This topic describes how to best manage your S-63 encrypted datasets. The Maritime Chart Service supports both encrypted and unencrypted S-57 datasets within the same datasets folder. There is no technical restriction to set up separate map services.
Requesting USER_PERMIT.TXT from OEM
For the Maritime Chart Service to read S-63 encrypted datasets, the licensee of the Maritime Chart Service technology (data clients) must first request a user permit (USER_PERMIT.TXT) for each license of the Maritime Chart Service it plans to use for S-63 encrypted datasets.
To request a USER_PERMIT.TXT file, send an email to email@example.com. Once your USER_PERMIT.TXT files are received, provide those permits to your data server, which processes the permit and provides the S-63 encrypted datasets.
You must specify on your data server that Esri is the OEM so it can apply the correct manufacturer key to the encryption process.
Setting up your map service to support S-63
To load S-63 encrypted datasets, the following S-63 certificates and permits as well as your CATALOG.031 file must be in certain folders.
- IHO certificate (IHO.CRT), or a different Schema Administrator (SA) Digital Certificate
- User permit (USER_PERMIT.TXT)
- Cell permit (PERMIT.TXT)
- Exchange set catalog file (CATALOG.031)
IHO certificate (IHO.CRT)
The Schema Administrator (SA) Digital Certificate is always provided in a file named IHO.CRT by the data server. The IHO.CRT file is available from IHO at https://www.iho.int.
The IHO.CRT file must be placed in your controlfiles folder. Each license of Maritime Chart Service requires a unique USER_PERMIT.TXT file.
If you are running multiple map services with the Maritime Chart Service available and require S-63 encrypted datasets for each map service, you need to place the same IHO.CRT file in each controlfiles folder supporting that map service.
Schema Administrator (SA) Digital Certificate
If you require the use of an additional or alternative <NAME>.CRT file to the IHO.CRT for your data, it is recommended that you place the <NAME>.CRT file in the data's parent folder in the datasets folder. Alternatively, you can put the <NAME>.CRT file at the same level as your PERMIT.TXT file for that data. Both the PERMIT.TXT and <NAME>.CRT files only decrypt any datasets at that level and downward in your folder structure. It is recommended that you divide your data in the datasets folder at the top level by the <NAME>.CRT file being used, as well as the data server providing you the data.
The same USER_PERMIT.TXT file must be provided to each data supplier being used for the system even if they are encrypting data against different Schema Administrators. Any name can be used for the alternative <NAME>.CRT file as long as the file extension is crt.
User permit (USER_PERMIT.TXT)
The USER_PERMIT.TXT file that you received from Esri must be placed in your controlfiles folder. Each license of Maritime Chart Service requires a unique USER_PERMIT.TXT file.
If you are running multiple map services with Maritime Chart Service and require S-63 encrypted datasets for each map service, you need to place the same USER_PERMIT.TXT file in each controlfiles folder supporting that map service.
Cell permit (PERMIT.TXT)
The PERMIT.TXT file is provided to you by your data server when your S-63 encrypted datasets are delivered. Each delivery of encrypted data should have a PERMIT.TXT file. PERMIT.TXT files must be placed in the same location as your S-63 encrypted datasets.
Delivery methods can vary between data servers, so the parent folder that contains the S-63 encrypted datasets that you are loading should be used to store the associated PERMIT.TXT file. The following images are examples of where the PERMIT.TXT file should be located based on S-63 Ed. 1.1.1 section 18.104.22.168 Folder Definitions.
For updates, it is recommended that you put the PERMIT.TXT file, if delivered with the updated datasets, in the individual update folder to ensure that any changes to the encryption keys are taken into account and your updated data and base data are decrypted using the appropriate PERMIT.TXT files.
Exchange set catalog file (CATALOG.031)
Typically, your S-63 encrypted datasets should be delivered in an exchange set format similar to S-63 Ed. 1.1.1 section 22.214.171.124 Folder Definitions. To decrypt your S-63 datasets, it is required that a CATALOG.031 file exist in the ENC_ROOT folder containing your data. The CATALOG.031 file contains the full path relative to the ENC_ROOT directory for all files contained within the exchange set, including ENC signature files.
Unlike loading unencrypted S-57 datasets, where you can load datasets with or without the existence of a CATALOG.031 file, loading S-63 encrypted datasets is only processed when a CATALOG.031 file exists. If no CATALOG.031 file is found and your data is encrypted, an 8211 open file error is written to your log file.
Loading S-63 encrypted datasets
Once you have ensured that your certificates and permits, as well as your CATALOG.031 file, are in the correct location, you can begin loading your S-63 encrypted datasets. The loading process is the same as loading S-57 datasets. The only difference is that S-63 encrypted datasets must have access to the IHO.CRT, USER_PERMIT.TXT, PERMIT.TXT, and CATALOG.031 files to properly decrypt the data.
Loading AIO S-63 encrypted datasets
Admiralty Information Overlay (AIO) datasets come encrypted with the same USER_PERMIT.txt file that your ENC datasets were encrypted with and use the same IHO.CRT and PERMIT.TXT file. If your AIO datasets come with a separate PERMIT.TXT file, place that in the AIO folder in your datasets folder directory and place the ENC PERMIT.TXT file in the ENC folder. If you have a single PERMIT.TXT file for both, you can place the single PERMIT.TXT file in the dataset folder for both ENC and AIO.
Working with IHO S-64 encrypted test datasets
The International Hydrographic Organization (IHO) maintains both an encrypted and an unencrypted set of test datasets for ECDIS named S-64. Once you have downloaded the test datasets from the IHO website, you need to make modifications to your map service's configuration file and restart your service to use the test data.
There are no special considerations for using the unencrypted S-64 test datasets.
- If you already have S-63 datasets loaded, you should remove those datasets from the service to avoid unwanted SSE13 errors.
- Since Maritime Chart Service is not a certified ECDIS for navigation, it is not required to conform to the ECDIS requirement laid out in the IMO performance standard and IEC 61174. Some S-64 tests are not necessary to run against MCS.
Update your ServerConfiguration.xml file S63Options useS64MKey setting to true. This enables the use of IHO S-64 encrypted datasets.
- Open the ServerConfiguration.xml file and set the S63Options useS64MKey = true.
All configuration files are located at <ArcGIS Server installation drive>:\arcgisserver\directories\maritimeserver\maritimechartservice\controlFilesDirectory.
This location is in your controlFilesDirectory property. Make a copy of the configuration files before you make any changes. Future installations overwrite this location.
- Click Save.
- Stop and restart your map service.