Where do I verify the SSL settings with Enterprise config

416
12
Jump to solution
10-19-2018 12:57 PM
CollinJohnston
Occasional Contributor III

I'm having trouble migrating a print service from 10.3.1 to 10.6.1. The big changes are that we are in azure and that we now have a portal in the mix. So the security is brand new to me and I'm stuck getting a print service to work. During my troubleshooting I came across an admin page that is showing a self signed cert is assigned to Portal. This stands out to me as possibly being an issue. 

I do not see SSL warning anywhere and we can access our site and port with https. 

From the portaladmin/security/sslcertifiactes/portal

I see there is a Self signed. Is this not what I should see? Where can I validate my SSL is setup correctly?

Tags (2)
0 Kudos
1 Solution

Accepted Solutions
CollinJohnston
Occasional Contributor III

Anyone following or involved in this thread, I am happy to report a solution. In the end it was not related to SSL settings and Jonathan is correct with the explanation of self signed ok in this configuration. I'm not sure it's logged as an official bug, but I can sure as heck tell you that this is not behavior I woudl expect. 

My 10.6.1 print service was being denied access to the map service because of the Definition Query that we are including in our print request. Really simply, this definition query is restricting any features who's ID are not in the single ID query. This ends up being a single point and a few radius rings in my scenario. 

Once we were able to pull the print code apart enough to find the query was failing. I sent this and the print web map documentation to support. They almost instantly responded with the solution.  "Does this map service contain dynamic layers? To check, look in ArcGIS Server Manager and go to the Map Service > Capabilities under Dynamic Workspaces and see if the checkbox next to "Allow per request modification of layer order and symbology" is selected. Unless you are using this ability, this should not be checked. Server Manager may require a restart for this change to take effect."

My answer was no, there are no dynamic layers. So I unchecked this box and VIOLA! it works. amazing. So default check box on position at 10.6.1 will not play nice with definition query in the print request. At 10.3.1 it was fine. Further digging with ESRI relieved  "This is kind of an odd bug/resurface and initially started in 10.2 and reoccurred in 10.5. It seems to be pretty complex and I am not 100% positive of why enabling/disabling dynamic layers would interfere with layerDefinitions especially since Dynamic layers only increase the amount of interaction that users are able to have with the maps."

Hope this helps someone out there, I lost almost 3 weeks working on this a few hours a day. 

View solution in original post

12 Replies
BillFox
MVP Frequent Contributor

Hi Collin,

You'll have to get a CA signed cert (wildcard if you can) and web adaptors going

The new TLS issues may hit you too

You can jump in here: Enable HTTPS on your web server—Portal for ArcGIS (10.6) | ArcGIS Enterprise 

-Bill

0 Kudos
JonathanQuinn
Esri Frequent Contributor

In general, self signed certificates are fine within an Enterprise deployment. Can you describe the issue you're running into? Are you not seeing layers when you print? Do you see any errors in the Server logs?

BillFox
MVP Frequent Contributor

Here's the bit about CA-signed that was in my head.

SSL certificates

Portal for ArcGIS comes preconfigured with a self-signed server certificate, which allows the portal to be initially tested and to help you quickly verify that your installation was successful. You must request a certificate from a trusted certificate authority (CA) and configure the portal to use it. The certificate can be signed by a corporate (internal) or commercial CA.

You should configure each applicable ArcGIS component in your organization with a certificate from a corporate or commercial CA. Common examples include ArcGIS Web Adaptor and ArcGIS Server. For example, ArcGIS Server also comes with a preconfigured self-signed certificate. If you'll be federating an ArcGIS Server site with your portal, it's very important that you request a CA-signed certificate and configure the server and Web Adaptor to use it.

For more information, see Security best practices.

Portal for ArcGIS 10.6.x system requirements—ArcGIS Enterprise system requirements | ArcGIS Enterpri... 

0 Kudos
CollinJohnston
Occasional Contributor III

Bill - Thanks for the link. We have done all of the steps listed. Big Caveat though... we used a vendor to help us since we moved to Azure while upgrading to Enterprise 10.6.1. Therefore I did not personally install the cert on the GIS server. I'm wondering if this was done....Also, what TLS issues are you referring to?

but I now see the next post by Jonathan..... ESRI, help! 

Thank you Jonathan, that is a piece of news I was not expecting with SSL and Enterprise. interesting... 

My issue seems very straightforward, of course if it was I wouldn't be here! I'm so stuck and don't really know where to turn. This works fine at 10.3.1 ::::: 

When we print a map from our web application we are getting a result which does not contain our own map service features. The print service will function properly in that it is picking the proper template provided during publishing, it will display the correct extent and it will include the ESRI basemap service that is part of the web application. Everything but our own service. The AGS logs are showing an error which seems to line up with how many visible layers should be included from our map service, see screen shot. 

I've worked with tech support to verify the GP service works by adding the service as the print service in an AGOL web app using our own map service. Works fine. What am I missing trying to do this from my custom app?

0 Kudos
CollinJohnston
Occasional Contributor III

hoping to breathe some life into this. Still no fix. Have yet another ticket in with support (enterprise team) to see how we get this working. 

Anyone know how the javascript api version interacts with Portal/SSL/Security/IIS?  Doing more troubleshooting I looked to see this application is built on v 3.16. I'm seeing we are now at v4 (4.9) and I'm wondering if this plays into the mix?

0 Kudos
BillFox
MVP Frequent Contributor

Hi Collin,

How about a review of what you can get to work, such as a simple out of the box template of web app builder and default printing?

Is that working for you and just this custom option is giving you grief?

-Bill

CollinJohnston
Occasional Contributor III

Hi Bill! 

Right, so:

I can print using default service from web app template (WAB) using my map service. I can print using print service from web app template (WAB) using my map services, and I'm even getting my template options from the print widget. 

I am using a secured print service using credentials for an Admin Portal user. 

Is there something with my web application which needs additional Portal login credentials or is this tied up in IIS as app pool identities etc? I'm just not seeing where I can configure the print service to have access to map service when originating from my web application. 

JonathanQuinn
Esri Frequent Contributor

If you run the ExportWebMapTask GP tool on your Desktop providing the same webmap_as_json from your application, does it work there?

0 Kudos
CollinJohnston
Occasional Contributor III

Oh, that's great suggestion. SO, I've captured the webmap_as_json string from my browser when I request a print from my application. 

I have then accessed the service and added that json from my machine via REST, from Arcmap/catalog 10.3.1 on my machine by navi to the service and launching>add json>run GP, from a desktop VM in Azure (Server VM is also in Azure GIS) arcmap/catalog 10.6.1 by navi to service>launch GP tool >add json>run tool. 

Same result all three times, which matches the app results. Proper template, extent, basemap. No Map Service data.