Make Portal 10.5 use mutual authentication (PKI)

Question asked by mjschmo on May 30, 2017
Latest reply on Jun 5, 2017 by mjschmo

When Portal makes web requests to other secure services (e.g. print task that calls a map service), it doesn't use the client cert loaded via /arcgis/portaladmin/security/sslCertificates.


It looks like Portal adds these certs to a keystore (C:\Program Files\ArcGIS\Portal\etc\ssl\portal.ks). This keystore seems legit after testing it programmatically outside Portal to create an SSL context and make web requests with.


Portal, however, isn't using them as a client with requests it makes.  Is this normal?


For example, in the ArcGIS Server logs for a Print gp task that is calling a secure map service, we get an error like:


A certificate is required to complete client authentication (WinINet ERROR_INTERNET_CLIENT_AUTH_CERT_NEEDED, 12044), URL = <SECURE_MAP_SERVICE_BEHIND_WEBTIER_AUTH>
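
Added example, not part of the original post and not Esri code: a standalone Java check of the kind the post describes running outside Portal. It lists which aliases in a keystore such as portal.ks hold a private key and then builds a client-side SSLContext from it. The class name, the command-line arguments, the JKS default type and the key password being the same as the store password are assumptions; the keystore password is not given on the page.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

public class KeystoreClientAuthCheck {
    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: KeystoreClientAuthCheck <keystore> <password> [type]");
            return;
        }
        char[] password = args[1].toCharArray();
        // Assumption: the store is JKS unless a type (e.g. PKCS12) is passed as the third argument.
        KeyStore ks = KeyStore.getInstance(args.length > 2 ? args[2] : "JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, password);
        }

        int usable = 0;
        for (String alias : Collections.list(ks.aliases())) {
            // Only an entry with a private key can be presented when a server requests
            // a client certificate; certificate-only entries just extend what is trusted.
            boolean hasKey = ks.isKeyEntry(alias);
            Certificate cert = ks.getCertificate(alias);
            String subject = cert instanceof X509Certificate
                    ? ((X509Certificate) cert).getSubjectX500Principal().getName()
                    : "(no X.509 certificate)";
            System.out.printf("%-30s %-12s %s%n", alias, hasKey ? "PRIVATE KEY" : "trust only", subject);
            if (hasKey) usable++;
        }

        // Build the client-side context. Assumption: key password equals the store password;
        // init() throws UnrecoverableKeyException if it does not.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        System.out.println(usable + " alias(es) usable for client authentication; context: " + ctx.getProtocol());
    }
}
```

If every alias is reported as "trust only", the store can validate servers but holds nothing to present as a client certificate.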