|
BLOG
|
Check out this blog from Michael Young discussing upcoming security improvements revolving around TLS in the ArcGIS Platform, including insight into what's coming after the ArcGIS Online TLS updates coming in February.

2019 ArcGIS Transport Security Improvements

Takeaways include:
- February 2019 – ArcGIS Online TLS 1.0 & 1.1 deprecation
- Upcoming ArcGIS Enterprise 10.7 – TLS 1.0, 1.1, and HTTP disabled by default
- June 2019 – ArcGIS Online HTTP deprecation + HSTS enforcement

And MORE!

--Randall
11-16-2018
08:36 AM
|
BLOG
|
Also, I'd be remiss if I didn't add a call to action for users working with older versions of ArcGIS Enterprise to upgrade - preferably to 10.6.1 or 10.7 upon its release. At 10.4.1, we introduced the ability to update supported TLS versions and cipher suites via the ArcGIS Admin API. ArcGIS 10.3.x will be in Mature Support starting in December 2018. Software in mature support will receive no further patches, hot fixes, or service packs. ArcGIS 10.3.x still supports SSLv3. SSLv3 is no longer secure. This issue can be addressed at the web tier by disabling SSLv3 on the web adaptor/reverse proxy server. With this in mind, it's important for users on older versions of ArcGIS Software to be planning upgrades.
11-16-2018
08:29 AM
|
BLOG
|
In essence, the TLS issues a user may see in ArcGIS Enterprise come down to features that are used when the software acts as a CLIENT, not as a SERVER. ArcGIS Enterprise as a SERVER has supported TLS for some time. It's various client components that can have TLS related issues. An example - the ArcGIS Server print service. When using the print service, ArcGIS Server acts as a client to some GIS Server (quite often that server is itself). The print service makes an export map request to the server, and uses the response to create printed output, and places the output in a virtual directory. At that point, the browser client makes a request to ArcGIS Server to pull the output down.
11-16-2018
08:22 AM
|
BLOG
|
Good question, and sure thing. When you're working with a stand-alone (unfederated) instance of ArcGIS Server, under the sharing tab, you'll see where you can associate the GIS Server with ArcGIS Online or some other Portal, like this: On a federated instance, this dialog looks like this: In either case, you can update sharing details for a service from manager. If you're working with a stand alone instance of ArcGIS Server, once you've signed into the portal, you can click the little sharing icon next to the secure service 'lock' icon, and share a reference to the service to a group: If your GIS Server is already federated with a Portal, you don't need to sign in because the security model is owned by the Portal, and if you've logged into ArcGIS Server Manager, you're also logged into the Portal. Hope that helps!
11-16-2018
07:58 AM
|
BLOG
|
Hi, The answer is 'it depends'. The software may be impacted based upon the operating system ArcGIS Server is installed on and the workflows your organization uses. Here's a doc that should help: FAQ: How is ArcGIS Enterprise and its associated software components, ArcGIS Server and Portal for ArcGIS, affected by d…
11-16-2018
06:52 AM
|
BLOG
|
Hi Joe, Can you elaborate? I know some users who leverage SAML that had enabled the option to encrypt signed assertions needed to update the metadata file provided by ArcGIS Online, but I haven't heard of issues related to tokens per se.
11-15-2018
10:24 AM
|
BLOG
|
Important Update for ArcGIS and TLS

Esri is committed to providing strong security for the ArcGIS platform by using the latest industry standards and best practices for security protocols. To meet these industry expectations, we are making an important update to ArcGIS Online on April 16, 2019 that is likely to affect most ArcGIS software and custom solutions. With this change, we are enforcing the use of TLS (Transport Layer Security) version 1.2 only and will remove support for earlier TLS versions 1.0 and 1.1. More details about Esri’s support for TLS, including patches and instructions for updating software, can be found by visiting support.esri.com/en/tls.

Who is affected?

Users of most ArcGIS software or custom solutions using Esri technology may be affected by this planned update to TLS protocol v1.2.

What do I need to do now?

Go to the Esri TLS Support page for more information and specific actions you may need to take in advance of this update. Visit the GeoNet ArcGIS Platform and Transport Layer Security (TLS 1.2) Forum to ask questions, view additional information and connect with Esri staff subject matter experts.
11-15-2018
08:21 AM
|
POST
|
Sorry for the delay, just seeing this now. From ArcGIS 10.4 onward, SSLv3 is disabled in the internal web server used in ArcGIS Enterprise. Disabling SSLv3 at the web tier shouldn't impact Esri software. We've supported TLS 1.0, 1.1 and 1.2 ever since. However, many groups (including Esri and ArcGIS Online in February) need to support ONLY TLS 1.2 to meet regulatory requirements. There are some issues moving to a pure TLS 1.2 environment. Support has a new KB out that discusses those impacts.

Esri Support Important Updates for the ArcGIS Platform and Transport Layer Security (TLS) Protocol Support

Be on the lookout for patches for ArcGIS Desktop that address some issues related to TLS 1.2. I myself as an ArcGIS Online org admin received this email today:

Important Update for ArcGIS and TLS

Esri is committed to providing strong security for the ArcGIS platform by using the latest industry standards and best practices for security protocols. To meet these industry expectations, we are making an important update to ArcGIS Online in February 2019 that is likely to affect most ArcGIS software and custom solutions. With this change, we are enforcing the use of TLS (Transport Layer Security) version 1.2 only and will remove support for earlier TLS versions 1.0 and 1.1. More details about Esri’s support for TLS, including patches and instructions for updating software, can be found by visiting support.esri.com/en/tls.

Who is affected?

Users of most ArcGIS software or custom solutions using Esri technology may be affected by this planned update to TLS protocol v1.2.

What do I need to do now?

Go to the Esri TLS Support page for more information and specific actions you may need to take in advance of this update. If this email is not applicable to you, please forward this email to the one who manages your ArcGIS software or custom solutions using Esri technology.
11-15-2018
08:18 AM
|
BLOG
|
Our team is frequently asked questions regarding privacy in our software. Recently, a student asked a question regarding ArcGIS Maps for Power BI. Specifically, his organization required a risk assessment to be completed to understand what, if any, data is transmitted to ArcGIS Online. Happily, Scott Ball provided a thorough answer to this question in his blog here: FAQ - Data Security in ArcGIS Maps for Power BI As this space matures, we'll be aggregating similar privacy and security resources from various Esri Teams and referencing them via this space. --Randall
11-14-2018
07:08 AM
|
POST
|
Have you tried registering using the FQDN instead of the IP address? I wouldn't expect that the IP address is a CN or a SAN on your cert.
11-08-2018
12:46 PM
|
BLOG
|
What is Multi-Factor Authentication (MFA)?

Multi-Factor Authentication (or MFA/2FA) is a feature that allows a user to provide two distinct pieces of evidence to a software solution to prove that you are who you say you are. Evidence includes supplying two of three factors at login time: something you know (like a password), something you have (like a smart card or soft token supplied via an app) or something you are (like a fingerprint or some other biometric marker). Credentials must be from two of these three factors – for example, providing two passwords is not considered MFA. In ArcGIS.com, multifactor authentication is implemented by requesting a verification code in addition to an ArcGIS Online organization name and password at login time.

Why should my organization use MFA?

Multi-Factor Authentication helps protect you and your organization by adding an additional layer of security to the login process, making it substantially more difficult for an unauthorized user to impersonate an authorized user when logging into ArcGIS Online. When MFA is enabled and configured, an unauthorized user needs to have both your username and password combination, and also access to your mobile device (which, it is assumed, also requires a PIN or some biometric marker to access). Security Experts report that MFA is considered one of the top five best online security practices currently available. Using MFA can help prevent unauthorized access or changes to your ArcGIS Online organization, and can also help to prevent unauthorized modification or deletion of your organization’s content.

How is MFA implemented in ArcGIS Online?

Organizations can take advantage of this additional authentication and configure their organization to allow members to enable multifactor authentication on their ArcGIS Online accounts. To use this feature, organization members need to have an ArcGIS account and a mobile device with a supported authentication app installed on it. In ArcGIS Online, two administrators must exist in the organization to configure MFA. This requirement is to help support the potential use case of an administrator themselves losing access to their own device and authentication app. It is strongly recommended that ArcGIS Online administrators enable MFA for their accounts, if not for all ArcGIS Online organization accounts.

https://www.nist.gov/itl/tig/back-basics-multi-factor-authentication
https://www.usenix.org/system/files/conference/soups2015/soups15-paper-ion.pdf
11-05-2018
11:58 AM
|
POST
|
Users experiencing this issue should also consider logging cases with the NAS/SAN vendors. The essential issue here is that the device can't keep up with the high IO between ArcGIS Server and the remote config-store.
11-05-2018
08:41 AM
|
BLOG
|
Hi Joe, Sorry for the confusion, and thanks for providing the first comment for this new space! Documentation for many popular identity providers is linked to in the help doc referenced above. Additionally, Esri Support Services just released this KB that speaks to this issue: Problem: ArcGIS Online SAML Authentication signing and encryption certificate renewal In terms of timing, the new certificate has already been added to the ArcGIS Online metadata file. Users just need to download the metadata file from ArcGIS Online and upload it into their IDP before November 14th. --Randall
11-02-2018
01:42 PM
|
BLOG
|
On November 2, 2018, ArcGIS Online's signing and encryption certificates have been updated.

ArcGIS Online has a new SAML signing and encryption certificate available. This certificate is necessary when an organization has enabled signed requests or encrypted assertions. The previous SAML signing and encryption certificate is due to expire on November 14th, 2018 and it is necessary to take action to ensure that your organization can continue to use your Enterprise Identity Provider (IDP). SAML enterprise logins that use the old certificate for signed requests or encrypted assertions will continue to work until Nov 13, 2018.

Action: Users who have enabled the advanced options 'Enable Signed Requests' and/or 'Encrypt Assertion' will need to obtain the new ArcGIS Online Service Provider metadata file and associate it with their Identity Provider before November 14, 2018. Customers using these advanced options who do not upload the updated ArcGIS Online metadata file containing the new certificate before this date will receive an IDP specific error when they attempt to sign into ArcGIS Online with an Enterprise account.

To obtain the updated metadata file:

a. Login to www.arcgis.com with your administrative credentials
b. Click on "Organization" then "Settings" then "Security"
c. Scroll down to "Enterprise Logins" then click the "Get Service Provider" button.
   - This action will download the metadata needed for your IDP.

An email containing the following text has already been sent to ArcGIS Online Organization Administrators:

"ArcGIS Online will be updating its SAML signing and encryption certificates on November 13th, and we need you to take action to ensure your organization can continue to use your Enterprise Identity Provider (IDP). This certificate is necessary when an Organization has enabled signed requests or encrypted assertions. To enable your IDP to discover our new certificates, you will need to re-register ArcGIS Online as your trusted services provider. The process for this varies by the SAML identity provider used, but tutorials on how to do this can be found in our documentation within the section titled 'Register ArcGIS Online as the trusted service provider'. Esri has documented this process for these popular Identity Providers: ADFS, NetIQ, Okta, OpenAM, Shibboleth, SimpleSAML. If you have any questions, please contact technical support."

Esri Support Services has released a KB article describing this issue. See: Problem: ArcGIS Online SAML Authentication signing and encryption certificate renewal
11-02-2018
11:16 AM
|
POST
|
ArcGIS tokens are an Esri specific construct and are not a part of the OGC spec. You'd have to use web tier authentication (basic/digest) if you'd like to use secured OGC services with the clients you mention. See 'Securing OGC services': OGC support in ArcGIS Server—Documentation | ArcGIS Enterprise
11-01-2018
12:46 PM