SSL on ArcGIS Server 10.1 Windows

10-22-2012 09:41 AM
christopherfricke2
New Contributor III
I am setting up ArcGIS Server 10.1 on a windows box that already has an SSL Certificate installed.

However, after running through the instructions in the documentation (stepping over the actual request for the SSL certificate), I am unable to access the rest endpoint on 6433.  (http://resources.arcgis.com/en/help/main/10.1/index.html#/Enabling_SSL_using_a_new_CA_signed_certifi...)

  • Everything works great for 6080.
  • I get a timeout message when I access the server on 6433 through Firefox.
  • The Server log throws the following error every time I try to access the site on 6433 (I have about 30 of these):
    <Msg time="2012-10-22T13:32:46,85" type="WARNING" code="7709" source="Admin" process="3104" thread="1" methodName="" machine="LOCALHOST" user="" elapsed="">The Web Server was found to be stopped when it should have been started. Restarting it.</Msg>


Possible scenarios that I think could be causing this:
  1. Certificate is for IIS not Apache Tomcat/whatever ArcGIS Server uses.  If this is the case, the documentation does not specify what SSL certificate is required.
  2. Machine name is Localhost not the real Hostname.  If this is the case, then it should be included in the documentation.

I know a few people have run into issues with this, how have you all been able to fix this issue?
0 Kudos
11 Replies
JeffSmith
Esri Contributor
Usually that error is thrown when the process monitor scans ports 6080 and 6443 and determines one of them is not being used.  It assumes Tomcat may not be running and tries to restart it.  In your case it sounds like it is happening only when trying to access it though.

After enabling both HTTP and HTTPS access through the arcgis/admin page, did you try restarting the ArcGIS Server service?

Regarding the SSL certificate, there is not a unique certificate for IIS or Tomcat.  They are all the same.  Does https work for you when you use a self-signed certificate instead of importing one?
0 Kudos
christopherfricke2
New Contributor III
Incidentally I talked with Esri Support and thought I figured out this issue.

For others reading, if you want to use SSL and ArcGIS Server and the web adapter on the same machine, do not set up your CA Cert on ArcGIS Server.  Use a self-signed certificate on ArcGIS Server.  The Web Adapter (with IIS cert) will act as a reverse proxy and your requests will appear to the outside world correctly.  However, this means that you cannot use 6433 for administrative purposes when accessed from the outside.


To answer your questions, Jeff:
* Yes I have restarted the ArcGIS Server service
* Now the arcgis server locks up after a few hours.  Although the folders in the rest end point still appear, all of the services are gone.  This is pretty strange, because you would figure if arcgis server is down then nothing would appear.
* The previous error still appears in my logs, however now it is followed with some new fun:

<Msg time="2012-10-30T18:40:35,14" type="WARNING" code="7709" source="Admin" process="4312" thread="1" methodName="" machine="LOCALHOST" user="" elapsed="">The App Server was found to be stopped when it should have been started. Restarting it.</Msg>

<Msg time="2012-10-30T18:41:38,174" type="SEVERE" code="6749" source="Admin" process="4312" thread="1" methodName="" machine="LOCALHOST" user="" elapsed="">Error while starting AppServer.  Required port '4,000' already in use.</Msg>

<Msg time="2012-10-30T18:41:38,174" type="SEVERE" code="6550" source="Admin" process="4312" thread="1" methodName="" machine="LOCALHOST" user="" elapsed="">Failed to start the server machine 'LOCALHOST'. Error while starting AppServer.  Required port '4,000' already in use.</Msg>


To me this looks like it decided TomCat is not running, then decided to restart it.  However, TomCat was actually running and now ArcGIS server is totally confused at what to do next.

I need to do some more diagnostics to fully understand what is causing this.
0 Kudos
DavidCordes
New Contributor III
Christopher,

The message you are seeing that says "the app server was not started" is expected.  When you change SSL settings, a restart of the application server is required.  There is another internal component that monitors ArcGIS Server processes and during the restart it noticed that the app server was indeed not running (though it was only for a few seconds) and correctly reported that.  This particular message was logged at 'warning' level.  If a particular event happens that we know for sure is a "bad thing" then it gets logged at the 'severe' level.  If it's something that may be bad, but may also be normal then we log it as a 'warning'.  In this case (changing SSL settings) it is safe to ignore this particular error message.

The error message that says "port 4000 is in use" is a severe error and is not normal when changing SSL settings.  That is something that does need to be addressed immediately if that is continuing to happen.  That usually means that ArcGIS Server did not shut down cleanly for some reason.  The quickest way to resolve it is to reboot the machine.  Typically when you stop ArcGIS Server the software waits for a period of time for a clean shutdown (about 30 seconds).  If it's not able to cleanly shut down then it forcibly kills left-over processes.  That kill usually works but for some reason it sounds like one of the processes was not able to even be forcibly killed.  That's fairly unusual and if a reboot does not solve the problem or if you see it reoccur in the future then I would open up an Esri support incident for that issue.

ArcGIS Server does support using CA-issued certificates but it must be from a CSR (certificate signing request) generated by ArcGIS Server.  There are several things that can be wrong with a certificate that might prevent port 6443 from working - unfortunately these are hard to diagnose.  The self-signed certificate for ArcGIS Server provides protection against packet sniffing along the network because all your traffic is encrypted but does not provide protection against a man-in-the-middle + DNS spoofing attack.  If you want to protect against the possibility that hackers can modify your DNS records and set up a server on your network to intercept ArcGIS Server traffic then you should use a CA-issued certificate.  This type of "man in the middle" attack is moderately difficult to pull-off.  Each organization has to decide which level of security they wish to use, but if your organization has strong security requirements or you are a potential target for a focused attack on your organization then you should consider using a CA-issued certificate.
0 Kudos
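The triage rule in the reply above (WARNING 7709 around an SSL change is expected; a SEVERE "port already in use" means an unclean shutdown and needs action) can be applied mechanically to an ArcGIS Server log. The script below is an added example, not code from this thread or from Esri; the sample log is constructed from the three `<Msg>` entries quoted earlier in the thread.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: the three log entries quoted in this thread, each an
# ArcGIS Server <Msg> element on a single line.
SAMPLE_LOG = """\
<Msg time="2012-10-30T18:40:35,14" type="WARNING" code="7709" source="Admin" process="4312" thread="1" methodName="" machine="LOCALHOST" user="" elapsed="">The App Server was found to be stopped when it should have been started. Restarting it.</Msg>
<Msg time="2012-10-30T18:41:38,174" type="SEVERE" code="6749" source="Admin" process="4312" thread="1" methodName="" machine="LOCALHOST" user="" elapsed="">Error while starting AppServer.  Required port '4,000' already in use.</Msg>
<Msg time="2012-10-30T18:41:38,174" type="SEVERE" code="6550" source="Admin" process="4312" thread="1" methodName="" machine="LOCALHOST" user="" elapsed="">Failed to start the server machine 'LOCALHOST'. Error while starting AppServer.  Required port '4,000' already in use.</Msg>
"""

# The log writes the port with a thousands separator ('4,000'); capture digits and commas.
PORT_RE = re.compile(r"Required port '([\d,]+)' already in use")


def parse_msgs(text):
    """Return a list of (type, code, port_or_None, message) for each <Msg> line."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("<Msg"):
            continue  # skip anything that is not a log element
        el = ET.fromstring(line)
        body = el.text or ""
        m = PORT_RE.search(body)
        port = int(m.group(1).replace(",", "")) if m else None  # '4,000' -> 4000
        out.append((el.get("type"), el.get("code"), port, body))
    return out


def triage(text):
    """Split entries into expected warnings and severe port conflicts that need action."""
    expected, needs_action = Counter(), []
    for typ, code, port, _body in parse_msgs(text):
        if typ == "WARNING" and code == "7709":
            expected[code] += 1          # monitor restart notice: benign during an SSL change
        elif typ == "SEVERE" and port is not None:
            needs_action.append((code, port))  # port held by a process that did not die
    return {"expected_warnings": dict(expected), "needs_action": needs_action}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Run it against a real log file by passing the file's contents to `triage`; a non-empty `needs_action` list is the signal to reboot or open a support incident as described above.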
GerryReidel
New Contributor II
> Regarding the SSL certificate, there is not a unique certificate for IIS or Tomcat.  They are all the same.  Does https work for you when you use a self-signed certificate instead of importing one?

I have found that there IS a difference. I was using GoDaddy as my CA, and when you download the certificate, it asks you where you intend to use it. I was choosing IIS7. ArcGIS for Server would not import the intermediate certificate, and security could not be enabled. On the advice of Esri tech support, I chose "other" and proceeded without trouble.
0 Kudos
RobRob
New Contributor
> I have found that there IS a difference. I was using GoDaddy as my CA, and when you download the certificate, it asks you where you intend to use it. I was choosing IIS7. ArcGIS for Server would not import the intermediate certificate, and security could not be enabled. On the advice of Esri tech support, I chose "other" and proceeded without trouble.

This is correct.
I recently had the same issue and replacing "IIS" with "other" resolved the problem.
0 Kudos
MartinWills
New Contributor
ArcGISServer 10.1 with image server extension, Win server 2008R2, Apache Tomcat

I too am having issues with getting SSL to work properly. I followed the directions in the ESRI documentation exactly. Logged into server machine RDP, used ArcGIS self signed cert, made changes here: http://localhost:6080/arcgis/admin, restarted ArcGIS server in services panel. It killed all image services on the machine. I rebooted whole server multiple times, finally reverted back to non SSL in admin but when doing that I sometimes got error message that another admin process was in use and it couldn't do it and even when it did appear to work and I logged off admin then logged back in it still had SSL settings in place. But it did eventually revert to non SSL however I still had no services and had to log in to ArcGIS manager interface and manually restart 50 plus services.

This should be much easier to accomplish. Once again ESRI has released beta software for testing by users. I'm still SOL with SSL connections - afraid to go and try it again 'cause our state government users got very upset.

After discussion with two peers in other states I think this desire for SSL connections to ArcGIS Server services is becoming more common so perhaps in next iteration of ArcGIS server this should be initialized at install by default?
0 Kudos
EdJuarbe
New Contributor III
I too have been trying to get the CA certificate registered correctly in ArcServer 10.1 SP1...  In a nutshell, I've come to the conclusion that it is not possible due to a bug in the program:

http://support.esri.com/en/bugs/nimbus/role/beta10_1/TklNMDgzNzM4

So in short...

Unless you are using the Web Adaptor (and have an IIS website to deal with), you do not have to configure via IIS.

As for ArcServer 10.1... the closest you can get in the admin API is to create the self-signed certificate until you upgrade to 10.2...

I just wish ESRI and support would acknowledge and document directly this situation instead of keeping it so vague.   I went through three support techs before I found the bug info...and still it was ...try this...try that... until I got to this conclusion.
0 Kudos
JeffSmith
Esri Contributor
Ed,
ArcGIS Server 10.1 can definitely handle CA SSL certs.  The caveat is that the CSR has to be generated through the Server Admin API.  In 10.1 you cannot import a pre-existing CA SSL cert through the Admin API.  This is what the NIM that you referred to addresses and what has been added in 10.2.
0 Kudos
Mtclimber03
Occasional Contributor
I was running into this same issue myself. I'm running 10.1 SP1 and was able to successfully implement this workflow using an existing CA cert. The setup was extremely sensitive and would only work for me when done in the following sequence.

1) Install CA cert. on IIS
2) Enable https and http in AGS Admin.
3) Restart Server (this is key)
4) Log back into AGS Admin. Choose and save settings *again* for the "self signed" cert. (the default one)
5) Run web adapter with the "https://xxxxx:6443/arcgis/admin" for admin dir.

These items in this specific order were the only way I successfully implemented using SSL with an existing CA certificate while maintaining http & https access. It was a lot of trial and error to make this work. Hope this helps some of you out there.
0 Kudos