Cancel
Showing results for 
Search instead for 
Did you mean: 

Re: SSL / HTTPS configuration for FMS

Siemens Phenom Siemens Phenom
Siemens Phenom

which Teamcenter version are you using?

I have seen one that FCC didn't make use of the JAVA_HOME directory provided in TC_ROOT\install\tem_init.bat - so it used a different JAVA directory that was magically determined...

Re: SSL / HTTPS configuration for FMS

Solution Partner Genius Solution Partner Genius
Solution Partner Genius

Hi @Amol_XPLM ,

Form the GTAC this works for me:

Symptom

---------------
How can the .NET middle tier and FMS be configured to use SSL encryption via
the https protocol?

Hardware/Software Configuration

Server 2008 R2 (with IIS 7.x)
Tc9.1.1.1

Solution

To convert the .NET middle tier from http to https (using SSL) with a
self-signed certificate, follow these steps:

1. With your currently working .NET middle tier being in place, open the IIS
Management interface under Administrative Tools.

2. In the IIS management interface, select the server name under 'Start Page'.

3. Under that, click on 'Server Certificates'.

4. On the right, click 'Create Self-Signed Certificate'.

5. Give the certificate an easy name, like the hostname.

6. To replace the http binding to the https binding, you will need to click on
the website you want to do this on.

7. At the right, you should see an option called 'Bindings'. Click this.

8. Under bindings, you can remove the http entry if you don't need it. In
this case, we are going to use the same port but change the protocol so we did
delete it.

9. Click Add... and set the type to https, IP Address to All Unassigned, port
to your desired port, and the SSL Certificate you can use the drop-down and
pick the one you created. Click OK.

10. Now, you can try your thin client interface (web client) using the new
https protocol.

11. Once you get this working, you will need to update the database preference
WEB_protocol and WEB_default_site_server from the Edit-Options-Search menu-bar
under a Rich Client so that the default protocol is also updated to https.

12. After this, you will need to update the protocol for any 4Tier RAC
configurations that are currently in place to connect to the new location which
can be done via TEM to use the new https URL instead of the older http one.

13. To allow for the FSC to use the same certificate, we need to make sure we
convert the certificate to a Java keystore format. To do this, you can do the
following:

The PFX keystore format is not compatible with FMS so it must be converted to a
JKS. As part of the conversion process you will need the alias or "friendly"
name of the certificate entry in the PFX file. If you generated this keystore
on a Windows server follow the example below to obtain this information.

$JAVA_HOME/bin/keytool -v -list -storetype pkcs12 -keystore filename.pfx

The above command will return all of the certificate information, copy down the
alias information. The following example will convert the PFX to a JKS

$JAVA_HOME/bin/keytool -importkeystore -srckeystore filename.pfx -srcstoretype
pkcs12 -srcalias ALIAS -destkeystore my_keystore -deststoretype jks
-deststorepass PASSWORD -destalias DEST_ALIAS

In the above example you will need to provide the proper information for the
bold items.

•filename.pfx : This is your source pfx keystore
•ALIAS: This is the alias you copied down from the previous step.
•my_keystore: This is the desired name of your new keystore.
•PASSWORD: is the password you would like to set for the new keystore.
•DEST_ALIAS: is the new alias you would like to assign the certificate, this
does not have to match the one obtained in the previous example.

Store the resulting JKS file in a safe location.
14. Setting up the FSC for SSL. Follow these steps:

Browse to the %TC_ROOT%\fsc directory.

Edit the fmsmaster_FSC_<instance>.xml file.

<fsc id="FSC_*" address="http://<hostname>:4544" ismaster="true">

To

<fsc id="FSC_*" address="https://<hostname>:4544" ismaster="true">

In the FSC directory copy the file fsc.properties.template to fsc.properties.
Edit the resulting file, uncomment and edit the following lines:

com.teamcenter.fms.servercache.keystore.file=<Path to Keystore>
com.teamcenter.fms.servercache.keystore.password=changeit
com.teamcenter.fms.servercache.keystore.ssl.certificate.password=changeit

com.teamcenter.fms.allowuntrustedcertificates=true

In the above example the path to the keystore is the secure location where you
stored the file. The passwords are those that you set when you converted the
keystore. Copy fscadmin.properties.template to fscadmin.properties and then
uncomment and make sure the following line is set to true

com.teamcenter.fms.allowuntrustedcertificates=true

Copy fsc.properties to fsc.clientagent.properties

Restart the FSC service.

If the service fails check the log files under %TC_ROOT%/fsc/logs/FSC/process

15. Update the %FMS_HOME%\fcc.xml file to use the new https protocol.

16. Ensure that the certificate you put into the keystore used by the FSC into
the %TC_ROOT%\portal\jre\lib\security\cacerts keystore file.

17. In the database preferences, you will have a few preferences that will
need to be updated. The search of http://<server>:<port> such as
http://server1:4544 should return for FMS_Bootstrap_URLS and
Default_Transient_Server most likely. These should be updated to reflect the
https protocol instead of the http protocol. Save these changes and then
restart the pool manager (if it is running) and then try to log in via RAC.

 

In the properties file you have to regenerate the password string.

 

But the Self Signed Certificate is not enough for TC-NX combo.

I use Openssl script to create pfx file to import every necessary places.

 

Regards,

Attila

Attila Szepesi, Application Engineer, graphIT Ltd.
Production: NX12.0.2 NX1863 | TcUA 11.3
Development: VB.NET, C# Testing: NX--