Certificates in ArcGIS Enterprise - Required?

09-07-2021 06:02 AM
JohnSteed1
New Contributor III

We are operating a deployment of ArcGIS Enterprise on Linux boxes, in AWS.
We have found the management of certs across our enterprise to be a tedious management task, especially when we make infrastructure changes to the environment.


Can ArcGIS Enterprise on Linux operate cert-free in our own private environment? If so, is there any literature for this?

7 Replies
ReeseFacendini
Esri Regular Contributor

Do you have an application load balancer configured with your AWS setup?

JonathanEpstein
New Contributor III

Hi @ReeseFacendini. I work with @JohnSteed1. We don't have an ALB per se, but we have a lot of other machinery, which includes Certs and SSL, fronting our ArcGIS environment. By the time we reach our ArcGIS environment, we can safely use HTTP from a security perspective. But we don't know whether this will come back to bite us in other ways, and are seeking guidance on that.

My limited knowledge of this subject suggests that the use of HTTP instead of HTTPS is lightly documented. For example, I believe that we can subtract (443-80) from many port numbers to reference an HTTP port, e.g. 2080 on arcserver instead of 2443.
ReeseFacendini
Esri Regular Contributor

@JonathanEpstein starting at Enterprise 10.7, all traffic must go over HTTPS. Downgrading to HTTP will cause issues with all aspects of the system, and lead to very odd errors within the logs (once things stop working). If your Enterprise system is being accessed through a web server that sits in front of everything, and that's where the SSL cert lives, then no, you don't have to worry about dealing with certs on Portal or ArcGIS Server.

JonathanEpstein
New Contributor III

Thanks @ReeseFacendini, but what you've written is self-contradictory to me.

How can one use HTTPS on the arcgis servers, without managing Certs on those servers?

Are you saying that we could use self-signed Certs on arcgis, rather than our real Certs which reside on our own "web server"?

ReeseFacendini
Esri Regular Contributor

Our software comes with self-signed certs, in order to get up and running out of the box. Keeping the actual cert at the "web server" tier, and the self-signed certs in place on the different components, you won't need to go in and update the certs every time they expire.

JonathanEpstein
New Contributor III

Thanks @ReeseFacendini, this is now very clear. Are there any known challenges using these (provided) self-signed Certs on ArcGIS 10.7.1?

ReeseFacendini
Esri Regular Contributor

No, there are no issues using the self-signed certs that are provided within Server & Portal.