ArcGIS Enterprise on development Server

AndreaB_ · ‎05-06-2024

Hi all,

I have successfully installed ArcGIS Enterprise 11.1 on a single machine on a Production server. It has GIS Server, Portal, Data Store (relational and tile cache), 2 web adaptors, and Image Server. It has a CA-signed Certificate on all of the apps and is open to the public through an F5 and using DNS address and Portal is configured to use a WebContext URL.

I am now setting up a GIS development server. I am going to install ArcGIS Enterprise 11.1. However, in dev I'm not going to have a CA-signed certificate, nor is it going to be open to the public through the F5 or have a DNS address.

So what are my steps in this scenario? For example, I am to the step that says "enable HTTPS on your web server" so in Prod I used the CA-signed certificate. What do I do here? Maybe I don't do this step?

And later when I used the DNS address in Prod, I think here I would just use the machine name.

I appreciate any help and ideas. Thanks!

A_Wyn_Jones · ‎05-08-2024

This is a good question - in your dev environment, you could skip this step but keep in mind that you may receive "unexpected behaviour" as per: https://enterprise.arcgis.com/en/portal/latest/administer/windows/scan-your-portal-for-security-best...

This may show itself as issues with printing secured content.

A workaround would be to import (on the dev client and Enterprise machine) either the default selfSignedCertificate or your own self-signed cert as shown in this article: https://enterprise.arcgis.com/en/server/latest/administer/windows/configuring-https-using-a-self-sig...

under the "Import the certificate into the OS certificate store" section.

Regarding DNS, as a workaround, you could use a host file like this on the Enterprise machine:

mymachine.dev.com 10.0.0.1

madeupDNS.dev.com 10.0.0.1

Make sure the ArcGIS Server doesn't rename itself to "madeupDNS.dev.com" https://developers.arcgis.com/rest/enterprise-administration/server/renamemachine.htm#:~:text=Versio....

Your client machine in dev would need a host file like this:

madeupDNS.dev.com 10.0.0.1

Then you can config Portal webcontextURL etc. I'm assuming you have 1 Enterprise machine and 1 Client machine in your dev - you would have to do this for every client machine which isn't ideal.

I'd urge you to make sure you have a test environment setup like your production - hosts files can introduce some weird and wonderful conditions which I try to avoid wherever possible.

In an ideal world, you would have another domain/subdomain for your dev environment and access to a CA certificate

"We've boosted the Anti-Mass Spectrometer to 105 percent. Bit of a gamble, but we need the extra resolution."

View solution in original post

A_Wyn_Jones · ‎05-23-2024

Hi @AndreaB_,

Sorry for the slow reply - it's not recommended to include your machine names as a SAN in your certificate. This will expose the machine names of your deployment and is generally a information security risk.

The cert with your friendly DNS alias should be configured with your web server solution (IIS and web adaptor for example) and should only certify https://myfriendlyDNS.domain.com/portal

If you want to certify machine endpoints e.g. https://myPortalmachine.domain.com:7443/arcgis/portaladmin then I would suggest creating another certificate for this endpoint which only includes the machine name on the certificate.

With the config I just explained above, you could use your wildcard certificate freely on your Web Server solution between dev, test and prod without having to worry about the SANs. You will have to maintain the certificates for the machine separately though - once you've done it a few times it becomes a very quick job 🙂

"We've boosted the Anti-Mass Spectrometer to 105 percent. Bit of a gamble, but we need the extra resolution."

View solution in original post

A_Wyn_Jones · ‎05-08-2024

This is a good question - in your dev environment, you could skip this step but keep in mind that you may receive "unexpected behaviour" as per: https://enterprise.arcgis.com/en/portal/latest/administer/windows/scan-your-portal-for-security-best...

This may show itself as issues with printing secured content.

A workaround would be to import (on the dev client and Enterprise machine) either the default selfSignedCertificate or your own self-signed cert as shown in this article: https://enterprise.arcgis.com/en/server/latest/administer/windows/configuring-https-using-a-self-sig...

under the "Import the certificate into the OS certificate store" section.

Regarding DNS, as a workaround, you could use a host file like this on the Enterprise machine:

mymachine.dev.com 10.0.0.1

madeupDNS.dev.com 10.0.0.1

Make sure the ArcGIS Server doesn't rename itself to "madeupDNS.dev.com" https://developers.arcgis.com/rest/enterprise-administration/server/renamemachine.htm#:~:text=Versio....

Your client machine in dev would need a host file like this:

madeupDNS.dev.com 10.0.0.1

Then you can config Portal webcontextURL etc. I'm assuming you have 1 Enterprise machine and 1 Client machine in your dev - you would have to do this for every client machine which isn't ideal.

I'd urge you to make sure you have a test environment setup like your production - hosts files can introduce some weird and wonderful conditions which I try to avoid wherever possible.

In an ideal world, you would have another domain/subdomain for your dev environment and access to a CA certificate

"We've boosted the Anti-Mass Spectrometer to 105 percent. Bit of a gamble, but we need the extra resolution."

AndreaB_ · ‎05-14-2024

Thank you so much! Exactly the info I needed. I'm going to proceed to set up a dev DNS and a CA certificate to use in dev.

Side question on that - for Prod we are using a * wildcard CA certificate for our whole domain (example *.address.org) with the GIS machine name added in the SAN. Do you think I could use that CA cert for Dev (it's going to be the same domain, for example, my prod is prod.address.org, and this would be dev.address.org)? also I read somewhere that you should have the GIS machine name listed in the SAN - but maybe don't need that? (If I do need that I'll need a new Cert just for dev listing the dev machine in SAN.)

Thanks!

A_Wyn_Jones · ‎05-23-2024

Hi @AndreaB_,

Sorry for the slow reply - it's not recommended to include your machine names as a SAN in your certificate. This will expose the machine names of your deployment and is generally a information security risk.

The cert with your friendly DNS alias should be configured with your web server solution (IIS and web adaptor for example) and should only certify https://myfriendlyDNS.domain.com/portal

If you want to certify machine endpoints e.g. https://myPortalmachine.domain.com:7443/arcgis/portaladmin then I would suggest creating another certificate for this endpoint which only includes the machine name on the certificate.

With the config I just explained above, you could use your wildcard certificate freely on your Web Server solution between dev, test and prod without having to worry about the SANs. You will have to maintain the certificates for the machine separately though - once you've done it a few times it becomes a very quick job 🙂

"We've boosted the Anti-Mass Spectrometer to 105 percent. Bit of a gamble, but we need the extra resolution."

AndreaB_ · ‎05-23-2024

Hi @A_Wyn_Jones ,

Good to know! I know I read somewhere, I think in Esri docs, that I should add the machine name as a SAN. But I wouldn't be able to find that now, I'm sure, and it could just be old advice.

I will use the wildcard cert on dev.

Thank you!