Setting up OGC (e.g., WFS) authentication on ArcGIS Server 10.2 on AWS Linux

11102
7
09-08-2014 11:04 AM
PeterVaziri
New Contributor II

Hi,

 

I've been hunting around for what I thought would be an easy answer.  Does anyone know, or know of a resource that I can access, which lets me assign users/passwords to potential WFS or WMS users?  Currently, once a service is locked for private access via ArcGIS Server Manager, the only way you can access it is via the default service mapping capability via ArcGIS Server and not WMS or WFS.  I need to be able to expose my OGC web services to a limited set of user accounts.

 

I know that the "help" says that I'm to rely on knowing how to set up HTTP Basic or HTTP Digest for OGC service authentication since it is decoupled from ESRI's ArcGIS Server implementation.  However, I'm having a difficult time finding where to find files like .htaccess. 

 

I'm running ArcGIS Server 10.2 on an AWS EC2 linux box.  The web server is server is listed as cloudflare-ngnix and I have no clue about how it works.  So...I'm thinking that since this isn't a straight-forward Apache config edit operation, it is currently above my head.

 

Does anybody have experience setting up OGC web mapping service authorization running ArcGIS Server 10.2 within an EC2 AWS Linux environment?  I'd just love a step-by-step guide.

 

Thanks in advance,

Pete

0 Kudos
7 Replies
CarlosLacerda
New Contributor

Hi Peter I'm working in the same issue that you also using ArcGIS Server 10.2. I can't access Arcgis services that have security restrictions using WMS/WFS protocol, only using arcgis server user connection in arcmap it's run. In my tests if I change the authentication method of GIS Server to Web using Webadaptor the problem persists. I configured Webadaptor in JBoss AS to use HTTP Basic authentication using the same LDAP server that is configured in ArcGIS Server using JBoss realms, but when I access the WMS service from ArcMap JBoss require credentials, I enter credentials in ArcMap but Webadaptor can't communicate correctly with GIS Server. If a access services direct from browser through Webadpater the same return the folowing error after authentication "Unable to decrypt user credentials from web adaptor" I stoped at this point and don't found any documentation that explains how to configure and use HTTP Basic authentication with ArcGIS Server, using token mechanism all is ok but I also need to expose WMS/WFS services without token mechanism of ArcGIS Server. I suspect that this feature of HTTP Basic authentication only runs on Webadpator using IIS but I never tried this using IIS.

If you have some news about this issue and can share I'll be very happy or when I have I'll post here.

Regads,

Carlos Lacerda

0 Kudos
PeterVaziri
New Contributor II

Hi Carlos,

Sorry for the delay.  I was able to establish HTTP Basic authentication after a lot of work.  In summary, it involved the following steps:

  • Prerequisites:
    • Telnet/ssh client
    • Ubuntu or root account access or the ability use sudo in front of commands if you are denied access.
    • Make sure you make backup copies of config files before doing any editing so you can revert to them if needed.
  • Install and configure Apache Tomcat
    • On ubuntu that is done by entering running, "sudo apt-get update" and then "sudo apt-get install tomcat7"
  • Install LDAP
    • In my case, I installed and used OpenLDAP (shown as slapd in Linux), since it was also free.  I entered, "
      sudo apt-get install slapd ldap-utils
  • Configure LDAP
    • After learning the basics, and configuring slapd with slapd.conf based on some web searching around, I decided to download a GUI for creating my LDAP hierarchies, mainly just Groups and Users, and then linking Users to Groups via group settings.
    • There are GUIs available for this at least: Apache Directory Studio and Ldap Admin Tool (I downloaded for Mac OSX).
    • I copied the groups and users used on ArcGIS Server so that there would not be any problems.
  • Configure Tomcat and ArcGIS Server app to use LDAP for basic authentication
    • Requires adding the right lines to both Tomcat server.xml file within the root conf directory.  Here is a sample:
    • <Realm className="org.apache.catalina.realm.JNDIRealm"
              connectionURL = "ldap://localhost:389"
              connectionName="cn=admin,dc=example,dc=com"
              connectionPassword="connectionAdminPassword"
              userPattern="cn={0},ou=users,dc=example,dc=com"
              roleBase="ou=roles,dc=example,dc=com"
              roleName="cn"
              roleSearch="(uniqueMember={0})"
      />
      </Realm>

    • Also add the right lines to the Tomcat manager web app's web.xml file in the web service's directory, e.g., /usr/local/apache-tomcat-7.0.47/webapps/manager/WEB-INF  Here is a sample:
<security-role-ref>
        <role-name>admin</role-name>
        <role-link>cn=admin,ou=roles,dc=example,dc=com</role-link>
    </security-role-ref>
    <security-role-ref>
        <role-name>arcgisserver</role-name>
        <role-link>cn=arcgisserver,ou=roles,dc=example,dc=com</role-link>
    </security-role-ref>
    <security-role-ref>
        <role-name>users</role-name>
        <role-link>cn=users,ou=roles,dc=example,dc=com</role-link>
    </security-role-ref>
    <security-constraint>
        <display-name>Your Portal Name</display-name>
        <web-resource-collection>
                <web-resource-name>Protected Area</web-resource-name>
                <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
                <role-name>admin</role-name>
                <role-name>arcgisserver</role-name>
                <role-name>users</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>Your Portal Name</realm-name>
    </login-config>
  <security-role>
    <description>
      The role that is required to access the admin pages
    </description>
    <role-name>admin</role-name>
  </security-role>
  <security-role>
    <description>
      The role that is required to access the internal pages
    </description>
    <role-name>arcgisserver</role-name>
  </security-role>
  <security-role>
    <description>
      The role that is for customer-accessed pages
    </description>
    <role-name>users</role-name>
  </security-role>

Note that text/tags within these XML configuration files that all tags are case-sensitive!  So make sure that they are used exactly like the example (Lesson-learned, I did not have one letter capitalized and the whole thing wouldn't work as a result).

Restart Tomcat

  • Install the ArcGIS Server Java  Web Adaptor on the Apache Tomcat server
    • On AWS/Ubuntu I had to extract the arcgis.war file and then use theTomcat Web Application Manager user interface to deploy the arcgis web manager application (load the arcgis.war file).
    • There is now an arcgis directory within the [TomcatHome]/webapps directory.
    • Go to the [TomcatHome/webapps/arcgis/WEB-INF folder and add the following template (or something like it) to the bottom of the web.xml file:

  • Now that the LDAP server is configured properly, change your Security configuration settings within ArcGIS Server Manager from ArcGIS Server's built-in store to one of the LDAP options (I decided to go all LDAP to simplify administration).  This helps some - http://resources.arcgis.com/en/help/main/10.2/index.html#/Securing_services_with_users_and_roles_fro...
    • Enter the following in the LDAP User Store screen:
      • Host name IP
      • Port (389 if you didn't change it)
      • Base DN - an example is "dc=example,dc=com" (using the default LDAP namespace)
      • The URL is populated based on settings above.
      • RDN attribute: "cn" - the prefix of our user names
      • Administrator's DN: "cn=UserWithAdminRoleName",ou=users,dc=example,dc=com"
      • Password: Admin User's password
      • Press the Test Connection button and make sure you get a happy result.  If not, something is wrong with one of the LDAP parameters above or something within the LDAP server (e.g., admin user not assigned to admin group).
    • Press the Next button to go to the LDAP Role Store configuration
      • Enter the Base DN of the groups store within LDAP, example: ou=roles,dc=example,dc=com
      • The URL should be populated based on your entry above
      • User Attribute in Role Entry: I used the attribute called "uniqueMember"
    • Press the Next button to select the Authentication Tier - change from GIS Server Tier to Web Tier
  • For this you must do two things:
    • In my case with a local WIndows7 environment, download and install Xming.
    • Alter your terminal emulator settings (in my case, go to pUTTY, Connection, SSH, X11, and enable X11 forwarding).
    • Re-login to your AWS ubuntu server.
    • Run firefox within the terminal client and wait for it to pop up on your local machine within an Xwindow.
    • Enter the address: http://localhost:XXXX/arcgis/webadaptor (the XXXX is the port number of Tomcat if necessary)
    • Select ArcGIS for Server
    • Next screen, enter:
      • Enter GIS Server URL (for us it was http://localhost:6080)
      • Enter ArcGIS Server Manager User Name and Password
      • Optionally enable administrative access to the site via the Web Adaptor (I did).
      • Click on the Configure button and hope for a green screen area result.
  • Log in as ArcGIS Server Manager as the admin and check under Security that Users and Roles from LDAP are populated accordingly and ensure that Role Types are assigned properly.  Also check, under Site - Web Adaptor that it shows the an entry for your ArcGIS WebAdaptor.

  • You should now be able to close the padlock on your service and then have a user name/password prompt precede access to all your services capabilities, not just the proprietary ones. 

Sorry, this message has been a long one.  My main hope is that it was instructive but also illustrative of the complexity involved.  I originally thought "Basic authentication" would be easy that was definitely not the case. If you need anymore details about a particular section, we can continue the thread.

My not-so-humble opinion is that for its cost, ArcGIS Server should be designed for complete solutions including OGC services.   A robust best-in-class product ensures that nothing much needs to be done outside the ArcGIS Manager GUI once it is installed.

An advanced GIS Practitioner should not require heavy linux/tomcat/etc implementation know-how.  Is there a GIS program out there that teaches all this?  I don't think so.  Luckily I have grown to know enough unix to make me dangerous, and i'm pretty good at googling.  So I managed to accomplish implementing "Basic" authentication with ArcGIS Server with only general guidelines but not without going through a share of turmoil.  

Lastly, just in case you think I actually exist to bash ESRI, I generally like and appreciate ESRI desktop applications.  They are brilliant.  However I see two areas that need improvement for this and other cases:  complete support for OGC services (they are here to stay), and bringing up the level of support within the JAVA/linux server space compared to that provided to Microsoft environments.

At the very least, I expected a white paper to address setting up web-tiered authentication rather than bupkis.

Again, if you'd like any further help with accomplishing some or all of the above steps, then I am at your service.

All the best,

Pete

CarlosLacerda
New Contributor

Hi Peter,

Thank you so much for your response and detailed instructions, your instructions are best of any article from ESRI about this subject

I did all steps that you explained but in JBoss, the Realm authenticate correctly users in LDAP and ArcGIS also configured and runs with LDAP. The problem in my case is that the communication between WebAdapter and GIS Server return an error and have a strange behavior because I register WebAdapter with success and use without problems until configure LDAP, but I don't know why the register don't appear in GIS Server. I'll try again this process and also try to use Tomcat to deploy WebAdapter, ASAP I'll post results here.

Peter, I completely agree with your comments in the end of your response, I'm a Java Architect and I know how this Realms and configurations really runs, the WebAdapter is only a simple proxy to ArcGIS Server, the requirements needed to make use of "Basic Authentication" in WebAdapter says "Give all work to AppServer and administrator os server and have faith" as you say "A robust best-in-class product ensures that nothing much needs to be done outside the ArcGIS Manager GUI once it is installed." and this is not this case, the knowledge need to do this tasks are from a experienced deployer in Java Web Applications with some knowledge in security and LDAP it's not for anyone.

I think ArcGIS Server don't want to be a good OGC player, only make you product compliant to receives the  OGC stamp.

Well thank you for you response Peter, I'll try change some steps that I used here and post results here ASAP.

Thank you,

Carlos

0 Kudos
PeterVaziri
New Contributor II

Hi.  Glad I was able to provide some help.  Here are some screen shots illustrating the entries I made and have worked for me within ArcGIS Server Manager using the security configuration wizard.  Some entries are perhaps more intuitive than others.

SecurityConfigWizard_1.PNG

SecurityConfigWizard_2.PNG

SecurityConfigWizard_3.PNG

SecurityConfigWizard_4.PNG

SecurityConfigWizard_5.PNG

The Security screen ends up looking like:

Final_Security_View.PNG

Note, afterwards you can view users and groups in the ArcGIS Server Admin interface.  You may have to reassign the "role type" to a particular role (i.e., assign 'admin' role to 'Administrator' role type), but otherwise but everything else is administered via your LDAP admin application.

Hope this helps,

Pete

0 Kudos
Santhosh_KumarRamanathan
New Contributor

Hi Peter,

I followed your steps but i would not able to configure tomcat 7 with web adapator arcgis 10.2.1 to open map services running in  Arcgis Server 10.2.1 with LDAP Authentication in windows environment.

Before i move my components into server environment.I have installed tomcat 7 and web adapator in windows 7 this acts has web server with my ASP.NET MVC Application running in same machine.GIS server is an another windows 7 machine with Arcgis server with built in arcgis server roles and users from LDAP of my organisation ,i used web tier authentication here.

But i am facing difficulty in configuring Tomcat and web adapator to communication with Arcgis server in another machine.

Please can you give your suggestions.What i am doing wrong.

Thanks in advance,

santhosh

0 Kudos
SdnomiarEgo
New Contributor

How to properly configure Tomcat to allow secure acces to services, did i miss something?


Users and roles are created in ApacheDS and are visible on ArcGIS Manager. Link to free wms service works, after changing service security to private QGIS throws an error - forbidden.

Windows server 2012 R2
ArcGIS Server 10.5
ApacheDS 2.0.0-M23
Apache-tomcat 7.0.65
Web Adaptor Java Windows 105_154008
Windows firewall - off

ApacheDS configuration:

users:

cn: username1
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
sn: username1
uid: username1
userPassword: userpassword

groups:

cn: Administrators
objectClass: groupOfUniqueNames
objectClass: top
uniqueMember: cn=username1,ou=users,ou=system

ArcGIS Server Security - Configuration Settings

1.User and Role Management - Users from an existing enterprise system (LDAP or Windows Domain) and roles from ArcGIS Server's built-in store

2.Enterprise Store Type - LDAP

3.LDAP User Store:

Host name: vms12
Port: 10389
Base DN: ou=system
URL: ldap://vms12:10389/ou=system
RDN attribute: uid
Administrator's DN: uid=admin,ou=system
4.Authentication Tier - Web Tier

Tomcat configuration:

C:\Program Files\Apache Software Foundation\Tomcat 7.0\conf\server.xml

<Realm className="org.apache.catalina.realm.JNDIRealm"
connectionURL="ldap://localhost:10389"
connectionName="uid=admin,ou=system"
connectionPassword="password"
userBase="ou=system"
userSubtree="true"
userSearch="(uid={0})"
roleBase="ou=system"
roleName="cn"
roleSearch="(uniquemember={0})"
roleSubtree="true"
/>
</Realm>

C:\Program Files\Apache Software Foundation\Tomcat 7.0\conf\web.xml

<security-constraint>
<web-resource-collection>
<web-resource-name>WMS Services</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>Administrators</role-name>
</auth-constraint>

</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>WMS services</realm-name>
</login-config>

<security-role>
<description>
The role that is required to access the HTML Manager pages
</description>
<role-name>Administrators</role-name>
</security-role>

0 Kudos
GavinCollins1
Esri Contributor

I have registered an ArcGIS Web Adaptor in Apache Tomcat with an ArcGIS Server site using Web Tier Authentication via LDAP with an Active Directory instance. 

I can configure Basic Authentication successfully however with Digest enabled, attempts to log into ArcGIS Server fail. Has anyone successfully implemented Digest authentication?

Thanks,

Gavin 

Peter Vaziri

0 Kudos