Making backups with PSA Disabled: How?

225
4
09-20-2017 07:55 AM
ThomasColson
MVP Frequent Contributor

So we're required to follow all of the ArcGIS Server Security "Best Practices", which include disabling the PSA account...which now results in Back up and restore your ArcGIS Server site configuration—ArcGIS Server Administration (Windows) | A...  no longer working, as it complains that either the u and p is missing when I don't include, or when I do include it, fails and complains they're wrong. Anybody else have a work-around for this? Some .py code that will enable, then disable, the PSA as part of the routine?

0 Kudos
4 Replies
JakeSkinner
Esri Esteemed Contributor

Hi Thomas,

Below is a python snippet you can use to enable/disable the PSA:

import urllib, urllib2, json

username = "agsAdmin"
password = "gis12345"

# Generate token
tokenURL = 'http://<server.domain.com>:6080/arcgis/admin/generateToken/'
params = {'f': 'pjson', 'username': username, 'password': password, 'client': 'requestip'}
req = urllib2.Request(tokenURL, urllib.urlencode(params))
response = urllib2.urlopen(req)
data = json.load(response)
token = data['token']

# Enable PSA
psaURL = 'http://<server.domain.com>:6080/arcgis/admin/security/psa/enable'
params = {'f': 'pjson', 'token': token}
req = urllib2.Request(psaURL, urllib.urlencode(params))
response = urllib2.urlopen(req)
data = json.load(response)
print(data)

# Disable PSA
psaURL = 'http://<server.domain.com>:6080/arcgis/admin/security/psa/disable'
params = {'f': 'pjson', 'token': token}
req = urllib2.Request(psaURL, urllib.urlencode(params))
response = urllib2.urlopen(req)
data = json.load(response)
print(data)
0 Kudos
ThomasColson
MVP Frequent Contributor

Thanks, but there's a catch: to generate a token you need a user name and pw....and if the PSA is initially disabled, using the PSA login results in "

Failed to log in. Invalid username or password specified."

when trying to generate a token. BTW, this is in an https-only, Windows Active Directory-Web Adapter only, environment. 

0 Kudos
JakeSkinner
Esri Esteemed Contributor

You should be able to use another account that is part of your Administrator group to generate the token.  Are you using web tier authentication?

0 Kudos
ThomasColson
MVP Frequent Contributor

Yes, but the problem continues...can't "bake" AD login credentials into a .py that's tied to Windows Task Scheduler, can't add a service account to the admin role, all AD logins are by PIV-card only....the real solution here would be to create a "Backup" role in the ArcGIS Server web-tier security scheme, and allow site backups to be triggered by service accounts coming from AD, not a PSA. I can easily generate a token at the admin interface, but the backup scripts are running nightly, automated. This was working fine 'till I started paying attention to the "Highly Secure" doc. 

0 Kudos