Portal proxy gives a 500 error when trying to list Relational Data Stores from GIS Server

5043
4
Jump to solution
12-18-2017 09:33 PM
LucasScharenbroich
Occasional Contributor

I reinstalled a Relational Data Store for a Base Enterprise 10.5.1 deployment and Portal does not appear to be able to find the registered Managed Database.  When loading a Portal page, it attempts to query ArcGIS Server for a list of managed databases via the Portal proxy page (<webadapter>/sharing/proxy) but the proxy is giving an HTTP 500 error.

Trying to load the proxy page directly in a browse shows a 403 tomcat error page.

Stripping the proxy and attempting to query the ArcGIS Server REST endpoint directly returns the expected result

Looking for any suggestion on resolving this problem.

0 Kudos
1 Solution

Accepted Solutions
JonathanQuinn
Esri Notable Contributor

If you're using a wildcard certificate from a domain signing authority, you need to configure Portal to trust the root domain certificate:

Configuring the portal to trust certificates from your certifying authority—Portal for ArcGIS (10.5.... 

The problem is that Portal will attempt to validate *.domain.com against the host of the services URL, services.domain.com.  Since it doesn't match exactly, it checks the domain certificate.  Since it doesn't trust the root certificate, the request fails.  Once you import the root certificate into Portal, then you shouldn't have a problem.

View solution in original post

4 Replies
JonathanQuinn
Esri Notable Contributor

What version is this?  Do you see any errors in the portal logs?  You won't be able to load the proxy page in a browser yourself as it expects certain headers which are sent by Portal itself, but not by your browser when opening the full URL manually.

0 Kudos
LucasScharenbroich
Occasional Contributor

This is running 10.5.1.  The errors in the log file say that the SSL certificate could not be validated, but unclear what the exact issues is.  We have the same wildcard certificate installed on Portal, Server, the Data Store and the Web Adaptors.

Error. sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.

It seems the way to fix this is to get the right certificates into the underlying Java keystore. Not too keen on doing this manually if there's a process that I can execute at the portal level to make this work.

Would un-federating and re-federating the ArcGIS Server be a way forward here? This is a test environment, so there are not too many services that would need to be re-shared.

0 Kudos
JonathanQuinn
Esri Notable Contributor

If you're using a wildcard certificate from a domain signing authority, you need to configure Portal to trust the root domain certificate:

Configuring the portal to trust certificates from your certifying authority—Portal for ArcGIS (10.5.... 

The problem is that Portal will attempt to validate *.domain.com against the host of the services URL, services.domain.com.  Since it doesn't match exactly, it checks the domain certificate.  Since it doesn't trust the root certificate, the request fails.  Once you import the root certificate into Portal, then you shouldn't have a problem.

LucasScharenbroich
Occasional Contributor

Bingo!

We had a GoDaddy intermediate bundle for IIS in p7b format that Portal was unable to import.  I retrieved the .crt intermediate certificate bundle from the GoDaddy certificate Repository and was able to import that successfully.

Trust is working as expected now and Portal is showing "Feature Layer" and "Tile Layer" as item options under the "Create" drop-down menu in the My Content page as expected.

Many Thanks! 

0 Kudos