As an ArcGIS Server administrator, you can specify which secure sockets layer (SSL) protocols and encryption algorithms ArcGIS Server uses to secure communication. For example, your organization may be required to use specific SSL protocols and encryption algorithms. Specifying that ArcGIS Server use the certified protocols and algorithms ensures that your site remains in compliance with your organization's security policies.
Default SSL protocols
By default, ArcGIS Server enables the following protocols:
- TLSv1
- TLSv1.1
- TLSv1.2
Default encryption algorithms
ArcGIS Server is limited to the following encryption algorithms and enables all of them by default:
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
See Cipher suites reference below for more information on these encryption algorithms.
You'll use the ArcGIS Server Administrator Directory to specify which SSL protocols and encryption algorithms your site will use.
- Open the ArcGIS Server Administrator Directory and sign in as an Administrator of your site. The URL is in the format https://gisserver.domain.com:6443/arcgis/admin.
- Click Security > Config > Update.
- In the SSL Protocols text box, specify the protocols to be used. If specifying multiple protocols, separate each protocol with a comma. For example: TLSv1.2, TLSv1.1.
Note that if you're planning to disable TLSv1 on the site, you need to ensure the web server hosting the Web Adaptor is able to fully communicate over TLSv1.1 or TLSv1.2. If you're using a Java Web Adaptor, the web server hosting the Web Adaptor must be using Java 8.
- In the Cipher Suites text box, specify the encryption algorithms to be used. If specifying multiple algorithms, separate each algorithm with a comma. For example: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_3DES_EDE_CBC_SHA.
- Click Update. An error is returned if an invalid protocol or cipher suite is specified.
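Because Update rejects the whole request when any protocol or cipher suite is invalid, it helps to validate the comma-separated values before submitting them. The following Python is an added example, not Esri's code: it checks a typed selection against the values listed on this page, and the apply_security_settings helper shows how the same change can be scripted against the Administrator Directory's REST endpoints. The endpoint paths, the generateToken parameters and the securityConfig JSON keys httpsProtocols and cipherSuites are assumptions about that API and should be checked against your site's Security > Config resource, which is why the helper reads the current configuration and changes only those two fields.

```python
"""Validate and apply an ArcGIS Server SSL protocol / cipher-suite selection.

Added example; not Esri code. The allowed values below are the ones the page
lists. The REST endpoint paths, the generateToken parameters and the JSON keys
'httpsProtocols' / 'cipherSuites' are assumptions about the Administrator
Directory API; verify them against your site's Security > Config resource.
"""
import json
import urllib.parse
import urllib.request

SUPPORTED_PROTOCOLS = ("TLSv1", "TLSv1.1", "TLSv1.2")

SUPPORTED_CIPHER_SUITES = (
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
)


def parse_list(text):
    """Split a comma-separated value as typed into the text box, tolerating
    surrounding spaces and empty entries."""
    return [item.strip() for item in text.split(",") if item.strip()]


def validate_selection(text, allowed, label):
    """Return the normalized comma-separated string, or raise ValueError naming
    every unknown entry (the server would reject the whole update anyway)."""
    items = parse_list(text)
    if not items:
        raise ValueError(f"at least one {label} must be specified")
    unknown = [item for item in items if item not in allowed]
    if unknown:
        raise ValueError(f"unsupported {label}(s): {', '.join(unknown)}")
    # drop duplicates while preserving the order the administrator typed
    deduped = list(dict.fromkeys(items))
    return ",".join(deduped)


def validate_protocols(text):
    return validate_selection(text, SUPPORTED_PROTOCOLS, "SSL protocol")


def validate_cipher_suites(text):
    return validate_selection(text, SUPPORTED_CIPHER_SUITES, "cipher suite")


def build_security_settings(protocols_text, ciphers_text):
    """Produce the two fields to merge into the site's security configuration."""
    return {
        "httpsProtocols": validate_protocols(protocols_text),  # assumed key name
        "cipherSuites": validate_cipher_suites(ciphers_text),  # assumed key name
    }


def _post_json(url, fields):
    """POST form fields to an Administrator Directory resource and return the
    decoded JSON. urllib verifies the server certificate by default; do not
    turn that off when talking to the admin endpoint."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=data, timeout=30) as resp:
        body = json.load(resp)
    if "error" in body:
        raise RuntimeError(body["error"])
    return body


def apply_security_settings(admin_url, username, password,
                            protocols_text, ciphers_text):
    """Fetch the current security config, change only the two SSL fields and
    submit it through Security > Config > Update. Network-bound; not exercised
    by the offline checks. admin_url is e.g.
    https://gisserver.domain.com:6443/arcgis/admin (assumed layout)."""
    settings = build_security_settings(protocols_text, ciphers_text)
    token = _post_json(f"{admin_url}/generateToken", {
        "username": username, "password": password,
        "client": "requestip", "f": "json"})["token"]
    current = _post_json(f"{admin_url}/security/config",
                         {"token": token, "f": "json"})
    current.update(settings)  # update replaces the whole config, so keep the rest
    return _post_json(f"{admin_url}/security/config/update", {
        "securityConfig": json.dumps(current), "token": token, "f": "json"})


if __name__ == "__main__":
    print(build_security_settings("TLSv1.2, TLSv1.1",
                                  "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"))
```

Run the validation part locally before touching the site; only apply_security_settings contacts the server, and it needs the admin URL and an administrator account passed in rather than hard-coded.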
Cipher suites reference
| Cipher ID | Name | Key exchange | Authentication algorithm | Encryption algorithm | Bits | Hashing algorithm |
|---|---|---|---|---|---|---|
| 0x00C02F | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ECDHE | RSA | AES_128_GCM | 128 | SHA256 |
| 0x00C027 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | ECDHE | RSA | AES_128_CBC | 128 | SHA256 |
| 0x00C013 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | ECDHE | RSA | AES_128_CBC | 128 | SHA |
| 0x00C012 | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | ECDHE | RSA | 3DES_EDE_CBC | 168 | SHA |
| 0x00009C | TLS_RSA_WITH_AES_128_GCM_SHA256 | RSA | RSA | AES_128_GCM | 128 | SHA256 |
| 0x00003C | TLS_RSA_WITH_AES_128_CBC_SHA256 | RSA | RSA | AES_128_CBC | 128 | SHA256 |
| 0x00002F | TLS_RSA_WITH_AES_128_CBC_SHA | RSA | RSA | AES_128_CBC | 128 | SHA |
| 0x00000A | TLS_RSA_WITH_3DES_EDE_CBC_SHA | RSA | RSA | 3DES_EDE_CBC | 168 | SHA |
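The columns in the table are all encoded in the suite name itself, which makes it easy to review a proposed Cipher Suites value without looking each entry up. The Python below is an added example, not Esri's code: it parses names of the TLS_<key exchange>[_<auth>]_WITH_<cipher>_<mode>_<hash> form used above into the table's columns (the Bits values follow the table, so 3DES is reported as 168), and review_selection summarises which suites in a list lack forward secrecy, use 3DES, or use CBC rather than an AEAD mode. It only understands the key-exchange, cipher and hash tokens that appear on this page.

```python
"""Decompose TLS cipher-suite names into the columns of the reference table.

Added example, not Esri code. Handles the IANA-style names used by ArcGIS
Server: TLS_<kx>[_<auth>]_WITH_<cipher>_<mode>_<hash>. Only the tokens that
appear on this page are recognised.
"""
import re
import sys

# Nominal key sizes as listed in the table's Bits column (3DES counted as 168).
KEY_BITS = {"AES_128": 128, "AES_256": 256, "3DES_EDE": 168}

_SUITE_RE = re.compile(
    r"^TLS_(?P<kx>ECDHE|DHE|RSA)(?:_(?P<auth>RSA|ECDSA))?_WITH_"
    r"(?P<enc>[A-Z0-9_]+)_(?P<hash>SHA256|SHA384|SHA)$"
)


def parse_cipher_suite(name):
    """Return the table columns for one suite name, or raise ValueError."""
    match = _SUITE_RE.match(name)
    if not match:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    kx = match["kx"]
    auth = match["auth"] or kx          # TLS_RSA_WITH_...: RSA does both jobs
    enc = match["enc"]                  # e.g. AES_128_GCM or 3DES_EDE_CBC
    cipher, mode = enc.rsplit("_", 1)   # ("AES_128", "GCM"), ("3DES_EDE", "CBC")
    if cipher not in KEY_BITS:
        raise ValueError(f"unknown cipher in {name}: {cipher}")
    return {
        "name": name,
        "key_exchange": kx,
        "authentication": auth,
        "encryption": enc,
        "bits": KEY_BITS[cipher],
        "hash": match["hash"],
        # properties a reviewer looks at when trimming the list
        "forward_secrecy": kx in ("ECDHE", "DHE"),   # static RSA has none
        "aead": mode == "GCM",                       # CBC suites are not AEAD
        "triple_des": cipher.startswith("3DES"),
    }


def review_selection(names):
    """Summarise a proposed cipher-suite list by the properties above."""
    parsed = [parse_cipher_suite(n) for n in names]
    return {
        "no_forward_secrecy": [p["name"] for p in parsed if not p["forward_secrecy"]],
        "triple_des": [p["name"] for p in parsed if p["triple_des"]],
        "non_aead": [p["name"] for p in parsed if not p["aead"]],
    }


def format_row(row):
    """Render one parsed suite as a line in the same column order as the table."""
    return " | ".join(str(row[key]) for key in
                      ("name", "key_exchange", "authentication",
                       "encryption", "bits", "hash"))


if __name__ == "__main__":
    # usage: python parse_suites.py TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ...
    for suite_name in sys.argv[1:]:
        print(format_row(parse_cipher_suite(suite_name)))
```

Feeding the eight names from the table through format_row reproduces the Name through Hashing algorithm columns; the review_selection output is the quick check to run on a trimmed list before pasting it into the Cipher Suites text box.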
Terminology
- ECDHE—Elliptic-Curve Diffie-Hellman Ephemeral
- RSA—Rivest, Shamir, Adleman
- AES—Advanced Encryption Standard
- GCM—Galois/Counter Mode (a mode of operation for cryptographic block ciphers)
- CBC—Cipher Block Chaining
- 3DES—Triple Data Encryption Algorithm
- SHA—Secure Hashing Algorithm