Use the Web adapter with AWS Certificate Manager?

11-09-2018 06:43 AM
MikeSchonlau
Occasional Contributor II

We use SSL certificates from AWS Certificate Manager. These certificates are not downloaded as files and deployed on the servers like other SSLs. We use them with AWS Elastic Load Balancers (ELB). We use the ELBs in place of the ArcGIS Web Adapter.

I am now planning a deployment of Portal. My deployment will require using the ArcGIS Web Adapter to support Roads & Highways. I'm curious if there is a way to continue using my AWS SSLs and ELBs as well as the Web Adapter? If not, I imagine I will have to go buy an SSL certificate from a different provider to put on my Portal machine. Thoughts about AWS ELBs and the ArcGIS Web Adapter co-existing?

Thanks

Mike S.


Accepted Solutions
JacobBoyle412
Esri Contributor

You'll need to go into your Portal admin page as the primary login and go to: System Properties—ArcGIS REST API: Administer your portal | ArcGIS for Developers 

Then, update the PrivatePortalURL and WebContextURL to the Load Balancer DNS.  This will tell portal that the new DNS entry for the Load Balancer is the correct URL. 

You'll want to do everything through these URLs going forward.

Jacob is a Sr. Solution Architect for Esri Professional Services and loves conservation planning, woodworking, LEGO, and his dogs.


8 Replies
JacobBoyle412
Esri Contributor

The easiest thing to do is use an AWS ALB as a pass-through to your Web Adapter host and let the ALB manage the SSL.

MikeSchonlau
Occasional Contributor II

I've been tinkering with this, but without success. I'm not sure which port(s) the load balancer should be forwarding to. I thought 443 because the Web Adaptor is forwarding to 7443. And would I add my EC2 instance to my target group over 443 or 7443? Or would I add the Web Adaptor url over 443 to the target group? Any thoughts on this would be appreciated. Thanks 

JacobBoyle412
Esri Contributor

Michael, 

The load balancer (ALB) should forward to the Web Adapter over 443, then the Web Adapter should take over from there. 

Now, on the ALB settings in AWS Console under EC2, click load balancers, click your load balancer, click listeners. Then under Rules, click the rule for 443 (80 may be the same rule), click the Health Checks tab, and confirm the following rules are set for ArcGIS Server and Portal for ArcGIS:

Portal: <Your_Context>/portaladmin/healthCheck

ArcGIS Server:  <Your_Context>/rest/info/healthCheck

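Added example, not part of the reply above and not Esri or AWS code: a small check that compares a target group description with the layout given in this thread (HTTPS on 443 to the Web Adaptor, health check on the Portal or Server path). The sample records are constructed, and the `arcgis` context and the function names are assumptions for illustration.

```python
# Added example: check an ALB target group against the layout given in this thread.
HEALTH_PATHS = {  # paths as quoted in the thread; {context} is the Web Adaptor name
    "portal": "/{context}/portaladmin/healthCheck",
    "server": "/{context}/rest/info/healthCheck",
}


def health_check_path(component, context):
    """Build the health-check path for 'portal' or 'server' behind a Web Adaptor."""
    context = context.strip("/")
    if not context or "/" in context:
        raise ValueError("context must be a single path segment, e.g. 'arcgis'")
    return HEALTH_PATHS[component].format(context=context)


def review_target_group(tg, component, context):
    """Return a list of findings; an empty list means the group matches the thread."""
    findings = []
    if tg.get("Protocol") != "HTTPS":
        findings.append("Protocol is %s; forward to the Web Adaptor over HTTPS"
                        % tg.get("Protocol"))
    if tg.get("Port") != 443:
        findings.append("Port is %s; the ALB targets the Web Adaptor on 443, "
                        "and the Web Adaptor forwards to Portal on 7443"
                        % tg.get("Port"))
    expected = health_check_path(component, context)
    if tg.get("HealthCheckPath") != expected:
        findings.append("HealthCheckPath is %r; expected %r"
                        % (tg.get("HealthCheckPath"), expected))
    if tg.get("HealthCheckProtocol") != "HTTPS":
        findings.append("HealthCheckProtocol is %s; expected HTTPS"
                        % tg.get("HealthCheckProtocol"))
    return findings


# Constructed samples shaped like entries of `aws elbv2 describe-target-groups`.
GOOD = {"TargetGroupName": "portal-wa", "Protocol": "HTTPS", "Port": 443,
        "HealthCheckProtocol": "HTTPS",
        "HealthCheckPath": "/arcgis/portaladmin/healthCheck"}
BAD = {"TargetGroupName": "portal-direct", "Protocol": "HTTPS", "Port": 7443,
       "HealthCheckProtocol": "HTTPS", "HealthCheckPath": "/"}

if __name__ == "__main__":
    for tg in (GOOD, BAD):
        findings = review_target_group(tg, "portal", "arcgis")
        print(tg["TargetGroupName"], "OK" if not findings else findings)
```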
MikeSchonlau
Occasional Contributor II

Thanks for the feedback, Jacob.

My test setup was very similar to your suggestion, except for my health check URL. When I go to my Portal sign in page from an external IP or domain name, I keep getting this redirect error.

My load balancer has listeners for 80 and 443, both forwarding to a target group that is pointing to my Portal health check URL over HTTPS (443). My target is healthy. I can reach the Web Adaptor - Portal endpoint from the server itself using machine name, private IP, and localhost. When I try to reach the Web Adaptor - Portal sign in externally, using the external IP, public DNS, or the Route 53 domain that I have pointing to the ALB, I get the redirect error above.

This is from the browser console:

Invalid 'X-Frame-Options' header encountered when loading 'https://<mydomain.com>/arcgis/sharing/rest/oauth2/authorize?client_id=arcgisonline&redirect_uri=https://<mydomain.com>/arcgis/home/postsignin.html&response_type=token&display=iframe&parent=https://<mydomain.com>&expiration=20160&locale=en': 'ALLOW-FROM https://<mydomain.com>' is not a recognized directive. The header will be ignored.

***I have not yet set up and configured ArcGIS Server to federate with this Portal***

Any ideas??

JacobBoyle412
Esri Contributor

You'll need to go into your Portal admin page as the primary login and go to: System Properties—ArcGIS REST API: Administer your portal | ArcGIS for Developers 

Then, update the PrivatePortalURL and WebContextURL to the Load Balancer DNS.  This will tell portal that the new DNS entry for the Load Balancer is the correct URL. 

You'll want to do everything through these URLs going forward.

MikeSchonlau
Occasional Contributor II

Jacob

This worked! You are a genius. I will email Jack D and tell him you deserve a raise, a promotion, and more vacation. Thanks!!!

JacobBoyle412
Esri Contributor

Thanks!  Feel free to PM me or post to this section of GeoNet if you have any further issues. 

AndrewCullen
New Contributor

Great - this is a really helpful post, Jacob. Took me a few tries, but I also have this configuration working well for me now.

Two additional questions:

  • Is there any reason this wouldn’t be considered a valid production configuration?
  • Do both the PrivatePortalURL and the WebContextURL have to remain constant after federation? I’m wondering if there is a way to take an AMI from one environment and, by changing the WebContextURL, use it in a second environment.

Thanks in advance

Andrew
