2 Replies Latest reply on Jan 15, 2018 3:39 PM by guyhu RSS
    guyhu Newbie

    EMS & client certificate

    Did anyone have any luck yet with using a client certificate for the EMS?

    I'm using EMS version 5-3-1-1113-Win32-fips.


    The EMS is connecting to the server using TLS 1.2 and is validating the server's SHA512 certificate chain correctly.

    I receive a 403 from the server however, indicating that the client certificate was not sent by the EMS. Other applications are able to authenticate to the server with the same client certificate.


    The EMS output using loggerlevel TRACE does not show anything related to the client certificate. Was it found, loaded, even in the correct format, ...?

    I tried both using an unencrypted pem key_file, as an encrypted pem key_file with a plain text key_passphrase.


    [INFO ] 2016-02-10 10:56:45,657 wsems-fips.exe: Using config file: C:\Program Files\ThingWorx\MicroServer\etc\config.json

    [FORCE] 2016-02-10 10:56:45,658 wsems-fips.exe: Starting up ....

    [FORCE] 2016-02-10 10:56:45,658 wsems-fips.exe: Initializing EMS ....

    [FORCE] 2016-02-10 10:56:45,658 main: Using config file C:\Program Files\ThingWorx\MicroServer\etc\config.json

    [INFO ] 2016-02-10 10:56:45,658 wsems-fips.exe: Creating the WsEms proxy.

    [TRACE] 2016-02-10 10:56:45,658 wsEmsProxy::wsEmsProxy: Constructor called

    [INFO ] 2016-02-10 10:56:45,658 wsems-fips.exe: Starting HTTP Server.

    [INFO ] 2016-02-10 10:56:45,658 wsems-fips.exe: Initializing the ThingWorx REST interface.

    [TRACE] 2016-02-10 10:56:45,658 wsEmsProxy::initialize: Method entered

    [DEBUG] 2016-02-10 10:56:45,659 SDK: twWs_Create: Initializing Websocket Client for bcme-cca-rpa1:443//Thingworx/WS

    [DEBUG] 2016-02-10 10:56:45,659 SDK: twTlsClient_Create: Initializing TLS Client

    [FORCE] 2016-02-10 10:56:45,659 httpServer: starting http server port=8000

    [DEBUG] 2016-02-10 10:56:45,662 httpServer: http server bound to port=8000.

    [DEBUG] 2016-02-10 10:56:45,758 SDK: twApi_Initialize: Websocket Established after 0 tries

    [DEBUG] 2016-02-10 10:56:45,758 SDK: subscribedPropsMgr_Initialize: Initializing subscribed properties manager

    [DEBUG] 2016-02-10 10:56:45,778 jsonConfigurator::getJsonEntity: Key validation_criteria not found

    [TRACE] 2016-02-10 10:56:45,778 SDK: twFileManager_AddVirtualDir: Adding __staging__ to vdir list

    [INFO ] 2016-02-10 10:56:45,778 wsEmsProxy::initialize: Initialization complete!

    bcme-cca-rpa1:443-->[INFO ] 2016-02-10 10:56:45,778 wsems-fips.exe: Starting the connection.

    [TRACE] 2016-02-10 10:56:45,778 SDK: twApi_Connect: Delaying 12 milliseconds before connecting

    [DEBUG] 2016-02-10 10:56:45,790 SDK: twTlsClient_Reconnect: Re-establishing SSL context

    [DEBUG] 2016-02-10 10:56:45,790 SDK: twTlsClient_Connect: Connecting to server

    [DEBUG] 2016-02-10 10:56:45,842 SDK: twTlsClient_Connect: TLS connection established

    [TRACE] 2016-02-10 10:56:45,842 SDK: twWs_Connect: Connected to bcme-cca-rpa1:443

    [TRACE] 2016-02-10 10:56:45,842 SDK: twWs_Connect: Sent request:

    GET /Thingworx/WS HTTP/1.1





      "appKey": "8762825b-5429-4cc1-85d7-ff6081f6d539",

      "certificates": {

        "allow_self_signed": false,

        "cert_chain": [ "C:\\Program Files\\ThingWorx\\MicroServer\\certs\\Idylla-ACC-ConsoleCA.pem", "C:\\Program Files\\ThingWorx\\MicroServer\\certs\\Idylla-ACC-RootCA.pem" ],

        "client_cert": "C:\\Program Files\\Thingworx\\MicroServer\\certs\\console.pem",

        "key_file": "C:\\Program Files\\Thingworx\\Microserver\\certs\\consolekeydecrypted.pem",

        "validate": true


      "logger": {

        "level": "TRACE"


      "ws_connection": {

        "encryption": "fips",

        "verbose": true


      "ws_servers": [


          "host": "bcme-cca-rpa1",

          "port": 443




      • Re: EMS & client certificate
        pchung Collaborator

        Did you configure Tomcat to accept the client side certificate?

          • Re: EMS & client certificate
            guyhu Newbie

            I'm connecting to an IIS reverse proxy, a client certificate is required.

            As mentioned, other applications (.NET) are able to send the client certificate and authenticate. I am also able to use my browser to access the TW Composer over the reverse proxy using the same client certificate.


            We tried the same setup with the C SDK and it also fails. However, after fixing some code in the SDK, the SDK is able to send the client certificate and authenticate to the same proxy server and communication with the backend TW server succeeds.


            Perhaps the EMS is also impacted by https://www.ptc.com/appserver/cs/view/case.jsp?n=12927521?

            Can I suggest to also add logging for client certificate loading?