Portal 10.6.1 fails to load CA-signed Server certificates (portaladmin)
After configuring a Portal 10.6.1 machine from scratch, we have tried to load a CA-signed Server certificate through /portaladmin, but it fails and there is no error message to be found anywhere. The web interface just plainly returns without an error.
Via ProcMon we have found that the loading process is started as:
"C:\Program Files\ArcGIS\Portal\framework\runtime\jre\bin\keytool.exe" -importkeystore -noprompt -destalias esrinl.com -destkeystore "C:\Program Files\ArcGIS\Portal\etc\ssl\portal.ks" -deststorepass portal.secret -srckeystore C:\Users\SVC-PO~1\AppData\Local\Temp\3f197469-451d-43a8-a642-af05d4b496c234558828440621475899837007361998\Q:EWI__Crypto__Certificatesesrinl.com.p12 -srcstoretype PKCS12 -srcstorepass ******** -srcalias *.esrinl.com -destkeypass ******** -deststoretype JKS -J-Duser.language=en
Looking closely, the p12 container is temporarily stored under $env:TEMP ... having in its name "Q:" ... and obviously this is not possible, as ProcMon states:
<event>
<ProcessIndex>785</ProcessIndex>
<Time_of_Day>09:08:22.7509261</Time_of_Day>
<Process_Name>keytool.exe</Process_Name>
<PID>42652</PID>
<Operation>QueryDirectory</Operation>
<Path>C:\Users\svc-portal\AppData\Local\Temp\6c8dcf85-ca76-44b4-bcd0-cc64e17cc657678222220559960898291853642410002\Q:EWI__Crypto__Certificatesesrinl.com.p12</Path>
<Result>NAME INVALID</Result>
<Detail>Filter: Q:EWI__Crypto__Certificatesesrinl.com.p12</Detail>
</event>
Our solution? Just use a line like:
"C:\Program Files\ArcGIS\Portal\framework\runtime\jre\bin\keytool.exe" -importkeystore -noprompt -destalias esrinl.com -destkeystore "C:\Program Files\ArcGIS\Portal\etc\ssl\portal.ks" -deststorepass ******** -srckeystore Q:\EWI\__Crypto__\Certificates\esrinl.com.p12 -srcstoretype PKCS12 -srcstorepass ******** -srcalias "*.esrinl.com" -destkeypass portal.secret -deststoretype JKS
And the value of "-srcalias" is the CommonName (CN) of the certificate.
Edgar.
Just forgot to mention a simple step: run the latter keytool command in a CMD box as Administrator.
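The temp file name in the capture above is the original client path with its backslashes stripped (compare Q:\EWI\__Crypto__\Certificates\esrinl.com.p12 with Q:EWI__Crypto__Certificatesesrinl.com.p12), so the uploaded file name still carried its drive letter and colon. The Python below is an added triage helper, not part of this thread or of Portal: it pulls the failing keytool path out of a ProcMon XML export (a constructed event modelled on the one quoted above), flags the path component that still carries a drive spec, and shows the basename-only name a server should store for an upload. All function names are my own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed ProcMon event, modelled on the capture quoted in the post above.
SAMPLE_EVENT = """<event>
<Process_Name>keytool.exe</Process_Name>
<Operation>QueryDirectory</Operation>
<Path>C:\\Users\\svc-portal\\AppData\\Local\\Temp\\6c8dcf85-ca76-44b4-bcd0-cc64e17cc657\\Q:EWI__Crypto__Certificatesesrinl.com.p12</Path>
<Result>NAME INVALID</Result>
</event>"""

# "X:" is only legal as the very first component of a Windows path.
DRIVE_SPEC = re.compile(r"^[A-Za-z]:")


def failed_keytool_paths(procmon_xml):
    """Return the <Path> of every keytool.exe event that ended in NAME INVALID."""
    root = ET.fromstring(procmon_xml)
    return [
        ev.findtext("Path")
        for ev in root.iter("event")  # root itself when the export is one <event>
        if ev.findtext("Process_Name") == "keytool.exe"
        and ev.findtext("Result") == "NAME INVALID"
    ]


def mangled_component(path):
    """Return the first non-leading component that carries a drive spec, else None.

    A drive spec inside %TEMP% means the server wrote the client-supplied file
    name (still holding its client-side path) straight into the temp directory.
    """
    for part in path.split("\\")[1:]:
        if DRIVE_SPEC.match(part):
            return part
    return None


def stripped_path_matches(mangled, original):
    """True if `mangled` is exactly `original` with all backslashes removed."""
    return mangled == original.replace("\\", "")


def safe_upload_name(name):
    """Reduce an uploaded file name to its final component: no directories,
    no drive spec, no leading dots. This is the name the server should store."""
    base = re.split(r"[\\/]", name)[-1]
    base = DRIVE_SPEC.sub("", base)
    return base.lstrip(".")
```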
There have been issues with certain characters in certificates causing problems during importing. I would contact Support and provide them information about your certificate. At the very least, Portaladmin should be returning meaningful error messages.
This issue has already been logged as BUG-000112506 and is unique to Edge or Internet Explorer when the portaladmin url is in the 'Local Intranet' security zone. There are a few workarounds until this issue gets addressed. One is to use a different browser. Another is to adjust the Internet Explorer options so the portaladmin url is not considered part of the 'Local Intranet' security zone. A third is to access the .pfx file using a UNC path instead of directly through the Q: drive. I agree with Jonathan that a better error message would be helpful here.
To be honest, I believe we are talking about different issues. In our case, we have tried browsers like Edge, Internet Explorer, Firefox, Otter, Opera, Chrome and SeaMonkey. With all of them we had the same issue; SeaMonkey and the like know nothing about Internet Zones, nor do they use them.
The ProcMon capture also shows clearly that Portal starts KeyTool inside a CMD box with a wrong pointer to the pfx file (i.e. containing the drive letter followed by a “:”). I do not see why or at which stage Internet Explorer would interfere with the parameters (Q:\....pfx) passed to the Portal browser process.
Of course, it could be the JavaScript code running in the browser which is creating the wrong path – but then this is Esri stuff and not browser related.
This isn't a general issue of being unable to import a certificate into the Portal, though. I tested this at 10.6.1 with ProcMon running as well, and these are the command line arguments that are run:
.\keytool -importkeystore -noprompt -destalias wildcard -destkeystore "C:\Program Files\ArcGIS\Portal\etc\ssl\portal.ks" -deststorepass ********** -srckeystore C:\Users\********\AppData\Local\Temp\61bd17d1-bd5b-48d7-88ff-9bda9db631c7871289888969767251519029737619274\wildcard.pfx -srcstoretype PKCS12 -srcstorepass ******** -srcalias le-esriwebserversha256-59365631-8570-4756-b0f3-352b478cacbf -destkeypass ******** -deststoretype JKS -J-Duser.language=en
I suggest you contact Technical Support so they can take a look and determine why the path is constructed incorrectly.
Jonathan,
We are not saying that it always happens, as we have had upgrades and new installations that went smoothly – so the issue does not always come up. Or they are not even caused by the same issue; they just show similar symptoms. In one case one of my colleagues resorted to configuring SchUseStrongCrypto (but it did not work for us).
Regarding our last experience, we were baffled that we could not succeed loading a valid certificate.
Did it happen on my machine? Definitely. Could it happen on other machines? Possibly, but not necessarily. ProcMon was used on my machine because it seemed to us not a wise thing to do on a customer’s almost-in-production machine.
A question (just looking for differences): the certificate you imported, was it on a “regular filesystem”? Like not encrypted, standard MS paths? I ask because, due to company policies, all our drives are encrypted, and the certificate was sitting on a VeraCrypt drive.
By the way, last week I submitted the ticket to Esri Support NL and they forwarded it to Esri Inc.
Edgar.
You are my hero. Thank you. I've been fighting with this for days. As an addendum, the arcgis\portaladmin page will give you an error response of "Unable to import certificate Code: 500", and the Catalina logs under ArcGIS\portal\framework\runtime\tomcat\logs will show the following errors:
09-Dec-2020 14:29:07.682 SEVERE [https-jsse-nio-7443-exec-4] com.esri.commons.web.rest.resources.BaseResource.buildErrorResponse Unable to import certificate
com.esri.commons.web.rest.HttpException: Unable to import certificate
at com.esri.commons.web.rest.resources.BaseResource.buildErrorResponse(BaseResource.java:236)
at com.esri.arcgis.portal.admin.rest.security.SSLResource.importExistingServerCert(SSLResource.java:487)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.base/java.lang.reflect.Method.invoke(Unknown Source)
at com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
at com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$ResponseOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:205)
at com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)
at com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302)
at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
at com.sun.jersey.server.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:108)
at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
at com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84)
at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1511)
at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1442)
at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1391)
at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1381)
at com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:416)
at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:538)
at com.sun.jersey.spi.container.servlet.ServletContainer.doFilter(ServletContainer.java:910)
at com.sun.jersey.spi.container.servlet.ServletContainer.doFilter(ServletContainer.java:858)
at com.sun.jersey.spi.container.servlet.ServletContainer.doFilter(ServletContainer.java:812)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at com.opensymphony.sitemesh.webapp.SiteMeshFilter.obtainContent(SiteMeshFilter.java:129)
at com.opensymphony.sitemesh.webapp.SiteMeshFilter.doFilter(SiteMeshFilter.java:77)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at com.esri.commons.web.AppFilter.doFilter(AppFilter.java:274)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at com.esri.arcgis.portal.admin.rest.filters.AdminFilter.doFilter(AdminFilter.java:87)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:200)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:607)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
at com.esri.arcgis.portal.util.TomcatValve.invoke(TomcatValve.java:43)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:834)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1415)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.base/java.lang.Thread.run(Unknown Source)
Caused by: java.lang.Exception: Unable to import certificate
at com.esri.arcgis.portal.admin.core.security.SSLManager.importKeyStore(SSLManager.java:277)
at com.esri.arcgis.portal.admin.core.security.SSLManager.importExistingServerCertificate(SSLManager.java:258)
at com.esri.arcgis.portal.admin.rest.security.SSLResource.importExistingServerCert(SSLResource.java:479)
... 50 more
Caused by: java.lang.Exception: Unable to import existing certificate.
at com.esri.arcgis.portal.util.KeyTool.importKeyStore(KeyTool.java:633)
at com.esri.arcgis.portal.admin.core.security.SSLManager.importKeyStore(SSLManager.java:273)
... 52 more
Caused by: java.lang.Exception: No certificates found.
at com.esri.arcgis.portal.util.KeyTool.importKeyStore(KeyTool.java:618)
... 53 more