Incorrect AVA format

10-12-2016 06:32 AM
AdrianWelsh
MVP Honored Contributor

Have you ever gotten this error when dealing with generating a self-signed security certificate for ArcGIS Server (10.4)?  Incorrect AVA format

I was following the steps outlined here:

Configuring HTTPS using a self-signed certificate—Documentation (10.4) | ArcGIS for Server 

I changed the "Common Name" parameter and matched it to what my "Alias" parameter is. I tried a few different parameters but cannot figure out how to not get an "incorrect AVA format", whatever that means.

Backstory: I am attempting to generate a new SSL Certificate because when I try to load a map service that I published to my server to an existing web map that I have, I get this message:

"Error

Unable to establish a secure connection to the layer. The layer, <layer name>, cannot be added to the map."

In my AGOL organizational settings, the "Use HTTPS Only" option is checked off, so I would think any security should be allowed.

(note: having it either on OR off displays the same behavior)

Also, I'm tagging vangelo-esristaff since he seems to know these kinds of questions!

Anyways, any help is appreciated!

0 Kudos
8 Replies
AndyOmmen
Esri Contributor

Hi Adrian,

When inputting the certificate parameters, make sure not to use invalid characters, specifically commas. Are you planning on importing your self-signed certificate into your enterprise trusted root store? If not, I doubt the client side web browser will accept the SSL content returned from its request and you'll probably get the same error message in AGOL. Without going into a lot of web security detail, self-signed certificates should only be used within a testing environment where the same workstation will be accessing the SSL content via client application. If your intentions are to have other users access your web maps and view the SSL content, then you will need to go down the route of accessing a CA signed certificate or domain certificate if the content will only be accessed within your organization's domain. Do your map services need to be SSL enabled? This might be an IT requirement that you can't get around but if not then try accessing the map service over HTTP. I hope this helps.

Thanks

Andy
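An added illustration of the comma advice above (not part of the original posts and not Esri code): an AVA is one `type=value` pair inside an X.500 distinguished name, and in the RFC 4514 string form a comma separates those pairs. The sketch assumes the certificate form fields are joined into such a DN string; the field values are constructed and the parser is simplified (no hex escapes, no multi-valued RDNs).

```python
import re

# Characters that must be backslash-escaped inside an attribute value (RFC 4514).
SPECIALS = set(',+"\\<>;')

def escape_value(value):
    """Escape one attribute value so it can sit safely inside a DN string."""
    value = value.strip()
    out = "".join("\\" + c if c in SPECIALS else c for c in value)
    return "\\" + out if out.startswith("#") else out

def build_dn(fields, escape=True):
    """Join (type, value) pairs into a DN; escape=False mimics naive joining."""
    return ",".join(f"{t}={escape_value(v) if escape else v}" for t, v in fields)

def split_rdns(dn):
    """Split a DN on commas that are not preceded by a backslash escape."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur += dn[i:i + 2]
            i += 2
            continue
        if dn[i] == ",":
            parts.append(cur)
            cur = ""
        else:
            cur += dn[i]
        i += 1
    parts.append(cur)
    return parts

def parse_dn(dn):
    """Return [(type, value)]; reject any component that is not type=value."""
    avas = []
    for rdn in split_rdns(dn):
        attr_type, eq, value = rdn.lstrip().partition("=")
        if not eq or not attr_type:
            raise ValueError(f"incorrect AVA format: {rdn.strip()!r}")
        avas.append((attr_type, re.sub(r"\\(.)", r"\1", value)))
    return avas

def risky_fields(fields):
    """Names of fields whose values contain DN metacharacters."""
    return [t for t, v in fields if SPECIALS & set(v)]

# Constructed sample input: the organization name contains a comma.
FIELDS = [("CN", "gis.example.com"), ("O", "Acme, Inc."), ("C", "US")]
```

Joined without escaping, the organization value splits into `O=Acme` and a stray ` Inc.` that has no `type=` part, which is the malformed AVA. Whether a given tool accepts the escaped form is tool-specific, so removing the comma from the field, as advised above, is the portable fix.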

AdrianWelsh
MVP Honored Contributor

Andy,

Thanks so much for the reply. It was the comma that was causing problems with the certificate. I did get it generated.

Though, I am still having issues with loading any of my server data onto a web map. It is likely I will need to make a new certificate while directly on the server machine. I will have to try that tomorrow. Though, I really am unclear on what I need to do in order to have my server data accessible to the public for use within web maps.

Thanks again,

Adrian

0 Kudos
AndyOmmen
Esri Contributor

Hi Adrian,

Are you using an HTTPS URL when adding your map service data into the web map? If so, it sounds like AGOL is rejecting the service since the web browser that you are using to interact w/ AGOL doesn't trust the self-signed certificate the SSL service is providing. You now need to determine whether or not you really need to use the SSL or HTTPS enabled map services. When logged into the Server admin directory, go to security > config and look at the Protocol setting. Is it set to HTTP and HTTPS? If so, try loading a map service w/ the following URL format http://<servername>.<yourdomain>.com:6080/arcgis/rest/services/... into a web map (if using Web Adaptor the URL will omit the 6080 port and the server name might be different).

For public access, you really should use a Web Adaptor that is running on a dedicated web server or have some other load balancing technology set up that distributes client requests to your ArcGIS Server. If you have to provide SSL enabled map services for public use, then you'll have to use a CA signed certificate in order for the public to access your content. The ArcGIS Server help talks about the various environments you can implement. I hope this helps.

Thanks

Andy

AdrianWelsh
MVP Honored Contributor

Andy,

I am not using an HTTPS URL for adding the map. This is how my security is set up:

I am using the web adaptor, so I do not put in the :6443 or the :6080. I do not believe I have to provide SSL enabled map services, so I would not think I would need a CA signed certificate (not sure what that is either). So, I'm a little stuck.

Thanks again for your help,

Adrian

AndyOmmen
Esri Contributor

Hi Adrian,

The SSL certificates only come into play when a client application (AGOL, web app, etc.) tries to access a map service using the HTTPS protocol. If you are unable to access non-SSL enabled map services within AGOL, then it sounds like it could be a firewall issue. Can you access the rest services using a URL similar to http://webserver.domain.com/ArcGIS/rest/services from your workstation using a web browser? If not, then your Web Adaptor might not be able to get outside of your firewall due to a security setting.

AdrianWelsh
MVP Honored Contributor

Andy,

Sorry for the late reply. I have been out of town. So, I am able to open up my server REST services in a blank web map when I am not logged into my organizational account. So I am guessing the issue lies within my organizational settings, though I am not sure where to look. 

My security settings for my organization are the same as they were in my original post screen shot. Any suggestions on what I need to change? Or is it still a change that needs to happen on the server side?

0 Kudos
AdrianWelsh
MVP Honored Contributor

Andy,

I appreciate the help you have given me so far. Do you think at this point it is worth talking with Esri support?

0 Kudos
RandallWilliams
Esri Regular Contributor

Yes. Support should be able to help.

0 Kudos