
Externalizing ArcGIS Server & Server AMS/PLL Sites Securely

An Azteca Systems Inc. White Paper

9/17/2013

For use with Cityworks Server AMS/PLL 2012.1 SP2 & above


COPYRIGHT INFORMATION © Copyright 2013 by Azteca Systems, Inc. All rights reserved. Azteca Systems, Inc. 11075 S. State St., Suite 24 Sandy, UT, 84070, U.S.A. TRADEMARKS: Cityworks®, the Azteca logo, and Azteca Systems products referenced herein are either trademarks or registered trademarks of Azteca. Other product and company names mentioned herein may be the trademarks of their respective owners. CHANGES ARE PERIODICALLY ADDED TO THIS INFORMATION. AZTECA MAY MAKE IMPROVEMENTS AND/OR CHANGES IN THE PRODUCT(S) AND/OR THE PROGRAM(S) DESCRIBED HEREIN AT ANY TIME. IN NO EVENT SHALL AZTECA AND/OR ITS RESPECTIVE SUPPLIERS BE LIABLE FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA, OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE, OR OTHER TORTIOUS ACTION ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF SOFTWARE, DOCUMENTS, OR FAILURE TO PROVIDE SERVICES. No part of this document may be reproduced or transmitted in any form.


Table of Contents

Implementing SSL (HTTPS) with Server AMS and ArcGIS Server
    Creating Corresponding Host File Entries
    Creating a Trusted SSL Certificate
    Configuring the HTTPS Binding in IIS Manager
    Installing the Web Adaptor to Run with SSL (HTTPS)
Setting Up Secured Services in ArcGIS Server and Server AMS/PLL
    Creating a User and Role in ArcGIS Server Manager
    Setting Permissions at the Folder Level in ArcGIS Server Manager
    Modifying the WebAppSettings.config File to Pass ArcGIS Server Tokens Seamlessly


Implementing SSL (HTTPS) with Server AMS and ArcGIS Server

Hypertext Transfer Protocol Secure (HTTPS) is a commonly used communications protocol for secure communication over a computer network, with especially wide deployment on the Internet. Technically, it is not a separate protocol, but rather the result of layering the Hypertext Transfer Protocol (HTTP) on top of the SSL/TLS protocol, which adds the security capabilities of SSL/TLS to standard HTTP communications.

In a standard deployment on the Internet, HTTPS provides authentication of the web site and corresponding web server that one is communicating with. It provides bidirectional encryption of communications between a client and server, which protects against eavesdropping and against tampering with and/or forging the contents of the communication. Properly implemented, this provides a reasonable guarantee that one is communicating with precisely the web site that one intended to communicate with, as opposed to an imposter, while also ensuring that the contents of communications between the user and site cannot be read or forged by any third party.

Creating Corresponding Host File Entries

We are going to create a corresponding host file entry to match up with the trusted SSL certificate and domain aliases that will be subsequently created. This allows us not to be concerned with the host name – which in the case of an Amazon EC2 AMI, changes every time the machine stops running (i.e., when it is shut down).

Open Windows Explorer and navigate to C:\Windows\System32\drivers\etc.

Right-click the Hosts file and choose to Edit with Notepad++.

Add the following entry at the bottom and save the file.

127.0.0.1 cityworks.training.com

This entry will be used as part of the URL in accessing our Server AMS site (HTTPS on 443), while also being used as part of the URL in accessing our GIS Services via the Web Adaptor (HTTPS on 6443).

Creating a Trusted SSL Certificate

There are simpler processes for creating an SSL certificate, but the one detailed below guarantees that the certificate is trusted and alleviates any warning messages stating otherwise. Ideally, one would purchase a signed certificate from a trusted source, but this is a legitimate alternative while waiting to acquire one. Please make sure that the Internet Information Services (IIS) 6.0 Resource Kit Tools, only the SelfSSL Version 1.0 piece, is downloaded ahead of time – as it is on the training machines.

Double-click the SelfSSL shortcut on the Desktop.

Type the following in the tool command line – SelfSSL /N:CN=*.mydomain.com /V:10000 /T. The *.mydomain.com would be replaced with *.training.com in this case. This command line syntax places the certificate in the Trusted Root Certification Authorities store for that machine and then sets the bindings (https – 443) for site 1 (typically the Default Web Site) to that certificate.

SelfSSL /N:CN=*.training.com /V:10000 /T

When prompted, type ‘Y’ to confirm replacing the SSL settings for site 1.

Type ‘exit’ to close the tool command line window.

Configuring the HTTPS Binding in IIS Manager

A domain alias for the new binding we just created using the SelfSSL script now needs to be provided. This will allow for both the Server AMS and ArcGIS Server sites to run together under the Default Web Site. Remember you need to either go HTTP or HTTPS for both sites and the GIS Services here, as there is no allowance for using a mix of protocols.

Double-click the Internet Information Services (IIS) Manager shortcut on the Desktop.

Click on the plus sign next to the server to expand it.

Click on the plus sign next to Sites and highlight Default Web Site.

Right-click on the Default Web Site and choose Edit Bindings… or click on the Bindings… link under the Actions heading at the top right of the form.

Select the https 443 binding and click on the Edit… button in the Site Bindings form.

Provide the following under Host name: cityworks.training.com and click OK to set this value.

Click on the Browse cityworks.training.com on *:443 (https) link now showing under Browse Web Site. You will notice that the IIS 7 welcome screen is returned, indicating that https://cityworks.training.com/ is a resolvable address.


Installing the Web Adaptor to Run with SSL (HTTPS)

The next step is to install the Web Adaptor on port 443. Once installed in an HTTPS environment it will run against port 6443 on ArcGIS Server, as opposed to 6080 (the HTTP counterpart of port 80).

Open the WebAdaptor folder on the Desktop and navigate to the Setup.exe under the IIS folder.

Right-click on the Setup.exe and Run as administrator – click the Next button once the Welcome screen appears.

Accept the license agreement and click Next.

Choose to install the Cross-domain policy files as part of the selected features, although the clientaccesspolicy.xml, which is essentially the same thing but provided by Microsoft as opposed to Adobe, already exists at C:\inetpub\wwwroot as part of the Server AMS install requirements. Click Next.

Select the Default Web Site (443) option as the web site for the Web Adaptor and click Next.

Keep the default of ‘arcgis’ for the virtual directory entry that will correspond to the Web Adaptor and click Next.

Click Install.

Once the install finishes, click Finish – the link to the Web Adaptor page will attempt to open, but will not work at this point.

Provide the following address to access the ArcGIS Administrator page, as we need to make a configuration change – http://localhost:6080/arcgis/admin. Enter arcgis as the user name and ‘password’ as the password, as these are the credentials for your Primary Site Admin in ArcGIS Server.

Navigate to security -> config -> update and select the HTTPS Only option from the Protocol: dropdown under the Security Configuration heading. This will switch the ArcGIS Server Administrator to be accessed solely from https://localhost:6443/arcgis/admin, as administrative access will not be enabled via the Web Adaptor.

Provide the following address to access the Web Adaptor page – http://localhost/arcgis/webadaptor.

Enter the following in the corresponding fields in the Web Adaptor page and click Configure.

GIS Server URL: https://cityworks.training.com:6443
Administrator Username: arcgis
Administrator Password: password

Do not click on the checkbox next to the Enable administrative access option, unless you wish for a user with access rights to be able to hit the ArcGIS Server Manager and/or Administrator using only the alias (i.e., https://cityworks.training.com/arcgis/manager or https://cityworks.training.com/arcgis/admin).

Once the configuration successfully finishes, the Status will show the GIS Server (server name) registered.

Open a new tab and provide the following address to access the GIS Service REST Services Directory using the Web Adaptor – https://cityworks.training.com/arcgis/rest/services. This will match what is being referenced in the REST URLs that are provided under GIS Services -> Server Setup -> Designer.

Log back into the ArcGIS Server Administrator – https://localhost:6443/arcgis/admin (arcgis/password) - and navigate to system -> webadaptors -> config to show the Shared key: value under the Web Adaptors Configuration heading.

Open a new tab, log into the ArcGIS Server Manager – https://localhost:6443/arcgis/manager (arcgis/password) - and navigate to Security -> Settings -> Token Settings -> Edit Token Settings (click on the pencil icon next to the Token Settings heading) to show the Shared key: value under the Edit the token settings and click Save heading. Ensure both shared key value entries match.


Setting Up Secured Services in ArcGIS Server and Server AMS/PLL

Creating a User and Role in ArcGIS Server Manager

Log into the ArcGIS Server Manager – https://localhost:6443/arcgis/manager (arcgis/password) - and navigate to Security -> Users.

Click on the New User button and provide the following credentials.

Username: cwid
Password: Cwid1
Repeat Password: Cwid1
Email: [email protected]
Full name: Cityworks ID
Description: Token User

Click on the Create button to create the user.

Click on Roles under Security and then on the New Role button. Provide the following values.

Role name: Users
Description: Role for token users
Role Type: User (default bullet)

Click on the icon (person with plus sign) next to the cwid user to add it as a member of the Users role.

Click on the Create button to create the role and set its member.

Setting Permissions at the Folder Level in ArcGIS Server Manager

Click on Services at the top of the screen and highlight the KSMMS folder.

Click on the Edit Folder Security button (unlocked lock icon).

Click on the bullet next to the Private, available only to selected users option.

Click on the icon (person with plus sign) next to the Users role to add it under Allowed roles and hit the Save button.

When clicking off and back on the KSMMS folder, the Edit Folder Security button will now show as a locked lock icon. The folder and all GIS Services contained within it can now only be reached by providing the user credentials for the cwid user in the Users role.

Open a new tab and provide the following address to access the GIS Service REST Services Directory using the Web Adaptor – https://cityworks.training.com/arcgis/rest/services. You will see that only the Utilities folder is visible.

Click the Login link and provide the cwid user credentials (cwid/Cwid1) in the ArcGIS Server REST API Login screen.

Click the Login button. The KSMMS folder is now visible – click on it to access the GIS Services under it.

Just for review, for HTTPS (SSL), the following rules apply:

With https enabled on the ArcGIS Server, you must define the GIS services (REST URLs) in Designer with either all https or all http, but not a mix of http and https.

If you are going to access your REST endpoint using https, then your Server AMS/PLL site needs to also utilize https, whether in an all-in-one or a distributed environment.

To learn more about configuring HTTPS (SSL) via the Web Adaptor in ArcGIS Server 10.1, click on the link below:

http://resources.arcgis.com/en/help/main/10.1/index.html#/Enabling_SSL_on_ArcGIS_Server_when_accessed_through_the_ArcGIS_Web_Adaptor/015400000600000000
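The two rules above (one scheme for the Server AMS/PLL site and for every REST URL defined in Designer, which is the same rule stated earlier under Configuring the HTTPS Binding in IIS Manager) can be checked mechanically before a site is published. The following Python script is an added example and is not Azteca Systems' or Esri's code: it takes the site URL and the list of REST URLs and reports any mixing of http and https, and optionally flags REST URLs that bypass the hosts-file alias by naming localhost, an IP or another host. The URLs in it are constructed sample values.

```python
"""Check that a Server AMS/PLL site, its Web Adaptor alias and the GIS service
REST URLs defined in Designer all use the same scheme (all http or all https).
Added example; not Azteca Systems' or Esri's code. URLs below are constructed."""
from urllib.parse import urlsplit


def scheme_and_host(url):
    """Return (scheme, host) for an absolute http(s) URL, else raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    return parts.scheme, parts.hostname.lower()


def check_protocol_consistency(site_url, rest_urls, alias=None):
    """Return a list of rule violations; an empty list means the configuration is consistent.

    Rules from the white paper:
      1. every REST URL uses the same scheme as every other REST URL
      2. that scheme is the one the Server AMS/PLL site itself uses
    Optional: when `alias` is given (the hosts-file name, e.g. cityworks.training.com),
    REST URLs that use any other host name, localhost or an IP are flagged as well.
    """
    problems = []
    site_scheme, _ = scheme_and_host(site_url)
    schemes = {scheme_and_host(u)[0] for u in rest_urls}
    if len(schemes) > 1:
        problems.append("REST URLs mix schemes: " + ", ".join(sorted(schemes)))
    for url in rest_urls:
        scheme, host = scheme_and_host(url)
        if scheme != site_scheme:
            problems.append(f"{url} is {scheme} but the site is {site_scheme}")
        if alias and host != alias.lower():
            problems.append(f"{url} does not use the alias {alias}")
    return problems


# Constructed sample values; the second REST URL deliberately breaks the rule.
SITE_URL = "https://cityworks.training.com/KSMMSII"
REST_URLS = [
    "https://cityworks.training.com/arcgis/rest/services/KSMMS/ExampleMap/MapServer",
    "http://cityworks.training.com/arcgis/rest/services/KSMMS/ExampleOther/MapServer",
]

if __name__ == "__main__":
    for problem in check_protocol_consistency(SITE_URL, REST_URLS, alias="cityworks.training.com"):
        print("VIOLATION:", problem)
```

Run as written it prints two violations for the constructed list: the mixed schemes, and the one http URL that disagrees with the https site. Feeding it the real REST URLs from Designer and the site URL from the browser is a quick way to confirm the all-or-nothing rule before users see the ArcGIS Server authentication pop-up or a blocked mixed-content map.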

Modifying the WebAppSettings.config File to Pass ArcGIS Server Tokens Seamlessly

Server AMS/PLL 2012.1 SP3 and 2013, the current releases at this moment, fully support token-based security models with ArcGIS.com (formerly, ArcGIS Online) and “localized” instances (onsite or another vendor’s configuration).

The corresponding settings in the WebAppSettings.config at …\WebSite have to be populated to allow access to the secure services REST URL endpoints without getting a prompt from ArcGIS Server.

The AGSOnlineId value needs to be the name of an ArcGIS Server user who belongs to an ArcGIS Server role that has at least User rights to the secured services.

You could also use the Primary Site Admin credentials. However, providing those credentials opens a security risk as opposed to a user who only has User rights. A user with only User rights cannot even log into ArcGIS Server Manager, whereas a Primary Site Admin most certainly can, and can also make any number of modifications to the instance.

The AGSOnlinePwd value needs to be the password of an ArcGIS Server user who belongs to an ArcGIS Server role that has at least User rights to the secured services.

The AGSSecureUrl value needs to be the URL to the ArcGIS Token Service form. This is always the same to a degree for every site – http or https://<server_name> or <server_IP> or <server_alias>/arcgis (virtual directory name)/tokens/ (make sure the final ‘/’ is present, as this path leads to the generate token form). If utilizing ArcGIS.com (formerly, ArcGIS Online), there is no need to define this value, as the software is automatically set to read that default value.

The AGSOnlineTimeOut value is automatically set at 60 minutes to match the Esri default for a short-lived token.

It is now time for us to apply what was just covered and set up the values under the ArcGIS Online Configuration heading. The reason why the heading is named as such is because the genesis of the configuration was to provide a solution for secured ArcGIS Online services as an addition to the Cityworks Online concept.

Navigate to D:\CWAdmin\Sites\KSMMSII\WebSite and double-click the WebAppSettings.config file to open it.

Provide cwid as the AGSOnlineId value.

Provide Cwid1 as the AGSOnlinePwd value.

Provide https://cityworks.training.com/arcgis/tokens/ as the AGSSecureUrl value.

Copy the URL above into your browser to view the ArcGIS Token Service form.

Leave the AGSOnlineTimeOut value at its default.

Save the modifications to the WebAppSettings.config file and exit.

Open Firefox and provide the following address to access the Server AMS/PLL site – https://cityworks.training.com/KSMMSII.

Log in using the credentials of pwadmin/pwadmin and click on the Side by side or Maximize the map button at the top right of the page to load up the map page panel with the corresponding GIS Services. Notice how this skips the authentication pop-up form when the GIS Services load in the map page panel. Otherwise, you would receive the authentication required pop-up form from ArcGIS Server per Esri standards.
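The four settings described above, and the token exchange they enable, can be checked and illustrated in code. The following Python script is an added example and is not Azteca Systems' or Esri's code. It assumes WebAppSettings.config stores each setting as an <add key="..." value="..."/> element (SAMPLE_CONFIG is constructed on that assumption), builds the request with the ArcGIS Server token service's documented generateToken parameters (username, password, client, referer, expiration, f), and enforces the rules stated in this section: the token user is not a site administrator, AGSSecureUrl ends with ‘/’, and the token service URL uses the same scheme as the site. Requesting a referer-bound token (client=referer) is this example's choice; the paper does not say which token type Server AMS/PLL requests.

```python
"""Validate the ArcGIS Online Configuration values in WebAppSettings.config and
build the generateToken request that a token-enabled site sends to AGSSecureUrl.
Added example; not Azteca Systems' code. The <add key=... value=.../> layout of
WebAppSettings.config is an assumption, and SAMPLE_CONFIG is constructed."""
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlsplit

SAMPLE_CONFIG = """<appSettings>
  <add key="AGSOnlineId" value="cwid"/>
  <add key="AGSOnlinePwd" value="Cwid1"/>
  <add key="AGSSecureUrl" value="https://cityworks.training.com/arcgis/tokens/"/>
  <add key="AGSOnlineTimeOut" value="60"/>
</appSettings>"""

# Accounts that must never be the token user (the paper's Primary Site Admin is 'arcgis').
PRIVILEGED_ACCOUNTS = {"arcgis"}


class TokenServiceError(RuntimeError):
    """Raised when the token service answers with an error object instead of a token."""


def load_settings(xml_text):
    """Read every <add key= value=/> pair into a dict (assumed file layout)."""
    root = ET.fromstring(xml_text)
    return {e.get("key"): e.get("value", "") for e in root.iter("add") if e.get("key")}


def validate_settings(settings, site_url):
    """Return a list of problems; an empty list means the settings follow the paper's rules."""
    problems = []
    user = settings.get("AGSOnlineId", "")
    if not user or not settings.get("AGSOnlinePwd"):
        problems.append("AGSOnlineId and AGSOnlinePwd must both be set")
    if user.lower() in PRIVILEGED_ACCOUNTS:
        problems.append("AGSOnlineId is a site administrator; use a user with User rights only")
    url = settings.get("AGSSecureUrl", "")
    if url:  # an empty value is allowed when the services live on ArcGIS.com
        if not url.endswith("/"):
            problems.append("AGSSecureUrl must end with '/' so it reaches the generate token form")
        if urlsplit(url).scheme != urlsplit(site_url).scheme:
            problems.append("AGSSecureUrl and the site must both be http or both be https")
    try:
        if int(settings.get("AGSOnlineTimeOut", "60")) <= 0:
            problems.append("AGSOnlineTimeOut must be a positive number of minutes")
    except ValueError:
        problems.append("AGSOnlineTimeOut must be an integer (minutes)")
    return problems


def build_token_request(settings, referer):
    """Return (url, form_body) for a POST to the token service's generateToken endpoint.
    Parameter names are the ArcGIS Server token service's; asking for a referer-bound
    token (client=referer) is this example's choice, not something the paper specifies."""
    url = settings["AGSSecureUrl"].rstrip("/") + "/generateToken"
    body = urlencode({
        "username": settings["AGSOnlineId"],
        "password": settings["AGSOnlinePwd"],
        "client": "referer",
        "referer": referer,
        "expiration": settings.get("AGSOnlineTimeOut", "60"),
        "f": "json",
    })
    return url, body


def parse_token_response(text):
    """Return (token, expires_ms) from a generateToken JSON reply, or raise on an error object."""
    data = json.loads(text)
    if "error" in data:
        err = data["error"]
        raise TokenServiceError(f"{err.get('code')}: {err.get('message')}")
    return data["token"], data["expires"]


if __name__ == "__main__":
    cfg = load_settings(SAMPLE_CONFIG)
    site = "https://cityworks.training.com/KSMMSII"
    print("problems:", validate_settings(cfg, site) or "none")
    url, _body = build_token_request(cfg, site)  # the body carries the password; not printed
    print("token request goes to", url)
    # Constructed reply shaped like the token service's JSON answer.
    print(parse_token_response('{"token": "EXAMPLE-TOKEN", "expires": 1379500000000}'))
```

The validator is where the least-privilege point of this section lands: swapping the AGSOnlineId value for the Primary Site Admin account passes the paper's functional test (the pop-up disappears either way) but is reported here as a problem, because that account can administer the whole ArcGIS Server instance if WebAppSettings.config is ever read by the wrong party.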
