SSL/TLS certificates in a fresh ArcGIS Enterprise Builder install

09-30-2019 10:14 AM
BenO_Connor
New Contributor II

Hello all,

After doing a base installation of ArcGIS Enterprise using Enterprise Builder 10.7.1 I notice the WebAdaptors are nicely using the domain certificate I configured in IIS. However I also noticed that the ArcGIS Server, Data Store, and Portal are using self-signed certificates (a different one each).

My initial question is if this is expected after an Enterprise Builder installation or have I gone wrong somewhere?

And then, if this is expected, is the best practice to reconfigure the Server, Portal, and Data Store to use the domain certificate? Or is there a reason to not reconfigure all 3?

Thank you in advance for any advice.

Kind regards,

Ben


Accepted Solutions
JonathanQuinn
Esri Notable Contributor

In a base deployment, such as one created using the Enterprise Builder, there are 4 certificates as there are 4 separate web servers that require HTTPS communication:

1) The web server hosting the web adaptors - this will likely be a CA-signed certificate, such as one from a well-known provider (Digicert, Verisign, etc.), or your domain certificate authority

2) Portal for ArcGIS

3) ArcGIS Server

4) ArcGIS Data Store

The last 3 certificates are created automatically by the individual components and issued to the common name, or CN, of the machine as a self-signed certificate. None of these are going to be trusted by the machine or any other machines in your network by default. You can configure each to use your own certificate if you'd like:

Configure ArcGIS Server with an existing CA-signed certificate—ArcGIS Server Administration (Windows... 

Import a certificate into the portal—Portal for ArcGIS (10.7 and 10.7.1) | ArcGIS Enterprise 

ArcGIS Data Store command utility reference—Portal for ArcGIS (10.7 and 10.7.1) | ArcGIS Enterprise 

It'd be up to you and your IT staff on whether you're OK with leaving the self-signed certificates. There is a convenience factor of setting up the web server certificate to use one that all machines trust by default as well.

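A way to confirm which of the four endpoints described in the answer above still present a self-signed certificate, written as an added example that is not part of the original post or Esri's tooling. The host name is a placeholder, and the ports are assumed to be the product defaults, which the thread does not state.

```powershell
# Added example: report the certificate each ArcGIS Enterprise endpoint presents.
# Assumptions: $HostName is a placeholder; ports are the product defaults
# (443 IIS/web adaptors, 7443 Portal, 6443 Server, 2443 Data Store).
$HostName  = 'gis.example.internal'   # placeholder, replace with the machine FQDN
$Endpoints = [ordered]@{
    'Web Adaptor (IIS)' = 443
    'Portal for ArcGIS' = 7443
    'ArcGIS Server'     = 6443
    'ArcGIS Data Store' = 2443
}

function Get-PresentedCertificate {
    param([string]$ComputerName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ComputerName, $Port)
        # Accept any certificate here: the goal is to read it, not to trust it.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $client.GetStream(), $false, $callback
        try {
            $ssl.AuthenticateAsClient($ComputerName, $null,
                [System.Security.Authentication.SslProtocols]::Tls12, $false)
            New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        } finally { $ssl.Dispose() }
    } finally { $client.Dispose() }
}

foreach ($name in $Endpoints.Keys) {
    $port = $Endpoints[$name]
    try {
        $cert  = Get-PresentedCertificate -ComputerName $HostName -Port $port
        # Build the chain against this machine's trust stores, skipping revocation lookups.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        [pscustomobject]@{
            Component  = $name
            Port       = $port
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            SelfSigned = ($cert.Subject -eq $cert.Issuer)
            Trusted    = $chain.Build($cert)
            NotAfter   = $cert.NotAfter
        }
    } catch {
        [pscustomobject]@{ Component = $name; Port = $port; Subject = "unreachable: $($_.Exception.Message)" }
    }
}
```

The `Trusted` column reflects the trust stores of the machine the script runs on, so running it from a client workstation shows what users of the deployment will see.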

10 Replies
MichaelVolz
Esteemed Contributor

Can you point me to the documentation that showed you how to configure a domain certificate in IIS?  I have gone through the base installation of ArcGIS Enterprise using Enterprise Builder 10.7.1, but I get the following error message:

JonathanQuinn
Esri Notable Contributor

The installation of the Enterprise Builder will set up IIS and the HTTP endpoint for you, but it won't configure the HTTPS endpoint. You need to do that yourself, which is likely what Ben O'Connor has done.

BenO_Connor
New Contributor II

Hi Michael,

Yeah, as Jonathan Quinn suggested I had configured the certificate in IIS myself. I'm not sure if the below is the best way, but this is the process I followed to make a Windows Server 2016 machine ready for Enterprise Builder:

1) Enabling IIS and required components: https://enterprise.arcgis.com/en/web-adaptor/latest/install/iis/enable-iis-2016-components-server.ht...

2) Asking our IT department to issue a certificate signed by our internal domain CA, for the target machine ArcGIS Enterprise was to be installed to. (they supplied a password protected .pfx format certificate)

3) Adding that certificate to the target machine's certificate store. (There was an "Import" option in IIS Manager > [MachineName] > Server Certificates, but I could have just double clicked the .pfx and followed the wizard)

4) Identified the "Default Web Site" in IIS Manager (this was the only website listed in my IIS so I assumed Enterprise Builder would automatically choose it).

5) Added a binding so that "Default Web Site" listens for HTTPS traffic on port 443 and uses the certificate I had just imported. I effectively followed ESRI's instructions in "Bind the certificate to the website" from here: https://enterprise.arcgis.com/en/web-adaptor/latest/install/iis/enable-https-on-your-web-server-serv...

I had completed those steps before doing the Enterprise Builder installation. But I would guess it could be done at a later stage. Maybe someone else could comment on that.
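Steps 3 to 5 of the procedure above can also be scripted. This is an added example, not part of the original post or Esri's documentation; the .pfx path is a placeholder, and it assumes an elevated PowerShell session on the IIS machine with the WebAdministration module available.

```powershell
# Added example: import the CA-issued .pfx and bind it to HTTPS on port 443.
# Assumptions: $PfxPath is a placeholder; $SiteName is the IIS default site.
Import-Module WebAdministration

$PfxPath  = 'C:\certs\gis-machine.pfx'   # placeholder path to the .pfx from IT
$SiteName = 'Default Web Site'

# Step 3: import into the machine's Personal store. Prompt for the .pfx
# password so it is not stored in the script or the command history.
$password = Read-Host -Prompt 'PFX password' -AsSecureString
$cert = Import-PfxCertificate -FilePath $PfxPath `
            -CertStoreLocation Cert:\LocalMachine\My -Password $password

# Checks before binding: the private key must be present and the
# certificate must still be within its validity period.
if (-not $cert.HasPrivateKey)      { throw 'Imported certificate has no private key.' }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }

# Steps 4-5: add an HTTPS binding on 443 if the site has none, then attach
# the certificate. AddSslCertificate errors if a certificate is already
# attached to this binding; remove the old one first in that case.
$binding = Get-WebBinding -Name $SiteName -Protocol https -Port 443
if (-not $binding) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*'
    $binding = Get-WebBinding -Name $SiteName -Protocol https -Port 443
}
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# Show the resulting SSL bindings for confirmation.
Get-ChildItem IIS:\SslBindings
```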

MichaelVolz
Esteemed Contributor

Ben:

Thanks for the very thorough response. I thought from the documentation as well as technical support that self-signed certificates that are created for the Enterprise Builder would enable me to simply set up a portal using only the self-signed certificates in a sandbox/development environment. Unfortunately, as I have now learned, the self-signed certificates can be used for Portal for ArcGIS, ArcGIS Server, and ArcGIS Data Store, but not the web adaptors.

JonathanQuinn
Esri Notable Contributor

Self-signed certificates can be used for the web adaptors as well, but you'd need to make sure any clients accessing the site trust those certificates, which is difficult to manage. So while it would work, there's a bit of overhead in working with self-signed certificates at the web server as well. The best approach is to use certificates that the machines that are going to access your portal trust by default.

MichaelVolz
Esteemed Contributor

Jonathan:

Does this error message mean that the self-signed certificate that is automatically set up for Portal for ArcGIS, ArcGIS Server, and ArcGIS Data Store would need to be manually set up for the web adaptors, as I cannot get past this step in the configuration of the ArcGIS Enterprise Build?

JonathanQuinn
Esri Notable Contributor

Yes, can you reach https://<server>.<domain>.<com> in your browser and see the IIS splash page? If not, you'll need to set up the HTTPS binding. You can try to use a self-signed certificate.

Once you can reach https://<server>.<domain>.com in your browser, see if the Configuration Wizard proceeds. If it doesn't, you may need to add the certificate to the Trusted Root Certification Authorities store on the machine and any other machines you expect to use the deployment.

Or, use a certificate that all machines in your network trust by default.


BenO_Connor
New Contributor II

Hi Jonathan,

Super! That clears it up for me. We'll most likely replace the self-signed certificates with the domain CA ones.

Kind regards,

Ben
