Not Secure connection in ArcGIS Server

1692
4
Jump to solution
10-05-2017 06:52 AM
MohammadrezaNikfal1
Occasional Contributor

Is it possible to change the secure connection via HTTPS to ArcGIS server and converts it to HTTP? I need to make "HTTP" REST Connection. Every time I get "Not secure" warning in chrome as follows:

0 Kudos
1 Solution

Accepted Solutions
RandallWilliams
Esri Regular Contributor

I think I understand - your web service is actually accessible via both HTTP and HTTPS, but server manager states that the endpoint is HTTPS. That's because Server Manager is accessed via HTTPS, so the endpoint is being reported back in kind. If you're able to access ArcGIS Server Manager on http://server.domain.com:6080/arcgis/manager, then I'm pretty sure that the REST endpoints will be displayed using HTTP in the Capabilities tab. In any event, from what you've written above it sounds like the HTTP endpoint for your web services is accessible, regardless of what server manager is advertising.

The service itself is actually available over HTTP. If you REALLY want server manager to report the service endpoint as only http all the time, and you're willing to accept the risk that comes along with it, you can disable HTTPS completely by following the instructions here:

http://server.arcgis.com/en/server/10.3/administer/windows/configuring-https-only-using-the-default-...

Under "Step 3: Enable SSL for your site", instead of HTTPS_ONLY, you'd select HTTP_ONLY.

View solution in original post

0 Kudos
4 Replies
RandallWilliams
Esri Regular Contributor

What outcome are you after?

In the example screenshot you have above, you're making a connection over HTTPS, but for whatever reason your certificate isn't trusted. Out of the box, this is because ArcGIS Server uses a self-signed certificate for HTTPS, and by definition self-signed certs aren't trusted. By default, ArcGIS Server supports both HTTP and HTTPS connections. Note that while you're getting a 'Not Secure' message in your browser, switching to HTTP would actually be LESS secure because sensitive information is being sent over plain text. Any endpoint where sensitive information (like usernames and passwords) are passed should be accessed over HTTPS.

With that said, unless the GIS Server has been configured to require HTTPS connections, you can reach the server over plain text at http://server.domain.com:6080/arcgis/rest.

The BEST guidance that can be provided would be to obtain a certificate signed by a well known certificate authority, install it on your web server, and configure the web adaptor. That way you'll have a valid, trusted certificate that won't cause your browser to show messages like the one you're describing and at the same time you'll improve your security posture.

0 Kudos
MohammadrezaNikfal1
Occasional Contributor

Thank you sir,

I checked the 6080 port and That works. Is it possible to config the ArcGIS server to produce 6080 REST web address? In my case, in the "Capabilities" tab, there is just HTTPS REST URL.

0 Kudos
RandallWilliams
Esri Regular Contributor

I think I understand - your web service is actually accessible via both HTTP and HTTPS, but server manager states that the endpoint is HTTPS. That's because Server Manager is accessed via HTTPS, so the endpoint is being reported back in kind. If you're able to access ArcGIS Server Manager on http://server.domain.com:6080/arcgis/manager, then I'm pretty sure that the REST endpoints will be displayed using HTTP in the Capabilities tab. In any event, from what you've written above it sounds like the HTTP endpoint for your web services is accessible, regardless of what server manager is advertising.

The service itself is actually available over HTTP. If you REALLY want server manager to report the service endpoint as only http all the time, and you're willing to accept the risk that comes along with it, you can disable HTTPS completely by following the instructions here:

http://server.arcgis.com/en/server/10.3/administer/windows/configuring-https-only-using-the-default-...

Under "Step 3: Enable SSL for your site", instead of HTTPS_ONLY, you'd select HTTP_ONLY.

0 Kudos
MohammadrezaNikfal1
Occasional Contributor

Also, my job is an academic project, so security is not critical.

0 Kudos