I am troubleshooting some issues and came across differences between machines in our Portal HA and am wondering how to "sync" or force the one I think is correct to update the other.
When I go to machine1/arcgis/portaladmin/security/sslCertificate I have two certificates with one missing (machine one is standby).
When I go to machine2/arcgis/portaladmin/security/sslCertificates I have the correct three certificates (machine two is primary).
(In a testing environment the same issue exists, but the one with the correct certificates is the standby machine.)
There is also a question of what else is different that I cannot see. At this stage the index is the same.
I am thinking that a "sync" button to force the config on each machine to update will fix the issue, or something similar?
I didn't want to just add in the missing certificate to the first machine in case there were other differences that I wasn't aware of.
The certificates within a highly available portal are maintained separately on each portal machine. The sslCertificates API can return different certificates depending on if you've imported different certificates to each machine. Each machine should trust root or intermediate certificates in any certificate chain that Portal is making requests to:
Thanks Jonathon, so just to clarify, it isn't an indication that one machine has lost its sync with the shared config? As we have an automated deployment, I am sure that the certificates would have been applied on install to each machine. I will double check, but can I ask if there is a known circumstance where a machine 'loses' a certificate?
No, it's not, and I haven't heard of a situation where one of the machines will lose a certificate outside of an administrator deleting it. Are you using Chef to deploy the environment?
Yes, we are using PowerShell and Chef.
Hi Gill,
I noticed this when deploying portal HA with Chef. See #62 for more information.
Thanks Chris. I am not sure if there are any consequences of the certificates missing from one of the Portal machines. We are about to do full HA/DR testing so we might find out then.
The only consequence is that machine won't trust the same URLs that the other machine does. At 10.7.1 and earlier, you need to import any certificates into each machine via https://<portal machine>:7443/arcgis/portaladmin to ensure you know where the certificate goes. If you do it through the LB (https://lb/portal/portaladmin), it may end up on portal 1 or portal 2. Going through the machine URL directly ensures you know where the certificate is getting imported to. At 10.8, we've made improvements which will follow the logic in Server, where the Machines API of Portal has a new SSL Certificates resource. This is where you'll manage certificates for each machine rather than at the "site" level. Importing a certificate to trust into either machine will tell the other machine to trust it as well.
Thanks Jonathan, I am looking forward to 10.8!