Authentication in Teamcenter v1.0
PLM Connection 2016
Welcome.
Unrestricted © Siemens AG 2016
Realize innovation.
Authentication in Teamcenter
Gintas Jazbutis | Principal Enterprise Engineer
Teamcenter
Simplifying PLM
Page 3
May 16-19, 2016
Siemens PLM Software
Teamcenter
Platform
Advantedge Elements
Delivery Model is adaptive to your situation:
Template based – Using our Best Practice Lead Engagement Model and Templates
Requirement based – Your Requirements-driven, supported by our Best Practice Templates
Agenda
• Teamcenter Authentication
• Teamcenter Security Services
• Authentication-Only Mode
• Single Sign-On Mode
• Authenticating Reverse Proxies
• Applet-Free Single Sign-On Mode
• Other Authentication Setups
Authentication
Authentication Is the Confirmation that the User Trying to Access a System Is, in Fact, that Person
Authentication Factors:
• Something the User Knows
  • Password
• Something the User Has
  • PKI Card
• Something the User Is
  • Fingerprint
A Combination of These Is Multifactor Authentication
Authentication is Just One Piece of the Security Puzzle
• Authentication – How To Get Into The System
• Authorization – What Can a User Do, Once In
• Asset Protection – Infrastructure, Network Traffic, Data
• Audit – Record of What Users Have Done
Teamcenter Authentication
Teamcenter Provides Authentication Functionality Natively
Teamcenter Password Parameters:
• PASSWORD_minimum_characters (default=0)
• PASSWORD_mixed_case_required (default=false)
• PASSWORD_minimum_alpha (default=0)
• PASSWORD_minimum_digits (default=0)
• PASSWORD_minimum_special_chars (default=0)
• PASSWORD_special_characters (default is unset)
• Change these Defaults!
Or, Use a Non-Teamcenter System to Manage Authentication:
• Corporate LDAP
• Active Directory
• Kerberos
• Third-Party Authentication System
→ Teamcenter Security Services (TcSS) Is Needed for Any of These
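To make the "change these defaults" point concrete, the following is an added example (not from the slides and not Teamcenter code): a small model of the PASSWORD_* preferences listed above, applied to candidate passwords with the documented defaults and with a hardened set. The hardened values, and the reading of PASSWORD_special_characters as the set of characters that count as special, are assumptions made for the example.

```python
"""Model of the Teamcenter PASSWORD_* preferences listed on the slide above.

Added illustration, not Teamcenter's own code: each preference is treated as a
count or flag and a candidate password is checked against the policy, so the
effect of leaving every default at 0/false can be seen directly.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class PasswordPolicy:
    # Field names mirror the preference names; the values here are the documented defaults.
    minimum_characters: int = 0
    mixed_case_required: bool = False
    minimum_alpha: int = 0
    minimum_digits: int = 0
    minimum_special_chars: int = 0
    special_characters: str = ""   # "unset" is modelled as the empty string (assumption)


DEFAULT_POLICY = PasswordPolicy()

# Hardened values chosen for this example; they are not a Siemens recommendation.
HARDENED_POLICY = PasswordPolicy(
    minimum_characters=12,
    mixed_case_required=True,
    minimum_alpha=2,
    minimum_digits=2,
    minimum_special_chars=1,
    special_characters="!@#$%^&*()-_=+",
)


def check_password(password: str, policy: PasswordPolicy) -> List[str]:
    """Return the list of violated rules; an empty list means the password is accepted."""
    failures = []
    if len(password) < policy.minimum_characters:
        failures.append(f"shorter than {policy.minimum_characters} characters")
    if policy.mixed_case_required and not (
        any(c.islower() for c in password) and any(c.isupper() for c in password)
    ):
        failures.append("mixed case required")
    if sum(c.isalpha() for c in password) < policy.minimum_alpha:
        failures.append(f"fewer than {policy.minimum_alpha} letters")
    if sum(c.isdigit() for c in password) < policy.minimum_digits:
        failures.append(f"fewer than {policy.minimum_digits} digits")
    if policy.minimum_special_chars:
        # Assumption: only characters listed in PASSWORD_special_characters count as special.
        specials = sum(c in policy.special_characters for c in password)
        if specials < policy.minimum_special_chars:
            failures.append(f"fewer than {policy.minimum_special_chars} special characters")
    return failures


if __name__ == "__main__":
    for pw in ["", "infodba", "Tc-Secret-2016!"]:
        print(repr(pw), "defaults:", check_password(pw, DEFAULT_POLICY) or "accepted")
        print(repr(pw), "hardened:", check_password(pw, HARDENED_POLICY) or "accepted")
```

With the defaults, the empty string and the account name itself are accepted; that is what "default=0" means in practice, and why the slide says to change them before going live.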
Teamcenter Security Services
Consists of Two Web Applications (.war):
• Identity Service
• Login Service
Support Single Sign-On for Teamcenter Applications
Run in a J2EE Web App Server:
• JBoss Is Common
  • Has Version Quirks, Depending on What You’re Trying to Do (especially with Kerberos)
• Tomcat Works
  • PD Has Been OK with Customers Using It
• Light Load, Small Footprint
  • Generally Not a Performance Bottleneck
(Figure: Login Service and Identity Service deployed in a J2EE web app server)
Teamcenter Security Services: Identity Service
Identity Service:
• Authenticates Users via an Identity Provider
• Default Implementation of Identity Provider: LDAPIdentityProvider
• Generates Tokens
• Validates Tokens
(Figure: Identity Service → Identity Provider API → LDAPv3 (Oracle/Sun Directory Server, Microsoft Active Directory), Custom SSO (non-LDAP repository), Commercial SSO)
Teamcenter Security Services: Login Service
Login Service:
• Front End of TcSS
• Interacts with Teamcenter Client Applications
• Challenges the User with a Login Prompt
• Collects the Results and Sends Them On to the Identity Service
• Returns the TcSS Application Token to the Client
• Holds Session State for Single Sign-On
• Applet-Based Mode
  • Requires the Java Browser Plugin on Clients
  • This Has Security Implications
(Figure: Java applet for TcSS single sign-on, applet mode)
• Applet-Free Mode
  • Cannot Do Forms-Based Authentication; Must Be HTTP 401-Based
  • When Using TcSS with SSO for Active Workspace, Applet-Free Mode Must Be Working
TcSS Authentication Only Mode
Simplest Starting Point for Using TcSS:
• Uses Only the Identity Service
• Integrated with LDAP / AD
• Does Not Do Single Sign-On for Teamcenter Applications
  • May Get Multiple Authentication Challenges
• Transparent to End Users
• No Applet Involvement
  • Since There Is No Login Service
(Figure: users still see the same RAC login prompt)
This Is Basically a Straight Replacement of Teamcenter’s Native Authentication with a Directory Service
Only Need to Configure These Environment Variables on the Pool Server(s):
• TC_SSO_SERVICE → URL of the Identity Service
• TC_SSO_APP_ID → the App ID in the Identity Service Application Registry (e.g. Teamcenter1)
TcSS Authentication-Only Mode (flow shown in the original diagram)
1. Launch RAC (User → Rich Client, Client Tier)
2. Login Request with Credentials (Rich Client → Teamcenter Web Tier)
3. Login Request with Credentials (Teamcenter Web Tier → Teamcenter Server, Enterprise Tier)
4. Validate Session (Teamcenter Server, via the TcSS Library → Identity Service)
5. Authenticate User (Identity Service → LDAP Directory Server, Resource Tier)
Login Service: Not Needed in This Mode, Don’t Even Bother With It
TcSS Single Sign-On Mode
• Adds the Login Service
• For Multiple Teamcenter Applications Requiring Sign-On:
  • Teamcenter
  • Visualization
  • Office Integration
  • Etc.
• Presents a Single Authentication Challenge
• Java Applet in the Browser Stores the Single Sign-On Token
  • Applications Talk to This Applet
  • Need the Java Plugin in the Browser…
TcSS Single Sign-On Mode (flow shown in the original diagram; Rich Client configured with applet-based SSO)
1. Launch RAC (User → Rich Client, Client Tier)
2. Initiate SSO Session (Rich Client → TCCS → SSO Agent Applet in the Browser → Login Service, Web Tier)
3. Login Challenge (Login Service → Browser)
4. User Provides Credentials (Browser → Login Service)
5. Authenticate User (Login Service → Identity Service → LDAP Directory Server, Resource Tier)
6. SSO Session (Identity Service → Login Service)
7. SSO Session (Login Service → SSO Agent Applet)
8. Procure SSO Token (SSO Agent Applet → TCCS → Rich Client)
9. Login Request with TcSS Token (Rich Client → Teamcenter Web Tier → Teamcenter Server, Enterprise Tier)
10. Validate Session (Teamcenter Server, via the TcSS Library → Identity Service)
TcSS Single Sign-On Mode
Adding Teamcenter Client Communications System (TCCS):
• “Juiced-up” FCC
• Can Deal with Forward, Reverse Proxies
• And Authenticating Reverse Proxies
• Can Deal with Kerberos
• Also Allows Single Configuration Point for HTTPS Between Client and Server
Authenticating Reverse Proxies
A Reverse Proxy Is a Server that Connects to Multiple Servers on Behalf of a Client
• Hides the Servers Behind It
• Can Do Load Balancing
  • Load Balancers Typically Function as a Reverse Proxy
• Can Be an Authentication Point for Incoming Connections
(Figure: Client → Reverse Proxy Server → Datacenter containing the Teamcenter Web Application Server, the Teamcenter Volume Server, and Teamcenter Security Services (Login Service, Identity Service) with its Authentication System)
Authenticating Reverse Proxies
Reverse Proxy can be:
• Hardware Load Balancer
• Apache
• IIS
• Etc.
When A Reverse Proxy Does Authentication:
• When A Client Goes to Teamcenter Backend (such as TcSS), It Connects to the Reverse Proxy
• To Make That Connection, the Client Needs To Authenticate
Authentication System:
• 2-Way SSL (Between Client and Reverse Proxy)
• LDAP System Integrated with Reverse Proxy
• WebSEAL
• Siteminder
• Kerberos
• Etc.
TcSS Applet-Free Single Sign-On Mode
For When the Java Browser Plugin Is Not Feasible
You Will Need to Configure TCCS (Teamcenter Client Communications System)
You Will Need to Add an Authenticating Reverse Proxy
• Required in Front of the TcSS Login Service
• Authentication Service
  • The SSO Login Service Must Be Deployed Behind an Authenticating Server Configured with HTTP 401 (Basic, Digest or Negotiate) Authentication
  • Kerberos
  • Form-Based Authentication Is Not Supported in Applet-Free Mode
  • The Corporate Authentication System Might Not Be Changeable to Accommodate This
Needed for Active Workspace SSO
• Authentication-Only Mode (No Login Service, Transparent to the User) Should Be OK, but No SSO
  • Authentication Is in tcserver
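The constraint stated on the Login Service slide and repeated here (HTTP 401 with Basic, Digest or Negotiate; no forms login) can be checked before any TCCS configuration is attempted. The following is an added example, not from the slides and not Siemens code: it classifies the response an unauthenticated request to the Login Service URL receives from whatever fronts it. The sample responses are constructed for the example; the host names and paths in them are made up.

```python
"""Which authentication style fronts the Login Service?

Added example (not from the slides, not Siemens code). Applet-free SSO works only when
the authenticating server in front of the Login Service answers an unauthenticated
request with HTTP 401 and a Basic, Digest or Negotiate challenge; a forms login (an
HTML login page or a redirect to one) cannot be driven by TCCS. classify() decides
which case a captured response falls into. The sample responses are constructed.
"""
import re

APPLET_FREE_SCHEMES = frozenset({"basic", "digest", "negotiate"})

OK = "applet-free OK"
NO_USABLE_SCHEME = "401 without a Basic/Digest/Negotiate challenge"
FORMS_REDIRECT = "forms login via redirect (not supported in applet-free mode)"
FORMS_PAGE = "forms login page (not supported in applet-free mode)"
UNPROTECTED = "no authentication challenge"

# Quoted parameter values may contain commas, so blank them before looking for scheme names.
_QUOTED = re.compile(r'"(?:[^"\\]|\\.)*"')
# A scheme name starts the header value or follows a comma, and is not an auth-param (no '=').
_SCHEME = re.compile(r"(?:^|,)\s*([A-Za-z][A-Za-z0-9._~+/-]*)(?![^\s,=])(?!\s*=)")


def challenge_schemes(www_authenticate_values):
    """Lowercased scheme names across all WWW-Authenticate header values (RFC 7235 syntax)."""
    schemes = set()
    for value in www_authenticate_values:
        for match in _SCHEME.finditer(_QUOTED.sub('""', value)):
            schemes.add(match.group(1).lower())
    return schemes


def classify(status, headers):
    """headers: list of (name, value) pairs exactly as received; repeated names are allowed.

    Returns (verdict, detail): detail is the usable schemes, the offered schemes,
    or the redirect target, depending on the verdict.
    """
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)
    if status == 401:
        offered = challenge_schemes(by_name.get("www-authenticate", []))
        usable = offered & APPLET_FREE_SCHEMES
        if usable:
            return OK, ",".join(sorted(usable))
        return NO_USABLE_SCHEME, ",".join(sorted(offered)) or "(no WWW-Authenticate header)"
    if status in (301, 302, 303, 307, 308):
        return FORMS_REDIRECT, by_name.get("location", ["?"])[0]
    if status == 200 and any("text/html" in v for v in by_name.get("content-type", [])):
        return FORMS_PAGE, "HTML body served to an unauthenticated client"
    return UNPROTECTED, str(status)


# Constructed responses to an unauthenticated GET of the Login Service URL.
IIS_KERBEROS = (401, [("WWW-Authenticate", "Negotiate"), ("WWW-Authenticate", "NTLM"),
                      ("Content-Type", "text/html")])
APACHE_DIGEST = (401, [("WWW-Authenticate",
                        'Digest realm="tcss, login", qop="auth", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093"')])
FORMS_GATEWAY = (302, [("Location", "https://sso.example.com/login.fcc?TARGET=/tcss")])
BEARER_ONLY = (401, [("WWW-Authenticate", 'Bearer realm="tcss"')])

if __name__ == "__main__":
    for name, (status, headers) in [("IIS/Kerberos", IIS_KERBEROS), ("Apache Digest", APACHE_DIGEST),
                                    ("forms gateway", FORMS_GATEWAY), ("bearer only", BEARER_ONLY)]:
        print(f"{name:14} -> {classify(status, headers)}")
```

Run it against the real Login Service URL (status and headers from a curl -I with no credentials) before committing to applet-free mode; a 302 to a login form is exactly the case the slide warns the corporate authentication system may not be changeable for.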
TcSS Applet-Free Single Sign-On Mode (flow shown in the original diagram; Rich Client configured with applet-free SSO)
1. Launch RAC (User → Rich Client, Client Tier)
2. Initiate SSO Session (Rich Client → TCCS)
3. Login Challenge (Authentication Server/Reverse Proxy → TCCS). This is NOT a browser; it is a login challenge dialog from TCCS.
4. Submit SSO Request with Credential (TCCS → Authentication Server/Reverse Proxy, Web Tier)
5. Authenticate (Authentication Server/Reverse Proxy → LDAP Directory Server, Resource Tier). Note the different authentication step: the reverse proxy, not TcSS, authenticates the user here.
6. Get SSO Session (Authentication Server/Reverse Proxy → SSO Login Service, passing the authenticated user)
7. SSO Session (SSO Identity Service → SSO Login Service)
8. Procure SSO Token (SSO Login Service → Authentication Server/Reverse Proxy → TCCS → Rich Client)
9. SOA Login Request with SSO Token (Rich Client → Teamcenter Web Tier → Teamcenter Server, Enterprise Tier)
10. Validate Token (Teamcenter Server, via the SSO Server Library → SSO Identity Service)
TcSS Login Service Configuration with Authenticating Reverse Proxy
With an Authenticating Reverse Proxy:
• The Login Service Accepts an Already-Authenticated Connection
• Then It Proceeds to the Identity Server to Generate a Session
• Key Configuration Is in the Login Service “Context Parameters”
  • Needs tcss.behind_sso_gateway to Be true
  • Means the Login Service Is Accepting Already-Authenticated Connections
• Example (shown as an image on the original slide): PKI Card Authentication with 2-Way SSL
  • The PKI Card Certificate Is Sent to the Login Server
  • And the Value of CN (Common Name, an Attribute on the Client Certificate) Is Sent On to the Identity Server
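The hand-off described above has two halves worth seeing in code: extracting the CN from the client certificate, and what "accepting already-authenticated connections" obliges the Login Service side to verify. The following is an added example, not from the slides and not Siemens code. The header name, the trusted proxy address range and the certificate contents are assumptions for the example; the certificate dict has the shape Python's ssl.SSLSocket.getpeercert() returns.

```python
"""The hand-off behind tcss.behind_sso_gateway=true, modelled in plain Python.

Added example, not Siemens code. The authenticating reverse proxy terminates 2-way TLS,
reads the CN from the PKI card certificate and passes it downstream; the Login Service,
configured behind the gateway, accepts that identity as already authenticated. The header
name, the trusted proxy range and the certificate contents are assumptions; the cert dict
has the shape ssl.SSLSocket.getpeercert() returns.
"""
import ipaddress
from typing import Optional

USER_HEADER = "X-Remote-User"                  # assumed: header the proxy uses for the principal
TRUSTED_PROXIES = ("10.0.0.0/24",)             # assumed: where the reverse proxy tier lives

# Constructed example of a PKI card certificate as reported by getpeercert().
PKI_CARD_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Corp"),),
                (("organizationalUnitName", "Engineering"),),
                (("commonName", "jdoe"),)),
    "issuer": ((("commonName", "Example Corp Smart Card CA"),),),
    "serialNumber": "0A1B2C",
}


def cn_from_peercert(peercert: dict) -> Optional[str]:
    """Return the subject CN. getpeercert() gives the subject as a tuple of RDNs,
    each a tuple of (attribute, value) pairs."""
    for rdn in peercert.get("subject", ()):
        for attribute, value in rdn:
            if attribute == "commonName":
                return value
    return None


def proxy_forward(peercert: Optional[dict], client_headers: dict) -> dict:
    """Reverse proxy side: replace, never merge, any identity header the client itself sent.

    An identity header that survived from the client would let a caller choose its own
    Teamcenter user, so it is stripped before the CN from the verified certificate is set.
    """
    headers = {k: v for k, v in client_headers.items() if k.lower() != USER_HEADER.lower()}
    cn = cn_from_peercert(peercert) if peercert else None
    if cn:
        headers[USER_HEADER] = cn
    return headers


class GatewayBypass(Exception):
    """Request reached the gateway-trusting service without passing the gateway."""


def login_service_user_naive(headers: dict) -> Optional[str]:
    """'Accept already-authenticated connections' taken literally: whoever can reach the
    Login Service port directly picks the user."""
    return headers.get(USER_HEADER)


def login_service_user(peer_ip: str, headers: dict, trusted=TRUSTED_PROXIES) -> str:
    """Login Service side: trust the forwarded identity only from the authenticating proxy.

    behind_sso_gateway=true is safe only when direct access to the Login Service is
    impossible (network ACL, mutual TLS between proxy and service, or at least this peer
    check); otherwise the header is a self-service identity.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(net) for net in trusted):
        raise GatewayBypass(f"{peer_ip} is not an authenticating proxy")
    user = headers.get(USER_HEADER)
    if not user:
        raise PermissionError("proxy forwarded no authenticated identity")
    return user


if __name__ == "__main__":
    # A client presents a valid PKI card but also tries to smuggle a privileged user name.
    smuggled = {"Host": "tcss.example.com", USER_HEADER: "infodba"}
    forwarded = proxy_forward(PKI_CARD_CERT, smuggled)
    print("naive, direct hit:", login_service_user_naive(smuggled))
    print("via proxy:", login_service_user("10.0.0.5", forwarded))
    try:
        login_service_user("192.168.7.20", smuggled)
    except GatewayBypass as exc:
        print("direct hit rejected:", exc)
```

The check that matters operationally is the one in login_service_user: with behind_sso_gateway set, the Login Service port must only be reachable from the proxy, or the "already authenticated" user id is whatever the caller typed.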
TcSS with Commercial SSO (flow shown in the original diagram; Rich Client configured with applet-free SSO; applet-based SSO can be used here as well)
1. Launch RAC (User → Rich Client, Client Tier)
2. Initiate SSO Session (Rich Client → TCCS)
3. Login Challenge (Commercial SSO → TCCS)
4. Submit SSO Request with Credential (TCCS → Commercial SSO, Web Tier)
5. Authenticate (Commercial SSO → LDAP Directory Server, Resource Tier). Note the different authentication step: the commercial SSO product, not TcSS, authenticates the user.
6. Get SSO Session (Commercial SSO → SSO Login Service, passing the authenticated user)
7. SSO Session (SSO Identity Service → SSO Login Service)
8. Procure SSO Token (SSO Login Service → Commercial SSO → TCCS → Rich Client)
9. SOA Login Request with SSO Token (Rich Client → Teamcenter Web Tier → Teamcenter Server, Enterprise Tier)
10. Validate Token (Teamcenter Server, via the SSO Server Library → SSO Identity Service)
TcSS with Kerberos (flow shown in the original diagram; Rich Client configured with applet-free SSO)
1. Launch RAC (User → Rich Client, Client Tier)
2. Initiate SSO Session (Rich Client → TCCS)
3. HTTP 401 Negotiate Challenge (Authenticating Server/Reverse Proxy → TCCS)
4. Obtain Kerberos Service Ticket by Supplying the Ticket Granting Ticket (TGT) from the Ticket Cache (TCCS → Active Directory / KDC, Resource Tier)
5. Get SSO Session Request with the Kerberos Service Ticket in an HTTP Header (TCCS → Authenticating Server/Reverse Proxy, Web Tier)
6. Get SSO Session (Authenticating Server/Reverse Proxy → SSO Login Service)
7. SSO Session (SSO Identity Service → SSO Login Service)
8. Procure SSO Token (SSO Login Service → Authenticating Server/Reverse Proxy → TCCS → Rich Client)
9. SOA Login Request with SSO Token (Rich Client → Teamcenter Web Tier → Teamcenter Server, Enterprise Tier)
10. Validate Token (Teamcenter Server, via the SSO Server Library → SSO Identity Service)
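Step 5 assumes the token TCCS presents is a Kerberos service ticket. It need not be: the Windows Negotiate package falls back to NTLM when no ticket can be obtained (wrong or missing SPN on the proxy's service account, client outside the domain, KDC unreachable), and the authenticating server sees "Authorization: Negotiate <token>" either way. The following is an added example, not from the slides and not Siemens code: it reads the first bytes of a captured Negotiate token and reports which mechanism was actually used. The sample tokens are constructed with valid framing and dummy bodies.

```python
"""What is actually inside the Negotiate token in step 5?

Added example, not Siemens code. The token's leading bytes tell the cases apart: NTLM
messages begin with the "NTLMSSP\\0" signature; a SPNEGO token is a GSS-API
InitialContextToken (tag 0x60) carrying OID 1.3.6.1.5.5.2 with the preferred mechanism
listed first in mechTypes; a raw Kerberos 5 token carries OID 1.2.840.113554.1.2.2.
The sample tokens are constructed with valid framing and dummy bodies.
"""
import base64
import binascii

# DER-encoded OID TLVs (tag 0x06, length, contents).
SPNEGO_OID = bytes.fromhex("06062b0601050502")            # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")        # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("06092a864882f712010202")     # 1.2.840.48018.1.2.2 (Microsoft Kerberos)
NTLMSSP_OID = bytes.fromhex("060a2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
NTLM_SIGNATURE = b"NTLMSSP\x00"
MECH_NAMES = {KRB5_OID: "Kerberos 5", MS_KRB5_OID: "Kerberos 5 (Microsoft OID)", NTLMSSP_OID: "NTLM"}


def _der_payload(token: bytes) -> bytes:
    """Contents of an [APPLICATION 0] (0x60) TLV, short or long DER length; b"" if not one."""
    if len(token) < 2 or token[0] != 0x60:
        return b""
    length_byte = token[1]
    if length_byte < 0x80:
        return token[2:]
    return token[2 + (length_byte & 0x7F):]


def classify_negotiate_token(header_value: str) -> str:
    """Classify an Authorization header value of the form 'Negotiate <base64 token>'."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "not a Negotiate token"
    try:
        token = base64.b64decode(b64, validate=True)
    except binascii.Error:
        return "malformed base64"
    if token.startswith(NTLM_SIGNATURE):
        return "raw NTLM message (Kerberos was not used)"
    payload = _der_payload(token)
    if payload.startswith(KRB5_OID):
        return "raw Kerberos 5 token"
    if not payload.startswith(SPNEGO_OID):
        return "unrecognised token"
    # NegTokenInit puts mechTypes first, so the earliest OID after the SPNEGO OID is the
    # mechanism the client built its optimistic token for.
    rest = payload[len(SPNEGO_OID):]
    hits = [(rest.find(oid), name) for oid, name in MECH_NAMES.items() if oid in rest]
    if not hits:
        return "SPNEGO with unknown preferred mechanism"
    return f"SPNEGO preferring {min(hits)[1]}"


# Helpers that build the constructed samples (short-form DER lengths are enough here).
def _der(tag: int, content: bytes) -> bytes:
    if len(content) >= 128:
        raise ValueError("sample encoder handles short-form lengths only")
    return bytes([tag, len(content)]) + content


def build_spnego(mech_oids, mech_token: bytes) -> str:
    """NegTokenInit with the given mechTypes and an opaque mechToken, as a header value."""
    mech_types = _der(0x30, b"".join(mech_oids))
    init = _der(0x30, _der(0xA0, mech_types) + _der(0xA2, _der(0x04, mech_token)))
    return "Negotiate " + base64.b64encode(_der(0x60, SPNEGO_OID + _der(0xA0, init))).decode()


SAMPLE_KERBEROS = build_spnego([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], b"\x00" * 16)
SAMPLE_NTLM_FALLBACK = build_spnego([NTLMSSP_OID], NTLM_SIGNATURE + b"\x01\x00\x00\x00")
SAMPLE_RAW_NTLM = "Negotiate " + base64.b64encode(
    NTLM_SIGNATURE + b"\x01\x00\x00\x00" + b"\x07\x82\x08\xa2" + b"\x00" * 16).decode()
SAMPLE_RAW_KRB5 = "Negotiate " + base64.b64encode(_der(0x60, KRB5_OID + b"\x01\x00" + b"\x00" * 8)).decode()

if __name__ == "__main__":
    for label, value in [("Kerberos", SAMPLE_KERBEROS), ("NTLM in SPNEGO", SAMPLE_NTLM_FALLBACK),
                         ("raw NTLM", SAMPLE_RAW_NTLM), ("raw Kerberos", SAMPLE_RAW_KRB5)]:
        print(f"{label:15} -> {classify_negotiate_token(value)}")
```

If a capture from a "working" Kerberos setup classifies as NTLM, the SPN registration for the reverse proxy's service account is the first thing to check; the login succeeds either way, which is why the fallback goes unnoticed.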
TcSS with Kerberos: IIS as Authenticating Reverse Proxy
SAML
Security Assertion Markup Language
• XML-Based Protocol Using Security Tokens
• Passes Information about a User Between an Identity Provider (IDP) and a Service Provider
• Can Use SAML Starting with Teamcenter 10.1.5, 11.2
• IDPs:
  • Shibboleth
  • WebSEAL
  • Siteminder
• Service Providers:
  • Shibboleth
  • WebLogic
  • WebSphere
• Using a SAML IDP Will Generate a SAML Token for the Initial Authentication
  • Teamcenter Will Internally Still Use the Teamcenter Token
TcSS with SAML (2.0) (flow shown in the original diagram; Rich Client configured in applet mode; Applet Mode is REQUIRED)
1. Launch RAC (User → Rich Client)
2. Initiate SSO Session (Rich Client → TCCS → Reverse Proxy/SAML Provider)
3. SAML Authentication Challenge (Reverse Proxy/SAML Provider → Browser → External SAML Identity Provider; SAML IDP form authentication)
4. POST SAML Assertion Containing Credential (Browser → Reverse Proxy/SAML Provider)
5. Map to TC User (lookup in the LDAP Directory Server)
6. Get SSO Session (Reverse Proxy/SAML Provider → SSO Login Service)
7. SSO Session (SSO Identity Service → SSO Login Service)
8. Procure SSO Token (SSO Login Service → Reverse Proxy/SAML Provider → TCCS → Rich Client)
9. SOA Login Request with SSO Token (Rich Client → Teamcenter Web Tier → Teamcenter Server)
10. Validate Token (Teamcenter Server, via the SSO Server Library → SSO Identity Service)
TcSS with RSA (components shown in the original diagram)
• Client: User, Browser, Rich Client enabled with SSO. The client is configured to use SSO authentication.
• Authentication Request: Rich Client → IIS Reverse Proxy with RSA Web Agent.
• RSA Web Agent: authenticates the user; populates a header field with the authenticated user name and a cookie on the response.
• SSO Login Service and SSO Identity Service sit behind the IIS Reverse Proxy / RSA Web Agent.
• The Tc Web Tier for the Rich Client is not protected to require authentication.
• Teamcenter Server validates the SSO token with the Identity Service.
TcSS When the Web Tier Is Also Protected by the Reverse Proxy (annotations from the original diagram)
• Browser and Rich Client enabled with applet-based SSO, with TCCS in between.
• The Reverse Proxy/Authentication Server protects both the Login Service and the Teamcenter Web Tier.
• The Browser detects and handles the authentication challenge when communicating with the Login Service protected by the reverse proxy.
• TCCS detects the authentication challenge from the Authentication Server and fetches the session cookie from the SSO applet when challenged.
• The Login Service is configured behind the third-party Authentication Server and assumes the user id received is already authenticated.
• The Identity Service generates the SSO Token for the authenticated user id received from the Authentication Server.
• Teamcenter Server validates the SSO token with the Identity Service.
Things to Watch For
• For Debugging, Take It One Step at a Time
  • There Are Configuration Bits in RAC, Web Tier, Pool Server, and TcSS
  • And the Reverse Proxy
• Need to Maintain Internal Teamcenter Users
  • For Access Manager, for Example
  • Synchronization Required
  • ldap_sync Will Pull ALL the Users from LDAP
  • Better to Use make_user in Some Way
• Need “System” Users
  • infodba, dcproxy
  • Can You Have These in the Directory Service?
• Because of Server-Level Command-Line Access:
  • Still Need to Maintain Internal Teamcenter Passwords
Security Solutions Alignment Workshop
• Two-to-Three Day Onsite Workshop
• Provide an Overview of Teamcenter Security Solution Options in the Areas of:
  • Authentication
  • Audit
  • Asset Protection
  • Authorization (generic guidelines)
• Align customer’s security requirements with solution options
• Define implementation proposal for solution options
Authentication in Teamcenter
Summary
Better Security with Teamcenter Authentication
Improved Security – Meeting Corporate Password Requirements
Simplified Admin – Using Corporate Directory Service
Flexible – Variety of Options to Pick Best Solution
Teamcenter on Siemens PLM Community
Join the conversation on Siemens PLM Community
www.siemens.com/plm/community/teamcenter
• Teamcenter Blog
• Teamcenter Knowledge Base
• Teamcenter Users Forum
• Teamcenter Administrators Forum
Read insightful posts from Siemens PLM Software key experts
and thought leaders, ask questions, share best practices and
connect with Teamcenter users from around the globe!
Your Feedback is Important!
Use the PLM World mobile app to fill out the Session Survey
• Locate the session in the app
• Select “Take Survey”
Related Presentations
Deployment Excellence -- Administration
Day | Time | Room | Session | Title | Presenter
Monday | 02:00 PM - 03:00 PM | R 17 | 157 | BMIDE - Understanding Conditions, Deep Copy, and GRM Rules Demo | Dima Martynyuk
Monday | 03:15 PM - 04:15 PM | R 17 | 124 | What's new in Teamcenter Security | Sandip Dalvi
Tuesday | 09:45 AM - 10:45 AM | R 16 | 36 | Active Workspace Stylesheets - Tips & Tricks | Divya Sree Dinnepati
Tuesday | 01:15 PM - 02:15 PM | R 15 | 30 | Active Workspace Troubleshooting 101 | Gueorgui Tchamkoriyski
Tuesday | 03:45 PM - 04:45 PM | R 18 | 77 | Authentication in Teamcenter | Gintas Jazbutis
Wednesday | 11:00 AM - 12:00 PM | R 18 | 81 | Teamcenter File Volumes Management | David Howe
Wednesday | 01:15 PM - 02:15 PM | R 18 | 263 | Teamcenter Security Roundtable | Sandip Dalvi
Wednesday | 02:30 PM - 03:30 PM | R 14 | 183 | Configuring NX on Windows | Scott Felber
Thursday | 11:00 AM - 12:00 PM | R 14 | 162 | Teamcenter FMS System Installation & Configuration | Jeffery Groneck
Thursday | 02:30 PM - 03:30 PM | R 15 | 162 | Teamcenter FMS Advanced Concepts and Utilities | Patrick Mills
Related Materials
Teamcenter Documentation
• https://docs.plm.automation.siemens.com/tdoc/tc/11.2.1/PDF/#uid:index
• Security Services Installation / Customization
• Utilities Reference
Presenter Contact
Gintas Jazbutis
Principal Enterprise Engineer
gintas.jazbutis@siemens.com
siemens.com
Advantedge Success Program
System Architecture - Advanced Technical Services (ATS) Offerings
Advantedge packaged services with speed, quality, consistency and best practices for PLM
deployment in architecture, infrastructure, performance and security domains.
Web: www.siemens.com/plm/ats Email: ats.plm@siemens.com
Siemens PLM Services Booth
Walk, drive, sail, bring colleagues: for more information on my presentation content, or additional information on your interests, just stop by the Siemens PLM Services booth and talk with Siemens PLM representatives.
Thank You
See you next year!