023

I installed Fiddler and enabled HTTPS decoding. Attempting to open a representation from Windchill threw this (Fiddler) error message:

This system is on an isolated network that does not have internet access.

The message about checking for certificate revocation seems to point back to CS312299. I repeated the steps in that article again, and this time I noticed the comment about the second one not taking affect until restarting the computer. (The PTC article does not mention needing to restart.)

After a restart Creo View will now launch successfully, but the pview.exe process(es) will not terminate after closing. End users (who make this same change) can see objects in Creo View, but from the servers Creo View just displays a blank white page. The mouse seems to act like there are lines present, but none of them are visible or selectable. Just for fun I downloaded a representation and opened it locally in Creo View on the server (without Windchill) and still get the same behavior, so apparently the 'not displaying geometry' issue in Creo View is unrelated to HTTPS. Any suggestions on that?

shussaini · ‎Sep 15, 2023

That's frustrating. I would suggest better to open a support ticket. they can advise better based on your environment.

regards
~Syed

TomU · ‎Sep 15, 2023

I've had a ticket open all week without any real progress. That's why I created the post here.

avillanueva · ‎Sep 15, 2023

"This system is on an isolated network that does not have internet access."

That likely was the cause. It was trying to contact the cert chain to validate. I think you might have another issue going on with the second part.

TomU · ‎Sep 15, 2023

Yeah, I'd really like to know why Creo View checks this certificate chain but Creo Parametric (apparently) does not.

RandyJones · ‎Sep 15, 2023

We are using 12.1.2.4, https, and commercial certs (Lets Encrypt) and it works for us. We are making the following modifications to 20-mod_ssl.conf:

SSLVerifyClient none
# Changed the cipher suite and protocols for enhanced security
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

TomU · ‎Sep 15, 2023

@RandyJones,

That's quite a list for 'SSLCipherSuite'. How did you determine you needed all of those?

RandyJones · ‎Sep 15, 2023

@TomU wrote:

@RandyJones,

That's quite a list for 'SSLCipherSuite'. How did you determine you needed all of those?

We used this website:

https://ssl-config.mozilla.org/#server=apache&version=2.4.54&config=intermediate&openssl=1.1.1q&guideline=5.6

Srinivas_256 · ‎Mar 01, 2024

@TomU You are able to fix this issue, even we are facing same issue as below using 12.1.2.1.Nothing seems to be working.Please provide your inputs If you solved the same.Thank you - Srinivas

taheri2 · ‎Apr 02, 2024

Hi guys, anyone identified a resolution to this issue if you can please share that would be great.

Thanks in advance.

Taher

TomU · ‎Apr 02, 2024

PTC's final answer was that Creo View is not supported on Windows Servers. The workarounds above, specifically the one unchecking the Internet Options, resolved the issue for regular users on Windows 10/11 machines, but it did not fix the issue on any of the Windows servers. For those I still have no solution.

Srinivas_256 · ‎Apr 03, 2024

Thank you for your reply Tom.IT is not allowing us to go for workaround option, working with PTC and our IT team to identify the fix, will keep posted here If I have anupdate.

-Srinivas

dheidebrecht · ‎Apr 09, 2024

We finally found the answer after fighting this issue for weeks now.

Open inetcpl.cpl > Advanced Tab > Uncheck the box for "Do not save encrypted pages to disk".

Enjoy and have a great day!

Unable to Open Creo View when Windchill is using HTTPS

Unable to Open Creo View when Windchill is using HTTPS