CA Signed SSL Installation with Web Adapter on IIS 7.5

08-06-2013 05:12 AM
NathanSommers
New Contributor III
Greetings,

I was wondering if anybody would be able to help me with a question I had in regards to the installation of a CA signed SSL certificate using the web adapter running on IIS 7.5. I have followed the instructions and the certificate works great when accessing my services at https://gisserver.domain.com:6443/arcgis/manager. However, my question comes into play when I try to use SSL with the web adapter using the following documentation. My question is at "Step 5: Configure SSL on the ArcGIS Web Adaptor" Item number "1: Enable SSL on the web server hosting the Web Adaptor. For instructions, consult the product documentation specific to your web server".

How are you supposed to enable the HTTPS binding on IIS 7.5 if your SSL certificate is not on the webserver but integrated into the ArcGIS Server?  I try and enable the binding but I cannot without a certificate because I requested the certificate through the GIS Server.

Any help would be much appreciated, I have been struggling with the SSL for a while.

Thank you,

Ian
0 Kudos
3 Replies
StephanieSnider
Occasional Contributor III
In my experience, you will need a trusted certificate on the web adaptor server as well.  Since the web adaptor directs traffic to the GIS Server, the web adaptor needs the trusted cert. I have trusted certs on both the web adaptor and GIS server.

In case you need it, here's how I set up the 443 binding in IIS on the web adaptor server:

1.  Open IIS 7.5.  Expand to see Sites. 
2.  You should see the Default Web Site.  Select it.
3.  Under Actions on the right, click Bindings...
4.  Add a binding for type https on port 443.
5.  Select an SSL certificate (which should already be loaded to the server by the Network gurus.)  If it isn't, they will need to create the certificate and import it onto the server.  Sorry, I can't explain this process more as it is all a bit voodoo to me.
6.  Click OK.
7.  (for our setup, you may not need).  With the website selected, double click on Authentication under IIS.  Confirm that Anonymous authentication is enabled and everything else is disabled.
NathanSommers
New Contributor III
Thanks for the help, Stephanie.  I heard back from ESRI and they said the same thing as you, that we need a certificate on both the GIS Server and the Webserver.  Our GIS Server and Web Adaptor are on the same machine. Do you think we will still need two certificates, and do you know where this is located in the help documentation?

Thank you,
Ian
0 Kudos
StephanieSnider
Occasional Contributor III
This is something I haven't considered with the GIS Server and the Web Adaptor on the same machine and how certificates are handled, but it seems right.  The GIS Server uses Tomcat as the web server, while the Web Adaptor uses IIS.  Basically you have two different web servers on the same machine.  So I could see where you would need two different certificates on the same machine.  In our case, we have the GIS Server and Web Adaptor on different machines and they both needed the trusted certificates.  This is the ESRI documentation link for setting up the trusted certificate on the GIS Server:  http://resources.arcgis.com/en/help/main/10.1/index.html#/Enabling_SSL_using_a_new_CA_signed_certifi...

However, it lacks detail at sections "Request a CA to sign your certificate" and "Import the CA root certificate into the OS certificate store".  To be honest, I have tried this on two different environments, development and test, and both times had trouble with this part.  Our network admins said that the way they had to create the certificate for the GIS Server was different than the way they normally do it.  This was our procedure (my part and their part):

GIS Admin task:
1. Create a new self-signed certificate:  Login to the ArcGIS Server Admin Directory
2. Navigate to machines > machine name > sslcertificates
3. Click generate, then enter these values:
   * Alias: [Name of certificate]
   * Key Algorithm: RSA
   * Key Size: 2048
   * Signature Algorithm:  SHA1withRSA
   * Common Name:  [Name of server]  This is the name of the server alone.  We found that using the fully qualified domain name did not work.
   * Your organization's details.... We set the validity in days to 730, but this may be different for you.
4. Click Generate
5. From Home > machines > name of server > sslcertificates, click on the name of the certificate you created in step 3.
6. Scroll down to the bottom of the page to see generateCSR and click it.
7. Copy the entire text for the CSR and provide it to the network admins or company that will create the trusted certificate. 

Network Admin task.... If anyone else can explain this better, please chime in.  This was what worked for us - GIS and Networks folks together.  I'm providing this part for other organizations that create their own trusted certificates.  If you are getting a certificate from Verisign or another company, you will not need these details as the result will be the 3 certificates:
1. Create a BASE64 certificate using the CSR provided.
2. Take this stacked certificate and import it onto a local PC (Windows 7)
3. Export the certificate in 3 parts (root, intermediate and machine). 
4. Provide GIS Admin with all three certificates.

GIS Admin task:
1. Save certificates to the desktop of the GIS Server
2. From the ArcGIS Server Admin website, navigate to Home > machines > servername > sslcertificates.   Import each certificate (root, intermediate and machine).
3. Navigate to machines > servername and click edit.
4. Enter the name of the Machine SSL certificate in the box for Web server SSL Certificate.
5. Click Save Edits to apply your change.
6. On that page, view the property Web server SSL Certificate to verify that the desired SSL certificate will be used for SSL.

This is important!!!!    IF the CA certificate fails and the GIS Server is no longer responsive, here's how you get it back:
1. Log into the GIS Server
2. Navigate to the location for the tomcat server.  We don't use the default location, but I think it is something like this:  ...\ArcGIS\Server\framework\runtime\tomcat\conf
3. Open the server.xml and scroll down to the bottom.
4. On the last line of code, you will see a keyAlias="name of the certificate", the one that you just set.  Since this one isn't working, change the alias back to the original ESRI self-signed certificate (SelfSignedCertificate).  keyAlias="SelfSignedCertificate"   Save the file and close.
5. Stop and start the ArcGIS Server service.  Open the Control Panel >  Administrative Tools > Services.  Select ArcGIS Server.  Restart the service.

Now for the Web Adaptor, you will use IIS as the web server.  Again, your network admins will need to create a certificate and load it to the GIS Server.  I'm not sure about the procedure for how they do this.  But once the certificate is loaded to the server, this is where your part picks up.

Create a binding in IIS for https on port 443 using IIS 7.5:
1. Log into Web Adaptor Server.  Open IIS. 
2. Under server name, select Sites. 
3. Select the Default Web Site (or your customized web site),
4. Under "Actions" on the right side of the window, click Bindings.
5. On the Site Bindings window, click Add.
6. Select Type https.  IPAddress is All Unassigned.  Port is 443.
7. Select the SSL certificate that the network admins loaded to the server.  It should be available in the dropdown box.  If not, consult your network staff.
8. View certificate to check.   For us, we set up the certificate for the name of the server and not the fully qualified domain name.
9. Click OK and close the Site Binding window.
10. With the Default Web Site selected, double click Authentication under the IIS section (middle of window).  This worked for us....Confirm that Anonymous authentication is enabled and everything else is disabled.
11. Install Web Adaptor.  It is important that you set up the binding BEFORE you install the web adaptor.  I'm sure you can reconfigure it after the install, but it is a more involved process.  This way is much easier.

That is the extent of my certificate knowledge with the GIS Server and Web Adaptor 🙂  Good Luck!!  And please...anyone...feel free to add your experience with this process.
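
The IIS binding steps in the reply above, scripted as an added example (not part of the original posts and not Esri's code). It lists the certificates IIS can actually offer for the binding, reports what clients will see, and attaches the best match to https on port 443. Assumptions: the site is `Default Web Site`, clients reach the server by its short machine name as in the thread, and the binding is on all unassigned addresses.

```powershell
# Added example. Run in an elevated PowerShell on the Web Adaptor host.
Import-Module WebAdministration

$siteName = 'Default Web Site'   # site used in the steps above
$hostName = $env:COMPUTERNAME    # assumption: short server name, as in the thread
$port     = 443

# IIS only offers certificates from LocalMachine\My that carry a private key.
# A signed .cer imported without its key never shows up in the dropdown.
$now = Get-Date
$usable = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now
}

# Report the properties a browser or the Web Adaptor will evaluate.
$report = $usable | ForEach-Object {
    $san = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    New-Object PSObject -Property @{
        Thumbprint = $_.Thumbprint
        Subject    = $_.Subject
        SAN        = $(if ($san) { $san.Format($false) } else { '' })
        SigAlg     = $_.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA, sha256RSA
        KeySize    = $_.PublicKey.Key.KeySize
        NotAfter   = $_.NotAfter
    }
}
$report | Format-List

# Pick the longest-lived certificate whose CN or SAN names this host.
$name   = [regex]::Escape($hostName)
$chosen = $report | Where-Object {
    $_.Subject -match "CN=$name(,|$)" -or $_.SAN -match "=$name(,|$)"
} | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $chosen) { throw "No usable certificate for '$hostName' in LocalMachine\My." }

# Create the https binding if it is missing, then attach the certificate.
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port $port)) {
    New-WebBinding -Name $siteName -Protocol https -Port $port -IPAddress '*'
}
if (-not (Test-Path "IIS:\SslBindings\0.0.0.0!$port")) {
    Get-Item "Cert:\LocalMachine\My\$($chosen.Thumbprint)" |
        New-Item "IIS:\SslBindings\0.0.0.0!$port" | Out-Null
}
Get-WebBinding -Name $siteName -Protocol https
```

If the report is empty, the certificate was imported without its private key or into the wrong store, which is the usual reason it is missing from the dropdown in step 7.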