Technical Reference Manual

Introduction

Companies across industries, such as automotive, aviation, and high tech, create and manage their intellectual property (IP) based on drawings. These drawings are created digitally using computer-aided design (CAD) applications and are shared with users outside the organization owing to business considerations. It's essential to understand the potential risks associated with sharing business information. Comprehensive security measures are essential to reducing risks and safeguarding sensitive data. HaloCAD, a purpose-built data protection solution, is designed to help organizations achieve this objective effectively.

How does HaloCAD protect your Data?

HaloCAD effortlessly integrates Microsoft Purview Information Protection (MPIP), formerly known as Microsoft Information Protection (MIP), the leading technology for Enterprise Digital Rights Management (EDRM). It acts as a shield for your CAD files by automatically labeling them with MPIP and manages data assets across your environment. HaloCAD modules can be used either in standalone mode or in combination with HaloCAD for PLM, which automatically protects file downloads, decrypts files during upload, and returns them to the PLM vault.

HaloCAD Add-on for CAD applications

About this Manual

This manual provides administrators with the information required to successfully deploy HaloCAD components. It explains how to set up the HaloCAD environment, describes the overall architecture, lists the prerequisites and system requirements for each component, and offers step-by-step guidance for installation and configuration. The manual covers the HaloCAD Add-on for CAD, the HaloCAD Reader Add-on for CAD, and HaloCAD for PLM and PDM, along with detailed explanations to ensure smooth implementation and usage.

The term HaloCAD Add-on for CAD is a generic reference to supported CAD applications such as AutoCAD, Inventor, Revit, Creo, Solid Edge, NX, SOLIDWORKS, and DraftSight. Wherever this term appears in the manual, it refers to these supported CAD applications.

Features

1. Business infrastructure: HaloCAD connects effortlessly with existing infrastructure, making it simple to use and manage.

2. CAD: HaloCAD add-on seamlessly extends MPIP security to CAD files.

3. Usage rights: Both template-based (or static) labels and user-defined (custom permissions) labels are integrated for seamless protection.

4. Data security: Sensitive information is protected persistently regardless of where it is moved, including mobile and cloud platforms.

5. Data Access and Usage: Policy enforcement for managing sensitive file access and usage.

   1. Policies specify who has access to sensitive files and what actions they can do with them.

   2. Furthermore, it specifies how data may be used, such as restrictions on viewing, editing, copying, printing, exporting, relabeling, or modifying the rights. Watermarks can be applied to documents that contain sensitive information.

6. Seamless integration with PLM: Automatically protects file downloads, decrypts files during upload, and returns them to the PLM vault.

Quick Start Installation Summary - Standalone HaloCAD Add-on

The image below illustrates the high-level process of setting up the HaloCAD Add-on for CAD.

Quick start installation steps for HaloCAD Standalone Add-on

Reference Manuals

The table below describes where to obtain information in the HaloCAD documentation set.

HaloCAD standalone add-on reference documentation

Quick Start Installation Summary - Integrated with PLM/PDM

The image below illustrates the high-level process of setting up the HaloCAD Add-on for CAD with HaloCAD for PLM/PDM environment.

Quick start installation steps for HaloCAD for PLM/PDM

Reference Manuals

The table below describes where to obtain information in the HaloCAD documentation set.

HaloCAD for PLM/PDM reference documentation

HaloCAD Architecture 

The architecture is designed to provide secure and efficient management of CAD and PLM data through three core components: HaloCAD Add-on for CAD, HaloCAD for PLM, and the HaloENGINE

HaloCAD Add-on for CAD

A standalone solution that contains the HaloCAD PROTECT feature. It enables access to protected files, enforces associated privileges, and allows controlled modification of MPIP labels via direct interaction with the user.

HaloCAD Add-on for CAD leverages the Microsoft Purview Information Protection solution to provide persistent document security. During the process of creating a new CAD file, the user downloads MPIP labels using valid credentials, selects a suitable label, and applies it to the file. In the standalone add-on, no automation is available, as setting labels is done manually. Protected files can only be opened and modified by authorized users, and thus, protection remains even when multiple users access the file. The user’s rights are governed by pre-established policies. The following figure shows the HaloCAD Add-on for CAD as a standalone add-on.  

Note: When HaloCAD (standalone add-on) is integrated with HaloCAD for PLM, files are automatically protected based on predefined rules before the end user can access them. Please refer to the paragraph below.

HaloCAD as a standalone add-on

HaloCAD for PLM

HaloCAD for PLM (HaloCAD for Teamcenter, HaloCAD for Windchill, and HaloCAD for Autodesk Vault)

This solution integrates seamlessly with the PLM application, including the features of HaloCAD PROTECT and HaloCAD MONITOR, while utilizing Microsoft Purview Information Protection (MPIP), formerly Microsoft Information Protection (MIP), to provide Enterprise Digital Rights Management (EDRM) capabilities.

HaloCAD for PLM operates continuously in the background, monitoring file uploads and downloads. It connects to Azure Rights Management (Azure RMS) to download sensitivity labels and handle file encryption and decryption.

During a file upload, it checks whether the file is already encrypted and, if so, automatically decrypts it before allowing it to be checked into the PLM Vault. Similarly, whenever a file is downloaded, HaloCAD for PLM automatically enforces protection according to defined action rules, ensuring that all file operations adhere to security rules and keep data safe. It operates independently during the file check-in or upload process. However, during file check-out or download, it depends on the rules defined in the Classification Engine.

HaloCAD for PLM

HaloENGINE—The core of the architecture is HaloENGINE, a Java-based classification engine responsible for implementing business logic. It integrates with Azure Rights Management (Azure RMS) to download sensitivity labels and make them available for configuration. HaloENGINE uses metadata to classify and organize data while enforcing classification schemas and action rules. All file downloads must comply with the rules defined in this engine, making it the central component of the architecture.

During file download, HaloENGINE receives relevant metadata from HaloCAD for PLM, determines the appropriate action based on the configured rules, and forwards the label and action information to HaloCAD for PLM for file processing (encryption).

HaloCAD for PDM (HaloCAD for SOLIDWORKS PDM)

This solution integrates HaloCAD PROTECT and MONITOR capabilities with the respective PDM application. It connects to Azure Rights Management (Azure RMS) to download sensitivity labels and handle file encryption and decryption.

SOLIDWORKS PDM folders are actively monitored to ensure file security and compliance. When files are cut or copied from a SOLIDWORKS PDM folder to a non-SOLIDWORKS PDM folder, they are automatically intercepted and protected before reaching the destination. Conversely, when previously encrypted SOLIDWORKS application files or PDF files are copied or moved into a SOLIDWORKS PDM folder, they are seamlessly decrypted and saved for use within the environment.

HaloENGINE—A Java-based classification engine that implements business logic. As described in HaloCAD for PLM, it provides similar functionality when integrated with PDM.

It integrates with Azure Rights Management (Azure RMS) to download sensitivity labels and make them available for configuration. HaloENGINE uses metadata to classify and organize data while enforcing classification schemas and action rules. All file copy/move must comply with the rules defined in this engine, making it the central component of the architecture.

HaloCAD for PDM

For comprehensive details, please refer to the respective manuals as per your PLM environment:

1. If your environment is integrated with Windchill PLM, refer to the HaloCAD for Windchill Installation Manual.

2. If your environment is integrated with Teamcenter PLM, refer to the HaloCAD for Teamcenter Installation Manual.

3. If your environment is integrated with Autodesk Vault PLM, refer to the HaloCAD for Autodesk Vault Installation Manual.

4. If your environment is integrated with SOLIDWORKS PDM, refer to the HaloCAD for SOLIDWORKS PDM Installation Manual.

HaloCAD Reader Add-on for CAD

Secude offers a standalone reader add-on for the CAD application that allows you to view MPIP-protected files containing sensitive data. It enforces ‘read-only’ privileges to all users and thus even authorized users cannot sneak sensitive information out by copying it or taking a screenshot. Additionally, it does not support the setting or modification of labels. The following figure shows the HaloCAD Reader Add-on for CAD. Note: When a HaloCAD MPIP-protected file is shared with partners/suppliers, they don't need to install the HaloCAD Add-on for CAD on their machines; instead just this simple reader add-on is sufficient. 

HaloCAD Reader Add-on for CAD

Microsoft Purview Information Protection

HaloCAD solution effortlessly integrates Microsoft Purview Information Protection to protect your sensitive documents. Microsoft Purview Information Protection is an industry document security solution that enables businesses to ensure that only authorized users can open the protected content while also regulating what they can do with it, such as print, edit, or save. Even if sensitive data is leaked accidentally or maliciously, unauthorized parties cannot view it in clear text, thus leaving it useless.

Prerequisites

The prerequisites and dependencies for installing and configuring the HaloCAD add-ons are summarized in this section. 

Register an Application in Microsoft Entra ID - Public client/native

This section will guide you through registering an application, obtaining the Client ID and Directory ID, and assigning permissions to the application.

Create an Application

Follow the instructions below to register an application:

1. Log in to the Microsoft Entra admin center using an account that has administrator privileges.

2. If you have access to multiple tenants, click the Settings icon in the top menu and select the tenant for which you want to register the application from the Directories + subscriptions menu.

3. You will be directed to the homepage.

   

   Selecting Microsoft Entra ID

4. Click Identity > Applications > App registrations on the left of the navigation pane.

5. On the App registrations page, click the New registration page or Register an Application button (this button appears only if no applications have already been created).

   

   New application registration

6. On the Register an application page, enter the registration details for your application.

   

   Application details

7. In the Name field, enter an appropriate application name.

8. Under Supported account types, select which account you would like your application to support. For detailed information on these types, please see Microsoft documentation.

   1. To target only accounts that are internal to your organization, select Accounts in this organizational directory only.

   2. To target only business or educational customers, select Accounts in any organizational directory.

   3. To target the widest set of Microsoft identities and to enable multitenancy, select Accounts in any organizational directory and personal Microsoft accounts.

   4. To target the widest set of Microsoft identities, select Personal Microsoft account only.

   5. Under Redirect URI: Select Public client/native (mobile & desktop), and then type a valid redirect URI for your application. For example, https://localhost.

   6. When finished, click Register.

9. The home page of the new application is created and displayed.

   

   Application ID and Tenant ID

10. Once registration is complete, the following values are shown on the portal. To copy and save the ID value in a text editor, hover your cursor over it and click the Copy to clipboard icon.

    1. Application ID – It is also referred to as Client ID.

    2. Directory ID – It is also referred to as Tenant ID.

Add Required Permissions

To protect content using the MIP SDK, you need to provide the following API permission(s) for the created application ID.

1. In the sidebar of the new application page, select API permissions. The API permissions page for the new application registration will appear.

2. Click Add a permission button. The Request API permissions page will appear.

3. Under the Select an API setting, select APIs my organization uses. A list appears, containing the applications in your directory that expose APIs.

4. Type in the search box or scroll to find the required API that is mentioned in the table below, “Required Permissions”.

5. For example, type Microsoft Information Protection Sync Service. You can see the API listed as shown in the figure below:

   

   Searching for permissions

6. Now, click on the displayed API. You can see two permissions on the page − Delegated permissions and Application permissions.

7. Click the Delegated permissions button and then, under the Permission section, select the check box against "Read all unified policies a user has access to".

   

   Adding permission

8. Click Add permissions. (Repeat the steps outlined above to add the other required permissions listed in the table below.)

9. You will return to the API permissions page, where the permissions have been saved and added to the table. Please note that administrator consent is not necessary for Delegated permissions.

   

   API Required permissions

10. The following table lists the required permissions.

Required permissions

Registering an Application in Microsoft Entra ID - Web

Creating an application in Microsoft Entra ID is similar to the steps in the previous section. However, for HaloCAD for PLM, some variations apply.

1. Under Redirect URI, select Web.

2. Add the permissions listed in the following table.

3. Click Grant admin consent for your <company>.

4. When the confirmation dialog appears, select Yes to approve.

5. After the consent is granted, the Status column changes to Granted.

Required permissions #1

Additional Permission (Only for Decryption)

The permissions mentioned above are adequate for applying the MPIP label to a file with the owner as SPN (Service Principal Name) ID or any user email ID. Additionally, the HaloENGINE Tomcat Service requires the following superuser privilege for the decryption function when the owner is not as SPN.

Required permissions #2

Upload the Certificate in the Azure Portal 

The HaloENGINE Tomcat Service relies on certificate-based authentication to access MPIP services. Therefore, you must enter your certificate information in the registered application before proceeding with the configuration.

Prerequisites: 

1. Certificate: 

   1. Ensure that you have a valid certificate containing the following key properties: -KeyExportPolicy Exportable and -KeySpec Signature.

   2. The certificate can also be self-signed. Note: As a best practice and for security reasons, use a self-signed certificate only in a test environment. It is not recommended for production environments.

2. Local Computer certificate store: The certificate required for MPIP authentication must be installed in the Local Computer certificate store, along with the Root CA and Intermediate CA certificates.

   1. If the certificate is CA-signed, install all related certificates in their respective stores (Root, Intermediate, and Personal).

   2. If the certificate is self-signed, install it in both the Trusted Root Certification Authorities and Personal stores of the Local Computer.

To upload the public key of the certificate, follow the steps below: 

1. In the sidebar of the new application page, select Certificate & secrets. 

2. Under the Certificate section, click Upload certificate. The Upload certificate dialog appears as shown in the figure below:

   

   Upload certificate #1

3. Click on the folder icon to select the certificate and click Open. For illustration purposes, the file DESKTOP001.cer is used.

4. Now, click Add. The certificate will get uploaded, and its thumbprint will be displayed on the page as shown in the figure below:

   

   Upload certificate #2

The following table lists the Azure application types that need to be registered when using HaloCAD and HaloCAD for PLM.

HaloCAD and Azure Application Type

Create and Configure the Sensitivity Labels

As an administrator, you can create, configure, and publish sensitivity labels for various levels of content sensitivity based on your organization's classification taxonomy. Use names or terms that are familiar to your users. Consider starting with label names like Personal, Public, General, Confidential, and Highly Confidential if you don't already have a taxonomy in place. For more details, please refer to Microsoft online documentation.

Office 365 Subscription Details

1. Fully configured Microsoft Purview Information Protection.

2. An Azure subscription is required to use Azure RMS and the MPIP functionality.

3. A working Microsoft Entra ID service must be available.

4. Transport Layer Security (TLS) 1.2 or higher must be enabled to ensure the use of cryptographically secure protocols at all client workstations. Please refer to the section “ Enable Support for TLS 1.2 at the Client Workstation for Microsoft Entra ID ”.

5. To avail the revoke access feature, the user should be assigned to the Microsoft Purview Information Protection Premium P1/P2 license. (Not required for reader add-on)

6. Audit logging: Your Azure subscription must include Log Analytics on the same tenant as Microsoft Entra ID.

Recommended URLs, Addresses, and Ports for MPIP

MIP SDK doesn't support the use of authenticated proxies. So, make sure you set the Microsoft 365 endpoints to bypass the proxy. View a list of endpoints at “ Microsoft Online Documentation ”. However, Microsoft recommends the following:

Recommended endpoints

Secude License Manager for HaloCAD

To communicate with Secude License Manager for HaloCAD, the following URL and port must be whitelisted in the customer's proxy:

Recommended license manager endpoint

Enable Support for TLS 1.2 at the Client Workstation for Microsoft Entra ID

To improve the security posture of the tenant and to remain in compliance with industry standards, Microsoft Entra ID stopped supporting the following Transport Layer Security (TLS) protocols and ciphers:

1. TLS 1.1

2. TLS 1.0

3. 3DES cipher suite (TLS_RSA_WITH_3DES_EDE_CBC_SHA)

In order for the HaloCAD for CAD add-on to be able to authenticate to Microsoft Entra ID, TLS 1.2 must be activated on the respective client workstation. Please see this Microsoft article to enable TLS 1.2 .

In summary, the following steps must be performed: 

1. Update the Windows Operating System

2. Update .NET Framework

3. Set the following registry settings:

Registry entries

License Activation

A license for a product is necessary for access to features and support, legal compliance, security, and reliability. The primary Secude licensing method uses a Key-based license that regulates and allows access to the application's features. Therefore, to enable features, we suggest obtaining the license key from Secude support before installing HaloCAD.

Key-based License
Upon purchase or registration with Secude, a special "license key" is provided to the user to control the use of the application. The license key, which is an alphanumeric code, must be provided by the administrator when the application is installed or activated. By entering this key, the entire functionality of HaloCAD is unlocked, and the user's authorization to use it is validated.

The following methods are available to activate the license in HaloCAD.

1. Tool-based automatic initialization and license activation: This includes generating an encrypted configuration file with the license key and Azure application details. Using this file, the installer will complete the installation, application initialization, and license activation automatically. Refer to the section “ Secure Installation ” for more information.

2. UI-based manual license activation: This provides a straightforward installation method without automatic license activation. The administrator must manually activate the license by entering the license key into the HaloCAD license screen after launching the CAD application. Refer to the section “ UI-based Manual License Activation ” for more information.

3. License activation through silent mode: Uses the encrypted configuration file to initialize the application and activate the license automatically. For more details about silent mode, refer to the Silent Mode section of the HaloCAD Installation Manual that comes with your purchased application.

4. License activation via System Center Configuration Manager (SCCM): For deploying and activating the HaloCAD add-on throughout an organization, an encrypted configuration file (containing the license key information and Azure application details) is used together with the installer. For additional information on SCCM, please refer to the HaloCAD Installation Manual.

The following is a high-level diagram that illustrates license activation.

License activation

Secure Installation (Recommended)

As a best practice, any application secrets should not be shared with end-users, third parties, or any trusted vendors. However, to avail of HaloCAD features (standard add-on and reader add-on) there is a need to share such sensitive information for a successful installation.

To overcome this challenge, Secude offers an admin utility tool that can write and encrypt data, including Azure application specifics (Application ID, Tenant ID, and Redirect URI), Cloud type details, and a license key in an encrypted configuration file. It uses the RSA algorithm for cryptography, allowing only the HaloCAD installer to access the configuration file with the private key during the initialization process, effectively masking the Initialization screen from the user.

An administrator can create an encrypted JSON file using this admin tool and share it with internal/external parties without disclosing the original tenant details.

HaloCAD Admin Utility Tool

The HaloCAD product package comprises an additional component—hc.admintool.exe.

Prerequisites: Before executing the admin tool, make sure you have the necessary information.

1. Azure application details for initialization

2. Cloud type details

3. A license key

How to Encrypt the Configuration File

1. From the product package, move the admintool folder to your preferred location. For example, C:\Users\superdocs\Desktop\admintool.

2. Open the Command Prompt with elevated rights (Run as Administrator).

3. Navigate to the directory of the admintool folder and type hc.admintool.exe and press Enter.

   

   Admin tool with help command

4. Enter the required details. For example, 
   Cloud type: Commercial - hc.admintool.exe v6ca776-c74e-437d-98ef-662ecb5751tt https://localhost 9c1cfc28-1ec6-44ea-bec6-e3492ef0cd16 B27N-CMTO-LWGH-AKEQ Commercial
   Cloud type: US_DoD - hc.admintool.exe v6ca776-c74e-437d-98ef-662ecb5751tt https://localhost 9c1cfc28-1ec6-44ea-bec6-e3492ef0cd16 B27N-CMTO-LWGH-AKEQ US_DoD
   Cloud type: Custom - hc.admintool.exe v6ca776-c74e-437d-98ef-662ecb5751tt https://localhost 9c1cfc28-1ec6-44ea-bec6-e3492ef0cd16 B27N-CMTO-LWGH-AKEQ Custom https://api.aadrm.com/ https://dataservice.protection.outlook.com/

5. The output window will now appear as follows: 

   

   Admin tool displaying the output

6. The following admin tool, along with its help command, is specific to the HaloCAD add-on for Creo.

   

   Admin tool with help command for Creo add-on

   

   Admin tool displaying the output with ECTR integration (only for Creo add-on)

7. The following admin tool, along with its help command, is specific to the HaloCAD for SOLIDWORKS PDM.

   

   Admin tool displaying the output for SOLIDWORKS PDM

8. Results:

   1. The hc.conf.json file will be replaced by an encrypted file named hc.conf.enc.

   2. You can now share the configuration file with external users. With this file, users can install the HaloCAD add-on on their workstations seamlessly, without requiring any additional configuration details.

   3. Configuration files created with earlier releases are not supported. Always use the admin tool included in the installation package to generate a new configuration file.

What to do next

1. Place the encrypted file hc.conf.enc in the same directory as the HaloCAD installer you have purchased.

2. To start the interactive installation, double-click the installer and follow the steps provided in the Installation Manual for your purchased add-on.

UI-based Manual License Activation

This section describes how to activate a license using the HaloCAD user interface.

Prerequisite: Ensure that the HaloCAD installation is complete by following the instructions provided in the Installation Manual.

To complete the license activation, carry out the following steps:

Note: If you encounter any issues while activating the license, please refer to the “Troubleshooting” chapter in the Operations Manual.

1. Open the CAD application for which the add-on was purchased.

2. HaloCAD programmatically sends a license validation request to Secude's License Manager, and the following warning message appears:

   

   HaloCAD license warning message

3. Click OK.

4. Go to the HaloCAD tab and click About to see the status of your license. You will see None on the screen, indicating that the license has not yet been enabled.

   

   License Status: None

5. Click Activate.

6. The HaloCAD License Activation screen will appear.

   

   HaloCAD activation screen

7. Enter the license key for the standard add-on for protection. Note: Ensure you enter the license key provided specifically for the reader add-on when using it. Interchanging license keys results in activation failure.

8. Click Activate.

   Results:

   1. You will receive the following confirmation message:

      

      Activation success message

   2. Click OK.

   3. As a result, you will see Active on the screen, indicating that the license has been activated.

      

      License Status: Active

9. Related tasks:

   1. If you click the pencil icon (Click to change label) to label the file, the Rights Management Service prompts you to sign in. Click OK, and then enter your credentials.

   2. After successfully authenticating, the labels can be retrieved from the Azure RMS, and the HaloCAD Ribbon is activated. For more details, please refer to the Operations Manual.

License Expiry

The license will expire on the specified date, and launching the CAD application will result in the following HaloCAD warning message: "The license is invalid." After clicking OK, you will receive another warning message stating, “User has no valid license. Please contact your administrator.” Therefore, you must acquire a new license to renew it.

Prerequisite: Before reactivating it, ensure that you have a new license key from Secude.

Option 1 - Using the admin tool (automatic activation)

1. Run the admin tool with the new license key, as explained in the section “ How to Encrypt the Configuration File ”.

2. Navigate to the configuration directory containing the old hc.conf.enc file and replace it with the one created in the previous step.

3. Restart the application.

   Results:

   1. The HaloCAD license key is now automatically activated.

   2. You can start protecting CAD files.

Option 2 - Using the About UI (manual activation)

1. Open the CAD application.

2. Go to the HaloCAD tab and click About.

3. Click Activate.

4. Enter the new key that Secude has provided.

   Results:

   1. The HaloCAD license key is now manually activated.

   2. You can start protecting CAD files.

Appendix

Third-Party Libraries

Third-party software/code is included or bundled with Secude's products according to its appropriate license. Secude conducts testing to make sure the third-party products are compatible with and perform as intended with Secude applications.

The third-party libraries and dependencies used by the HaloCAD Add-on for CAD are shown in the table below.

Third-party libraries