Differences between Portal HA machines

10-06-2019 08:18 PM
GillPaterson
New Contributor III

I am troubleshooting some issues and came across differences between machines in our Portal HA and am wondering how to "sync" or force the one I think is correct to update the other.

When I go to machine1/arcgis/portaladmin/security/sslCertificate I have two certificates with one missing (machine one is standby)

When I go to machine2/arcgis/portaladmin/security/sslCertificates I have the correct three certificates (machine two is primary)

(In a testing environment the same issue exists but the one with the correct certificates is the standby machine)

There is also a question of what else is different that I cannot see. At this stage the index is the same.

I am thinking that a "sync" button to force the config on each machine to update will fix the issue? or something similar?

I didn't want to just add in the missing certificate to the first machine in case there were other differences that I wasn't aware of.

8 Replies
JonathanQuinn
Esri Notable Contributor

The certificates within a highly available portal are maintained separately on each portal machine. The sslCertificates API can return different certificates depending on if you've imported different certificates to each machine. Each machine should trust root or intermediate certificates in any certificate chain that Portal is making requests to:

Configuring the portal to trust certificates from your certifying authority—Portal for ArcGIS (10.7 ... 

GillPaterson
New Contributor III

Thanks Jonathan. So just to clarify, it isn't an indication that one machine has lost its sync with the shared config? As we have an automated deployment, I am sure that the certificates would have been applied on install to each machine. I will double check, but can I ask if there is a known circumstance where a machine 'loses' a certificate?

JonathanQuinn
Esri Notable Contributor

No, it's not, and I haven't heard of a situation where one of the machines will lose a certificate outside of an administrator deleting it. Are you using Chef to deploy the environment?

GillPaterson
New Contributor III

Yes, we are using PowerShell and Chef.

ChrisAdams
Esri Contributor

Hi Gill,

I noticed this when deploying portal HA with Chef. See #62 for more information.

GillPaterson
New Contributor III

Thanks Chris. I am not sure if there are any consequences of the certificates missing from one of the Portal machines. We are about to do full HA/DR testing so we might find out then.

JonathanQuinn
Esri Notable Contributor

The only consequence is that machine won't trust the same URLs that the other machine does. At 10.7.1 and earlier, you need to import any certificates into each machine via https://<portal machine>:7443/arcgis/portaladmin to ensure you know where the certificate goes. If you do it through the LB (https://lb/portal/portaladmin), it may end up on portal 1 or portal 2. Going through the machine URL directly ensures you know where the certificate is getting imported to. At 10.8, we've made improvements which will follow the logic in Server where the Machines API of Portal has a new SSL Certificates resource. This is where you'll manage certificates for each machine rather than at the "site" level. Importing a certificate to trust into either machine will tell the other machine to trust it as well.
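
Because each machine keeps its own trust store at 10.7.1 and earlier, the stores can drift apart as described in this thread. The following Python check is an added example, not part of the original posts and not Esri code: it compares certificate aliases and fingerprints collected from each portal machine and reports what is missing or different. The machine names, aliases and fingerprints are constructed sample values, and how the inventory is collected from each machine is left to the administrator.

```python
from collections import defaultdict


def trust_store_drift(stores):
    """Compare per-machine certificate inventories.

    stores: {machine: {alias: fingerprint}}  (hypothetical input shape)
    Returns (missing, mismatched):
      missing    -> {machine: sorted aliases found on another machine but not here}
      mismatched -> sorted aliases whose fingerprint differs between machines
    """
    # Normalise fingerprints so "AA:11" and "aa11" compare equal.
    norm = {
        machine: {alias: fp.replace(":", "").replace(" ", "").lower()
                  for alias, fp in certs.items()}
        for machine, certs in stores.items()
    }
    seen = defaultdict(set)  # alias -> every fingerprint seen for it
    for certs in norm.values():
        for alias, fp in certs.items():
            seen[alias].add(fp)

    missing = {}
    for machine, certs in norm.items():
        gap = sorted(set(seen) - set(certs))
        if gap:
            missing[machine] = gap
    # Same alias, different certificate: a drift an alias-only listing hides.
    mismatched = sorted(a for a, fps in seen.items() if len(fps) > 1)
    return missing, mismatched


# Constructed sample inventory: the standby has two entries, the primary three.
SAMPLE = {
    "machine1": {"portal": "AA:11", "corp-issuing-ca": "BB:22"},
    "machine2": {"portal": "aa11", "corp-issuing-ca": "BB:22",
                 "corp-root-ca": "CC:33"},
}

if __name__ == "__main__":
    missing, mismatched = trust_store_drift(SAMPLE)
    for machine, aliases in missing.items():
        print(f"{machine} is missing: {', '.join(aliases)}")
    print("aliases with differing certificates:", mismatched or "none")
```
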

GillPaterson
New Contributor III

Thanks Jonathan, I am looking forward to 10.8!
