User Management Component 1.9.1
UMC Installation Manual

Contents

1  Concepts You Need to Know About
2  Supported Browsers
3  Prerequisites
4  How to Configure UMC
5  Configuring the Identity Provider in a High Availability/Reliability Scenario
6  How to Configure Custom Plugin Authentication
7  How to Configure Authentication via Cookie Adapter
8  How to Configure Teamcenter Manufacturing Web Integration
9  How to Configure Teamcenter Manufacturing RAC Integration
10 How to Upgrade to UMC 1.9.1
11 How to Uninstall UMC
12 Appendix

02/2018
A5E39179255-AD
Guidelines

This manual contains notes of varying importance that should be read with care; i.e.:

Important: Highlights key information on handling the product, on the product itself or on a particular part of the documentation.

Note: Provides supplementary information on handling the product, on the product itself or on a specific part of
the documentation.

Trademarks

All names identified by ® are registered trademarks of Siemens AG.

The remaining trademarks in this publication may be trademarks whose use by third parties for their own purposes
could violate the rights of the owner.

Disclaimer of Liability

We have reviewed the contents of this publication to ensure consistency with the hardware and software
described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the
information in this publication is reviewed regularly and any necessary corrections are included in subsequent
editions.

Security information

Siemens provides products and solutions with industrial security functions that support the secure operation of
plants, systems, machines and networks. In order to protect plants, systems, machines and networks against
cyber threats, it is necessary to implement, and continuously maintain, a holistic, state-of-the-art industrial
security concept. Siemens' products and solutions form only one element of such a concept.

The customer is responsible for preventing unauthorized access to its plants, systems, machines and networks. Systems,
machines and components should only be connected to the enterprise network or the Internet if and to the extent
necessary, and with appropriate security measures (e.g. firewalls and network segmentation) in place.

Additionally, Siemens' guidance on appropriate security measures should be taken into account. For more
information about industrial security, visit http://www.siemens.com/industrialsecurity.

Siemens' products and solutions undergo continuous development to make them more secure. Siemens strongly
recommends applying product updates as soon as they are available and always using the latest product versions. Using
product versions that are no longer supported, or failing to apply the latest updates, increases the customer's
exposure to cyber threats.

To stay informed about product updates, subscribe to the Siemens Industrial Security RSS feed at
http://www.siemens.com/industrialsecurity.

Siemens AG, Digital Factory
Postfach 48 48
90026 NÜRNBERG
GERMANY

A5E39179255-AD    20180201_64496
Copyright © Siemens AG 2018. Technical data subject to change.

Contents
1 Concepts You Need to Know About...................................................................................... 5
1.1 User Manager Domain...................................................................................................... 5
1.2 User Manager User........................................................................................................... 5
1.3 User Manager Group ........................................................................................................ 6
1.4 Machine Roles .................................................................................................................. 7
1.5 Deployment Scenarios...................................................................................................... 9
1.6 Built-in User Roles .......................................................................................................... 10

2 Supported Browsers ............................................................................................................ 11


3 Prerequisites ......................................................................................................................... 12
3.1 IIS Prerequisites.............................................................................................................. 13

4 How to Configure UMC......................................................................................................... 17


4.1 Quick Configuration - Standalone UMC Scenario........................................................... 18
4.2 Configuring Https Protocol in Microsoft IIS ..................................................................... 19
4.3 How to Configure UMC Manually.................................................................................... 20
4.4 How to Configure UMC via Script ................................................................................... 20
4.5 How to Configure UMC Ring Servers, UM Servers and Agents ..................................... 21
4.5.1 Configuring UM Priority Ring Server ....................................................................... 22
4.5.2 Configuring UM Secondary Ring Server ................................................................. 23
4.6 Configuring Identity Provider........................................................................................... 23
4.7 Performing Optional Configurations of the Identity Provider........................................... 25
4.8 Configuring Web UI and Service Layer API.................................................................... 28
4.9 Configuring Remote Authentication ................................................................................ 29
4.10 Configuring Integrated Windows Authentication ........................................................... 30
4.11 Configuring Firefox for Integrated Windows Authentication .......................................... 33
4.12 How to Configure Smart Card (PKI) Authentication...................................................... 34
4.12.1 Configuring Smart Card Authentication Infrastructure .......................................... 34
4.12.2 Configuring Smart Card Web Application ............................................................. 34
4.12.3 Setting Account Policy for Smart Card Authentication .......................................... 36
4.13 Installing and Configuring UMC Station Client.............................................................. 37
4.14 Enabling HTTPS in a HTTP UMC Scenario.................................................................. 38

5 Configuring the Identity Provider in a High Availability/Reliability Scenario ................. 40


5.1 Supported Network Configuration................................................................................... 40
5.2 Supported Client Affinity ................................................................................................. 40
5.3 High Availability/Reliability General Issues ..................................................................... 41
5.4 Health State Service ....................................................................................................... 42
5.5 NLB and Health State Integration ................................................................................... 43

6 How to Configure Custom Plugin Authentication ............................................................. 45


6.1 Setting User Alias for Plugin Authentication ................................................................... 46

User Management Component 1.9.1 - UMC Installation Manual


iii
A5E39179255-AD
6.2 Implementing a Stateful Plugin ....................................................................................... 46
6.3 Implementing a Stateless Plugin..................................................................................... 48
6.4 Building a Script for Plugin Activation ............................................................................. 49

7 How to Configure Authentication via Cookie Adapter ...................................................... 50


7.1 Implementing a Lockdown Procedure............................................................................. 51
7.2 Generating a Private/Public Keys Pair............................................................................ 51
7.3 Configuring the Cookie Adapter...................................................................................... 51

8 How to Configure Teamcenter Manufacturing Web Integration ....................................... 55


8.1 Generating Private and Public Keys for Teamcenter Web Integration............................ 57
8.2 Configuring the TCSS Web Adapter ............................................................................... 57

9 How to Configure Teamcenter Manufacturing RAC Integration....................................... 62


9.1 Generating Private and Public Keys for Teamcenter RAC Integration............................ 64
9.2 Configuring the TCSS RAC Adapter............................................................................... 65

10 How to Upgrade to UMC 1.9.1............................................................................................ 69


10.1 General Recommendations .......................................................................................... 69
10.2 Upgrading UM Secondary Ring Server......................................................................... 70
10.3 Upgrading UM Priority Ring Server............................................................................... 70
10.4 Upgrading UM Server ................................................................................................... 71
10.5 Upgrading UM Agent .................................................................................................... 72
10.6 Upgrading UMC Station Client...................................................................................... 72

11 How to Uninstall UMC......................................................................................................... 73


11.1 Uninstalling Full UMC.................................................................................................... 73
11.2 Uninstalling UMC Station Client .................................................................................... 73

12 Appendix ............................................................................................................................. 74
12.1 Importing a Windows Local User on an Agent.............................................................. 74
12.2 Troubleshooting ............................................................................................................ 74
12.3 UMC Processes ............................................................................................................ 76
12.4 Event Logging ............................................................................................................... 77
12.5 Log Forwarding Service ................................................................................................ 79
12.5.1 IElLog.................................................................................................................... 79
12.5.2 Log Forwarding Service C++ Plug-in .................................................................... 80
12.6 Additional Provisioning Configuration ........................................................................... 82

1 Concepts You Need to Know About
The following concepts are considered prerequisites to understand how to configure UMC:

• User Manager Domain


• User Manager User
• User Manager Group
• Machine Roles
• Deployment Scenarios
• Built-in User Roles

1.1 User Manager Domain

A User Manager domain (UM domain) is a collection of computers, defined by the administrator of a
network, that share a common directory database. A UM domain provides access to the centralized
user accounts and group accounts maintained by the UM domain administrator.

Important:

UM domains are distinct entities from Windows domains, which are defined at operating-system
level.

1.2 User Manager User

A User Manager user (UM user in what follows) is a user in the User Manager Component database,
identified by a user name. Note that UM users are distinct entities from Windows users,
which are defined at operating-system level.

Custom attributes can be associated with UM users. Examples of custom attributes are common user
properties such as phone number, department, and so on.
To apply Secure Application Data Support (SADS), access to encrypted application data can be
granted to authorized users, allowing them to decrypt it using specific Subject Keys.

UM User Types

You can distinguish three types of UM users:

• users created from scratch in UMC or created via csv file;


• Windows local users that are imported into UMC (via umx): in this case the user name follows
the pattern <machineName>\<localUserName>;
• Active Directory users that are imported into UMC (via umx or via Web UI): in this case the
user name follows the pattern <ADdomainName>\<ADuserName>.


UM User Passwords

Users created within UMC also have an associated password; empty passwords are not allowed.
Users imported from Windows authenticate against Windows and do not have a UMC password.
Imported Windows local users authenticate only locally, against Windows on the machine where they
exist. They can be used only for configuration purposes, for instance to be associated with a
Windows service running on that machine.

Offline Users

When you create a UMC user you can flag the user as offline. The UMC provisioning service checks whether the
offline user exists in Active Directory:

• if the user is present, the user data are synchronized and the user becomes online;
• otherwise the user remains offline.

Important:

Users created as offline are enabled by design: as soon as they become online they can
perform the actions allowed by their function rights, with no further administrative step.
Assign function rights to an offline user with the same care as to an online one.

The user name of an offline user must follow the AD pattern <ADdomainName>\<ADuserName>. Offline users do
not have a UMC password, as they cannot authenticate until they become online. The user Security
Identifier (SID; see the Microsoft documentation on security identifiers for details) is set to the
placeholder value S-1-0-0 and is replaced with the actual AD value by the UMC provisioning service.

Users are also flagged offline if they are deleted from AD. In this case they are permanently deleted
from the UMC database after a configurable interval (default: 12 hours). See Additional Provisioning
Configuration in the Appendix of this manual for details.

1.3 User Manager Group


A User Manager group (UM group in what follows) is a container of users and is identified by a name.
Note that UM groups are different entities with respect to Windows groups that are defined at operating
system level.

To apply Secure Application Data Support (SADS), access to encrypted application data can be
granted to authorized groups to allow them to decrypt it using specific Subject Keys.

UM Group Types

There are two types of UM groups:

• groups created from scratch in UMC or created via csv file;


• Active Directory groups that are imported into UMC (via umx or via Web UI).


Offline Groups

When creating a UMC group, you can flag the group as offline. The UMC provisioning service checks whether the
offline group exists in Active Directory:

• if the group is present, the group data are synchronized, the AD users that are members of the group are
imported into UMC and the group becomes online;
• otherwise the group remains offline.

The name of an offline group must follow the AD pattern <ADdomainName>\<ADgroupName>.

1.4 Machine Roles

UMC Computer Roles

In a typical UMC scenario there are three computer roles:

• UM ring server: the owner of the UM configuration. It is responsible for managing the
domain and provides the full implementation of the authentication and user management features. The
priority ring server is the one configured first, by running the umconf utility. If more than
one ring server is available and you unjoin the priority ring server, the system dynamically elects a
new priority ring server.
• UM server: provides the full implementation of the authentication features. A UM server runs in
degraded mode if it is not connected to any UM ring server.
• UM agent: works as a client of the UM server or UM ring server to which it is attached, and can
be used to run an application developed with the UMC API. See the User Management
Component API SDK Developer Manual for details. To import Windows local
users, see Importing a Windows Local User on an Agent in the Appendix of this manual.

Important:

Engineering operations are not allowed on the UM Agent, except for encryption
enablement.

The main differences between the three machine roles are listed in the table below.

Master ring server

The ring server to which the other ring servers send their requests to write to the UMC database (the
candidate for writing) is called the master ring server. Either the priority or the secondary ring server can be
master. If the priority ring server is master, writing is enabled and the machine can write to the UMC database.

If the priority ring server fails, the secondary ring server becomes master with writing disabled
(safe mode on). If safe mode is switched off with the appropriate umx command, the secondary
ring server becomes a master with writing enabled. Note that some operations on the UMC system
configuration are not allowed in this state, e.g. modifying the whitelist (see the UMCONF User Manual for
details).


UMC Station Client

A machine role orthogonal to the previous ones is the UMC station client. A UMC station client is a
machine on which the UMC station client software has been installed and which has been registered as a
trusted machine. A UMC station client provides a claim that carries certified logon station information.
The client product can use these details to associate authorization rights with a machine; that machine need
not be a ring server, UM server or agent.

The UMC installation includes the UMC station client installation, so UM ring servers, UM servers and UM
agents only need to register to become UMC station clients, whereas a machine that is not part of the
UMC domain must first install the UMC station client software and then register to become a
UMC station client.

CAUTION:

If you want to manage Active Directory users, the UM ring server and the UM server
machines have to be joined to the AD Windows domain.

Machine Role Functionalities

The table below maps each functionality to the machine roles. In the original table every cell carries one of
three marks: fully implemented; not available; or available only while the machine is connected to the UM Server.
The marks themselves are not reproduced in this copy; the functionality rows, the column order and the instance
limits (which agree with the limits given under Deployment Scenarios) are.

Functionality                                                      | UM Server | UM Ring Server | UM Agent
-------------------------------------------------------------------+-----------+----------------+---------
Perform TIA User authentication                                    |           |                |
Local single modifications                                         |           |                |
Change password                                                    |           |                |
Authentication against Active Directory                            |           |                |
Manage Domain attach/join (acts as proxy for agents)               |           |                |
Potential Master                                                   |           |                |
Can sign authentication object                                     |           |                |
Propagate UM configuration                                         |           |                |
Can host Identity Provider / Remote Authentication or UMC Web UI   |           |                |
Number of instances                                                | max 4     | 1-2            | max 25
Off Line Authentication / Read-Only on the configuration           |           |                |
Ring Failover - recovery (merge missing)                           |           |                |
Electronic Log Store&Forward                                       |           |                |
Log Forwarding                                                     |           |                |
Import Windows Local Users                                         |           |                |
Import AD Users/Group                                              |           |                |

1.5 Deployment Scenarios

The following deployment scenarios are supported:

• standalone scenario: one ring server on which UMC and all its Web components are installed
and configured. A quick configuration guide is available for this scenario (see Quick Configuration -
Standalone UMC Scenario).
• redundant scenario:
– 2 UM ring server machines: the ring server configured first is called the priority ring
server; the secondary one is added to the ring using the join command;
– up to 4 UM servers;
– up to 25 UM agents.

Each UMC Web component can be installed and configured on any UM ring server and/or on any UM
server. If you install the UMC Web UI on a UM server, you cannot import AD users via the UMC Web UI.

NLB redundancy is supported only for the Identity Provider.

Standalone engineering station

UMC allows you to prepare configuration data (users, groups and so on) on a standalone engineering
station and export them as a UMC configuration package, which can then be imported into a production
target system. The two commands involved are the umx export package and import package commands. If you
want to overwrite the configuration of the target production system with that of the source engineering
machine, use the update command instead of the import command. For more information on
these commands and how they affect the target machine, see the UMX User Manual.

If the target system is not yet configured, you can import a package using the umconf import package
command. For more information see the UMCONF User Manual.


1.6 Built-in User Roles

A User Manager role groups a set of function rights. Function rights are the capabilities to perform
operations. They are associated with roles so that every UM user holding a given UM role is
allowed to perform the set of operations associated with it. UM roles can be associated with UM users
or with UM groups, so that all the users belonging to such a group inherit the function rights of the role.
UM roles are used to define the function rights within UMC, for instance whether a user can
configure UMC or not.

The following roles are created automatically while configuring UMC:

• Administrator: the built-in "root" role; a user holding it can perform any operation. This role cannot be
associated with any group. It can be associated with a user only by a user that in turn holds the Administrator
role. The Administrator role cannot be deleted, and only users holding it can modify other users that hold it.
• UMC Admin: can manage users, groups and all the other UMC entities.
• UMC Viewer: can read the user management configuration without making modifications.

2 Supported Browsers
The following browsers are supported by both the Identity Provider and the Web UI.

General Recommendations

• For security reasons, set the browser cookie policy so that cookies are not kept after
the browser is closed. This prevents a user from reopening the browser and finding
themselves logged in without providing credentials again.
• The browser used to display the UMC Web UI must allow pop-ups.
• While using the UMC Web UI do not select the option Prevent this page from creating
additional dialogs: selecting it causes Web UI malfunctions.
• Disable the Autocomplete option in your browser settings, so that credentials typed into the
logon form are not stored by the browser.

Identity Provider

• Internet Explorer 8
• Internet Explorer 9
• Internet Explorer 10
• Internet Explorer 11
• Chrome 32.0.1700.107 m or higher
• Firefox 31.0 or higher
• Microsoft Edge 25.10586.0.0 or higher

UMC Web UI

The Web UI is based on HTML5. For this reason it is supported only on:

• Internet Explorer 11
• Chrome 32.0.1700.107 m or higher
• Firefox 31.0 or higher
• Microsoft Edge 25.10586.0.0 or higher

Important:

The following resolutions are supported:

• 1280x800
• 1920x1200

3 Prerequisites
The prerequisites for UMC are listed below, divided into:

• General Recommendations
• Supported Operating Systems
• Prerequisites for Installing UMC
• Identity Provider Prerequisites
• IIS Configuration

General Recommendations

• Operating Systems: the operating system must be updated with the latest security patches, to
improve system reliability and security.
The Windows security patch KB2532445 must be installed on the following OS:
– Windows Server 2008 R2 SP1 (Professional, Enterprise, Datacenter Edition)
– Windows 7 SP1 (x86, x64)

• Computer Naming Conventions: the computer name of the machines on which you will install
UMC must contain only alphanumeric characters and must not exceed 15 characters. See the host name
limitations in the Microsoft Support documentation for more information.

Supported Operating Systems

UMC can be installed on the following Operating Systems:

• Windows Server 2016 (Standard)


• Windows Server 2012 R2 (Standard, Datacenter Edition)
• Windows Server 2008 R2 SP1 (Standard, Enterprise, Datacenter Edition)
• Windows 8.1 (x86, x64)
• Windows 7 SP1 (x86, x64)
• Windows 10 Version 1511 (OS Build 10586.0) or subsequent (x86, x64)

Prerequisites for Installing UMC (32 bit / 64 bit)

In order to install UMC, the following redistributable packages have to be installed on Windows Server
2008 R2, Windows 7, Windows 8.1, Windows Server 2012 R2 and Windows 10:

• Microsoft Visual C++ 2015 Redistributable - x86 14.0.23026.00
• Microsoft Visual C++ 2015 Redistributable - x64 14.0.23026.00


Important:
• For 32-bit operating system versions only the 32-bit redistributable packages have
to be installed, whereas for 64-bit operating system versions all the redistributable
packages have to be installed.
• In the BUNDLE and SIWA installers the redistributable packages are automatically
installed.

The following table lists the UMC components and whether each runs on 32-bit and/or 64-bit machines.
The marks in the cells of the original table are not reproduced in this copy; the Identity Provider row
follows from the prerequisite below that the Identity Provider machine must be 64-bit.

Component                          | 32 bit | 64 bit
-----------------------------------+--------+-------
UMCONF                             |        |
UMX                                |        |
Identity Provider                  | no     | yes
Web UI                             |        |
Remote Authentication              |        |
Integrated Windows Authentication  |        |
Service Layer API                  |        |
API SDK                            |        |

Identity Provider Prerequisites

• The machine has to be a 64-bit machine.
• Microsoft Framework:
– Microsoft .NET Framework 4 Client Profile
– Microsoft .NET Framework 4 Extended
• Microsoft Internet Information Services:
– Internet Information Services 7.5, 8, 8.5, or 10

CAUTION:

UMC Web services rely on cookies to function correctly. No warning about cookie usage is
displayed, because the application must not be exposed as an open Web service, for instance
one reachable from the Internet; it is intended for the plant network only.

3.1 IIS Prerequisites

The IIS configuration verification steps vary with the version of Windows on which they are
performed. The following verification procedures are based on Windows Server 2016 and Windows 10.

To harden your system, install the minimum set of IIS features possible: the lists below are the
features UMC needs, and anything beyond them enlarges the attack surface of the host that serves the
Identity Provider and the Web UI. See the UMC Security Concept for more information on system hardening.


Windows Server 2016

Verify that the following roles and features are installed on Windows Server 2016.

1. On the start page click Server Manager.
2. Click Dashboard in the left pane.
3. Click Add Roles and Features (item 2 on the dashboard).
4. Click Role-based or feature-based installation and click Next.
5. Select a server from the list and click Next.
6. Verify the following Roles are selected under Web Server (12 of 34):
– Common HTTP Features (4 of 6)
- Default Document
- Directory Browsing
- HTTP Errors
- Static Content

– Health and Diagnostics (1 of 6)


- HTTP Logging

– Performance (1 of 2)
- Static Content Compression

– Security (2 of 9 )
- Request Filtering
- Windows Authentication

– Application Development (4 of 11)


- .Net Extensibility 4.6
- ASP.NET 4.6
- ISAPI Extensions
- ISAPI Filters

7. Verify the following Roles are selected under Management Tools (3 of 7):
– IIS Management Console
– IIS Management Scripts and Tools
– Management Service

8. Click Next.
9. Verify the following Features are selected:
– .Net Framework 3.5 Features (1 of 3)
- .Net Framework 3.5 (includes .net 2.0 and 3.0)

– .Net Framework 4.6 Features (3 of 7)


- .NET Framework 4.6
- ASP.NET 4.6
- WCF Services (1 of 5)
- TCP Port Sharing

– Windows Defender Features and WoW64 Support


- Windows Defender


- GUI for Windows Defender

– Windows PowerShell (3 of 5)
- Windows PowerShell 5.1
- Windows PowerShell 2.0 Engine
- Windows PowerShell ISE

10. Close Windows Server Manager.
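The same check from the command line, as an added example that is not part of the manual: it compares the host against the list above using Install-WindowsFeature feature names (my mapping of the Server Manager display names, not something the manual states) and also flags IIS role services that are installed without being on the list, since the hardening advice in this section is to install the minimum set. The function and variable names are mine.

```powershell
# Added example, not code from the UMC manual: compare a Windows Server 2016 host against the role
# and feature list above, report what is missing and which extra IIS role services are installed.
# The feature names are the standard Install-WindowsFeature names; mapping them onto the Server
# Manager display names in the list is my reading, not something the manual states.

$UmcRequiredFeatures = @(
    # Web Server (IIS): Common HTTP Features, Health and Diagnostics, Performance, Security,
    # Application Development, Management Tools
    'Web-Server', 'Web-Default-Doc', 'Web-Dir-Browsing', 'Web-Http-Errors', 'Web-Static-Content',
    'Web-Http-Logging', 'Web-Stat-Compression', 'Web-Filtering', 'Web-Windows-Auth',
    'Web-Net-Ext45', 'Web-ISAPI-Ext', 'Web-ISAPI-Filter', 'Web-Asp-Net45',
    'Web-Mgmt-Console', 'Web-Scripting-Tools', 'Web-Mgmt-Service',
    # Features: .NET 3.5, .NET 4.6 (+ ASP.NET, TCP Port Sharing), Windows Defender, PowerShell
    'NET-Framework-Core', 'NET-Framework-45-Core', 'NET-Framework-45-ASPNET',
    'NET-WCF-TCP-PortSharing45', 'Windows-Defender', 'Windows-Defender-Gui',
    'PowerShell', 'PowerShell-V2', 'PowerShell-ISE'
)

# Container entries that Server Manager installs implicitly; they are not extra attack surface.
$IisGroupFeatures = @('Web-WebServer', 'Web-Common-Http', 'Web-Health', 'Web-Performance',
                      'Web-Security', 'Web-App-Dev', 'Web-Mgmt-Tools')

function Get-UmcIisFeatureReport {
    param([string[]]$Required = $UmcRequiredFeatures)
    Import-Module ServerManager -ErrorAction Stop
    $installed = @(Get-WindowsFeature | Where-Object Installed | Select-Object -ExpandProperty Name)

    $missing = @($Required | Where-Object { $_ -notin $installed })
    # Any IIS role service installed beyond the list (WebDAV, FTP, CGI, Basic/Digest auth, ...)
    # widens the attack surface of the Identity Provider / Web UI host and needs a justification.
    $extraWeb = @($installed | Where-Object {
        $_ -like 'Web-*' -and $_ -notin $Required -and $_ -notin $IisGroupFeatures })

    [pscustomobject]@{
        Missing   = $missing
        ExtraWeb  = $extraWeb
        Compliant = ($missing.Count -eq 0 -and $extraWeb.Count -eq 0)
    }
}

$report = Get-UmcIisFeatureReport
"Missing features  : $($report.Missing -join ', ')"
"Extra IIS features: $($report.ExtraWeb -join ', ')"
"Compliant         : $($report.Compliant)"

# Install only what is missing; drop -WhatIf once the list has been reviewed.
if ($report.Missing.Count -gt 0) {
    Install-WindowsFeature -Name $report.Missing -WhatIf
}
```

Run it in an elevated PowerShell session on the target server. Review the ExtraWeb list before uninstalling anything: a role service that UMC does not need may still be required by another product on the same host. On Windows 10 the corresponding cmdlets are Get-WindowsOptionalFeature and Enable-WindowsOptionalFeature, and the feature names differ from the Server ones, so this script is not a substitute for the Windows 10 procedure below.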

Windows 10

Verify that the following features are installed on Windows 10.

1. Type "Turn Windows Features on and off" in the Search Windows box.
2. Click Turn Windows Features on and off in the result pane; a window is displayed.
3. Verify the following are installed under:
– Internet Information Services:
- Web Management Tools:
- IIS Management Console
- IIS Management Scripts and Tools
- IIS Services

- World Wide Web Services:


- Application Development Features
- .Net Extensibility 4.6
- ASP.NET 4.6
- ISAPI Extensions
- ISAPI Filters

- Common HTTP Features


- Default Document
- Directory Browsing
- HTTP Errors
- Static Content

- Health and Diagnostics


- HTTP Logging

- Performance Features
- Static Content Compression

- Security
- Request Filtering
- Windows Authentication

- .Net Framework 3.5 Features


- .Net Framework 4.6 Advanced Features
- ASP.NET 4.6
- WCF Services


- TCP Port Sharing

- Windows PowerShell 2.0


- Windows PowerShell 2.0 Engine

4. Click Cancel to close the window.

4 How to Configure UMC
Once UMC has been installed it can be configured in one of two alternative ways:

• manually;
• via script, you can use the quick configuration page if you only need to configure a simple
standalone scenario.

CAUTION:
• If the HTTPS protocol has been configured, HTTP cannot be used.
• The firewall on UMC Servers and Ring Servers must be configured to allow inbound
access on the port used for HTTP (by default 80) or on the port used for HTTPS (by
default 443).
• The underlying system must be correctly configured in order to guarantee that the
UMC Web Components function correctly. For example, if a proxy is present, it
must be correctly configured.

HTTP configuration

CAUTION:

We strongly suggest that you enable HTTPS in plant environments. Without it, UMC
credentials, session cookies and claims travel in clear text and can be read or replayed
by anyone on the network path.

If IIS is not configured to work with the HTTPS protocol, you can configure UMC both manually and via
script, but the secure protocol is not enabled. In this scenario:

• SSO does not work. To enable SSO you have to edit the Identity Provider web.config file (e.g.
C:\Program Files\Siemens\UserManagement\WEB\IPSimatic-Logon\Web.config) and remove
the setting requireSSL="true".
• If the UMC Web UI does not work, verify that the value of the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Siemens\User Management\WebUI\Settings\secure is
set to 0.
• Windows Integrated Authentication does not work (see Known Issues in the Release Notes).
• The anti-forgery token has to be disabled by setting the entry <add key=
"UseAntiForgeryToken" value="false" /> in the web.config file. Note that this removes the
cross-site request forgery protection of the login and change password pages.
• Smart card authentication does not work.

Web Components Configuration Reset

UMC provides a script, REMOVE_IdP_WebUI_configurator.bat, to reset the configuration of the Web
Components. The batch file can be found in C:\Program Files\SIEMENS\UserManagement\BIN, if the
default installation folder is selected. The script works on a 64 bit machine only.


CAUTION:

If you perform any modification to the IIS configuration after launching the configuration
script IdP_WebUI_configurator.bat, or if you have configured UMC without using this
script, you have to reset the Web components configuration and, only afterwards,
configure the system again.

4.1 Quick Configuration - Standalone UMC Scenario


The following procedure describes the minimum steps required to configure a UMC standalone
scenario, that is, a single machine with the priority ring server role. The procedure does not
document all the possible configuration options; some additional configurations which can be applied
to this scenario are listed under Additional Configurations. For more complex configurations and
scenarios see configuring UMC manually or via script.

Prerequisites

• Full UMC installation has been installed.
• IIS has been configured to work with the HTTPS protocol.
• The operating system must be 64 bit.
• (only required to manage Active Directory users) the Windows user specified in the last bullet of
step 2 must have:
– Active Directory access rights;
– write access on the UMC folder C:\ProgramData\Siemens\UserManagement\CONF, or
alternatively belong to the Windows group UM Service Account.

Procedure

1. Right-click UMConf, which can be found in the subdirectory Wow\Bin (for example C:\
Program Files\Siemens\UserManagement\Wow\Bin), and select Run As Administrator.
2. Follow the guided configuration in UMConf Interactive mode:
– Create a User Management Domain, specifying a name that uses only alphanumeric
characters.
– Create a User Management user with administrator role, specifying a username that uses
only alphanumeric characters and a password that complies with your organization's
password policy.
– Associate a Windows user who is either a member of the UM Service Accounts group or who
has administrative rights to the UMCService, by inserting .\<username> and the
corresponding password.
– (optional) To manage Active Directory users, specify a Windows user as described in the
prerequisites, by inserting <domain>\<username> and the password.

3. Right-click IdP_WebUI_configurator.bat, which can be found in C:\Program Files\SIEMENS\
UserManagement\BIN, if the default installation folder is selected, and select Run as
Administrator.


Additional Configurations

• Configure Firefox for Integrated Windows Authentication; this procedure is not required for other
browsers.
• Perform Additional Identity Provider Configuration.
• If SADS (secure application data support) is required, it must be enabled via the UMX utility by
running the command umx -AP -setakp; for more information see the UMX User Manual.

4.2 Configuring Https Protocol in Microsoft IIS

Prerequisites

A valid SSL certificate has been acquired from a Certification Authority, or a self-signed SSL certificate
has been created. A self-signed certificate is only suitable for test systems: browsers warn about it and
reject it unless it has been installed in their trusted root store.

Procedure

1. Open IIS Manager.
2. In the tree on the left go to the node of the site which you have configured.
3. Right click on the node and select Edit Bindings.
4. Click Add: the Add Site Binding dialog box opens.
5. Set Type to https, leave the port at 443 (or enter the HTTPS port you use) and select the
acquired certificate in the SSL certificate field, then click OK.
6. Click OK and then Close.
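The same binding can be created without the IIS Manager dialog. The script below is an added example and not Siemens code; it assumes the site is Default Web Site, that the HTTPS port is 443 and that the binding is for the machine's own host name. The self-signed fallback exists so that a test system can be brought up; in production the certificate found in the machine store should be the CA-issued one.

```powershell
# Added example (not from the Siemens manual): create the HTTPS binding of section 4.2
# from PowerShell and verify it. Assumptions: site "Default Web Site", port 443,
# binding for this machine's host name. Self-signed certificates are for test use only.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$SiteName  = 'Default Web Site'
$HttpsPort = 443

function Get-UmcHostName {
    # FQDN when the machine is domain-joined and DNS resolves it, otherwise the computer name
    try { [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName } catch { $env:COMPUTERNAME }
}
$HostName = Get-UmcHostName

function Get-UmcServerCertificate {
    param([Parameter(Mandatory)][string]$DnsName)
    # Prefer an existing, still valid certificate for this host in the machine store,
    # which is where an imported CA-issued certificate lands.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$DnsName" -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) {
        Write-Warning "No certificate for $DnsName found; creating a self-signed one (test use only)"
        $cert = New-SelfSignedCertificate -DnsName $DnsName -CertStoreLocation Cert:\LocalMachine\My
    }
    $cert
}

$cert = Get-UmcServerCertificate -DnsName $HostName

# Steps 4 and 5 of the manual: add the https binding once (re-running must not duplicate it)
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port $HttpsPort)) {
    New-WebBinding -Name $SiteName -Protocol https -Port $HttpsPort -IPAddress '*'
}
# The "SSL certificate" field of the dialog: attach the certificate to the binding
$binding = Get-WebBinding -Name $SiteName -Protocol https -Port $HttpsPort
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# Checks: something listens on the port, and the bound thumbprint is the chosen one
$tcp = Test-NetConnection -ComputerName $HostName -Port $HttpsPort -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) { throw "No listener on ${HostName}:${HttpsPort}" }
$bound = (Get-Item "IIS:\SslBindings\0.0.0.0!$HttpsPort").Thumbprint
if ($bound -ne $cert.Thumbprint) { throw "Port $HttpsPort is bound to another certificate: $bound" }
"HTTPS binding on ${HostName}:${HttpsPort} uses certificate $($cert.Thumbprint)"
```

Remember the caution at the start of this chapter: once the HTTPS binding is in place and the UMC Web components are configured for it, the HTTP binding is no longer usable for UMC, so do not leave clients pointing at port 80.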


4.3 How to Configure UMC Manually

General Recommendations

The Web components can be configured in any UM ring server and/or in any UM server. In order to
guarantee IdP high availability and reliability, we suggest that you install and configure it on more than
one machine and configure the IdP high availability/reliability.

Prerequisites

IIS has been previously configured to work with the HTTPS protocol.

Workflow

1. Configure UM ring server(s), UM server(s) and agent(s)


2. Configure the following UMC Web Components:
– Identity Provider
– Web UI and Service Layer API
– Remote Authentication

3. Perform the following additional Web configuration steps:


– perform optional configuration of the Identity Provider;
– configure Integrated Windows Authentication;
– configure Firefox for Integrated Windows Authentication;
– configure Smart Card Authentication;

4. Install and configure UMC station clients (optional).

4.4 How to Configure UMC via Script


To configure all the Web components on the same UM ring server/UM server, UMC provides a script
IdP_WebUI_configurator.bat that allows you to configure them to work with the HTTPS protocol and
to configure the integrated Windows authentication (except the Firefox configuration that has to be
performed manually).

The batch file can be found in C:\Program Files\SIEMENS\UserManagement\BIN, if the default


installation folder is selected. If IIS has been previously configured to work with the HTTPS protocol,
the script configures the Web components accordingly.


Note:
• If the user that runs the script is a Windows local user, the FQDN cannot be
retrieved; this results in the registry key of the IdP being configured with only
the machine name and not the domain name.
• If you have configured a site in IIS with a name other than Default Web Site,
you must open a command prompt as administrator in the installation folder of
the .bat file and pass the name of the site as a parameter, for example: C:\
Program Files\Siemens\UserManagement\BIN>IdP_WebUI_configurator.bat "your
web site name"

General Recommendations

The Web components can be configured in any UM ring server and/or in any UM server. In order to
guarantee IdP high availability and reliability, we suggest that you install and configure it on more than
one machine and configure the IdP high availability/reliability.

Prerequisites

• IIS has been previously configured to work with the HTTPS protocol.
• The operating system must be 64 bit

Workflow

1. Configure UM ring server(s), UM server(s) and agent(s).


2. For all the servers on which you want to configure the Web components, right-click
IdP_WebUI_configurator.bat, which can be found in C:\Program Files\SIEMENS\
UserManagement\BIN, if the default installation folder is selected, and select Run as
Administrator.
3. Configure Firefox for Integrated Windows Authentication (optional).
4. Configure smart card authentication (optional).
5. Perform Additional Identity Provider Configuration (optional).
6. Install and configure UMC station clients (optional).

4.5 How to Configure UMC Ring Servers, UM Servers and Agents

Prerequisites

A full UMC Installation has been installed on the machine.

If you want to manage Active Directory users, the UM ring server and the UM server machines have to
be joined to the AD Windows domain.


Procedure

1. Configure the machine you have elected as priority master.
2. Configure the machine you have elected as secondary master (only for a redundant scenario).
3. If you have elected one or more machines as UM servers, configure each of them as follows:
– using the umconf.exe program on the UM server machine, join the server to the domain
(serverType parameter equal to 0). Refer to the UMCONF User Manual for more details.

4. If you have elected one or more machines as agents, configure each of them as follows:
– using the umconf.exe program on the agent machine, attach the agent to the domain.
Refer to the UMCONF User Manual for more details.

Important:

Please check that:

• the port TCP/4002 is open on all machines, or the firewall is disabled for um.Ris.exe, the
UM process responsible for communication between UM machines (a rule that allows only
TCP/4002 for that process is preferable to disabling the firewall for it);
• for localhost, the following TCP ports are open: 16, 32, 91, 1001, 2259, 4144.
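The PowerShell below is an added example, not Siemens code. It creates the inbound Windows Firewall rules this box and the caution at the start of the chapter ask for (TCP/4002 for UM communication, the web port for the Web components, the localhost ports) and then tests reachability from another ring member. The location of um.Ris.exe, the web port 443 and the peer name umc-ring2.example.local are assumptions to adapt.

```powershell
# Added example (not from the Siemens manual): firewall rules for a UM ring server /
# UM server and a reachability check. Assumptions: um.Ris.exe lives in the 32 bit BIN
# folder, the Web components use HTTPS on 443 (80 only where HTTPS is not configured),
# and 'umc-ring2.example.local' stands for another member of the ring.
#Requires -RunAsAdministrator

$UmRisPath = 'C:\Program Files\Siemens\UserManagement\BIN\um.Ris.exe'   # assumed location
$WebPort   = 443

function Add-UmcFirewallRule {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int[]]$Port,
        [string]$Program,
        [string]$RemoteAddress
    )
    # Idempotent: a rule with this display name is created only once.
    if (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue) { return }
    $rule = @{ DisplayName = $Name; Direction = 'Inbound'; Action = 'Allow'
               Protocol = 'TCP'; LocalPort = $Port }
    if ($Program)       { $rule.Program       = $Program }        # bind the rule to one process
    if ($RemoteAddress) { $rule.RemoteAddress = $RemoteAddress }  # restrict the allowed peer
    New-NetFirewallRule @rule | Out-Null
}

# UM machine-to-machine traffic: allow TCP/4002 only for um.Ris.exe, which is tighter
# than switching the firewall off for that program.
Add-UmcFirewallRule -Name 'UMC um.Ris.exe (TCP 4002)' -Port 4002 -Program $UmRisPath
# Web components (IdP, Web UI, Service Layer): HTTPS, or HTTP where HTTPS is not configured.
Add-UmcFirewallRule -Name "UMC Web components (TCP $WebPort)" -Port $WebPort
# Ports the manual lists for localhost: accept them from the loopback address only.
Add-UmcFirewallRule -Name 'UMC local ports' -Port 16,32,91,1001,2259,4144 -RemoteAddress 127.0.0.1

function Test-UmcPort {
    param([Parameter(Mandatory)][string]$ComputerName, [Parameter(Mandatory)][int[]]$Port)
    foreach ($p in $Port) {
        $r = Test-NetConnection -ComputerName $ComputerName -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $ComputerName; Port = $p; Open = $r.TcpTestSucceeded }
    }
}

# Run from a second ring member against this one: both ports must report Open = True.
Test-UmcPort -ComputerName 'umc-ring2.example.local' -Port 4002, $WebPort | Format-Table -AutoSize
```

Test-NetConnection reports whether a process is actually listening, so a failed check on 4002 after the rule exists usually means the UM services are not running on the peer rather than a firewall problem.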

Additional Operations

The following optional step can be performed on one of the previous machines:

Associate an administrative Role with a user, so that this user can run the umx.exe command or can
log in to the Web UI to manage UM users and groups.

4.5.1 Configuring UM Priority Ring Server

The following steps must be performed using umconf.exe, which is distributed with UMC and
installed in the subdirectory \BIN (32 bit) or Wow\Bin (64 bit); for more information on UMCONF see the
UMCONF User Manual.

Prerequisites

• (only required to manage Active Directory users) the Windows user specified at step 5 must
have:
– Active Directory access rights;
– Write access on the UMC folder C:\ProgramData\Siemens\UserManagement\CONF or
alternatively they must belong to the Windows group UM Service Account.

Procedure

Using the umconf.exe program on the User Management (UM) ring server machine, perform the
following steps:


1. Execute umconf from a command prompt opened in the subdirectory \BIN or WoW\BIN, using a
Windows user with administrative rights.
2. Create a User Management Domain.
3. Perform either of the following operations:
– if you want to configure the machine from scratch, create a User Management user with
administrator role and a password that complies with your organization's password policy,
see UMC Security Concepts for more information;
– if you want to import an existing configuration, import a UMC package.

4. Associate a Windows user who is either a member of the UM Service Accounts group or who has
administrative rights to the UMCService, by inserting .\<username> and the corresponding
password.
5. If you need to import Active Directory users and groups via the umx tool or via the Web UI,
associate a Windows user with Active Directory access rights to the UPService. See the
UMCONF User Manual and UMX User Manual for more details.

Note: If SADS (secure application data support) is required see the UMX User Manual.

Additional Operations

Additional provisioning configurations can also be performed.

4.5.2 Configuring UM Secondary Ring Server

Procedure

To create another ring server machine:

1. Create the main ring server machine.


2. Join the server using the umconf.exe program. See UMCONF User Manual for more details.
3. If you have configured the AD provisioning on the priority ring server, you have to configure it
also in the secondary ring server.

Additional Operations

Additional Provisioning Configuration can also be performed.

4.6 Configuring Identity Provider

Prerequisites

• The Identity Provider prerequisites have been satisfied.


• The machine must be a 64 bit UM ring server or UM server.

Procedure

1. Open IIS Manager.


2. In the tree on the left select the Application Pools node.
3. Right click on the node and select Add Application Pool: the following dialog box opens.

4. Insert the parameters as displayed in the previous image and click OK.
5. In the tree on the left select the Default Web Site node.
6. Right click on the node and select Add Application: the following dialog box opens.

7. Insert the parameters as displayed in the previous image and click OK. The path of the
application is C:\Program Files\Siemens\UserManagement\Web\IPSimatic-Logon.
8. Select the created application pool and click on Advanced Settings.


9. Set the field Regular Time Interval (minutes) to 0, which disables the periodic recycling of the
application pool, and click OK.
10. To verify that the application works properly, in the tree on the left go to the IPSimatic-Logon
node.
11. Right click on the node and select Manage Application > Browse. The Identity Provider
application opens displaying the login page.

4.7 Performing Optional Configurations of the Identity Provider


The following optional configuration operations can be performed by editing the Identity Provider
Web.config file (C:\Program Files\Siemens\UserManagement\WEB\IPSimatic-Logon\Web.config):

• Enable the Identity Provider Log
• Enable the Use of Paths in Cookies
• Enable the Use of Whitelisting
• Enable the Anti Forgery Token
• Disable the Display of the Security Disclaimer
• Enable the Automatic Login
• Enable Login via Smart Card Authentication
• Enable Login via Cookie Adapter or Custom Plugin
• Disable and Hide the Windows Authentication Link
• Disable the use of the Logon Station in Claims
• Internal Keys

Enabling the Identity Provider Log

Insert the name of the file you want to use as log file in the key <add key="LogFileName" value="" />.


Examples
<add key="LogFileName" value="myFile.log" />
<add key="LogFileName" value="myFile.txt" />

Enabling the Use of Paths in Cookies

This configuration is mandatory if you want to use the IdP behind a reverse proxy.

Insert the IdP URL in the key <add key="ClaimIssuerAuthority" value="" />.

Example
<add key="ClaimIssuerAuthority" value="https://myMachine/IPSimatic-Logon" />

Enabling the Use of Whitelisting

Modify the value in the key <add key="EnableWhitelistMembershipService" value="false" /> to true.

Enabling the Anti Forgery Token

Set the value of the key <add key="UseAntiForgeryToken" value="true" /> to true to protect the
login and change password pages against cross-site request forgery.

Note: If you have enabled the anti forgery token in the web.config file, problems may
arise for Web Single Sign On if the UMC login page is open in several tabs of the same
browser.

Disabling the Display of the Security Disclaimer

Modify the value in the key <add key="UseDisclaimerMessage" value="true" /> to false.

Enabling Automatic Login

Modify the value of the key <add key="AutoLoginMode" value="" /> as follows:

• <add key="AutoLoginMode" value="iwa" /> to enable the automatic login with Windows
authentication;
• <add key="AutoLoginMode" value="pki" /> to enable the automatic login via smart card;
• <add key="AutoLoginMode" value="desktop|<plugin_id>" /> to enable the automatic login via
desktop plugin;
• <add key="AutoLoginMode" value="flexauth:<name_plugin>" /> to enable the automatic login via
custom plugin, specifying the name of the plugin.

To specify multiple custom plugins, separate the names with a double pipe (||), for example:
<add key="AutoLoginMode" value="flexauth:<name_plugin>||<name_plugin>" />


Enabling Login via Smart Card Authentication

Modify the value of the key <add key="EnablePKI" value="false" /> to true.

Enabling Login via Cookie Adapter or Custom Plugin

Modify the value of the key <add key="EnableFlexAuth" value="false" /> to true.

Disabling and Hiding the Windows Authentication Link

Modify the value of the key <add key="EnableIWA" value="true" /> to false.

Disabling the use of the Logon Station in Claims

Modify the value of the key <add key="EnableLogonStation" value="true" /> to false.

Note: If false, the name of the machine from which the user has logged on is not retrieved
and therefore not included in the claim. The logon station information is not used by UMC
itself but may be used by other applications.

Internal Keys

The following keys are either for backward compatibility or internal use and as such they must not be
modified:

• <add key="webpages:Version" value="2.0.0.0" />


• <add key="webpages:Enabled" value="false" />
• <add key="ProcessIsWOW64" value="false" />
• <add key="PreserveLoginUrl" value="true" />
• <add key="ClientValidationEnabled" value="false" />
• <add key="UnobtrusiveJavaScriptEnabled" value="true" />
• <add key="AddMESTicket" value="no" />
• <add key="EnableTrustOnWindowsLogin" value="true" />
• <add key="PswExpireDays" value="0"/>
• <add key="HealthCheckPeriod" value="5" />
• <add key="IPRepositoryType" value="session"/>
• <add key="IPRepositoryType" value="cookies"/>
• <add key="ValidationSettings:UnobtrusiveValidationMode" value="None" />
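The script below is an added example rather than Siemens code. It applies the appSettings changes of this section (and the UseAntiForgeryToken change of the HTTP-only scenario described at the start of the chapter) with an XML parser instead of a text editor, refuses to touch the internal keys listed above and keeps a backup of the file. It assumes the standard ASP.NET layout <configuration><appSettings><add key="..." value="..."/></appSettings></configuration> and, so that it runs offline, writes a constructed stand-in Web.config to a temporary file; point $ConfigPath at the real IdP file to use it.

```powershell
# Added example (not Siemens code): controlled edits of appSettings keys in the
# Identity Provider Web.config. Assumption: the keys sit under
# /configuration/appSettings as <add key=".." value=".."/> elements.
# The Web.config below is a constructed stand-in so the script runs offline; the real file is
# C:\Program Files\Siemens\UserManagement\WEB\IPSimatic-Logon\Web.config.

$ConfigPath = Join-Path $env:TEMP 'Web.config'
@'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <add key="LogFileName" value="" />
    <add key="ClaimIssuerAuthority" value="" />
    <add key="UseAntiForgeryToken" value="true" />
    <add key="AutoLoginMode" value="" />
    <add key="EnableIWA" value="true" />
    <add key="webpages:Version" value="2.0.0.0" />
  </appSettings>
</configuration>
'@ | Set-Content -Path $ConfigPath -Encoding UTF8

# Keys the manual marks as internal or backward compatibility: never change them.
$InternalKeys = 'webpages:Version', 'webpages:Enabled', 'ProcessIsWOW64', 'PreserveLoginUrl',
    'ClientValidationEnabled', 'UnobtrusiveJavaScriptEnabled', 'AddMESTicket',
    'EnableTrustOnWindowsLogin', 'PswExpireDays', 'HealthCheckPeriod', 'IPRepositoryType',
    'ValidationSettings:UnobtrusiveValidationMode'

function Get-IdpAppSetting {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Key)
    [xml]$xml = Get-Content -Path $Path -Raw
    $node = $xml.SelectSingleNode("/configuration/appSettings/add[@key='$Key']")
    if (-not $node) { throw "appSettings key '$Key' not found in $Path" }
    $node.GetAttribute('value')
}

function Set-IdpAppSetting {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Key,
        [Parameter(Mandatory)][AllowEmptyString()][string]$Value
    )
    if ($InternalKeys -contains $Key) { throw "'$Key' is an internal key and must not be modified" }
    [xml]$xml = Get-Content -Path $Path -Raw
    $node = $xml.SelectSingleNode("/configuration/appSettings/add[@key='$Key']")
    if (-not $node) { throw "appSettings key '$Key' not found in $Path" }   # no silent key creation
    Copy-Item -Path $Path -Destination "$Path.bak" -Force                  # rollback copy
    $node.SetAttribute('value', $Value)
    $xml.Save($Path)
    "$Key = '$Value'"
}

# The manual's examples: IdP log file, issuer URL for a reverse proxy, automatic Windows login.
Set-IdpAppSetting -Path $ConfigPath -Key LogFileName          -Value 'myFile.log'
Set-IdpAppSetting -Path $ConfigPath -Key ClaimIssuerAuthority -Value 'https://myMachine/IPSimatic-Logon'
Set-IdpAppSetting -Path $ConfigPath -Key AutoLoginMode        -Value 'iwa'
# HTTP-only scenario (chapter introduction): the anti-forgery token has to be disabled.
Set-IdpAppSetting -Path $ConfigPath -Key UseAntiForgeryToken  -Value 'false'

Get-IdpAppSetting -Path $ConfigPath -Key AutoLoginMode     # iwa
# An internal key is rejected before the file is touched:
try { Set-IdpAppSetting -Path $ConfigPath -Key 'webpages:Version' -Value '3.0.0.0' } catch { Write-Warning $_ }
```

Because IIS restarts the application when Web.config changes, make the edits during a maintenance window, and keep the .bak copy until the login page has been verified.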


4.8 Configuring Web UI and Service Layer API

Important:

UMC contains two IIS 64 bit Native Modules: um.ra.dll and um.slvm64.dll

Prerequisites

• The prerequisites have been satisfied.


• The machine must be a 64 bit UM ring server or UM server.
• The Identity Provider (IdP) has been correctly configured.

Procedure

1. Open the Registry Editor.
2. In the tree on the left go to the HKLM\SOFTWARE\SIEMENS\User Management node.
3. Right click on the node, select New > Key and insert the WebUI key.
4. Right click on the WebUI node, select New > Key and insert the Settings key.
5. Right click on the Settings node, select New > String Value.
6. Double click on the newly inserted value and set as Value name the string idpaddress and as
Value data the complete IdP URL. According to the IdP configuration the URL has to start with
http or https.
7. Close the Registry Editor.
8. Open IIS Manager.
9. In the tree on the left select the Application Pools node.
10. Right click on the node and select Add Application Pool: the following dialog box opens.

11. Insert the parameters as displayed in the previous image and click OK.
12. In the tree on the left go to the Default Web Site node.
8. Open IIS Manager.
9. In the tree on the left select the Application Pools node.
10. Right click on the node and select Add Application Pool: the following dialog box opens.

11. Insert the parameters as displayed in the previous image and click OK.
12. In the tree on the left go to the Default Web Site node.


13. Right click on the node and select Add Application: the following dialog opens.

14. Insert the parameters as displayed in the previous image and click OK. The path of the
application is C:\Program Files\Siemens\UserManagement\WEB\Umc.
15. To verify that the application works properly, in the tree on the left go to the UMC node.
16. Right click on the node and select Manage Application > Browse. The Web UI application
opens displaying the login page.
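The following PowerShell is an added example, not the Siemens configurator script. It covers both the Identity Provider application of section 4.6 and the Web UI application and registry value of this section. The site name, the pool names UMC_IdP and UMC_WebUI, the .NET 4.x runtime of the pools and the IdP URL derived from the machine's host name are assumptions; the manual's dialog screenshots, which hold the exact pool parameters, are not reproduced here, so compare the pool settings with them.

```powershell
# Added example (not Siemens code): application pools, IIS applications and the
# idpaddress registry value for the Identity Provider (4.6) and the Web UI (4.8).
# Assumptions: site "Default Web Site", default installation folder, pool names
# UMC_IdP / UMC_WebUI, .NET 4.x pools, IdP URL built from this machine's host name.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$Site   = 'Default Web Site'
$UmRoot = 'C:\Program Files\Siemens\UserManagement'

function Get-UmcHostName {
    # FQDN when the machine is domain-joined and DNS resolves it, otherwise the computer name
    try { [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName } catch { $env:COMPUTERNAME }
}
$IdpUrl = "https://$(Get-UmcHostName)/IPSimatic-Logon"   # must start with https (http only in an HTTP-only scenario)

function New-UmcWebApp {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$PhysicalPath,
        [Parameter(Mandatory)][string]$Pool
    )
    if (-not (Test-Path $PhysicalPath)) { throw "Application folder not found: $PhysicalPath" }
    if (-not (Test-Path "IIS:\AppPools\$Pool")) {
        New-WebAppPool -Name $Pool | Out-Null
        Set-ItemProperty "IIS:\AppPools\$Pool" -Name managedRuntimeVersion -Value 'v4.0'   # assumed
        # Manual, step 9 of 4.6: Regular Time Interval (minutes) = 0, i.e. no periodic recycling
        Set-ItemProperty "IIS:\AppPools\$Pool" -Name recycling.periodicRestart.time -Value ([TimeSpan]::Zero)
    }
    if (-not (Get-WebApplication -Site $Site -Name $Name)) {
        New-WebApplication -Site $Site -Name $Name -PhysicalPath $PhysicalPath -ApplicationPool $Pool | Out-Null
    }
}

New-UmcWebApp -Name 'IPSimatic-Logon' -PhysicalPath "$UmRoot\WEB\IPSimatic-Logon" -Pool 'UMC_IdP'
New-UmcWebApp -Name 'UMC'             -PhysicalPath "$UmRoot\WEB\Umc"             -Pool 'UMC_WebUI'

# Steps 1 to 7 of 4.8: HKLM\SOFTWARE\Siemens\User Management\WebUI\Settings\idpaddress (REG_SZ)
$RegBase = 'HKLM:\SOFTWARE\Siemens\User Management'
foreach ($key in "$RegBase\WebUI", "$RegBase\WebUI\Settings") {
    if (-not (Test-Path $key)) { New-Item -Path $key | Out-Null }
}
New-ItemProperty -Path "$RegBase\WebUI\Settings" -Name idpaddress -PropertyType String -Value $IdpUrl -Force | Out-Null

# Verification: recycling is really off, both applications exist, the registry value points at the IdP
foreach ($pool in 'UMC_IdP', 'UMC_WebUI') {
    $interval = (Get-Item "IIS:\AppPools\$pool").recycling.periodicRestart.time
    if ($interval -ne [TimeSpan]::Zero) { throw "$pool still recycles every $interval" }
}
Get-WebApplication -Site $Site | Select-Object path, applicationPool, PhysicalPath | Format-Table -AutoSize
'idpaddress = ' + (Get-ItemProperty -Path "$RegBase\WebUI\Settings" -Name idpaddress).idpaddress
```

After running it, open https://<host>/IPSimatic-Logon and https://<host>/UMC in a browser as steps 10 and 11 of section 4.6 and steps 15 and 16 above describe; both must show the login page.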

4.9 Configuring Remote Authentication

Prerequisites

• The general UMC prerequisites have been satisfied.


• The machine must be a 64 bit UM ring server or UM server.

Procedure

1. Open IIS Manager.


2. In the tree on the left go to the root node.
3. On the right area of the screen double click on Modules.


4. On the top right corner click on Configure Native Modules: the following dialog box opens.

5. Click on Register: the following dialog box opens.

6. Insert the parameters as displayed in the previous image and click OK.

4.10 Configuring Integrated Windows Authentication


The following procedure allows you to configure the Integrated Windows Authentication of the Identity
Provider (IdP) so that you can log in to the Web UI using the current Windows session (see the User
Management Component Web User Interface Manual). You have to:

1. Enable the Windows Authentication on IIS.
2. Install the Windows Authentication Role Service.

If you want to use Firefox, you must also perform some manual browser configuration.

Prerequisites

• The Identity Provider prerequisites have been satisfied.


• The machine must be a 64 bit UM ring server or UM server.

Enabling the Windows Authentication on IIS

1. Open IIS Manager.


2. In the tree on the left select the IPSimatic-Logon node.


3. Double click on Authentication.

4. Verify that the authentication settings are the following:

5. Right click on the IPSimatic-Logon node and select Add Application to add the
WinAuthSite application, the path is for instance C:\Program Files\Siemens\
UserManagement\web\ipsimatic-logon\WinAuthSite. Then click OK.


6. In the tree on the left select the WinAuthSite node and set the following authentication
settings.

Installing the Windows Authentication Role Service

1. Open Server Manager.


2. In the tree on the left select the Web Server (IIS) node.
3. Install the Windows Authentication Role Service.


4.11 Configuring Firefox for Integrated Windows Authentication


The following procedure allows you to configure Firefox to work with the Integrated Windows
Authentication of the Identity Provider (IdP) so that you can log in to the Web UI using the current
Windows session (see the User Management Component Web User Interface Manual). The string
<domain> used in the procedure can be:

• the computer name, if the machine on which the IdP is installed does not belong to an
Active Directory domain (example: myMachine);
• a FQDN (Fully Qualified Domain Name) such as <computerName>.<domainName>.
<extension>, if the machine on which the IdP is installed belongs to an Active Directory domain
(example: myMachine.siemens.com).

Prerequisites

The configurations of IIS for the Integrated Windows Authentication have been performed.

Procedure

1. Navigate to the URL about:config in Firefox and accept the warning (I'll be careful, I promise!).
2. In the search box, search for the preference network.negotiate-auth.allow-non-fqdn.
3. Double click on the preference to set its value to true.
4. Search for the preference network.negotiate-auth.trusted-uris (the list of sites to which Firefox
may send Negotiate, i.e. Windows, authentication) and set its value to <domain> as defined
above. Then close the window.


4.12 How to Configure Smart Card (PKI) Authentication


The following configuration steps must be performed to enable authentication via smart card.

The operations can be performed in any order.

Procedure

1. Configure Smart Card Authentication Infrastructure.


2. Configure Smart Card Web Application (not needed if you configure UMC via script).
3. Enable Login via Smart Card Authentication.
4. Set Account Policy for Smart Card Authentication.

4.12.1 Configuring Smart Card Authentication Infrastructure

Server side

The Smart Card Authentication can only be configured on machines where the Identity Provider has
been configured. IIS authentication via certificate must be correctly configured in order for it to function.

Important:

The following IIS configuration requirements must be taken into account:

• certificate revocation list (CRL) checks must be supported, i.e. the revocation
information of the client certificates must be reachable from the IdP server;
• the Client Authentication Issuer certificate has to be installed in the Certificate
Manager;
• the Trusted Root Certification Authorities store has to contain only self signed
certificates (a certificate that is not self signed in that store breaks client certificate
authentication in IIS);
• the use of the Client Authentication Issuer on port 443, or on the IdP port, has to be
enabled.

Client side

The following steps are needed to configure client side Smart Card authentication:

• smart card drivers must be installed on each client machine;


• if you use Firefox, the additional configuration for Security Devices must be performed.

4.12.2 Configuring Smart Card Web Application

This procedure is not needed if you have used the IdP_WebUI_configurator.bat script to configure
UMC.


Procedure

1. Open IIS Manager.


2. Right click on the IPSimatic-Logon node and select Add Application to add the PkiAuthSite
application, the path is for instance C:\Program Files\Siemens\UserManagement\web\
ipsimatic-logon\PkiAuthSite. Then click OK.
3. In the tree on the left select the PkiAuthSite node.

4. Double click on SSL Settings and set the values as follows.


5. To verify that the smart card authentication application is correctly configured, open a browser
instance.
6. Insert a smart card in the smart card reader.
7. Open the page at the following address: https://<address>/ipsimatic-logon/pkiauthsite/info.aspx;
a JSON document is displayed with the information read from the smart card.

If the JSON document is not displayed correctly, we suggest that you temporarily enable detailed error
responses on IIS (and switch them off again afterwards, because they disclose server internals to
clients) and carefully verify the smart card authentication infrastructure configuration.

4.12.3 Setting Account Policy for Smart Card Authentication

The smart card authentication mechanism is based on a matching between the user data stored on the
smart card and the data stored in UMC.

Procedure

1. To configure the data matching, go to the UMC Web UI account policy page with a user that has
the proper access rights.
2. Define the field to be retrieved from the smart card (CN (Common Name), Subject or Alternate
Subject) to identify the user in UMC.
3. Select either of the following authentication options:
– simple authentication (no alias): the value of the selected field is compared with the UMC
user name; if they match, the user is authenticated;
– alias authentication: you have to define an alias for the user in the user detail dialog; the
value of the selected field is compared with the UMC alias; if they match, the user is
authenticated.

For more information see the account policy documentation in the User Management Component Web
User Interface Manual.


Alternative Operations

• You can also define an alias using the dedicated UMX command. See UMX User Manual for
more details.
• For AD users the alias can be set in the importing phase, for more information see Additional
Provisioning Configuration.

Example

Consider a user with the following values:

User name = John_Brown

Alias = [email protected]

Depending on the account policy selection, the following two cases can occur:

• Authenticate using CN: if the value stored in the CN of the smart card certificate is John_Brown
(the UMC user name), the user is authenticated; otherwise authentication fails;
• Alias authentication using CN: if the value stored in the CN of the smart card certificate is
[email protected] (the UMC alias), the user is authenticated; otherwise authentication fails.

4.13 Installing and Configuring UMC Station Client

CAUTION:

No checks are currently performed at setup level on the UMC station client installation.
Over-installation of the UMC station client causes serious system malfunctioning. In
particular you must not install the UMC station client on a machine where you have
already installed full UMC.

UMC Station Client can be configured in either of the two following ways:

• in the UMC Web UI,


• via script.

Prerequisites

• The Windows user logged in must have administrative rights.


• Full UMC installation or UMC station client has been executed on your machine. During the
installation you have simply to proceed with the wizard.
• The UMC Web UI has to be properly configured for the UMC system, see Configuring Web UI.
• If you are using HTTPS a valid SSL certificate must have been acquired from a Certification
Authority or a self-signed SSL certificate has been created.


Configuring UMC Station Client in the Web UI

1. Connect to the UMC Web UI at the following address: http://<myServer>/umc or
https://<myServer>/umc depending on the configuration.
2. Log in with a UMC user with the built-in role Administrator.
3. Click on the Register button.

Configuring UMC Station Client via Script

1. Login with a UMC user with the built-in role Administrator.


2. Launch the regx.ps1 script located in the subdirectory \BIN of the 32 bit installation folder.
3. The script requires the following parameters:
– UMC Server name (only a ring master);
– user (who must own the UM_REGCLIENT function right);
– password.

Result

The system registers the machine as a UMC station client machine that provides a claim in which
certified logon station details are included.

4.14 Enabling HTTPS in a HTTP UMC Scenario


According to the configurations you have done on the UMC Web components, you have to perform
one of the following alternative procedures:

• Configure UMC Web components via script (IdP_WebUI_configurator.bat).


• Configure UMC Web components manually or customize them.

Prerequisites

A UMC Web component is installed and configured on your machine and IIS is not configured for
HTTPS.

Configuring UMC Web components via script (no customization)

1. Configure IIS for the HTTPS protocol.


2. Launch the script REMOVE_IdP_WebUI_configurator.bat. The batch file can be found in C:\
Program Files\SIEMENS\UserManagement\BIN, if the default installation folder is selected.
Note that the script works on a 64 bit machine only.
3. Launch the configuration script IdP_WebUI_configurator.bat to configure UMC Web
Components.


Configuring UMC Web components manually or customizing their configuration

1. Configure IIS for the HTTPS protocol.


2. If you have performed any modification to the IIS configuration after launching the
configuration script IdP_WebUI_configurator.bat, or if you have configured UMC without using
this script, you have to enable the HTTPS protocol on the Web components manually.

5 Configuring the Identity Provider in a High
Availability/Reliability Scenario
The high availability and reliability of the Identity Provider (IdP) is supported by means of the Network
Load Balancing (NLB) technology. Network Load Balancing is a clustering technology that enhances
the scalability and availability of TCP/IP-based services such as Web applications (e.g. the UMC Identity
Provider). To scale performance, NLB distributes the incoming IP traffic over several web servers
by using a virtual IP address for the entire Web server group and rerouting client requests to the
servers of the group. Each server is characterized by a network address that identifies the entire group
and a dedicated network address. NLB also ensures high availability by detecting host failures and
automatically redistributing traffic to the surviving hosts.

UMC has been tested with the Network Load Balancing service included in Microsoft Windows Server. For
more information about Microsoft Network Load Balancing concepts and installation procedures, see the
documentation at Microsoft TechNet (http://technet.microsoft.com).

UMC specific information on NLB configuration can be found in the following sections:

• Supported Network Configuration
• Supported Client Affinity
• High Availability/Reliability General Issues
• NLB and Health State Integration

5.1 Supported Network Configuration

Network Load Balancing can operate in two modes: Unicast (default) and Multicast. UMC IdP supports
the following network configuration:

• NLB in Unicast mode, which ensures that it operates properly with all routers;
• Two network adapters for each cluster host, which is the minimum number of adapters to permit
communication among cluster hosts when NLB is operating in Unicast mode.

5.2 Supported Client Affinity

In Network Load Balancing, three client affinity settings are possible to help preserve client
sessions: none, single client (default), and class C.

To reduce the performance impact of session sharing, UMC IdP supports only the default single client
affinity mode, which redirects all the requests coming from the same client (IP address) to the same
host. A custom session state provider is needed in order to manage the IdP session properly.

UMC has been tested with NCache Open Source software. To guarantee the correct level of security
we suggest using NCache with:

• an encrypted channel;
• the command authorization mechanism enabled.

NCache Web.config Configuration

After configuring NCache properly, you need to uncomment the following sections of the Identity
Provider web.config file (e.g. C:\Program Files\Siemens\UserManagement\WEB\IPSimatic-Logon\
web.config). The name of the cache (cacheName) has to be equal to the one configured in NCache.

<assemblies>
  <add assembly="Alachisoft.NCache.SessionStoreProvider, Version=4.4.0.0,
                 Culture=neutral, PublicKeyToken=1448E8D1123E9096" />
</assemblies>

<sessionState cookieless="false" cookieName="UMCSSOSession"
              regenerateExpiredSessionId="false" mode="Custom"
              customProvider="NCacheSessionProvider" timeout="20">
  <providers>
    <add name="NCacheSessionProvider"
         type="Alachisoft.NCache.Web.SessionState.NSessionStoreProvider"
         sessionAppId="test" cacheName="UMC" writeExceptionsToEventLog="true"/>
  </providers>
</sessionState>

5.3 High Availability/Reliability General Issues

• The level of availability/reliability of the system depends on many factors, such as the IT
infrastructure, the redundancy of the UMC architecture, the adopted NLB service and the session
state provider.
• The choices related to the previous factors have a deep impact on the system security. The triad
of security quality attributes is granted as follows:
– integrity, the assurance that the information is trustworthy and accurate, is granted by our
system;
– confidentiality, a set of rules that limits access to information, is granted thanks to third party
software that manages redundancy, such as NLB and NCache;
– availability, the reliable access to the system by authorized people, is granted thanks to
third party software that manages redundancy, such as NLB and NCache.
• If you want the Integrated Windows Authentication mechanism to work properly without
prompting for user credentials, you have to use Kerberos in order to authenticate against IIS.
Kerberos requires a specific configuration in an NLB scenario. Please refer to Microsoft technical
documentation for more details (see for instance
http://blogs.msdn.com/b/vivekkum/archive/2008/06/15/step-by-step-kerberos-in-nlb-with-shared-content.aspx).

• If you configure a Reverse Proxy in order to use multiple web servers, you must increase the
value of the query string length on all the web servers, via IIS Manager, to the values specified in
the following screenshot.

5.4 Health State Service


UMC Health State is an HTTP/HTTPS service that provides information on the health state of the
authentication via UMC Identity Provider. The protocol depends on IIS configuration.

The value of the health state is contained in the field status of the HTTP response header:

• status = 200, the authentication can be performed successfully;
• status = 404, the authentication cannot be performed.

The health state information is derived from the one provided by the Health Check Service described in
UMC Release Notes.

Example URL

https://<host_name>/ipsimatic-logon/GetHealthState

Additional parameters

An additional parameter can be used in the request: mode=checkring. In this case the value of
the field status is computed as follows:

• status = 404, if the machine is a UM ring server, is a master and is in safe mode, or the
machine is a UM server and is in degraded mode;
• otherwise, status = the one returned by the HTTP request
http://<host_name>/ipsimatic-logon/GetHealthState.

Example URL

https://<host_name>/ipsimatic-logon/GetHealthState?mode=checkring

5.5 NLB and Health State Integration

The UMC health state service can be used in a high availability/reliability scenario based on NLB
technology to start or stop the UMC machines running the Identity Provider according to the result
provided by the health state. Below is an example script developed in PowerShell that queries the
status of a node and stops or starts it according to the UMC status, using the Microsoft Windows
Server NLB PowerShell cmdlets. The script can be scheduled to run periodically via Windows Task
Scheduler.

PowerShell Script Example

CAUTION:

The sample code is provided for illustrative purposes only. It has not been thoroughly
tested under all conditions. Therefore, we cannot guarantee or imply its reliability,
serviceability, or function.

In the example two machines VM-UMC-N1 and VM-UMC-N2 are configured in NLB and their status is
checked via the PowerShell function CheckNodeHS. According to the status, the node is stopped or
started.

CheckNodeHS

Function CheckNodeHS([string]$nodeToCheck)
{
    $url = "https://" + $nodeToCheck + "/IPSimatic-Logon/GetHealthState"
    $r = [System.Net.WebRequest]::Create($url)

    # Ignore certificate errors. This disables TLS server validation for the whole
    # process; keep it only where the nodes present certificates the scheduler host
    # cannot otherwise validate.
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }

    $resp = $null
    try
    {
        $resp = $r.GetResponse()
    }
    catch [Net.WebException]
    {
        # a 404 (authentication cannot be performed) is reported as an exception,
        # so $resp stays $null
    }
    if ($resp -ne $null -and $resp.StatusCode -match "OK")
    {
        # 200 returned: make sure the node is serving traffic
        Write-Host ("Node " + $nodeToCheck + " OK")
        Start-NlbClusterNode $nodeToCheck
    }
    else
    {
        # any value other than 200: take the node out of the cluster
        Write-Host ("Node " + $nodeToCheck + " NOT OK")
        Stop-NlbClusterNode $nodeToCheck
    }
}

Script

# MAIN
Clear-Host
Import-Module NetworkLoadBalancingClusters
$node1 = "VM-UMC-N1"
$node2 = "VM-UMC-N2"

# Get-NlbClusterNode returns every node of the cluster the given host belongs to;
# the example assumes a two-node cluster
$nodeStatus = Get-NlbClusterNode -HostName $node1
$status1 = $nodeStatus[0].State.ToString()
$status2 = $nodeStatus[1].State.ToString()
if ($status1 -match "converged" -and $status2 -match "converged")
{
    Write-Host "NLB status is good"
}
else
{
    Write-Host "NLB status is NOT good"
    Write-Host "Node 1: status is" $status1
    Write-Host "Node 2: status is" $status2
}

# Start or stop each node according to its UMC health state
CheckNodeHS $node1
CheckNodeHS $node2

6 How to Configure Custom Plugin Authentication
UMC provides a way to fully customize authentication by developing your own desktop authentication
plugin. Authentication in this case is weak; some limitations apply to weak authentication, for
example it cannot be used to authenticate on the UMC Web UI.

Prerequisites

In the following procedure two machine roles are involved:

• the server machine that is a master ring server; a master is a priority ring server or a secondary
ring server where safe mode has been disabled and that is promoted to be a master;
• the client machine is a registered UMC station client.

Procedure

1. Develop one of the two types of plugins:
– Stateful Plugin, which stores the identity and allows you to retrieve its value using
properties;
– Stateless Plugin, which does not store the identity and provides its value using events.
2. Enable login via custom plugin.
3. Register the plugin on the server using the dedicated umconf command; see UMCONF User
Manual for more details.
4. Activate the plugin on the client machine; we provide an example to build a script to perform
this operation.

Result

The plugin is listed on the login page of the client machine. It is also possible to use query strings to
log in automatically; see the UMC Web User Interface manual for more information.

6.1 Setting User Alias for Plugin Authentication


The plugin authentication mechanism matches the identity provided by the plugin to a user alias or
username stored in UMC.

Depending on the plugin used, one of two methods provides the alias:

• a Stateful plugin uses the LoadIdentity method;
• a Stateless plugin uses the RetrieveIdentity method.

To configure this data matching using the UMC Web UI, you can define an alias for a user in the
account policy tab of the user detail dialog; the value stored in the field is compared with the loaded
identity and if they correspond the user is authenticated. For more information see the User
Management Component Web User Interface Manual.

To define an alias you can also use the dedicated UMX command. See UMX User Manual for more
details.

Example

Consider a user with the following value for the user alias:

Alias = [email protected]

The call of the LoadIdentity method would be: LoadIdentity("[email protected]").

6.2 Implementing a Stateful Plugin


To develop a custom StatefulPlugin .Net plugin you have to define a class that implements the abstract
class StatefulPlugin, which is part of the namespace PluginDevice. A .Net dll has to be released in a
folder together with:

• PluginDesign.dll,
• um.PluginDesign.dll

Both dlls can be found in C:\Program Files\Siemens\UserManagement\Wow\BIN.

In what follows we document the abstract method that you have to implement and the two methods
that must be used to implement it.

Initialize

This is the abstract method in which you have to implement the plugin logic.

protected abstract void Initialize();

ChangeStatus

This method has to be called once the plugin changes the status.

public void ChangeStatus(DeviceStatus deviceStatus);

LoadIdentity

This method must be called to load the identity. The string identity to be passed as input parameter
can be either the name or the user alias set for authentication.

protected void LoadIdentity(string identity);

Example

The following is a .Net example which returns the Windows identity of the current user.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using PluginDevice;
using um.PluginDevice;

namespace WindowsPlugin
{
    public class StatefulWindowsPlugin : StatefulPlugin
    {
        protected override void Initialize()
        {
            // Signal that the device is ready, then hand the SID string of the current
            // Windows user to UMC, where it is matched against the user alias or username
            this.ChangeStatus(DeviceStatus.Connected);
            var currentWindowsIdentity = WindowsIdentity.GetCurrent();
            this.LoadIdentity(currentWindowsIdentity.User.Value);
        }
    }
}

6.3 Implementing a Stateless Plugin


To develop a custom StatelessPlugin .Net plugin you have to define a class that implements the
abstract class StatelessPlugin, which is part of the namespace PluginDevice.

A .Net dll has to be released in a folder together with:

• PluginDesign.dll,
• um.PluginDesign.dll

Both dlls can be found in C:\Program Files\Siemens\UserManagement\Wow\BIN.

In what follows we document the two abstract methods that you have to implement and the method
that you have to use to implement them.

Initialize

This is the abstract method in which you have to implement the plugin logic.

protected abstract void Initialize();

ChangeStatus

This method must be called once the plugin changes the status.

public void ChangeStatus(DeviceStatus deviceStatus);

RetrieveIdentity

This is the abstract method in which you have to implement the plugin logic to retrieve the identity. The
returned value must match either the user alias set for authentication or the username.

protected abstract string RetrieveIdentity();

Example

The following is a .Net example that returns the Windows identity of the current user.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using PluginDevice;
using um.PluginDevice;

namespace WindowsPlugin
{
    public class StatelessWindowsPlugin : StatelessPlugin
    {
        protected override void Initialize()
        {
            // No identity is stored here; the plugin only reports that it is ready
            this.ChangeStatus(DeviceStatus.Connected);
        }

        protected override string RetrieveIdentity()
        {
            // Called by UMC when the identity is needed: return the SID string of the
            // current Windows user, to be matched against the user alias or username
            var currentWindowsIdentity = WindowsIdentity.GetCurrent();
            return currentWindowsIdentity.User.Value;
        }
    }
}

6.4 Building a Script for Plugin Activation

In what follows we provide an example of a PowerShell script to register a plugin. The plugin id can
be retrieved by using the dedicated umconf command to list the registered plugins on the server. See
UMCONF User Manual for more details.

$plugin = @{
    piuid   = Read-Host -Prompt '[plugin UID]'
    path    = Read-Host -Prompt '[plugin path]'
    name    = Read-Host -Prompt '[plugin class name]'
    desc    = 'not used'
    type    = Read-Host -Prompt '[plugin type (stateful/stateless)]'
    adapter = '.net'
}

$json = $plugin | ConvertTo-Json

# The registration endpoint is called with the credentials of the current Windows user
$response = Invoke-RestMethod 'https://localhost:16/slsso/umconf/register_plugin' `
    -Method Post -UseDefaultCredentials -Body $json -ContentType 'application/json'

Write-Host $response

7 How to Configure Authentication via Cookie Adapter
UMC provides a way to configure authentication based on cookies. A cookie adapter is released with
the UMC application; it allows an external authentication system to integrate with the UMC
authentication mechanism via cookies. This functionality has been designed to use a third-party IAM
together with UMC Web SSO. In this scenario authentication is managed by a "proxy" and forwarded
to the UMC adapter using a cookie.

The adapter is a umc-cookie-adapter.zip file that can be found for instance in
C:\Program Files\Siemens\UserManagement\WEB\add-ons.

Prerequisites

Three machine roles are involved in the following procedure:

• the UMC machine which is a master ring server; a master is a priority ring server or a secondary
ring server where safe mode has been disabled and that is promoted to be a master;
• the external authentication system machine, where Node.js is installed;
• the client machine which is a machine where you have authenticated at least once with the user
selected for authentication.

In order to protect the cookie adapter, a lockdown procedure must be implemented.

Procedure

1. Copy the file umc-cookie-adapter.zip from UMC machine to the external authentication
system machine and unzip it.
2. Generate a pair of private/public keys in the external authentication system machine.
3. Register the cookie adapter in the UMC machine using the dedicated umconf command; see
UMCONF User Manual for more details.
4. List the plugin to retrieve the fingerprint/keyid in the UMC machine using the dedicated
umconf command; see UMCONF User Manual for more details.
5. Enable login via cookie adapter in the UMC machine.
6. Define the user alias for the cookie adapter authentication via Web UI.
7. Edit the file default.json in the external authentication system machine.
8. Edit the script UMC_Cookie_Federation_Adapter_Start.bat in the external authentication
system machine to set the related local environment variable.
9. Launch UMC_Cookie_Federation_Adapter_Start.bat to start the application in the external
authentication system machine.
10. Open the IdP login page on a client machine; the cookie adapter plugin is listed in a drop-down
menu on the right together with the list of plugins activated for authentication.
11. If you select to authenticate via cookie adapter, you are authenticated as the user whose alias
corresponds to the identity retrieved from the cookie adapter.

7.1 Implementing a Lockdown Procedure


To protect the cookie adapter, a lockdown procedure must be implemented to restrict access to the
cookie adapter. Access must be restricted to only allow proxy access. Creating and implementing the
lockdown procedure is the responsibility of the application owner. Once you have implemented the
lockdown procedure, it is very important that you test it to verify whether it works. This can be
accomplished by attempting to access the application by various means, all of which should fail. Your
test should be repeated any time you make a change to your system to validate the lockdown
procedure has not been removed or modified.

7.2 Generating a Private/Public Key Pair

A private/public key pair must be generated using RSA with a key length of at least 2048 bits; we
highly recommend that the private key be encrypted with a cipher. To do so you can use, for
instance, the OpenSSL tool with the following commands:

• to generate the private key: openssl genrsa -des3 -out private.pem 2048;
• to extract the public key: openssl rsa -in private.pem -outform PEM -pubout -out public.pem.

When generating the private key, you will be asked to insert a passphrase, which must be used to set
the local environment variable UMC_SIGN_PASSPHRASE in UMC_Cookie_Federation_Adapter_Start.bat.

The public key is required during web adapter registration using the appropriate umconf command
(see UMCONF User Manual for more details).

The SHA-1 fingerprint of the public key must be set in the appropriate property (kid) of the
configuration file default.json.

7.3 Configuring the Cookie Adapter

The file default.json is located in umc-cookie-adapter\config.

Configuration JSON example

{
  "app": {
    "port": 1987,
    "endPoint": "/cookie-adapter",
    "cookieName": "x-login-user",
    "rejectSelfSSL": false,
    "testPage": "/testpage",
    "debugMode": false,
    "enableHttps": false
  },
  "bouncePage": {
    "formName": "config/umc-cookie-adapter.html",
    "formEncoding": "utf-8"
  },
  "keys": {
    "privateKey": "config/key.pem",
    "certKey": "",
    "cert": ""
  },
  "token": {
    "lifetime": 180,
    "lifetimeUnit": "seconds",
    "jwtHeader": {
      "alg": "RS256",
      "typ": "JWT",
      "kid": "e670121515d18baead7cae858a0d1e8d0ba71db4"
    },
    "jwtPayload": {
      "issuer": "UMC Flex Auth",
      "typ": "PLG",
      "plgId": "3d8203e3-8d5b-48eb-8522-44c30cc33cb0"
    }
  }
}

JSON description

The following tables contain the properties for each object.

app Object

The app object has the following properties:

Property Type Description

port integer Port number for listening.

endPoint string POST path for retrieving user information.

cookieName string Cookie name. To be modified.

rejectSelfSSL boolean true for rejecting self signed SSL, false otherwise.

testPage string Path for testing GET requests.

debugMode boolean true for disabling form auto submit, false otherwise.

enableHttps boolean true to enable https between adapter and UMC, false otherwise.

bouncePage Object

The bouncePage object has the following properties:

Property Type Description

formName string Relative path of form definition.

formEncoding string formName encoding.

keys Object

The keys object has the following properties:

Property Type Description

privateKey string Relative path of the private key used to sign the JSON Web Token. To be modified.

certKey string Key file required by the https configuration. To be modified if enableHttps is true.

cert string Certificate file with the https server certificate. To be modified if enableHttps is true.

token Object

The token object has the following properties:

Property Type Description

lifetime integer Session lifetime.

lifetimeUnit string Session lifetime unit.

jwtHeader NA See below for the description.

jwtPayload NA See below for the description.

jwtHeader Object

The jwtHeader object has the following properties:

Property Type Description

alg string RS256 by default.

typ string JWT by default.

kid string Fingerprint of public key. To be modified.

jwtPayload Object

The jwtPayload object has the following properties:

Property Type Description

issuer string UMC Flex Auth by default.

typ string PLG by default.

plgId string Plugin id assigned during registration. To be modified.

8 How to Configure Teamcenter Manufacturing Web Integration
Integration with Teamcenter Manufacturing via Web allows users to use Teamcenter Manufacturing
to authenticate on UMC. This method provides strong authentication; see UMCONF User Manual for
more information on security levels.

The following machines are involved in this configuration and must be configured in this order:

1. Configure the Teamcenter Machine
2. Configure the Web Server
3. Configure the UMC Server

Note: The Web Server described in the following must be reachable by all Clients and the
UMC Server.

Configuring the Teamcenter Manufacturing Machine

The following steps must be performed on the machine where Teamcenter Manufacturing is installed
and configured.

Prerequisites

Teamcenter 10.1.7 has been installed and configured along with Teamcenter Security Services.

Procedure

1. Retrieve the TC Login Service URL.
2. Specify "UMC" as the Teamcenter Security Services Application ID. If you specify an ID
which is not "UMC", you must modify the tcAppId in the default.json, as described in the
following procedure.

Configuring the Web Server for Integration with Teamcenter Manufacturing

The Web server configuration consists of configuring the Web adapter that UMC provides for
integration with Teamcenter Manufacturing.

The adapter is a tcss-web-adapter.zip file that can be found for instance in C:\Program Files\
Siemens\UserManagement\WEB\add-ons.

Prerequisites

Node.js 6.11.3 has been installed and its binary path is contained in the PATH system environment
variable.

Procedure

1. Copy the file tcss-web-adapter.zip from UMC machine and unzip it.
2. Generate a pair of private/public keys.
3. Edit the file default.json.
4. Edit the script tcss-web-adapter.bat to set the UMC_SIGN_PASSPHRASE local environment
variable.
5. Launch tcss-web-adapter.bat to start the application.
6. Take note of location of the Public Key file and the URL of the Web Plugin as they are required
for the next procedure.

Configuring the UMC Server for Integration with Teamcenter Manufacturing

The following steps must be performed on the UMC Server in order to integrate Teamcenter
manufacturing with UMC.

Prerequisites

• The TCSS Web Adapter has been launched on the Web Server.
• UMC full installation has been installed and configured.
• The user specified must have the functional right UM_Admin.
• If you are using HTTPS a valid SSL certificate must have been acquired from a Certification
Authority, or a self-signed SSL certificate must have been created.

Procedure

1. Enable login via custom plugin.


2. Run the PowerShell script TCSS_Web_Adapter_Server_Configuration.ps1 as administrator,
which can be found in \Wow\BIN under the installation path.
3. Insert the username and password, the URL of the adapter, which must be reachable by all the
machines which use the adapter, and the location of the public key. For example:

UMC Admin Username: manager
UMC Admin Password: manager
Public Key File full path: C:\Users\Administrator\Desktop\tcss-web-adapter\config\public.key
endPoint URL (TCSS Web Adapter endPoint): http://web-endpoint:1988/tcss_web
Plugin registration succesfully

4. After running the powershell script, for each machine where the Identity Provider is installed, it
is necessary to perform the Recycle of the application pool of the Identity Provider
(SimaticLogonPool, for configuration via script) in IIS Manager.

CAUTION:
Performing the Recycle of the application pool can cause service interruption.

8.1 Generating Private and Public Keys for Teamcenter Web Integration

A private/public key pair must be generated using RSA with a key length of at least 2048 bits; we
highly recommend that the private key be encrypted with a cipher. To do so you can use, for
instance, the OpenSSL tool with the following commands:

• to generate the private key: openssl genrsa -des3 -out private.pem 2048;
• to extract the public key: openssl rsa -in private.pem -outform PEM -pubout -out public.key.

When generating the private key, you will be asked to insert a passphrase, which must be used to set
the local environment variable UMC_SIGN_PASSPHRASE, as described in the next steps of How to
Configure Teamcenter Manufacturing Web Integration.

The SHA-1 fingerprint of the public key must be set in the appropriate property (kid) of the
configuration file default.json.

8.2 Configuring the TCSS Web Adapter

The file default.json is located in tcss-web-adapter\config.

The properties which must be modified are:

• ssoServiceURL
• ssoLoginURL
• domainName
• in the keys Object:
– privateKey
• in the jwtHeader Object:
– kid

See the example and tables below for details.

Note: If the IdP has been configured with HTTPS Protocol, and there is no reverse proxy
configured, enableHttps must be set to true and you must modify the keys Object:

• certKey
• cert

Configuration JSON example

{
  "app": {
    "port": 1988,
    "endPoint": "/tcss_web",
    "endPointSetPluginId": "/tcss_web/setpluginid",
    "responseEndPoint": "/tcss_web/getresponse",
    "ssoServiceURL": "http://vmtc101b.swqa.tst:7001/tcssoservice",
    "ssoLoginURL": "http://vmtc101b.swqa.tst:7001/tcssols",
    "tcAppId": "UMC",
    "tcAppUserId": "TCSSO_APP_USER_ID",
    "tcAppSessionKeyToken": "TCSSO_SESSION_KEY",
    "tcDisableApplet": "true",
    "rejectSelfSSL": false,
    "checkPage": "/checkpage",
    "debugMode": false,
    "enableHttps": false,
    "domainName": "mydomain"
  },
  "bouncePage": {
    "formName": "config/umc-tcss-adapter.html",
    "formResponseName": "config/umc-tcss-adapter-response.html"
  },
  "keys": {
    "privateKey": "config/private.key",
    "certKey": "config/certKey.pem",
    "cert": "config/cert.cer"
  },
  "token": {
    "lifetime": 180,
    "lifetimeUnit": "seconds",
    "jwtHeader": {
      "alg": "RS256",
      "typ": "JWT",
      "kid": "88FACEFCD6ED416BC6D516D10E09ABBBDA85FDC6"
    },
    "jwtPayload": {
      "issuer": "UMC Flex Auth",
      "typ": "PLG",
      "plgId": "4c0c2e5c-6e95-4ed1-aa13-591da04c30f8"
    }
  }
}

JSON description

The following tables contain the properties for each object.

app Object

The app object has the following properties:

Property Type Description

port integer Port number for listening.

endPoint string The relative path of the TCSS Web adapter endpoint. If this value is modified, the
values of responseEndPoint and endPointSetPlugin must also be modified.

endPointSetPlugin string The relative path of the endpoint used to set the plugin ID.

responseEndPoint string The relative path of the endpoint response.

ssoServiceURL string The URL of the Teamcenter Security Services identity service. To be modified.

ssoLoginURL string The URL of the Teamcenter Security Services login service. To be modified.

rejectSelfSSL boolean true to reject self signed SSL, false otherwise.

checkPage string Path for testing GET requests.

debugMode boolean true for disabling form auto submit, false otherwise.

enableHttps boolean true to enable https between adapter and UMC, false otherwise. Note that if the
Identity Provider has been configured with HTTPS this must be set to "true".

domainName string The name of the Windows domain which is specified in the Teamcenter Security
Service.

tcAppId string The application ID which has been configured in Teamcenter Security Service; only to
be modified if the ID is not "UMC".

tcAppUserId string For internal use only; the default value is TCSSO_APP_USER_ID.

tcAppSessionKeyToken string For internal use only; the default value is TCSSO_SESSION_KEY.

tcDisableApplet boolean For internal use only; the default value is true.

checkPluginId boolean For internal use only; the default value is true.

bouncePage Object

The bouncePage object has the following properties:

Property Type Description

formName string Relative path of form definition.

formEncoding string formName encoding.

keys Object

The keys object has the following properties:

Property Type Description

privateKey string Relative path of private key used to sign json web token. To be modified.

certKey string Cert key file required by https configuration. To be modified if enableHttps is
true.

cert string cert file with https server certificate. To be modified if enableHttps is true.

token Object

The token object has the following properties:

Property Type Description

lifetime integer Session lifetime.

lifetimeUnit string Session lifetime unit.

jwtHeader NA See below for the description.

jwtPayload NA See below for the description.

jwtHeader Object

The jwtHeader object has the following properties:

Property Type Description

alg string RS256 by default.

typ string JWT by default.

kid string Fingerprint of public key. To be modified.

jwtPayload Object

The jwtPayload object has the following properties:


Property Type Description

issuer string UMC Flex Auth by default.

typ string PLG by default.

plgId string Plugin id assigned during registration.

9 How to Configure Teamcenter Manufacturing RAC Integration
Integration with Teamcenter Manufacturing allows users to log into UMC from the Teamcenter
Manufacturing Rich Application Client (RAC). This integration method provides strong
authentication; see the UMCONF User Manual for more information on security levels.

The following machines are involved in this configuration and must be configured in this order:

1. Configure the Teamcenter Machine
2. Configure the Web Server
3. Configure the UMC Server
4. Configure UMC Clients

Configuring the Teamcenter Manufacturing Machine

The following steps must be performed on the machine where Teamcenter Manufacturing is installed
and configured.

Prerequisites

Teamcenter 10.1.7 has been installed and configured along with Teamcenter Security Services.

Procedure

1. Retrieve the TC Login Service URL.
2. Specify "UMC" as the Teamcenter Security Services Application ID. If you specify an ID which
is not "UMC", you must modify tcAppId in default.json, as described in the following
procedure.

Configuring the Web Server

The Web Server configuration consists of configuring the web adapter (TCSS RAC Web Adapter in
what follows) that UMC provides for integration with Teamcenter Manufacturing.

The adapter is a tcss-rac-adapter.zip file that can be found, for instance, in C:\Program Files\
Siemens\UserManagement\WEB\add-ons.

Prerequisites

• NodeJS 6.11.3 has been installed and its binary path is contained in the PATH system
environment variable.


Procedure

1. Copy the file tcss-rac-adapter.zip from UMC machine and unzip it.
2. Generate a pair of private/public keys.
3. Edit the file default.json.
4. Edit the script tcss-rac-adapter.bat to set the UMC_SIGN_PASSPHRASE local environment
variable.
5. Launch tcss-rac-adapter.bat to start the application.
6. Take note of location of the Public Key file and the URL of the TCSS RAC Web Adapter as
they are required for the next procedure.

Configuring the UMC Server

The following steps must be performed on the UMC Server in order to integrate Teamcenter
manufacturing with UMC.

Prerequisites

• UMC full installation has been installed and configured.
• The TCSS RAC Web Adapter has been launched on the Web Server.
• The user specified must have the functional right UM_Admin.
• If you are using HTTPS, a valid SSL certificate must have been acquired from a Certification
Authority, or a self-signed SSL certificate must have been created.

Procedure

1. Enable login via custom plugin.
2. Run the powershell script TCSS_RAC_Adapter_Server_Configuration.ps1 as administrator,
which can be found in the \Wow\BIN under the installation path.
3. Insert username and password, the location of the Public Key file and the URL of the TCSS
RAC Web Adapter, which must be reachable by all the machines which use the adapter. For
example:

UMC Admin Username: manager
UMC Admin Password: manager
Public Key File full path: C:\Users\Administrator\Desktop\tcss-rac-adapter\config\public.key
endPoint URL (TCSS RAC Adapter endPoint): http://rac-endpoint:1987/tcss_rac
Plugin registration succesfully


4. After running the powershell script, for each machine where the Identity Provider is installed, it
is necessary to perform the Recycle of the application pool of the Identity Provider
(SimaticLogonPool, for configuration via script) in IIS Manager.

CAUTION:
Performing the Recycle of the application pool can cause service interruption.

Configuring UMC Clients

The following steps must be performed on all the UMC Station Clients, which are the machines where
RAC is installed. The powershell script allows you to register a client, if it has not already been
registered, and to configure integration with Teamcenter.

Prerequisites

• The user specified must have the functional right UM_Admin.
• Teamcenter RAC is installed and configured.
• UMC full or Station Client installation has been installed and the machine has been configured
as a Station Client.
• If you are using HTTPS, a valid SSL certificate must have been acquired from a Certification
Authority or a self-signed SSL certificate has been created.

Procedure

1. Launch the powershell script TCSS_RAC_Adapter_Client_Configuration.ps1 which can be
found in the \Wow\BIN under the installation path.
2. Insert the username, password and the location of the UMC Server. For example:

UMC Server (like https://umc-server): http://umc-hostname
UMC Admin Username: manager
UMC Admin Password: manager
Client registration procedure has been started... @{result=success}
Register plugin result: @{result=success}

9.1 Generating Private and Public Keys for Teamcenter RAC Integration

A pair of private/public RSA keys of at least 2048 bits must be generated; we highly recommend
that the private key is protected with an encryption cipher. To do so you can use, for instance, the
OpenSSL tool with the following commands:

• to generate the private key: openssl genrsa -des3 -out private.pem 2048;
• to extract the public key: openssl rsa -in private.pem -outform PEM -pubout -out public.pem.


When generating the private key, you will be asked to insert a passphrase, which must be used to set
the UMC_SIGN_PASSPHRASE local environment variable, as described in the next steps of How
to Configure Integration with RAC Teamcenter Manufacturing.

The SHA-1 fingerprint of the public key must be set in the kid property of the configuration file
default.json (see the jwtHeader Object table below).

9.2 Configuring the TCSS RAC Adapter

The file default.json is located in tcss-rac-adapter\config.

The properties which must be modified are:

• ssoServiceURL
• ssoLoginURL
• domainName
• in the keys Object:
– privateKey
• in the jwtHeader Object:
– kid

See the example and tables below for details.

Note: If the IdP has been configured with HTTPS Protocol, and there is no reverse proxy
configured, enableHttps must be set to true and you must modify the following properties of the
keys Object:

• certKey
• cert

Configuration JSON example

{
  "app": {
    "port": 1987,
    "endPoint": "/tcss_integration",
    "endPointSetPluginId": "/tcss_integration/setpluginid",
    "rejectSelfSSL": false,
    "checkPage": "/checkpage",
    "debugMode": false,
    "enableHttps": false,
    "domainName": "mydomain",
    "ssoServiceURL": "http://vmtc101b.swqa.tst:7001/tcssoservice",
    "ssoLoginURL": "http://vmtc101b.swqa.tst:7001/tcssols",
    "tcAppId": "UMC",
    "tcAppUserId": "TCSSO_APP_USER_ID",
    "tcAppSessionKeyToken": "TCSSO_SESSION_KEY",
    "tcDisableApplet": "true",
    "checkPluginId": true
  },
  "bouncePage": {
    "formName": "config/umc-cookie-adapter.html",
    "formEncoding": "utf-8"
  },
  "keys": {
    "privateKey": "config/private.key",
    "certKey": "config/certKey.pem",
    "cert": "config/cert.cer"
  },
  "token": {
    "lifetime": 180,
    "lifetimeUnit": "seconds",
    "jwtHeader": {
      "alg": "RS256",
      "typ": "JWT",
      "kid": "88FACEFCD6ED416BC6D516D10E09ABBBDA85FDC6"
    },
    "jwtPayload": {
      "issuer": "UMC Flex Auth",
      "typ": "PLG",
      "plgId": "b82370af-c3b4-4f54-9007-c34b7233d005"
    }
  }
}

JSON description

The following tables contain the properties for each object.

app Object

The app object has the following properties:

Property Type Description

port integer Port number for listening.

endPoint string The relative path of the TCSS RAC adapter endpoint. If this value is modified,
the value of endPointSetPlugin must also be modified.

endPointSetPlugin string For internal use only; depends on the value of the previous property.

rejectSelfSSL boolean true to reject self signed SSL, false otherwise.

checkPage string Path for testing GET requests.


debugMode boolean true for disabling form auto submit, false otherwise.

enableHttps boolean true to enable https between adapter and UMC, false
otherwise. Note that if the Identity Provider has been
configured with HTTPS this must be set to "true".

domainName string The name of the windows domain which is specified in the
Teamcenter Security Service.

ssoServiceURL string The url of the Teamcenter Security Services identity service. To
be modified.

ssoLoginURL string The url of the Teamcenter Security Services login service. To
be modified.

tcAppId string The application ID which has been configured in Teamcenter Security Service.

tcAppUserId string For Internal use only, the default value is:
TCSSO_APP_USER_ID

tcAppSessionKeyToken string For internal use only, the default value is:
TCSSO_SESSION_KEY

tcDisableApplet boolean For internal use only, the default value is: true

checkPluginId boolean For internal use only, the default value is: true.

bouncePage Object

The bouncePage object has the following properties:

Property Type Description

formName string Relative path of form definition.

formEncoding string formName encoding.

keys Object

The keys object has the following properties:

Property Type Description

privateKey string Relative path of private key used to sign json web token. To be modified.

certKey string Cert key file required by https configuration. To be modified if enableHttps is
true.

cert string cert file with https server certificate. To be modified if enableHttps is true.


token Object

The token object has the following properties:

Property Type Description

lifetime integer Session lifetime.

lifetimeUnit string Session lifetime unit.

jwtHeader NA See below for the description.

jwtPayload NA See below for the description.

jwtHeader Object

The jwtHeader object has the following properties:

Property Type Description

alg string RS256 by default.

typ string JWT by default.

kid string Fingerprint of public key. To be modified.

jwtPayload Object

The jwtPayload object has the following properties:

Property Type Description

issuer string UMC Flex Auth by default.

typ string PLG by default.

plgId string Plugin ID assigned during registration.

10 How to Upgrade to UMC 1.9.1

Prerequisites

• A previous version of UMC is installed and configured for all the machines of the scenario you
need to upgrade.
• Follow the general recommendations for UMC upgrade.

Workflow

1. Upgrade UM secondary ring server.
2. Upgrade UM priority ring server.
3. Upgrade all the UM servers giving precedence to the ones belonging to the NLB cluster.
4. Upgrade all the UM agents.
5. Upgrade all the UMC station clients.

10.1 General Recommendations

This section contains a set of general recommendations to be followed to perform the UMC upgrade
correctly.

• If a previous version of UMC is only installed and NOT configured, you simply have to install
and configure UMC as if it were the first installation.
• If a previous version of UMC is installed in a directory different from the default one, you have to
uninstall the system according to the dedicated uninstall procedure (see the documentation
for that version) and reinstall it from scratch.
• During the upgrade procedure, no UMC command can be executed except the ones that are part
of the procedure.
• If you have installed and configured UMC 1.0, you first have to upgrade to UMC 1.1 (see the UMC
1.1 Release Notes) and then upgrade the system.
• If you have installed UMC 1.1 in an HTTP scenario, you have to convert the scenario from HTTP
to HTTPS after upgrading.
• Up to UMC 1.9, all the machines in a redundant scenario had to be upgraded; as of UMC 1.9,
long-term mixed scenarios are supported. Thus, if you have a version older than 1.9 and
you want a mixed-version scenario, you first have to upgrade all your UMC installations
to UMC 1.9.
• All the clients who access UMC Web applications must clear the browser cache in order to
display UMC pages correctly.
• To know the machine role you can use the umconf Show Status command. See the UMCONF
User Manual for more details.
• As of UMC 1.6, user names of up to 100 characters are supported. In a mixed scenario, with
machines where a version older than UMC 1.6 is installed, the management of users with long
user names (more than 30 characters) might cause problems. We strongly suggest that you
align all the machines to the most recent UMC version as soon as possible.

10.2 Upgrading UM Secondary Ring Server

General Recommendations

• Before upgrading the system, in case you have performed customizations of the Identity
Provider on the web.config file (e.g. C:\Program Files\Siemens\UserManagement\WEB\
IPSimatic-Logon\Web.config), we strongly suggest that you save a local copy of this file.
Consider that running configuration scripts, e.g. IdP_WebUI_configurator.bat, can modify the
web.config file, e.g. to configure HTTP.
• During the upgrade procedure only the priority ring server is available; thus, for a minimum
amount of time, you do not have system redundancy support.
• During the upgrade procedure, session loss may occur.

Procedure

1. If NLB is configured, remove the secondary ring server from the NLB cluster.
2. If UMC Web components were configured on the machine, stop the application pools of the
UMC applications in IIS Manager.
3. Close all the running applications.
4. Launch the installer and select to upgrade the system. In case the installation asks you to
reboot the system, perform the system reboot. When the system reboots the installer
automatically starts.
5. Run the command umconf -U to upgrade the system. Refer to the UMCONF User Manual for
more details.
6. If UMC Web components were configured on the machine:
– manually perform Identity Provider web.config customizations, if any;
– start the application pools of the UMC applications in IIS Manager.
7. If NLB was configured:
– reconnect the machine to the NLB cluster;
– remove the priority ring server and all the other UM servers (if any) from the NLB cluster.

10.3 Upgrading UM Priority Ring Server

General Recommendations

• Before upgrading the system, in case you have performed customizations of the Identity
Provider on the web.config file (e.g. C:\Program Files\Siemens\UserManagement\WEB\
IPSimatic-Logon\Web.config), we strongly suggest that you save a local copy of this file.
Consider that running configuration scripts, e.g. IdP_WebUI_configurator.bat, can modify the
web.config file, e.g. to configure HTTP.
• During the upgrade procedure only the secondary ring server is available; thus, for a minimum
amount of time, you do not have system redundancy support and UMC database modifications
are not possible.
• During the upgrade procedure, session loss may occur.

Procedure

1. If UMC Web components were configured on the machine, stop the application pools of the
UMC applications in IIS Manager.
2. Close all the running applications.
3. Launch the installer and select to upgrade the system. The system may ask you to reboot
before or after upgrading UMC, in which case you must perform the system reboot. If the
reboot is performed before upgrading, the installer automatically starts when the system
reboots.
4. Run the command umconf -U to upgrade the system. Refer to the UMCONF User Manual for
more details.
5. If UMC 1.1 is installed in a standalone scenario in HTTP and you want to enable HTTPS
upgrading to UMC 1.4, then you have to perform this additional procedure.
6. If UMC Web components were configured on the machine:
– manually perform Identity Provider web.config customizations, if any;
– start the application pools of the UMC applications in IIS Manager.
7. If NLB was configured, reconnect the machine to the NLB cluster.

10.4 Upgrading UM Server

General Recommendations

• Before upgrading the system, in case you have performed customizations of the Identity
Provider on the web.config file (e.g. C:\Program Files\Siemens\UserManagement\WEB\
IPSimatic-Logon\Web.config), we strongly suggest that you save a local copy of this file.
Consider that running configuration scripts, e.g. IdP_WebUI_configurator.bat, can modify the
web.config file, e.g. to configure HTTP.
• During the upgrade procedure, session loss may occur.

Procedure

1. If UMC Web components were configured on the machine, stop the application pools of the
UMC applications in IIS Manager.
2. Close all the running applications.


3. Launch the installer and select to upgrade the system. In case the installation prompts you to
reboot the system, perform the system reboot. When the system reboots, the installer
automatically starts.
4. Run the command umconf -U to upgrade the system. Refer to the UMCONF User Manual for
more details.
5. If UMC Web components were configured on the machine:
– manually perform Identity Provider web.config customizations, if any;
– start the application pools of the UMC applications in IIS Manager.
6. If the UM server was connected to the NLB cluster, reconnect the machine to the cluster.

10.5 Upgrading UM Agent

Procedure

1. Close all the running applications.
2. Launch the installer and select to upgrade the system. In case the installation prompts you to
reboot the system, perform the system reboot. When the system reboots, the installer
automatically starts.
3. Run the command umconf -U to upgrade the system. Refer to the UMCONF User Manual for
more details.

10.6 Upgrading UMC Station Client

Procedure

1. Close all the running applications.
2. Launch the installer and select to upgrade the system. In case the installation prompts you to
reboot the system, perform the system reboot. When the system reboots, the installer
automatically starts.

Result

The machine is automatically registered and no additional steps are needed.

11 How to Uninstall UMC
Depending on the UMC installation, follow either of these procedures:

• Uninstall Full UMC
• Uninstall UMC Station Client

11.1 Uninstalling Full UMC

CAUTION:

If UMC is also configured, the database files are not removed by the uninstallation
procedure. This procedure has to be performed on all the machines, UM ring servers, UM
servers and agents. We suggest that you perform the procedure on the UM agents first.

Procedure

1. If the machine is a 64 bit ring server where the Web Components have been configured,
launch the script REMOVE_IdP_WebUI_configurator.bat. The batch file can be found in C:\
Program Files\SIEMENS\UserManagement\BIN, if the default installation folder is selected.
Note that the script works on a 64 bit machine only.
2. Delete the database files, the registry entries and so on by executing the umconf -D -f
command. Please refer to the UMCONF User Manual for more details.
3. Open Program and Features from the Control Panel.
4. Select the UMC entry and right click.
5. Select Uninstall.
6. The uninstall setup is launched: proceed with the uninstallation steps.

11.2 Uninstalling UMC Station Client

Procedure

1. Open Programs and Features from the Control Panel.
2. Select the UMC Station Client entry and right click.
3. Select Uninstall.
4. The uninstall setup is launched: proceed with the uninstallation steps.

12 Appendix
In this section you can find the following information:

• Importing a Windows Local User on an Agent
• UMC Processes
• Event Logging
• Log Forwarding Service
• Additional Provisioning Configuration

12.1 Importing a Windows Local User on an Agent


A Windows local user can be imported on an agent machine using a Powershell script called
Siemens.UMC.ImportUser.ps1 which can be found in %ProgramFiles(x86)%\Siemens\UserManagement\BIN.

1. Run Powershell as Administrator.
2. Insert -server followed by the UMC server name.
3. Insert -user followed by the username of the UMC user running the command; the user specified
must have the UM_Admin functional right.
4. Insert -pwd followed by the password of the UMC user running the command.
5. Insert -username followed by the computer name\name of the Windows local user to import.
6. Press Enter.

Example

.\Siemens.UMC.ImportUser.ps1 -server myumcservername -user myumcadminusername -pwd myumcpassword -username mycomputername\nameofwindowslocaluser

12.2 Troubleshooting

General

Problem: Cannot authenticate with unexpected problem. umtracer gpclib shows a tentative to use
pipes to open a connection to the local machine.
Solution: Give access to the user that is launching the command to the CONF directory of UMC
(auth.users, for example).
Additional Links: NA

Problem: IdP shows a compilation error and raises an error while trying to access a temp folder
(Windows temp or temporary asp.net files).
Solution: IIS_IUSRS has no access to the Windows TEMP folder.
Additional Links: NA

Problem: Web UI: cannot enter a UMC web application with error "Cannot connect to server".
Solution: The umc_pool application pool was configured to run in 32 bit mode. Set the flag
"Enable 32 bit" to FALSE in the umc_pool configuration.
Additional Links: NA

Problem: UMC Web UI shows the following error: Error on Login: An error occurred during
communication with the server.
Solution: IIS features missing: Basic authentication, Windows authentication, asp.net 4.5 was not
installed.
Additional Links: NA

Problem: Identity Provider Login pages show an error related to unknown Keys or a security error
related to webconfig. Relaunch Idp_webui_, and so on.
Solution: IIS features missing: Basic authentication, Windows authentication, asp.net 4.5 was not
installed.
Additional Links: NA

Problem: UMCONF error 4 while joining.
Solution: The list of UMC rings is already full; check on the ring master with umconf -t and unjoin
the secondary ring.
Additional Links: NA

Problem: Windows 7 OS, Authentication error (4 or 1) while trying to authenticate, crash of
um.server.exe, errors on LoadLibraryEx().
Solution: Security KB missing; see the User Management Component Installation Manual.
Additional Links: NA

Problem: Windows Integrated Authentication. The IdP page asks for credentials even if the user is
correctly logged in to the AD (the client is joined to the same AD as the web server).
Solution: The AD (Kerberos) is misconfigured. See the link below to prevent issues in our test
domain controller: https://blogs.msdn.microsoft.com/chiranth/2014/04/17/setting-up-kerberos-authentication-for-a-website-in-iis/
Additional Links: NA

Problem: SMART CARD: Error 403.7 forbidden when trying to open the info.aspx page and/or trying
to authenticate.
Solution: Enable CRL (Certificate Revocation List) checking; refer to your IT department for details.
Additional Links: NA

Provisioning

Problem: You cannot configure the provisioning.
Solution: Verify that the ring server machine is joined to the Windows domain.
Additional Links: NA

Problem: In the UMC Web UI you see undefined in the domain drop down list to import users/groups.
Solution: Verify that the ring server machine is joined to the Windows domain, that you have
configured the UMC Provisioning service UPService.exe and that the Windows user associated to
the service has Active Directory access rights.
Additional Links: NA

Problem: The import buttons do not appear in the UMC Web UI.
Solution: Verify that you have configured the UMC Provisioning service UPService.exe and check
that the value of the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Siemens\User Management\WebUI\Settings\domains_support
is set to yes.
Additional Links: See the Basic Post Setup Instructions of the Release Notes, the UMCONF User
Manual and the UMX User Manual for the commands.

Problem: You perform the import of an AD group and the members are not imported.
Solution: Verify that the Group scope is Universal.
Additional Links: See the UMCONF User Manual.

Problem: The search to import AD users/groups returns 0 and you presume that your search
criteria will return many results.
Solution: You may have to modify the Active Directory administration limit MaxPageSize. Consider
that the AD default is 1000; if your search returns more than 1000 results you have to modify this
value to a value higher than the number of search results.
Additional Links: See the Functional Limitations of the Release Notes.

Problem: The import of an AD group having a high number of associated users is not successful.
Solution: You may have to modify the Active Directory administration limit MaxValRange.
Additional Links: See the Functional Limitations of the Release Notes.

Problem: You experience excessive slowness in operations involving AD provisioning (such as the
import of users, the alignment of AD modifications and so on).
Solution: Check the CPU workload of your antivirus program, as the antivirus can influence the AD
provisioning performance.
Additional Links: NA

12.3 UMC Processes

Service Display Name: UMC Secure Communication Service
Service Description: Implements Communications for UMC
Processes (Process Name: Process Description):
• IPCSecCom.exe: UMC Secure Communication Service
• um.Ris.exe: UMC RIS Server
• um.ffsyssrv.exe: UMC FFSYS Server
• um.kei.exe: UMC Certification Server
• um.sso.exe: UMC Single SignOn Server
• um.jei.exe: UMC Join Server

Service Display Name: UMCService
Service Description: UMC Core Service
Processes (Process Name: Process Description):
• UMCService.exe: UMC Core Service
• um.server.exe: UMC Agent Server
• um.RACRMSRV.exe: UMC RACRM Server
• um.ring.exe: UMC Ring Server
• um.RACSERV.exe: UMC RAC Server
• um.ELGSrv.exe: UMC Event Log Server

Service Display Name: UPService
Service Description: UMC Provisioning Service
Processes (Process Name: Process Description):
• UPService.exe: UMC Provisioning Service
• um.piisrv.exe: UMC Provisioning Server

12.4 Event Logging


UMC provides event logging. UMC event logging provides a mechanism to store the history of events
that have been raised using the UMC component. Event data is stored in one or more files. The
um.ELGSrv.exe server manages the event logging.

The following table summarizes logged events.

Category: Authentication
Events logged: Successful login; Unsuccessful login; Change Password; Ticket Validation

Category: Session Management
Events logged: Session Creation; Session Deletion

Category: Configuration
Events logged: User Create/Delete/Modify (only from WEBUI); Role Create/Delete/Modify (only
from WEBUI); Group Create/Delete/Modify (only from WEBUI); Unlock User (only from WEBUI);
Global Account Policies changes

Category: Custom operation
Events logged: It will be possible to insert log entries for custom operations using the SL-APIs.

Event logging offers the following features.

• In a redundant scenario, log files can potentially be generated from different servers.
Mechanisms to manage reconciliation of data produced by different servers are available.
• Internal APIs allow one to write UMC events and to search UMC events related to a given
date.
• A UMC Web UI page (with limited reading capabilities) has been created to display event data
and to search them according to an input date. The old value and the new value of UMC data
related to the event are displayed.
• Log forwarding allows one to forward the log files to another application (e.g. UAF or
SIMATIC IT Production Suite). It is based on an HTTP(S) protocol in order to be platform
independent.
• A UMX command to list event log records is provided.


12.5 Log Forwarding Service


UMC provides the log forwarding functionality that allows forwarding UMC logs to an external
application in order, for instance, to store them in an external repository. Currently, log forwarding
can be realized by an external application through a C++ plug-in that implements the IElgLog interface.
The figure below describes the information flow through the different machines involved in the
functionality.

12.5.1 IElLog

This provider is used to decouple the implementation and to integrate a custom provider for log
forwarding.

#include <ctime>
#include <string>

// IFMCProvider is the UMC provider base class (defined in the plug-in example in 12.5.2).
class IElLog : public IFMCProvider
{
public:
    // Persist one log entry; seqid identifies the entry for a later rollback.
    virtual unsigned short SaveLog(const time_t timestamp, const std::string& log,
                                   const std::string& seqid)
    {
        return 0;
    }
    // Roll back the entry identified by seqid.
    virtual unsigned short Invalidate(const time_t timestamp, const std::string& seqid)
    {
        return 0;
    }
};

Functions

• SaveLog: This function is used to save the log entry in the repository.
• Invalidate: This function is used to rollback an entry in case of failure.


12.5.2 Log Forwarding Service C++ Plug-in

According to this approach, the external application should implement a provider that exposes the
IElLog interface. The binary has to be built for x86 usage and without Unicode setting (character
encoding is not set).

The provider is public and cannot replace the one used internally in order to decouple the
implementation of ELG from the UMC Service functionalities.

Example

The following code provides an example of C++ plug in implementation.

#include <ctime>
#include <string>

// Base interface of every UMC provider: the host releases a provider through
// DisposeProvider() instead of deleting it directly.
class IFMCProvider
{
public:
    virtual void DisposeProvider() = 0;
};

// Log forwarding interface. Do not alter this declaration: the UMC host calls
// the plug-in through its virtual function table, so any change breaks the
// binary contract between the two.
class IElLog : public IFMCProvider
{
public:
    virtual unsigned short SaveLog(const time_t timestamp, const std::string& log,
                                   const std::string& seqid) { return 0; }
    virtual unsigned short Invalidate(const time_t timestamp, const std::string& seqid) { return 0; }
};

// Status codes returned by the provider functions
#define LF_S_SUCCESS 0
#define LF_E_WRONGPAR 10
#define LF_E_INTERR 12
#define LF_E_UNSUPPORTED_FUNCTION 13
#define LF_E_NOTINITED 14

class lfsample : public IElLog
{
public:
    lfsample() = default;
    ~lfsample() = default;

    virtual unsigned short SaveLog(const time_t timestamp, const std::string& log,
                                   const std::string& seqid)
    {
        // TO DO: add your code here
        // log contains the description of the log message,
        // seqid identifies the entry, timestamp is its time.
        return LF_E_UNSUPPORTED_FUNCTION;
    }

    virtual unsigned short Invalidate(const time_t timestamp, const std::string& seqid)
    {
        // TO DO: add your code here
        // not yet supported
        return LF_E_UNSUPPORTED_FUNCTION;
    }

    virtual void DisposeProvider()
    {
        // A reference counter is needed only if the provider is a singleton
        delete this;
    }
};

// Factory function of the plug-in: returns a new provider instance to the caller.
IFMCProvider* OSAL_GetProvider(const char* providername, const char* securityticket,
                               unsigned short* res)
{
    // Customize if necessary
    IFMCProvider* provider = new lfsample();

    // If present, securityticket identifies the caller.
    return provider;
}
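The stub above leaves both functions unimplemented. The following is an added example, not Siemens code and not part of this manual, of a provider that gives SaveLog and Invalidate working semantics: every entry is appended durably to a local spool file, Invalidate appends a tombstone instead of editing the file in place, and a Replay() function yields the entries that are still valid. The spool path (umc_log_spool.txt), the record format, the names SpoolForwarder, Escape, Unescape and Replay, and the convention that *res receives LF_S_SUCCESS are all assumptions of this example. Two points matter in practice: the log text is escaped before it is written, so a crafted message containing a newline cannot forge additional records, and the interface declarations are kept exactly as published so the plug-in stays binary compatible with the host.

```cpp
// Added example, not Siemens code: an IElLog provider for the UMC log forwarding
// service that keeps a local write-ahead spool. SaveLog appends each entry durably,
// Invalidate appends a tombstone, and Replay() yields the entries still valid.
// The interface declarations are copied from the manual unchanged on purpose:
// the UMC host calls the plug-in through exactly this virtual function table.
#include <cstdio>
#include <ctime>
#include <fstream>
#include <map>
#include <mutex>
#include <string>

class IFMCProvider { public: virtual void DisposeProvider() = 0; };

class IElLog : public IFMCProvider {
public:
    virtual unsigned short SaveLog(const time_t timestamp, const std::string& log,
                                   const std::string& seqid) { return 0; }
    virtual unsigned short Invalidate(const time_t timestamp, const std::string& seqid) { return 0; }
};

#define LF_S_SUCCESS 0
#define LF_E_WRONGPAR 10
#define LF_E_INTERR 12

// One tab-separated record per line: "S<tab>seqid<tab>timestamp<tab>log" or
// "I<tab>seqid<tab>timestamp". Backslash, tab, CR and LF inside a field are
// escaped so that a crafted log message cannot forge additional records.
static std::string Escape(const std::string& s) {
    std::string out;
    for (char c : s) {
        if (c == '\\') out += "\\\\"; else if (c == '\t') out += "\\t";
        else if (c == '\n') out += "\\n"; else if (c == '\r') out += "\\r"; else out += c;
    }
    return out;
}
static std::string Unescape(const std::string& s) {
    std::string out;
    for (size_t i = 0; i < s.size(); ++i) {
        if (s[i] != '\\' || i + 1 == s.size()) { out += s[i]; continue; }
        char n = s[++i];
        out += (n == 't') ? '\t' : (n == 'n') ? '\n' : (n == 'r') ? '\r' : n;
    }
    return out;
}

class SpoolForwarder : public IElLog {
public:
    explicit SpoolForwarder(const std::string& path) : path_(path) {}
    unsigned short SaveLog(const time_t timestamp, const std::string& log,
                           const std::string& seqid) override {
        if (seqid.empty()) return LF_E_WRONGPAR;
        return Append("S\t" + Escape(seqid) + "\t" + std::to_string(timestamp) + "\t" + Escape(log));
    }
    unsigned short Invalidate(const time_t timestamp, const std::string& seqid) override {
        if (seqid.empty()) return LF_E_WRONGPAR;
        return Append("I\t" + Escape(seqid) + "\t" + std::to_string(timestamp));
    }
    void DisposeProvider() override { delete this; }
private:
    unsigned short Append(const std::string& record) {
        std::lock_guard<std::mutex> guard(mutex_);  // the host may log from several threads
        std::ofstream out(path_, std::ios::app);
        if (!out) return LF_E_INTERR;
        out << record << '\n' << std::flush;
        return out ? LF_S_SUCCESS : LF_E_INTERR;
    }
    std::string path_;
    std::mutex mutex_;
};

// Replay the spool: the result maps seqid to log text for every saved record that
// has no later tombstone. Malformed lines are counted and skipped, not trusted.
static std::map<std::string, std::string> Replay(const std::string& path, size_t* malformed) {
    std::map<std::string, std::string> live;
    *malformed = 0;
    std::ifstream in(path);
    for (std::string line; std::getline(in, line);) {
        size_t t1 = line.find('\t');
        size_t t2 = (t1 == std::string::npos) ? t1 : line.find('\t', t1 + 1);
        if (t2 == std::string::npos) { ++*malformed; continue; }
        std::string kind = line.substr(0, t1);
        std::string seqid = Unescape(line.substr(t1 + 1, t2 - t1 - 1));
        size_t t3 = line.find('\t', t2 + 1);
        if (kind == "I" && t3 == std::string::npos) live.erase(seqid);
        else if (kind == "S" && t3 != std::string::npos) live[seqid] = Unescape(line.substr(t3 + 1));
        else ++*malformed;
    }
    return live;
}

// Factory with the manual's signature. The spool path and "*res receives LF_S_SUCCESS"
// are assumptions of this example; the export/linkage the UMC host expects is not
// documented in the manual and must be matched by your build.
IFMCProvider* OSAL_GetProvider(const char* providername, const char* securityticket,
                               unsigned short* res) {
    (void)providername;
    (void)securityticket;  // if present, identifies the caller
    if (res) *res = LF_S_SUCCESS;
    return new SpoolForwarder("umc_log_spool.txt");
}
```

Replay() is what a forwarding job run later would use to push the surviving entries to the external repository; an entry whose SaveLog succeeded but was then rolled back with Invalidate never reaches it. The spool file has to live in the protected folder described under Security Measures below, since anyone who can edit it can rewrite the forwarded history.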

Configuration

Log forwarding via the C++ plug-in needs a configuration step: add the following value to the
registry. Its value identifies the plug-in library (the binary built as described above).

• Path: HKEY_LOCAL_MACHINE\SOFTWARE\Siemens\User Management\ODK\elg_log_fwd
• Name: binary
• Type: String


Security Measures

The ACL of the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Siemens\User Management\ODK is
restricted so that only administrators can access it.

You also have to protect the folder where the library is stored and prevent tampering with the
library, using a strong signature and application whitelisting. Since the plug-in is loaded into the
process that calls it, anyone who can change the registry value or replace the library can run code
with the privileges of that process; treat both the key and the folder as security-critical.

12.6 Additional Provisioning Configuration


In order to make the import of Active Directory users and groups configurable, a file named
piisrv_config.json is created in %ProgramData%\siemens\usermanagement\conf.

Editing this file is optional. The following rules apply when computing the list of domains from
which users and/or groups can be imported:

• if the property domains is not empty, this list is used for the import; otherwise
• the property query_for_domains defines the AD query that computes the domain list.

After modifying the file, you have to:

• copy the file to each machine where provisioning is configured, and
• manually restart the UPService.

The file must have the following JSON format.

Configuration JSON example

{
    "add_alias_to": "",
    "domains": [{
        "name": "domain1"
    }],
    "purge_time": "720",
    "query_for_domains": "(objectcategory=crossref)",
    "query_for_groups": "",
    "query_for_user": "",
    "query_for_users": "",
    "recycle_time": "1440"
}


JSON description

• add_alias_to (string): the name of the AD field to be used as alias.
• domains (array): an array of domain objects, each containing the name, formatted as follows:
  [{"name":"domain1"},{"name":"domain2"}]. The domain suffix must not be used. By default the
  array is empty.
• purge_time (string): if a user is deleted from AD, it is flagged as offline. Offline users are
  permanently deleted from the UMC database after the number of minutes indicated in this field.
  The default is 12 hours (720 minutes). The following constraint must hold: purge_time < recycle_time.
• query_for_domains (string): AD query; see the Microsoft documentation for more details. The
  default query is "(objectcategory=crossref)". If the query in the file contains an error, the
  default query is executed.
• query_for_users (string): not used.
• query_for_groups (string): not used.
• query_for_user (string): not used.
• recycle_time (string): number of minutes before the provisioning server restarts. The default is
  24 hours (1440 minutes). The following constraint must hold: purge_time < recycle_time.
