PTC tries to keep up with Oracle’s Java security patches but Oracle doesn’t make it easy.  Oracle recently decided it was time to make changes to the Java keystore mechanism.  Windchill uses the Java keystore to maintain and query encrypted passwords.

The initial Oracle changes in Java 1.8.0_u151 through 1.8.0_u162 introduced a significant Windchill performance issue, affecting all Windchill releases and Critical Patch Sets that ship with these builds.  Windchill 11.0 M030 CPS11+ and 11.1 M010+ servers can run two to three times slower than previous installations.  We expect this issue to affect future patch sets of 11.0 M020 and 11.1 M020 too.

The solution for these builds is to:

  1. Download Java Development Kit 1.8.0_u144 or older

  2. Extract it and build a packaged installation of Java for Windchill

  3. Use it to rebuild the Java keystore.

  4. Then switch back to the shipped Java version (e.g. 1.8.0_u162).

Please be careful when following this article.  Though it appears to be straightforward, it is a procedural overview and not a step-by-step instruction set.  I failed twice before finally succeeding.  Do this in a test/development environment first and make a backup of the keystore files (refer to the article) before making any changes.

An Oracle account is needed to download archived versions of Java.  We want Java SE JDK 1.8.0_u144.  Once downloaded, extract it to disk and configure it to function as a bundled Java.  Please reach out if you need help bundling the JDK.  Once bundled, swap the current Windchill Java build for the Java 144 build.  Now we can launch a Windchill shell and run the rebuild keystore command.

We need to know which passwords have been encrypted, and we need to know their values, before running the rebuild keystore command.  The command prompts for roughly 15 passwords, which may or may not have set or known values.  Most of the prompted properties are listed in:

  • %wt_home%\bin\adminTools\sip\validProperties.list

  • %wt_home%\bin\adminTools\sip\validIEProperties.list

Depending on your Windchill configuration, several of these properties won’t be set or used.  There are additional encrypted properties that are not identified in these files.  For simple installations, these additional encrypted properties are typically found in these locations:

  • %wt_home%\codebase\

  • %wt_home%\codebase\WEB-INF\

  • %wt_home%\codebase\WEB-INF\ieStructProperties.txt

  • %wt_home%\codebase\WEB-INF\mapCredentials.txt

Search all *.properties and *.txt files under those locations for 'encrypted.' to find any additional encrypted properties.  This procedure builds the list of encrypted properties that should have defined values in the keystore, but it doesn’t reveal their current values.

The keystore implementation is designed as a black box with no out-of-the-box function for retrieving passwords.  The security concept is that if a password is not known, it must be changed.  This can get very tedious since each application (DB, LDAP, SOLR, etc.) has a different procedure for setting passwords.

A simpler solution is to track down the current passwords before rebuilding the keystore.  If FELCO Solutions performed your Windchill implementation, most likely you have a credentials document containing the passwords we set for you during installation.  If you can’t locate it, please reach out to us.

Not all passwords are known.  For example, the secret and secret2 passwords used by Info*Engine are set to random values during installation.  We never know their values.  Our Windchill Management Tools can be used to extract the existing passwords from the keystore before rebuilding it.  We have found this approach to be the most expedient.

The situation is not improving.  By Java 1.8.0_u171 the Java keystore mechanism doesn’t work at all, requiring a rollback to 1.8.0_u162 and applying the performance fix described above (or using unencrypted passwords, which is not recommended).  Note that this secondary degradation is resolved by Windchill 11.1 M020.

We have applied these resolutions to several Windchill systems now.  We can help if you need assistance recovering passwords.