Skip To Content

Manage data for S-63 encrypted datasets

在 Standard 或 Advanced 许可等级下可用。

获得 Production Mapping 许可后可用。

获得 ArcGIS Maritime 许可后可用。

The Maritime Chart Service supports both encrypted and unencrypted S-57 datasets within the same datasets folder. There is no technical restriction to set up separate map services. The following sections describe how to best manage your S-63 encrypted datasets.


For the Maritime Chart Service to access S-63 encrypted datasets, the licensee of the Maritime Chart Service technology (data clients) must first request a user permit (USER_PERMIT.TXT) for each license of the Maritime Chart Service it plans to use for S-63 encrypted datasets.

To request a USER_PERMIT.TXT file, contact the Maritime team. Once your USER_PERMIT.TXT files are received, provide those permits to your data server that processes the permit and provides the S-63 encrypted datasets.


You must specify that Esri is the OEM to your data server so they can apply the correct manufacturer key to the encryption process.

Set up your map service to support S-63

To load S-63 encrypted datasets, the following S-63 certificates, permits, and CATALOG.031 file must be in certain folders.

  • IHO certificate (IHO.CRT), or a different Schema Administrator (SA) Digital Certificate
  • User permit (USER_PERMIT.TXT)
  • Cell permit (PERMIT.TXT)
  • Exchange set catalog file (CATALOG.031)

IHO certificate (IHO.CRT)

The Schema Administrator (SA) Digital Certificate is always provided in a file named IHO.CRT by the data server. The IHO.CRT file is available from the IHO site.

The IHO.CRT file must be placed in your controlfiles folder. Each license of Maritime Chart Service requires a unique USER_PERMIT.TXT file.


If you are running multiple map services with the Maritime Chart Service available and require S-63 encrypted datasets for each map service, you need to place the same IHO.CRT file in each controlfiles folder supporting that map service.

Schema Administrator (SA) Digital Certificate

If you require the use of an additional or alternative <NAME>.CRT file to the IHO.CRT file for your data, it is recommended that you place the <NAME>.CRT file in the data's parent folder in the datasets folder. Alternatively, you can put the <NAME>.CRT file at the same level as your PERMIT.TXT file for that data. Both the PERMIT.TXT and <NAME>.CRT files only decrypt datasets at that level and downward in your folder structure. It is recommended that you divide your data in the datasets folder at the top level by the <NAME>.CRT file being used, as well as the data server providing you the data.

NAME.CRT file location

Datasets folder structure


The same USER_PERMIT.TXT file must be provided to each data supplier being used for the system even if they are encrypting data against different Schema Administrators. Any name can be used for the alternative <NAME>.CRT file as long as the file extension is .CRT.

User permit (USER_PERMIT.TXT)

The USER_PERMIT.TXT file that you received from Esri must be placed in your controlfiles folder. Each license of Maritime Chart Service requires a unique USER_PERMIT.TXT file.


If you are running multiple map services with Maritime Chart Service and require S-63 encrypted datasets for each map service, you need to place the same USER_PERMIT.TXT file in each controlfiles folder supporting that map service.

Cell permit (PERMIT.TXT)

The PERMIT.TXT file is provided by your data server when your S-63 encrypted datasets are delivered. Each delivery of encrypted data should have a PERMIT.TXT file. PERMIT.TXT files must be placed in the same location as your S-63 encrypted datasets.

Delivery methods can vary between data servers, so the parent folder that contains the S-63 encrypted datasets that you are loading should be used to store the associated PERMIT.TXT file. The following images are examples of where the PERMIT.TXT file should be located based on S-63 Ed. 1.1.1 section Folder Definitions.


For updates, it is recommended that you put the PERMIT.TXT file, if delivered with the updated datasets, in the individual update folder to ensure that any changes to the encryption keys are taken into account and your updated data and base data are decrypted using the appropriate PERMIT.TXT files.

PERMIT.TXT location for base load
PERMIT.TXT location for update load

Exchange set catalog file (CATALOG.031)

Typically, your S-63 encrypted datasets should be delivered in an exchange set format similar to S-63 Ed. 1.1.1 section Folder Definitions. To decrypt your S-63 datasets, it is required that a CATALOG.031 file exist in the ENC_ROOT folder containing your data. The CATALOG.031 file contains the full path relative to the ENC_ROOT directory for all files contained within the exchange set, including ENC signature files.


Unlike loading unencrypted S-57 datasets, where you can load datasets with or without the existence of a CATALOG.031 file, S-63 encrypted datasets are only processed when a CATALOG.031 file exists. If no CATALOG.031 file is found and your data is encrypted, an 8211 open file error is written to your log file.

Load S-63 encrypted datasets

Once you have ensured that your certificates, permits, and CATALOG.031 file are in the correct location, you can begin loading your S-63 encrypted datasets. The loading process is the same as loading S-57 datasets. The only difference is that S-63 encrypted datasets must have access to the IHO.CRT, USER_PERMIT.TXT, PERMIT.TXT, and CATALOG.031 files to properly decrypt the data.

Load AIO S-63 encrypted datasets

Admiralty Information Overlay (AIO) datasets come encrypted with the same USER_PERMIT.TXT file that your ENC datasets were encrypted with and use the same IHO.CRT and PERMIT.TXT file. If your AIO datasets come with a separate PERMIT.TXT file, place that in the AIO folder in your datasets folder and place the ENC PERMIT.TXT file in the ENC folder. If you have a single PERMIT.TXT file for both, you can place the single PERMIT.TXT file in the dataset folder for both ENC and AIO.

Work with IHO S-64 encrypted test datasets

The International Hydrographic Organization (IHO) maintains both an encrypted and an unencrypted set of test datasets for ECDIS named S-64. Once you have downloaded the test datasets from the IHO website, you need to make modifications to your map service's configuration file and restart your service to use the test data.

There are no special considerations for using the unencrypted S-64 test datasets.

Learn more about managing data for unencrypted S-57 datasets and loading instructions.

  • If you already have S-63 datasets loaded, you should remove those datasets from the service to avoid unwanted SSE13 errors.
  • Since Maritime Chart Service is not a certified ECDIS for navigation, it is not required to conform to the ECDIS requirement laid out in the IMO performance standard and IEC 61174. Some S-64 tests are not necessary to run against MCS.

Update your ServerConfiguration.xml file's S63Options useS64MKey setting to true. This enables the use of IHO S-64 encrypted datasets.

  1. Open the ServerConfiguration.xml file and set S63Options useS64MKey = true.

    All configuration files are in the <ArcGIS Server installation drive>\arcgisserver\directories\maritimeserver\maritimechartservice\controlFilesDirectory folder.


    This location is in your controlFilesDirectory property. Make a copy of the configuration files before you make any changes. Future installations overwrite this location.

    Learn more about modifying the properties of the Maritime Chart Service capability

  2. 单击保存

    The map service must be stopped and restarted for changes to the ServerCongiguration.xml file to be recognized by the service.