topic Re: Make Portal 10.5 use mutual authentication (PKI) in ArcGIS Enterprise Questions

Make Portal 10.5 use mutual authentication (PKI)

Anonymous User — Tue, 30 May 2017 15:53:49 GMT

When Portal makes web requests to other secure services (e.g. print task that calls a map service), it doesn't use the client cert loaded via /arcgis/portaladmin/security/sslCertificates.

It looks like Portal adds these certs to a keystore (C:\Program Files\ArcGIS\Portal\etc\ssl\portal.ks). This keystore seems legit after testing it programmatically outside Portal to create a SSL context and make web requests with.

Portal however isn't using them as a client with requests it makes. Is this normal?

For example, in the ArcGIS Server logs for a Print gp task that is calling a secure map service, we get an error like:

A certificate is required to complete client authentication (WinINet ERROR_INTERNET_CLIENT_AUTH_CERT_NEEDED, 12044), URL = <SECURE_MAP_SERVICE_BEHIND_WEBTIER_AUTH>

Re: Make Portal 10.5 use mutual authentication (PKI)

Anonymous User — Tue, 30 May 2017 19:52:06 GMT

The closest post on this seems to be https://community.esri.com/message/655741-push-json-to-an-external-website-adapter-does-not-work-if-external-site-requires-mutual-authenication?sr=search&searchId=e97d80b8-4194-4be7-9fd0-32e67866de09&searchIndex=2 where MBramer-esristaff‌ mentions HTTPS connections requiring client certificates.

Re: Make Portal 10.5 use mutual authentication (PKI)

Anonymous User — Sat, 11 Dec 2021 21:23:38 GMT

After some investigation I found the ARCGIS_JAVA_OPTS environment variable in C:\Program Files\ArcGIS\Portal\framework\runtime\tomcat\bin\catalina.bat.

Including the following JVM settings made Portal use the client PKI cert in the keystore:

ARCGIS_JAVA_OPTS = -Djavax.net.ssl.keyStore="C:\Program Files\ArcGIS\Portal\etc\ssl\portal.ks -Djavax.net.ssl.keyStoreType=jks -Djavax.net.ssl.keyStorePassword=* -Djavax.net.ssl.trustStore=* -Djavax.net.ssl.trustStorePassword=*


‍‍‍