Community

Make Portal 10.5 use mutual authentication (PKI)

1543
2
05-30-2017 08:53 AM
by Anonymous User
Not applicable
‎05-30-2017 08:53 AM

When Portal makes web requests to other secure services (e.g. print task that calls a map service), it doesn't use the client cert loaded via /arcgis/portaladmin/security/sslCertificates.

It looks like Portal adds these certs to a keystore (C:\Program Files\ArcGIS\Portal\etc\ssl\portal.ks).  This keystore seems legit after testing it programmatically outside Portal to create a SSL context and make web requests with. 

Portal however isn't using them as a client with requests it makes.  Is this normal?

For example, in the ArcGIS Server logs for a Print gp task that is calling a secure map service, we get an error like:

A certificate is required to complete client authentication (WinINet ERROR_INTERNET_CLIENT_AUTH_CERT_NEEDED, 12044), URL = <SECURE_MAP_SERVICE_BEHIND_WEBTIER_AUTH>

Tags (3)
2 Replies
by Anonymous User
Not applicable
‎05-30-2017 12:52 PM

The closest post on this seems to be https://community.esri.com/message/655741-push-json-to-an-external-website-adapter-does-not-work-if-... where MBramer-esristaff‌ mentions HTTPS connections requiring client certificates. 

0 Kudos
by Anonymous User
Not applicable
‎06-05-2017 12:24 PM

After some investigation I found the ARCGIS_JAVA_OPTS environment variable in C:\Program Files\ArcGIS\Portal\framework\runtime\tomcat\bin\catalina.bat. 

Including the following JVM settings made Portal use the client PKI cert in the keystore:

ARCGIS_JAVA_OPTS = -Djavax.net.ssl.keyStore="C:\Program Files\ArcGIS\Portal\etc\ssl\portal.ks -Djavax.net.ssl.keyStoreType=jks -Djavax.net.ssl.keyStorePassword=* -Djavax.net.ssl.trustStore=* -Djavax.net.ssl.trustStorePassword=*
0 Kudos