Setting up OGC (e.g., WFS) authentication on ArcGIS Server 10.2 on AWS Linux

Hi Carlos,

Sorry for the delay.  I was able to establish HTTP Basic authentication after a lot of work.  In summary, it involved the following steps:

• Prerequisites:
  • Telnet/ssh client
  • Ubuntu or root account access or the ability use sudo in front of commands if you are denied access.
  • Make sure you make backup copies of config files before doing any editing so you can revert to them if needed.
• Install and configure Apache Tomcat
  • On ubuntu that is done by entering running, "sudo apt-get update" and then "sudo apt-get install tomcat7"
• Install LDAP
  • In my case, I installed and used OpenLDAP (shown as slapd in Linux), since it was also free.  I entered, "

    sudo apt-get install slapd ldap-utils

• Configure LDAP
  • After learning the basics, and configuring slapd with slapd.conf based on some web searching around, I decided to download a GUI for creating my LDAP hierarchies, mainly just Groups and Users, and then linking Users to Groups via group settings.
  • There are GUIs available for this at least: Apache Directory Studio and Ldap Admin Tool (I downloaded for Mac OSX).
  • I copied the groups and users used on ArcGIS Server so that there would not be any problems.
• Configure Tomcat and ArcGIS Server app to use LDAP for basic authentication
  • Requires adding the right lines to both Tomcat server.xml file within the root conf directory.  Here is a sample:

  • <Realm className="org.apache.catalina.realm.JNDIRealm"

            connectionURL = "ldap://localhost:389"

            connectionName="cn=admin,dc=example,dc=com"

            connectionPassword="connectionAdminPassword"

            userPattern="cn={0},ou=users,dc=example,dc=com"

            roleBase="ou=roles,dc=example,dc=com"

            roleName="cn"

            roleSearch="(uniqueMember={0})"

    />

    </Realm>

• Also add the right lines to the Tomcat manager web app's web.xml file in the web service's directory, e.g., /usr/local/apache-tomcat-7.0.47/webapps/manager/WEB-INF  Here is a sample:

<security-role-ref>

        <role-name>admin</role-name>

        <role-link>cn=admin,ou=roles,dc=example,dc=com</role-link>

    </security-role-ref>

    <security-role-ref>

        <role-name>arcgisserver</role-name>

        <role-link>cn=arcgisserver,ou=roles,dc=example,dc=com</role-link>

    </security-role-ref>

    <security-role-ref>

        <role-name>users</role-name>

        <role-link>cn=users,ou=roles,dc=example,dc=com</role-link>

    </security-role-ref>

    <security-constraint>

        <display-name>Your Portal Name</display-name>

        <web-resource-collection>

                <web-resource-name>Protected Area</web-resource-name>

                <url-pattern>/*</url-pattern>

        </web-resource-collection>

        <auth-constraint>

                <role-name>admin</role-name>

                <role-name>arcgisserver</role-name>

                <role-name>users</role-name>

        </auth-constraint>

    </security-constraint>

    <login-config>

        <auth-method>BASIC</auth-method>

        <realm-name>Your Portal Name</realm-name>

    </login-config>

  <security-role>

    <description>

      The role that is required to access the admin pages

    </description>

    <role-name>admin</role-name>

  </security-role>

  <security-role>

    <description>

      The role that is required to access the internal pages

    </description>

    <role-name>arcgisserver</role-name>

  </security-role>

  <security-role>

    <description>

      The role that is for customer-accessed pages

    </description>

    <role-name>users</role-name>

  </security-role>

Note that text/tags within these XML configuration files that all tags are case-sensitive!  So make sure that they are used exactly like the example (Lesson-learned, I did not have one letter capitalized and the whole thing wouldn't work as a result).

Restart Tomcat

• Install the ArcGIS Server Java  Web Adaptor on the Apache Tomcat server
  • On AWS/Ubuntu I had to extract the arcgis.war file and then use theTomcat Web Application Manager user interface to deploy the arcgis web manager application (load the arcgis.war file).
  • There is now an arcgis directory within the [TomcatHome]/webapps directory.
  • Go to the [TomcatHome/webapps/arcgis/WEB-INF folder and add the following template (or something like it) to the bottom of the web.xml file:

• Now that the LDAP server is configured properly, change your Security configuration settings within ArcGIS Server Manager from ArcGIS Server's built-in store to one of the LDAP options (I decided to go all LDAP to simplify administration).  This helps some - http://resources.arcgis.com/en/help/main/10.2/index.html#/Securing_services_with_users_and_roles_fro...
  • Enter the following in the LDAP User Store screen:
    • Host name IP
    • Port (389 if you didn't change it)
    • Base DN - an example is "dc=example,dc=com" (using the default LDAP namespace)
    • The URL is populated based on settings above.
    • RDN attribute: "cn" - the prefix of our user names
    • Administrator's DN: "cn=UserWithAdminRoleName",ou=users,dc=example,dc=com"
    • Password: Admin User's password
    • Press the Test Connection button and make sure you get a happy result.  If not, something is wrong with one of the LDAP parameters above or something within the LDAP server (e.g., admin user not assigned to admin group).

• Press the Next button to go to the LDAP Role Store configuration
  • Enter the Base DN of the groups store within LDAP, example: ou=roles,dc=example,dc=com
  • The URL should be populated based on your entry above
  • User Attribute in Role Entry: I used the attribute called "uniqueMember"

• Press the Next button to select the Authentication Tier - change from GIS Server Tier to Web Tier

• You are not done yet...but close.  The only way to configure the ArcGIS Server Web adaptor is to do it via a local server connection.  On a headless AWS ubuntu server this is accomplished via X-Windows on your remote client.  Here is an overview: http://resources.arcgis.com/en/help/main/10.2/index.html#//015500000679000000.

• For this you must do two things:
  • In my case with a local WIndows7 environment, download and install Xming.
  • Alter your terminal emulator settings (in my case, go to pUTTY, Connection, SSH, X11, and enable X11 forwarding).
  • Re-login to your AWS ubuntu server.
  • Run firefox within the terminal client and wait for it to pop up on your local machine within an Xwindow.
  • Enter the address: http://localhost:XXXX/arcgis/webadaptor (the XXXX is the port number of Tomcat if necessary)
  • Select ArcGIS for Server
  • Next screen, enter:
    • Enter GIS Server URL (for us it was http://localhost:6080)
    • Enter ArcGIS Server Manager User Name and Password
    • Optionally enable administrative access to the site via the Web Adaptor (I did).
    • Click on the Configure button and hope for a green screen area result.

• Log in as ArcGIS Server Manager as the admin and check under Security that Users and Roles from LDAP are populated accordingly and ensure that Role Types are assigned properly.  Also check, under Site - Web Adaptor that it shows the an entry for your ArcGIS WebAdaptor.

• You should now be able to close the padlock on your service and then have a user name/password prompt precede access to all your services capabilities, not just the proprietary ones. 

Sorry, this message has been a long one.  My main hope is that it was instructive but also illustrative of the complexity involved.  I originally thought "Basic authentication" would be easy that was definitely not the case. If you need anymore details about a particular section, we can continue the thread.

My not-so-humble opinion is that for its cost, ArcGIS Server should be designed for complete solutions including OGC services.   A robust best-in-class product ensures that nothing much needs to be done outside the ArcGIS Manager GUI once it is installed.

An advanced GIS Practitioner should not require heavy linux/tomcat/etc implementation know-how.  Is there a GIS program out there that teaches all this?  I don't think so.  Luckily I have grown to know enough unix to make me dangerous, and i'm pretty good at googling.  So I managed to accomplish implementing "Basic" authentication with ArcGIS Server with only general guidelines but not without going through a share of turmoil.  

Lastly, just in case you think I actually exist to bash ESRI, I generally like and appreciate ESRI desktop applications.  They are brilliant.  However I see two areas that need improvement for this and other cases:  complete support for OGC services (they are here to stay), and bringing up the level of support within the JAVA/linux server space compared to that provided to Microsoft environments.

At the very least, I expected a white paper to address setting up web-tiered authentication rather than bupkis.

Again, if you'd like any further help with accomplishing some or all of the above steps, then I am at your service.

All the best,

Pete

Hi Peter,

Thank you so much for your response and detailed instructions, your instructions are best of any article from ESRI about this subject

I did all steps that you explained but in JBoss, the Realm authenticate correctly users in LDAP and ArcGIS also configured and runs with LDAP. The problem in my case is that the communication between WebAdapter and GIS Server return an error and have a strange behavior because I register WebAdapter with success and use without problems until configure LDAP, but I don't know why the register don't appear in GIS Server. I'll try again this process and also try to use Tomcat to deploy WebAdapter, ASAP I'll post results here.

Peter, I completely agree with your comments in the end of your response, I'm a Java Architect and I know how this Realms and configurations really runs, the WebAdapter is only a simple proxy to ArcGIS Server, the requirements needed to make use of "Basic Authentication" in WebAdapter says "Give all work to AppServer and administrator os server and have faith" as you say "A robust best-in-class product ensures that nothing much needs to be done outside the ArcGIS Manager GUI once it is installed." and this is not this case, the knowledge need to do this tasks are from a experienced deployer in Java Web Applications with some knowledge in security and LDAP it's not for anyone.

I think ArcGIS Server don't want to be a good OGC player, only make you product compliant to receives the  OGC stamp.

Well thank you for you response Peter, I'll try change some steps that I used here and post results here ASAP.

Thank you,

Carlos

Hi.  Glad I was able to provide some help.  Here are some screen shots illustrating the entries I made and have worked for me within ArcGIS Server Manager using the security configuration wizard.  Some entries are perhaps more intuitive than others.

The Security screen ends up looking like:

Note, afterwards you can view users and groups in the ArcGIS Server Admin interface.  You may have to reassign the "role type" to a particular role (i.e., assign 'admin' role to 'Administrator' role type), but otherwise but everything else is administered via your LDAP admin application.

Hope this helps,

Pete

Hi Peter,

I followed your steps but i would not able to configure tomcat 7 with web adapator arcgis 10.2.1 to open map services running in  Arcgis Server 10.2.1 with LDAP Authentication in windows environment.

Before i move my components into server environment.I have installed tomcat 7 and web adapator in windows 7 this acts has web server with my ASP.NET MVC Application running in same machine.GIS server is an another windows 7 machine with Arcgis server with built in arcgis server roles and users from LDAP of my organisation ,i used web tier authentication here.

But i am facing difficulty in configuring Tomcat and web adapator to communication with Arcgis server in another machine.

Please can you give your suggestions.What i am doing wrong.

Thanks in advance,

santhosh