Set up SSL using Cloud Builder
In this topic
- Upload a new certificate for the ELB
- Use an existing certificate for the ELB
- Configure the ELB health check in HTTPS-only scenarios
In some cases you may want to require encrypted communication with your ArcGIS Server site using HTTPS. This requires that both your Elastic Load Balancer (ELB) and your ArcGIS site use an SSL certificate. The ELB must use an SSL certificate you obtain from a trusted Certificate Authority (CA). ArcGIS Server Cloud Builder on Amazon Web Services can install your SSL certificate into the ELB for you at the time you create a site. By default, it also enables SSL on the ArcGIS Server instances using the out-of-the-box, self-signed certificate. You may continue to use this certificate for ArcGIS Server or replace it with a new CA-issued certificate.
On the Security panel of Cloud Builder, you will find options for uploading and installing SSL certificates on your site.
Upload a new certificate for the ELB
Amazon Web Services (AWS) allows you to upload and store SSL certificates in the cloud as part of its Identity and Access Management (IAM) service. You don't have to learn how to use this service directly, because Cloud Builder provides a front end to it. Using Cloud Builder, you can upload one or more SSL certificates to AWS IAM; then you can choose to apply any one of those certificates whenever you build a site. The certificate will be installed for you.
You may upload an existing SSL certificate or create a new SSL certificate. You must ensure that your SSL certificate meets the criteria listed in the section "To update an SSL certificate for an HTTPS load balancer" of the topic "Update an SSL Certificate for a Load Balancer". When generating the ELB's SSL certificate, you must also ensure that the common name used matches the public DNS (hostname) of the ELB. To generate the private and public keys for a new SSL certificate, you will need to use an SSL management tool or software product such as OpenSSL.
Note:
An SSL certificate created using the ArcGIS Server Administrator Directory is managed in an internal read-only keystore and cannot be exported for use with the Amazon ELB.
To upload a new SSL certificate and install it on the ELB, do the following:
- Copy the private and public keys corresponding to your SSL certificate to a folder on the computer running Cloud Builder.
- Start creating or updating a site using Cloud Builder.
- In the Security panel of Cloud Builder, check Install SSL certificate.
- From the Choose SSL certificate drop-down list, choose <Upload certificate>.
- Supply the Certificate name by entering a unique name for the SSL certificate. Do not include the path in this value.
- Supply the location of the Private key corresponding to the SSL certificate you want to upload. The private key must be an RSA key in PEM-encoded format.
- Supply the location of the Public key certificate corresponding to the SSL certificate you want to upload. The public key must be in PEM-encoded format.
- Click Upload.
- In the Choose SSL certificate drop-down list, ensure your new certificate is selected.
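The requirements stated above (PEM encoding, an RSA private key, a common name that matches the ELB's public DNS name) can be checked with OpenSSL before you click Upload. The following script is an added example, not part of Cloud Builder or the original topic; the function name check_elb_cert and the file paths passed to it are assumptions, and the common name is compared as an exact, case-insensitive match.

```shell
# Added example: verify a key/certificate pair before uploading it for the ELB.
# check_elb_cert is a hypothetical helper name, not a Cloud Builder command.
# Usage: check_elb_cert <private-key.pem> <certificate.pem> <elb-public-dns-name>
check_elb_cert() {
    cec_key=$1; cec_cert=$2; cec_host=$3

    # Both files must be PEM-encoded (base64 text between BEGIN/END markers).
    if ! grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$cec_key"; then
        echo "FAIL: private key is not PEM-encoded" >&2; return 1
    fi
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$cec_cert"; then
        echo "FAIL: certificate is not PEM-encoded" >&2; return 1
    fi

    # The private key must be a consistent RSA key. The empty -passin value
    # makes a passphrase-protected key fail here instead of prompting.
    if ! openssl rsa -in "$cec_key" -passin pass: -check -noout >/dev/null 2>&1; then
        echo "FAIL: private key is not a readable RSA key" >&2; return 1
    fi

    # The certificate must carry the public half of this key: compare moduli.
    cec_kmod=$(openssl rsa -in "$cec_key" -passin pass: -noout -modulus 2>/dev/null) || return 1
    cec_cmod=$(openssl x509 -in "$cec_cert" -noout -modulus 2>/dev/null) || return 1
    if [ "$cec_kmod" != "$cec_cmod" ]; then
        echo "FAIL: certificate was not issued for this private key" >&2; return 1
    fi

    # The common name must match the ELB's public DNS name (DNS names are
    # case-insensitive, so both sides are lowercased before comparing).
    cec_cn=$(openssl x509 -in "$cec_cert" -noout -subject -nameopt multiline 2>/dev/null |
        sed -n 's/^ *commonName *= *//p' | head -n 1 | tr 'A-Z' 'a-z')
    cec_want=$(printf '%s' "$cec_host" | tr 'A-Z' 'a-z')
    if [ "$cec_cn" != "$cec_want" ]; then
        echo "FAIL: common name '$cec_cn' does not match '$cec_want'" >&2; return 1
    fi

    echo "OK: RSA key and certificate match, CN=$cec_cn"
}
```

The function returns 0 only when every check passes, so it can gate the upload step in a script; each failure prints the reason to standard error.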
Use an existing certificate for the ELB
If you've already uploaded a certificate using Cloud Builder, you can do the following to install it on a site:
- Start creating or updating a site using Cloud Builder.
- In the Security panel of Cloud Builder, check Install SSL certificate.
- From the Choose SSL certificate drop-down list, choose your certificate name.
Configure the ELB health check in HTTPS-only scenarios
When you select an SSL certificate, Cloud Builder configures your site so that it can receive both HTTP and HTTPS requests. If you later modify ArcGIS Server so that it is only allowed to receive HTTPS requests, you must update the Elastic Load Balancer (ELB) health check using the following steps:
- Log in to the AWS Management Console and display the page for the EC2 region where your site resides.
- Click Load Balancers.
- Check the check box next to the load balancer named arcgis-<your site>.
- In the lower panel, click the Health Check tab.
- Click Edit Health Check.
- Change the Ping Protocol to HTTPS.
- Change the Ping Port to 6443 and click Save.