Creating SSL Certificates for ArcGIS Server - do I need to use AGS Admin Interface

11-28-2012 01:16 PM
by Anonymous User
Not applicable
ESRI documentation indicates how to generate SSL certificates via its admin interface. Can I assume there are no issues creating certificates using IIS (assuming you have IIS on each of your GIS servers)?

Brad
PeterBuwembo
Esri Contributor
Yes, you do need to use the admin interface to create a certificate, then generate a CSR for that cert and submit it for signing to the Organization's CA. The SSL certificate requested from IIS will only work for IIS and you will not be able to import it into ArcGIS Server, as this is known to fail. If you happen to do this somehow, you will then not be able to publish anything or start services with this cert in place.

If you are not planning on exposing the ArcGIS server directly to the outside of your organization then you can use the selfSigned SSL cert. that comes with Server 10.1. Install the web adaptor on the IIS server and configure IIS to use the true valid SSL cert from your CA. As long as the communication from web adaptor to ArcGIS server has SSL through and through, you should be fine.

I hope this information is helpful.
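A check for the two-tier layout described in the reply above, added here as an example (it is not from this thread or from Esri): it reads the certificate bound to the IIS https binding on the Web Adaptor host and the one ArcGIS Server presents on 6443, so you can confirm that each tier has its own certificate and that the public-facing one is not the self-signed default. The site name and GIS host name are placeholders.

```powershell
# Added example (not from this thread or from Esri): inspect the certificate on each tier
# of the layout Peter describes. Assumes it runs on the IIS/Web Adaptor host and that
# ArcGIS Server answers HTTPS on 6443; the site name and GIS host name are placeholders.
param(
    [string]$WebSite = 'Default Web Site',        # IIS site hosting the Web Adaptor
    [string]$GisHost = 'gisserver.example.local', # placeholder ArcGIS Server host
    [int]$GisPort    = 6443
)
Import-Module WebAdministration

function Get-RemoteCertificate {
    param([string]$HostName, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any chain here: the point is to inspect the GIS-tier certificate, which
        # may be Esri's self-signed default, not to trust it.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
}

function Describe-Certificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Tier)
    [pscustomobject]@{
        Tier       = $Tier
        Subject    = $Cert.Subject
        Issuer     = $Cert.Issuer
        SelfSigned = ($Cert.Subject -eq $Cert.Issuer)   # self-signed certs are their own issuer
        Expires    = $Cert.NotAfter
        Thumbprint = $Cert.Thumbprint
    }
}

# Web tier: the certificate bound to the site's https binding, looked up in the machine store
$binding = Get-WebBinding -Name $WebSite -Protocol https | Select-Object -First 1
if (-not $binding) { throw "No https binding on '$WebSite'; enable SSL on the IIS site first." }
$iisCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $binding.certificateHash }
if (-not $iisCert) { throw "Certificate $($binding.certificateHash) not found in LocalMachine\My." }
$web = Describe-Certificate -Cert $iisCert -Tier 'IIS / Web Adaptor'

# GIS tier: whatever ArcGIS Server presents on its HTTPS port
$gis = Describe-Certificate -Cert (Get-RemoteCertificate -HostName $GisHost -Port $GisPort) -Tier 'ArcGIS Server'

$web, $gis | Format-Table -AutoSize
if ($web.SelfSigned) { Write-Warning 'The IIS certificate is self-signed; browsers outside the organization will not trust it.' }
if ($web.Thumbprint -eq $gis.Thumbprint) { Write-Warning 'Both tiers present the same certificate; each tier is expected to have its own.' }
if ($gis.Expires -lt (Get-Date)) { Write-Warning 'The ArcGIS Server certificate has expired.' }
```

Run it from an elevated PowerShell session on the web server; if the GIS tier reports the self-signed default while the web tier shows your CA-issued certificate, the setup matches the arrangement described above.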
by Anonymous User
Not applicable
Pete,

You indicate a certificate generated from IIS is 'known to fail'. Is this by design or a bug?

Re web adaptor & trusted CA issued cert - presumably this cert could originate via IIS as opposed to ArcGIS Admin? Or again, are you forced to go through the admin interface? Furthermore, on a deployment scenario with multiple web servers (with web adaptors/load balanced), presumably one can share the cert with a similar common name across each? Or are you again forced to have unique certs per web server (with web adaptors)...

Hopefully I've explained myself clearly enough...

Brad
MartinRick
Occasional Contributor II
Hi there,

After installing my ArcGIS Server 10.1 on a Windows 7 machine I also configured the WebAdaptor with the IIS in order to have a single point of entrance to the Server Site. Everything is just fine for HTTP.

But now I would like to use SSL as well, which should be possible with the WebAdaptor according to the resource center:

http://resources.arcgis.com/en/help/main/10.1/index.html#//015400000600000000

The final chapter of the article deals with the SSL configuration on the WebAdaptor and here I run into trouble. Is it possible to use the default SSL certificate (selfSignedCertificate) with the IIS 7 in order to enable SSL? This is the first step in the instructions and since the IIS does not accept .cer-files as certificates, I have actually no idea how to get to the point that the user can use the WebAdaptor-URL to enter the AGS Manager or the REST service directory.

For testing purposes it would be great to get some instructions on how to use a self-signed certificate to enable SSL while using the WebAdaptor.

Regards,

Martin

P.S. By the way, it would be great to get some more information on which Authentication tier has to be used in the admin connection security configuration: GIS_SERVER vs WEB_ADAPTOR
ZacharyHart
Occasional Contributor III
Martin, I've been through a near exact scenario you are dealing with at the release of 10.1 some time back (the only difference being that we were having the certificate countersigned by a CA); the documentation is a bit vague at the point of IIS. Regarding your specific situation, did you look at the security tutorial here?: http://resources.arcgis.com/en/help/main/10.1/index.html#/Enabling_SSL_using_the_default_self_signed...

The order of operations is important. At the end, you will essentially re-register your GIS server with the web adaptor (web adaptor config from start menu) but will supply something like https://(machine name or FQDN):6443 [my apologies if you were already aware of that].

As you correctly point out, there isn't any way for IIS to import any export from the GIS server, at least no way that we found even after importing the CA signed certificate to the windows certificate manager. Our solution was to secure our web-server with a different CA signed certificate. You need to configure your web site for SSL as well; let me know what problems you're running into.

Lastly, I presume your question about authentication tier is referring to the configuration on your admin site home>security>config>update

Your authentication tier has to do with how you've configured your security: at your GIS server (Token based/built-in) or at the web-tier (in your case IIS/windows based authentication). The current configuration on your admin site should simply be a reflection of that. Perhaps someone else could shed some light on why you would want to change it at that level.

Brad, my takeaway from all of the endeavors in getting our site secured is that we need to look at the web server and GIS server independently and therefore each as being capable of only generating and importing certificates which originate from itself. So for your web server it must originate from IIS. Let me know if you find the exact answer regarding sharing the cert from one web-server to another (might be possible if they are exactly the same?) as the answer will likely come from your IT and not ESRI.
MartinRick
Occasional Contributor II
Hi Zachary,

thank you very much for the quick reply. Since I do not have a countersigned certificate, I would like to explain the architecture briefly. My question in this context is if it is possible to use the SSL secured communication through the WebAdaptor with a self-signed certificate.
Since this is only a testing machine, the WebAdaptor and the ArcGIS Server run on the same machine, which is a notebook with Windows 7. So the idea is that the IIS Webserver uses the default self-signed certificate from the ArcGIS Server as well.
In this scenario there would be no need for a second certificate, which means the IIS WebServer loops through the self-signed certificate directly to the ArcGIS Server.

Regards,
Martin
ZacharyHart
Occasional Contributor III
I don't think you can enable SSL on the GIS server without configuring your web server to be SSL enabled. So you're going to have to configure IIS7 to be SSL enabled: http://www.iis.net/learn/manage/configuring-security/how-to-set-up-ssl-on-iis

My question in this context is if it is possible to use the SSL secured communication through the WebAdaptor with a selfsigned certificate

Yes, you can and the tutorials clearly suggest this.

Regardless of the web server and GIS server being on the same device, you need to think about them as separate servers... the web adaptor provides a means for the web server to 'talk' to the GIS server. I do not believe there is any way to use the certificate generated from AGS as your IIS/web site's certificate; there isn't any means for it to be imported.

Did you follow the steps in the tutorial I linked to in my other post?
by Anonymous User
Not applicable
I can confirm I have a trusted CA cert on IIS (web adaptor) with self-signed (via ags admin interface) running on the GIS servers (all very straight fwd in the end, just register your cert against IIS & your web adaptor install will recognise the availability of port 443). We also have a reverse proxy in our DMZ (note we are using an alternative to those documented by ESRI, namely http://managedfusion.com/products/url-rewriter/). An outstanding query of mine is HOW you config ags not to use port 6080/6443 for communication to the GIS servers (documentation infers this is the case but I'm now not sure this actually is the case beyond the web server (adaptor) tier).

More details to follow when time permits... Brad
ZacharyHart
Occasional Contributor III
Brad, can you please confirm that your 2 certificates were generated independently? One from AGS, and the other from IIS.
MartinRick
Occasional Contributor II
Hi Brad and Zachary,

If I understand you right, you have to use a trusted certificate on your Web Server which is independent from the self-signed certificate created by the AGS.

This is no problem, I just wanted to know if the self-signed certificate from the AGS is theoretically usable as the only certificate when using the webAdaptor.

Furthermore it would be interesting if it is possible to use the self-signed certificate from the IIS instead.

Finally, if none of the self-signed versions work it is still possible to generate a certificate with the IIS Manager (http://support.microsoft.com/kb/228991) or purchase a trusted certificate from a CA.

Martin