
Building Trust within Your Environment Using SSL Certificates

12-03-2019 06:19 AM
BrendanBladdickEsri
Esri Contributor

To build full trust within your environment, every machine must trust every other machine. This matters most when Portal, Server, Data Store and Web Adaptor run on different machines, because in most environments communication is terminated when trust is invalid, and invalid trust is usually caused by invalid certificates.

This blog will be short, sweet and to the point.

You will need the following certificates in the Portal and Server SSL certificate stores, depending on your environment:

If you have an external environment:

  • Domain CA root certificate (.cer)
  • Domain CA intermediate certificate (if you have one) (.cer)
  • Public CA root certificate (.cer)
  • Public CA intermediate certificate (if you have one) (.cer)
  • Domain CA end/server certificate for each machine (if you have two or more server machines, you need one for each of them and one for the portal machine) (.pfx)

If you have an internal environment:

  • Domain CA root certificate (.cer)
  • Domain CA intermediate certificate (if you have one) (.cer)
  • Domain CA end/server certificate for each machine (if you have two server machines, you need one for each of them and one for the portal machine) (.pfx)

Then import each certificate into the Server/Portal internal web server through the admin endpoint, in this order:

  • first, both the Public CA and Domain CA root certificates;
  • then all the Public CA and Domain CA intermediate certificates;
  • finally, the Domain CA .pfx certificate for that specific machine, which is what provides valid certificate trust when accessing Portal/Server directly through its port (7443/6443).
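As an added example that is not from the original post or from Esri's tooling, the following script builds a constructed Domain CA chain (root, intermediate, one server certificate) with openssl and then checks what the import order above relies on: the server certificate only verifies when both the root and the intermediate are trusted, and the machine's .pfx bundles the intermediate. The subject names, the hostname server1.example.local and the password changeit are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): build a constructed Domain CA
# chain with openssl and check it the way the Portal/Server SSL store needs it,
# with root and intermediate trusted before the machine's .pfx is used.
set -eu
WORK=$(mktemp -d); cd "$WORK"
# Extension files: CA certificates must say CA:TRUE or openssl verify will
# reject them as issuers; the server certificate carries its hostname as a SAN.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:server1.example.local\n' > srv.ext

# new_csr NAME SUBJECT: fresh RSA key plus CSR (NAME.key, NAME.csr).
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "$2" 2>/dev/null
}
new_csr root    "/CN=Constructed Domain Root CA"
new_csr int     "/CN=Constructed Domain Intermediate CA"
new_csr server1 "/CN=server1.example.local"   # placeholder hostname

# Self-signed root, intermediate signed by root, server signed by intermediate.
openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext -out root.cer 2>/dev/null
openssl x509 -req -in int.csr -CA root.cer -CAkey root.key -CAcreateserial \
  -days 30 -extfile ca.ext -out int.cer 2>/dev/null
openssl x509 -req -in server1.csr -CA int.cer -CAkey int.key -CAcreateserial \
  -days 30 -extfile srv.ext -out server1.cer 2>/dev/null

# The .pfx imported last for this machine; bundling the intermediate lets
# clients that trust only the root still build the full chain.
openssl pkcs12 -export -inkey server1.key -in server1.cer -certfile int.cer \
  -out server1.pfx -passout pass:changeit

# verify_chain ROOT INTERMEDIATE LEAF: succeeds if LEAF chains to ROOT via INTERMEDIATE.
verify_chain() { openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; }
# verify_root_only ROOT LEAF: succeeds only if LEAF chains to ROOT with no intermediate.
verify_root_only() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
# pfx_cert_count PFX PASSWORD: number of certificates bundled in the .pfx.
pfx_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

verify_chain root.cer int.cer server1.cer && echo "chain verifies with root + intermediate"
verify_root_only root.cer server1.cer || echo "chain fails with root alone: import the intermediate too"
echo "certificates bundled in server1.pfx: $(pfx_cert_count server1.pfx changeit)"
```

The same three checks can be run against a real root .cer, intermediate .cer and machine .pfx before importing them, so a missing intermediate is caught before it shows up as a browser or federation trust error.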

You can also import the Domain CA certificates into the Data Store, but most of the time this is not necessary.


How to import certificates into Portal, Server & Data Store:


Portal --> Import a certificate into the portal—Portal for ArcGIS (10.7 and 10.7.1) | ArcGIS Enterprise 


Server --> Configure ArcGIS Server with an existing CA-signed certificate—ArcGIS Server Administration (Windows... 

Data Store --> Replace ArcGIS Data Store SSL certificate—Portal for ArcGIS (10.7 and 10.7.1) | ArcGIS Enterprise 

A little bit about why this is important:

Security best practices—Portal for ArcGIS (10.7 and 10.7.1) | ArcGIS Enterprise 

Best practices for configuring a secure environment—ArcGIS Server Administration (Windows) | ArcGIS ...

Directly from the above documentation -->

"Like ArcGIS Server, the ArcGIS Enterprise portal also comes with a preconfigured self-signed certificate. If you'll be federating your site with a portal, you should request a certificate from a trusted CA and configure the portal to use it.

Configuring a certificate from a trusted authority is a secure practice for web-based systems and will also prevent users from encountering any browser warnings or other unexpected behavior. If you choose to use the self-signed certificate included with ArcGIS Server and the ArcGIS Enterprise portal during testing, you will experience the following:

  • Warnings from your web browser, from ArcGIS Desktop, or from ArcGIS Pro about the site being untrusted. When a web browser encounters a self-signed certificate, it will typically display a warning and ask you to confirm that you want to proceed to the site. Many browsers display warning icons or a red color in the address bar for as long as you are using the self-signed certificate.
  • The inability to open a federated service in the portal's Map Viewer, add a secured service item to the portal, log in to ArcGIS Server Manager on a federated server, or connect to the portal from ArcGIS Maps for Office.
  • Unexpected behavior when configuring utility services, printing hosted services, and accessing the portal from client applications.
Caution:

The above list of issues you will experience when using a self-signed certificate is not exhaustive. It's imperative that you use a CA-signed certificate to fully test and deploy your portal."