
DELMIA Apriso 2022 Implementation Guide

Security

©2021 Dassault Systèmes. Apriso, 3DEXPERIENCE, the Compass logo and the 3DS logo, CATIA, SOLIDWORKS, ENOVIA, DELMIA, SIMULIA, GEOVIA, EXALEAD, 3D VIA, BIOVIA, NETVIBES, and 3DXCITE
are commercial trademarks or registered trademarks of Dassault Systèmes or its subsidiaries in the U.S. and/or other countries. All other trademarks are owned by their respective owners.
Use of any Dassault Systèmes or its subsidiaries trademarks is subject to their express written approval.
Security | DELMIA Apriso 2022 Implementation Guide 2

Contents
1 Overview 6
1.1 DELMIA Apriso Architecture 6
1.2 Common Security Threats 7
2 Web Server and Application Server 8
2.1 Securing Web Server 8
2.1.1 Securing IIS Server 8
2.1.2 Enabling HTTPS 8
2.1.3 Securing HTTP Cookies 20
2.1.4 Configuring SameSite Cookie 20
2.1.5 Configuring Cross-Origin Resource Sharing 21
2.1.6 Configuring Content Security Policy HTTP Response Headers 21
2.1.7 Configuring ReturnURL Parameter Allowlist 22
2.1.8 Displaying Exception Messages 22
2.2 Protecting Web Services and DELMIA Apriso Services 23
2.2.1 Security Overview of DELMIA Apriso Services 23
2.2.2 Securing DELMIA Apriso Services 24
2.3 Protecting Business Web Services 33
2.4 Disabling WSDL and MEX in DELMIA Apriso Services and Business Web Services 34
2.5 Protecting Configuration Files 36
2.5.1 Configuring the ConfigurationService.svc WCF Service 36
2.6 Setting Up Database Security 39
2.6.1 Database Users 39
2.6.2 Database Behind Firewall 40
2.7 Disabling IIS Request Validation 40
3 Password and Login Policy 41
3.1 Overview 41
3.2 Configuration 41
3.3 Configuring Password Encryption Strength 41
3.3.1 Overview 41
3.3.2 Configuration 42
3.4 Configuring Session Timeout 42
3.4.1 Overview 42
3.4.2 Configuration 42
4 User Authentication 44
4.1 Overview 44
4.2 User Authentication Modes 44
4.2.1 Rules of Authentication 46
4.2.2 Standard Authentication 47
4.2.3 LDAP Integrated Authentication 48
4.2.4 Windows Integrated Authentication 52

4.2.5 Swipe Authentication 59


4.2.6 3DPassport Authentication 59
4.2.7 Custom Authentication 64
4.3 Full Active Directory Integration 65
4.3.1 Overview 65
4.3.2 Configuration 68
4.3.3 Using Active Directory Integration 69
4.3.4 Best Practices 72
5 User Authorization 74
5.1 Role-Based Security 74
5.2 Access Control 74
5.2.1 Overview 74
5.2.2 Configuration Files 76
5.2.3 Using x509 Certificates to Validate Client Applications and Services 78
5.2.4 Enabling Access Control List 89
6 Security Logging and Alerts 90
6.1 Overview 90
6.2 Security Logging Configuration 92
6.3 Securing Confidential Information in Log Files 93
6.4 ACL Generator Logging 94
6.5 ACL Logging 94
7 Guidelines 96
7.1 DELMIA Apriso Process Builder Security 96
7.1.1 Validate User Input 96
7.1.2 Using SQL Function and User Formula Function in Standard Operations 96
7.1.3 Using HTML Output in Standard Operations 96
7.1.4 Using Map Business Control in Standard Operations 96
8 Best Practices 97
9 Appendices 98
9.1 Appendix A: DELMIA Apriso Services - Example Secure Configurations 98
9.1.1 Maintenance service using HTTPS security settings 98
9.1.2 Global Process Manager service using HTTPS security settings 99
9.1.3 Maintenance service using HTTPS security settings protected with certificates 100
9.2 Appendix B: Access Control List Generator Tool 100
9.2.1 Overview 100
9.2.2 Data Model 101
9.2.3 Access Control List Generation Mechanism 101
9.2.4 Manual Configuration of Capabilities 103
10 Known Issues 106
10.0.1 Error while Logging out 106
11 Documentation Availability 107

Figures
Figure 1 DELMIA Apriso architecture 6
Figure 2 Web Site Bindings screen 9
Figure 3 Add Site Bindings window 9
Figure 4 Configuring Site Bindings 9
Figure 5 Web Site SSL Settings 10
Figure 6 SSL Settings 10
Figure 7 Adding Registry Keys for Individual Security Protocols 11
Figure 8 Adding Client and Server Registry Keys for Security Protocols 12
Figure 9 Registry Keys for a Disabled Security Protocol 12
Figure 10 Adding Registry Key for TLS 1.2 Security Protocol 13
Figure 11 Adding Client and Server Registry Keys for TLS 1.2 Protocol 13
Figure 12 Registry Keys Enabling the TLS 1.2 Security Protocol 13
Figure 13 SSL Configuration Settings in Local Group Policy Editor 15
Figure 14 Enabling Custom SSL Cipher Suites 16
Figure 15 Default IIS settings 48
Figure 16 Configuring the LDAP account in Employee properties 51
Figure 17 Portal folder configuration 53
Figure 18 Kiosk folder configuration 53
Figure 19 Assignment of Roles to the user based on AD Group membership 68
Figure 20 Adding new groups and users 69
Figure 21 Adding a new group 70
Figure 22 Adding a new user 70
Figure 23 Assigning users to groups 71
Figure 24 Choosing a Role 71
Figure 25 Assigning an Active Directory Group to a DELMIA Apriso Role 72
Figure 26 Full Active Directory integration diagram 72
Figure 27 Access Control logic 75
Figure 28 DELMIA Apriso Server - Trusted Root Certification Authorities catalog 83
Figure 29 DELMIA Apriso Server - Intermediate Certification Authorities catalog 83
Figure 30 DELMIA Apriso Server - Personal catalog 84
Figure 31 DELMIA Apriso Client - Personal catalog 85
Figure 32 DELMIA Apriso Machine Integrator Connector - Personal catalog 86
Figure 33 Security Log screens 92
Figure 34 Access Control List data model 101
Figure 35 ACL Generator – building a list of Capabilities 102
Figure 36 ACL Generator – analyzing FlexParts 102
Figure 37 ACL Generator – analyzing FlexParts (continued) 103
Figure 38 ACL Generator – matching Capabilities with FlexParts 103
Figure 39 Adding Capabilities to a Role 104
Figure 40 Capabilities assigned to the Role 105

1 Overview
This document gives an overview of DELMIA Apriso Security, providing the background
information needed in order to effectively secure all instances of DELMIA Apriso. The contents
include a graphical representation of the DELMIA Apriso architecture, an explanation of the
most common security threats, details on DELMIA Apriso configuration for ensuring protection
against such threats, and additional guidelines and recommendations.

1.1 DELMIA Apriso Architecture

Figure 1 DELMIA Apriso architecture



1.2 Common Security Threats


For a detailed discussion of security threats and a glossary of terms, refer to the OWASP article on Attacks and to the OWASP glossary.

2 Web Server and Application Server


2.1 Securing Web Server
2.1.1 Securing IIS Server
For more information, refer to the “Security Guidance for IIS” documents at Microsoft Docs.

2.1.2 Enabling HTTPS


Summary
Secured connections (TLS, historically referred to as SSL) transfer information in encrypted form, so
that unauthorized parties cannot read it even when it crosses a public network.

Configure a Web Application and Establish SSL Connections

Prerequisites

Web application installed


Follow DELMIA Apriso Installation Guide to install the application on the Web server
using the default configuration settings and regular HTTP protocol.
Server certificate installed on the Web server
Web server requires a valid server certificate to establish SSL communications. For more
information, refer to articles on obtaining and installing server certificates for IIS.

If any previous installations of DELMIA Apriso client applications (e.g., the
DELMIA Apriso Desktop Client or Process Builder) exist on client computers, they
need to be removed and reinstalled once SSL is enabled.

Configure IIS
1. In IIS Manager, expand the local computer.
2. Click the website that you want to protect with SSL (or the website that contains the
application or file that you want to protect), and click Bindings in the Actions menu.

Figure 2 Web Site Bindings screen

3. On the Site Bindings window, click Add.

Figure 3 Add Site Bindings window

4. On the Add Site Bindings window, select https as the Type and select your certificate
from the SSL certificate list.

Figure 4 Configuring Site Bindings



If port 443 is not filled in automatically after choosing https, the prerequisites (in
particular the server certificate) were not installed correctly.

5. Go to SSL Settings for your website, and select the Require SSL check box.

Figure 5 Web Site SSL Settings

Figure 6 SSL Settings

Using Secure Protocols

Using FIPS mode is not recommended as it is not compatible with DELMIA Apriso
encryption functions.

The recommended security protocol is TLS 1.2. It uses modern cryptographic
algorithms and offers authenticated encryption (AEAD).

When configuring the server:



1. Disable the support for SSL 2.0 and SSL 3.0 protocols. Those protocols are vulnerable to
attacks.
2. Disable the support for legacy protocols TLS 1.0, and TLS 1.1, to ensure that the most
secure protocol is used.
For more information, refer to:
Microsoft Docs article about Security Advisory.
Microsoft Docs article describing how to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in
Internet Information Services.

Disable SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1

SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 must be disabled on the DELMIA Apriso Server
machine.
To disable these protocols:
1. Open Registry Editor and locate the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
2. Add keys with names of the protocols that must be disabled using New > Key option from
the Edit menu.

Some of these keys may have been created already.

Figure 7 Adding Registry Keys for Individual Security Protocols

3. For each of the protocols add “Client” and “Server” keys using New > Key option from the
Edit menu.

Figure 8 Adding Client and Server Registry Keys for Security Protocols

4. For each of the “Client” and “Server” keys, add the DWORD values using New > DWORD
(32bit) Value option from the Edit menu:
Enabled - (Value data set to 0x00000000 (0))
DisabledByDefault - (Value data set to 0x00000001 (1))

Figure 9 Registry Keys for a Disabled Security Protocol

To apply the changes in registry, the server must be restarted. Restart it once all
configuration steps are completed.

Enable TLS 1.2

TLS 1.2 must be enabled on both DELMIA Apriso Server machine and on every client
machine running Windows operating system.
To enable the TLS 1.2 protocol:
1. Open Registry Editor and locate the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
2. Add “TLS 1.2” key using New > Key option from the Edit menu.

The key may have been created already.



Figure 10 Adding Registry Key for TLS 1.2 Security Protocol

3. Add “Client” and “Server” keys inside the “TLS 1.2” key using New > Key option from the Edit
menu.

Figure 11 Adding Client and Server Registry Keys for TLS 1.2 Protocol

4. For both “Client” and “Server” keys, add the DWORD values using New > DWORD (32bit)
Value option from the Edit menu:
Enabled - (Value data set to 0x00000001 (1))
DisabledByDefault - (Value data set to 0x00000000 (0))

Figure 12 Registry Keys Enabling the TLS 1.2 Security Protocol



When using TLS 1.2, make the following changes in the system registry on DELMIA Apriso
Server machine and on every client machine running Windows operating system:
1. Open Registry Editor and locate the registry keys/folders:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319

Depending on the version of Windows operating system used, not all of the keys
may be present.

2. For both keys, add the DWORD value using New > DWORD (32bit) Value option from the
Edit menu:
SchUseStrongCrypto - (Value data set to 0x00000001 (1))

The server must be restarted to apply the changes. Restart it once all configuration
steps are completed.
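The three registry procedures above (disabling SSL 2.0/3.0 and TLS 1.0/1.1, enabling TLS 1.2, and setting SchUseStrongCrypto) are tedious and error-prone to repeat by hand in Registry Editor on a server and every Windows client. The following PowerShell script is an added example, not part of the DELMIA Apriso guide or product: it writes exactly the values described above and then reports the effective state of each protocol for the Client and Server side. Run it from an elevated PowerShell session and restart the machine afterwards, as the guide requires.

```powershell
# Added example (not from the DELMIA Apriso guide): applies the Schannel and .NET
# registry settings described above and reports the resulting state.
# Run elevated on the Apriso server and on each Windows client; reboot afterwards.

$protocolsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Desired state per protocol: $true = enabled, $false = disabled.
$protocolPolicy = [ordered]@{
    'SSL 2.0' = $false
    'SSL 3.0' = $false
    'TLS 1.0' = $false
    'TLS 1.1' = $false
    'TLS 1.2' = $true
}

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][bool]$Enabled
    )
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $protocolsRoot "$Name\$side"
        # New-Item -Force creates missing parent keys and leaves existing ones intact.
        New-Item -Path $key -Force | Out-Null
        # Disabled: Enabled=0, DisabledByDefault=1.  Enabled: Enabled=1, DisabledByDefault=0.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

function Set-DotNetStrongCrypto {
    # SchUseStrongCrypto=1 makes .NET Framework 4.x clients (Apriso client tools,
    # ClickOnce applications) prefer TLS 1.2 instead of SSL 3.0 / TLS 1.0.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
    )
    foreach ($key in $keys) {
        # The Wow6432Node key exists only on 64-bit Windows; skip what is not present.
        if (Test-Path $key) {
            New-ItemProperty -Path $key -Name 'SchUseStrongCrypto' -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
}

function Get-SchannelProtocolState {
    # One row per protocol and side with the stored values ($null = value absent,
    # OS default applies) and whether they match $protocolPolicy.
    foreach ($name in $protocolPolicy.Keys) {
        foreach ($side in 'Client', 'Server') {
            $key   = Join-Path $protocolsRoot "$name\$side"
            $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
            [pscustomobject]@{
                Protocol          = $name
                Side              = $side
                Enabled           = $props.Enabled
                DisabledByDefault = $props.DisabledByDefault
                Compliant         = ($props.Enabled -eq [int]$protocolPolicy[$name]) -and
                                    ($props.DisabledByDefault -eq [int](-not $protocolPolicy[$name]))
            }
        }
    }
}

foreach ($entry in $protocolPolicy.GetEnumerator()) {
    Set-SchannelProtocol -Name $entry.Key -Enabled $entry.Value
}
Set-DotNetStrongCrypto
Get-SchannelProtocolState | Format-Table -AutoSize
```

Run Get-SchannelProtocolState again after the reboot to confirm the values survived; any row with Compliant = False means a Group Policy or another hardening tool has overwritten the key and must be reconciled before the change can be trusted.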

Using Strong Ciphers

Prefer cipher suites that combine an ephemeral (EC)DHE key exchange, which provides forward
secrecy, with an AEAD cipher of at least 128 bits (such as AES-GCM), authenticated by the
server's RSA or ECDSA certificate.

The AES cipher is recommended.

Configure SSL Cipher Suites Order

To configure a secure cipher suite order on the server:


1. Open Local Group Policy Editor.
2. Navigate to Computer Configuration > Administrative Templates > Network > SSL
Configuration Settings.

Figure 13 SSL Configuration Settings in Local Group Policy Editor

3. Edit the SSL Cipher Suite Order policy setting:
a. Select Enabled.
b. In the SSL Cipher Suites text box, enter the cipher suites that you want to enable,
on a single line and separated by commas.
c. Click Apply.

Figure 14 Enabling Custom SSL Cipher Suites

An example list of cipher suites:



TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_GCM_SHA384,
TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA

For more information on cipher suites, refer to the Microsoft Docs article describing Cipher Suites
in TLS/SSL (Schannel SSP).

Note that the tail of the example list does not meet the recommendation given above: the
TLS_RSA_* suites use static RSA key exchange and therefore offer no forward secrecy, the *_CBC_SHA*
suites are not AEAD, and the two 3DES suites use a 64-bit block cipher. Keep such entries only while a
client that cannot negotiate anything stronger still has to connect, and leave them at the end of the
list so that they are selected last.
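The example list above is long enough that it is easy to miss which entries fall short of the "Using Strong Ciphers" recommendation. The following PowerShell is an added example, not part of the DELMIA Apriso guide or product: it scores each suite in the guide's list against that recommendation (ephemeral key exchange for forward secrecy, AEAD cipher, no 3DES or DSS) and produces the single-line, comma-separated value that the SSL Cipher Suite Order policy text box expects. The classification rules are this example's own, written from the stated policy, not the product's.

```powershell
# Added example (not from the DELMIA Apriso guide): scores the guide's example cipher
# suite list against the "Using Strong Ciphers" recommendation and emits the
# comma-separated value for the SSL Cipher Suite Order Group Policy setting.

# The list exactly as printed in the guide, used here as input.
$exampleSuites = @(
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',   'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',   'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA',    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',      'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',     'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_DHE_RSA_WITH_AES_128_CBC_SHA',
    'TLS_RSA_WITH_AES_256_GCM_SHA384',         'TLS_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA256',         'TLS_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA',            'TLS_RSA_WITH_AES_128_CBC_SHA',
    'TLS_RSA_WITH_3DES_EDE_CBC_SHA',
    'TLS_DHE_DSS_WITH_AES_256_CBC_SHA256',     'TLS_DHE_DSS_WITH_AES_128_CBC_SHA256',
    'TLS_DHE_DSS_WITH_AES_256_CBC_SHA',        'TLS_DHE_DSS_WITH_AES_128_CBC_SHA',
    'TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA'
)

function Test-CipherSuitePolicy {
    # Emits one object per suite listing every reason it fails the stated policy.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Suite)
    process {
        $reasons = @()
        if ($Suite -notmatch '_(ECDHE|DHE)_')                { $reasons += 'static key exchange, no forward secrecy' }
        if ($Suite -match '_DSS_')                           { $reasons += 'DSS signatures are obsolete' }
        if ($Suite -match '3DES|RC4|_NULL_|EXPORT')          { $reasons += 'weak or deprecated cipher' }
        if ($Suite -notmatch '_(GCM|CCM)_|CHACHA20_POLY1305') { $reasons += 'not AEAD (CBC + HMAC)' }
        [pscustomobject]@{
            Suite     = $Suite
            Compliant = ($reasons.Count -eq 0)
            Reasons   = ($reasons -join '; ')
        }
    }
}

function Get-RecommendedCipherSuiteOrder {
    # Keeps only compliant suites, preserves the caller's preference order, and joins
    # them on one line as the Group Policy text box requires.
    param([Parameter(Mandatory)][string[]]$Candidates)
    ($Candidates | Test-CipherSuitePolicy | Where-Object Compliant | ForEach-Object Suite) -join ','
}

$exampleSuites | Test-CipherSuitePolicy | Format-Table -AutoSize
'SSL Cipher Suites value: ' + (Get-RecommendedCipherSuiteOrder -Candidates $exampleSuites)
```

On Windows Server 2016 and later, `(Get-TlsCipherSuite).Name` lists the suites Schannel currently offers, in order, so the value produced here can be compared with the live configuration after the policy is applied and the server restarted. Whatever list is enforced must still be negotiable by the DELMIA Apriso client tools and any integrations that talk to the server; verify with a test client before rolling it out.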

Deployment Info Update


Make the changes in DeploymentInfo.xml located under <drive>\Program Files\Dassault
Systemes\DELMIA Apriso 2022\Website\CentralConfiguration:

1. Replace the server name in the AppAddress, WebAddress, and Machine variables with full
domain server address.
2. Replace http with https in the Scheme variable.
3. Replace http with https in the WebRootURL variable.
4. Execute RunConfigUpdater.bat located in <drive>\Program Files\Dassault Systemes\DELMIA
Apriso 2022\Setup\Tools.

Web Services Configuration


When HTTPS/SSL is configured on the server:
1. Uncomment the sslDefault endpoint section in the web.config files found in:
<drive>\Program Files\Dassault Systemes\DELMIA Apriso 2022\WebSite\WebServices\iOs
<drive>\Program Files\Dassault Systemes\DELMIA Apriso 2022\WebSite\WebServices\1.0
<drive>\Program Files\Dassault Systemes\DELMIA Apriso 2022\WebSite\WebServices\1.1
<drive>\Program Files\Dassault Systemes\DELMIA Apriso 2022\WebSite\WebServices\Offline
<drive>\Program Files\Dassault Systemes\DELMIA Apriso 2022\WebSite\Portal\WebServices\1.0
<drive>\Program Files\Dassault Systemes\DELMIA Apriso 2022\WebSite\Portal\WebServices\1.1
2. Change the security mode from "None" to "Transport" in the wsHttpBinding section of the
web.config file found in:
<drive>\Program Files\Dassault Systemes\DELMIA Apriso 2022\WebSite\WebServices\Public

<wsHttpBinding>
  <binding name="FlexNetConfiguration">
    <readerQuotas maxStringContentLength="0" />
    <security mode="Transport">
      <transport clientCredentialType="None" />
      <message clientCredentialType="None" algorithmSuite="Default" />
    </security>
  </binding>
</wsHttpBinding>

DELMIA Apriso Portal Configuration


When HTTPS/SSL is configured on the server:
1. Set the "requireSSL" flag in the web.config file to true:
<FlexNet.HttpServices.HostingSettings requireSSL="true"
requireTokenAuthorization="true"/>

The web.config file is stored in <drive>\Program Files\Dassault Systemes\DELMIA Apriso 2022\WebSite\HttpServices
2. Comment and uncomment the sections in the web.config file in <drive>\Program
Files\Dassault Systemes\DELMIA Apriso 2022\WebSite\Portal\Sts\ depending on the Windows
Authentication settings.
When Windows Authentication is used:
Uncomment the endpoint for HTTPS with Windows Authentication enabled.

<!-- HTTPS, Integrated Windows Authentication = enabled -->
<endpoint behaviorConfiguration="FlexNetEndPointBehaviorConfiguration"
binding="webHttpBinding" bindingConfiguration="StsBindingConf_SSL_WI"
contract="FlexNet.Portal.WebUI.Portal.Sts.ITokenController"></endpoint>

Comment out the endpoints for HTTPS with Windows Authentication disabled and for
HTTP.

<!-- HTTP, Integrated Windows Authentication = disabled -->
<!--endpoint behaviorConfiguration="FlexNetEndPointBehaviorConfiguration"
binding="webHttpBinding" bindingConfiguration="StsBindingConf"
contract="FlexNet.Portal.WebUI.Portal.Sts.ITokenController"></endpoint-->

<!-- HTTP, Integrated Windows Authentication = enabled -->
<!--endpoint behaviorConfiguration="FlexNetEndPointBehaviorConfiguration"
binding="webHttpBinding" bindingConfiguration="StsBindingConf_WI"
contract="FlexNet.Portal.WebUI.Portal.Sts.ITokenController"></endpoint-->

<!-- HTTPS, Integrated Windows Authentication = disabled -->
<!--endpoint behaviorConfiguration="FlexNetEndPointBehaviorConfiguration"
binding="webHttpBinding" bindingConfiguration="StsBindingConf_SSL"
contract="FlexNet.Portal.WebUI.Portal.Sts.ITokenController"></endpoint-->

When Windows Authentication is not used:
Uncomment the endpoint for HTTPS with Windows Authentication disabled.
<!-- HTTPS, Integrated Windows Authentication = disabled -->
<endpoint behaviorConfiguration="FlexNetEndPointBehaviorConfiguration"
binding="webHttpBinding" bindingConfiguration="StsBindingConf_SSL"
contract="FlexNet.Portal.WebUI.Portal.Sts.ITokenController"></endpoint>

Comment the lines for HTTPS with the enabled Windows Authentication and for
HTTP.
<!-- HTTP, Integrated Windows Authentication = disabled -->
<!--endpoint behaviorConfiguration="FlexNetEndPointBehaviorConfiguration"
binding="webHttpBinding" bindingConfiguration="StsBindingConf"
contract="FlexNet.Portal.WebUI.Portal.Sts.ITokenController"></endpoint-->

<!-- HTTP, Integrated Windows Authentication = enabled -->
<!--endpoint behaviorConfiguration="FlexNetEndPointBehaviorConfiguration"
binding="webHttpBinding" bindingConfiguration="StsBindingConf_WI"
contract="FlexNet.Portal.WebUI.Portal.Sts.ITokenController"></endpoint-->

<!-- HTTPS, Integrated Windows Authentication = enabled -->
<!--endpoint behaviorConfiguration="FlexNetEndPointBehaviorConfiguration"
binding="webHttpBinding" bindingConfiguration="StsBindingConf_SSL_WI"
contract="FlexNet.Portal.WebUI.Portal.Sts.ITokenController"></endpoint-->

Updating ClickOnce Tools


To republish the ClickOnce manifests, run Publish All Apriso Applications via ClickOnce.bat
found in:
<drive>\Program Files\Dassault Systemes\DELMIA Apriso 2022\WebSite\Downloads\ClickOnce Tools

Business Controls Configuration


Check whether any Business Controls require configuration changes once SSL is enabled on the
DELMIA Apriso server.

Restart DELMIA Apriso Services after making the changes.



Trusted Sites
Add https://server.domain.com/* (replacing server.domain.com with your own server and domain
names) to the trusted sites on the Security tab of Internet Options.

2.1.3 Securing HTTP Cookies


To secure the authentication cookies when SSL is in use (so that they are never sent over plain
HTTP, where they could be captured and used to hijack the session):
1. Uncomment the <httpCookies requireSSL="true" /> element in the <system.web> section of the
Web.config file found in:
<drive>\Program Files\Dassault Systemes\DELMIA Apriso 2022\WebSite\Portal

2. Set the requireSSL attribute to true on the <forms> element inside <authentication mode="Forms">
in the <system.web> section of the same Web.config file.

Example configuration:

<forms loginUrl="${WebRootUrl}/Portal/Kiosk/DefaultLogin.aspx" cookieless="UseCookies" timeout="60" path="/" requireSSL="true" />

For more information on securing HTTP cookies, refer to Microsoft Docs articles related to
httpCookies Element.

2.1.4 Configuring SameSite Cookie


To embed DELMIA Apriso in a third-party context (for example in an <iframe> on another site), the
SameSite attribute of its cookies must be set to "None". Do this only when embedding is actually
required: SameSite=None gives up the cross-site request forgery protection that the Lax and Strict
values provide, and browsers accept SameSite=None cookies only when they also carry the Secure
attribute, which requires HTTPS.
To edit the attributes of the SameSite cookies:
1. Open the Web.config file located at <drive>\Program Files\Dassault Systemes\DELMIA Apriso
2022\WebSite\Portal\Web.config.
2. For the .ASPXAUTH cookie, set the value of cookieSameSite to "None."

<authentication mode="Forms">
<forms loginUrl="http://<server_name>/Apriso/Portal/Kiosk/DefaultLogin.aspx"
cookieless="UseCookies" timeout="60" path="/" cookieSameSite="None" />
</authentication>

3. For the ASP.NET_SessionId cookie, set the value of cookieSameSite to "None."

<sessionState cookieless="false" cookieSameSite="None" timeout="60" mode="StateServer" stateConnectionString="tcpip=127.0.0.1:42424" />

4. Set SameSite to "None" for all other DELMIA Apriso cookies:
a. If the <system.web> section has no <httpCookies/> element, add <httpCookies sameSite="None" />.
b. Otherwise, add the sameSite="None" attribute to the existing <httpCookies/> element.
If you are using DELMIA Apriso in HTTP mode, current browsers reject SameSite=None cookies that
are not also marked Secure, so the following browser settings must be changed on each client:
For Microsoft Edge and Google Chrome, disable the #cookies-without-same-site-must-be-secure flag.
For Mozilla Firefox, set network.cookie.sameSite.noneRequiresSecure to false.

Using DELMIA Apriso in the HTTP mode is not recommended. The default and
recommended configuration uses the HTTPS mode with secure cookies.

2.1.5 Configuring Cross-Origin Resource Sharing


To restrict Cross-Origin Resource Sharing (CORS) requests to a single trusted origin, replace the
default value of the Access-Control-Allow-Origin key in the customHeaders section of the web.config
file with that origin. The browser compares the header against the requesting page's origin, so the
value must include the scheme and, where it is not the default, the port (for example
https://portal.example.com:8443, where the host name is a placeholder), not a bare domain name.
By default, the value of the Access-Control-Allow-Origin key is set to "*", which allows cross-origin
requests from every site.
The web.config file is stored in <drive>\Program Files\Dassault Systemes\DELMIA Apriso
2022\WebSite\Portal\Sts

For more information on Cross-Origin Resource Sharing, refer to the W3C Recommendation.

2.1.6 Configuring Content Security Policy HTTP Response Headers


Edit the value of the Content-Security-Policy and X-Content-Security-Policy keys in the
customHeaders section of the web.config file by providing relevant content security directives.
The web.config file is stored in <drive>\Program Files\Dassault Systemes\DELMIA Apriso
2022\WebSite\Portal

In a default DELMIA Apriso installation, the Content Security Policy settings specify the
domain used by DELMIA Apriso and 3ds.com as valid parents that may embed a page using
the <frame> and <iframe> elements:

<customHeaders>
<add name="Content-Security-Policy"
value="frame-ancestors 'self' *.3ds.com:*" />
<add name="X-Content-Security-Policy"
value="frame-ancestors 'self' *.3ds.com:*" />
</customHeaders>

An explicit scheme is required when DELMIA Apriso runs in HTTPS mode but is embedded in a parent
page loaded from an HTTP URL, because a host-only source in frame-ancestors matches only the
protected page's own scheme. For example:

<add name="Content-Security-Policy" value="frame-ancestors 'self' *.3ds.com:* http://<serverName>" />

For more information on available Content Security Policy directives, refer to the Content Security
Policy (CSP) Quick Reference Guide.

2.1.7 Configuring ReturnURL Parameter Allowlist


To prevent open-redirect attacks on the DELMIA Apriso Portal login (and the session-hijacking
attempts that build on them, in which a crafted ReturnURL sends a freshly authenticated user to an
attacker-controlled page), configure an allowlist of valid ReturnURL parameter values.
ReturnURL is the URL to which the user is redirected after successful login.
In a default DELMIA Apriso installation, any URL is accepted as a ReturnURL parameter value.
To create the allowlist, edit the value of the PortalReturnUrlAllowList key in the appSettings
section of the web.config file.

The web.config file is stored in <drive>\Program Files\Dassault Systemes\DELMIA Apriso 2022\WebSite\Portal

Accepted value formats:


SAMEORIGIN – All URLs from the host on which the DELMIA Apriso server is installed are
allowed.
<add key="PortalReturnUrlAllowList" value="SAMEORIGIN" />

URL – a specific URL.


<add key="PortalReturnUrlAllowList" value="3ds.com/support/index.html" />

URL prefix with wildcard – partial URL with wildcard at the end, all URLs sharing the
same prefix are allowed. Only a single wildcard may be used in one prefix entry.
<add key="PortalReturnUrlAllowList" value="3ds.com/support/*" />

Do not include the scheme (http:// or https://) in the values. Separate multiple values with a semicolon.

The allowlist applies only to absolute URLs.

Example configuration:

<appSettings>
[…]
<add key="PortalReturnUrlAllowList" value="3ds.com/;3ds.com/support/*;SAMEORIGIN" />
</appSettings>

2.1.8 Displaying Exception Messages


The DisplayExceptionMessageInErrorPage property is set to false by default and must never be set to
true in a production environment. When it is true, users see a detailed error message that can help
with troubleshooting but may disclose sensitive information such as stack traces and internal paths.

The property is available in the web.config file located in <drive>\Program Files\Dassault
Systemes\DELMIA Apriso 2022\WebSite\Portal.
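Sections 2.1.3 to 2.1.8 each describe one setting in a web.config file, and after an upgrade or a configuration merge it is worth checking them all at once rather than by eye. The following PowerShell is an added example, not part of the DELMIA Apriso guide or product: it parses a web.config as XML and reports one finding per check (secure cookies, SameSite, CORS origin, CSP frame-ancestors, ReturnURL allowlist, exception-message display). Each check runs only when the element it targets is present, so the same function can be pointed at WebSite\Portal\web.config and at WebSite\Portal\Sts\web.config. The sample document is constructed for the demonstration and deliberately shows the weak settings; it assumes DisplayExceptionMessageInErrorPage is an appSettings key, which the guide does not state.

```powershell
# Added example (not from the DELMIA Apriso guide): audits a web.config against the
# settings described in sections 2.1.3 - 2.1.8.
# Assumption: DisplayExceptionMessageInErrorPage is looked up as an appSettings key.

# Constructed sample showing the weak/default state (not a real Apriso file).
$sampleWebConfig = @'
<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="DisplayExceptionMessageInErrorPage" value="true" />
    <add key="PortalReturnUrlAllowList" value="" />
  </appSettings>
  <system.web>
    <!-- <httpCookies requireSSL="true" /> still commented out, as after installation -->
    <authentication mode="Forms">
      <forms loginUrl="http://server/Apriso/Portal/Kiosk/DefaultLogin.aspx"
             cookieless="UseCookies" timeout="60" path="/" cookieSameSite="None" />
    </authentication>
  </system.web>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="Access-Control-Allow-Origin" value="*" />
        <add name="Content-Security-Policy" value="frame-ancestors 'self' *.3ds.com:*" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
'@

function Get-XmlAttribute([xml]$Xml, [string]$XPath, [string]$Name) {
    # Attribute value of the first matching node, or $null when the node is absent
    # (a commented-out element is absent as far as the XML parser is concerned).
    $node = $Xml.SelectSingleNode($XPath)
    if ($null -ne $node) { $node.GetAttribute($Name) } else { $null }
}

function Get-Status([bool]$Pass) { if ($Pass) { 'PASS' } else { 'FAIL' } }

function New-Finding([string]$Check, [string]$Status, [string]$Detail) {
    [pscustomobject]@{ Check = $Check; Status = $Status; Detail = $Detail }
}

function Test-AprisoWebConfig {
    param([Parameter(Mandatory)][string]$Path)
    $xml = [xml](Get-Content -Path $Path -Raw)

    if ($xml.SelectSingleNode('//system.web')) {
        # 2.1.3: both requireSSL flags must be present and true.
        $v = Get-XmlAttribute $xml '//system.web/httpCookies' 'requireSSL'
        New-Finding 'httpCookies requireSSL' (Get-Status ($v -eq 'true')) "value: '$v'"
        $v = Get-XmlAttribute $xml '//system.web/authentication/forms' 'requireSSL'
        New-Finding 'forms requireSSL' (Get-Status ($v -eq 'true')) "value: '$v'"
        # 2.1.4: SameSite=None is legitimate only for embedding, and only over HTTPS.
        $v = Get-XmlAttribute $xml '//system.web/authentication/forms' 'cookieSameSite'
        if ($v -eq 'None') {
            New-Finding 'forms cookieSameSite' 'NOTE' 'None: same-site CSRF protection off; needs Secure cookies (HTTPS)'
        }
    }
    if ($xml.SelectSingleNode('//customHeaders')) {
        # 2.1.5: "*" lets any site make cross-origin requests.
        $v = Get-XmlAttribute $xml "//customHeaders/add[@name='Access-Control-Allow-Origin']" 'value'
        if ($null -ne $v) {
            New-Finding 'Access-Control-Allow-Origin' (Get-Status ($v -ne '*')) "value: '$v'"
        }
        # 2.1.6: frame-ancestors must be defined (in the Portal web.config).
        $v = Get-XmlAttribute $xml "//customHeaders/add[@name='Content-Security-Policy']" 'value'
        if ($null -eq $v) { New-Finding 'Content-Security-Policy' 'NOTE' 'not set in this file' }
        else { New-Finding 'Content-Security-Policy' (Get-Status ($v -match 'frame-ancestors')) "value: '$v'" }
    }
    if ($xml.SelectSingleNode('//appSettings')) {
        # 2.1.7: an empty or missing allowlist means any ReturnURL is accepted.
        $v = Get-XmlAttribute $xml "//appSettings/add[@key='PortalReturnUrlAllowList']" 'value'
        New-Finding 'PortalReturnUrlAllowList' (Get-Status (-not [string]::IsNullOrWhiteSpace($v))) "value: '$v'"
        # 2.1.8: must be false in production (key location assumed, see above).
        $v = Get-XmlAttribute $xml "//appSettings/add[@key='DisplayExceptionMessageInErrorPage']" 'value'
        New-Finding 'DisplayExceptionMessageInErrorPage' (Get-Status ($v -ne 'true')) "value: '$v'"
    }
}

# Demonstration on the constructed sample; point -Path at the real files afterwards.
$samplePath = Join-Path ([IO.Path]::GetTempPath()) 'apriso-sample-web.config'
Set-Content -Path $samplePath -Value $sampleWebConfig -Encoding UTF8
Test-AprisoWebConfig -Path $samplePath | Format-Table -AutoSize
```

Against the sample every check except the CSP header reports FAIL or NOTE, which is the state the procedures above are meant to correct. The function treats a commented-out element the same as a missing one, which matters for httpCookies: the guide's step is to uncomment it, and the parser will only see it once that is done.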

2.2 Protecting Web Services and DELMIA Apriso Services


All standard DELMIA Apriso services are located on the application server. They are used to
execute business logic against the database or an external system. They are bridges between
the client and the database or external system, and they can communicate with each other.

2.2.1 Security Overview of DELMIA Apriso Services


All standard DELMIA Apriso services are created in the Microsoft technology called Windows
Communication Foundation (WCF). One of the possibilities offered by WCF is secure data
transmission.

Configuring all services to use encrypted connections is recommended.

Services whose security settings can be configured:


Framework Services
Global Process Manager Services
Job Executor Services
Job Scheduler Service
Maintenance Services
Process Builder Services
State Services
The configuration file of each of these services contains a <system.serviceModel> section in
which the security settings are defined. The section is divided into the following parts:
bindings
Contains definitions for the TCP and HTTP bindings. For more information, refer to
Microsoft Docs articles related to:
<netTcpBinding>
<readerQuotas>
Bindings supported by DELMIA Apriso:
netTcpBinding – binding for the TCP connection
TcpNoSecurity – binding configuration for the TCP connection without security
enabled
TcpNoSecurityGPM – binding configuration for the TCP connection used by the GPM
service without security enabled
TcpSecurityCert – binding configuration for the TCP connection with security enabled
and certificate-based validation of client applications and services
TcpSecurityCertGPM – binding configuration for the TCP connection used by the
GPM service with security enabled and certificate-based validation of client
applications and services
wsHttpBinding – binding for the HTTP connection
HttpNoSecurity – binding configuration for the HTTP connection without security
enabled
HttpSecurity – binding configuration for the HTTP connection with security enabled
HttpSecurityGPM – binding configuration for the HTTP connection used by the GPM
service with security enabled
HttpsSecurity – binding configuration for the HTTPS connection with security enabled
HttpsSecurityGPM – binding configuration for the HTTPS connection used by the
GPM service with security enabled
HttpsSecurityCert – binding configuration for the HTTPS connection with security
enabled and certificate-based validation of client applications and services
HttpsSecurityCertGPM – binding configuration for the HTTPS connection used by the
GPM service with security enabled and certificate-based validation of client
applications and services
services
Contains a list of available endpoints or the name of an external file with endpoint
configuration.
To change the security settings, edit the following <endpoint> settings:
address
binding
bindingConfiguration
For more details about possible configurations of the WCF service, refer to Microsoft Docs
article related to programming WCF security.
For information on certificate-based validation of client applications and services, refer to 5.2.3
Using x509 Certificates to Validate Client Applications and Services.

2.2.2 Securing DELMIA Apriso Services


DELMIA Apriso Server Configuration

The configuration examples use the wsHttpBinding binding and HttpsSecurity binding
configuration.

To secure a DELMIA Apriso service:


1. Change “net.tcp” to “https” in the remoting addresses for DELMIA Apriso Services in the
<FlexNet.ServicesLocations> section of the CentralConfiguration.xml file located in the
<drive>\Program Files\Dassault Systemes\DELMIA Apriso 2022\Website\CentralConfiguration
folder:

<FlexNet.ServicesLocations>
<add key="StateService"
value="REMOTING:https://${AppAddress}:32606/stateservice" />
<add key="FrameworkServices"
value="REMOTING:https://${AppAddress}:32601/frameworkservice" />
<add key="ProcessDesignerServices"
value="REMOTING:https://${AppAddress}:32603/pb20service" />
<add key="ProcessBuilderServices"
value="REMOTING:https://${AppAddress}:32603/pb20service" />
<add key="MaintenanceServices"
value="REMOTING:https://${AppAddress}:32602/maintenanceservice" />
<add key="SequenceProviderServices"
value="REMOTING:https://${AppAddress}:32601/frameworkservice" />
<add key="SchedulingServices"
value="REMOTING:https://${AppAddress}:32607/JobSchedulerService" />
<add key="JobSchedulerService"
value="REMOTING:https://${AppAddress}:32607/JobSchedulerService" />
<add key="JobExecutorServices"
value="REMOTING:https://${AppAddress}:32612/jobexecutorservice" />
<add key="GlobalProcessManagerServices"
value="REMOTING:https://${AppAddress}:32709/gpmservice" />
<add key="TidUpdateManagerServices"
value="REMOTING:https://${AppAddress}:32601/frameworkservice" />
<add key="MachineIntegratorService"
value="REMOTING:https://${AppAddress}:32502/ConnectorRemoting" />
</FlexNet.ServicesLocations>

2. Edit the endpoint settings for all DELMIA Apriso Services listed in the <client> section of
the WcfClientConfiguration.xml client-side configuration file:
address – change “net.tcp” to “https” and provide full domain address of the DELMIA
Apriso server
binding – change “netTcpBinding” to “wsHttpBinding”
bindingConfiguration – change “TcpNoSecurity” to “HttpsSecurity”

The WCFClientConfiguration.xml file is located in:
<drive>\Program Files\Dassault Systemes\DELMIA Apriso 2022\Website\CentralConfiguration

The example settings for Process Builder Services:



<client>
[…]
<endpoint
address="https://SERVERNAME.DOMAIN.com:32603/pb20service"
binding="wsHttpBinding"
bindingConfiguration="HttpsSecurity"
name="ProcessBuilderServices"
contract="FlexNet.SystemServices.Services.IServiceFactory">
<identity>
<dns value="DELMIA Apriso Services" />
</identity>
</endpoint>
[…]
</client>

3. Edit the endpoint settings in the server-side configuration files for DELMIA Apriso Services:
address – change “net.tcp” to “https” and provide full domain address of the DELMIA
Apriso server
binding – change “netTcpBinding” to “wsHttpBinding”
bindingConfiguration – change “TcpNoSecurity” to “HttpsSecurity”

The server-side configuration files for DELMIA Apriso Services are located in the following
directories:
<drive>\Program Files\Dassault Systemes\DELMIA Apriso 2022\Services\[ServiceName]

The table lists the names of the configuration files and relevant sections in these
configuration files, which contain the endpoint settings for the given service:

DELMIA Apriso Service: Framework Services, Job Executor Services, Job Scheduler Service,
Maintenance Services, Process Builder Services, State Services
Server-side configuration file: The endpoint settings are in the <services> section of the
RemotingServices.config file for each of the DELMIA Apriso Services.
The example shows the settings for Process Builder Services:

<services>
<service
[…]
<endpoint
address="https://SERVERNAME.DOMAIN.com:32610/pb20service"
binding="wsHttpBinding"
bindingConfiguration="HttpsSecurity"
name="FlexNetEndpoint"
contract="FlexNet.SystemServices.Services.IServiceFactory"
/>
</service>
</services>

Do not modify the endpoint settings for mexHttpBinding.

DELMIA Apriso Service: Global Process Manager Services
Server-side configuration file: The endpoint settings are in the <system.serviceModel> section
of the FlexNetGlobalProcessManagerRemotingService.exe.config file.

<service>
[…]
<endpoint
address="https://SERVERNAME.DOMAIN.com:32709/gpmservice"
binding="wsHttpBinding"
bindingConfiguration="HttpsSecurityGPM"
name="FlexNetEndpoint"
contract="FlexNet.SystemServices.Services.IServiceFactory"
/>
</service>

The GPM Service uses a dedicated binding configuration with “GPM” at the end of its name.
Do not modify any other endpoint settings in the
FlexNetGlobalProcessManagerRemotingService.exe.config file.

4. Bind the SSL certificate of the DELMIA Apriso Server to the ports used by DELMIA Apriso
Services:
32601, 32602, 32603, 32606, 32607, 32612, 32709

The certificate can be bound to a service port by executing the command:

netsh http add sslcert ipport=0.0.0.0:01234 certhash=01234567890abcdefghijklmnopqrstuvwxyz0 appid={00112233-4455-6677-8899-AABBCCDDEEFF}

where:
ipport parameter value is the port used by the service (IP address should be 0.0.0.0).
certhash parameter value is the hash of the DELMIA Apriso server certificate.
appid parameter value is the GUID generated by the user that identifies the service.

For more information, refer to Microsoft Docs article about configuring a port with an SSL
certificate.
Additional configuration steps necessary when configuring x509 certificates for DELMIA
Apriso Services are described in 5.2.3 Using x509 Certificates to Validate Client Applications
and Services.

When securing DELMIA Apriso Services in a cluster environment, use certificates with
defined Subject Alternative Name (SAN) entries for virtual web cluster name, virtual
application cluster name, as well as names of all cluster nodes. All cluster nodes must
be in the same domain.

Examples of DELMIA Apriso certificate configurations in cluster environment:


Single certificate listing all of the above SAN entries.
Two certificates. The first certificate contains SAN entries for the virtual web cluster name
and the names of related web cluster nodes. The second certificate contains SAN entries
for the virtual application cluster name and the names of related application cluster nodes.
For details on DELMIA Apriso cluster configuration, refer to DELMIA Apriso High
Availability Configuration Installation Guide.

For examples of secure configurations of DELMIA Apriso services, see 9.1 Appendix
A: DELMIA Apriso Services - Example Secure Configurations.

Whenever the security settings of DELMIA Apriso Services are changed, delete the
WcfClientConfiguration.xml temporary file from <drive>\Temp\AprisoTemp\<server_name>\ on
the DELMIA Apriso server and restart DELMIA Apriso Services.
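As an added example (not DELMIA Apriso code; the file fragments, the host name apriso.example.com and the ${AppAddress} placeholder are constructed), the following Python script checks the two client-side files from steps 1 and 2 for services still on net.tcp, netTcpBinding or TcpNoSecurity, and lists the ports that step 4 must bind the certificate to:

```python
"""Audit the client-side DELMIA Apriso service configuration edited in steps 1 and 2.

Added example, not part of the DELMIA Apriso product or its documentation. It parses the
<FlexNet.ServicesLocations> section of CentralConfiguration.xml and the <client> section of
WcfClientConfiguration.xml and reports anything not yet moved to https/wsHttpBinding/HttpsSecurity.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample of <FlexNet.ServicesLocations>: FrameworkServices still points at net.tcp.
SERVICES_LOCATIONS = """<FlexNet.ServicesLocations>
  <add key="StateService" value="REMOTING:https://${AppAddress}:32606/stateservice" />
  <add key="FrameworkServices" value="REMOTING:net.tcp://${AppAddress}:32601/frameworkservice" />
  <add key="GlobalProcessManagerServices" value="REMOTING:https://${AppAddress}:32709/gpmservice" />
</FlexNet.ServicesLocations>"""

# Constructed sample of the <client> section; host names are placeholders.
CLIENT_ENDPOINTS = """<client>
  <endpoint address="https://apriso.example.com:32606/stateservice" binding="wsHttpBinding"
            bindingConfiguration="HttpsSecurity" name="StateService"
            contract="FlexNet.SystemServices.Services.IServiceFactory" />
  <endpoint address="https://apriso.example.com:32603/pb20service" binding="netTcpBinding"
            bindingConfiguration="TcpNoSecurity" name="ProcessBuilderServices"
            contract="FlexNet.SystemServices.Services.IServiceFactory" />
  <endpoint address="https://localhost:32602/maintenanceservice" binding="wsHttpBinding"
            bindingConfiguration="HttpsSecurity" name="MaintenanceServices"
            contract="FlexNet.SystemServices.Services.IServiceFactory" />
</client>"""

# REMOTING:<scheme>://<host>:<port>/<path>; the host may be the ${AppAddress} placeholder.
REMOTING_RE = re.compile(r"^REMOTING:(?P<scheme>[a-z.]+)://(?P<host>[^/:]+):(?P<port>\d+)/")

# Values every client endpoint must carry after step 2.
EXPECTED_ENDPOINT = {"binding": "wsHttpBinding", "bindingConfiguration": "HttpsSecurity"}


def audit_service_locations(xml_text):
    """Return one finding per service whose remoting address does not use https."""
    findings = []
    for add in ET.fromstring(xml_text).iter("add"):
        key, value = add.get("key", "?"), add.get("value", "")
        match = REMOTING_RE.match(value)
        if match is None:
            findings.append(f"{key}: unrecognised remoting address {value!r}")
        elif match.group("scheme") != "https":
            findings.append(f"{key}: still uses {match.group('scheme')}://, change to https://")
    return findings


def ports_to_bind(xml_text):
    """Ports of all https remoting addresses; each needs the server certificate bound with netsh."""
    ports = set()
    for add in ET.fromstring(xml_text).iter("add"):
        match = REMOTING_RE.match(add.get("value", ""))
        if match is not None and match.group("scheme") == "https":
            ports.add(int(match.group("port")))
    return ports


def audit_client_endpoints(xml_text):
    """Return findings for <client> endpoints that are not https + wsHttpBinding + HttpsSecurity."""
    findings = []
    for endpoint in ET.fromstring(xml_text).iter("endpoint"):
        name = endpoint.get("name", "?")
        address = endpoint.get("address", "")
        host = urlparse(address).hostname or ""
        if not address.startswith("https://"):
            findings.append(f"{name}: address {address!r} does not use https://")
        elif host == "localhost" or "." not in host:
            # Step 2 requires the full domain address of the DELMIA Apriso server.
            findings.append(f"{name}: address host {host!r} is not a full domain name")
        for attr, want in EXPECTED_ENDPOINT.items():
            got = endpoint.get(attr)
            if got != want:
                findings.append(f"{name}: {attr}={got!r}, expected {want!r}")
    return findings


if __name__ == "__main__":
    for finding in audit_service_locations(SERVICES_LOCATIONS) + audit_client_endpoints(CLIENT_ENDPOINTS):
        print("FINDING:", finding)
    print("bind certificate to ports:", sorted(ports_to_bind(SERVICES_LOCATIONS)))
```

Run it against the real files after editing them; an empty findings list and a port set matching step 4 means the client side is consistent.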

DELMIA Apriso Machine Integrator Connector Configuration


The following configuration changes must be made when securing a DELMIA Apriso Machine
Integrator Connector instance:

The configuration examples below use the wsHttpBinding binding and HttpsSecurity
binding configuration.

When configuring an actual DELMIA Apriso deployment, the parameter values have to
correspond to the settings defined for the other DELMIA Apriso Services.

Running DELMIA Apriso Machine Integrator Connector on DELMIA Apriso Server

1. In the CentralConfiguration.xml file located on the DELMIA Apriso Server in the
<drive>\Program Files\Dassault Systemes\DELMIA Apriso 2022\Website\CentralConfiguration
folder, change http to https in the value of the HubServerAddress key in the
<FlexNet.MachineIntegrator> section.

<add key="HubServerAddress" value="https://${WebAddress}:32500/mi" />

2. In the same file, change net.tcp to https in the value of the MachineIntegratorService key in
the <FlexNet.ServicesLocations> section:

<FlexNet.ServicesLocations>
<add key="MachineIntegratorService"
value="REMOTING:https://${AppAddress}:32502/ConnectorRemoting" />
</FlexNet.ServicesLocations>

3. If you are connecting using SSL, change net.tcp to https in the value of the
ExtendedRemotingAppenderServicePattern key in the FlexNet.MachineIntegrator section:

<FlexNet.MachineIntegrator>
<add key="ExtendedRemotingAppenderServicePattern"
value="https://localhost:32502/ConnectorRemoting" />
</FlexNet.MachineIntegrator>

4. In the WcfClientConfiguration.xml file located on the DELMIA Apriso Server in the <drive>\Program
Files\Dassault Systemes\DELMIA Apriso 2022\Website\CentralConfiguration folder, edit the
address, binding, and bindingConfiguration parameters.

<system.serviceModel>
[…]
<endpoint
address="https://SERVERNAME.DOMAIN.com:32502/ConnectorRemoting"
binding="wsHttpBinding" bindingConfiguration="HttpsSecurity"
name="MachineIntegratorService"
contract="FlexNet.SystemServices.Services.IServiceFactory">
<identity>
<dns value="DELMIA Apriso Services" />
</identity>
</endpoint>
</client>
</system.serviceModel>

5. In the WCFServices.config file located on the DELMIA Apriso Server in the <drive>\Program
Files\Dassault Systemes\DELMIA Apriso 2022\Services\Machine Integrator Service folder, edit
the address, binding, and bindingConfiguration parameters for the ConnectorRemoting
endpoint key.

<service
behaviorConfiguration="default"
name="FlexNet.SystemServices.Services.ServiceFactoryImpl">
<clear />
<endpoint
address="http://localhost:32503/ConnectorRemoting/mex"
binding="mexHttpBinding"
contract="IMetadataExchange" />
<endpoint
address="https://SERVERNAME.DOMAIN.com:32502/ConnectorRemoting"
binding="wsHttpBinding"
bindingConfiguration="HttpsSecurity"
name="FlexNetEndpoint"
contract="FlexNet.SystemServices.Services.IServiceFactory" />
</service>

6. In the MachineIntegrator.exe.config file located on the DELMIA Apriso Server in the
<drive>\Program Files\Dassault Systemes\DELMIA Apriso 2022\Services\Machine Integrator
Service folder, edit the value of the CentralConfigurationFile key in the <appSettings> section
so that a full domain name of the DELMIA Apriso Server is used.

<appSettings>
<add key="CentralConfigurationFile"
value="https://SERVERNAME.DOMAIN.com/Apriso/CentralConfiguration/CentralConfiguration.xml" />
<add key="ClientSettingsProvider.ServiceUri" value="" />
</appSettings>


7. Bind an SSL certificate of the DELMIA Apriso Server to the Machine Integrator service ports
(32500, 32502).
The certificate can be bound to a service port with the command:

netsh http add sslcert ipport=0.0.0.0:32500 certhash=01234567890abcdefghijklmnopqrstuvwxyz0 appid={00112233-4455-6677-8899-AABBCCDDEEFF}

where:
ipport parameter value is the port used by the service (IP address should be 0.0.0.0).
certhash parameter value is the hash of the server certificate.
appid parameter value is the GUID generated by the user that will identify the Machine
Integrator service.
For more information, refer to the Microsoft Docs article about configuring a port with an SSL
certificate.

Whenever the security settings of DELMIA Apriso Machine Integrator are changed, it is
necessary to delete the WcfClientConfiguration.xml temporary file from the following
location on the DELMIA Apriso server: <drive>\Temp\AprisoTemp\<server_name>\ and
restart DELMIA Apriso Services.

Standalone DELMIA Apriso Machine Integrator Connector:

1. In the CentralConfiguration.xml file located on the DELMIA Apriso Server in the
<drive>\Program Files\Dassault Systemes\DELMIA Apriso 2022\Website\CentralConfiguration
folder:
a. Change http to https in the value of the HubServerAddress key in the
<FlexNet.MachineIntegrator> section.

<add key="HubServerAddress" value="https://${WebAddress}:32500/mi" />

b. Change net.tcp to https in the value of the MachineIntegratorService key in the
<FlexNet.ServicesLocations> section.

<FlexNet.ServicesLocations>
<add key="MachineIntegratorService"
value="REMOTING:https://${AppAddress}:32502/ConnectorRemoting" />
</FlexNet.ServicesLocations>

2. If you are connecting using SSL, change net.tcp to https in the value of the
ExtendedRemotingAppenderServicePattern key in the FlexNet.MachineIntegrator section:

<FlexNet.MachineIntegrator>
<add key="ExtendedRemotingAppenderServicePattern"
value="https://localhost:32502/ConnectorRemoting" />
</FlexNet.MachineIntegrator>

3. In the WcfClientConfiguration.xml file located on the DELMIA Apriso Server in the
<drive>\Program Files\Dassault Systemes\DELMIA Apriso 2022\Website\CentralConfiguration
folder, edit the address, binding, and bindingConfiguration parameters.


<system.serviceModel>
[…]
<endpoint
address="https://SERVERNAME.DOMAIN.com:32502/ConnectorRemoting"
binding="wsHttpBinding" bindingConfiguration="HttpsSecurity"
name="MachineIntegratorService"
contract="FlexNet.SystemServices.Services.IServiceFactory">
<identity>
<dns value="DELMIA Apriso Services" />
</identity>
</endpoint>
</client>
</system.serviceModel>

4. In the WCFServices.config file located on the machine hosting DELMIA Apriso Machine
Integrator Connector in the <drive>\Program Files (x86)\Dassault Systemes\DELMIA Apriso 2022
Client\Machine Integrator Connector folder, edit the address, binding, and binding
configuration parameters for the ConnectorRemoting endpoint key.

<service
behaviorConfiguration="default"
name="FlexNet.SystemServices.Services.ServiceFactoryImpl">
<clear />
<endpoint
address="http://localhost:32503/ConnectorRemoting/mex"
binding="mexHttpBinding"
contract="IMetadataExchange" />
<endpoint
address="https://MI_CONNECTOR_HOST_NAME.DOMAIN:32502/ConnectorRemoting"
binding="wsHttpBinding"
bindingConfiguration="HttpsSecurity"
name="FlexNetEndpoint"
contract="FlexNet.SystemServices.Services.IServiceFactory" />
</service>

Please note that the address value must contain the full domain address of the
machine hosting DELMIA Apriso Machine Integrator Connector.

5. In the MachineIntegrator.exe.config file located on the machine hosting DELMIA Apriso
Machine Integrator Connector in the <drive>\Program Files (x86)\Dassault Systemes\DELMIA
Apriso 2022 Client\Machine Integrator Connector folder, edit the value of the
CentralConfigurationFile key in the <appSettings> section so that a full domain name of the
DELMIA Apriso Server is used.

<appSettings>
<add key="CentralConfigurationFile"
value="https://SERVERNAME.DOMAIN.com/Apriso/CentralConfiguration/CentralConfiguration.xml" />
<add key="ClientSettingsProvider.ServiceUri" value="" />
</appSettings>

6. Bind an SSL certificate of the machine hosting DELMIA Apriso Machine Integrator
Connector to the Machine Integrator service ports (32500, 32502).
The certificate can be bound to a service port by executing the command:

netsh http add sslcert ipport=0.0.0.0:32500 certhash=01234567890abcdefghijklmnopqrstuvwxyz0 appid={00112233-4455-6677-8899-AABBCCDDEEFF}

where:
ipport parameter value is the port used by the service (IP address should be 0.0.0.0).
certhash parameter value is the hash of the certificate of the machine hosting DELMIA
Apriso Machine Integrator Connector.
appid parameter value is the GUID generated by the user that identifies the Machine
Integrator service.

For more information, refer to the Microsoft Docs article about configuring a port with an
SSL certificate.

Whenever the security settings of DELMIA Apriso Machine Integrator are changed,
delete the WcfClientConfiguration.xml temporary file from the following locations on the
machine hosting the DELMIA Apriso Machine Integrator Connector:
%USERPROFILE%\AppData\Local\Temp\<ServerName> and
%USERPROFILE%\AppData\Local\Temp\<Name of the Machine Hosting MI>, restart DELMIA
Apriso Services on the DELMIA Apriso Server, and restart Machine Integrator Service
on the machine hosting the DELMIA Apriso Machine Integrator Connector.

2.3 Protecting Business Web Services


To secure DELMIA Apriso Business Web Services, edit the web.config file.
In each basicHttpBinding, wsHttpBinding and webHttpBinding section change the value of the
<security> key to:

<security mode="Transport">
<transport clientCredentialType="None" />
</security>

The value must also be added to the bindings, in case the <security> key is not present
in the binding configuration.

The web.config is located in <drive>\Program Files\Dassault Systemes\DELMIA Apriso
2022\WebSite\BusinessWebServices.

2.4 Disabling WSDL and MEX in DELMIA Apriso Services and Business Web Services

As an additional measure increasing DELMIA Apriso security, remove the documentation
protocol from ASMX and WCF services which are not in use, and disable MEX endpoints in
WCF services which are not in use.
To disable WSDL in ASMX services:
1. Open the Web.config file from the service’s root directory.
ASMX services are located in the following directories:
<drive>\Program Files\Dassault Systemes\DELMIA Apriso
2022\WebSite\Portal\BusinessControls\WebServices\
<drive>\Program Files\Dassault Systemes\DELMIA Apriso 2022\WebSite\BusinessWebServices\
<drive>\Program Files\Dassault Systemes\DELMIA Apriso 2022\WebSite\MessageProcessor\
<drive>\Program Files\Dassault Systemes\DELMIA Apriso
2022\WebSite\MachineIntegratorServices\
2. Add the webServices configuration element to the system.web element in the Web.config file.
3. In the webServices element, add the protocols configuration element.
4. In the protocols element, add the remove name="Documentation" key.
The following example shows the webServices configuration element added to a Web.config
file to disable the automatic generation of browser-friendly documentation:

<webServices>
<protocols>
<remove name="Documentation"/>
</protocols>
</webServices>

5. Save the Web.config file.


To disable WSDL in WCF services:
1. Open the Web.config file from the service’s root directory.
WCF services are located in the following directories:
<drive>\Program Files\Dassault Systemes\DELMIA Apriso 2022\WebSite\BusinessWebServices\
<drive>\Program Files\Dassault Systemes\DELMIA Apriso 2022\WebSite\CentralConfiguration\
<drive>\Program Files\Dassault Systemes\DELMIA Apriso
2022\WebSite\MachineIntegratorServices\
<drive>\Program Files\Dassault Systemes\DELMIA Apriso 2022\WebSite\MessageProcessor\
<drive>\Program Files\Dassault Systemes\DELMIA Apriso
2022\WebSite\Portal\BusinessControls\WebServices\
<drive>\Program Files\Dassault Systemes\DELMIA Apriso 2022\WebSite\Portal\Sts\
<drive>\Program Files\Dassault Systemes\DELMIA Apriso
2022\WebSite\Portal\WebServices\1.0\
<drive>\Program Files\Dassault Systemes\DELMIA Apriso
2022\WebSite\Portal\WebServices\1.1\
<drive>\Program Files\Dassault Systemes\DELMIA Apriso 2022\WebSite\WebServices\1.0\
<drive>\Program Files\Dassault Systemes\DELMIA Apriso 2022\WebSite\WebServices\1.1\
<drive>\Program Files\Dassault Systemes\DELMIA Apriso 2022\WebSite\WebServices\
<drive>\Program Files\Dassault Systemes\DELMIA Apriso 2022\WebSite\WebServices\iOs\
<drive>\Program Files\Dassault Systemes\DELMIA Apriso 2022\WebSite\WebServices\Offline\
<drive>\Program Files\Dassault Systemes\DELMIA Apriso 2022\WebSite\WebServices\AJAX\
<drive>\Program Files\Dassault Systemes\DELMIA Apriso 2022\WebSite\WebServices\Public\
2. In the serviceBehaviors section:
a. in serviceMetadata element, change the values of httpGetEnabled and httpsGetEnabled keys
to false:

<serviceMetadata httpGetEnabled="false" httpsGetEnabled="false" />

b. in serviceDebug element, change the value of the includeExceptionDetailInFaults key to
false:

<serviceDebug includeExceptionDetailInFaults="false" />

If the serviceMetadata and serviceDebug elements are not present in the Web.config
files, the default "false" value is applied to the httpGetEnabled, httpsGetEnabled, and
includeExceptionDetailInFaults settings.

3. Save the Web.config file.


To disable MEX endpoints in WCF services:
1. Open the *.config file for the service.
The following *.config files contain MEX endpoints:
<drive>\Program Files\Dassault Systemes\DELMIA Apriso 2022\Services\Framework
Services\RemotingServices.config
<drive>\Program Files\Dassault Systemes\DELMIA Apriso 2022\Services\Global Process
Manager Services\FlexNetGlobalProcessManagerRemotingService.exe.config
<drive>\Program Files\Dassault Systemes\DELMIA Apriso 2022\Services\Job Executor
Service\RemotingServices.config
<drive>\Program Files\Dassault Systemes\DELMIA Apriso 2022\Services\Job Scheduler
Service\RemotingServices.config
<drive>\Program Files\Dassault Systemes\DELMIA Apriso 2022\Services\Machine Integrator
Service\WCFServices.config
<drive>\Program Files\Dassault Systemes\DELMIA Apriso 2022\Services\Maintenance
Services\RemotingServices.config
<drive>\Program Files\Dassault Systemes\DELMIA Apriso 2022\Services\Process Builder
Services\RemotingServices.config
<drive>\Program Files\Dassault Systemes\DELMIA Apriso 2022\Services\State
Service\RemotingServices.config
<drive>\Program Files\Dassault Systemes\DELMIA Apriso
2022\WebSite\BusinessWebServices\Web.config
<drive>\Program Files\Dassault Systemes\DELMIA Apriso
2022\WebSite\MachineIntegratorServices\Web.config
<drive>\Program Files\Dassault Systemes\DELMIA Apriso
2022\WebSite\MessageProcessor\Web.config
<drive>\Program Files\Dassault Systemes\DELMIA Apriso 2022\WebSite\WebServices\Web.config

2. Remove the MEX endpoint from the *.config file.
3. Save the *.config file.

Changing any of the above settings for services that are used by your DELMIA Apriso
deployment may prevent the services from working correctly.
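As an added example serving both 2.3 and 2.4 (not DELMIA Apriso code; the Web.config fragment, the binding names and the service name are constructed), this Python script audits a Web.config for transport security on every binding, the removed Documentation protocol, disabled metadata and exception details, and remaining MEX endpoints, and adds the <security> element to bindings that lack one, as 2.3 requires:

```python
"""Audit a Web.config against sections 2.3 and 2.4 of the guide.

Added example, not part of the DELMIA Apriso product or its documentation.
"""
import xml.etree.ElementTree as ET

# Constructed Web.config fragment with three deliberate gaps: the wsHttpBinding has no
# <security> element, httpGetEnabled is still true, and a MEX endpoint remains.
WEB_CONFIG = """<configuration>
  <system.web>
    <webServices>
      <protocols>
        <remove name="Documentation"/>
      </protocols>
    </webServices>
  </system.web>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="BasicSecure">
          <security mode="Transport">
            <transport clientCredentialType="None" />
          </security>
        </binding>
      </basicHttpBinding>
      <wsHttpBinding>
        <binding name="WsPlain" />
      </wsHttpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior name="Default">
          <serviceMetadata httpGetEnabled="true" httpsGetEnabled="false" />
          <serviceDebug includeExceptionDetailInFaults="false" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <services>
      <service name="Example.Service" behaviorConfiguration="Default">
        <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
        <endpoint binding="basicHttpBinding" bindingConfiguration="BasicSecure" contract="Example.IService" />
      </service>
    </services>
  </system.serviceModel>
</configuration>"""

# The three binding sections named in 2.3.
BINDING_SECTIONS = ("basicHttpBinding", "wsHttpBinding", "webHttpBinding")


def _is_true(value):
    # An absent attribute defaults to false, as the guide notes for serviceMetadata/serviceDebug.
    return (value or "false").strip().lower() == "true"


def audit_web_config(xml_text):
    """Return a list of findings; an empty list means every check of 2.3 and 2.4 passes."""
    root = ET.fromstring(xml_text)
    findings = []
    # 2.3: every binding needs <security mode="Transport"><transport clientCredentialType="None"/>.
    for section in BINDING_SECTIONS:
        for container in root.iter(section):
            for binding in container.findall("binding"):
                name = f"{section}/{binding.get('name', '(default)')}"
                security = binding.find("security")
                if security is None or security.get("mode") != "Transport":
                    findings.append(f"{name}: security mode is not Transport")
                    continue
                transport = security.find("transport")
                if transport is None or transport.get("clientCredentialType") != "None":
                    findings.append(f"{name}: transport clientCredentialType is not None")
    # 2.4, ASMX: the Documentation protocol must be removed.
    documentation_removed = any(
        remove.get("name") == "Documentation"
        for protocols in root.iter("protocols") for remove in protocols.findall("remove"))
    if not documentation_removed:
        findings.append("system.web/webServices: Documentation protocol not removed")
    # 2.4, WCF: no metadata over GET, no exception details in faults, no MEX endpoints.
    for meta in root.iter("serviceMetadata"):
        for attr in ("httpGetEnabled", "httpsGetEnabled"):
            if _is_true(meta.get(attr)):
                findings.append(f"serviceMetadata: {attr} is true (WSDL exposed)")
    for debug in root.iter("serviceDebug"):
        if _is_true(debug.get("includeExceptionDetailInFaults")):
            findings.append("serviceDebug: includeExceptionDetailInFaults is true")
    for endpoint in root.iter("endpoint"):
        if endpoint.get("binding") == "mexHttpBinding":
            findings.append(f"MEX endpoint {endpoint.get('address', '')!r} still present")
    return findings


def ensure_transport_security(xml_text):
    """Add the 2.3 <security> element to bindings that have none; returns (new_xml, count).

    A binding that already has a <security> element with another mode is left unchanged
    so that the audit reports it instead of silently rewriting it.
    """
    root = ET.fromstring(xml_text)
    fixed = 0
    for section in BINDING_SECTIONS:
        for container in root.iter(section):
            for binding in container.findall("binding"):
                if binding.find("security") is None:
                    security = ET.SubElement(binding, "security", mode="Transport")
                    ET.SubElement(security, "transport", clientCredentialType="None")
                    fixed += 1
    return ET.tostring(root, encoding="unicode"), fixed
```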

2.5 Protecting Configuration Files


The following configuration files can be opened directly through the HTTP/HTTPS protocol:
CentralConfiguration.xml
ClientApplications.xml
ComponentFactoryConfiguration.xml
DALInventory.xml
DefinitionsMap.xml
DeploymentInfo.xml
ExtensibleAccessControlConfiguration.xml
FlexNetLicense.xml
LoggingConfiguration.xml
MessageSubscriptionMappingConfigurations.xml
RemotedComponents.xml
WebServiceProviders.xml
WcfClientConfiguration.xml
XMLManager_BatchTransactionConfiguration.xml
XMLManager_ExternalSystemConfiguration.xml
XMLManager_HTTPConfiguration.xml
XMLManager_MappingConfiguration.xml
XMLManager_MQSeriesConfiguration.xml
XMLManager_RoutingConfiguration.xml

Access to the files via HTTP/HTTPS can be disabled in the web.config file in the
CentralConfiguration directory by uncommenting the relevant values in the <hiddenSegments>
section.
For more information, refer to Microsoft Docs article related to hidden segments.
Request filtering in IIS must be enabled for this feature to work.
Once the direct access to configuration files via HTTP/HTTPS is turned off, enable the access
to those configuration files via the ConfigurationService.svc WCF service.
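Added example (not DELMIA Apriso code): a Python check of which of the files listed above are still reachable because their <hiddenSegments> entry is absent or commented out, plus a helper that uncomments the entries. It assumes the entries are standard IIS request-filtering <add segment="..."/> elements; the web.config fragment is constructed.

```python
"""Check and enable <hiddenSegments> entries for the DELMIA Apriso configuration files.

Added example, not part of the DELMIA Apriso product or its documentation. Assumption: the
CentralConfiguration web.config hides files with IIS request-filtering <add segment="..."/>
entries, shipped commented out.
"""
import re
import xml.etree.ElementTree as ET

# The configuration files the guide lists as directly reachable over HTTP/HTTPS.
CONFIG_FILES = (
    "CentralConfiguration.xml", "ClientApplications.xml", "ComponentFactoryConfiguration.xml",
    "DALInventory.xml", "DefinitionsMap.xml", "DeploymentInfo.xml",
    "ExtensibleAccessControlConfiguration.xml", "FlexNetLicense.xml", "LoggingConfiguration.xml",
    "MessageSubscriptionMappingConfigurations.xml", "RemotedComponents.xml",
    "WebServiceProviders.xml", "WcfClientConfiguration.xml",
    "XMLManager_BatchTransactionConfiguration.xml", "XMLManager_ExternalSystemConfiguration.xml",
    "XMLManager_HTTPConfiguration.xml", "XMLManager_MappingConfiguration.xml",
    "XMLManager_MQSeriesConfiguration.xml", "XMLManager_RoutingConfiguration.xml",
)

# Constructed web.config fragment: one entry active, two still commented out, the rest absent.
WEB_CONFIG = """<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <hiddenSegments>
          <add segment="CentralConfiguration.xml" />
          <!-- <add segment="WcfClientConfiguration.xml" /> -->
          <!-- <add segment="FlexNetLicense.xml" /> -->
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>"""

# A commented-out <add segment="..."/> entry; group 1 is the element, group 2 the file name.
COMMENTED_ENTRY = re.compile(r'<!--\s*(<add\s+segment="([^"]+)"\s*/>)\s*-->')


def hidden_segments(xml_text):
    """Segments actually in force; comments are invisible to the parser, as they are to IIS."""
    root = ET.fromstring(xml_text)
    return {add.get("segment") for hs in root.iter("hiddenSegments") for add in hs.findall("add")}


def exposed_config_files(xml_text, files=CONFIG_FILES):
    """Configuration files from the list that can still be fetched over HTTP/HTTPS."""
    active = hidden_segments(xml_text)
    return [name for name in files if name not in active]


def uncomment_hidden_segments(xml_text, files=CONFIG_FILES):
    """Uncomment <add segment="..."/> entries for the given files; returns (new_xml, enabled names)."""
    enabled = []

    def replacement(match):
        if match.group(2) in files:
            enabled.append(match.group(2))
            return match.group(1)
        return match.group(0)

    return COMMENTED_ENTRY.sub(replacement, xml_text), enabled
```

Files reported as exposed after uncommenting have no entry at all and need one added by hand; the check only reflects what IIS would enforce once request filtering is enabled.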

2.5.1 Configuring the ConfigurationService.svc WCF Service


To enable access to configuration files with the use of ConfigurationService.svc, change the
configuration file URLs in the following keys in the CentralConfiguration.xml file:

<!--The link to the Remoted Components file on the server. Should be readable by and
accessible to DELMIA Apriso M&M screens.-->

<add key="RemotedComponentConfiguration"
value="${WebRootURL}/CentralConfiguration/ConfigurationService.svc?file=RemotedComponents.xml" />

<!--The link to the WCF Configuration file. Should be readable by and accessible to DELMIA
Apriso M&M screens.-->

<add key="WcfClientConfiguration"
value="${WebRootURL}/CentralConfiguration/ConfigurationService.svc?file=WcfClientConfiguration.xml" />

<!--The default location of the logging configuration file.-->

<add key="ConfigurationLocation"
value="${WebRootURL}/CentralConfiguration/ConfigurationService.svc?file=LoggingConfiguration.xml" />

<!-- Path to the file with the list of client applications and services that can utilize
server-side logic (e.g. FlexNet Maintenance Services). -->

<add key="ClientApplicationsConfiguration"
value="${WebRootURL}/CentralConfiguration/ConfigurationService.svc?file=ClientApplications.xml" />

<!-- This key has been added at 2/8/2018 1:26 AM in Service Pack $[HotFixVersion].
Determines the location of Web Service Providers configuration file. -->

<add key="WebServiceProvidersConfiguration"
value="${WebRootURL}/CentralConfiguration/ConfigurationService.svc?file=WebServiceProviders.xml" />

<!--These settings are for the configuration of the Component Factory framework.-->
<!--The default location of the logging configuration file.-->
<add key="ComponentFactoryConfiguration"
value="${WebRootURL}/CentralConfiguration/ConfigurationService.svc?file=ComponentFactoryConfiguration.xml"/>

<!--Link to the Definitions Map file.-->


<add key="DefinitionsMapUrl"
value="${WebRootURL}/CentralConfiguration/ConfigurationService.svc?file=DefinitionsMapUrl.xml"/>

When using Machine Integrator, update the CentralConfigurationFile key in the appSettings
section, and the ConfigurationLocation key in the FlexNet.SystemServices.LoggingConfig section of
the MachineIntegrator.exe.config file for each Machine Integrator instance:

<appSettings>
<add key="CentralConfigurationFile"
value="http://<server name>/Apriso/CentralConfiguration/ConfigurationService.svc?file=CentralConfiguration.xml" />
[…]
</appSettings>
<FlexNet.SystemServices.LoggingConfig>
<add key="ConfigurationLocation"
value="${WebRootURL}/CentralConfiguration/ConfigurationService.svc?file=LoggingConfiguration.xml"/>
</FlexNet.SystemServices.LoggingConfig>

When the DELMIA Apriso Server is configured to use HTTPS:


1. Edit the web.config file stored in <drive>\Program Files\Dassault Systemes\DELMIA Apriso
2022\Website\CentralConfiguration.
2. Change the default value of bindingConfiguration="HttpSecurity" to
bindingConfiguration="HttpsSecurity".
For example:

<services>
<service behaviorConfiguration="DefaultBehavior"
name="FlexNet.SystemServices.Configuration.ConfigurationService">
<endpoint binding="wsHttpBinding" bindingConfiguration="HttpsSecurity"
contract="FlexNet.SystemServices.Configuration.Common.IConfigurationService" />
</service>
</services>

Additional Settings

Configuration Service with Two Endpoints

Configuration service can be configured to use both HTTPS and HTTP endpoints.

Example

<services>
<service behaviorConfiguration="DefaultBehavior"
name="FlexNet.SystemServices.Configuration.ConfigurationService">
<endpoint binding="wsHttpBinding" bindingConfiguration="HttpSecurity"
contract="FlexNet.SystemServices.Configuration.Common.IConfigurationService" />
<endpoint binding="wsHttpBinding" bindingConfiguration="HttpsSecurity"
contract="FlexNet.SystemServices.Configuration.Common.IConfigurationService" />
</service>
</services>

Configuration Service without SCT

Configuration Service can be configured to not use Security Context Token (SCT):
1. Open the CentralConfiguration.xml found in <drive>\Program Files\Dassault Systemes\DELMIA
Apriso 2022\Website\CentralConfiguration
2. Set the value of EstablishSecurityContext to false.
3. Open the web.config file found in <drive>\Program Files\Dassault Systemes\DELMIA Apriso
2022\Website\CentralConfiguration.
4. Edit the proper bindingConfiguration and set the value of establishSecurityContext to false.

Example

<binding name="HttpsSecurity" closeTimeout="00:02:00" openTimeout="00:02:00"
receiveTimeout="00:10:00" sendTimeout="00:02:00" maxBufferPoolSize="5242880"
maxReceivedMessageSize="5242880">
<readerQuotas maxStringContentLength="5242880" maxArrayLength="32768" />
<security mode="TransportWithMessageCredential">
<message clientCredentialType="UserName" establishSecurityContext="false" />
</security>
</binding>

Best Practice
If the service is on the same server as the DELMIA Apriso server, using the full path to the
configuration files on the hard drive is recommended. To avoid an unnecessary round trip for
the configuration file via IIS (HTTP protocol), override the settings in the application's
configuration file instead of using the ones from the centralconfiguration.xml file.

2.6 Setting Up Database Security


For details on setting up database security, refer to DELMIA Apriso Installation Guide.

2.6.1 Database Users


Roles in DELMIA Apriso important from the database perspective:

Administrator
FlxAdmin (SQL)/flxuser (Oracle) – a user with administrator rights who can manipulate the
database. FlxAdmin/flxuser is used by the following components:
DELMIA Apriso Archiving
DELMIA Apriso Database Upgrader
DELMIA Apriso Global Process Manager

Reader
FlxReader (SQL)/APP_READER_flxuser (Oracle) – a user who can only read data from the
database.
FlxReader is used by Monitoring and Maintenance grids.

Writer
FlxWriter (SQL)/APP_WRITER_flxuser (Oracle) – a user who can read data from and write
data to the database but cannot manipulate the schema of the database (alter, drop, etc.).
FlxWriter is used by the rest of DELMIA Apriso (Machine Integrator, Job Executor/Job
Scheduler, Process Builder, Function Interpreter, and Monitoring and Maintenance screens
except grids, etc.).

2.6.2 Database Behind Firewall


Placing the database behind an additional firewall is recommended. The firewall must be
configured in such way that only the application and the Web server are able to communicate
with it. This adds an additional layer of security to the database.

2.7 Disabling IIS Request Validation


DELMIA Apriso prevents accepting content which includes special characters, e.g. <tag>. The
request validation feature examines the content and determines whether it can be potentially
dangerous. This feature can be disabled, but it is not recommended. To disable request
validation:
1. Edit the web.config file found in <drive>\Program Files\Dassault Systemes\DELMIA Apriso
2022\WebSite\Portal.
2. Set the validateRequest parameter to "false".

<pages controlRenderingCompatibilityVersion="4.0" validateRequest="false">

3. Set the requestValidationMode parameter to "2.0".

<httpRuntime executionTimeout="600" useFullyQualifiedRedirectUrl="true"
requestValidationMode="2.0"/>

3 Password and Login Policy


3.1 Overview
Through the Central Configuration file, DELMIA Apriso password rules and the system’s
behavior in different login scenarios can be customized. The password complexity, the
password validity period, and the number of invalid login attempts before the account is locked
can be defined.
The password structure rules and how long the account is locked if the number of consecutive
unsuccessful login attempts reaches a certain value can also be defined. All these rules must
be initially set during the installation, but they can also be changed in the functioning
application.

3.2 Configuration
The system-wide security settings for the DELMIA Apriso Portal are configured using the keys
located in the “SystemServices.Security” section of the Central Configuration:
AllowMultipleLogin
AccountLockoutThreshold
AccountLockoutResetDuration
AccountLockoutDuration
CodeAccountLockoutThreshold
PasswordExpirationNotification
MaximumPasswordAge
PasswordHistory
MinimumPasswordAge
MinimumPasswordLength
PasswordComplexityRule
PasswordCanIncludeUserData
LoginWithEmployeeNo
AllowRememberPassword

For detailed information on each key, refer to the Central Configuration Documentation.
Changing a password is allowed only when an employee is authenticated using a DELMIA
Apriso login/password. In other cases, DELMIA Apriso does not support the password
changing features.

3.3 Configuring Password Encryption Strength


3.3.1 Overview
DELMIA Apriso encrypts all user passwords using a complex multi-pass algorithm.
Passwords are stored in the database in hashed format. When the user logs in, the hashing
algorithm hashes the provided password on the fly and compares the result with the one
stored in the database.
Depending on the hardware configuration, the computational complexity of the password
hashing process may present a significant load on the system resources. In effect, the login
procedure may take longer than expected.
The number of passes used by the password hashing algorithm can be adjusted for the best
compromise between performance and security.

3.3.2 Configuration
To configure the number of passes used by the password hashing algorithm:
1. Add the DatabaseEncryptedPasswordStrength key in the FlexNet.SystemServices.Security section
of the Central Configuration.xml.

<FlexNet.SystemServices.Security>
[...]
<add key="DatabaseEncryptedPasswordStrength" value="10" />
[...]
</FlexNet.SystemServices.Security>

The value parameter corresponds to the number of passes to be used. The default value is 10
and the accepted range is 4-31.

By default, the DatabaseEncryptedPasswordStrength key is not present in the
CentralConfiguration.xml file. Add it to change the default number of passes used by the
password hashing algorithm.

3.4 Configuring Session Timeout


3.4.1 Overview
DELMIA Apriso keeps track of all the user sessions, which enables the maintenance of
information about employees currently logged in, equipment being used, etc. The session
data is stored in a dedicated repository on the server. A DELMIA Apriso session is
independent from the ASP.NET session that runs when working with DELMIA Apriso through
the browser.

3.4.2 Configuration
The session timeout key is located in the FlexNet.SystemServices.Security section of the
CentralConfiguration.xml.

<FlexNet.SystemServices.Security>
<add key="PortalSessionTimeout" value="60" />
<add key="ProcessBuilderSessionTimeout" value="480" />
<add key="UserSessionCacheItemExpirationSpan" value="10" />
[...]
</FlexNet.SystemServices.Security>

Parameter Name: Description

PortalSessionTimeout: The session period after which the user is automatically logged out of the
DELMIA Apriso Desktop Client and DELMIA Apriso Portal. The value entered must be an integer
expressing the number of minutes the user has to be inactive for his/her session to expire.
The default value is 60 minutes. Once the session expires, the user is redirected to the login
screen.
    Additionally, the same value as PortalSessionTimeout must be set for the authentication and
    sessionState sections in the system.web section of the web.config file of the DELMIA Apriso
    Portal.
    If the session expires in DELMIA Apriso Portal, all unsaved data is lost and all operations
    are closed.
    If the session expires in DELMIA Apriso Desktop Client and the user logs back in with the
    same credentials, the session is continued and all data entered in the screens and
    operations is preserved.

ProcessBuilderSessionTimeout: The session period after which the user is automatically logged
out of the DELMIA Apriso Process Builder. For details, refer to the Process Builder Help.

UserSessionCacheItemExpirationSpan: The cache refresh period for the user session. The default
value is 10 minutes.

4 User Authentication
4.1 Overview
The DELMIA Apriso Portal is protected from unauthorized access with one, application-wide
security mechanism. This mechanism authenticates legitimate users based on several possible
identity storage policies.

4.2 User Authentication Modes

DELMIA Apriso supports various user authentication modes. It contains several built-in modes
and an extensibility mechanism that allows building custom authentications.
Currently supported methods:
Standard authentication
Swipe authentication
LDAP authentication
Windows authentication
Query string authentication
3DPassport authentication
Custom authentication
Several of these methods can operate simultaneously, which lets users log in to the system in
the most convenient way.
Authentication methods:

Standard: Authenticates employees using a login and password combination stored in the
DELMIA Apriso system. This is the default authentication method.

Swipe: Authenticates employees using only their employee number (without the need to provide
a password). This can be used on hardware security devices (like access card readers) that
scan the user’s identity.

LDAP: Authenticates employees using Lightweight Directory Access Protocol. The login and
password are stored in an external LDAP directory.

Windows: Authenticates employees using their Windows Active Directory Domain accounts. Users
that are logged into a Windows Domain do not need to provide a login or password, as they are
automatically retrieved from the system.
    Windows authentication cannot be used together with 3DPassport authentication.

Query String: Authenticates employees based on encrypted credentials passed in a query string
from a third-party application or other DELMIA Apriso instance.

3DPassport: Allows users who have a 3DPassport account to use DELMIA Apriso and the single
sign-on (SSO) feature.
    Currently only DELMIA Apriso Portal, DELMIA Apriso Desktop Client, DELMIA Apriso Process
    Builder, DELMIA Apriso MPI Excel Add-In, and DELMIA Apriso Mobile Apps support
    authentication with 3DPassport. Other desktop applications such as DELMIA Apriso Global
    Process Manager do not support 3DPassport and users need to use other authentication modes
    to access them.
    3DPassport authentication cannot be used together with Windows authentication.

Custom: Allows for employee authentication based on any custom scenario. This may include
utilizing other authentication engines or retrieving user contexts from other systems (like
company Portals). This feature requires the custom coding of components that are responsible
for user context retrieval or validation.

The DELMIA Apriso authentication configuration is done through the proper adjustment of
settings stored in the DELMIA Apriso Central Configuration file, which is by default located in:
<drive>\Program Files\Dassault Systemes\DELMIA Apriso
2022\Website\CentralConfiguration\CentralConfiguration.xml.

The FlexNet.SystemServices.Security section is responsible for security settings. It
encompasses configuring authentication methods and management of the whole
authentication process.
The authentication methods supported by user interfaces:

Authentication Type Web Browser Mobile App


Standard
LDAP
Windows Integrated

Swipe
Query String
3DPassport

Custom

LDAP authentication on tablets and smartphones is possible only with the use of the
dedicated DELMIA Apriso Mobile App. For details, refer to the Mobile Apps
Implementation Guide.

4.2.1 Rules of Authentication

The rules and dependencies that exist between different types of authorization:

Windows authorization
    Forms Authentication enabled: Error and redirect to the standard login (silent login not
    supported).
    Windows Authentication enabled: Credentials taken from the context, verified against the
    ExternalLogin field. In the case of a verification error (invalid user), redirect to the
    standard login.

Standard authorization
    Forms Authentication enabled: Asks for the user name and the password and verifies
    against the DELMIA Apriso credentials.
    Windows Authentication enabled: Asks for the user name and the password, and searches by
    the login name. If found, then verifies the DELMIA Apriso password or the LDAP password
    (based on StandardAuthenticationMode). Validates the given credentials against the Active
    Directory (AD). If validated, then attempts to log in using ExternalLogin.

Business Control authorization
    Forms Authentication enabled: Asks for the user name and the password and verifies
    against the DELMIA Apriso credentials.
    Windows Authentication enabled: Asks for the user name and the password, and searches by
    the login name. If found, then verifies the DELMIA Apriso password or the LDAP password
    (based on StandardAuthenticationMode). Validates the given credentials against the AD. If
    validated, then attempts to log in using ExternalLogin.

Windows and forms authentication modes cannot be used simultaneously due to IIS
limitations.

Windows authentication works only in combination with standard authorization. To use it, the
following conditions must be met:
The user logs in to the domain account that has access to the IIS folder to open the
standard login page.
If the browser does not support SSO, valid credentials must be provided in the pop-up
window that gives access to the standard login page.

Windows authentication may not work with mobile devices, or may require a double
entry of credentials.

Mobile clients (e.g., DELMIA Apriso for iOS) support only one authorization mode at a
time.

4.2.2 Standard Authentication

Overview
Default authentication method. In standard authentication, users must provide a login name
(EMPLOYEE.LoginName) or employee number (EMPLOYEE.EmployeeNo) and their
password. The system validates the credentials against the employee list and the password
list stored in the DELMIA Apriso database. The employee number is checked only when the
appropriate setting is enabled in the Central Configuration (for details, see 3.2 Configuration)
and when the login name was not found.
The user and password maintenance occurs inside DELMIA Apriso and is managed by
DELMIA Apriso security policies.
Use the standard authentication when no other company-wide authentication system is
available.

Configuration
To enable authentication based on DELMIA Apriso accounts, set the
StandardAuthenticationMode key to “Standard” in the FlexNet.SystemServices.Security section of
the CentralConfiguration.xml.

<add key="StandardAuthenticationMode" value="Standard"/>

Default FORMS Authentication Settings

To roll back from any type of authentication to forms, make sure the keys in the
“SystemServices.Security” section of the Central Configuration are set as follows:

<add key="StandardAuthenticationMode" value="Standard" />
<add key="LDAPAuthenticationType" value="Secure" />
<add key="SwipeAuthentication" value="Disabled" />
<add key="QueryStringAuthentication" value="Enabled" />
<add key="SAPSSOAuthentication" value="Disabled" />
<add key="WindowsSSOAuthentication" value="Disabled" />
<add key="3DPassportAuthentication" value="Disabled" />
<add key="FullADIntegration" value="Disabled" />

For more information on each key, see Central Configuration Documentation.
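As an added example (not part of the product or of this guide), the following Python script reads the FlexNet.SystemServices.Security section of a CentralConfiguration.xml and checks the keys from sections 3.3, 3.4 and 4.2 against the rules stated there: the 4-31 range of DatabaseEncryptedPasswordStrength, integer session timeouts that must match the Portal web.config, the Windows/3DPassport exclusion, the LDAP SSL port, and the FQDN requirement for 3DPassportServiceName. Both XML fragments are constructed sample input; the expectation that SwipeAuthentication is paired with LoginSwipeRequiredRole is a hardening recommendation of this example, not a product requirement.

```python
# Audit the DELMIA Apriso security keys described in this guide (added example:
# reimplements the documented rules; not DELMIA Apriso code).
import xml.etree.ElementTree as ET

SECURITY_SECTION = "FlexNet.SystemServices.Security"

# Constructed sample of CentralConfiguration.xml (deliberately misconfigured).
CENTRAL_CONFIG = """<configuration>
  <FlexNet.SystemServices.Security>
    <add key="DatabaseEncryptedPasswordStrength" value="3" />
    <add key="PortalSessionTimeout" value="60" />
    <add key="StandardAuthenticationMode" value="Standard" />
    <add key="SwipeAuthentication" value="Enabled" />
    <add key="WindowsSSOAuthentication" value="Enabled" />
    <add key="3DPassportAuthentication" value="Enabled" />
  </FlexNet.SystemServices.Security>
</configuration>"""

# Constructed sample of the Portal web.config system.web section.
WEB_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" timeout="30" />
    </authentication>
    <sessionState timeout="60" />
  </system.web>
</configuration>"""

def read_security_keys(xml_text):
    """Return the key/value pairs of the FlexNet.SystemServices.Security section."""
    root = ET.fromstring(xml_text)
    section = next(root.iter(SECURITY_SECTION), None)
    if section is None:
        raise ValueError("%s section not found" % SECURITY_SECTION)
    return {e.get("key"): e.get("value", "") for e in section.findall("add")}

def _is_enabled(keys, name):
    return keys.get(name, "Disabled").strip().lower() == "enabled"

def _check_int_range(findings, keys, name, low, high):
    """Flag a key whose value is not an integer in [low, high]; an absent key is fine."""
    raw = keys.get(name)
    if raw is None:
        return
    text = raw.strip()
    if not text.lstrip("-").isdigit() or not low <= int(text) <= high:
        findings.append("%s=%r is not an integer in the accepted range %d-%d"
                        % (name, raw, low, high))

def audit_central_config(keys):
    """Return the list of rule violations found (an empty list means none)."""
    findings = []
    # 3.3: number of hashing passes, default 10, accepted range 4-31.
    _check_int_range(findings, keys, "DatabaseEncryptedPasswordStrength", 4, 31)
    # 3.4: session timeouts are whole numbers of minutes.
    for name in ("PortalSessionTimeout", "ProcessBuilderSessionTimeout",
                 "UserSessionCacheItemExpirationSpan"):
        _check_int_range(findings, keys, name, 1, 365 * 24 * 60)
    # 4.2.2 / 4.2.3: Standard and LDAP are the two values of this key.
    mode = keys.get("StandardAuthenticationMode", "Standard").strip()
    if mode not in ("Standard", "LDAP"):
        findings.append("StandardAuthenticationMode=%r is neither Standard nor LDAP" % mode)
    # 4.2.3: the SSL port (636 by default) is appended to use LDAP over SSL.
    server = keys.get("LDAPServer", "").strip()
    if mode == "LDAP" and not server.endswith(":636"):
        findings.append("LDAPServer=%r does not use the LDAP-over-SSL port 636" % server)
    # 4.2: Windows and 3DPassport authentication cannot be used together.
    if _is_enabled(keys, "WindowsSSOAuthentication") and _is_enabled(keys, "3DPassportAuthentication"):
        findings.append("WindowsSSOAuthentication and 3DPassportAuthentication are both Enabled")
    # 4.2.5: swipe login should stay disabled unless required; this example additionally
    # expects it to be restricted to Roles through LoginSwipeRequiredRole (recommendation).
    if _is_enabled(keys, "SwipeAuthentication") and not keys.get("LoginSwipeRequiredRole", "").strip():
        findings.append("SwipeAuthentication is Enabled without LoginSwipeRequiredRole")
    # 4.2.6: 3DPassportServiceName must be a fully qualified domain name.
    if _is_enabled(keys, "3DPassportAuthentication"):
        host = keys.get("3DPassportServiceName", "").split("://")[-1].split("/")[0].split(":")[0]
        if "." not in host:
            findings.append("3DPassportServiceName=%r is not a fully qualified domain name" % host)
    return findings

def audit_session_timeouts(keys, web_config_text):
    """3.4: the web.config forms and sessionState timeouts must equal PortalSessionTimeout."""
    findings = []
    portal = keys.get("PortalSessionTimeout", "60").strip()
    root = ET.fromstring(web_config_text)
    for label, elem in (("authentication/forms", root.find(".//forms")),
                        ("sessionState", root.find(".//sessionState"))):
        value = elem.get("timeout") if elem is not None else None
        if value != portal:
            findings.append("web.config %s timeout=%r differs from PortalSessionTimeout=%r"
                            % (label, value, portal))
    return findings

if __name__ == "__main__":
    keys = read_security_keys(CENTRAL_CONFIG)
    for finding in audit_central_config(keys) + audit_session_timeouts(keys, WEB_CONFIG):
        print("FINDING:", finding)
```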


Default IIS settings for the DELMIA Apriso application, kiosk, and Login.aspx:

Figure 15 Default IIS settings

4.2.3 LDAP Integrated Authentication

Overview
LDAP is a standard protocol used to access the objects stored in directories. Use LDAP
authentication when an electronic directory exists, which contains the company structure with
a list of employees and is accessible through the LDAP protocol.
LDAP authentication assumes that user accounts are maintained in an external LDAP-based
directory. DELMIA Apriso asks users for a login name and password, but validates the
credentials against the LDAP directory. If the user provided a login and a password that are
successfully validated by the LDAP server, then DELMIA Apriso checks if that particular LDAP
user has access to DELMIA Apriso. If access is granted, then the user is logged in using a
corresponding DELMIA Apriso employee account.
All security accounts and password maintenance are managed by a third-party directory
server (e.g., Microsoft Active Directory, Novell eDirectory). DELMIA Apriso only keeps a list of
users (who can access DELMIA Apriso) that are mapped to the accounts defined in the
directory server.

The standard and LDAP authentication modes are mutually exclusive. All other modes
are independent (can coexist with one another).

Prerequisites
A customer’s infrastructure must run a server with directory service accessible through the
LDAP protocol. Additionally, employees need to have their LDAP usernames mapped in the
DELMIA Apriso database (as described in Mapping LDAP Usernames).

Configuration
To enable LDAP authentication:
1. Modify entries in the FlexNet.SystemServices.Security section of the CentralConfiguration.xml
file.
2. Set StandardAuthenticationMode to "LDAP".
3. In the LDAPServer entry, provide the path to the LDAP server that contains the directory of
the users (by name or IP address). For example:
LDAP://ldapServer1
LDAP://192.168.0.255:389
4. To enable the LDAP connection over SSL, append the port number configured for SSL on the
LDAP server to the path of the LDAP server. The default port value is 636. For example:
LDAP://ldapServer1:636
LDAP://192.168.0.255:636
5. Edit the LDAPDomain entry by adding the {username} macro where the actual user-entered
login name is to be inserted by the system.
This setting defines the LDAP query that will be executed to validate the login and
password provided by the user. The content of the query depends on the LDAP server type
and configuration and should be provided by the local LDAP Server Administrator. For
example:
DOMAIN\{username}
cn={username},o=OrganizationName
6. Set the authentication request type executed by DELMIA Apriso in the
LDAPAuthenticationType entry. Possible values:
Secure (for Windows servers)
SecureSocketsLayer (for Novell servers)

For a detailed description of LDAP authentication types, refer to the Microsoft Docs
article about authentication types.

Advanced LDAP options:

Setting: Description

LDAPApplicationUser: The name of a generic user with the proper rights to access an LDAP
server in order to compare the user attempting login with the users stored by LDAP.

LDAPApplicationPassword: The password for the LDAPApplicationUser.

LDAPUserQuery: The LDAP attribute used to match the user. For example: mail, employeeID.

LDAPAuthorizationFilter: Enables specifying a user group as additional authorization. To do
this, specify the group details:
cn=FlexNetUsers,ou=groups,ou=system

For custom use of LDAPUserQuery and LDAPAuthorizationFilter, refer to the Custom
Configuration section below.

An example of a properly configured LDAP authentication (using Windows Active Directory as
the LDAP server):

<add key="StandardAuthenticationMode" value="LDAP"/>
<add key="LDAPServer" value="LDAP://ADMIN01"/>
<add key="LDAPDomain" value="COMPANYDOMAIN\{username}"/>
<add key="LDAPAuthenticationType" value="Secure"/>

An example of a properly configured advanced LDAP authentication (using Windows Active
Directory as the LDAP server):

<add key="StandardAuthenticationMode" value="LDAP"/>
<add key="LDAPServer" value="LDAP://ADMIN01"/>
<add key="LDAPDomain" value=""/>
<add key="LDAPAuthenticationType" value="Secure"/>
<add key="LDAPApplicationUser" value="FlexNet" />
<add key="LDAPApplicationPassword" value="FlexNet_S3cur3_p@ssword" />
<add key="LDAPUserQuery" value="mail" />
<add key="LDAPAuthorizationFilter" value="FlexNetUsers,ou=groups,ou=system" />

Custom Configuration

In the LDAPUserQuery and LDAPAuthorizationFilter fields, custom LDAP filters can be
added. If the value begins with a parenthesis ("("), it is treated as a custom LDAP query and it
overrides the default DELMIA Apriso query.
As an alternative to providing an attribute in the LDAPUserQuery field, a full LDAP query can
be specified that uses {userName} as a placeholder for the employee name/badge.
Default query: (&amp;(objectClass=user)(sAMAccountName={userName})).
The standard query for the authorization filter uses the memberOf attribute. To specify more
than one group, use memberOf attributes in addition to a full query from LDAPUserQuery. For
example:
(&amp;(objectClass=user)(sAMAccountName={userName})(|
(memberOf=cn=FlexNetUsers,ou=groups,ou=system)
(memberOf=cn=Administrators,ou=groups,ou=system)))

To use an authorization filter other than memberOf, use a different attribute supported by your
LDAP in addition to LDAPUserQuery, and the standard query will be overridden. For example:
(&amp;(objectClass=user)(sAMAccountName={userName})(employeeType=FlexNetUser))
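As an added example (not DELMIA Apriso's own implementation), the following Python functions apply the rules above to produce the search filter for a given login name: an attribute name in LDAPUserQuery replaces sAMAccountName in the default query, a value starting with "(" is used as-is, and LDAPAuthorizationFilter is wrapped in memberOf unless it is itself a filter. Escaping the login name per RFC 4515 and ANDing the two settings are choices of this example that the guide does not describe; the filters are written as plain text here, whereas in CentralConfiguration.xml the ampersand must appear as &amp;.

```python
# Build the effective LDAP query from LDAPUserQuery and LDAPAuthorizationFilter
# (added example reproducing the documented rules; not DELMIA Apriso code).

DEFAULT_USER_QUERY = "(&(objectClass=user)(sAMAccountName={userName}))"


def escape_filter_value(value):
    """Escape LDAP filter metacharacters (RFC 4515) so that a login name is matched
    literally rather than interpreted as part of the filter (assumption of this example:
    the guide does not state how {userName} is escaped)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def build_user_query(ldap_user_query, user_name):
    """LDAPUserQuery is either an attribute name (mail, employeeID, ...) that replaces
    sAMAccountName in the default query, or a full filter when it starts with '('."""
    query = ldap_user_query.strip()
    if query.startswith("("):
        template = query  # custom filter overrides the default query
    elif query:
        template = "(&(objectClass=user)(%s={userName}))" % query
    else:
        template = DEFAULT_USER_QUERY
    return template.replace("{userName}", escape_filter_value(user_name))


def build_authorization_filter(ldap_authorization_filter):
    """LDAPAuthorizationFilter is a group DN checked through memberOf, or a custom
    filter when it starts with '('. Returns None when no filter is configured."""
    value = ldap_authorization_filter.strip()
    if not value:
        return None
    if value.startswith("("):
        return value
    return "(memberOf=%s)" % value


def effective_filter(ldap_user_query, ldap_authorization_filter, user_name):
    """Combine both settings into one search filter (ANDed, an assumption of this example)."""
    user_query = build_user_query(ldap_user_query, user_name)
    auth_filter = build_authorization_filter(ldap_authorization_filter)
    if auth_filter is None:
        return user_query
    return "(&%s%s)" % (user_query, auth_filter)


def is_balanced(ldap_filter):
    """Check that every '(' in a hand-written filter has a matching ')'; an unbalanced
    filter is rejected by the directory server and every login then fails."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    # Constructed sample values mirroring the advanced configuration in this section.
    print(effective_filter("mail", "cn=FlexNetUsers,ou=groups,ou=system", "jdoe@example.com"))
    print(build_user_query("", "a*b"))  # the wildcard is escaped to \2a
```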

Mapping LDAP Usernames

For authentication of users in DELMIA Apriso with external credentials, a link between
external accounts (in this case, the LDAP user accounts) and the corresponding DELMIA
Apriso accounts must be created. This makes it possible to recognize users that do not belong
to the DELMIA Apriso system. Linking is done through the definition of an external login name
for DELMIA Apriso user accounts, which must contain the valid username of the external
system’s account. Once the external login name is supplied, a user is considered to be a
member of a third-party system with the right to access the DELMIA Apriso Portal.
To link an LDAP account with a DELMIA Apriso account:
1. Navigate to the Employee Maintenance screen in the ADC.
2. Select the employee you want to edit and click (Properties).
3. Go to the Login tab.
4. Enter the username of the LDAP account in the External Login Name field.
5. Save the changes.

From now on, DELMIA Apriso will be able to authenticate the LDAP user as long as the
correct LDAP password is entered.

Figure 16 Configuring the LDAP account in Employee properties

The DELMIA Apriso database can store information about only one external
login/username. Therefore, only one of the following methods can work at a given time:
LDAP or Windows Integrated.

Possible Extension (Custom Credentials Validation)

A standard LDAP authentication flow can be customized by providing custom code for the
user credentials (username and password) validation. This enables implementing user
credentials validation against any third-party infrastructure. A standard LDAP-based
credentials validator can be replaced using the ComponentFactory framework with a custom
one that implements the FlexNet.SystemServices.Security.ILDAPUserValidator interface defined in
the FlexNet.SystemServices.dll assembly.

public interface ILDAPUserValidator
{
    Outcome ValidateUser(string userName, string password);
}

In previous versions, bool was used instead of Outcome, so old components may need to
be modified.

4.2.4 Windows Integrated Authentication

Overview
Windows Integrated authentication enables “silent authentication” (without asking a user for
credentials). User information is retrieved by DELMIA Apriso automatically from the operating
system, based on the user login to a Windows Domain.
This method of authentication does not require providing any additional information. A user
logged onto a Windows domain can enter the DELMIA Apriso Portal automatically by entering
the desired URL in the browser. This authentication is also called single sign-on (SSO).
Windows Integrated authentication can be extended to full AD integration, which allows
synchronizing Roles and accounts (for more details, see 4.3 Full Active Directory Integration).

Prerequisites
DELMIA Apriso must be installed in an environment where all the DELMIA Apriso users have
corresponding Windows accounts and are logged onto the Windows Domain when entering
DELMIA Apriso. Additionally, employees must have their domain usernames mapped in the
DELMIA Apriso database.
To link a Windows account to a DELMIA Apriso account:
1. Navigate to the Employee editor screen via Employee Maintenance in the
DELMIA Apriso Desktop Client.
2. Enter <COMPANYDOMAIN>\<username> for the Windows account in the External Login Name
field.

Replace all the values enclosed in angle brackets (“< >”) with real existing values.

Configuration
To set up Windows Integrated authentication:
1. In the Central Configuration file, edit the "WindowsSSOAuthentication" key located in the
"FlexNet.SystemServices.Security" section to enable Windows Integrated authentication.
2. Go to IIS Manager.

3. Click the Portal Web folder and open Authentication.
4. In Authentication, disable Forms Authentication and enable Windows Authentication.

Figure 17 Portal folder configuration

5. In IIS Manager, expand the Portal Web folder, click Kiosk, and open Authentication.
6. In Authentication, disable the Anonymous Authentication option.
7. Ensure that Windows Authentication is enabled.

Figure 18 Kiosk folder configuration

Make sure that all the files in the Kiosk directory have Anonymous Authentication
disabled when using Windows authentication.

8. Comment and uncomment proper sections in the web.config file found in <drive>\Program
Files\Dassault Systemes\DELMIA Apriso 2022\WebSite\Portal\Sts\ depending on the used
protocol.
For HTTP:
a. Uncomment the line for HTTP with the enabled Windows Authentication.

<!-- HTTP, Integrated Windows Authentication = enabled -->

<endpoint
behaviorConfiguration="FlexNetEndPointBehaviorConfiguration"
binding="webHttpBinding"
bindingConfiguration="StsBindingConf_WI"
contract="FlexNet.Portal.WebUI.Portal.Sts.ITokenController">
</endpoint>

b. Comment the lines for HTTP with the disabled Windows Authentication and for HTTPS.
<!-- HTTP, Integrated Windows Authentication = disabled -->

<!--endpoint
behaviorConfiguration="FlexNetEndPointBehaviorConfiguration"
binding="webHttpBinding"
bindingConfiguration="StsBindingConf"
contract="FlexNet.Portal.WebUI.Portal.Sts.ITokenController">
</endpoint-->

<!-- HTTPS, Integrated Windows Authentication = disabled -->

<!--endpoint
behaviorConfiguration="FlexNetEndPointBehaviorConfiguration"
binding="webHttpBinding"
bindingConfiguration="StsBindingConf_SSL"
contract="FlexNet.Portal.WebUI.Portal.Sts.ITokenController">
</endpoint-->

<!-- HTTPS, Integrated Windows Authentication = enabled -->

<!--endpoint
behaviorConfiguration="FlexNetEndPointBehaviorConfiguration"
binding="webHttpBinding"
bindingConfiguration="StsBindingConf_SSL_WI"
contract="FlexNet.Portal.WebUI.Portal.Sts.ITokenController">
</endpoint-->

For HTTPS:
a. Uncomment the line for HTTPS with the enabled Windows Authentication.
<!-- HTTPS, Integrated Windows Authentication = enabled -->

<endpoint
behaviorConfiguration="FlexNetEndPointBehaviorConfiguration"
binding="webHttpBinding"
bindingConfiguration="StsBindingConf_SSL_WI"
contract="FlexNet.Portal.WebUI.Portal.Sts.ITokenController">
</endpoint>

b. Comment the lines for HTTPS with the disabled Windows Authentication and for HTTP.

<!-- HTTP, Integrated Windows Authentication = disabled -->

<!--endpoint
behaviorConfiguration="FlexNetEndPointBehaviorConfiguration"
binding="webHttpBinding"
bindingConfiguration="StsBindingConf"
contract="FlexNet.Portal.WebUI.Portal.Sts.ITokenController">
</endpoint-->

<!-- HTTP, Integrated Windows Authentication = enabled -->

<!--endpoint
behaviorConfiguration="FlexNetEndPointBehaviorConfiguration"
binding="webHttpBinding"
bindingConfiguration="StsBindingConf_WI"
contract="FlexNet.Portal.WebUI.Portal.Sts.ITokenController">
</endpoint-->

<!-- HTTPS, Integrated Windows Authentication = disabled -->

<!--endpoint
behaviorConfiguration="FlexNetEndPointBehaviorConfiguration"
binding="webHttpBinding"
bindingConfiguration="StsBindingConf_SSL"
contract="FlexNet.Portal.WebUI.Portal.Sts.ITokenController">
</endpoint-->

9. Restart DELMIA Apriso services.

Client-side Browser Settings

Internet Options

Make sure the following settings are configured (default settings):

Global setting – Enable Integrated Windows Authentication:

Per zone setting – Automatic logon only in Intranet zone:

The DELMIA Apriso server should be placed in the Intranet or Trusted Sites zone in the
browser configuration settings on each client.

Google Chrome & Microsoft Edge

The browsers automatically apply the settings used in Internet Options. It is therefore
necessary to configure Internet Options as described above.

Mozilla Firefox

To configure Mozilla Firefox:

1. Open Mozilla Firefox and type about:config in the address bar.
2. Search for network.automatic-ntlm-auth.trusted-uris in the search box.
3. Add DELMIA Apriso server URL as the NTLM trusted site.
4. Restart Mozilla Firefox.

Connectivity Issues and Disabling the Negotiate Protocol

In a highly restrictive network security configuration, there may be connectivity issues, such as
ports being blocked.
In the IIS Manager for DELMIA Apriso, under Windows Authentication, disabling the
Negotiate option in the Providers dialog box can resolve such connectivity issues. This is not
a recommended solution and should be applied only in justifiable cases.

When the Negotiate option is disabled, the DELMIA Apriso mobile app for Android devices
will not function.

When logging in to the DELMIA Apriso Portal with Integrated Windows Authentication,
a sign-in pop-up can appear as a result of a third-party issue. Cancel that pop-up.

4.2.5 Swipe Authentication

Overview
Swipe authentication enables user authentication based on login name only. This option is
useful when users log into DELMIA Apriso through the use of hardware that allows for the
secure scanning of security credentials from authorization cards or chips. This option should
be disabled unless it is required and used.

Configuration
To enable Swipe Authentication:
1. Edit the CentralConfiguration.xml file.
2. Find the SwipeAuthentication key in the “SystemServices.Security” section.
3. Change the value of SwipeAuthentication key to Enabled.
LoginSwipeRequiredRole key can be used to restrict Swipe Authentication only to user Roles
indicated by the key. If no value is entered, then the functionality remains disabled.
The following login page is dedicated for swipe authentication:
http://<Server Name>/Apriso/Portal/Kiosk/LoginSwipe.aspx

To use External Login Name with Swipe authentication, add the ExternalLoginName parameter
to the login page URL.

4.2.6 3DPassport Authentication

Overview
3DPassport authentication allows users who have 3DPassport to access DELMIA Apriso.
Users already authenticated with 3DPassport in other applications can get immediate access
(with an SSO experience). New users are redirected to the 3DPassport logon service for the
validation of their credentials. Based on the 3DPassport user ID, DELMIA Apriso maps the
user to the related employee record in DELMIA Apriso.
The scenarios below describe the 3DPassport authentication functionality:

The user is already authenticated with the 3DPassport platform and wants to access
DELMIA Apriso or launch a 3DExperience widget with a DELMIA Apriso FlexPart.
Before rendering content, DELMIA Apriso performs a request to the CAS server to get the
3DPassport user info, and then it tries to map the user to the DELMIA Apriso user (via the
External Login Name field). Following this, the user will have access to DELMIA Apriso.

To automatically skip the authentication method screen when accessing DELMIA
Apriso, the AuthMode=3DPassport parameter must be added in every web page
reader widget that points to the DELMIA Apriso URL.

The user is not yet authenticated by 3DPassport and wants to access DELMIA
Apriso by selecting a 3DPassport logon method.
The browser makes an HTTP redirect to the 3DPassport login page. If the user provides
valid credentials, then he or she is mapped to the existing DELMIA Apriso user (via the
External Login Name field) or a new user is created. Following this, the user has access to
DELMIA Apriso.

In both scenarios, if the 3DPassport user cannot be mapped to an existing DELMIA Apriso
employee (via the External Login Name field), then DELMIA Apriso automatically creates a
new employee entry for the user. In such a case, the existing employee record is copied from
the employee (the 3DPassportTemplateEmployeeNo setting configured in the Central Configuration)
with all of the related settings (e.g., Roles, Work Centers, skills). The user does not have to
provide any additional information and is automatically granted access to DELMIA Apriso. As
DELMIA Apriso cannot get the list of Roles from 3DPassport, all of the Roles are the same
(taken from the template user).

Integration of 3DPassport and DELMIA Apriso in a scenario when 3DPassport is
exposed as a service in a public cloud and DELMIA Apriso is available only in a local
network (that is, not resolved by the public service) is not supported.

Currently only DELMIA Apriso Portal, DELMIA Apriso Desktop Client, DELMIA Apriso
Process Builder, DELMIA Apriso MPI Excel Add-In, and DELMIA Apriso Mobile Apps
support authentication with 3DPassport. Other desktop applications such as DELMIA
Apriso Global Process Manager do not support 3DPassport and users need to use
other authentication modes to access them.

Prerequisites
3DPassport authentication requires HTTPS protocol to be enabled on DELMIA Apriso server.

Configuration

CentralConfiguration.xml

The following keys must be modified in the SystemServices.Security section of the
CentralConfiguration.xml file to enable 3DPassport authentication:

Key: Description

3DPassportAuthentication: Enables/disables 3DPassport authentication.

3DPassportTemplateEmployeeNo: The EmployeeNo of the employee that will be used as a
template for a newly created user.
    The new Employee's password (which can be used in Standard Authentication mode) is set
    to the GUID generated at the time of Employee creation.

3DPassportCustomizationOperationCode: The name of the Operation used when additional
customization is needed. Using the built-in Flx_CustomizeEmployee Operation (the EmployeeId
Input is passed in the Operation) is recommended.

Perform3DPassportLogout: Indicates if 3DPassport logout will be performed when logging out
of DELMIA Apriso Portal.

3DPassportLoginUrl: The URL of the 3DPassport CAS server login action. For example:
"http://example.com/cas/login"

3DPassportUrlPrefix: The prefix of the 3DPassport CAS server. For example:
"http://example.com/cas/"

3DPassportServiceName: The address of the service that the 3DPassport CAS server redirects
to after successful login. This is used to generate the URLs that will be sent to the
3DPassport CAS server for redirection. The 3DPassport CAS server must be able to resolve
the host name. The 3DPassportServiceName setting must be a Fully Qualified Domain Name.

Web.config

When the CentralConfiguration.xml file is set up according to the instructions above,
the Web.config file does not require any action. The instructions below can be useful in
non-standard configuration.

Add the following sections to the Web.config file (<drive>\Program Files\Dassault Systemes\DELMIA
Apriso 2022\WebSite\Portal):

Define the CasClientConfig configuration (the name of the service to which you want to
connect):

<section name="casClientConfig"
type="DotNetCasClient.Configuration.CasClientConfiguration, DotNetCasClient" />

Provide the CAS-specific configuration parameters:

<casClientConfig
casServerLoginUrl="https://casServiceName/cas/login"
casServerUrlPrefix="https://casServiceName/cas/"
serverName="https://<your server>.<your domain>.com"
notAuthorizedUrl="~/NotAuthorized.aspx"
cookiesRequiredUrl="~/CookiesRequired.aspx"
redirectAfterValidation="true"
gateway="false"
renew="false"
singleSignOut="true"
ticketTimeTolerance="5000"
ticketValidatorName="Cas20"
proxyTicketManager="CacheProxyTicketManager"
serviceTicketManager="CacheServiceTicketManager"
gatewayStatusCookieName="CasGatewayStatus"
/>

Setting Description
casServerLoginUrl The URL address of the CAS login form.
This parameter cannot be empty.

If D3PassportLoginUrl key is specified in


CentralConfiguration.xml, this setting is ignored.

serverName The host name of the server hosting the application. This is used to
generate the URLs that will be sent to the CAS server for redirection.
The CAS server must be able to resolve the host name. The
serverName setting must be a Fully Qualified Domain Name.

This parameter cannot be empty.

If 3DPassportServiceName key is specified in


CentralConfiguration.xml, this setting is ignored.

To receive a full user configuration, set HTTPS protocol for


DELMIA Apriso.

casServerUrlPrefix The URL address of the CAS server application’s root.


This parameter cannot be empty.
Security | DELMIA Apriso 2022 Implementation Guide 63

If the 3DPassportUrlPrefix key is specified in CentralConfiguration.xml, this setting
is ignored.

ticketValidatorName The name of the ticket validator that validates CAS tickets using
a particular protocol. Valid values are Cas10, Cas20, and Saml11 (required).

gateway Enables the CAS gateway feature. If set, CAS does not ask the client for
credentials. Default: False (optional).

renew Forces the user to reauthenticate to CAS before accessing the application. This
adds security at the cost of usability, since it disables SSO for this application.
Default: False (optional).

singleSignOut Enables the application to receive the CAS single sign-out messages
sent when the user's SSO session ends. Default: True (optional).

ticketTimeTolerance Adds the given tolerance, in milliseconds, to the client system
time when evaluating the SAML assertion validity period, which allows that much clock
drift between the CAS client and server. Only meaningful together with
ticketValidatorName="Saml11" (optional).

notAuthorizedUrl If set, the user is redirected to this URL. If not set, the user is
redirected to the CAS login screen with the Renew option in the URL (optional).

serviceTicketManager Used to store the tickets returned by the CAS server for
validation, revocation, and single sign-out support. The valid value is
CacheTicketManager (optional).

proxyTicketManager The proxy ticket manager used to maintain state during proxy
ticket requests (optional).

gatewayStatusCookieName The name of the cookie used to store the gateway status
(NotAttempted, Success, Failed). It prevents the client from attempting gateway
authentication on every request. Default: CasGatewayStatus (optional).

cookiesRequiredUrl The URL the client is redirected to when it does not accept
session cookies. This condition is detected only when the gateway is enabled. It
locks the user onto a specific page; otherwise every request causes a silent
round-trip to the CAS server that appends a parameter to the URL (optional).

DeploymentInfo.xml

1. Find the DeploymentInfo.xml file located under:
<drive>\Program Files\Dassault Systemes\DELMIA Apriso 2022\Website\CentralConfiguration
2. Replace the server name in the WebAddress variable with the full domain server address.
3. Run RunConfigUpdater.bat found in:
<drive>\Program Files\Dassault Systemes\DELMIA Apriso 2022\Setup\Tools

ClickOnce Manifests

To republish the ClickOnce manifests:
1. Run Publish All Apriso Applications via ClickOnce.bat found in:
<drive>\Program Files\Dassault Systemes\DELMIA Apriso 2022\WebSite\Downloads\ClickOnce Tools
2. Restart DELMIA Apriso services as well as ASP.NET State Service.

Additionally, if the 3DPassport server uses an SSL certificate (or certificates comprising
the SSL certification path) that is not signed by a Trusted Certification Authority, install the
SSL certificate(s) on all machines (desktop as well as mobile devices) used to access
DELMIA Apriso with 3DPassport Authentication.

4.2.7 Custom Authentication


Overview
Custom authentication is a programming model and open architecture for supporting
authentication scenarios that none of the previous methods cover. It requires coding
custom login pages that retrieve and/or validate user credentials and then store the
user session in DELMIA Apriso.
Main directions in authentication extensibility:
Implementing automatic logon by getting user contexts from external systems
In this scenario, the user is not asked for a login and password when entering DELMIA
Apriso. The user context is retrieved automatically from a third-party system such as
SAP or the company's intranet. The custom authentication component needs to know how to
securely retrieve a user's context and map it to a DELMIA Apriso user account.
Using external authorization engines
In this scenario, the DELMIA Apriso login pages are replaced with an external
authorization engine that presents the login page, asks the user for credentials,
validates them, and redirects the user back to DELMIA Apriso while passing information
about the validated user account. The custom authentication component needs to know how
to securely retrieve the user information passed by the external authorization engine,
that is, in a form the browser cannot forge on the way back, and map it to a DELMIA
Apriso user account.
Detailed development instructions for implementing custom authentication components are
beyond the scope of this document. Please contact your DELMIA Apriso consultant for
assistance related to a specific scenario.

In future versions of DELMIA Apriso, additional authentication scenarios (presently
considered as custom) may be included in the standard package to make implementation
easier.

4.3 Full Active Directory Integration


4.3.1 Overview
Full AD integration is an optional extension of Windows Integrated authentication.

Features
Integrating AD with DELMIA Apriso security provides the following features:
User management (creating, modifying, deleting) is performed only in the AD
Any consequent entry of users in DELMIA Apriso is no longer necessary
Users of a selected Active Directory Group (for example, "DELMIA Apriso Users") gain
access to DELMIA Apriso via integrated login (passwords are stored only in the AD)
AD Group membership influences the permissions in DELMIA Apriso (e.g., members of
"DELMIA Apriso PB Users" can access Process Builder)
DELMIA Apriso Roles are linked with AD Groups
A "workstation" AD account can be created so that multiple users can log in to DELMIA
Apriso using the same account (it is not possible to identify who performed the operation)
It is possible to author a Process that requires the supervisor to manually provide his or her
AD username/password in selected places in order to confirm a given activity
The system verifies it against the AD and determines which person performed the
activity (e.g., in the Audit Log)

AD integration with DELMIA Apriso does not extend to the support of advanced AD
features such as child domains, trusts, or federations.

Principle
When full AD integration is enabled, the user logs in to DELMIA Apriso using AD credentials.
The credentials are taken from Windows automatically. Alternatively, the user can provide
them in the standard login screen. Next, DELMIA Apriso validates if the user belongs to the
DELMIA Apriso AD Group. If yes, DELMIA Apriso checks if the given AD user already has an
employee account in DELMIA Apriso. If not, then a new account is created based on a
predefined employee template. Next, DELMIA Apriso scans all the DELMIA Apriso Roles that

are mapped to the AD Groups and compares the list of AD Group memberships for the user.
All the matching roles are granted for the user in the DELMIA Apriso security configuration
table.

After making changes to the settings of an existing AD user account, log in to Windows
and to DELMIA Apriso again for synchronization to take place.

Automatic User Creation

DELMIA Apriso automatically creates new DELMIA Apriso user accounts for AD users that
attempt to log in to DELMIA Apriso Portal. This is possible because of the DELMIA Apriso
global configuration setting that identifies the AD Group that grants access to DELMIA Apriso.
All members of this group can access DELMIA Apriso. When a user tries to access it the first
time, a new DELMIA Apriso account is created.
A new DELMIA Apriso user account requires additional DELMIA Apriso-specific parameters
(like default Facility, list of Work Centers, etc.), which are copied from a template user account
defined in DELMIA Apriso.

If full AD integration is used and automatic user creation is enabled, user accounts
must first be created using DELMIA Apriso Portal to allow users to log in to such tools
as Global Process Manager and Process Builder.

Automatic Roles Synchronization

DELMIA Apriso authorization is based on DELMIA Apriso Roles. Roles can be assigned to
various activities, such as executing a given operation, accessing a given FlexPart, running
Process Builder, etc. This mechanism can be integrated with the AD by linking DELMIA
Apriso Roles with AD Groups. Each AD user belongs to multiple groups and has the
corresponding DELMIA Apriso Roles. During login, DELMIA Apriso must assign DELMIA
Apriso Roles to the user based on AD Group memberships. This automatically propagates the
security privileges defined in the AD into DELMIA Apriso.

Password Verification in Active Directory

The verification of a username/password is performed in the AD (instead of the DELMIA
Apriso database). This can be handled by all Business Components, Business Controls, and
all the framework code that verifies usernames and passwords.

DELMIA Apriso State Service must be run on domain accounts that have privileges to
validate the provided credentials against the AD. For details, refer to the
Miscellaneous/Troubleshooting section of the DELMIA Apriso Administration
Guide.

User Creation Flow


If the account does not exist in DELMIA Apriso, the data is copied from a template, and
the username, first name, and last name are copied from the AD. If the
ADCustomizationOperationCode key in Central Configuration is set, the Operation it names
is started and allows the newly created user to be changed. The Operation must complete
successfully (by returning "true"); otherwise, the account is not created and logging in
is not possible.
The Flx_CustomizeEmployee Operation with basic parameters is included in the DELMIA
Apriso MODEL data as a starting point for developing a custom Operation for the user
template creation.
Basic parameters:
EmployeeId – Integer
ExternalGroupNames – List of Char

Roles Assignment Flow


The diagram presents the DELMIA Apriso Role assignments to the DELMIA Apriso user
based on the AD Group membership:

Figure 19 Assignment of Roles to the user based on AD Group membership

Each DELMIA Apriso Role requires a separate AD Group. Each AD Group can be
used only once.

4.3.2 Configuration
AD integration is configurable in the “SystemServices.Security” section of DELMIA Apriso
Central Configuration with the following keys:
WindowsSSOAuthentication
FullADIntegration
ADTemplateEmployeeNo
ADRootGroup
ADDomain
ADCustomizationOperationCode

Key Description

WindowsSSOAuthentication Must be set to enabled, as the AD integration uses this
particular kind of authentication.

ADTemplateEmployeeNo The ID of the employee used as a template when creating new user
accounts in DELMIA Apriso. The employee template (which is a user account) can be
configured using the Employee Maintenance screen. Make sure that all attributes of the
employee are configured as required in the given implementation, because the attributes
are copied to every newly created user account.

ADCustomizationOperationCode Specifies a custom Operation for creating employee
templates. For more information, see User Creation Flow.

For detailed information on other keys, refer to the “SystemServices.Security” section of the
Central Configuration Documentation.

4.3.3 Using Active Directory Integration


Managing Active Directory Groups and Users
1. Add all the desired new groups and users, as shown below:

Figure 20 Adding new groups and users



Figure 21 Adding a new group

Figure 22 Adding a new user

2. Assign the created users to the appropriate groups.



Figure 23 Assigning users to groups

Assigning Active Directory Groups to DELMIA Apriso Roles


1. Navigate to the Role screen in the DELMIA Apriso Desktop Client and double-click the
desired Role (e.g., Process Author).

Figure 24 Choosing a Role



2. Go to the General tab in Role properties and enter the name of the desired AD Group in the
External role field.

Figure 25 Assigning an Active Directory Group to a DELMIA Apriso Role

3. After clicking Save, the specified Group will be assigned to the chosen Role.

4.3.4 Best Practices


The diagram presents an example of the recommended AD Groups structure in relation to
DELMIA Apriso Roles:

Figure 26 Full Active Directory integration diagram

The AD Administrator creates special groups in the AD and defines access to DELMIA Apriso
by creating a parent group ("DELMIA Apriso Users") containing all the AD users with DELMIA
Apriso access. The users are categorized in subgroups that define the specific privileges in
DELMIA Apriso and correspond to DELMIA Apriso Roles (e.g., the "DELMIA Apriso Admins"
group corresponds to the "Administrator" Role, and the "DELMIA Apriso PB Users" group
corresponds to the "Process Author" Role).

All DELMIA Apriso-specific AD Groups can contain existing standard AD Groups (e.g.,
"Contractors” and "Regular Workers") that include the actual users of the same type. The AD
Groups related to DELMIA Apriso must be set up only once and mapped to the DELMIA
Apriso Roles as needed in order to get appropriate access. All the remaining user
management (e.g., adding a new user account) takes place in a standard way: new account is
added to the regular groups, which automatically grants access to DELMIA Apriso and to the
required functionality.
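The Python model below is an added example, not DELMIA Apriso code. It plays through the login-time decisions described in 4.3.1 (the ADRootGroup gate, creation of a missing account from the template employee, and Role assignment from AD Group membership, re-synchronised on every login) against the nested-group layout recommended above, and enforces the rule that each Role needs its own AD Group and no AD Group is mapped twice. The directory is an in-memory dictionary rather than LDAP, and the group, user and Employee field names are constructed for the demonstration.

```python
"""
Added example, not DELMIA Apriso code: a model of Full Active Directory
integration at login time: root group gate (ADRootGroup), template-based
account creation (ADTemplateEmployeeNo) and Role assignment from AD Group
membership, using the nested-group structure recommended under Best Practices.

Assumptions (hypothetical): the directory is an in-memory dict instead of LDAP;
the group and user names and the Employee fields are constructed for the demo.
"""
from dataclasses import dataclass, field

# Constructed directory: group -> direct members (user names or nested groups).
AD_GROUPS = {
    "DELMIA Apriso Users":    {"DELMIA Apriso Admins", "DELMIA Apriso PB Users", "Regular Workers"},
    "DELMIA Apriso Admins":   {"alice"},
    "DELMIA Apriso PB Users": {"Contractors"},      # standard group nested in an Apriso group
    "Contractors":            {"bob"},
    "Regular Workers":        {"carol"},
    "Finance":                {"dave"},             # outside the root group: no access
}

# Role -> AD Group, as entered in the External role field of the Role screen.
ROLE_TO_GROUP = {
    "Administrator":  "DELMIA Apriso Admins",
    "Process Author": "DELMIA Apriso PB Users",
}


def members(group, groups=AD_GROUPS, seen=None):
    """Transitive (nested) membership of a group; 'seen' guards against group cycles."""
    seen = set() if seen is None else seen
    result = set()
    for m in groups.get(group, ()):
        if m in groups:
            if m not in seen:
                seen.add(m)
                result |= members(m, groups, seen)
        else:
            result.add(m)
    return result


def validate_role_mapping(role_to_group):
    """Each Role needs its own AD Group and each AD Group may be used only once."""
    used = {}
    for role, group in role_to_group.items():
        if not group:
            raise ValueError(f"Role {role!r} has no External role group")
        if group in used:
            raise ValueError(f"AD Group {group!r} is mapped to both {used[group]!r} and {role!r}")
        used[group] = role


@dataclass
class Employee:
    username: str
    facility: str
    work_centers: list = field(default_factory=list)
    roles: set = field(default_factory=set)


def ad_login(username, employees, template, role_to_group=ROLE_TO_GROUP,
             root_group="DELMIA Apriso Users", groups=AD_GROUPS):
    """Return the Employee granted access, or None when the user is outside the root group."""
    validate_role_mapping(role_to_group)
    if username not in members(root_group, groups):
        return None
    emp = employees.get(username)
    if emp is None:
        # First login: Apriso-specific attributes come from the template, the
        # username (and in the product also first/last name) comes from AD.
        emp = Employee(username, template.facility, list(template.work_centers))
        employees[username] = emp
    # Roles are recomputed from current group membership on every login.
    emp.roles = {role for role, group in role_to_group.items()
                 if username in members(group, groups)}
    return emp


TEMPLATE = Employee("AD_TEMPLATE", facility="PLANT1", work_centers=["WC-10"])

if __name__ == "__main__":
    db = {}
    for user in ("alice", "bob", "carol", "dave"):
        print(user, ad_login(user, db, TEMPLATE))
```

Running it shows bob receiving the Process Author Role through the standard "Contractors" group nested inside "DELMIA Apriso PB Users", carol gaining access with no Role, and dave being refused because "Finance" is not under the root group; mapping the same AD Group to two Roles is rejected before any login is processed.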

5 User Authorization
5.1 Role-Based Security
For more information on configuring role-based security, refer to the Role and Skill
Configuration Help.

5.2 Access Control


The Access Control functionality in DELMIA Apriso validates the remoting calls sent to the
DELMIA Apriso Server.

5.2.1 Overview
In a default DELMIA Apriso installation, the Server checks if the client application or service is
on the list of clients allowed to perform server-side operations.
For applications supporting the user session, Access Control validates the user session
before a remoting call is accepted.
Additionally, certificate-based validation of client applications and services that send the
remoting calls can be enabled. For details, refer to 5.2.3 Using x509 Certificates to Validate
Client Applications and Services.
The Access Control List (ACL) functionality is available for DELMIA Apriso Desktop Client.
It extends the Role-based security of M&M Screens: when enabled, the Server validates the
methods in remoting calls against a list of Capabilities (sets of server-side operations)
used by the M&M Screen FlexParts assigned to the given Role. For details, refer to 5.2.4
Enabling Access Control List.

Access Control Logic


The Access Control mechanism on the DELMIA Apriso server carries out a three-stage check
of every remoting call received:
1. The server checks if the remoting call is coming from a valid client application or service.
2. The server checks if user session validation is enabled for that client and, if so,
validates the user session.
3. The server checks if user role-based validation of server-side operations (ACL) is enabled,
and assesses the Capabilities of the user's Roles before allowing the server-side operation
requested in the incoming remoting call.

The diagram below presents the logic used by the Access Control mechanism in DELMIA
Apriso in greater detail.

Figure 27 Access Control logic



Skip Validation Attributes


Several methods called during the login process carry the SkipUserRolesValidation and
SkipUsersSessionValidation attributes, because at that point no user session exists yet and
no Roles have been resolved. The login methods themselves authorize the credentials and
establish the user session; the remaining methods are subject to the checks above.

5.2.2 Configuration Files


Access Control configuration settings are located in the following files:

CentralConfiguration.xml

All Central Configuration keys related to Access Control configuration are located in the
<FlexNet.SystemServices.AccessControl> section of the CentralConfiguration.xml file and are listed
in the table:
Key Default Value Description

CertificatesEnabled false Server-side setting that allows x509 certificates to be used
to authorize the Client Applications or Services. For the client-side configuration,
refer to WcfClientConfiguration.xml.

CertificateSubjectField CN The name of the certificate subject field used to store the
name of a client application or service when certificate-based validation of client
applications and services is enabled. For details, refer to 5.2.3 Using x509
Certificates to Validate Client Applications and Services.

ClientApplicationsConfiguration ${WebRootURL}/CentralConfiguration/ClientApplications.xml
Specifies the location of the ClientApplications.xml file.

AssemblyResolutionPath ${WebSitePath}Downloads Path to the root folder containing all
client assemblies used by the Access Control List Generator tool. For details, refer to
9.2 Appendix B: Access Control List Generator Tool.

ClientApplications.xml

The ClientApplications.xml file contains the list of all the client applications and services that
can perform server-side operations on a DELMIA Apriso server. User Session Validation and
User Roles Validation (server-side operations validation – ACL) can be configured
individually for each of the listed WCF client applications or services.
Each ClientApplication key in the ClientApplications.xml file has five values:
1. name – the name of the client application or service
2. certificate – the name of the x509 certificate used when authorizing the Client
Application or Service
3. userSessionValidation – the flag determining if the Access Control mechanism should
validate the user session for the given application or service
4. userRolesValidation – the flag determining if the remoting call sent by the given
application or service must be validated by the Access Control List functionality
5. trustedClient – the flag determining if the client is treated as a trusted client. Trusted
clients have access to the DELMIA Apriso configuration when using the configuration service.

If a client application or service is not listed in the ClientApplications.xml file, it is not
able to perform any server-side operations.

In a default DELMIA Apriso installation, the ClientApplications.xml file has user session
validation (userSessionValidation="true") enabled for:
DELMIA Apriso Desktop Client (FlexNetDesktopClient)
DELMIA Apriso Process Builder (FlexNetProcessBuilder)
DELMIA Apriso Portal (FlexNet.Portal.WebUI.Portal)
MPI Excel Add-in (FlexNet.Analytics.WinUI.Excel)
In the RedirectUris section of the configuration file, multiple redirect URIs can be defined
for a client application. The client application decides to which URL from the list the
response with the access token is sent.

An example of using multiple URIs is configuring SSL Termination for a Load Balancer where
a request can be made from more than one URL address.
Example configuration:

<RedirectUris>
<Uri>${WebRootURL}/Apriso/modules/oauth/oauth_callback.html</Uri>
<Uri>https://load_balancer_name.domainname/Apriso/Apriso/modules/oauth/oauth_
callback.html</Uri>
</RedirectUris>
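The Python script below is an added example, not DELMIA Apriso code. It parses a ClientApplications.xml-style file, audits the entries a reviewer would question (trustedClient set, user session validation switched off, a non-HTTPS redirect URI), and then applies the three-stage Access Control check from 5.2.1 to individual remoting calls, including the login methods that carry the skip-validation attributes. The element and attribute layout of the file, the capability table and the sample calls are constructed for the example; certificate validation is reduced to comparing the CN of the presented certificate with the configured certificate name, as the CertificateSubjectField default implies.

```python
"""
Added example, not DELMIA Apriso code: parse a ClientApplications.xml-style file,
audit it, and apply the three-stage Access Control decision (listed client and
certificate subject, user session, ACL capabilities) to sample remoting calls.

Assumptions (hypothetical): the XML layout, capability table and sample calls
are constructed; the product's real file format and ACL data are not shown here.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample: the attribute names are the guide's, the layout is assumed.
SAMPLE_XML = """<ClientApplications>
  <ClientApplication name="FlexNetDesktopClient" certificate="DELMIA Apriso Desktop Client"
      userSessionValidation="true" userRolesValidation="true" trustedClient="false"/>
  <ClientApplication name="FlexNet.Portal.WebUI.Portal" certificate="DELMIA Apriso Classic Portal"
      userSessionValidation="true" userRolesValidation="false" trustedClient="false">
    <RedirectUris>
      <Uri>${WebRootURL}/Apriso/modules/oauth/oauth_callback.html</Uri>
      <Uri>http://lb.example.com/Apriso/modules/oauth/oauth_callback.html</Uri>
    </RedirectUris>
  </ClientApplication>
  <ClientApplication name="ExampleBatchTool" certificate="DELMIA Apriso Example Batch Tool"
      userSessionValidation="false" userRolesValidation="false" trustedClient="true"/>
</ClientApplications>"""


@dataclass
class ClientApp:
    name: str
    certificate: str
    user_session_validation: bool
    user_roles_validation: bool
    trusted_client: bool
    redirect_uris: list = field(default_factory=list)


def _flag(el, attr):
    return el.get(attr, "false").strip().lower() == "true"


def load_clients(xml_text):
    """Map client name -> ClientApp."""
    clients = {}
    for el in ET.fromstring(xml_text).findall("ClientApplication"):
        clients[el.get("name")] = ClientApp(
            el.get("name"), el.get("certificate", ""),
            _flag(el, "userSessionValidation"), _flag(el, "userRolesValidation"),
            _flag(el, "trustedClient"),
            [u.text.strip() for u in el.findall("RedirectUris/Uri")])
    return clients


def audit_clients(clients):
    """Findings a reviewer raises on the client list itself."""
    out = []
    for c in clients.values():
        if c.trusted_client:
            out.append(f"{c.name}: trustedClient=true exposes configuration via the configuration service")
        if not c.user_session_validation:
            out.append(f"{c.name}: userSessionValidation=false, calls are accepted without a user session")
        for uri in c.redirect_uris:
            if not uri.startswith("${WebRootURL}") and not uri.startswith("https://"):
                out.append(f"{c.name}: non-HTTPS redirect URI {uri}")
    return out


def authorize_call(clients, *, certificates_enabled, capabilities, client_name, cert_cn=None,
                   session_valid=False, user_roles=(), method="", skip_session=False, skip_roles=False):
    """Three-stage Access Control decision; returns (allowed, reason)."""
    app = clients.get(client_name)                            # stage 1: listed client
    if app is None:
        return False, "client not listed in ClientApplications.xml"
    if certificates_enabled and cert_cn != app.certificate:   # stage 1: subject CN check
        return False, "certificate subject does not match configured name"
    if app.user_session_validation and not skip_session and not session_valid:
        return False, "user session invalid"                  # stage 2
    if app.user_roles_validation and not skip_roles:          # stage 3: ACL
        if not any(method in capabilities.get(r, ()) for r in user_roles):
            return False, f"no Role grants capability for {method}"
    return True, "allowed"


# Constructed capability table: Role -> server-side methods its M&M screens use.
CAPABILITIES = {"Operator": {"Order.Get"}, "Administrator": {"Order.Get", "Order.Delete"}}

if __name__ == "__main__":
    clients = load_clients(SAMPLE_XML)
    for finding in audit_clients(clients):
        print("AUDIT:", finding)
    print(authorize_call(clients, certificates_enabled=True, capabilities=CAPABILITIES,
                         client_name="FlexNetDesktopClient", cert_cn="DELMIA Apriso Desktop Client",
                         session_valid=True, user_roles=("Operator",), method="Order.Delete"))
```

The order of the stages matters: a call from an unlisted client, or one whose certificate CN does not match, is refused before any session or Role lookup takes place, and a login method marked to skip session and Role validation still has to come from a listed client.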

WcfClientConfiguration.xml

The WcfClientConfiguration.xml file contains the client-side configuration settings for security
bindings and service behaviors.
The CertificatesEnabled key in the <appSettings> section enables the certificate-based
validation mechanism for Client Applications and Services.
For more information, refer to 2.2 Protecting Web Services and DELMIA Apriso Services.

5.2.3 Using x509 Certificates to Validate Client Applications and Services
Custom x509 certificates can be used to ensure that the remoting calls sent to DELMIA Apriso
server come from legitimate client applications or services.

Enabling this feature may reduce overall system performance. The network
infrastructure may have significant delays, due to additional server requests and more
data being sent.

Prerequisites

Before enabling this functionality, obtain appropriate x509 certificates issued by a
Trusted Certification Authority or by your organization's IT department.

To ensure optimum security to performance ratio, using x509 certificates with the following
settings is recommended:
Signature algorithm – sha256RSA
Signature hash algorithm – sha256
Public key – RSA (4096 Bits)

Due to significant performance impact, certificate revocation is not supported. A leaked
client certificate therefore stays valid until it expires or the issuing chain is replaced,
so keep the validity period of client certificates short.



Certificates that are required to enable validation of DELMIA Apriso client applications and
services:

Certificate Description

DELMIA Apriso CA.pem (certificate name for demonstration purposes only)
Root certificate issued by a Trusted Certification Authority. The Root certificate
contains the public key and is used to sign the Intermediate certificate. Using a
self-signed root certificate is not recommended.

DELMIA Apriso SubCA.pem (certificate name for demonstration purposes only)
Intermediate certificate, signed with the Root certificate. The Intermediate
certificate contains the public key and is used to sign the DELMIA Apriso Server and
Client certificates.

DELMIA Apriso Services.pfx
DELMIA Apriso Server certificate, signed with the Intermediate certificate. The
DELMIA Apriso Services.pfx certificate contains the private key and is used to validate
the DELMIA Apriso Server. The certificate must contain the "DELMIA Apriso Services" name
in the subject name field indicated by the CertificateSubjectField key in Central
Configuration (default field = CN).

DELMIA Apriso Desktop Client.pfx
DELMIA Apriso Process Builder.pfx
DELMIA Apriso Global Process Manager.pfx
DELMIA Apriso Configuration Manager.pfx
DELMIA Apriso MPI Excel Add-in.pfx
DELMIA Apriso Machine Integrator.pfx
DELMIA Apriso Remoting Service.pfx
DELMIA Apriso Scheduler Service.pfx
DELMIA Apriso Executor Service.pfx
DELMIA Apriso PB Service.pfx
DELMIA Apriso GPM Service.pfx
DELMIA Apriso State Service.pfx
DELMIA Apriso Incoming Message Monitor.pfx
DELMIA Apriso Classic Portal.pfx
DELMIA Apriso WebServices.pfx
DELMIA Apriso BusinessWebServices.pfx
DELMIA Apriso Web APIs.pfx
DELMIA Apriso WebApi.pfx
DELMIA Apriso iOS Api.pfx
DELMIA Apriso Dispatching Board.pfx
DELMIA Apriso Message Processor.pfx
DELMIA Apriso Incoming Message HTTP Receiver.pfx
DELMIA Apriso Reporting Services.pfx
DELMIA Apriso Client application or service certificates, signed with the Intermediate
certificate. Each of these certificates contains the private key and is used to validate
the specified client application or service. Each client application or service must
have its own certificate, and each certificate must contain the name of the application
or service (as specified in the ClientApplications.xml) in the subject name field
indicated by the CertificateSubjectField key in Central Configuration (default field = CN).

Installation
Once the required certificates are obtained, they must be installed into Local Machine
certificate store catalogs specified in the tables below:
DELMIA Apriso Server

Local Machine Store catalog Certificate

Trusted Root Certification Authorities DELMIA Apriso CA.cer

Intermediate Certification Authorities DELMIA Apriso SubCA.cer

Personal DELMIA Apriso Services.pfx
DELMIA Apriso Desktop Client.pfx
DELMIA Apriso Process Builder.pfx
DELMIA Apriso Global Process Manager.pfx
DELMIA Apriso Configuration Manager.pfx
DELMIA Apriso MPI Excel Add-in.pfx
DELMIA Apriso Machine Integrator.pfx
DELMIA Apriso Remoting Service.pfx
DELMIA Apriso Scheduler Service.pfx
DELMIA Apriso Executor Service.pfx
DELMIA Apriso PB Service.pfx
DELMIA Apriso GPM Service.pfx
DELMIA Apriso State Service.pfx
DELMIA Apriso Incoming Message Monitor.pfx
DELMIA Apriso Classic Portal.pfx
DELMIA Apriso WebServices.pfx
DELMIA Apriso BusinessWebServices.pfx
DELMIA Apriso Web APIs.pfx
DELMIA Apriso WebApi.pfx
DELMIA Apriso iOS Api.pfx
DELMIA Apriso Dispatching Board.pfx
DELMIA Apriso Message Processor.pfx
DELMIA Apriso Incoming Message HTTP Receiver.pfx
DELMIA Apriso Reporting Services.pfx

The Mark this key as exportable option must be selected when importing .pfx files on the
DELMIA Apriso Server.

When configuring a cluster environment, the required certificates must be installed on
all cluster nodes.

Additionally, full control and read private key permissions must be added to the IIS_IUSRS
user account for the following certificates:
DELMIA Apriso Services
DELMIA Apriso Classic Portal
DELMIA Apriso WebServices
DELMIA Apriso BusinessWebServices
DELMIA Apriso Web APIs
DELMIA Apriso WebApi
DELMIA Apriso iOS Api
DELMIA Apriso Dispatching Board
DELMIA Apriso Remoting Service
DELMIA Apriso Message Processor
DELMIA Apriso Incoming Message HTTP Receiver

When configuring a cluster environment, full control and read private key permissions must
be added to the user account that was used to create the cluster for the following
certificates:
DELMIA Apriso Machine Integrator
DELMIA Apriso Remoting Service
DELMIA Apriso Scheduler Service
DELMIA Apriso Executor Service
DELMIA Apriso PB Service
DELMIA Apriso GPM Service
DELMIA Apriso State Service
DELMIA Apriso Incoming Message Monitor

For details on DELMIA Apriso cluster configuration, refer to DELMIA Apriso High
Availability Configuration Installation Guide.

When GPM packages are exchanged between two DELMIA Apriso instances, and only
one of these instances is configured to use x509 certificates to validate client
applications and services, both DELMIA Apriso instances must have the certificates
installed.

The figures below show the required certificates installed in the proper locations on a DELMIA
Apriso Server.

Figure 28 DELMIA Apriso Server - Trusted Root Certification Authorities catalog

Figure 29 DELMIA Apriso Server - Intermediate Certification Authorities catalog



Figure 30 DELMIA Apriso Server - Personal catalog

DELMIA Apriso Client Machines

Local Machine Store catalog Certificate

Trusted Root Certification Authorities DELMIA Apriso CA.cer

Intermediate Certification Authorities DELMIA Apriso SubCA.cer

Personal DELMIA Apriso Services.pfx
DELMIA Apriso Desktop Client.pfx
DELMIA Apriso Process Builder.pfx
DELMIA Apriso Global Process Manager.pfx
DELMIA Apriso MPI Excel Add-in.pfx
DELMIA Apriso Machine Integrator.pfx
DELMIA Apriso Reporting Services.pfx

Reporting Services Server


Local Machine Store catalog Certificate
Trusted Root Certification Authorities DELMIA Apriso CA.cer
Intermediate Certification Authorities DELMIA Apriso SubCA.cer
Personal DELMIA Apriso Reporting Services.pfx

Additionally, full control and read private key permissions must be added, for the
certificates installed in the Personal catalog of the Local Machine Store, to every user
account that will be used to launch DELMIA Apriso Client applications. Without these
permissions, DELMIA Apriso Client is not able to connect to DELMIA Apriso Server.

For the DELMIA Apriso Reporting Services.pfx certificate, full control and read private key
permissions must be added to the user account that runs SQL Server Reporting Services
(SSRS).

Certificates must be installed on every machine running a DELMIA Apriso Client instance.

Figure 31 DELMIA Apriso Client - Personal catalog

DELMIA Apriso Machine Integrator Connector (Standalone)

Local Machine Store catalog Certificate

Trusted Root Certification Authorities DELMIA Apriso CA.cer

Intermediate Certification Authorities DELMIA Apriso SubCA.cer

Personal DELMIA Apriso Services.pfx
DELMIA Apriso Machine Integrator.pfx

The Mark this key as exportable option must be selected when importing .pfx files on a
standalone instance of the DELMIA Apriso Machine Integrator Connector.

Certificates must be installed on every machine running a DELMIA Apriso Machine
Integrator Connector instance.

Figure 32 DELMIA Apriso Machine Integrator Connector - Personal catalog

Configuration

Before enabling the validation of client applications and services with the use of x509
certificates, refer to 2.2 Protecting Web Services and DELMIA Apriso Services for
detailed information on configuring the security settings of DELMIA Apriso services.

Once all of the required certificates are installed, enable the validation of client applications
and services:
1. Edit the CentralConfiguration.xml file, located on the DELMIA Apriso server in the
<drive>\Program Files\Dassault Systemes\DELMIA Apriso 2022\Website\CentralConfiguration
folder.
2. Change the value of the CertificatesEnabled key in the
<FlexNet.SystemServices.AccessControl> section to “true”.
3. In the server side configuration files for a particular service, located on the DELMIA Apriso
server in the <drive>\Program Files\Dassault Systemes\DELMIA Apriso 2022\Services\
[ServiceName] folder:
a. Edit the endpoint settings to use a binding supporting certificates.
For a list of supported bindings, refer to 2.2.1 Security Overview of DELMIA Apriso
Services.
b. Change the value of behaviorConfiguration parameter for the service from “default“ to
“SecurityBehaviorCert”.
Names of the configuration files and relevant sections in these configuration files, which
contain the endpoint settings for the given service:

DELMIA Apriso Service: Framework Services, Job Executor Services, Job Scheduler Service,
Maintenance Services, Process Builder Services, State Services

Server-side configuration file: the endpoint settings are in the <services> section of the
RemotingServices.config file for each of the DELMIA Apriso Services. The example below shows
the settings for Process Builder Services configured to use netTcpBinding with Certificates.

<services>
  <service
    behaviorConfiguration="SecurityBehaviorCert"
    [...]
    <endpoint
      address="https://SERVERNAME.DOMAIN.com:32610/pb20service"
      binding="netTcpBinding"
      bindingConfiguration="TcpSecurityCert"
      name="FlexNetEndpoint"
      contract="FlexNet.SystemServices.Services.IServiceFactory"
    />
  </service>
</services>

Do not modify the endpoint settings for mexHttpBinding.

DELMIA Apriso Service: Global Process Manager Services

Server-side configuration file: the endpoint settings are in the <system.serviceModel>
section of the FlexNetGlobalProcessManagerRemotingService.exe.config file. The example below
shows the settings for Global Process Manager Service configured to use netTcpBinding with
Certificates:

<service
  behaviorConfiguration="SecurityBehaviorCert"
  [...]
  <endpoint
    address="https://SERVERNAME.DOMAIN.com:32709/gpmservice"
    binding="netTcpBinding"
    bindingConfiguration="TcpSecurityCertGPM"
    name="FlexNetEndpoint"
    contract="FlexNet.SystemServices.Services.IServiceFactory"
  />
</service>

The GPM Service uses a dedicated binding configuration with "GPM" at the end of its name.

Do not modify any other endpoint settings in the
FlexNetGlobalProcessManagerRemotingService.exe.config file.

4. In the WcfClientConfiguration.xml client side configuration file, located on the DELMIA Apriso
server in the <drive>\Program Files\Dassault Systemes\DELMIA Apriso 2022\Website\CentralConfiguration
folder:

a. Change the value of the CertificatesEnabled key in the <appSettings> section to "true".
b. Edit all of the endpoint settings in the <client> section to use a binding supporting
certificates.
For a list of supported bindings, refer to 2.2.1 Security Overview of DELMIA Apriso
Services.
The example below shows the settings for Process Builder Services:

<appSettings>
<add key="CertificatesEnabled" value="true" />
</appSettings>
[...]
<client>
[...]
<endpoint
address="https://SERVERNAME.DOMAIN.com:32603/pb20service"
binding="netTcpBinding"
bindingConfiguration="TcpSecurityCert"
name="ProcessBuilderServices"
contract="FlexNet.SystemServices.Services.IServiceFactory">
<identity>
<dns value="DELMIA Apriso Services" />
</identity>
</endpoint>
[...]
</client>

When configuring DELMIA Apriso Machine Integrator Connector, the following configuration
changes are required:
1. Locate and edit the WCFServices.config file on:
- The DELMIA Apriso server, in the <drive>\Program Files\Dassault Systemes\DELMIA Apriso
2022\Services\Machine Integrator Service folder, or
- The machine hosting Machine Integrator Connector, in the <drive>\Program Files
(x86)\Dassault Systemes\DELMIA Apriso 2022 Client\Machine Integrator Connector folder.
2. Change the value of the behaviorConfiguration parameter for the service from "default" to
"SecurityBehaviorCert".
3. Edit the address, binding, and binding configuration parameters for the ConnectorRemoting
endpoint key to use a binding supporting certificates.
For a list of supported bindings, refer to 2.2.1 Security Overview of DELMIA Apriso
Services.
Example settings for Machine Integrator Connector configured to use netTcpBinding with
Certificates:

<service
behaviorConfiguration="SecurityBehaviorCert"
name="FlexNet.SystemServices.Services.ServiceFactoryImpl">
[...]
<endpoint
address="https://SERVERNAME.DOMAIN.com:32502/ConnectorRemoting"
binding="netTcpBinding"
bindingConfiguration="TcpSecurityCert"
name="FlexNetEndpoint"
contract="FlexNet.SystemServices.Services.IServiceFactory" />
</service>

Whenever the security settings of DELMIA Apriso Machine Integrator are changed,
delete the WcfClientConfiguration.xml temporary file from the following locations:
- On the DELMIA Apriso server:
<drive>\Temp\AprisoTemp\<server_name>\ and
<drive>\Users\Apriso\AppData\Local\Temp\<server_name>\
- On the machine hosting the DELMIA Apriso Machine Integrator Connector:
%USERPROFILE%\AppData\Local\Temp\<ServerName> and
%USERPROFILE%\AppData\Local\Temp\<NameOfTheMachineHostingMI>.
Then restart DELMIA Apriso Services on the DELMIA Apriso Server, and restart the Machine
Integrator Service on the machine hosting the DELMIA Apriso Machine Integrator
Connector.

For an example configuration of a DELMIA Apriso service using certificates, see 9.1.3
Maintenance service using HTTPS security settings protected with certificates.

5.2.4 Enabling Access Control List


To enable Access Control List (ACL) for a client application or service:
1. Enable the userRolesValidation setting in ClientApplications.xml.
2. Restart DELMIA Apriso services.
3. Open the Post Upgrade Utility and run the ACL Generator tool (for details, refer to 9.2
Appendix B: Access Control List Generator Tool).

At this time, Role-based validation of server-side operations is supported only for
DELMIA Apriso Desktop Client. Changing the userRolesValidation setting for any
other client application or service listed in ClientApplications.xml without additional
manual configuration steps may prevent it from performing any server-side operations.
For more information on the manual configuration of Capabilities, refer to 9.2.4 Manual
Configuration of Capabilities.

6 Security Logging and Alerts


6.1 Overview
All security events that take place in the system are tracked by DELMIA Apriso and saved in a
dedicated table in the DELMIA Apriso database if necessary (e.g., in a 21 CFR Part 11-controlled
environment). All the places in DELMIA Apriso that perform security-sensitive
operations use special logic that captures events when configured to do so (for details, see 6.2
Security Logging Configuration). The security-sensitive operations occur when logging in to
the following DELMIA Apriso modules:
- DELMIA Apriso Portal:
  - Standard (with/without equipment)
  - NT Login (Integrated Windows authentication)
  - FI – URL invocation
- DELMIA Apriso Global Process Manager
- DELMIA Apriso Process Builder
The same logic is used when executing Processes and Operations using the following
components:
- Authentication Business Control
- FlexNet.BusinessFacade.Security.LoginManager Business Component methods:
  - ValidateEmployeeAndPassword
  - ValidateUserAndChangePassword
  - ValidateUsernameAndPassword
  - ValidateUsernameAndPasswordAndRole
- FlexNet.BusinessFacade.Signature.SignatureManager:
  - SaveSingleSignature
  - SaveDoubleSignature
When one of the above occurs, the system:
1. Loads the configuration from the Central Configuration file (for details, see 6.2 Security
Logging Configuration) and proceeds if the access log is enabled (if it is not, the following
steps are skipped).
2. Creates a new database record in the SECURITY_LOG table (for more details on the table,
refer to the Database Documentation).
3. Posts a message to the DELMIA Apriso Logging Framework that can be redirected to the
Windows Security Log.
4. Communicates with the State Service to check the number of failed attempts.
5. Sends notification:
a. Creates and sends an alert to the user(s) with the particular Role (Security
Administrator).
b. Creates and sends an alert with the type “email” wherein an email is sent to the user(s)
with a particular Role (Security Administrator).

c. Creates messages in the system event log (using the standard DELMIA Apriso Logging
Framework).
d. Creates a job for the execution of a Standard Operation with a specific Operation code
and revision for Job Executor.
The information that is captured includes:
- Employee no
- Attempt date and time
- Attempt result (success or failure)
- Machine name/IP address
- Access type (for Login, Signature, Authentication Business Control)
- Additional information:
  - For the login type: information about the application that was accessed (e.g., for
DELMIA Apriso Portal – standard: with/without equipment, what equipment, NT
domain/username, and Operation name invoked through the URL)
  - For the signature type: signature type (single, double) and signed action
  - For the Authentication Business Control: the Process, Operation, and Step in which it
was executed

The log of all events can be accessed by authorized personnel in the Security Log M&M
screen in the DELMIA Apriso Desktop Client (see Figure 33 Security Log screens) to view and
analyze all the security events captured by the system.

Figure 33 Security Log screens

6.2 Security Logging Configuration


DELMIA Apriso Central Configuration contains the settings for controlling if and how the
system should act in a 21 CFR Part 11-controlled environment.
The settings are located in two sections:
- “SystemServices.Security” section:
  - EnableAccessLog
- “SystemServices.SecurityNotification” section:
  - WorkstationNotificationThreshold
  - UserNotificationThreshold
  - NotificationByFlexNetAlert
  - NotificationByEmail
  - NotificationByStdOperationCode
  - NotificationByStdOperationRevision

For detailed information on each key, refer to the Central Configuration Documentation.
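The following Python block is an added illustration, not DELMIA Apriso code, of how the events described in 6.1 and the two threshold settings named in 6.2 fit together: a stream of security-log events is scanned and a notification is produced when a user or a workstation reaches its configured number of failed attempts. The event fields follow the list in 6.1; how the product actually counts attempts is not documented here, so counting consecutive failures per employee and per machine, reset by a success, is an assumption made for this example, as are the threshold values and the sample events.

```python
"""Threshold-based alerting over security-log events.

Added illustration, not DELMIA Apriso code. The event fields (employee number,
attempt date/time, result, machine, access type) follow section 6.1 and the two
threshold names follow section 6.2. Counting consecutive failures per employee
and per machine, reset by a successful attempt, is an assumption for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class SecurityEvent:
    employee_no: str
    attempted_at: datetime
    success: bool
    machine: str       # machine name or IP address of the client
    access_type: str   # "Login", "Signature" or "Authentication"


# Assumed threshold values for the example (the real keys live in Central Configuration).
USER_NOTIFICATION_THRESHOLD = 3
WORKSTATION_NOTIFICATION_THRESHOLD = 5


def detect_notifications(events, user_threshold=USER_NOTIFICATION_THRESHOLD,
                         workstation_threshold=WORKSTATION_NOTIFICATION_THRESHOLD):
    """Return (scope, key, failure_count) tuples, one per threshold crossing.

    Failures are counted per employee and per machine; a success resets both
    counters for that employee and that machine. A notification fires exactly
    when a counter reaches its threshold, so a long run of failures yields one
    notification rather than one per extra attempt.
    """
    user_failures = defaultdict(int)
    workstation_failures = defaultdict(int)
    notifications = []
    for ev in sorted(events, key=lambda e: e.attempted_at):
        if ev.success:
            user_failures[ev.employee_no] = 0
            workstation_failures[ev.machine] = 0
            continue
        user_failures[ev.employee_no] += 1
        workstation_failures[ev.machine] += 1
        if user_failures[ev.employee_no] == user_threshold:
            notifications.append(("user", ev.employee_no, user_threshold))
        if workstation_failures[ev.machine] == workstation_threshold:
            notifications.append(("workstation", ev.machine, workstation_threshold))
    return notifications


def _ts(hhmmss):
    return datetime.fromisoformat(f"2022-01-10T{hhmmss}")


# Constructed sample: one employee fails three times, two other employees then
# fail once each from the same workstation, and the first employee later succeeds
# from another workstation (which resets that employee's counter).
SAMPLE_EVENTS = [
    SecurityEvent("E001", _ts("08:00:00"), False, "WS-01", "Login"),
    SecurityEvent("E001", _ts("08:00:10"), False, "WS-01", "Login"),
    SecurityEvent("E001", _ts("08:00:20"), False, "WS-01", "Login"),
    SecurityEvent("E002", _ts("08:00:30"), False, "WS-01", "Signature"),
    SecurityEvent("E003", _ts("08:00:40"), False, "WS-01", "Authentication"),
    SecurityEvent("E001", _ts("08:01:00"), True, "WS-02", "Login"),
    SecurityEvent("E001", _ts("08:01:10"), False, "WS-02", "Login"),
]


def run_sample():
    return detect_notifications(SAMPLE_EVENTS)


if __name__ == "__main__":
    for scope, key, count in run_sample():
        print(f"notify Security Administrator: {count} consecutive failures for {scope} {key}")
```

The sample produces one user notification (E001 after three failures) and one workstation notification (WS-01 after five failures from three different employees), which is why both thresholds are worth configuring: a per-user threshold alone does not notice a workstation cycling through many accounts.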

6.3 Securing Confidential Information in Log Files


DELMIA Apriso uses a configurable system for logging runtime information into log files. This
is used to gather several different types of information that are needed for problem detection,
system monitoring, etc. There are several levels for logging information (e.g., ERROR,
DEBUG, INFO).
There is a strict dependency between a particular logging level and the level of detail that is
stored in the log file (e.g., the DEBUG log could have some confidential information, such as
the names of particular parameters that are sent to Machine Integrator to control the machine).
This kind of information should not be shared, but it can be useful for production debugging.
Turning debug logs on for production can cause some performance decrease. By default the
debug logs are turned off. Debug logs can help to investigate issues in production, especially
in the implementation phase (before going live). Turning off the debug logs after going live is
recommended.
To turn the debug logs off (this may vary from implementation to implementation):
1. Navigate to the CentralConfiguration.xml file (which is usually located on the web server in
the <drive>\Program Files\Dassault Systemes\DELMIA Apriso 2022\Website\CentralConfiguration
folder).
2. Open the CentralConfiguration.xml file and find the RemotingExceptionDetailsEnabled key in the
flexNet.Framework section. Change the value of the key to false.
3. In the CentralConfiguration.xml file, get the location of the LoggingConfiguration.xml file from
the ConfigurationLocation key in the FlexNet.SystemServices.LoggingConfig section.
4. Open the LoggingConfiguration.xml file.
5. To revert the logging configuration to its default, comment out the following lines from the
<logger name = "FlexNet"> section:
<level value="DEBUG" />
<appender-ref ref="DebugRollingFileAppender" />

Sample logging configuration with the debug logs turned on:

<logger name = "FlexNet">
<level value="DEBUG" />
<appender-ref ref="DebugRollingFileAppender" />
<appender-ref ref="InfoRollingFileAppender" />
<appender-ref ref="WarningRollingFileAppender" />
<appender-ref ref="ErrorRollingFileAppender" />
<appender-ref ref="MergedErrorsFileAppender" />
<appender-ref ref="FlexNetEventLogAppender" />
</logger>

Sample logging configuration with the debug logs turned off:

<logger name = "FlexNet">
<!-- <level value="DEBUG" /> -->
<!-- <appender-ref ref="DebugRollingFileAppender" /> -->
<appender-ref ref="InfoRollingFileAppender" />
<appender-ref ref="WarningRollingFileAppender" />
<appender-ref ref="ErrorRollingFileAppender" />
<appender-ref ref="MergedErrorsFileAppender" />
<appender-ref ref="FlexNetEventLogAppender" />
</logger>

6.4 ACL Generator Logging


The following log files are generated automatically for ACL Generator:
- AccessControlListGenerator_InfoRolling.log
- AccessControlListGenerator_WarningRolling.log
- AccessControlListValidator_Debug.log

6.5 ACL Logging


To log ACL activity, make the following changes in the <FlexNet.SystemServices.Logging>
section of the LoggingConfiguration.xml file:
1. Add a new logging appender definition. When used, all the ACL logs will be saved in the
AccessControlListValidator_Debug.log file.

Example appender definition configuration:

<!-- Access Control List Validator appender -->
<appender name="ACLValidatorAppender"
type="FlexNet.SystemServices.Logging.Appender.FileAppender">
<lockingModel type="FlexNet.SystemServices.Logging.Appender.FileAppender+MinimalLock" />
<param name="Threshold" value="DEBUG" />
<param name="File" value="C:\\Temp\\AprisoLogs\\AccessControlListValidator_Debug.log" />
<param name="AppendToFile" value="true" />
<layout type="FlexNet.SystemServices.Logging.Layout.PatternLayout">
<param name="ConversionPattern" value="%AppName %Machine %n%date %level %thread %logger %n %message%n%n" />
</layout>
<filter type="FlexNet.SystemServices.Logging.Filter.StringMatchFilter">
<param name="StringToMatch" value="Acl" />
</filter>
<filter type="FlexNet.SystemServices.Logging.Filter.DenyAllFilter" />
</appender>

2. Change the <root> logging level to DEBUG.

<!-- Setup the root logger, add the appenders and set the default priority -->
<root>
<level value="DEBUG" />
</root>

3. Add a reference to the appender created in the first step in the <logger> key.
<logger name = "FlexNet">
<!-- <level value="DEBUG" /> -->
<!-- <appender-ref ref="DebugRollingFileAppender" /> -->
<appender-ref ref="ACLValidatorAppender" />
<appender-ref ref="InfoRollingFileAppender" />
<appender-ref ref="WarningRollingFileAppender" />
<appender-ref ref="ErrorRollingFileAppender" />
[...]
</logger>

4. Restart DELMIA Apriso Services.

Logging the ACL Validator activity for extended periods of time may result in reduced
system performance. Enable logging only when DELMIA Apriso is being configured by
the System Administrator or when troubleshooting the ACL functionality.

For more information, refer to the Logging Technical Guide.



7 Guidelines
7.1 DELMIA Apriso Process Builder Security
This section presents several security guidelines and recommendations which should be
taken into consideration by the Process Author who creates Standard Operations in DELMIA
Apriso.

7.1.1 Validate User Input


Make sure that all input from the user is validated and sanitized. This means that the input is
not only validated from the business perspective, but also checked for length, format, and
special characters. This helps prevent the most common security threats.

7.1.2 Using SQL Function and User Formula Function in Standard Operations
It is common to create an SQL statement which is used in a Standard Operation by
concatenating the strings that represent the dynamic data filter in the User Formula Function.
However, this is not a recommended approach from a security point of view. To mitigate the
risk of a security breach, make sure that the SQL statement uses binding parameters and/or
validate and sanitize all the user input.
If the Process Author decides to use curly bracket SQL function parameters, they should
ensure that all input entered by the user in runtime is properly validated – before it is passed to
the SQL function in the Standard Operation – to avoid malicious code injection.
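To make the difference between the two approaches concrete, the following added example (not DELMIA Apriso code, and not the product's SQL function syntax) builds the same dynamic data filter twice: once by concatenating the runtime value into the statement, as 7.1.2 warns against, and once with a binding parameter. It also shows the kind of length and format check 7.1.1 asks for, applied before the value is used. Python's sqlite3 stands in for the database; the table, its rows and the order-number format are constructed for the example.

```python
"""Data filter built by concatenation vs. with a bound parameter.

Added example, not DELMIA Apriso code. Python's sqlite3 stands in for the SQL
function of a Standard Operation; the curly-bracket parameter syntax of the
product is not reproduced. The table, rows and order-number format are constructed.
"""
import re
import sqlite3


def setup_db():
    """In-memory table with a few constructed work orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ORDER_HEADER (ORDER_NO TEXT, STATUS TEXT, PLANT TEXT)")
    conn.executemany(
        "INSERT INTO ORDER_HEADER VALUES (?, ?, ?)",
        [("WO-1001", "RELEASED", "PLANT-A"),
         ("WO-1002", "CLOSED", "PLANT-A"),
         ("WO-1003", "RELEASED", "PLANT-B")],
    )
    return conn


def filter_concatenated(conn, order_no):
    """The pattern 7.1.2 warns against: the runtime value is pasted into the SQL
    text, so any quote or keyword inside it is parsed as part of the statement."""
    sql = ("SELECT ORDER_NO FROM ORDER_HEADER WHERE ORDER_NO = '" + order_no
           + "' ORDER BY ORDER_NO")
    return [row[0] for row in conn.execute(sql)]


def filter_bound(conn, order_no):
    """Recommended form: the value travels as a binding parameter and is only
    ever compared as data, whatever characters it contains."""
    sql = "SELECT ORDER_NO FROM ORDER_HEADER WHERE ORDER_NO = ? ORDER BY ORDER_NO"
    return [row[0] for row in conn.execute(sql, (order_no,))]


# Constructed format for the example: two upper-case letters, a dash, four digits.
ORDER_NO_PATTERN = re.compile(r"[A-Z]{2}-[0-9]{4}")


def validate_order_no(value):
    """Input validation in the sense of 7.1.1: type, length, format and character
    set are checked before the value is used anywhere."""
    if not isinstance(value, str):
        raise ValueError("order number must be a string")
    if len(value) != 7:
        raise ValueError("order number must be exactly 7 characters")
    if not ORDER_NO_PATTERN.fullmatch(value):
        raise ValueError("order number must match LL-NNNN")
    return value


def is_valid_order_no(value):
    try:
        validate_order_no(value)
        return True
    except ValueError:
        return False


def run_sample():
    """Same malformed input through both filters, plus a validated lookup."""
    conn = setup_db()
    malformed = "' OR '1'='1"   # a quote inside the value changes the concatenated statement
    return {
        "concatenated": filter_concatenated(conn, malformed),
        "bound": filter_bound(conn, malformed),
        "bound_valid": filter_bound(conn, validate_order_no("WO-1001")),
    }
```

With the malformed value the concatenated filter returns every row in the table, because the value rewrote the WHERE clause, while the bound filter returns nothing, because no order number equals that literal string. The validation step would have rejected the value before either query ran, which is why the guide recommends both measures together.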

7.1.3 Using HTML Output in Standard Operations


HTML output is a common way to display certain information to the user in the HTML format
(the data is rendered as HTML, not as plain text). However, this is not a recommended
approach from a security point of view. To mitigate the risk of a security breach, please make
sure that the data displayed to the user is plain text only and validate and sanitize all user
input.

7.1.4 Using Map Business Control in Standard Operations


It is possible to create a custom template (for pins and balloons) which includes HTML tags
(the pins and balloons may be styled with HTML, which contains JavaScript functions). This is
not a recommended approach from a security point of view. To mitigate the risk of a security
breach, be aware of what kind of JavaScript code you are using.
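For both 7.1.3 and 7.1.4 the practical step is the same: any value that originates from a user or from data must be escaped before it is placed into an HTML fragment, so that it renders as plain text rather than as markup. The following added example (not DELMIA Apriso code) renders a constructed pin/balloon template with and without escaping, and includes a simple lint that flags script elements, inline event handlers and javascript: URLs in a custom template so they can be reviewed before the template is used. The template, field names and sample values are constructed for this example.

```python
"""Escaping user-supplied values placed into HTML output (7.1.3) or into a Map
pin/balloon template (7.1.4), plus a lint for scripts inside custom templates.

Added example, not DELMIA Apriso code. The template string, field names and
sample values are constructed; html.escape from the standard library does the
escaping.
"""
import html
import re

# Constructed balloon template in the style of an HTML-styled pin label.
BALLOON_TEMPLATE = '<div class="balloon"><b>{equipment}</b>: {status}</div>'


def render_unsafe(template, values):
    """Raw substitution: any markup inside a value becomes part of the page."""
    return template.format(**values)


def render_escaped(template, values):
    """Every value is escaped (quotes included, so it is also safe inside an
    attribute value) before substitution; the template's own tags stay intact."""
    safe = {key: html.escape(str(val), quote=True) for key, val in values.items()}
    return template.format(**safe)


# Markers that warrant review in a custom template: script elements,
# inline event handlers such as onclick=, and javascript: URLs.
_SCRIPT_MARKERS = re.compile(r"<script\b|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def template_has_inline_script(template):
    """Rough lint for custom pin/balloon templates before they are deployed."""
    return _SCRIPT_MARKERS.search(template) is not None


def run_sample():
    values = {"equipment": "Press-01", "status": "<i>down</i> & waiting"}  # constructed
    return render_unsafe(BALLOON_TEMPLATE, values), render_escaped(BALLOON_TEMPLATE, values)
```

The unescaped rendering shows the status in italics, proving that the data was interpreted as markup; the escaped rendering shows the literal text `<i>down</i> & waiting`, which is the behaviour the guide asks for. The lint is a review aid, not a sanitizer: a template that trips it should be rewritten, not patched around.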

8 Best Practices
To ensure the correct and secure settings, the following order of configuration is
recommended:
1. Set up database security according to 2.6 Setting Up Database Security.
2. Install Windows updates recommended by Microsoft on Web, Application, Database
servers, and client machines as described in Other Prerequisites and Configurations to
be done before the Installation section of DELMIA Apriso Installation Guide.
3. Disable all TCP/IP ports, except those required by DELMIA Apriso as described in Other
Prerequisites and Configurations to be done before the Installation section of DELMIA
Apriso Installation Guide.
4. Enable HTTPS according to 2.1.2 Enabling HTTPS.
5. Enable TLS 1.2 on the server and client machines according to 2 Web Server and
Application Server.
6. Disable weak protocols (SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1) on the server and client
machines according to 2 Web Server and Application Server.
7. Secure HTTP Cookies according to 2.1.3 Securing HTTP Cookies.
8. Configure Cross-Origin Resource Sharing according to 2.1.5 Configuring Cross-Origin
Resource Sharing.
9. Configure Content Security Policy HTTP Response Headers according to 2.1.6
Configuring Content Security Policy HTTP Response Headers.
10. Configure ReturnURL Parameter Allowlist according to 2.1.7 Configuring ReturnURL
Parameter Allowlist.
11. Use secure data transmission for DELMIA Apriso services according to 2.2 Protecting
Web Services and DELMIA Apriso Services.
12. Configure a strong password and login policy according to 3 Password and Login Policy.
13. Secure the configuration files by enabling Configuration Service as described in 2.5
Protecting Configuration Files.
14. Disable WSDL and MEX in DELMIA Apriso Services and Business Web Services
according to 2 Web Server and Application Server.
15. Make sure that all prerequisites listed in the Verifying the Prerequisites for the Installation
section of the DELMIA Apriso Installation Guide are fulfilled.

9 Appendices
9.1 Appendix A: DELMIA Apriso Services - Example Secure
Configurations
Below are samples of the configuration files for the DELMIA Apriso services using HTTPS
security settings. Some sections of the configuration files, which are not directly related to
secure settings, were omitted for better legibility.

These example settings should be used for reference only.

9.1.1 Maintenance service using HTTPS security settings


RemotingServices.config:
<services>
<service
behaviorConfiguration="default"
name="FlexNet.SystemServices.Services.ServiceFactoryImpl">
<clear />
<endpoint
address="http://SERVERNAME.DOMAIN.com:32604/maintenanceservice/mex"
binding="mexHttpBinding"
contract="IMetadataExchange" />
<endpoint
address="https://SERVERNAME.DOMAIN.com:32602/maintenanceservice"
binding="wsHttpBinding"
bindingConfiguration="HttpsSecurity"
name="FlexNetEndpoint"
contract="FlexNet.SystemServices.Services.IServiceFactory" />
</service>
</services>

WcfClientConfiguration.xml:
<system.serviceModel>
[...]
<endpoint
address="https://SERVERNAME.DOMAIN.com:32602/maintenanceservice"
binding="wsHttpBinding"
bindingConfiguration="HttpsSecurity"
name="MaintenanceServices"
contract="FlexNet.SystemServices.Services.IServiceFactory" />
</client>
</system.serviceModel>

CentralConfiguration.xml:

<FlexNet.ServicesLocations>
<add key="MaintenanceServices"
value="REMOTING:https://${AppAddress}:32602/maintenanceservice" />
</FlexNet.ServicesLocations>

9.1.2 Global Process Manager service using HTTPS security settings


FlexNetGlobalProcessManagerRemotingService.exe.config:
<system.serviceModel>
[…]
<services>
[…]
<service
behaviorConfiguration="default"
name="FlexNet.SystemServices.Services.ServiceFactoryImpl">
<clear />
<endpoint
address="http://SERVERNAME.DOMAIN.com:32710/gpmservice/mex"
binding="mexHttpBinding"
contract="IMetadataExchange" />
<endpoint
address="https://SERVERNAME.DOMAIN.com:32709/gpmservice"
binding="wsHttpBinding"
bindingConfiguration="HttpsSecurityGPM"
name="FlexNetEndpoint"
contract="FlexNet.SystemServices.Services.IServiceFactory" />
</service>
[…]
</services>
</system.serviceModel>

WcfClientConfiguration.xml:
<system.serviceModel>
[…]
<endpoint
address="https://SERVERNAME.DOMAIN.com:32709/gpmservice"
binding="wsHttpBinding"
bindingConfiguration="HttpsSecurityGPM"
name="GlobalProcessManagerServices"
contract="FlexNet.SystemServices.Services.IServiceFactory" />
</client>
</system.serviceModel>

CentralConfiguration.xml:
<FlexNet.ServicesLocations>
<add key="GlobalProcessManagerServices"
value="REMOTING:https://${AppAddress}:32709/gpmservice" />
</FlexNet.ServicesLocations>

9.1.3 Maintenance service using HTTPS security settings protected with certificates
RemotingServices.config:
<services>
<service
behaviorConfiguration="SecurityBehaviorCert"
name="FlexNet.SystemServices.Services.ServiceFactoryImpl">
<clear />
<endpoint
address="http://SERVERNAME.DOMAIN.com:32604/maintenanceservice/mex"
binding="mexHttpBinding"
contract="IMetadataExchange" />
<endpoint
address="https://SERVERNAME.DOMAIN.com:32602/maintenanceservice"
binding="wsHttpBinding"
bindingConfiguration="HttpsSecurityCert"
name="FlexNetEndpoint"
contract="FlexNet.SystemServices.Services.IServiceFactory" />
</service>
</services>

WcfClientConfiguration.xml:
<system.serviceModel>
[…]
<endpoint
address="https://SERVERNAME.DOMAIN.com:32602/maintenanceservice"
binding="wsHttpBinding"
bindingConfiguration="HttpsSecurityCert"
name="MaintenanceServices"
contract="FlexNet.SystemServices.Services.IServiceFactory" />
</client>
</system.serviceModel>

CentralConfiguration.xml:
<FlexNet.ServicesLocations>
<add key="MaintenanceServices"
value="REMOTING:https://${AppAddress}:32602/maintenanceservice" />
</FlexNet.ServicesLocations>

9.2 Appendix B: Access Control List Generator Tool


9.2.1 Overview
The ACL Generator tool is available in the Post-Upgrade Utility (PUU).

After ACL is enabled in Central Configuration, the ACL Generator must be run in the PUU to
build a list of Capabilities and a map of the Capabilities allowed for each FlexPart of the M&M
Screen type (which is used by the ACL Validator).

The ACL Validator can also be used with other client applications supporting
UserSession. However, the Capabilities and Roles must be configured manually for
these client applications (for instructions for the manual configuration of Capabilities,
refer to 9.2.4 Manual Configuration of Capabilities).

9.2.2 Data Model


The ACL Generator tool uses the following database tables:

Figure 34 Access Control List data model

For detailed information on individual tables, refer to Database Documentation.

9.2.3 Access Control List Generation Mechanism


The steps below are performed when the ACL Generator Tool is run in PUU.

Building a List of Capabilities


1. ACL Generator reads the RemotedComponents.xml file listing all the server-side components
and their interfaces.
2. A list of server-side operations (Capabilities) is built.
3. The CAPABILITY table is populated.

Figure 35 ACL Generator – building a list of Capabilities

Analyzing FlexParts
1. ACL Generator reads the BUSINESS_OBJECT table to obtain a list of all the FlexParts of
the M&M Screen type.
2. ACL Generator reads the SCREEN table to obtain information on AssemblyNames and
ClassNames used in the Screens from the list obtained in the previous step.

Figure 36 ACL Generator – analyzing FlexParts

3. ACL Generator performs an in-depth analysis of AssemblyNames and ClassNames (the
M&M Screens linked to FlexParts) to obtain a list of all the server-side operations
(Capabilities) that can be reached from a given FlexPart.

Figure 37 ACL Generator – analyzing FlexParts (continued)

Matching Capabilities with FlexParts


1. The results of the analyses performed in the previous steps are combined to obtain a list of
the Capabilities for all FlexParts of the M&M Screen type.
2. The CAPABILITY_ROLE table is populated.

Figure 38 ACL Generator – matching Capabilities with FlexParts

For more information on using the Post-Upgrade Utility, refer to the Post-Upgrade Utility
Help.

9.2.4 Manual Configuration of Capabilities


The map of the Capabilities created using ACL Generator is based on the Role-based security
of FlexParts of the M&M Screen type. By principle, it is used only by the DELMIA Apriso
Desktop Client.
Before enabling ACL Validator for other client applications and services, the map of
Capabilities must be manually expanded using the DELMIA Apriso Desktop Client.
To configure the Capabilities for a user Role, ensure that ACL is enabled on the server and
follow the steps:
1. Open the DELMIA Apriso Desktop Client and log in as a user with full administrative
access.

2. Open the Roles screen and open the editor for one of the existing Roles or create a new
Role.
3. Navigate to the Capabilities tab.
4. Click (Link) to open the list of all the Capabilities defined in the system.

This list contains only the Capabilities that have not yet been assigned to the given
Role.

5. Select one or more items on the list. Use the filters for help in finding the required entries.
6. Click (Select) to add the selected Capabilities to the user Role.

Figure 39 Adding Capabilities to a Role

7. The selected Capabilities are added to the list in the Capabilities tab.

Figure 40 Capabilities assigned to the Role

8. Close the Role editor screen.
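The following Python block is an added model, not DELMIA Apriso code, of the data the ACL Generator produces in 9.2.3 and of the check a validator then makes with it: server-side operations become Capabilities, each Role's FlexParts determine which Capabilities it holds, and a request is allowed only if one of the user's Roles holds the requested Capability. Granting a Capability to a Role directly mirrors the manual step of 9.2.4. The component and method names under LoginManager and SignatureManager are the ones listed in 6.1 of this guide; everything marked constructed is invented for the example, and the real CAPABILITY, CAPABILITY_ROLE, BUSINESS_OBJECT and SCREEN tables carry more columns than the tuples used here.

```python
"""Model of the Capability / FlexPart / Role mapping built by the ACL Generator
(9.2.3), the validator check made with it, and the manual grant of 9.2.4.

Added example, not DELMIA Apriso code. LoginManager and SignatureManager
method names come from section 6.1 of the guide; entries marked constructed are
invented for this example.
"""

# Server-side components and their interface methods (RemotedComponents.xml in the product).
REMOTED_COMPONENTS = {
    "FlexNet.BusinessFacade.Security.LoginManager": [
        "ValidateUsernameAndPassword", "ValidateUserAndChangePassword"],
    "FlexNet.BusinessFacade.Signature.SignatureManager": [
        "SaveSingleSignature", "SaveDoubleSignature"],
    "Example.OrderManager": ["GetOrder", "ReleaseOrder"],  # constructed
}

# Constructed: FlexPart of the M&M Screen type -> operations its screen classes reach.
FLEXPART_OPERATIONS = {
    "Roles": {"FlexNet.BusinessFacade.Security.LoginManager.ValidateUsernameAndPassword"},
    "Security Log": {
        "FlexNet.BusinessFacade.Signature.SignatureManager.SaveSingleSignature",
        "FlexNet.BusinessFacade.Signature.SignatureManager.SaveDoubleSignature"},
    "Order Release": {"Example.OrderManager.GetOrder", "Example.OrderManager.ReleaseOrder"},
    "Legacy Screen": {"Example.Removed.Operation"},  # operation no longer exists server-side
}

# Constructed: Role-based security of FlexParts (which Role may open which screen).
ROLE_FLEXPARTS = {
    "Security Administrator": {"Roles", "Security Log"},
    "Operator": {"Order Release", "Legacy Screen"},
}


def build_capabilities(components):
    """'Building a List of Capabilities': one Capability per server-side operation."""
    return {f"{component}.{method}"
            for component, methods in components.items() for method in methods}


def build_capability_roles(capabilities, flexpart_operations, role_flexparts):
    """'Matching Capabilities with FlexParts': CAPABILITY_ROLE rows as (capability, role).
    Operations that no longer exist are dropped, so a stale screen grants nothing."""
    rows = set()
    for role, flexparts in role_flexparts.items():
        for flexpart in flexparts:
            for operation in flexpart_operations.get(flexpart, ()):
                if operation in capabilities:
                    rows.add((operation, role))
    return rows


def grant_capability(capability_roles, capabilities, role, capability):
    """Manual configuration (9.2.4): add one Capability to a Role. Unknown
    Capabilities are rejected rather than stored."""
    if capability not in capabilities:
        raise KeyError(capability)
    capability_roles.add((capability, role))


def is_allowed(capability_roles, user_roles, operation):
    """Validator check: allowed only if one of the user's Roles holds the Capability."""
    return any((operation, role) in capability_roles for role in user_roles)


def run_sample():
    caps = build_capabilities(REMOTED_COMPONENTS)
    rows = build_capability_roles(caps, FLEXPART_OPERATIONS, ROLE_FLEXPARTS)
    double_sig = "FlexNet.BusinessFacade.Signature.SignatureManager.SaveDoubleSignature"
    before = is_allowed(rows, {"Operator"}, double_sig)
    grant_capability(rows, caps, "Operator", double_sig)   # the 9.2.4 step, done in code
    after = is_allowed(rows, {"Operator"}, double_sig)
    return len(caps), len(rows), before, after
```

Two details in the model are the ones worth carrying into a real deployment: a Capability that maps to no existing server-side operation is never written to the Role map, and a Role gains a Capability only through an explicit grant, which is exactly why the guide warns that enabling userRolesValidation for a client other than the Desktop Client without the manual configuration of 9.2.4 leaves that client unable to call anything.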



10 Known Issues
10.0.1 Error while Logging out
When a user who was authenticated with 3DPassport login logs out, an error might be
recorded in the log file. Despite the error, the session ends and the user is logged out. The
error should not cause any problems and can be ignored.

11 Documentation Availability
All DELMIA Apriso documentation is available from <server name>/apriso/start and at 3DS
Support.
For more information, refer to the 3DS Support Knowledge Base.
