Enabling SSL on ArcGIS Server when accessed through ArcGIS Web Adaptor
In this topic
- Create a new self-signed certificate
- Request a CA to sign your certificate
- Configure ArcGIS Server to use the SSL certificate
- Configure each GIS server in your deployment
- Enable SSL for your site
- Configure SSL on ArcGIS Web Adaptor
- Access your site using SSL
When ArcGIS Web Adaptor has been configured to forward requests to your ArcGIS Server site, you need to enable SSL on the web server hosting ArcGIS Web Adaptor and enable SSL on each GIS server machine participating in the ArcGIS Server site. To get started, follow the steps in the sections below.
Create a new self-signed certificate
- Log in to the ArcGIS Server Administrator Directory at http://gisserver.domain.com:6080/arcgis/admin.
- Browse to machines > [machine name] > sslcertificates.
- Click generate.
- Provide values for the parameters on this page:
Option | Description |
Alias | A unique name that easily identifies the certificate. |
Key Algorithm | Use RSA (the default) or DSA. |
Key Size | Specifies the size in bits to use when generating the cryptographic keys used to create the certificate. The larger the key size, the harder it is to break the encryption; however, the time to decrypt encrypted data increases with key size. For DSA, the key size can be between 512 and 1,024. For RSA, the recommended key size is 2,048 or greater. |
Signature Algorithm | Use the default (SHA1withRSA). If your organization has specific security restrictions, then one of the following algorithms can be used for DSA: SHA256withRSA, SHA384withRSA, SHA512withRSA, SHA1withDSA. |
Common Name | Use the domain name of your server as the common name. If your server will be accessed on the Internet through the URL https://www.gisserver.com:6443/arcgis/, use www.gisserver.com as the common name. If your server will only be accessible on your local area network (LAN) through the URL https://gisserver.domain.com:6443/arcgis, use gisserver as the common name. |
Organizational Unit | The name of your organizational unit, for example, GIS Department. |
Organization | The name of your organization, for example, Esri. |
City or Locality | The name of the city or locality, for example, Redlands. |
State or Province | The full name of your state or province, for example, California. |
Country Code | The abbreviated code for your country, for example, US. |
Validity | The total time in days during which this certificate will be valid, for example, 365. |
Subject Alternative Name | The subject alternative name (SAN) is an optional parameter that defines alternatives to the common name (CN) specified in the SSL certificate. There cannot be any spaces in the SAN parameter value. If no SAN is defined, a website can only be accessed (without SSL certificate errors) by using the common name in the URL. If a SAN is defined and a DNS name is present, the website can only be accessed by what is listed in the SAN. Multiple DNS names can be specified if desired. For example, the URLs https://www.esri.com, https://esri, and https://10.60.1.16 can be used to access the same site if the SSL certificate is created using the following SAN parameter value: DNS:www.esri.com,DNS:esri,IP:10.60.1.16 |
- Click Generate to generate the certificate.
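The Subject Alternative Name rule described above can be checked before you generate the certificate. The following is an added example, not Esri code: the function names parse_san and url_matches_certificate are hypothetical, matching is exact (wildcard names are not handled), and the fallback to the common name when the SAN holds only IP entries is an assumption.

```python
import ipaddress
from urllib.parse import urlsplit


def parse_san(value):
    """Split a SAN parameter value into (DNS names, IP addresses)."""
    if any(ch.isspace() for ch in value):
        raise ValueError("SAN value must not contain spaces")
    dns_names, ip_addrs = set(), set()
    for entry in value.split(","):
        kind, sep, name = entry.partition(":")
        if not sep or not name:
            raise ValueError(f"malformed SAN entry: {entry!r}")
        if kind == "DNS":
            dns_names.add(name.lower())
        elif kind == "IP":
            ip_addrs.add(ipaddress.ip_address(name))
        else:
            raise ValueError(f"unsupported SAN type: {kind!r}")
    return dns_names, ip_addrs


def url_matches_certificate(url, common_name, san_value=None):
    """Return True if the URL's host is covered by the certificate names."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no host in URL: {url!r}")
    if not san_value:
        return host == common_name.lower()   # no SAN: only the CN works
    dns_names, ip_addrs = parse_san(san_value)
    try:
        return ipaddress.ip_address(host) in ip_addrs
    except ValueError:
        pass                                  # host is a name, not an IP
    if dns_names:
        return host in dns_names              # DNS SAN present: CN is ignored
    return host == common_name.lower()        # assumption: IP-only SAN


if __name__ == "__main__":
    san = "DNS:www.esri.com,DNS:esri,IP:10.60.1.16"  # value from the text above
    # The last URL and the common name gis.esri.com are constructed samples.
    for url in ("https://www.esri.com", "https://esri", "https://10.60.1.16",
                "https://gis.esri.com:6443/arcgis/"):
        print(url, url_matches_certificate(url, "gis.esri.com", san))
```

The last URL is rejected even though it equals the common name, because a DNS entry in the SAN takes precedence over the CN.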
Request a CA to sign your certificate
If ArcGIS Web Adaptor will be the only gateway to your site and your organization's IT security policy allows the use of self-signed certificates, you can skip this section. However, if users will occasionally bypass ArcGIS Web Adaptor and access ArcGIS Server directly, or if your IT policies disallow the use of self-signed certificates, it is recommended that you ask a certificate authority (CA) to sign your certificate by following the steps below.
- Open the self-signed certificate you created in the previous section, and click generateCSR. Copy the contents into a file, usually with a *.csr extension.
- Submit the CSR to a CA of your choice. You can obtain a Distinguished Encoding Rules (DER) or Base64 encoded certificate. If the CA requests the type of web server the certificate is for, specify Other\Unknown or Java Application Server. After verifying your identity, they'll send you a *.crt or *.cer file.
- Save the signed certificate received from the CA to a location on your computer. In addition to the signed certificate, the CA will also issue a root certificate. Save the CA root certificate to your computer.
- Log in to the ArcGIS Server Administrator Directory: http://gisserver.domain.com:6080/arcgis/admin.
- Click machines > [machine name] > sslcertificates > importRootOrIntermediate to import the root certificate provided by the CA. If the CA issued any additional intermediate certificates, import those as well.
- Navigate to machines > [machine name] > sslcertificates.
- Click the name of the self-signed certificate that you submitted to the CA.
- Click importSignedCertificate, and browse to the location where you saved the signed certificate received from the CA.
- Click Submit. This replaces the self-signed certificate you created in the previous section with the CA-signed certificate.
Configure ArcGIS Server to use the SSL certificate
To specify the SSL certificate that ArcGIS Server should use, complete the following steps:
- Log in to the ArcGIS Server Administrator Directory at http://gisserver.domain.com:6080/arcgis/admin.
- Browse to machines > [machine name].
- Click edit.
- Type the name of the SSL certificate that you want to use in the Web server SSL Certificate field.
- Click Save Edits to apply your change.
- On the current page, view the property Web server SSL Certificate to verify that the desired SSL certificate will be used for SSL.
Configure each GIS server in your deployment
If you have a multiple-machine deployment of ArcGIS Server, you must configure each GIS server in your deployment to use the SSL certificate. Repeat the steps in the previous section to configure the certificate with each of your GIS servers.
Enable SSL for your site
- Log in to the ArcGIS Server Administrator Directory at http://gisserver.domain.com:6080/arcgis/admin.
- Browse to security > config > update.
- For the Protocol parameter, choose the HTTP and HTTPS option and click Update. This automatically restarts your ArcGIS Server site.
- After your site is restarted, verify that you can access the URL https://gisserver.domain.com:6443/arcgis/admin. If you do not get a response from this URL, ArcGIS Server was unable to use the specified SSL certificate. Check your SSL certificate, and configure ArcGIS Server to use a new or different SSL certificate.
- If you can access the URL https://gisserver.domain.com:6443/arcgis/admin, browse to security > config > update.
- For the Protocol parameter, choose the HTTPS Only option, and click Update. ArcGIS Server is restarted.
- Once the server restarts, test that you can access the HTTPS URL of ArcGIS Server, for example, https://gisserver.domain.com:6443/arcgis/rest/services.
Configure SSL on ArcGIS Web Adaptor
Enable SSL on the web server hosting ArcGIS Web Adaptor. For full instructions, consult the product documentation specific to your web server. To learn more about SSL, see Enabling SSL on your web server.
Legacy:
At 10.2.1 and earlier versions, you were required to reconfigure ArcGIS Web Adaptor after updating the communication protocol of ArcGIS Server. At 10.2.2 and later versions, this is no longer necessary.
Access your site using SSL
Once SSL has been configured, you can securely access ArcGIS Server directly through HTTPS using port 6443 or the Web Adaptor URL. If you rename ArcGIS Server while SSL is enabled, you can continue to access ArcGIS Server using SSL; however, you must generate a new SSL certificate and configure ArcGIS Server to use it. The URLs are formatted as follows:
ArcGIS Server Manager | Access Manager through GIS server: https://gisserver.domain.com:6443/arcgis/manager. Access Manager through ArcGIS Web Adaptor (only applies if administrative access is enabled): https://webadaptor.domain.com/arcgis/manager. |
ArcGIS Server Services Directory | Access Services Directory through GIS server: https://gisserver.domain.com:6443/arcgis/rest/services. Access Services Directory through ArcGIS Web Adaptor: https://webadaptor.domain.com/arcgis/rest/services. |