
Setting up SSL with a signed certificate in a multi-tier server architecture

Question asked by madgame on Jun 24, 2014
As the subject implies, I recently tried to set up SSL in a multi-tier environment where the IIS Web Server/ESRI WebAdaptor and the GIS Server ran in different Virtual Machines.  I'm using ArcGIS Server 10.1, here's how I did it.

1)  I acquired a Signed Certificate directly from the CA, I did NOT use the ESRI CSR-generation steps.
2)  I installed the Signed Certificate and CA Root Certificates on the IIS server and followed Microsoft's cryptic instructions for enabling SSL for a particular website.
3)  Most importantly, the WebAdaptor dojo.js and init.js scripts MUST use the domain name (not IP Address) that matches the domain name in the certificate.  (I'll explain why later)
4)  The GIS Server was configured to use the SelfSignedCertificate (default) and I left it that way because the IIS Server handles authentication.

1)  If you access the website using an IP instead of a domain name (and it's PKI-controlled), it's not uncommon to receive certificate errors upfront because the URL you accessed doesn't match the URL of the certificate.  In a multi-tiered architecture, everything still behaves ok because the user acknowledges the URL mismatch and certificate errors are ignored for the remainder of the session.
2)  However, if you access the website using a domain name, and there are no top-level certificate errors, your IE browser may crash when trying to access the dojo scripts (if the dojo scripts were set up with IP addresses instead of a domain name).  This is because IE thinks you are trying to access a different site to download the dojo scripts, which would break the security architecture.  Normally, this is reported to you innocently and the user has to acknowledge it, but with ArcGIS Server, it just crashes the browser.
3)  At some point, while trying various things, loading/unloading certificates into ArcGIS server, my services became locked (not open to the public).  This was reported conspicuously in the browser's developer tools console as an 'Error: Token Required' error.  I had to unlock them through the Manager website.
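A check for the hostname-mismatch point in step 3 and observation 2 above, added here as an example and not taken from the original post or from ESRI: it extracts the script URLs a page references and reports any whose host is not covered by the certificate's names. The certificate names and the HTML fragment are constructed, and real certificate details would be read from the server's certificate instead.

```python
"""Report scripts a page loads from a host the site's certificate does not cover.
Added example; the HTML fragment and certificate names below are constructed."""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed certificate identity (CN plus SAN entries); not from a real cert.
CERT_NAMES = ["gis.example.org", "*.example.org"]

# Constructed fragment modelled on a Web Adaptor page: dojo.js referenced by
# IP address (the failing case), init.js by the certificate's domain name.
SAMPLE_HTML = """
<script src="https://10.0.0.5/arcgis/js/dojo/dojo.js"></script>
<script src="https://gis.example.org/arcgis/js/init.js"></script>
<script src="/arcgis/js/local.js"></script>
"""

def host_matches(host, names):
    """RFC 6125 style check: exact match, or a wildcard covering one leftmost label.
    An IP address never matches a DNS name, which is what triggers the warning."""
    host = host.lower()
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    for name in names:
        name = name.lower()
        if name.startswith("*."):
            # one label only: maps.example.org matches, a.b.example.org does not
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
        elif host == name:
            return True
    return False

def find_mismatched_scripts(html, cert_names, page_host):
    """Return script URLs whose host the certificate does not cover.
    Relative URLs inherit the page host and are therefore fine."""
    mismatched = []
    for src in re.findall(r'<script[^>]+src=["\']([^"\']+)["\']', html, re.I):
        host = urlparse(src).hostname or page_host
        if not host_matches(host, cert_names):
            mismatched.append(src)
    return mismatched

if __name__ == "__main__":
    for url in find_mismatched_scripts(SAMPLE_HTML, CERT_NAMES, "gis.example.org"):
        print("script host not covered by certificate:", url)
```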