We have Test and Production ArcGIS Servers (10.0 - soon to be 10.1/2) with all services (Tiled, Feature, Dynamic) secured using default arcgis security provider (SQL Server) and with both web servers having CORS enabled.
Our production system works well by indexing our service items (with embedded credentials) in 'My Content' in our organisation and many webmaps created using these items. We would like to be able to index our test services as items also, however as our organisation has an SSL-only option we are unable to do that (as mentioned in the other forum thread). We are working in a highly secure environment and must have SSL configured for our organisation. It seems the SSL-only option on the organisation attempts to route some requests through the AGOL proxy page - which obviously can't see our internal server name and results in a HTTP 500 server error - see image below.
[ATTACH=CONFIG]24418[/ATTACH]
We have confirmed that we are able to add our Test services and view them in a public account on arcgis online.
Are there any workflows that will allow us to test these internal services and have truly isolated Test and Production items (Webmaps and service references) in AGOL? Currently we are having to modify webmaps and services that are being used by many users without the ability to test our changes.
I've asked a few developers here and got these responses...
You can definitely use CORS at 10.0 but you need to configure it yourself, which is straightforward. I use and refer people to http://enable-cors.org/ for steps on how to do this.
Once they enable CORS for their server they can use services on internal servers on CORS-enabled browsers (FF, Chrome, Safari).
Note that if they're planning to move to 10.1 or 10.2, those versions have CORS enabled by default.
Also, I noticed they mentioned that they have CORS enabled on both their test and production servers. However the screenshot indicates the rest/info request failed. If CORS is enabled, this request would have succeeded.
One other thing to check is if they're using self-signed certificates for their server. Browsers disallow ajax requests to such servers. To prevent this, they need to open the server's services directory in a separate tab and add a security exception. Another solution is to install a proper Verisign signed certificate. From the two failed requests (rest/info and the next one) in the screenshot, it seems to me that they may indeed have self-signed certificate.
I've asked a few developers here and got these responses...
You can definitely use CORS at 10.0 but you need to configure it yourself, which is straightforward. I use and refer people to http://enable-cors.org/ for steps on how to do this.
Once they enable CORS for their server they can use services on internal servers on CORS-enabled browsers (FF, Chrome, Safari).
Note that if they're planning to move to 10.1 or 10.2, those versions have CORS enabled by default.
Also, I noticed they mentioned that they have CORS enabled on both their test and production servers. However the screenshot indicates the rest/info request failed. If CORS is enabled, this request would have succeeded.
One other thing to check is if they're using self-signed certificates for their server. Browsers disallow ajax requests to such servers. To prevent this, they need to open the server's services directory in a separate tab and add a security exception. Another solution is to install a proper Verisign signed certificate. From the two failed requests (rest/info and the next one) in the screenshot, it seems to me that they may indeed have self-signed certificate.
It was the self-signed certificate problem. We have now added the certificate to our trusted root certificate store and accepted the certificate in the browser and it seems to work.
