Building Trust within Your Environment Using SSL Certificates

12-03-2019 06:19 AM
BrendanBladdick3
Esri Contributor

In order to build full trust within your environment, every machine must trust the others. This matters most when Portal, Server, Data Store and Web Adaptor are on different machines: in most environments the communication between them will be terminated when trust is invalid, and invalid trust is caused by invalid or untrusted certificates.

This blog will be short, sweet and to the point.

You will need the following to put inside of the Portal and Server SSL certificate store if -->

You have an external environment:

  • Domain CA root certificate (.cer)
  • Domain CA intermediate certificate (if you have one) (.cer)
  • Public CA root certificate (.cer)
  • Public CA intermediate certificate (if you have one) (.cer)
  • Domain CA end/server certificate for each machine (if you have two or more server machines you need one for each, plus one for the portal machine) (.pfx)

You have an internal environment:

  • Domain CA root certificate (.cer)
  • Domain CA intermediate certificate (if you have one) (.cer)
  • Domain CA end/server certificate for each machine (if you have two server machines you need one for each, plus one for the portal machine) (.pfx)

Then import each certificate into the Server/Portal internal web server through the admin endpoint, in this order: first both the Public CA and Domain CA root certificates, then all the Public CA and Domain CA intermediate certificates, and finally the Domain CA .pfx certificate for that specific machine, which is the one used to establish valid certificate trust when accessing Portal/Server directly through its port (7443/6443).
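As an added example (not part of this blog post or of Esri's documentation), the following POSIX shell script uses the openssl CLI to build a throwaway Domain CA chain (root, intermediate, and one server certificate bundled into a .pfx) and then runs the checks you would want to pass before importing the real files: that the server certificate chains to the root, that the chain breaks when the intermediate is left out (which is exactly what a machine with only the root imported sees), and that the .pfx is issued for the machine's hostname. Every name, path and password in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the blog post): build a throwaway "Domain CA" chain
# with the openssl CLI and check, before importing anything into Portal or
# Server, that the end/server certificate really chains to the root and that
# the intermediate is required to complete that chain. All names are constructed.
set -e

# Create root CA, intermediate CA and one server certificate under directory $1.
build_chain() {
  dir="$1"
  mkdir -p "$dir"
  # Extensions for CA certificates (root and intermediate).
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  # Extensions for the end/server certificate; the hostname is a constructed placeholder.
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:portal.example.local\n' > "$dir/server.ext"

  # Root CA: key + CSR, then self-sign with explicit CA extensions.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Domain Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 1 -sha256 \
    -extfile "$dir/ca.ext" -out "$dir/root.cer" 2>/dev/null

  # Intermediate CA: signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Domain Issuing CA" \
    -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.cer" -CAkey "$dir/root.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$dir/ca.ext" -out "$dir/int.cer" 2>/dev/null

  # Server certificate for one machine: signed by the intermediate, not by the root.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=portal.example.local" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/int.cer" -CAkey "$dir/int.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$dir/server.ext" -out "$dir/server.cer" 2>/dev/null

  # The .pfx that would be imported for this machine: private key, server cert
  # and the intermediate. Password is a constructed placeholder.
  openssl pkcs12 -export -inkey "$dir/server.key" -in "$dir/server.cer" \
    -certfile "$dir/int.cer" -passout pass:changeit -out "$dir/server.pfx"
}

# Succeeds only when root + intermediate together validate the server certificate.
chain_verifies() {
  openssl verify -CAfile "$1/root.cer" -untrusted "$1/int.cer" "$1/server.cer" >/dev/null 2>&1
}

# Succeeds when verification FAILS with the intermediate left out: this is the
# state of a machine where only the root certificate was imported.
missing_intermediate_breaks_trust() {
  if openssl verify -CAfile "$1/root.cer" "$1/server.cer" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Succeeds when the end certificate inside the .pfx chains to the root AND is
# issued for hostname $2 (verify reads the PEM certificate from stdin).
pfx_matches_host() {
  openssl pkcs12 -in "$1/server.pfx" -passin pass:changeit -clcerts -nokeys 2>/dev/null |
    openssl verify -CAfile "$1/root.cer" -untrusted "$1/int.cer" -verify_hostname "$2" >/dev/null 2>&1
}

# Stand-alone run: `sh chain_check.sh --demo` builds the chain in a temp dir
# and reports each check.
if [ "${1:-}" = "--demo" ]; then
  work=$(mktemp -d)
  build_chain "$work"
  chain_verifies "$work" && echo "root + intermediate validate server.cer: OK"
  missing_intermediate_breaks_trust "$work" && echo "root alone does NOT validate server.cer: expected"
  pfx_matches_host "$work" portal.example.local && echo "server.pfx is issued for portal.example.local: OK"
  rm -rf "$work"
fi
```

To check real files, point `chain_verifies` and `pfx_matches_host` at your root and intermediate .cer files and the machine's .pfx. Note that a Windows domain CA often exports .cer files in DER form, whereas `openssl verify` expects PEM; convert them first with `openssl x509 -inform DER -in root.cer -out root.pem`. A .pfx that passes `chain_verifies` but fails `pfx_matches_host` for the machine's own name is the usual cause of the browser warnings described later in this post.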

You can also import the Domain CA certificate into the Data Store; however, most of the time this is not necessary.

How to import certificates into Portal, Server & Data Store:

Portal -->Import a certificate into the portal—Portal for ArcGIS (10.7 and 10.7.1) | ArcGIS Enterprise

Server -->Configure ArcGIS Server with an existing CA-signed certificate—ArcGIS Server Administration (Windows...

Data Store -->Replace ArcGIS Data Store SSL certificate—Portal for ArcGIS (10.7 and 10.7.1) | ArcGIS Enterprise

A little bit about why this is important:

Security best practices—Portal for ArcGIS (10.7 and 10.7.1) | ArcGIS Enterprise

Best practices for configuring a secure environment—ArcGIS Server Administration (Windows) | ArcGIS ...

Directly from the above documentation -->

"Like ArcGIS Server, the ArcGIS Enterprise portal also comes with a preconfigured self-signed certificate. If you'll be federating your site with a portal, you should request a certificate from a trusted CA and configure the portal to use it.

Configuring a certificate from a trusted authority is a secure practice for web-based systems and will also prevent users from encountering any browser warnings or other unexpected behavior. If you choose to use the self-signed certificate included with ArcGIS Server and the ArcGIS Enterprise portal during testing, you will experience the following:

  • Warnings from your web browser, from ArcGIS Desktop, or from ArcGIS Pro about the site being untrusted. When a web browser encounters a self-signed certificate, it will typically display a warning and ask you to confirm that you want to proceed to the site. Many browsers display warning icons or a red color in the address bar for as long as you are using the self-signed certificate.
  • The inability to open a federated service in the portal's Map Viewer, add a secured service item to the portal, log in to ArcGIS Server Manager on a federated server, or connect to the portal from ArcGIS Maps for Office.
  • Unexpected behavior when configuring utility services, printing hosted services, and accessing the portal from client applications.

Caution:

The above list of issues you will experience when using a self-signed certificate is not exhaustive. It's imperative that you use a CA-signed certificate to fully test and deploy your portal."