With a base ArcGIS Enterprise deployment, there are two options for adding ArcGIS GeoEvent Server to configure a base ArcGIS GeoEvent Server deployment: you can either install all the software components, including GeoEvent Server, on a single machine, or install the components for real-time event processing on a second machine.
Administrators can use the deployment checklist below to examine specific configurable elements related to a multiple-machine deployment. In this pattern, a base ArcGIS Enterprise deployment and a base GeoEvent Server deployment are deployed on separate machines. Some best practices and common settings administrators will want to check as they deploy the software components are described as part of the checklist.
The information provided below uses information and utilities specific to a Windows environment. Deployments on Linux will require comparable utilities, which should be familiar to Linux administrators.
Get started
The software components of a base ArcGIS Enterprise deployment should be installed. The ArcGIS Enterprise portal site should be created and configured such that a primary administrator can log in to the portal’s administrative API. The ArcGIS Server site for this deployment should be created and you should be able to log in to the server’s administrative API. If ArcGIS Server is not yet configured as the Enterprise portal’s hosting server, or federated with the Enterprise portal, that is fine at this point. This checklist addresses those steps after creating and configuring the SSL certificates, checking software licensing, and configuring the hosting server’s geodatabase.
The software components for the base ArcGIS GeoEvent Server deployment should be installed on a second machine. The ArcGIS Server site for this deployment should be created and you should be able to log in to the server’s administrative API. This server cannot be used to publish feature services until it has been configured with a managed geodatabase, which you will do later. For now, stop the ArcGIS GeoEvent Gateway and ArcGIS GeoEvent Server services, if they are running, so when GeoEvent Server starts it will interrogate its associated ArcGIS Server and discover the SSL security certificate configuration you will configure below.
Create domain certificates for the ArcGIS Enterprise machine
Both the Portal for ArcGIS and the ArcGIS Server components of the base ArcGIS Enterprise deployment should have SSL certificates configured to enable applications to trust responses from the server machine and web service applications. Self-signed certificates included as defaults should not be used.
Log in to the ArcGIS Enterprise machine. On Windows, search for Manage computer certificates and open the Microsoft Management Console. Use the application to create a new domain certificate. It is recommended you create the certificate using an Active Directory Enrollment Policy established by your network administrator.
The certificate you create should specify both a Common Name and a Subject Alternative DNS Name. It is recommended you use the server machine’s fully qualified name (specifying both the hostname and domain suffix) when specifying the certificate parameters. The certificate’s application policies should provide both Server Authentication and Client Authentication for the ArcGIS Enterprise machine.
Once the domain certificate is successfully enrolled, export the certificate as both a PFX certificate file and a CER certificate file. You will use these later to configure the ArcGIS Enterprise software components. The PFX certificate file should include the machine’s private key and include all certificates in the certificate path enabling it to be used as a web server’s certificate. The CER certificate file should not include the machine’s private key and does not need to include the entire certificate path as it will be used as an intermediate certificate to establish trust between machines in the domain.
Create domain certificates for the GeoEvent Server machine
Log in to the GeoEvent Server machine and use the Microsoft Management Console application to create a new domain certificate authenticating this second machine. Self-signed certificates included as defaults should not be used to authenticate the ArcGIS Server or GeoEvent Server components. As before, the certificate created should specify the machine’s fully qualified name as the certificate’s Common Name and a Subject Alternative DNS Name. Once you have successfully enrolled the second domain certificate you will need to export the certificate files for use later when configuring the ArcGIS Enterprise software components installed on the two machines.
Export both a PFX certificate file and a CER certificate file. As before, the PFX certificate file should include the machine’s private key and all certificates in the certificate path enabling it to be used as a web server’s certificate. The CER certificate file should not include the machine’s private key and does not need to include the entire certificate path as it will be used only to establish trust between the ArcGIS Enterprise and GeoEvent Server machines.
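The certificate requirements in the two sections above (fully qualified name as Common Name and Subject Alternative DNS Name, Server Authentication and Client Authentication application policies, no self-signed defaults, a private key only on the web server certificate) can be checked with a script before the certificates are bound and imported. The following PowerShell is an added example, not Esri tooling; the function name Test-DomainCertificate, the -TrustOnly switch, and the host name gis01.example.com are hypothetical, and the in-memory sample assumes .NET Framework 4.7.2 or later.

```powershell
# Added example, not Esri tooling. Test-DomainCertificate, -TrustOnly and
# gis01.example.com are hypothetical names.
function Test-DomainCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$Fqdn,
        [switch]$TrustOnly   # set for a CER export used only to establish trust
    )
    $findings = @()

    # Default self-signed certificates have identical subject and issuer.
    if ($Certificate.Subject -eq $Certificate.Issuer) {
        $findings += 'Self-signed: subject and issuer are identical'
    }

    # Common Name should be the machine's fully qualified name.
    $cn = $Certificate.GetNameInfo('SimpleName', $false)
    if ($cn -ne $Fqdn) { $findings += "Common Name '$cn' is not $Fqdn" }

    # Subject Alternative Name extension (OID 2.5.29.17) should list the FQDN.
    # The formatted text reads 'DNS Name=host.domain' on Windows.
    $san = $Certificate.Extensions['2.5.29.17']
    $pattern = '[=:]\s*' + [regex]::Escape($Fqdn) + '(,|\s|$)'
    if (-not $san) {
        $findings += 'No Subject Alternative Name extension'
    } elseif ($san.Format($false) -notmatch $pattern) {
        $findings += "Subject Alternative Name does not list $Fqdn"
    }

    # Application policies: Server Authentication and Client Authentication.
    $eku = $Certificate.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    $required = @{
        '1.3.6.1.5.5.7.3.1' = 'Server Authentication'
        '1.3.6.1.5.5.7.3.2' = 'Client Authentication'
    }
    foreach ($oid in $required.Keys) {
        if ($oids -notcontains $oid) {
            $findings += "Missing application policy: $($required[$oid])"
        }
    }

    # The web server certificate needs its private key; a trust-only CER must not have one.
    if ($TrustOnly -and $Certificate.HasPrivateKey) {
        $findings += 'Trust-only certificate carries a private key'
    } elseif (-not $TrustOnly -and -not $Certificate.HasPrivateKey) {
        $findings += 'No private key: cannot be used as a web server certificate'
    }
    $findings
}

# Constructed sample: an in-memory self-signed certificate with no SAN and no
# application policies, standing in for a default certificate.
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
$req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=gis01.example.com', $rsa,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$sample = $req.CreateSelfSigned([DateTimeOffset]::Now, [DateTimeOffset]::Now.AddDays(1))
Test-DomainCertificate -Certificate $sample -Fqdn 'gis01.example.com'

# On a deployed machine: check every certificate in the computer's personal store.
$fqdn = [System.Net.Dns]::GetHostEntry('').HostName
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    [pscustomobject]@{ Thumbprint = $_.Thumbprint
                       Findings   = Test-DomainCertificate -Certificate $_ -Fqdn $fqdn }
}
```

An empty Findings value means the certificate meets the requirements listed in this checklist; run the script on both the ArcGIS Enterprise machine and the GeoEvent Server machine.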
Bind SSL certificates to HTTPS for each server machine
On Windows, use the Internet Information Services (IIS) Manager application to edit the certificate bindings for the default web site.
Note:
If the IIS application is not available, use the ArcGIS Web Adaptor installation wizard to configure prerequisites on the web server role. It is not required to complete the installation and configuration of ArcGIS Web Adaptor at this time; you only need to give the installer permission to configure the web server role for the server machine.
Next, either add or edit the existing HTTPS protocol and select the domain certificate you created and enrolled for this server. With two server machines in the system architecture, you will need to perform this twice, once on the ArcGIS Enterprise machine and again on the GeoEvent Server machine.
Configure web server SSL certificates on the ArcGIS Enterprise machine
Log in to the ArcGIS Enterprise portal’s administrative API on the ArcGIS Enterprise machine.
- Use the administrative API to import the PFX certificate file for the ArcGIS Enterprise machine and the CER certificate file for the GeoEvent Server machine into the Portal for ArcGIS component. Navigate to Home > Security > SSLCertificates and click Import Existing Server Certificate to import the ArcGIS Enterprise machine’s PFX certificate file.
- Next, select Import Root or Intermediate to import the GeoEvent Server machine’s CER certificate file. It is recommended, when importing the certificates, you use each machine’s fully qualified name as the alias for the certificate to avoid confusion as to which certificate authenticates which machine.
- Once the two certificate files are imported, update the Enterprise portal’s certificate configuration to change the Web Server SSL Certificate from its default (for example, portal) to the alias you assigned to the ArcGIS Enterprise server’s PFX certificate. The Enterprise portal will be restarted which can take several minutes to complete.
Next, still on the ArcGIS Enterprise machine, log in to the ArcGIS Server administrative API.
- Repeat the steps above using the ArcGIS Server administrative API to import the same certificate files just added to the Enterprise portal into the ArcGIS Server component. Ensure you do this on the ArcGIS Enterprise machine.
- As before, import the ArcGIS Enterprise machine’s PFX using the Import Existing Server Certificate option. Import the GeoEvent Server machine’s CER using the Import Root or Intermediate certificate option.
- Once the two certificate files are imported, edit the ArcGIS Server machine’s certificate configuration to change the Web Server SSL Certificate from its default (for example, selfsignedcertificate) to the alias you assigned to the ArcGIS Enterprise server’s PFX certificate. The ArcGIS Server component will restart which can take several minutes to complete.
Lastly, log out of the ArcGIS Enterprise administrative APIs, clear the browser’s cache, and open a new browser window.
- You should now be able to load the Enterprise portal content manager and ArcGIS Server Manager without the web browser indicating it cannot establish trust for the two web applications.
- You should be able to click the lock icon on the web browser, confirm the connection is secure, and see the details of the certificate being used to authenticate the server’s web application.
- The certificate being used should be the PFX file which has the server’s private keys and the full certificate path enabling it to be used as a web server’s certificate in your enterprise domain.
Configure web server SSL certificates on the GeoEvent Server machine
Log in to the ArcGIS Server administrative API on the GeoEvent Server machine.
- Use the administrative API to import the PFX certificate file for the GeoEvent Server machine and the CER certificate file for the ArcGIS Enterprise machine into the ArcGIS Server component. Use the Import Existing Server Certificate option to import the GeoEvent Server machine’s PFX certificate file. Use the Import Root or Intermediate option to import the ArcGIS Enterprise machine’s CER certificate file.
- Once the two certificate files are imported, edit the ArcGIS Server certificate configuration to change the Web Server SSL Certificate from its default (for example, selfsignedcertificate) to the alias you assigned to the GeoEvent Server machine’s PFX certificate. The ArcGIS Server component will restart when edits to the web server certificate configuration are saved.
- Once the ArcGIS Server service has restarted, restart the ArcGIS GeoEvent Gateway and ArcGIS GeoEvent Server services. This is necessary to allow GeoEvent Server to discover and apply the changes made to its associated ArcGIS Server machine’s security configuration. It is recommended you restart the ArcGIS GeoEvent Gateway first and let it reach a running state before restarting the ArcGIS GeoEvent Server service. Restarting these services can take several minutes.
As a final step, log out of the ArcGIS Server administrative API, clear the browser cache, and open a new browser window. Launch Server Manager on the GeoEvent Server machine and notice the web browser trusts the web application. If you click the lock icon in the web browser, you can confirm the connection is secure and review the certificate’s details. Verify the certificate being used to authenticate the web application is the GeoEvent Server machine’s PFX.
It is important to recognize the ArcGIS Enterprise machine’s CER certificate file imported into ArcGIS Server on the GeoEvent Server machine establishes trust between the GeoEvent Server and responses returned from the ArcGIS Enterprise machine. This may not be immediately obvious from the web browser, but it is critical for server operations on the backend. GeoEvent Server needs to trust the Enterprise portal’s hosting server, the Enterprise portal, and/or a spatiotemporal big data store registered with the Enterprise portal’s hosting server. Responses to requests GeoEvent Server makes to components running on the other machine must be trusted for GeoEvent Server to work as expected.
Configure ArcGIS Data Store on the GeoEvent Server machine
Before you can use ArcGIS GeoEvent Manager to publish feature services on the GeoEvent Server machine, the non-federated ArcGIS Server will need a relational data store configured as its own managed geodatabase.
On the GeoEvent Server machine, open https://machine-name.domain:2443/arcgis/datastore in a web browser. The web browser will again likely warn you the Data Store post-installation wizard is not trusted; disregard and proceed to open the installation wizard. Enter the credentials to allow the post-installation wizard to access the ArcGIS Server administrative API, then either configure or verify the Relational data store type has been configured and registered with the GeoEvent Server machine’s ArcGIS Server. You can also log in to Server Manager on this machine and verify the relational database is listed when looking at the server’s data stores and that the database connection validates.
Note:
It is not a requirement to federate the ArcGIS Server on which GeoEvent Server is run with an Enterprise portal. There are advantages and disadvantages to federation for a GeoEvent Server deployment that you can discuss with an Esri technical advisor.
Configure the ArcGIS Enterprise hosting server
In a web browser, log in to the Enterprise portal’s content manager and click Settings. Click Servers and add the GIS Server installed on the ArcGIS Enterprise machine as a federated server. You should have already configured ArcGIS Web Adaptor to act as the server web adaptor enabling you to enter both a services URL and an administrative URL. Once the GIS Server is added, validate it, and then designate this server as the Enterprise portal’s hosting server.
Confirm ArcGIS Enterprise hosting server’s role and license
With the GIS Server on the ArcGIS Enterprise machine federated and configured as the ArcGIS Enterprise portal’s hosting server, log in to Server Manager using an Enterprise portal administrator’s credentials. You should be able to log in through the web adaptor configured for the hosting server, typically at https://machine-name.domain/server/manager, and verify the Manage Services page lists the SampleWorldCities map service. ArcGIS Pro should be designated as the sample service’s Authoring Application. This indicates the server’s role is a GIS Server supporting an Enterprise portal as a hosting server.
The ArcGIS Server component on the ArcGIS Enterprise machine should be licensed as a GIS Server using either a Standard or an Advanced license. Navigate to Site > Software Authorization and verify either ArcGIS GIS Server Standard or ArcGIS GIS Server Advanced is listed as the server’s roles. This indicates you can use applications such as ArcGIS Pro to publish new hosted feature layers to this GIS Server.
Confirm ArcGIS Server role and license on the GeoEvent Server machine
The ArcGIS Server deployed on the GeoEvent Server machine should be licensed as a GeoEvent Server. Log in to Server Manager on the GeoEvent Server machine using an ArcGIS Server site administrator’s credentials. Remember, this ArcGIS Server is not federated with the Enterprise portal, so you will not use Enterprise portal administrator credentials when logging in to the GeoEvent Server machine’s Server Manager. Assuming this ArcGIS Server has been licensed using a GeoEvent Server license, the Manage Services page in Server Manager will not list the SampleWorldCities map service. The sample service only displays when ArcGIS Server is licensed as a GIS Server role.
Navigate to Site > Software Authorization and verify ArcGIS GeoEvent Server is listed beneath the server’s roles. If this is the only server role listed, the server’s role is not a GIS Server. While you cannot use applications such as ArcGIS Pro to publish new hosted feature layers to this stand-alone ArcGIS Server instance, you can use GeoEvent Manager to publish new, empty, feature services. You might want to do this to create an initial empty feature class that an output connector can use to add new and later update existing feature records.
Note:
There are advantages and disadvantages to a deployment in which each ArcGIS Server maintains its own managed enterprise geodatabase. You might adopt policies, for example, that feature services used by GeoEvent Server are kept on this server while the feature services which underlie your ArcGIS Enterprise hosted feature layers are kept separate on the Enterprise portal’s hosting server. Such a policy could be used to draw a clear distinction between real-time feature services and those which support web maps and dashboards with relatively static data edited using more traditional feature editing workflows. You can discuss the best options for your enterprise with an Esri technical advisor.
Login to GeoEvent Manager on the GeoEvent Server machine
Earlier, as you completed the web server SSL certificate configuration on the GeoEvent Server machine, you had a chance to restart the ArcGIS GeoEvent Gateway and ArcGIS GeoEvent Server services. GeoEvent Server, as it starts up, should have located the certificates used by the server component it runs beneath and incorporated them into its own certificate store. By adopting the server’s certificates GeoEvent Server, by default, will trust responses from its associated ArcGIS Server.
Open a web browser on the GeoEvent Server machine and launch GeoEvent Manager, typically at https://machine-name.domain:6143/geoevent/manager. The web browser should indicate the connection is secure. If you click the lock icon in the web browser, you can select to see the details of the certificate being used to authenticate the server’s web application and verify it is the same certificate used by Server Manager—the certificate with the GeoEvent Server machine’s private keys and full certificate path enabling it to be used as a web server’s certificate in the enterprise domain.
Extend timeout for ArcGIS Server short-lived tokens
The ArcGIS Server on which GeoEvent Server is running has not been federated with the Enterprise portal. This means you will not benefit from single sign-on in which your authorization to continue using GeoEvent Manager is automatically renewed. When you use ArcGIS Server administrator credentials to log in to GeoEvent Manager, your session is assigned a short-lived token. When this token expires you will be prompted to log in to GeoEvent Manager again.
To prevent being frequently challenged to renew your login, you can change the expiry time for the ArcGIS Server short-lived tokens. Log in to Server Manager and navigate to Security > Settings. Click to edit the Lifespan of Short-lived Tokens and change the value from its default 60 minutes to something longer like 1440 minutes. This will extend the life of short-lived tokens, so you do not have to log in to GeoEvent Manager as frequently.
Configure the GeoEvent Server default server connection to include credentials
Every GeoEvent Server configuration includes a Default server connection. This registered server connection is referred to as a data store in GeoEvent Manager.
In GeoEvent Manager, navigate to Site > GeoEvent > Data Stores and verify the Default server connection validates. This indicates the server’s ArcGIS REST Services Directory is reachable and publicly available services are discoverable.
Note:
In a non-federated deployment, the default server connection will be an ArcGIS Server type connection to the local ArcGIS Server on which GeoEvent Server is running. If you choose to federate the GeoEvent Server machine’s ArcGIS Server with an Enterprise portal, the GeoEvent Server machine’s default server connection will change to an ArcGIS Enterprise type connection and will require credentials to validate.
This is a non-federated configuration, so the default server connection does not require credentials to validate. However, it is a best practice to always configure the server connection with the credentials of an administrative user so you can use the Default server connection to perform administrative tasks like publishing feature services.
Click to edit the Default server connection and check the checkbox to use credentials. Enter the username and password for an administrative user whose feature services you want GeoEvent Server to discover and use.
Considerations for using the ArcGIS Server primary site administrator (PSA) credentials
The default server connection can use the ArcGIS Server primary site administrator (PSA) credentials in a non-federated deployment. This is the simplest option and the one often chosen by site administrators. The disadvantage is that every time GeoEvent Server crawls the ArcGIS REST Services Directory it will discover and interrogate every map and feature service the administrative user can access. If there are numerous web services published, the interrogation to discover all the layers and layer properties for each service can take a significant amount of time.
The best practice is to limit the number of web services a GeoEvent Server deployment will be able to use by designating an ArcGIS Server administrative user to own as few map/feature services as possible and configure the Default server connection with this user’s credentials. This will ensure service discovery is completed quickly and with minimal interruption to GeoEvent Server operations. Tasks such as importing a GeoEvent Definition, importing geofences from a feature layer, configuring an input to poll a feature service for feature records, or using a processor to enrich event records with records contained in a feature layer all use the default server connection and require its service discovery be completed as quickly as possible.
Set the discovery rate for the GeoEvent Server default server connection
In GeoEvent Server, the frequency with which the default server connection performs service discovery can be set based upon your requirements. Setting the discovery rate to a small value, to ensure GeoEvent Server knows about the web services that exist, is often counterproductive. It forces GeoEvent Server to frequently return to the ArcGIS REST Services Directory and complete a full crawl of the directory as it refreshes a cache of information for all known map/feature services. This takes time and consumes system resources such as CPU and network that could be better allocated to the real-time ingest, adaptation, processing, and dissemination of data. An argument can be made that even a frequent discovery rate of, say, 5 minutes is not fast enough, especially if you have just published a new feature service and you want to use it immediately.
As an alternative, consider setting the Discovery Rate for server connections registered with GeoEvent Server to a larger value, like 1440 minutes, so that a full crawl of the services directory occurs just once a day. The service cache will also be refreshed whenever the ArcGIS GeoEvent Server service is restarted. You can also force a server connection to refresh its cache by visiting the Site > GeoEvent > Data Stores page in GeoEvent Manager.