How many CA Certificates do I need?

05-26-2017 08:04 AM
JanieGoddard
Occasional Contributor III

I have a forward facing web server with a web adaptor for Portal and a second web adaptor for ArcGIS Server.

I have a server behind the firewall with both Portal and ArcGIS Server on it. My security is allowing anonymous and both HTTP and HTTPS on both Portal and ArcGIS Server.

So I understand I need a CA certificate on the forward facing web server. So do I need a CA certificate on the internal server on each Portal and ArcGIS Server? Or do I need just one CA certificate on the internal server?

I also don’t understand whether, when you bind the certificate, you bind it to the Default web site or the actual site for each Portal and again on Server?

Thanks,

Janie

9 Replies
DerekLaw
Esri Esteemed Contributor

Hi Janie,

Your question is a little confusing. First you say,

> I have a server behind the firewall with both Portal and ArcGIS Server on it.

This implies both are installed on the same machine. But then you say,

> So do I need a CA certificate on the internal server on each Portal and ArcGIS Server?

Which implies they are on separate machines? Can you please clarify?

FYI, in general you would enable a CA certificate on the external facing web server where your web adaptors are installed. This could include both the web adaptor for the GIS Server and for Portal.

On this statement,

> I also don’t understand whether, when you bind the certificate, you bind it to the Default web site or the actual site for each Portal and again on Server?

You would bind it to the 'Default web site' where both web adaptors for the GIS Server and Portal are installed.

Hope this helps,

0 Kudos
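
One way to carry out the binding described in the reply above on the external web server, as an added example (not code from the thread or from Esri): it checks the certificate before binding it to the Default Web Site that hosts both web adaptors. The host name and thumbprint are placeholders, and it assumes the certificate is already installed in the `LocalMachine\My` store and that the site has at most one HTTPS binding on port 443.

```powershell
# Added example: host name and thumbprint are placeholders, not values from the thread.
Import-Module WebAdministration

$SiteName   = 'Default Web Site'      # site that hosts both web adaptors
$PublicHost = 'gis.example.com'       # placeholder: public host name clients will use
$Thumbprint = '<CERT-THUMBPRINT>'     # placeholder: thumbprint of the CA-issued certificate

# Load the certificate from the machine store; stop if it is not installed.
$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

# Pre-flight checks: refuse to bind a certificate that clients would reject.
$problems = @()
if (-not $cert.HasPrivateKey)       { $problems += 'no private key in the machine store' }
if ($cert.Subject -eq $cert.Issuer) { $problems += 'self-signed (subject equals issuer)' }
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    $problems += 'outside its validity period'
}
# Exact-name match only; a wildcard certificate needs its own comparison.
if ($cert.DnsNameList.Unicode -notcontains $PublicHost) {
    $problems += "subject alternative names do not list $PublicHost"
}
if ($problems) { throw "Not binding ${Thumbprint}: $($problems -join '; ')" }

# Create the HTTPS binding on the site if it does not exist yet.
$binding = Get-WebBinding -Name $SiteName -Protocol https -Port 443
if (-not $binding) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*'
    $binding = Get-WebBinding -Name $SiteName -Protocol https -Port 443
}

# Attach the certificate, replacing any different one already on the binding.
if ($binding.certificateHash -ne $cert.Thumbprint) {
    if ($binding.certificateHash) { $binding.RemoveSslCertificate() }
    $binding.AddSslCertificate($cert.Thumbprint, 'My')
}

# Show the result so the bound thumbprint can be compared with the intended one.
Get-WebBinding -Name $SiteName -Protocol https |
    Select-Object protocol, bindingInformation, certificateHash
```

Because both web adaptors are applications under the same site, the single binding serves both of them.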
JanieGoddard
Occasional Contributor III

Hi Derek,

Thanks so much for answering!

To clarify: yes, both Portal and Server are on the same server machine behind the firewall. My confusion is as to whether the CA Certificate is put on each product or on the Default website of the server they are both on. That is my confusion.

So your answers are, as I understand it, that I need one CA Certificate on the external facing web server where my two web adaptors are. I bind it to the Default Web Site. This takes care of both web adaptors.

So I don't need a CA Certificate on the internal web server that houses both Portal and ArcGIS Server?

Thanks,
Janie

0 Kudos
DerekLaw
Esri Esteemed Contributor

Hi Janie,

Thanks for the clarification.

> So I don't need a CA Certificate on the internal web server that houses both Portal and ArcGIS Server?

From a technical implementation perspective, no. You should be all set and your Portal-GIS Server deployment should work fine.

However, personally - when I do a set-up, I like to import the CA certificate into both Portal and the GIS Server's internal web servers. This is NOT a requirement, but a personal preference. Also, I typically have the web server (with the web adaptors), GIS Server, and Portal all running on the same machine - so I only have to get 1x CA certificate.

It sounds like in your case you would need 2x CA certificates: one for the external web server (hosting your web adaptors), and the other for the machine with both Portal and the GIS Server installed.

Hope this helps,

JanieGoddard
Occasional Contributor III

Hi Derek,

Thanks! I'm going to try to get the two certificates. One for the Web Server with the web adaptors and the second one for the internal server with Portal and Server on it. I'm also planning on federating the server and using that server as the hosting server.

Thanks,
Janie

0 Kudos
JanieGoddard
Occasional Contributor III

Hi Derek,

You said:

> Also, I typically have the web server (with the web adaptors), GIS Server, and Portal all running on the same machine - so I only have to get 1x CA certificate.

So all of this is on the forward facing web server isn't it?

Where is your SQL Server in this setup? On the forward facing server or an internal server?

I'm trying to use Enterprise Builder to install Enterprise 10.6.1 on a new machine.

Thanks,
Janie

0 Kudos
DerekLaw
Esri Esteemed Contributor

Hi Janie,

> So all of this is on the forward facing web server isn't it? Where is your SQL Server in this setup? On the forward facing server or an internal server?

I'm not clear on what you're asking. In my case, all of the ArcGIS Enterprise components are installed on a single machine - not sure what you mean by "forward facing web server". Also, what do you mean by SQL Server? For an enterprise geodatabase that powers your web services? Or something else?

> I'm trying to use Enterprise Builder to install Enterprise 10.6.1 on a new machine

You're following the steps here, right?

ArcGIS Enterprise Builder configuration after installation—ArcGIS Enterprise Builder Installation Gu...

Hope this helps,

0 Kudos
JanieGoddard
Occasional Contributor III

Hi Derek,

Yes, SQL Server is what I'm using with the Enterprise Geodatabase to power my web services. I'm putting it on an internal server behind the firewall.

I'm wanting to use Enterprise Builder 10.6.1 to load all my ArcGIS Software on a single web server. The Windows web server, that has IIS on it, is in a DMZ. Using the Enterprise Builder, I would load the two web adaptors, ArcGIS Enterprise (server), ArcGIS Portal, and the Data Store on this web server. I have my CA SSL certificate too.

Yes, that is the documentation I'm using. I love the Enterprise Builder. It makes it so easy to install and make all the components configured correctly in one task.

Thanks,

Janie

0 Kudos
DerekLaw
Esri Esteemed Contributor

Hi Janie,

Apologies for the late reply. I have been out of the office on business travel the last several weeks.

Thanks for the clarification. Ok, so going back to your original questions:

> So all of this is on the forward facing web server isn't it? ... Where is your SQL Server in this setup? On the forward facing server or an internal server?

In my case, all components of ArcGIS Enterprise are installed on a single machine - which would be the forward facing web server. My enterprise geodatabase is also running on the same machine.

> I'm wanting to use Enterprise Builder 10.6.1 to load all my ArcGIS Software on a single web server.

In your case, you could still import the security certificate into both Portal for ArcGIS and the GIS Server - even if they are on the same machine.

Hope this helps,

JanieGoddard
Occasional Contributor III

Hi Derek,

Thanks for your answer. That clears up a lot!

Janie