Secure Teamcenter Active Workspace: Convert HTTP to HTTPS
What does HTTPS mean in the context of Web applications?
HTTPS, which stands for Hypertext Transfer Protocol Secure, is the secure version of HTTP, the protocol used for transmitting data between a user's web browser and a website's server. It is a fundamental component of internet security and is designed to protect the integrity and privacy of data as it's transmitted over the internet.
How to check if your website is secured?
To know if a website is using HTTPS, you can look for the lock icon in the browser's address bar. The URL will also start with https:// instead of http://
Web application without https -
Web application with https -
Importance of configuring AW (Active Workspace) with https -
As the AW client in Teamcenter has evolved, most customers now use AW as their preferred client, because it can be accessed from anywhere, on any device, without a VPN connection. With this flexibility, it is important to make sure data exchange with the server is secure. Most users work with design data or other critical data in the AW client, which makes it important to secure the communication channel. With HTTPS configured, communication from the user's device to the AW server is encrypted and protected in transit.
Protects sensitive data: PLM applications often contain sensitive data, such as intellectual property, financial data, and customer information. Using an HTTPS URL helps to protect this data from being intercepted by attackers while it is accessed from the AW client.
Prevents eavesdropping: When data is transmitted over HTTP, it is not encrypted. This means that an attacker could eavesdrop on the communication and intercept sensitive data. Using an HTTPS URL encrypts the communication, preventing eavesdropping.
Preventing Data Leakage: Data leakage or unauthorized data access can be damaging to an organization's competitive advantage and reputation. Securing Active Workspace helps prevent such incidents.
Cybersecurity Threats: In a world with increasing cybersecurity threats, securing PLM applications which have web-based clients such as Active Workspace helps protect against malicious actors, hackers, and cyberattacks that could disrupt operations and compromise sensitive data.
How to convert Teamcenter Active Workspace URL from http to https (Steps to configure HTTPS in Active Workspace) -
Step 1: To enable HTTPS for AW, the first step is to generate a certificate (.crt) file and a key file. If you are implementing this for a customer, you can ask the customer to share a signed certificate (.crt) file and key file. If you are doing it for your local environment or for your own understanding, you need to generate these files yourself. Certificates you generate and sign yourself are called self-signed certificates. Follow the steps below to generate these files:
For Key Generation -
openssl req -newkey rsa:2048 -nodes -keyout CTGTNB00028.key -out CTGTNB00028.csr
openssl: This is the command-line tool for using the OpenSSL library. It allows you to perform various cryptographic operations, including generating keys, creating Certificate Signing Requests (CSRs), and managing certificates.
req: This specifies that the OpenSSL command is for creating a CSR (Certificate Signing Request). CSRs are used to request a digital certificate from a Certificate Authority (CA).
-newkey rsa:2048: This part of the command generates a new private key and a CSR. -newkey indicates the creation of a new key pair, and rsa:2048 specifies that it should use the RSA algorithm with a key length of 2048 bits for generating the private key.
-nodes: This flag means that the private key will not be encrypted with a passphrase. This makes the key file less secure but more convenient because it won't require a password to use it.
-keyout CTGTNB00028.key: This specifies the file name (CTGTNB00028.key) where the generated private key will be saved.
-out CTGTNB00028.csr: This specifies the file name (CTGTNB00028.csr) where the generated CSR will be saved. The CSR contains information (like the public key and details about the entity requesting the certificate) that is sent to a CA for the issuance of a digital certificate.
For certificate Generation -
openssl x509 -signkey CTGTNB00028.key -in CTGTNB00028.csr -req -days 365 -out CTGTNB00028.crt
openssl: As previously mentioned, this is the command-line tool for using the OpenSSL library.
x509: This command specifies that OpenSSL will be dealing with X.509 certificates.
-signkey CTGTNB00028.key: This parameter designates the private key file (CTGTNB00028.key) that will be used to sign the certificate. The private key file provided here should correspond to the public key contained within the Certificate Signing Request (CSR) provided in the next argument.
-in CTGTNB00028.csr: This specifies the input file (CTGTNB00028.csr) that contains the Certificate Signing Request (CSR). The CSR includes information such as the public key and the details about the entity requesting the certificate.
-req: This flag indicates that the input (-in) is a Certificate Signing Request (CSR).
-days 365: This parameter sets the validity period of the certificate being generated to 365 days (1 year). The certificate will be valid for this specified duration after its issuance.
-out CTGTNB00028.crt: This specifies the output file name (CTGTNB00028.crt) where the generated X.509 certificate will be saved. This certificate is the result of signing the provided CSR using the private key and will contain information like the public key, expiration date, and other details about the entity it represents.
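A non-interactive form of the two Step 1 commands, with a check to run before referencing the files in config.json; this is an added example, not code from the original article. It goes slightly beyond the article by adding a subjectAltName entry, which current browsers match the host name against. The host name aw.example.test, the file names and the function names are assumptions, and a POSIX shell with openssl (for example Git Bash or WSL on Windows) is assumed.

```shell
#!/bin/sh
# Added example; host name and file names are placeholders, not from the article.

# Create key, CSR and self-signed certificate for host $2 in directory $1.
make_selfsigned() {
    dir=$1; host=$2
    # Non-interactive form of the article's "req" step (-subj replaces the prompts).
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null || return 1
    chmod 600 "$dir/$host.key"    # -nodes leaves the private key unencrypted
    # "x509 -req" does not copy CSR extensions by default, so pass the SAN here.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
    openssl x509 -req -signkey "$dir/$host.key" -in "$dir/$host.csr" \
        -days 365 -extfile "$dir/san.ext" -out "$dir/$host.crt" 2>/dev/null
}

# Return 0 only if key $1 and certificate $2 share a public key, the
# certificate has not expired, and it lists host $3 in subjectAltName.
check_pair() {
    key=$1; crt=$2; host=$3
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ] || { echo "key/certificate mismatch" >&2; return 1; }
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null ||
        { echo "certificate expired" >&2; return 1; }
    openssl x509 -in "$crt" -noout -text | grep -qF "DNS:$host" ||
        { echo "no subjectAltName entry for $host" >&2; return 1; }
}

# Demo in a scratch directory.
work=$(mktemp -d)
make_selfsigned "$work" aw.example.test &&
    check_pair "$work/aw.example.test.key" "$work/aw.example.test.crt" aw.example.test &&
    echo "pair OK"
```

The same check_pair call works on a CA-signed .crt and .key received from a customer, where a mismatched pair is a common reason the gateway fails to start with TLS.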
Step 2: Include the .crt and .key files in the config.json file as given below
Path: %TC_ROOT%\microservices\gateway-1.5.0\config.json
The gateway folder name will change based on your AW version.
Step 3: Restart the process manager from services
Step 4: Open the Active Workspace URL with HTTPS: This means to enter the URL of the Active Workspace server into your web browser, but replace the http:// with https://
The Active Workspace URL will now work over HTTPS.
If you are doing this on your local machine and you have a self-signed certificate, then follow the next steps:
Step 5: After opening the URL with https, click the "Not secure" icon next to the URL: This icon will appear in the address bar of your web browser.
This will open a window where you can export the certificate to your machine: This window will allow you to download the SSL certificate to your computer.
Step 6: Incorporate the certificate into the Java keystore using the following command
keytool -importcert -alias CTGTNB00028 -file C:\Temp\CTGTNB00028.crt -trustcacerts -keystore C:\AWC\jdk\jdk11.0.18\lib\security\cacerts -storetype JKS
keytool: This is the command-line utility provided with the Java Development Kit (JDK) for managing keystores, certificates, and keys.
-importcert: This command tells keytool that you want to import a certificate into a keystore.
-alias CTGTNB00028: This parameter sets the alias name (CTGTNB00028) for the imported certificate. The alias is used to refer to the certificate within the keystore.
-file C:\Temp\CTGTNB00028.crt: This specifies the path to the file (C:\Temp\CTGTNB00028.crt) containing the certificate that you want to import. This certificate is typically obtained from a Certificate Authority (CA) or generated through OpenSSL.
-trustcacerts: This flag tells keytool to also consider the CA certificates in the JDK's cacerts file when establishing a chain of trust for the imported certificate. This is useful when adding a certificate issued by a recognized Certificate Authority.
-keystore C:\AWC\jdk\jdk11.0.18\lib\security\cacerts: This parameter specifies the path to the keystore file (cacerts) where the certificate will be imported. In this case, it's a Java keystore file (JKS format) located at C:\AWC\jdk\jdk11.0.18\lib\security\cacerts.
-storetype JKS: This specifies the type of keystore being used (JKS - Java KeyStore). Java supports different keystore formats, and here it explicitly states that the keystore is in Java KeyStore format.
This step is required if you are using a self-signed certificate. The certificate also needs to be imported on each client's machine if they access the web application with a self-signed certificate; otherwise they will always see the application as not secure.