topic Re: Use the Web adapter with AWS Certificate Manager? in ArcGIS Enterprise Questions

Use the Web adapter with AWS Certificate Manager?

MikeSchonlau — Fri, 09 Nov 2018 14:43:15 GMT

We use SSL certificates from AWS Certificate Manager. These certificates are not downloaded as files and deployed on the servers like other SSL's. We use them with AWS Elastic Load Balancers (ELB). We use the ELB's in place of the ArcGIS Web Adapter.

I am now planning a deployment of Portal. My deployment will require using the ArcGIS Web Adapter to support Roads & Highways. I'm curious if there is a way to continue using my AWS SSL's and ELB's as well as the Web Adapter? If not, I imagine I will have to go buy an SSL certificate from a different provider to put on my Portal machine. Thoughts about AWS ELB's and the ArcGIS Web Adapter co-existing?

Thanks

Mike S.

Re: Use the Web adapter with AWS Certificate Manager?

JacobBoyle412 — Fri, 09 Nov 2018 22:30:52 GMT

the easiest thing to do is use an AWS ALB as a pass-through to your Web Adapter host and let the ALB manage the SSL.

Re: Use the Web adapter with AWS Certificate Manager?

MikeSchonlau — Fri, 16 Nov 2018 05:33:14 GMT

I've been tinkering with this, but without success. I'm not sure which port(s) the load balancer should be forwarding to. I thought 443 because the Web Adaptor is forwarding to 7443. And would I add my EC2 instance to my target group over 443 or 7443? Or would I add the Web Adaptor url over 443 to the target group? Any thoughts on this would be appreciated. Thanks

Re: Use the Web adapter with AWS Certificate Manager?

JacobBoyle412 — Mon, 19 Nov 2018 18:17:31 GMT

Michael,

The load balancer (ALB) should forward to the Web Adapter over 443, then the Web Adapter should take over from there.

now, on the ALB settings in AWS Console under EC2, click load balancers, click your load balancer, click listeners. Then under Rules, click the rule for 443(80 may be the same rule), click the Health Checks tab, and confirm the following rules are set for ArcGIS Server and Portal for ArcGIS:

Portal: <Your_Context>/portaladmin/healthCheck

ArcGIS Server: <Your_Context>/rest/info/healthCheck

Re: Use the Web adapter with AWS Certificate Manager?

MikeSchonlau — Mon, 19 Nov 2018 20:58:44 GMT

Thanks for the feedback, Jacob.

My test setup was very similar to your suggestion, except for my health check url. When I go to my Portal sign in page from an external ip or domain name, I keep getting this redirect error.

My load balancer has listeners for 80 and 443, both forwarding to a target group that is pointing to my Portal health check url over https (443). My target is healthy. I can reach the Web Adaptor - Portal endpoint from the server itself using machine name, private ip, and localhost. When I try to reach the Web Adaptor - Portal sign in externally, using the external ip, public dns, or the Route 53 domain that I have pointing to the ALB, I get the redirect error above.

This is from the browser console:

Invalid 'X-Frame-Options' header encountered when loading 'https://<mydomain.com>/arcgis/sharing/rest/oauth2/authorize?client_id=arcgisonline&redirect_uri=https://<mydomain.com>/arcgis/home/postsignin.html&response_type=token&display=iframe&parent=https://<mydomain.com>&expiration=20160&locale=en': 'ALLOW-FROM https://<mydomain.com>' is not a recognized directive. The header will be ignored.

***I have not yet setup and configured ArcGIS Server to federate with this Portal***

Any ideas??

Re: Use the Web adapter with AWS Certificate Manager?

JacobBoyle412 — Mon, 19 Nov 2018 21:35:54 GMT

You'll need to go into your Portal admin page as the primary login and go to: System Properties—ArcGIS REST API: Administer your portal | ArcGIS for Developers

Then, update the PrivatePortalURL and WebContextURL to the Load Balancer DNS. This will tell portal that the new DNS entry for the Load Balancer is the correct URL.

you'll want to do everything through these URLs going forward.

Re: Use the Web adapter with AWS Certificate Manager?

MikeSchonlau — Mon, 19 Nov 2018 22:06:41 GMT

Jacob

This worked! You are a genius. I will email Jack D and tell him you deserve a raise, a promotion, and more vacation. Thanks!!!

Re: Use the Web adapter with AWS Certificate Manager?

JacobBoyle412 — Mon, 19 Nov 2018 22:24:24 GMT

Thanks! Feel free to PM me or post to this section of GeoNet if you have any further issues.

Re: Use the Web adapter with AWS Certificate Manager?

AndrewCullen — Tue, 19 Mar 2019 20:30:34 GMT

Great - this is a really helpful post, Jacob. Took me a few tries, but I also have this configuration working well for me now.

Two additional questions:

Is there any reason this wouldn’t be considered a valid production configuration?
Do both the PrivatePortalURL and the WebContextURL have to remain the constant after federation? I’m wondering if there is a way to take an ami from one environment and, by changing the WebContextURL, use it in a second environment

Thanks in advance

Andrew