
    Teamcenter 10

    Security Services Installation/Customization

    Publication Number TSS00001 Q

    Proprietary and restricted rights notice

    This software and related documentation are proprietary to Siemens Product Lifecycle Management Software Inc.

    © 2012 Siemens Product Lifecycle Management Software Inc. All Rights Reserved.

    Siemens and the Siemens logo are registered trademarks of Siemens AG. Teamcenter is a trademark or registered trademark of Siemens Product Lifecycle Management Software Inc. or its subsidiaries in the United States and in other countries. All other trademarks, registered trademarks, or service marks belong to their respective holders.

    2 Security Services Installation/Customization TSS00001 Q

    Contents

    Proprietary and restricted rights notice . . . . 2

    Getting started with Security Services . . . . 1-1
        Getting started with Security Services . . . . 1-1
        Siemens PLM Software customization support . . . . 1-2
        Prerequisites . . . . 1-3
        Basic concepts about Security Services . . . . 1-4
        Security Services components . . . . 1-7

    Installing Security Services . . . . 2-1
        Installing Security Services . . . . 2-1
        Basic guidelines . . . . 2-1
        Basic installation process . . . . 2-2
        Upgrade to Security Services 10 . . . . 2-2
        Installation files . . . . 2-3
        Create the WEB_ROOT directory . . . . 2-4
        Copy installation files from the software distribution image . . . . 2-4
        Launch the Web Application Manager . . . . 2-5
        Create the Login Service . . . . 2-6
        Create the Identity Service . . . . 2-8
        Logging Teamcenter application information . . . . 2-10

    Setting up an LDAP server for Security Services . . . . 3-1
        Setting up an LDAP server for Security Services . . . . 3-1
        LDAP requirements . . . . 3-1

    Configuring Security Services . . . . 4-1
        Configuring Security Services . . . . 4-1
        Context parameter worksheets . . . . 4-1
        Debugging Teamcenter Security Services . . . . 4-13
        Configuring the Login Service . . . . 4-15
        Configuring the Identity Service . . . . 4-18
        Configuring the secure socket layer (SSL) . . . . 4-24
        Deploying Security Services on Web application servers . . . . 4-27

    Setting environment variables . . . . 5-1
        Setting environment variables . . . . 5-1

    Verifying Security Services . . . . 6-1
        Verifying Security Services . . . . 6-1
        Test Identity Service . . . . 6-1
        Test Login Service . . . . 6-1
        Test Java API documentation . . . . 6-3
        Verify DNS lookup of Active Directory domain controllers . . . . 6-3

    Customizing Security Services . . . . 7-1
        Customizing Security Services . . . . 7-1
        Customize the logon window . . . . 7-1
        Customizing the identity provider . . . . 7-2
        Interoperating with commercial SSO products . . . . 7-3
        Interoperating with a password management facility . . . . 7-5

    Using Kerberos authentication . . . . 8-1
        Using Kerberos authentication . . . . 8-1

    Troubleshooting . . . . 9-1
        Troubleshooting . . . . 9-1
        General considerations . . . . 9-1
        Third-party configuration considerations . . . . 9-7
        Kerberos considerations . . . . 9-13

    Localization . . . . A-1
        Localization . . . . A-1
        Installation prerequisites for localized installations . . . . A-1
        Perform the localization installation . . . . A-2

    Configuring Teamcenter products . . . . B-1
        Configuring Teamcenter products . . . . B-1
        Teamcenter configuration . . . . B-2
        Teamcenter Enterprise configuration . . . . B-4
        Engineering Process Management configuration . . . . B-5
        Portfolio, Program and Project Management configuration . . . . B-7
        Systems Engineering and Requirements Management configuration . . . . B-8
        Community Collaboration configuration . . . . B-8
        Lifecycle Visualization configuration . . . . B-8
        Product Master Management configuration . . . . B-9

    WebSEAL, SiteMinder, File Management System (FMS), and two-way SSL for reverse proxy support . . . . C-1
        WebSEAL, SiteMinder, File Management System (FMS), and two-way SSL for reverse proxy support . . . . C-1
        Session cookie sharing with FMS . . . . C-1
        Reverse proxy servers . . . . C-2

    Glossary . . . . D-1

    Index . . . . Index-1

    Figures

    Security Services components . . . . 1-6
    Security Services communication flow . . . . 1-10
    Teamcenter Web Application Manager dialog box . . . . 2-5
    Advanced Web Application Options dialog box . . . . 2-6
    Select Solutions dialog box . . . . 2-8
    Add Web Application dialog box . . . . 2-9
    Select Solutions dialog box . . . . 2-10
    Modify Table dialog box: SSO Token Specification Table . . . . 4-19
    Add Row to Table SSO Token Specification Table dialog box . . . . 4-20
    Modify Table dialog box: LDAP Domain map . . . . 4-22
    Modify Table dialog box: Referral Credentials Table . . . . 4-23
    Java API documentation . . . . 6-3
    Add Row to Table Login Input Definitions dialog box . . . . 7-2
    Login Service parameters for the Weblogic application server . . . . 8-5
    Login Service parameters for the JBOSS application server . . . . 8-6
    Application Registry Table . . . . 8-6
    WebSEAL session cookie sharing . . . . C-3
    SiteMinder session cookie sharing . . . . C-4

    Chapter 1 Getting started with Security Services

    Getting started with Security Services . . . . 1-1
    Siemens PLM Software customization support . . . . 1-2
    Prerequisites . . . . 1-3
        Supported Web application servers . . . . 1-3
        Supported Web browsers . . . . 1-3
        Supported LDAP directories . . . . 1-3
        Java environment . . . . 1-3
        Teamcenter Security Services product support . . . . 1-3
    Basic concepts about Security Services . . . . 1-4
    Security Services components . . . . 1-7
        Session management . . . . 1-7
            Logon credentials . . . . 1-7
            Application IDs . . . . 1-7
            Security Services application tokens . . . . 1-8
            Teamcenter Security Services session lifetime . . . . 1-8
        Security Services communication channels . . . . 1-9
            Existing communication links in Teamcenter products . . . . 1-10
            Communication links between browser and Teamcenter Web applications . . . . 1-11
            Security Services session agent proprietary protocol over sockets . . . . 1-11
            Login Service proprietary protocol over HTTP . . . . 1-11
            Login Service redirection protocol over HTTP . . . . 1-11
            Identity Service proprietary protocol over HTTP . . . . 1-12
            Communicating with LDAP servers . . . . 1-12
        Using Teamcenter Security Services AutoLogin as the authentication mechanism . . . . 1-12
        Context-sensitive rights management . . . . 1-13

    Getting started with Security Services

    Teamcenter Security Services eliminates the need for multiple authentication challenges as users move from one Teamcenter application to another, and it provides a common framework to integrate with a site's single sign-on solution.

    Security Services includes the following features:

    Enables single sign-on for Teamcenter applications, such as Teamcenter Enterprise and Engineering Process Management.

    Supports single sign-on for both thin clients and rich clients.

    Enables common authentication through LDAP v3-compliant directory servers, such as Microsoft Active Directory and the Sun Java System Directory Server, and can be customized to work with other authentication services.

    Requires no user workstation installation and administration.

    Can be configured to interoperate with commercial single sign-on products.

    Incorporates a variety of security features; for example, it maintains no persistent credentials on the user's workstation.

    Supports clustering where the Identity Service Web component is deployed in a Web server cluster, enabling load balancing and failover support.

    Supports password reset for deployments where a Microsoft Active Directory user account is either marked for required password reset or where the user's password has expired.

    Provides an integrated mechanism for password management.

    Supports lightweight directory access protocol (LDAP) referrals, which allow users to be distributed across multiple LDAP servers.

    Supports Domain Name System (DNS) lookup to map a Microsoft Active Directory domain name to a set of domain controllers, as described in RFC 2782. The priority and weight information associated with each domain controller are used to select the most appropriate domain controllers for connection, and transparent failover is supported. DNS lookup operates with the primary Active Directory domain and domain referrals.


    Provides support for LDAPS, LDAP connections over a Secure Sockets Layer (SSL).

    Provides support for automatic logon, which allows Security Services to acquire and use a preauthenticated user ID from a customer-provided executable for Security Services logon. Security Services specifies the output requirements of the executable, which provides the preauthenticated user ID. You must create, deploy, maintain, and secure this executable.

    Provides a context-sensitive rights management facility. In conjunction with Global Services, Security Services can provide special pseudo user IDs, giving users enhanced rights in particular Teamcenter applications under defined circumstances.

    Provides support for Internet Protocol IPv6 client interfaces that use Teamcenter client communication system (TCCS). Because the Login Service is a client interface, it can be referenced using IPv4 or IPv6 URLs.

    Siemens PLM Software customization support

    Siemens PLM Software is committed to maintaining compatibility between Teamcenter product releases. If you customize functions and methods using published APIs and documented extension points, be assured that the next successive release will honor these interfaces. On occasion, it may become necessary to make behaviors more usable or to provide better integrity. Our policy is to notify customers at the time of the release prior to the one that contains a published interface behavior change.

    As Teamcenter evolves and advances, leveraging newly available technologies, Teamcenter will make the ability to extend and tailor Teamcenter as flexible and simple as possible. The direction is to fully leverage the developing Eclipse paradigm to consolidate the thin client and rich client frameworks. A single client framework allows extending both the thin client and rich client with a single extension. Note that this consolidation will change the current extension model for the thin client in the future.

    Siemens PLM Software does not support code extensions that use unpublished and undocumented APIs or extension points. All APIs and other extension points are unpublished unless documented in the official set of technical manuals and help files issued by Siemens PLM Software Technical Communications.

    The Teamcenter license agreements prohibit reverse engineering, including: decompiling Teamcenter object code or bytecode to derive any form of the original source code; the inspection of header files; and the examination of configuration files, database tables, or other artifacts of implementation. Siemens PLM Software does not support code extensions made using source code created from such reverse engineering.

    If you have a comment or would like to request additional extensibility, contact the Siemens PLM Software customer support representatives at GTAC for further assistance.


    Prerequisites

    Security Services requires a Web server and a browser with a Java Plug-in on a client machine.

    For information about versions of operating systems, third-party software, and Teamcenter software that are certified for your platform, see the Siemens PLM Software Certification Database:

    http://support.industrysoftware.automation.siemens.com/certification/teamcenter.shtml

    Supported Web application servers

    The following Web application servers can deploy the Security Services Web components (Login Service and Identity Service):

    Note The Web application server must support Java 1.6 or later.

    IBM WebSphere application server

    Sun Java System application server

    Oracle application server

    WebLogic application server

    JBoss application server

    Supported Web browsers

    Security Services is supported by the following Web browsers:

    Microsoft Internet Explorer

    Mozilla Firefox

    Supported LDAP directories

    Security Services can use any LDAP v3 compliant Identity Provider, and it has been validated against the following products:

    Sun Java System Directory Server

    Microsoft Active Directory

    Java environment

    In addition to installing one of the supported Web browsers, you also must install the Java 2 Runtime Environment (JRE) Java Plug-in on each client machine. You must enable popups for the Teamcenter domain.

    Teamcenter Security Services product support

    Security Services 10 is distributed with the following Teamcenter products:

    Note Security Services 10 has its own installation process that is separate from the other Teamcenter products.

    Teamcenter

    Teamcenter Enterprise


    Teamcenter engineering process management (Engineering Process Management)

    Teamcenter portfolio, program and project management (Portfolio, Program and Project Management)

    Teamcenter systems engineering and requirements management (Systems Engineering and Requirements Management)

    Teamcenter community collaboration (Community Collaboration)

    Teamcenter lifecycle visualization (Lifecycle Visualization)

    Teamcenter product master management (Product Master Management)

    Basic concepts about Security Services

    The basic concept behind Security Services is the notion of a single sign-on session. A Security Services session spans one or more Teamcenter applications. It is established after the user is successfully authenticated through a Teamcenter logon, which occurs as a side effect of the user accessing the first Teamcenter application. The session terminates when the user ends the Security Services session or after the session expires.

    Session expiration occurs if there is no interaction with Security Services over a configurable span of time, even if the user is actively using one or more Teamcenter applications. However, Security Services session expiration does not affect a user's current sessions with the Teamcenter applications; it simply means they receive a logon challenge if they start another Teamcenter application.

    Security Services consists of two deployable components:

    Login Service

    The Login Service is the Security Services component that interacts with Teamcenter client applications. On behalf of those clients, it challenges the user with a logon prompt and collects the supplied user ID and password. Following authentication of those credentials, it returns a Teamcenter Security Services application token to the Teamcenter client application. The Login Service is also the repository for active Security Services sessions. That is, it holds the state information essential to the single sign-on capability of Security Services. In the Web Application Manager, this service appears as Teamcenter Security Services Login Service Web Application.

    Identity Service

    The Identity Service authenticates user credentials, meaning it verifies a user ID and password against an underlying identity provider. That provider can be an LDAP directory or a customer-provided facility. The Identity Service also interacts with Teamcenter server applications to validate Teamcenter Security Services application tokens. In a typical single sign-on deployment, user credentials are collected and submitted by the Login Service. However, the Identity Service is independent of the Login Service. Other applications can furnish user credentials directly for authentication, using the Identity Service simply as an interface to an identity provider. In the Web Application Manager, this service appears as Teamcenter Security Services Identity Service Web Application. The Identity Service is configured for a default LDAP identity provider implementation, but it can be configured to work with a variety of implementations.

    The Login Service loads applets for rich and thin clients on the client computer. These applets are written in Java and use Java Object Signing.

    Using applets for these purposes avoids any need to install executables on client computers to support Security Services.

    Teamcenter Security Services session agent applet

    This applet, which lasts the lifetime of the Security Services session, represents the session to the user. It contains no Security Services session information directly, but it connects the Teamcenter client to the Login Service. This applet appears as a small browser on your desktop, which you can minimize without affecting the Security Services session. Clicking the Logout button in this dialog box ends the Security Services session. You must enter your logon credentials to launch another client.

    Teamcenter Security Services session detector applet

    When a thin client Teamcenter application is started, the Login Service loads a session detector applet instance, which determines if there is an active Security Services session.

    Teamcenter Security Services status reporter applet

    This applet assists the internal establishment of a Security Services session with the rich client.

    Teamcenter Security Services autologon applet

    This applet is used in place of the Security Services status reporter applet in Security Services deployments configured for autologon. This applet invokes and communicates with a user-supplied executable that runs in place of the usual interactive challenge to acquire JRE user credentials.

    The Login Service, the Identity Service, and the Java applets use Java Object Signing. With Java Object Signing, the Security Services applets do not directly read any certificate store. On the clients, access to certificate stores is handled by the Java browser plug-in run-time environment (JRE).

    Security Services normally requires each Teamcenter user to have a single Teamcenter user identifier and associated password established in the underlying identity provider, aside from the special cases where Security Services AutoLogin or commercial SSO are used without aliasing user names (see Customizing Security Services).

    The Teamcenter application maintains a user ID for each user, along with other information about the user that serves the specific needs of that application. This provides each user with a known identity within the Teamcenter application, in addition to a global ID. These IDs can be identical, but they are not required to be. The Security Services libraries provide a means for a Teamcenter application to obtain the appropriate user identity within that application.

    The following figure illustrates the interaction between these components.

    Figure: Security Services components

    The Login Service is a Web application that controls logon challenges. Teamcenter Web applications interact with the Login Service through a Web redirection protocol and the Security Services applets. Teamcenter rich clients interact with the Login Service through the Security Services client library and the Security Services applets. The Login Service interacts with the Identity Service to authenticate users and to generate Security Services tokens.

    The Identity Service is also a Web application. Teamcenter servers and Web applications interact with the Identity Service interfaces to an identity provider (for example, an LDAP repository) to authenticate users and to determine the user's alias for a specific Teamcenter application.

    You can deploy both the Login Service and Identity Service in a clustered Web server environment. This enables load balancing and failover. Some Teamcenter applications can be configured to use the Identity Service directly for authentication. If single sign-on capability is not needed, this means the Identity Service can be deployed without the Login Service. This is known as authentication-only mode.

    When a Security Services-enabled Teamcenter application is first launched, that application (either a thin client or rich client application) invokes the Login Service. Because there is no active Security Services session, the Login Service challenges you with a logon window. In that window, enter your Teamcenter user name and password, and, if desired, a locale from the displayed list.

    If Security Services is configured to authenticate users using Microsoft Active Directory, you can enter the user ID in domain\username format, for example, acme.com\john. If you omit the domain, the domain is assumed to be the base DN (base distinguished name) configured in the Identity Service.
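The following Python example is added here to make two points from this chapter concrete: the domain\username convention with the base DN as the default domain (this paragraph), and the RFC 2782 DNS lookup that maps an Active Directory domain to a prioritised, weighted set of domain controllers with transparent failover (chapter feature list). It is not code from the manual or from Teamcenter; the SRV answers, host names, the base-DN-to-domain mapping and the reachability probe are constructed assumptions.

```python
"""Logon domain -> SRV records -> ordered, failover-capable domain controller list."""
import random


def base_dn_to_domain(base_dn):
    """'DC=acme,DC=com' -> 'acme.com': the DNS domain implied by the base DN
    (assumption: only DC= components name the domain)."""
    labels = []
    for rdn in base_dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.upper() == "DC" and value:
            labels.append(value)
    return ".".join(labels).lower()


def split_logon_name(logon, base_dn):
    """Parse domain\\username; a bare user name falls back to the base DN's domain."""
    if "\\" in logon:
        domain, user = logon.split("\\", 1)
        return domain.lower(), user
    return base_dn_to_domain(base_dn), logon


def srv_name_for_domain(domain):
    """SRV owner name under which Active Directory publishes LDAP-capable DCs."""
    return "_ldap._tcp.dc._msdcs." + domain


# Constructed SRV answers; a real deployment would resolve srv_name_for_domain() via DNS.
SAMPLE_SRV = {
    "_ldap._tcp.dc._msdcs.acme.com": [
        {"priority": 10, "weight": 50, "port": 389, "target": "dc2.acme.com"},
        {"priority": 0, "weight": 100, "port": 389, "target": "dc1.acme.com"},
        {"priority": 0, "weight": 0, "port": 389, "target": "dc3.acme.com"},
    ],
}


def order_targets(records, seed=0):
    """RFC 2782 ordering: lowest priority value first; within one priority,
    targets are drawn one at a time with probability proportional to weight.
    Zero-weight targets are taken only after all weighted ones (a simplification
    of the RFC's zero-weight rule). `seed` makes the draw reproducible."""
    rng = random.Random(seed)
    by_priority = {}
    for rec in records:
        by_priority.setdefault(rec["priority"], []).append(rec)
    ordered = []
    for prio in sorted(by_priority):
        pool = list(by_priority[prio])
        while pool:
            total = sum(r["weight"] for r in pool)
            if total == 0:
                pick = pool[0]
            else:
                n = rng.randrange(total)
                running = 0
                for r in pool:
                    running += r["weight"]
                    if running > n:
                        pick = r
                        break
            ordered.append(pick)
            pool.remove(pick)
    return ordered


def select_controller(ordered, probe):
    """Transparent failover: the first target the probe reports reachable wins."""
    for rec in ordered:
        if probe(rec["target"], rec["port"]):
            return rec["target"]
    return None


def controller_for_logon(logon, base_dn, probe, srv_lookup=SAMPLE_SRV.get, seed=0):
    """End to end: logon name -> domain -> SRV records -> reachable controller."""
    domain, _user = split_logon_name(logon, base_dn)
    records = srv_lookup(srv_name_for_domain(domain)) or []
    return select_controller(order_targets(records, seed), probe)


if __name__ == "__main__":
    def probe(host, port):          # constructed: pretend dc1 is down
        return host != "dc1.acme.com"
    print(controller_for_logon(r"acme.com\john", "DC=acme,DC=com", probe))
```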


    After entering this information, the Login Service authenticates the provided user ID. If your credentials are not valid, the logon window redisplays containing an error message (for example, invalid password) in the selected language.

    If you are using a thin client application, the browser returns you to the application's home page. If you are using a rich client application, a Teamcenter welcome window displays.

    After logging on to your Teamcenter application, the system displays the Security Services Session Agent window on your client desktop. This window represents your Security Services session. It is through this window that subsequent Teamcenter applications join your Security Services session. Do not close the window unless you are ready to end your session; however, you can minimize it. After logging off the Session Agent window, launching another Teamcenter application displays a new logon window.

    Security Services components

    Security Services incorporates a range of mechanisms to ensure the security and integrity of user credentials and the single sign-on session. This section explains these mechanisms and provides some guidelines for deploying single sign-on in a secure manner.

    You should understand the following areas regarding the security implications of Security Services:

    Session management, such as integrity of the sessions and credentials.

    Communication channels over which single sign-on credentials are transmitted.

    Session management

    Session management consists of logon credentials, Security Services tokens, and Security Services session lifetime.

    Logon credentials

    Users log on to Security Services through a browser. The user's logon credentials are transmitted from the workstation using HTTP or HTTPS (selected during Security Services configuration) to the Login Service, and subsequently to the Identity Service and the LDAP repository. After the user's credentials are authenticated, the credentials are not accessed or transmitted as users launch subsequent Teamcenter applications that join their Security Services session.

    Application IDs

    An application is represented within Security Services as a unique text string known as an application ID. You must define an application ID for each Teamcenter application in your Security Services domain. You use these application IDs when completing the Application Registry table.


    Security Services application tokens

    Teamcenter Security Services application tokens represent authenticated userswithin Security Services. These tokens essentially replace the users originalcredentials for Teamcenter applications joining the users Security Services session.Each time a user launches a Teamcenter application, Security Services creates atoken and delivers it to the applications client. The client forwards this token to theapplications underlying server, which then submits the token back to the SecurityServices Identity Server for validation.

    Using Teamcenter Security Services application tokens avoids the obvious securityissue that would be present if the users credentials were passed among Teamcenterclients and servers. Teamcenter Security Services tokens security is achieved usingthe following mechanisms:

    Tokens are never stored on the client workstation. They are passed from thebrowser to rich clients, but they do not persist on the workstation as cookies, infiles, or any other form.

    Tokens are specific to each installed Teamcenter product. Each token includesa tag indicating the installed Teamcenter product to which it applies. Thistag is established for each Teamcenter product during installation. No otherapplication can submit a token unless its tag matches the tokens tag.

    Tokens have a configurable (typically short) lifetime.

    Tokens are encrypted. Encryption keys are maintained exclusively within theLogin and Identity Services.

    A new type of Teamcenter Security Services application token is used only inconjunction with mediating applications. Mediating applications (Global Servicesis currently the only such application) can assume the role of a Security Servicessession agent and submit special Security Services logon requests, which includethe usual target application ID plus an additional pseudo application ID. All logonrequests to Security Services return a Teamcenter Security Services applicationtoken built for the target application, but the token Teamcenter Security Servicesreturns to the mediating application has a special structure: It contains an innertoken, which is intended for the target application and contains an alias user ID.Security Services looks up that alias user ID for the target application in the LDAPidentity provider, keying off the actual user ID and pseudo application ID. Thattoken is returned to the mediating application wrapped in an outer token that isseparately encrypted. The mediating application decrypts the outer token andextracts and forwards the inner token to the target application, which subsequentlyvalidates that token back with Security Services, conferring the alias user IDs levelof authentication for the real user on the target application.

    Configuration for this new feature involves setting a mediator password, configuring pseudo application IDs in the Application Registry table, and adding LDAP entries for the pseudo application IDs, as described in Setting up an LDAP server for Security Services.

    Teamcenter Security Services session lifetime

    Once authenticated, a Teamcenter Security Services session exists until the user logs off of each participating Teamcenter application. Any Teamcenter application launched by the user after the initial logon joins the user's existing session without presenting another logon window to the user. Therefore, security of the session assumes the user's workstation is secure; for example, that it is not left unattended.

    Security Services includes a configuration setting that defines the maximum Teamcenter Security Services session idle time. If a Teamcenter Security Services session is found to be idle for longer than the specified time, the session is automatically closed. If a new Teamcenter application is launched, the user receives a new logon window.

    Security Services communication channels

    A number of communication pathways are involved when deploying Security Services. SSO credentials (logon credentials and Teamcenter Security Services tokens) are transmitted over these channels. Some but not all of the pathways and protocols employ proprietary Security Services protocols. The following figure shows the various communication channels involved in a Teamcenter deployment.

    [Figure: Security Services communication flow. The diagram shows a user workstation (browser and Teamcenter rich clients) separated by a firewall from Teamcenter servers, Teamcenter Web applications, the Teamcenter Security Services Login Service and Identity Service, and their databases and LDAP server. Legend of the communication pathways shown:]

    Existing product-specific communication pathways (non-SSO-specific)

    Standard HTTP/HTTPS communication (non-SSO-specific)

    Proprietary Teamcenter Security Services IPC communication protocol over sockets

    Proprietary Teamcenter Security Services Login Service protocol over HTTP or HTTPS

    Proprietary Teamcenter Security Services Identity Service protocol over HTTP or HTTPS

    Teamcenter Security Services Identity Service and LDAP communication

    Teamcenter Security Services Login Service redirection protocol

    Security Services communication flow

    Existing communication links in Teamcenter products

    Many of the communication links over which Teamcenter Security Services tokens are transmitted are specific to individual Teamcenter products. Several typical deployments of both Web-based and non-Web-based Teamcenter applications appear in the diagram. Teamcenter Security Services tokens are transmitted from clients (rich clients or Web applications) to servers as part of the protocol explained in the previous section.


    For information regarding the security of data transmitted between those clients and servers, see your Teamcenter product documentation.

    Communication links between browser and Teamcenter Web applications

    Some Teamcenter applications offer thin client interfaces, including the Login Service. This browser communication is not specific to Teamcenter Security Services, but user logon credentials are transmitted using Web protocols. It is assumed that these and other Web applications are deployed behind a firewall and on Web servers that employ secure communication protocols (for example, SSL).

    Security Services session agent proprietary protocol over sockets

    Part of the Security Services solution involves communication between rich clients and Security Services session agent applets running in the browser. This is a proprietary protocol based on sockets. The communication over this channel includes transmission of Security Services tokens, and its security is based on the following mechanisms:

    It uses an unpublished protocol specific to Security Services.

    It is confined to a single user workstation.

    It employs unpublished port numbers.

    It incorporates the application's unique tag defined during installation.

    It leverages OS security mechanisms such that only the OS user can initiate the protocol.

    Login Service proprietary protocol over HTTP

    In parallel with the normal browser communication, the Security Services session agent applet communicates with the Login Service using a proprietary protocol over HTTP. This communication channel is involved in the transmission of Security Services tokens to rich clients. The security of this channel is based on the following mechanisms:

    It uses an unpublished protocol specific to Security Services.

    It is built on top of a secure underlying communication protocol. That is, it is assumed that the Login Service is on a Web server employing secure communications, such as SSL.

    Login Service redirection protocol over HTTP

    Teamcenter thin client applications interact with the Login Service using a Web redirection protocol. It is through this protocol that an application obtains a Security Services token. There are two key mechanisms that ensure the security of tokens:

    The Web application must provide its unique application tag.

    The application return URL is configured during installation and the token can only be returned to that URL.


    Identity Service proprietary protocol over HTTP

    Teamcenter applications interact with the Identity Service to validate Security Services tokens by using a proprietary protocol over HTTP. Generally, this communication occurs behind security boundaries. Some Teamcenter deployments involve the installation of servers outside the security boundary. The following mechanisms ensure the integrity and security of this communication:

    It uses an unpublished protocol specific to Security Services.

    Callers of the Identity Service must provide the unique application tag (defined during installation) in each transmission.

    The Identity Service can be deployed on a web server configured to use SSL.

    Communicating with LDAP servers

    Security Services leverages LDAP connections for its communication with an underlying LDAP server. If desired, these can occur over SSL (LDAPS).

    For more information, see Enable SSL for Security Services components.

    Using Teamcenter Security Services AutoLogin as the authentication mechanism

    A customer-supplied executable writes the current user's user ID as a string to standard output. The SSOAutoLoginApplet applet reads this user ID value from standard output and uses it to create a Security Services session.

    If an error occurs, based on the value of tcsso.use_autologin_default, either the logon window is displayed with an error message or an error window is displayed. Once you create a Security Services session, all standard Security Services functionality is available.

    Note

    If you use Security Services AutoLogin or commercial SSO and you disabled user aliasing, you do not need LDAP in your Security Services deployment.

    Using this external executable customization creates possible security issues and puts an additional security burden on the customer environment. The path name and command line argument for the autologon executable on the user's workstation is a context parameter in the Login Service installation. This parameter must be the full path name of the executable. If only the executable name is used, a user can place a different executable with the same name in the system path prior to the desired executable, which would allow spoofing.

    The executable used to supply user information to the Login Service must have rigorous file security in place, allowing only a Security Services administrator to read or modify it. Also, the communication and transmission of the user information from the executable to the Login Service is a possible security breach, and that transmission must be protected from interception.

    Siemens PLM Software is not responsible for security issues created by use of this customization point.
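As an added check for the AutoLogin customization point, not part of this manual or of Security Services: the Python script below tests a Login Service autologin setting against the requirements stated in the note (full path name, file readable and writable only by the administrator) and validates the user ID the executable writes to standard output. It assumes the context parameter holds the path followed by optional arguments in POSIX shell quoting, checks POSIX mode bits only (Windows ACLs are not covered), and builds a constructed sample executable in build_demo().

```python
"""Checks for the Security Services AutoLogin customization point.

Added example, not Siemens code. The Login Service context parameter is
assumed to hold the autologin executable path followed by optional
command-line arguments in POSIX shell-quoted form; only POSIX mode bits
are checked (Windows ACLs are out of scope). The sample executable built
by build_demo() is constructed for illustration.
"""
import os
import shlex
import stat
import tempfile

GROUP_OR_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH
GROUP_OR_OTHER_READ = stat.S_IRGRP | stat.S_IROTH


def check_autologin_parameter(param_value, admin_uid):
    """Return a list of findings for an autologin executable setting ([] is clean).

    Requirements from the manual: the parameter must name the executable by its
    full path (a bare name is resolved through PATH and can be spoofed), and only
    the Security Services administrator may read or modify the file.
    """
    parts = shlex.split(param_value)
    if not parts:
        return ["context parameter is empty"]
    exe = parts[0]
    if not os.path.isabs(exe):
        return [f"{exe!r} is not a full path; a bare name is resolved via PATH and can be spoofed"]
    if not os.path.isfile(exe):
        return [f"{exe} does not exist or is not a regular file"]

    findings = []
    st = os.stat(exe)
    if st.st_uid != admin_uid:
        findings.append(f"{exe} is owned by uid {st.st_uid}, not the administrator uid {admin_uid}")
    if st.st_mode & GROUP_OR_OTHER_WRITE:
        findings.append(f"{exe} is writable by group or others")
    if st.st_mode & GROUP_OR_OTHER_READ:
        findings.append(f"{exe} is readable by group or others")
    # A writable parent directory lets a non-administrator rename or replace the
    # file without touching its mode bits, so the directory is checked as well.
    parent = os.path.dirname(exe)
    if os.stat(parent).st_mode & GROUP_OR_OTHER_WRITE:
        findings.append(f"directory {parent} is writable by group or others")
    return findings


def parse_autologin_output(stdout_text):
    """Return the user ID the executable wrote, or None if the output is not one token.

    The applet expects a single user ID string on standard output; empty output,
    several lines, or embedded whitespace are treated as an error rather than a
    user ID.
    """
    lines = [ln.strip() for ln in stdout_text.splitlines() if ln.strip()]
    if len(lines) != 1 or len(lines[0].split()) != 1:
        return None
    return lines[0]


def build_demo():
    """Create a constructed sample executable and check several parameter values."""
    workdir = tempfile.mkdtemp()
    os.chmod(workdir, 0o700)
    exe = os.path.join(workdir, "tc_autologin")
    with open(exe, "w") as fh:
        fh.write("#!/bin/sh\necho jhill\n")      # constructed sample executable
    os.chmod(exe, 0o700)                         # owner only: read, write, execute
    me = os.getuid()
    results = {
        "full_path_locked_down": check_autologin_parameter(f"{exe} --domain corp", me),
        "bare_name": check_autologin_parameter("tc_autologin --domain corp", me),
        "empty": check_autologin_parameter("", me),
    }
    os.chmod(exe, 0o755)                         # loosened: group and others can read it
    results["world_readable"] = check_autologin_parameter(exe, me)
    return results


if __name__ == "__main__":
    for name, findings in build_demo().items():
        print(f"{name}: {findings or 'OK'}")
    print(parse_autologin_output("jhill\n"))
```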


    Context-sensitive rights management

    In conjunction with Teamcenter Global Services, Security Services introduces a facility to provide access between pairs of PDM applications where both applications (home and target) are members of a local PDM domain. The access between the home and the target applications is mediated by Global Services, so we refer to Global Services in this role as the mediating application. The level of authorization associated with an instance of this access depends on the identities of the initiating Teamcenter user and each of the participating PDM applications and the nature of the access. Global Services distills those attributes into a pseudo application ID and requests an application token for the pseudo application from the Login Service. Security Services returns a token to the mediating application containing an alias user ID that is recognized by the target application.

    This access between the mediating application and the target application is referred to as a trust relationship. The target application does not authenticate the underlying user but trusts that the mediating application has authenticated and authorized that user for the activity implied by the alias user ID.

    Configuring trust relationships requires additional LDAP table configuration, an additional Identity Service context parameter, and additional entries in the Identity Service Application Registry table.

    For information about configuration, see Setting up an LDAP server for Security Services and Configuring Security Services.

    Chapter 2 Installing Security Services

    Installing Security Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1

    Basic guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1

    Basic installation process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2

    Upgrade to Security Services 10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2

    Installation files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3

    Create the WEB_ROOT directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4

    Copy installation files from the software distribution image . . . . . . . . . . . . . . 2-4
        Copy files in Windows Explorer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4
        Copy files in UNIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5

    Launch the Web Application Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5

    Create the Login Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6
        Name the Login Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6
        Choose advanced options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6
        Enter disk locations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7
        Select the solution type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7
        Select solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7

    Create the Identity Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-8

    Logging Teamcenter application information . . . . . . . . . . . . . . . . . . . . . . . . . 2-10

    Installing Security Services

    Teamcenter Security Services consists of two deployments: the Login Service and the Identity Service.

    Login Service

    The Login Service is a client interface, which means that it can be referenced using IPv4 or IPv6 URLs. Any application that configures a link to the Login Service must be able to input IPv4 and IPv6 addresses. No configuration changes are required within the Login Service.

    Identity Service

    The Identity Service can only be referenced using IPv4 addressing. A table within the Identity Service points to the application root URL and, because it is a client interface, it must accept IPv4 and IPv6 URLs.

    Basic guidelines

    Following are some basic guidelines relative to a Teamcenter deployment that includes Security Services:

    User workstations must be secure. Once signed on, a single sign-on session exists on the user's workstation, which other Teamcenter applications can join without another logon window being displayed. Furthermore, the Security Services session agent functionality depends on the user's operating system security.

    Deploy the Login Service on a Web server using secure communication, for example, Secure Sockets Layer (SSL).

    If the Security Services deployments are not behind a firewall, deploy the Identity Service on a Web server using SSL. This requires server certificates where the Teamcenter applications are deployed.

    For more information, see Configuring the secure socket layer (SSL).

    If the Security Services Login Service and Identity Service are deployed behind a firewall, no SSL is needed between them. Clients do not see this URL traffic and the firewall guarantees communication between them is secure.

    Set the token lifetime configuration setting low, typically 1 to 5 minutes.

    Configure the session lifetime long enough to avoid the user inconvenience caused by multiple sign-ons but short enough to provide a measure of security in case users inadvertently leave their machine logged on but unattended. Typically, other mechanisms (for example, operating system security features) are in place to address this latter issue, in which case the session lifetime can be set from several to many hours.

    Basic installation process

    Siemens PLM Software recommends the following step-by-step deployment:

    1. Install the Security Services Login Service and Identity Service components.

    2. Fill in the Teamcenter Security Services Application Registry worksheet, showing the Teamcenter applications, their IDs, thin client URLs, LDAP attributes, and trusted settings.

    3. If LDAP is required, configure LDAP using the procedures in Setting up an LDAP server for Security Services.

    4. Verify LDAP settings using the LDAPBrowser utility.

    5. Configure the Security Services Login Service and Identity Service components.

    6. Verify your Security Services installation using the steps in Verifying Security Services. You should be able to log on to Security Services, even if no other Teamcenter products have been installed.

    7. Configure and deploy your Teamcenter products, one at a time, verifying that they work with Security Services (see Verifying Security Services). If you are using SSL and are experiencing issues, try configuring without SSL first (if possible) then change back.

    8. Refer to the troubleshooting information in Troubleshooting, which contains issues that are derived from real deployment situations.

    9. Consider upgrading to the latest version of Security Services. All stateless (Security Services 2.1 or newer) versions are cross-compatible, and all stateful (Security Services 2.0 or earlier) versions are cross-compatible. A variety of issues have been resolved, diagnostics are better, and new features have been added. Obtain an upgrade using the Siemens PLM Software Global Technical Access Center (GTAC).

    Upgrade to Security Services 10

    If you have a previous version of Security Services installed, you must perform the following steps prior to installing Security Services 10:

    Note

    If your Teamcenter application does not have Security Services 2005 SR1 (version 2.1) libraries, contact GTAC to determine if upgrading the Teamcenter application itself is necessary.


    Security Services 2005 SR1 is a stateless server design and is not compatible with older Security Services libraries installed in Teamcenter applications.

    1. Record your existing Security Services context parameter settings using the context parameter worksheets in Configuring Security Services.

    2. Remove old Security Services WAR files from your Web servers, undeploy Security Services components, and delete the old installation.

    Installation files

    Installation files for Security Services are on the software distribution image that contains the Security Services 10 directory. The following table describes which installation files are required to install each solution.

    Installation file                       Contains solutions
    INSTALL_TCWEB.EXE/TZ                    Web Application Manager
    INSTALL_SSO.EXE/TZ                      Security Services:
                                              Security Services Login Service Web application
                                              Security Services Identity Service Web application
    INSTALL_SSO_optional_language.EXE/TZ    Optional language file. Optional languages include the following:
                                              INSTALL_SSO_CS_CZ.EXE/TZ (Czech)
                                              INSTALL_SSO_DE_DE.EXE/TZ (German)
                                              INSTALL_SSO_ES_ES.EXE/TZ (Spanish)
                                              INSTALL_SSO_FR_FR.EXE/TZ (French)
                                              INSTALL_SSO_IT_IT.EXE/TZ (Italian)
                                              INSTALL_SSO_JP_JP.EXE/TZ (Japanese)
                                              INSTALL_SSO_KO_KO.EXE/TZ (Korean)
                                              INSTALL_SSO_PL_PL.EXE/TZ (Polish)
                                              INSTALL_SSO_PT_BR.EXE/TZ (Brazilian Portuguese)
                                              INSTALL_SSO_RU_RU.EXE/TZ (Russian)
                                              INSTALL_SSO_ZH_CN.EXE/TZ (Chinese traditional)
                                              INSTALL_SSO_ZH_TW.EXE/TZ (Chinese Taiwan)

    Create the WEB_ROOT directory

    Before you copy installation files for Teamcenter thin client solutions, create a home directory for the thin client solutions on the Web application server host (for example, webbase). You eventually deploy the Login Service and Identity Service WAR files from within this directory. This directory is called WEB_ROOT.

    Copy installation files from the software distribution image

    Copy installation files for Security Services to the Web application server host in Windows Explorer or UNIX.

    Copy files in Windows Explorer

    1. Insert the software distribution image that contains the Security Services 10 directory.

    2. Browse to the Windows directory on the software distribution image where the INSTALL_TCWEB.EXE and INSTALL_SSO.EXE files are located.

    3. Double-click the INSTALL_TCWEB.EXE program icon. WinZip displays a self-extractor dialog box.

    4. In the Unzip to Folder box, enter the path to your Web tier installation directory (WEB_ROOT), then click Unzip. WinZip extracts the installation files.

    5. Click Close to close the WinZip self-extractor dialog box.

    6. Double-click the INSTALL_SSO.EXE program icon. WinZip displays a self-extractor dialog box.

    7. In the Unzip to Folder box, enter the path to your Web tier installation directory (WEB_ROOT), then click Unzip. WinZip extracts the installation files.

    8. To install an optional language, double-click the Install_SSO_optional_language.EXE icon. WinZip displays a self-extractor dialog box.

    In the Unzip to Folder box, enter the path to your Web tier installation directory (WEB_ROOT), then click Unzip. WinZip extracts the installation files.

    Repeat this step for each optional language you install.

    9. Click Close to close the WinZip self-extractor dialog box.


    Copy files in UNIX

    1. Insert the software distribution image that contains the Security Services 10 directory.

    2. Change the directory to your WEB_ROOT directory.

    3. Copy the files using the following commands:

    uncompress -c


    Create the Login Service

    To create the Login Service, click Add in the Teamcenter Web Application Manager dialog box.

    The Web Application Manager displays the Add Web Application dialog box.

    Name the Login Service

    Replace the default entries in the Name and Staging Location boxes with the actual name and location of the Login Service. These will identify the Login Service to your Web server. These are used as path and file names, so follow the naming constraints of your host operating system. If you want to include a description, enter one in the Description box.

    Choose advanced options

    For more configuration options for your Web application, click Advanced Web Application Options.

    The Web Application Manager displays the Advanced Web Application Options dialog box.

    Advanced Web Application Options dialog box

    Select the Automatically Build Deployable File option to automatically build a deployable file for your Login Service application after installing the logon solution. This triggers the build of a WAR file after you complete this initial installation and after every configuration change.

    Specify the WAR file name in the Deployable File Name box. This is the name of the file that is deployed by your Web server. You may want to use the same name you specified as the name of the service in the previous dialog box.

    For your initial install of the Login and Identity services, you can leave the remaining selections at their default settings.

    Click OK to exit the Advanced Web Application Options dialog box and return to the Add Web Application dialog box.


    Enter disk locations

    The Disk Locations for Install Images box contains the default path to the installation files for the Teamcenter solutions on the software distribution image. For this install, select the directory containing the INSTALL_TCWEB.EXE/TZ and INSTALL_SSO.EXE/TZ files for your system. You can change this default path if necessary by selecting one default path and clicking Modify.

    Note Additional language support requires the same process for each INSTALL_SSO_optional_language.EXE file. Add this location to the list of disk locations. For example, the install_root\de_de location contains the following files for the German language:

    TEAMCENTER_SSO_LOGINSERVICE_DE_DE.JAR

    TEAMCENTER_SSO_LDAPIDPROVIDER_DE_DE.JAR

    TEAMCENTER_SSO_LOGINSERVICE_HELP_DE_DE.JAR

    Select the solution type

    Using the list, select Thin Client as the solution type. This is the default.

    Select solutions

    To select the Login Service, click Solutions in the Add Web Application dialog box.

    The Web Application Manager displays the Select Solutions dialog box. Any language localizations you specified in the Enter disk locations step, along with the Java API Documentation solution, appear along with the Login Service and Identity Service.

    Note The Java API documentation describes the APIs exposed by the Login Service and Identity Service. If you want to deploy the Java API Documentation solution, select it as part of your Login Service deployment.

    Select Teamcenter Security Services Login Service Web Application. At this point, the Identity Service solution and its related language localizations are unavailable as the two services are mutually exclusive. However, the language localizations for the Login Service remain active.


    Select Solutions dialog box

    After you make your selections, click OK in the Select Solutions dialog box, and click OK in the Add Web Application dialog box. Then, click OK in the Progress box that follows.

    Create the Identity Service

    To create the Identity Service, click Add in the Teamcenter Web Application Manager dialog box.

    The Web Application Manager displays the Add Web Application dialog box.


    Add Web Application dialog box

    As in the Login Service installation, enter a value in the Name, Staging Location, and (optionally) Description boxes for your Web application. Refer to the previous discussion on the Advanced Web Application Options, the Disk Locations for Install Images, and the Solution Type.

    To select the Identity Service, click Solutions from the Add Web Application dialog box.

    The Web Application Manager displays the Select Solutions dialog box.

    Select Teamcenter Security Services Identity Service Web Application. At this point, the Login Service solution and its related language localizations are unavailable as the two services are mutually exclusive. However, the language localizations for the Identity Service remain active.


    Select Solutions dialog box

    After you make your selections, click OK in the Select Solutions dialog box, and click OK in the Add Web Application dialog box. Then, click OK in the Progress box that follows.

    Logging Teamcenter application information

    To prepare for the next step of configuring your LDAP, enter information regarding the Teamcenter applications you intend to have on your system in the Teamcenter Security Services Application Registry worksheet. Refer to this information when you configure your LDAP for the Identity Service Web application.

    Note Consider the following when completing the Teamcenter Security Services Application Registry worksheet:

    The application ID entered for each Teamcenter application installation must correspond to the appropriate configuration variable in each product. For example, Teamcenter 10 has a TC_SSO_APP_ID configuration variable.

    The application root URL must be specified for any Teamcenter product thin client. This URL can be in either IPv4 or IPv6 format.

    The application user name attribute is the attribute name in LDAP that holds the user's alias.

    For more information on determining how to map users from their login ID within each Teamcenter application and if aliasing is required, see Setting up an LDAP server for Security Services.

    The Trusted Application box is set to false unless you are configuring a Global Services trusted application.

    The Strip Domain Name box is set to false unless all user IDs are checked for embedded domain names.

    A deployment can include multiple instances of a specific Teamcenter product. Each instance must have its own application ID.


    The Login Service Web application is a required entry in this table. Its application root URL box can contain any value, or it can be left empty.

    The Token Lifetime value is set to 600 seconds; it should be set low, typically 1 to 5 minutes.

    Teamcenter Security Services Application Registry worksheet

    Application ID | Application root URL (can be in either IPv4 or IPv6 format) | LDAP user name attribute | Trusted application | Strip domain name | Token lifetime
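The worksheet notes above can be checked mechanically before the table is entered into the Identity Service. The Python lint below is an added example, not Siemens code: it models each worksheet row as a dict with the six columns, uses the application ID TCSSOLoginService for the required Login Service entry as in this manual's LDAP examples, and runs over a constructed worksheet in demo().

```python
"""Lint for rows of the Teamcenter Security Services Application Registry worksheet.

Added example, not Siemens code. Each row is a dict with the worksheet's six
columns; the rules are the notes in this manual (unique application IDs, a
required Login Service entry, a root URL for every thin client, Trusted only
for a Global Services mediating application, and a token lifetime of 1 to 5
minutes). The sample rows in demo() are constructed.
"""
import ipaddress
from urllib.parse import urlparse

LOGIN_SERVICE_APP_ID = "TCSSOLoginService"          # Login Service ID used in the LDAP examples
MIN_TOKEN_LIFETIME, MAX_TOKEN_LIFETIME = 60, 300    # seconds: "typically 1 to 5 minutes"


def check_root_url(url):
    """Return None when url is a usable http(s) root URL, else the reason it is not.

    Host names, IPv4 literals and bracketed IPv6 literals are accepted; an IPv6
    address typed without brackets is the usual mistake and is reported.
    """
    try:
        parsed = urlparse(url)
    except ValueError:                               # newer Pythons reject bad bracketed hosts here
        return "root URL could not be parsed"
    if parsed.scheme not in ("http", "https"):
        return "root URL must start with http:// or https://"
    netloc = parsed.netloc
    if netloc.count(":") > 1 and not netloc.startswith("["):
        return "IPv6 literal must be enclosed in square brackets, e.g. https://[2001:db8::1]:8443/"
    try:
        parsed.port                                  # raises ValueError for a malformed port
    except ValueError:
        return "port is not a valid integer"
    if not parsed.hostname:
        return "root URL has no host"
    if netloc.startswith("["):
        try:
            ipaddress.IPv6Address(parsed.hostname)
        except ValueError:
            return f"{parsed.hostname} is not a valid IPv6 address"
    return None


def lint_registry(rows, thin_client_ids, mediating_ids=frozenset()):
    """Return a list of finding strings for the worksheet rows ([] means clean)."""
    findings = []
    ids = [row["application_id"] for row in rows]
    for dup in sorted({i for i in ids if ids.count(i) > 1}):
        findings.append(f"{dup}: application ID used by more than one instance; each instance needs its own ID")
    if LOGIN_SERVICE_APP_ID not in ids:
        findings.append(f"required Login Service entry {LOGIN_SERVICE_APP_ID} is missing")
    for row in rows:
        app = row["application_id"]
        # The Login Service row may leave its root URL empty; thin clients may not.
        if app in thin_client_ids:
            if not row.get("root_url"):
                findings.append(f"{app}: thin client needs an application root URL")
            else:
                reason = check_root_url(row["root_url"])
                if reason:
                    findings.append(f"{app}: {reason}")
        if row.get("trusted") and app not in mediating_ids:
            findings.append(f"{app}: Trusted application must be false unless this is a Global Services trusted application")
        if row.get("strip_domain"):
            findings.append(f"{app}: Strip domain name is true; confirm all user IDs are checked for embedded domain names")
        lifetime = row.get("token_lifetime")
        if not isinstance(lifetime, int) or not MIN_TOKEN_LIFETIME <= lifetime <= MAX_TOKEN_LIFETIME:
            findings.append(f"{app}: token lifetime {lifetime} s is outside the recommended "
                            f"{MIN_TOKEN_LIFETIME}-{MAX_TOKEN_LIFETIME} s")
    return findings


def demo():
    """Lint a constructed worksheet that contains several typical mistakes."""
    rows = [
        {"application_id": LOGIN_SERVICE_APP_ID, "root_url": "", "ldap_attribute": "uid",
         "trusted": False, "strip_domain": False, "token_lifetime": 600},        # default left in place
        {"application_id": "TcEngineering", "root_url": "https://[2001:db8::10]:8443/tc",
         "ldap_attribute": "TcEngUserName", "trusted": False, "strip_domain": False, "token_lifetime": 120},
        {"application_id": "TcEngineering", "root_url": "https://2001:db8::11:8443/tc",     # second instance, same ID
         "ldap_attribute": "TcEngUserName", "trusted": False, "strip_domain": False, "token_lifetime": 120},
        {"application_id": "TcRequirements", "root_url": "", "ldap_attribute": "TcReqUserName",
         "trusted": True, "strip_domain": True, "token_lifetime": 120},
    ]
    return lint_registry(rows, thin_client_ids={"TcEngineering", "TcRequirements"})


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```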

    Chapter 3 Setting up an LDAP server for Security Services

    Setting up an LDAP server for Security Services . . . . . . . . . . . . . . . . . . . . . . 3-1

    LDAP requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1
        Example 1 Defining multiple attributes . . . . . . . . . . . . . . . . . . . . . . . . 3-2
        Example 2 Defining a single shared Teamcenter attribute . . . . . . . . . . . 3-3
        Example 3 Defining pseudo application IDs . . . . . . . . . . . . . . . . . . . . . 3-3
        Example 4 No schema changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4

    Setting up an LDAP server for Security Services

    Siemens PLM Software provides a Windows-based diagnostic utility to help you determine proper LDAP settings for the Security Services Identity Service configuration. You can download it from the GTAC site:

    http://support.ugs.com/

    From the main window, choose Download and Upload → Product Updates → Teamcenter Enterprise → patch → Security Services and select LDAPBrowser.zip.

    Use this tool to connect to an LDAP server, examine naming contexts and DN entries, and verify that the connection settings are valid. The tool can authenticate a user and examine their attributes to verify that the attribute names and values are correct.

    LDAP requirements

    Security Services uses an LDAP version 3 directory server for user authentication and application-level authorization. Normally, each Teamcenter user must have a user ID and password set in the directory server, since it is against this directory server that Security Services attempts to authenticate the user's logon credentials.

    Some Security Services configurations do not require changes to the LDAP schema. Specifically, if all users are authorized to launch all Teamcenter applications (note that each application does its own authorization checks, so Security Services cannot override the applications' authorization settings) and the user aliases within all Teamcenter applications match the user logon IDs, then no schema changes are necessary.

    Further, some Security Services configurations do not require LDAP. Specifically, if the above is true and if Security Services AutoLogin or a commercial SSO is used, no LDAP is required. Otherwise, your deployment will use LDAP and you can modify the schema to achieve certain features, specifically application authorization (the ability to launch a specific Teamcenter application) and aliasing (mapping the logon ID to an application-specific user alias).

    To use application authorization and aliasing using Security Services for a Teamcenter application, you must define a user ID attribute for that Teamcenter application in the LDAP server schema. Then, set the value of that attribute to their alias for the specific application. If the user is not authorized for that application, do not set that attribute for that user. Because Teamcenter applications can share a single attribute, this implies that if a user is authorized for one application, they are authorized for the others and that they share the same alias for each user.

    Note The Login Service is a Teamcenter application and it has a corresponding attribute like any other Teamcenter application. Because every Teamcenter user must have a value set for this attribute, setting the value on this attribute for a user authorizes the user to log on to Teamcenter.

    The following sections illustrate when you might set these attributes.

    Example 1 Defining multiple attributes

    If you install Engineering Process Management and Systems Engineering and Requirements Management and each user has a distinct alias in each application, then:

    1. Create three attributes in the LDAP repository:

       uid for the Login Service

       TcEngUserName for Engineering Process Management

       TcReqUserName for Systems Engineering and Requirements Management

    2. Create (or modify) an object class in the LDAP repository to hold the three attributes, and attach that object class to each Teamcenter user entry in the repository.

    3. When you configure the Identity Service, configure the Application Registry table with these values:

       Application ID        Attribute name
       TCSSOLoginService     uid
       TcEngineering         TcEngUserName
       TcRequirements        TcReqUserName

    4. For Teamcenter user JHill, who is authorized for all Teamcenter applications, the attribute values in the LDAP directory server might be:

       uid = Joe
       TcEngUserName = Joey
       TcReqUserName = Joseph

    5. For Teamcenter user FSmith, who is only authorized to use Engineering Process Management, the attribute values in the LDAP directory server might be:

       uid = Fred
       TcEngUserName = Freddy


    Example 2 Defining a single shared Teamcenter attribute

    If you install Engineering Process Management and Systems Engineering and Requirements Management and all users share a single Teamcenter user alias that is distinct from their logon ID, and all Teamcenter users are authorized to launch all Teamcenter applications, then:

    1. Create one attribute in the LDAP repository, for example, TcUserName. This is shared by all Teamcenter applications, including the Login Service.

    2. Create (or modify) an object class to hold this attribute, and attach that object class to each Teamcenter user entry in the repository.

    3. When configuring the Identity Service, configure the Application Registry table with these values:

       Application ID        Attribute name
       TCSSOLoginService     TcUserName
       TcEngineering         TcUserName
       TcRequirements        TcUserName

    Example 3 Defining pseudo application IDs

    As in Example 1, if you install Engineering Process Management and Systems Engineering and Requirements Management and each user has a distinct alias in each application, and a pseudo application ID, TcPseudoEngineering, is defined in the Application Registry table intended for user FSmith, then:

    1. Create four attributes in the LDAP repository, for example:

       uid for the Login Service

       TcEngUserName for Engineering Process Management

       TcReqUserName for Systems Engineering and Requirements Management

       TcPseudoUserName for Engineering Process Management, but with enhanced user rights

    2. Create (or modify) an object class in the LDAP repository to hold the four attributes, and attach that object class to each Teamcenter user entry in the repository.

    3. When you configure the Identity Service, configure the Application Registry table with these values:

       Application ID        Attribute name
       TCSSOLoginService     uid
       TcEngineering         TcEngUserName
       TcRequirements        TcReqUserName
       TcPseudoEngineering   TcPseudoUserName


    4. For Teamcenter user JHill, who is authorized for all Teamcenter applications, the attribute values in the LDAP directory server are the same as in Example 1.

    5. For Teamcenter user FSmith, who is authorized to use Engineering Process Management both directly and via a mediating application with enhanced rights, the attribute values in the LDAP directory server might be:

    uid = Fred

    TcEngUserName = Freddy

    TcPseudoUserName = AdminFred

    Example 4 No schema changes

    If you install several Teamcenter applications and the user alias within each application is the same as the user's logon ID, and every user is authorized to launch each Teamcenter application (or each Teamcenter application does its own authorization), then:

    No new attributes (or object classes) are needed in the LDAP repository. Use the existing user ID attribute (for example, uid) for all the Teamcenter applications, including the Login Service.

    When you configure the Identity Service, configure the Application Registry table with these values:

       Application ID        Attribute name
       TCSSOLoginService     uid
       TcEngineering         uid
       TcRequirements        uid
       TcEnterprise          uid
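    The resolution that the four examples above describe, as an added example that is not part of this manual or of the Security Services product: a Python model of how a logon ID becomes a per-application alias through the Application Registry, and why a missing attribute means "not authorized". The in-memory directory, its DNs and the function names are assumptions of the example; a real Identity Service performs an LDAP search under BaseDN instead.

```python
# Added example, not part of the Siemens documentation or product code. It
# models how the Identity Service resolves a logon ID to a per-application
# alias through the Application Registry table, using the attribute layouts of
# Examples 1, 3 and 4. The directory below is a constructed in-memory stand-in
# for the LDAP search under BaseDN by UserObjectClass/UserAttribute, and the
# DNs are hypothetical.
from typing import Dict, Optional, Tuple

# Constructed user entries (Example 1 values for JHill, Example 3 for FSmith).
DIRECTORY: Dict[str, Dict[str, str]] = {
    "cn=JHill,ou=people,o=tcsso.com": {
        "uid": "Joe", "TcEngUserName": "Joey", "TcReqUserName": "Joseph"},
    "cn=FSmith,ou=people,o=tcsso.com": {
        "uid": "Fred", "TcEngUserName": "Freddy", "TcPseudoUserName": "AdminFred"},
}

# Application Registry tables from the examples: application ID -> attribute name.
REGISTRY_EXAMPLE_3 = {
    "TCSSOLoginService": "uid",
    "TcEngineering": "TcEngUserName",
    "TcRequirements": "TcReqUserName",
    "TcPseudoEngineering": "TcPseudoUserName",
}
REGISTRY_EXAMPLE_4 = {app: "uid" for app in (
    "TCSSOLoginService", "TcEngineering", "TcRequirements", "TcEnterprise")}


def find_user(directory: Dict[str, Dict[str, str]], user_attribute: str,
              logon_id: str) -> Optional[Dict[str, str]]:
    """Stand-in for the LDAP search: exact match on UserAttribute (default uid)."""
    matches = [e for e in directory.values() if e.get(user_attribute) == logon_id]
    # An ambiguous match is a directory defect; refuse it rather than pick one.
    return matches[0] if len(matches) == 1 else None


def resolve_alias(directory: Dict[str, Dict[str, str]], registry: Dict[str, str],
                  logon_id: str, app_id: str,
                  user_attribute: str = "uid") -> Tuple[bool, Optional[str]]:
    """Return (authorized, alias) for one application.

    Authorization is nothing more than 'the registered attribute is set on the
    entry': a missing attribute means the user may not launch that application,
    and the Login Service (TCSSOLoginService) is treated like any other one.
    """
    entry = find_user(directory, user_attribute, logon_id)
    if entry is None:
        return False, None
    attr = registry.get(app_id)  # an unregistered application ID never authorizes
    if attr is None:
        return False, None
    alias = entry.get(attr)
    return (True, alias) if alias else (False, None)


def authorized_apps(directory: Dict[str, Dict[str, str]], registry: Dict[str, str],
                    logon_id: str) -> Dict[str, str]:
    """Every application the user may launch, with the alias used in each.

    With a registry where all applications share one attribute (Example 4),
    this shows the consequence the text describes: one authorization and one
    alias for all of them.
    """
    result: Dict[str, str] = {}
    for app_id in registry:
        ok, alias = resolve_alias(directory, registry, logon_id, app_id)
        if ok and alias is not None:
            result[app_id] = alias
    return result
```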


    Chapter 4 Configuring Security Services

    Configuring Security Services . . . . . 4-1
    Context parameter worksheets . . . . . 4-1
    Debugging Teamcenter Security Services . . . . . 4-13
      Debug output files . . . . . 4-14
      Debugging from within an application . . . . . 4-14
    Configuring the Login Service . . . . . 4-15
      Launch the Web Application Manager . . . . . 4-15
      Modifying Web application information . . . . . 4-15
      Modifying context parameters . . . . . 4-15
      Values found in the Login Input Definitions table . . . . . 4-16
      Configuring a load balancer, reverse proxy, or SSO Gateway (commercial SSO) . . . . . 4-17
      Customizing the logon window . . . . . 4-18
    Configuring the Identity Service . . . . . 4-18
      Modify context parameters for the Identity Service . . . . . 4-18
      Modifying Identity Service tables . . . . . 4-18
        SSO Token Specification table configuration values . . . . . 4-19
        Application Registry table configuration values . . . . . 4-20
        LDAP Domain map . . . . . 4-21
        Referral Credentials table configuration values . . . . . 4-22
    Configuring the secure socket layer (SSL) . . . . . 4-24
      Enable SSL for Security Services components . . . . . 4-24
      Enable SSL for Teamcenter clients . . . . . 4-24
      Enable SSL for Teamcenter applications . . . . . 4-25
      Debug SSL issues . . . . . 4-26
    Deploying Security Services on Web application servers . . . . . 4-27


    Configuring Security Services

    After installing the Login Service and the Identity Service described in Basic installation process and configuring your LDAP Identity Provider, you can now configure the Login and Identity Services for your site using the Teamcenter Web Application Manager.

    Note Siemens PLM Software recommends you configure and verify Security Services on your system before you install and configure other Teamcenter applications.

    Context parameter worksheets

    Prior to beginning your configuration, complete the context parameter worksheets (Login Service context parameter worksheet and Identity Service context parameter worksheet). Your Security Services product configuration will proceed quickly if you have this information ready.

    There are context parameters associated with both the Login Service and the Identity Service. Enter the value in the Value column of these tables.

    Note Default values appear in parentheses at the end of each description.

    Login Service context parameter worksheet

    Context parameter name   Description   Value

    webmaster
        Specifies the e-mail address of the administrator to whom questions and comments about the application should be directed (change_me_webmaster_name@change_me_email_domain).

    tcsso.login_service.appid
        Specifies the Teamcenter ID of the Login Service. This value should match the corresponding entry in the Application Registry table (TCSSOLoginService).


    tcsso.login_service.http_connection_close
        Indicates whether to close or keep alive the Session Agent HTTP connection following each request to the Login Service. Change this only to solve connection issues between the Session Agent Applet and the Login Service (keep-alive).

    tcsso.login_service.rp_cookieNamePattern
        Specifies a pattern or set of patterns describing the names of cookies used by reverse proxy servers protecting Teamcenter applications (PD-H-SESSION-ID, PD-S-SESSION-ID, SMSESSION).

    tcsso.login_service.proxyURL
        Specifies the protocol://host:port URL for the Login Service when used with load balancing or commercial SSO proxies. If the value is empty, Security Services uses the HTTP request to retrieve the protocol://host:port information needed for the Login Service (blank).

    tcsso.login_service.sso_service_url
        Specifies the URL of the Identity Service (change_me).

        Note The URL must be an IPv4 address.

    tcsso.use_autologin
        Indicates whether AutoLogin is used (false).


    identityServicePassword
        Specifies a password shared between the Login Service and Identity Service to sign and encrypt security information to prevent it from being forged or viewed. It can be any value, but Siemens PLM Software recommends that it contain both letters and numbers and be at least eight characters long. The password must be the same as that specified in the Identity Service configuration (change_me_password).

    tcsso.autologin_use_default
        Indicates whether AutoLogin allows users to manually enter the logon information if the login executable fails (false).

    tcsso.wnt_autologin_exe
        Specifies the absolute path to the Windows executable to retrieve the pre-authenticated user ID for the currently logged-on user. If the executable requires command line parameters, specify them as part of this string.

        This requires all Windows client machines connecting to this Login Service to have the automatic login executable installed in the same absolute path (change_me_if_autologin).

    tcsso.Unix_autologin_exe
        Specifies the absolute path to the Linux executable to retrieve the pre-authenticated user ID for the currently logged-on user. If the executable requires command line parameters, specify them as part of this string.

        This requires all Linux client machines connecting to this Login Service to have the automatic logon executable installed in the same absolute path (change_me_if_autologin).

    tcsso.behind_sso_gateway
        Indicates the presence of a third-party SSO solution (false).

    tcsso.gateway.field.type
        Indicates how the gateway transmits credential information (Teamcenter user ID) in the HTTP request to the Login Service (header).

        Choose from the following values:

        header
        cookie
        principal
        parameter
        remote_user

        This value is ignored if tcsso.behind_sso_gateway is false.

    tcsso.gateway.field.name
        Indicates the name of the chosen field in tcsso.gateway.field.type (COMMSSOCRED).

        This value is ignored if tcsso.behind_sso_gateway is false.

    tcsso.ie.java.update.URL
        Specifies the URL of Java updates for Internet Explorer (https://java.sun.com/update/1.5.0/jinstall-1_5-windows-i586.cab).

        This value can be blank.

    tcsso.mozilla.java.update.URL
        Specifies the URL of Java updates for the Mozilla family of browsers (https://javadl.sun.com/webapps/download/GetFile/1.6.0_16-b01/windows-i586/xpiinstall.exe).

        This value can be blank.


    tcsso.forgotten.password.URL
        Specifies the URL to associate with the hypertext link for forgotten passwords on the logon window. If blank, no link appears. If the URL is valid, it is assumed that it links to a site that provides the capability for recovering or regenerating user passwords (blank).

    tcsso.online_help.enable
        Enables Security Services online help for users if set to true. If false, no online help is available (true).

    tcsso.login_service.enable_session_agent_applet
        Indicates whether the single sign-on session agent applet is enabled. If false, the applet is disabled and thin client single sign-on for rich clients does not function (true).

    tcsso.login_service.force_web_browser_login
        Indicates whether single sign-on among browser instances on the user's workstation is disabled. If true, every new browser instance receives a logon challenge (false).

    DEBUG
        Note Using the DEBUG option produces a voluminous amount of logging information.

        Indicates whether the Login Service prints debug information (warn).

        If set to true, the Login Service prints info, warn, error, and fatal information. Choose from the following values:

        warn
        false
        true
        debug
        info
        error
        fatal

        For more information, see Debugging Teamcenter Security Services.
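    A check a practitioner can run over a filled-in worksheet pair, added here and not part of this manual or of the product: it applies the constraints stated by the Login Service worksheet above and the Identity Service worksheet that follows (shared password, allowed values, numeric ranges, change_me placeholders, tables that a setting depends on) and parses LDAPHosts as described. The dict shape of the worksheets, the list shape of the Referral Credentials table and the two interpretations noted in the code comments are assumptions of the example.

```python
# Added example, not part of the Siemens documentation or product code. It checks
# filled-in worksheets against the constraints the worksheets themselves state and
# parses LDAPHosts as described. Assumptions: worksheets are plain dicts of strings,
# the Referral Credentials table a list, the sso_service_url note means an IPv4
# literal, and "substantially greater" means room for every listed server's turn.
import re
from typing import Dict, List, Tuple

GATEWAY_FIELD_TYPES = {"header", "cookie", "principal", "parameter", "remote_user"}
DEBUG_LEVELS = {"warn", "false", "true", "debug", "info", "error", "fatal"}
LDAP_CONNECT_TYPES = {"ldap", "ldaps", "auto"}
IPV4_URL = re.compile(r"^https?://(\d{1,3}\.){3}\d{1,3}(:\d+)?(/.*)?$")


def parse_ldap_hosts(ldap_hosts: str, ldap_port_no: int) -> List[Tuple[str, int]]:
    """Split the space-delimited LDAPHosts value; a trailing :port overrides LDAPPortNo."""
    servers = []
    for item in ldap_hosts.split():
        host, sep, port = item.partition(":")
        servers.append((host, int(port) if sep else ldap_port_no))
    return servers


def validate(login: Dict[str, str], identity: Dict[str, str],
             referral_credentials: List[dict]) -> List[str]:
    """Return findings as text; an empty list means the worksheets are consistent."""
    out: List[str] = []
    pw = login.get("identityServicePassword", "")
    if pw != identity.get("identityServicePassword"):
        out.append("identityServicePassword differs between Login Service and Identity Service")
    if pw.startswith("change_me") or len(pw) < 8 or not (
            re.search(r"[A-Za-z]", pw) and re.search(r"[0-9]", pw)):
        out.append("identityServicePassword: use at least 8 characters with letters and numbers")
    if not IPV4_URL.match(login.get("tcsso.login_service.sso_service_url", "")):
        out.append("tcsso.login_service.sso_service_url must be a URL with an IPv4 address")
    if (login.get("tcsso.behind_sso_gateway") == "true"
            and login.get("tcsso.gateway.field.type", "header") not in GATEWAY_FIELD_TYPES):
        out.append("tcsso.gateway.field.type must be one of " + ", ".join(sorted(GATEWAY_FIELD_TYPES)))
    debug = login.get("DEBUG", "warn")
    if debug not in DEBUG_LEVELS:
        out.append("DEBUG has an unknown value")
    elif debug == "debug":
        out.append("DEBUG=debug produces voluminous logging; use it only while troubleshooting")
    for name in ("QueryDN", "QueryDNPassword", "BaseDN"):
        if identity.get(name, "").startswith("change_me"):
            out.append(name + " still has its change_me placeholder")
    if identity.get("LDAPConnectType", "auto") not in LDAP_CONNECT_TYPES:
        out.append("LDAPConnectType must be ldap, ldaps or auto")
    if not 2 <= int(identity.get("MaxLDAPConnections", "20")) <= 100:
        out.append("MaxLDAPConnections must be between 2 and 100")
    servers = parse_ldap_hosts(identity.get("LDAPHosts", ""),
                               int(identity.get("LDAPPortNo", "389")))
    delay = int(identity.get("LDAPConnectionSetupDelay", "-1"))
    timeout = int(identity.get("LDAPConnectTimeout", "0"))
    # "Substantially greater" is read here as: long enough for every listed server's turn.
    if delay > 0 and timeout != 0 and timeout < delay * len(servers):
        out.append("LDAPConnectTimeout too short for LDAPConnectionSetupDelay across all LDAPHosts")
    if identity.get("PasswordResetEnabled") == "true" and not referral_credentials:
        out.append("PasswordResetEnabled needs an administrative Referral Credentials entry")
    if identity.get("ReferralsEnabled") == "true" and not referral_credentials:
        out.append("ReferralsEnabled needs the Referral Credentials table populated")
    if identity.get("GatewayAliasingEnabled", "true") == "true" and not servers:
        out.append("GatewayAliasingEnabled must be false when no LDAP repository is configured")
    return out


# Constructed worksheets: the placeholder state as shipped, then a corrected one.
WEAK_LOGIN = {"identityServicePassword": "change_me_password",
              "tcsso.login_service.sso_service_url": "change_me", "DEBUG": "debug"}
WEAK_IDENTITY = {"identityServicePassword": "change_me_password", "QueryDN": "change_me_QueryDN",
                 "LDAPHosts": "", "PasswordResetEnabled": "true"}
FIXED_LOGIN = {"identityServicePassword": "Tc10sso2012key",
               "tcsso.login_service.sso_service_url": "https://192.0.2.10:8443/tcsso"}
FIXED_IDENTITY = {"identityServicePassword": "Tc10sso2012key", "QueryDN": "cn=Directory Manager",
                  "QueryDNPassword": "Dm7p4ssw0rd", "BaseDN": "ou=people,o=tcsso.com",
                  "LDAPHosts": "ldap1:3001 ldap2", "LDAPPortNo": "389",
                  "LDAPConnectionSetupDelay": "2", "LDAPConnectTimeout": "10"}
```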

    The Identity Service context parameter worksheet lists context parameters set for the Identity Service.

    Identity Service context parameter worksheet

    Context parameter name   Description   Value

    webmaster
        Specifies the e-mail address of the administrator to whom questions and comments about the application should be directed (change_me_webmaster_name@change_me_email_domain).

    identityProvider
        Specifies the class of identity provider used by the Identity Service (com.teamcenter.ss.identity.spi.LDAPIdentityProvider).

    identityServicePassword
        Specifies a password shared between the Login Service and Identity Service to sign and encrypt security information to prevent it from being forged or viewed. It can be any value, but Siemens PLM Software recommends that it contain both letters and numbers and be at least eight characters long. The password must be the same as that specified in the Login Service configuration (change_me_password).


    passwordLifetime
        Specifies the lifetime, in seconds, of an autologon or commercial SSO attempt. This time limits a replay attack. It is configurable to accommodate latency in deployments (30).

    mediatorPassword
        Specifies a password shared between the Identity Service and a mediating application. Used to encrypt tokens passed to the mediator for later distribution to target applications participating in trust relationships (change_me_password).

    tokenLifetime
        Specifies the lifetime, in seconds, of a Teamcenter Security Services token. This short-lived, one-time-use credential is a secure substitute for the user's real credentials (600).

    sessionLifetime
        Specifies the number of minutes that a Teamcenter Security Services session can be idle before it is terminated, where idle means no logon or logoff events. Generally, this should be several hours. If a Teamcenter Security Services session expires, it does not harm Teamcenter application sessions the user has open. The user gets a new challenge if they start a new application (600).

    tcsso.LogLevel
        Specifies the Teamcenter Security Services events to be logged. Use one of the following values:

        None: No Teamcenter Security Services events are logged.

        Authentication failures: Only authentication failures or unauthorized access events are logged.

        Authentication successful: Authentication successes are logged.

        All authentication events: All positive and negative security-related events are logged.

        The Teamcenter Security Services Authentication log is written to the \Documents and Settings\user_ID_of_deployment_owner\Application Data\teamcenter\sso\sso_Authentication.log (Windows) or the HOME/.teamcenter/sso/sso_Authentication.log (Linux) file (Authentication failures).

    tcsso.AuthLogDir
        Specifies the destination directory for the authorization log file. If left blank, the log file is written to the same directory as the servlet debug file (blank).

    LDAPVersion
        Specifies the minimum LDAP version used for connections (3).

    LDAPHosts
        Specifies the host name of the LDAP server.

        This field can be populated three ways:

        As a single LDAP host name.

        As a space-delimited list of host names, where the listed hosts contain identical LDAP repositories. Connect attempts occur in the order listed.

        As an Active Directory domain name, in which case Security Services performs a run time DNS query to resolve the available Active Directory domain controllers. Priority and weight attributes for the domain controllers determine the connect order.

        When specific host names are specified, the names can optionally include a trailing colon and port number, for example, localhost1:3001 localhost2:3002. If a port is not included, LDAPPortNo is used (localhost).

        For information about using LDAP referrals to search multiple hosts, see Referral Credentials table configuration values.

    LDAPPortNo
        Specifies the port number for the LDAP server (389).

    LDAPConnectType
        Specifies what type of LDAP connection (ldap or ldaps) to use when connecting to an LDAP server.

        ldap: The LDAP connections are not over SSL.

        ldaps: The LDAP connections are over SSL.

        auto: The type of connection is determined dynamically for each LDAP server. This setting applies to the primary LDAP server and LDAP servers to which there are referrals. If the connection types are known and uniform, Siemens PLM Software recommends setting the type.

        (auto)

    MaxLDAPConnections
        Specifies the maximum number of connections that can be created for each Identity Service for each LDAP server. The value must be between 2 and 100 (20).

    SecurityAuthenticationLevel
        Specifies the LDAP authentication level (simple).

    QueryDN
        Specifies the LDAP distinguished name (DN) used to authenticate to the LDAP server for LDAP searches, for example, cn=Directory Manager (change_me_QueryDN).

    QueryDNPassword
        Specifies the password used for LDAP searches (change_me_password).

    BaseDN
        Specifies the base DN from which to search (change_me_ou=people,o=tcsso.com).


    UserObjectClass
        Specifies the user object class to use as part of the search (inetOrgPerson).

    UserAttribute
        Specifies the user attribute for which to search (uid).

    LDAPConnectionSetupDelay
        Positive values specify the interval (in seconds) to wait between initiating a parallel connection to each successive server in the list when multiple LDAP servers are specified by the LDAPHosts parameter or when multiple domain controllers are discovered using domain name server (DNS) lookup.

        The following values have special interpretations:

        -1: Connect to the servers serially and wait for each attempt to time out before moving to the next server.

        0: Initiate parallel connections to all servers at once and use the first server that responds.

        (-1)

    LDAPConnectTimeout
        Specifies the interval (in seconds) to wait before abandoning all (possibly concurrent) LDAP connection attempts.

        If LDAPConnectionSetupDelay is greater than 0, this value should be 0 (unlimited timeout) or substantially greater than the value of LDAPConnectionSetupDelay to allow multiple connection attempts (0).


    PasswordResetEnabled
        Enables display of the change password logon window. This window provides fields for users to enter their new password. This capability is available only for deployments where the user repository is Active Directory.

        If set to true, there must also be an entry in the Referral Credentials table listing the QueryDN and QueryDNPassword parameters granting administrative permissions. These credentials are used for password update operations.

        If false, and a reset or expired password is detected, the user receives an error message (false).

        For more information, see Referral Credentials table configuration values.

    PasswordResetMessage
        Displays additional information when prompted to change password. This can be a link to a change password service (blank).

    GatewayAliasingEnabled
        Specifies that UserID aliasing for Teamcenter applications is enabled and always performed unless Security Services is configured in gateway or Security Services AutoLogin mode. If this parameter is true, UserID aliasing is performed in gateway and Security Services AutoLogin modes as well. Unless a valid LDAP repository is configured in Security Services, this parameter must be set to false (true).


    ReferralsEnabled
        Specifies that LDAP referrals, where one LDAP server references another, are enabled if set to true. If you enable this feature, you have to populate the Referral Credentials table (false).

        For more information, see Referral Credentials table configuration values.

    ReferralHopLimit
        Specifies the maximum number of hops (jumps) to follow in sequence during a referral. This value is ignored if ReferralsEnabled is false (5).

    ReferralAuthentication
        Specifies what authentication to use when connecting to other LDAP servers during referrals. Use one of the following values:

        Anonymous indicates anonymous authentication should be used.

        QueryDN indicates the primary QueryDN and QueryDNPassword values should be used.

        CredentialsTable indicates authentication information should be obtained