As a portal administrator, you can specify which Secure Sockets Layer (SSL) protocols and encryption algorithms the portal's internal web server uses to secure communication. For example, your organization may be required to use specific SSL protocols and encryption algorithms; configuring the portal to use only those certified protocols and algorithms keeps it in compliance with your organization's security policies.
Default SSL protocols
By default, the portal enables the following protocols:
- TLSv1
- TLSv1.1
- TLSv1.2
Default encryption algorithms
The portal is limited to the following encryption algorithms and enables all of them by default:
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
See Cipher suites reference below for more information on these encryption algorithms.
You'll use the ArcGIS Portal Directory to specify which SSL protocols and encryption algorithms the portal will use.
- Open the ArcGIS Portal Directory and sign in as an Administrator of your organization. The URL is in the format https://webadaptor.domain.com/arcgis/portaladmin.
- Click Security > SSLCertificates > Update.
- In the SSL Protocols text box, specify the protocols to be used. If specifying multiple protocols, separate each protocol with a comma. For example: TLSv1.2, TLSv1.1.
Note that if you plan to disable TLSv1 on the portal, you must first ensure that the web server hosting the Web Adaptor can fully communicate over TLSv1.1 or TLSv1.2. If you're using a Java Web Adaptor, the web server hosting the Web Adaptor must be running Java 8.
- In the Cipher Suites text box, specify the encryption algorithms to be used. If specifying multiple algorithms, separate each algorithm with a comma. For example: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_3DES_EDE_CBC_SHA.
- Click Update. An error is returned if an invalid protocol or cipher suite is specified.
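As an added pre-flight check (example code, not part of the ArcGIS documentation or product), the script below validates the two text-box values against the protocol and cipher suite lists above before you click Update, and additionally flags accepted values that a hardened baseline would still avoid; those weakness flags are this example's own assessment, not something the portal reports.

```python
# Pre-flight check for the SSL Protocols and Cipher Suites text boxes.
# Added example, not Esri's own code: the accepted values are exactly the
# protocols and suites the page lists; the weakness flags are this example's
# own hardening assessment, not something the portal itself reports.

# Values the portal accepts; anything else is rejected on Update.
SUPPORTED_PROTOCOLS = {"TLSv1", "TLSv1.1", "TLSv1.2"}
SUPPORTED_CIPHERS = {
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}

def parse_list(value):
    """Split a comma-separated text-box value, ignoring surrounding spaces."""
    return [item.strip() for item in value.split(",") if item.strip()]

def validate(protocols, ciphers):
    """Return (errors, warnings): errors are values the portal would reject,
    warnings are accepted values a hardened baseline would still avoid."""
    errors, warnings = [], []
    proto_list, cipher_list = parse_list(protocols), parse_list(ciphers)
    if not proto_list or not cipher_list:
        errors.append("both text boxes must contain at least one value")
    for proto in proto_list:
        if proto not in SUPPORTED_PROTOCOLS:
            errors.append(f"unknown protocol: {proto}")
        elif proto != "TLSv1.2":
            warnings.append(f"{proto} is a legacy protocol; prefer TLSv1.2 only")
    for suite in cipher_list:
        if suite not in SUPPORTED_CIPHERS:
            errors.append(f"unknown cipher suite: {suite}")
            continue
        if "3DES" in suite:
            warnings.append(f"{suite}: 3DES is deprecated (64-bit block size)")
        if not suite.startswith("TLS_ECDHE_"):
            warnings.append(f"{suite}: static RSA key exchange, no forward secrecy")
        if "_CBC_" in suite:
            warnings.append(f"{suite}: CBC mode; prefer the GCM (AEAD) suite")
    return errors, warnings

def hardened_values():
    """Strictest combination the page's own lists allow, ready to paste."""
    return "TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
```

Run `validate()` on the exact strings you intend to paste; anything in `errors` would make the portal reject the Update, while `warnings` are advisory only.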
Cipher suites reference
| Cipher ID | Name | Key exchange | Authentication algorithm | Encryption algorithm | Bits | Hashing algorithm |
|---|---|---|---|---|---|---|
| 0x00C02F | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ECDHE | RSA | AES_128_GCM | 128 | SHA256 |
| 0x00C027 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | ECDHE | RSA | AES_128_CBC | 128 | SHA256 |
| 0x00C013 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | ECDHE | RSA | AES_128_CBC | 128 | SHA |
| 0x00C012 | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | ECDHE | RSA | 3DES_EDE_CBC | 168 | SHA |
| 0x00009C | TLS_RSA_WITH_AES_128_GCM_SHA256 | RSA | RSA | AES_128_GCM | 128 | SHA256 |
| 0x00003C | TLS_RSA_WITH_AES_128_CBC_SHA256 | RSA | RSA | AES_128_CBC | 128 | SHA256 |
| 0x00002F | TLS_RSA_WITH_AES_128_CBC_SHA | RSA | RSA | AES_128_CBC | 128 | SHA |
| 0x00000A | TLS_RSA_WITH_3DES_EDE_CBC_SHA | RSA | RSA | 3DES_EDE_CBC | 168 | SHA |
Terminology
- ECDHE—Elliptic-Curve Diffie-Hellman Ephemeral
- RSA—Rivest, Shamir, Adleman
- AES—Advanced Encryption Standard
- GCM—Galois/Counter Mode, an authenticated-encryption mode of operation for block ciphers
- CBC—Cipher Block Chaining
- 3DES—Triple Data Encryption Algorithm
- SHA—Secure Hash Algorithm