Administering ArcGIS Enterprise
Scott Cecilio
ArcGIS Enterprise software components
Portal for ArcGIS
ArcGIS Data Store
ArcGIS Web Adaptor (portal)
ArcGIS Web Adaptor (server)
ArcGIS Server (hosting server)
Key Administrator Endpoints
• Portal for ArcGIS
- Home page
- Portal Administrator Directory
• ArcGIS Server
- ArcGIS Server Manager
- ArcGIS Server Administrator Directory
• Command Line Utilities
- Portal
- Server
- Data Store
Portal Home Page
• Organization Section
- Updating Home Page
- Custom application templates
- Custom basemaps
- Configure Utility Services
- Federate ArcGIS Servers
- Configure Hosting Server
- Define Roles
- Collaboration
- Security
Overview of Configurable Organization Settings within Portal for ArcGIS
• Web browser based administrative console
• Pre-installed web services in System and Utilities folders
• Site, Security, and Logs/Statistics information available
ArcGIS Server Manager
Overview of ArcGIS Server Manager
ArcGIS REST API
ArcGIS Server Administrator Directory
Portal Administrator Directory
• Virtualized interfaces for the ArcGIS REST API
• Designed to help administer ArcGIS Enterprise programmatically
• Works with many scripting languages that can make HTTP requests
• Work with advanced system settings and properties
• Configuring certificates and other security settings
• Unregister web adaptors
• Import/Export for backing up site configurations
Command Line Utilities
• Found in the installation directories for:
- Portal for ArcGIS
- ArcGIS Server
- ArcGIS Data Store
• Administer from batch files or command line
• Perform tasks such as:
- Scan your portal and server for security best practices
- Recover portal when no administrator accounts are available
- Start and stop server-based services
- Publish services from service definition (.sd) files
- Back up or restore a server site configuration
ArcGIS Enterprise Administrative URLs
Portal Home Page
https://myhost.domain.com/webadaptor/home/
Portal Administrator Directory
https://myhost.domain.com/webadaptor/portaladmin/
ArcGIS Server Manager
https://myhost.domain.com/webadaptor/manager
ArcGIS Server Administrator Directory
https://myhost.domain.com/webadaptor/admin
Portal Administrator Directory
• The Portal Administrator Directory allows you to perform certain administrative functions not available in the ArcGIS Enterprise portal website
• Accessed via https://[webadaptorhost.domain.com]/[web adaptor]/portaladmin
• System
- Properties: configure properties like your portal’s WebContextURL, PrivatePortalURL
- Languages: when you or members of your portal search for content, results may be returned that do not apply to your specific language. Limit those results by changing this setting.
- Web Adaptors: unregister ArcGIS Web Adaptor with your portal
- Directories: change the location of the portal content directory
• Security
- Config: configure user and group identity stores, configure default user level and role, enable/disable automatic account creation
- SSL Certificates: import root and intermediate certificates to establish trust chains, as well as import existing server certificates to replace internal self-signed certs
• Federation
- Federate new ArcGIS Servers
- Update federation information
• Logs
- Query, view, configure, and delete portal logs
• Machine
- Portal Health Check, Unregister Machines
• License
- Authorize apps such as Insights, Drone2Map, ArcGIS Pro, and more…
Securing Your Enterprise Deployment
Security best practices for ArcGIS Enterprise
1. Configure HTTPS
2. Disable anonymous access
3. Restrict the portal’s proxy capability
4. Configure CA-signed server certificates
5. Disable the ArcGIS Portal Directory
6. Configure your firewall to work with portal
7. Specify the default token expiration time
8. Restrict file permissions
http://enterprise.arcgis.com/en/portal/latest/administer/windows/security-best-practices.htm
Configure HTTPS | Disable Anonymous Access
• From the ArcGIS Server admin and the Portal My Organization settings, disable all HTTP communication
• Additionally, disable HTTP communication in Portal and ArcGIS Server to use only HTTPS communication
SSL Touch Points in ArcGIS Enterprise
[Diagram: Client Web Browser, Web Server, Portal for ArcGIS, Federated ArcGIS Server, External SSL ArcGIS Server, Secure LDAP]
** Client browser must trust CA chain (appears at two touch points)
** Web Server must trust CA chain
** Portal must trust CA chain of LDAP
** Portal must trust CA chain of ArcGIS Server (appears at two touch points)
** Web Server must trust CA chain if :7443 is using CA signed
** Print Task: ArcGIS Server and OS must trust CA chain to Portal, Web Server, and External ArcGIS Servers
Secure Communication Via ArcGIS Web Adaptor
• The first step to implementing secure communication is installing and configuring the Web Adaptor
- Moves traffic from 6443/6080 (ArcGIS Server) and 7443/7080 (Portal) to 443/80
[Diagram: web server https://my.webserver.com with a CA signed SSL certificate; Web Adaptor paths /portal and /server in front of Portal for ArcGIS (7443) and ArcGIS Server (6443)]
• Moving traffic to default ports allows ArcGIS to take advantage of signed server certificates at the web tier
ArcGIS Enterprise - Server Certificates and Trust Stores
• Self-signed certificates to support communication on ports:
- Portal for ArcGIS (7443)
- ArcGIS Server (6443)
- ArcGIS Data Store (2443)
• The Portal Administrator directory provides tools to Import Intermediate or Root certificates and Existing Server Certificates, as well as the ability to generate a new Certificate Signing Request.
Updating internal ArcGIS Enterprise Certificates
• When working in closed environments you must import root and intermediate certificates in addition to the existing server certificate!
- Hybrid environments using signed certificates from known CAs may not need this step (e.g. CA is DigiCert)
• Option to *not* restart Portal service after importing certificates
- Introduced at 10.6
- At 10.5/10.5.1 Portal service restarted automatically
- At 10.4.1 and prior Portal service needed to be restarted manually
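The trust-chain requirement on this slide can be reproduced offline with OpenSSL. This is an added example, not part of the presentation or of Esri tooling: the CA names, host name and file names are constructed, and the PEM file handed to `openssl verify` only stands in for a trust store that has had certificates imported.

```bash
# Added example: constructed root -> intermediate -> server chain, built offline.
build_chain() {  # $1 = empty working directory (assumption: openssl is on PATH)
  d=$1
  cat > "$d/x.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
EOF
  # Self-signed root CA, then an intermediate CA, then the server certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -config "$d/x.cnf" -extensions ca_ext \
    -subj "/CN=Constructed Root CA" -keyout "$d/root.key" -out "$d/root.pem" \
    -days 2 2>/dev/null &&
  new_csr "Constructed Intermediate CA" int && sign root int ca_ext &&
  new_csr "portal.example.internal" srv && sign int srv leaf_ext &&
  cat "$d/root.pem" "$d/int.pem" > "$d/root_and_int.pem"
}
new_csr() {  # $1 = subject CN, $2 = file stem; writes $2.key and $2.csr
  openssl req -new -newkey rsa:2048 -nodes -config "$d/x.cnf" -subj "/CN=$1" \
    -keyout "$d/$2.key" -out "$d/$2.csr" 2>/dev/null
}
sign() {  # $1 = issuer stem, $2 = subject stem, $3 = extension section in x.cnf
  openssl x509 -req -in "$d/$2.csr" -CA "$d/$1.pem" -CAkey "$d/$1.key" \
    -CAcreateserial -extfile "$d/x.cnf" -extensions "$3" -days 2 \
    -out "$d/$2.pem" 2>/dev/null
}
verify_leaf() {  # $1 = PEM file of trusted CA certificates, $2 = certificate to check
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

work=$(mktemp -d)
build_chain "$work" || { echo "openssl failed" >&2; exit 1; }
for store in root.pem root_and_int.pem; do
  if verify_leaf "$work/$store" "$work/srv.pem"
  then echo "$store: server certificate trusted"
  else echo "$store: server certificate NOT trusted"
  fi
done
rm -rf "$work"
```

With only the root in the trusted file the verifier cannot find the server certificate's issuer, so validation fails unless the intermediate is supplied as well.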
Portal for ArcGIS
Demonstration
Securing Your Enterprise Deployment
Configure and Customize your ArcGIS Enterprise Deployment
Managing access to your ArcGIS Enterprise: Understanding identity stores
Built-in Identity Store
• Performs authentication
• Stores portal account user names and passwords
• Stores roles and group membership
Enterprise Identity Store
• Management of account credentials external to Portal for ArcGIS
• Leverage enterprise accounts
• Leverage enterprise groups
• Auto account creation
Customizing the Home Page
A. Background
B. Banner
C. Featured Content
D. Description
Enabling On-Premises Utility Services in Portal: Power specific functionality in your Portal
• Printing – enable the Print Service of an ArcGIS Server and use the Export Web Map Task.
• Geometry – utilize the Geometry Services of an on-premises ArcGIS Server
• Routing
- Utilize Esri Streetmap Premium Routing Services published on-premises
- Custom Routing Service
• Geocoding
- World Geocoding Service On-Premises
- Esri Streetmap Premium Geocode Services published on-premises
- Custom Geocoding Service
• Analysis Utility Services – e.g. Hydrology, Elevation, and Network
Additional Configurations
• ArcGIS Online
• Living Atlas
config.js: What is this? Should I touch it?
• Located at:
- <Install Directory>\customizations\10.7.0\framework\webapps\arcgis#home\js\arcgisonline
• Detailed in the Portal Administrator Help
• Provides additional configuration of the Portal UI
• Requires restart of portal and clearing cache from web browser
• Warning:
- Use extreme caution when editing; ALWAYS MAKE A BACKUP!
- Not maintained during upgrade!
http://enterprise.arcgis.com/en/portal/latest/administer/windows/set-advanced-portal-options.htm
config.js: Important Settings for Disconnected Environments
• Disable ability to search ArcGIS Online | searchArcGISOnlineEnabled
• Add Security Classification Banners | classificationBanner
• Add Footer Links | footerLinks
• Restrict My Organization page to Portal Admins only | restrictOrganizationPageToAdmin
• Enable/Disable Show Social Media Links | showSocialMediaLink
Demonstration
Configure and Customize your ArcGIS Enterprise
Advanced Enterprise Workflows: Backup | Restore | Upgrading
• Reduced requirements for running the tool
- Different machine names
- Different internal URLs
• Incremental backups
- To an S3 bucket (10.6)
• Cloud specific
- Different regions for primary and standby data centers
- Ability to save a WebGIS DR backup to an S3 bucket
- Storing backups to Azure BLOB storage (10.6)
Backing up your ArcGIS Enterprise: webgisdr utility
Backing up your ArcGIS Enterprise
What the Tool Backs up
• Settings (Portal, Server, Data Store)
• Portal Content
• GIS Services
• ArcGIS Data Store data (relational, scene tiles)
What the Tool doesn’t back up
• EGDB or file based data
• Map service cache tiles | Hosted Tile layer caches
• Referenced data sources for web services
• Spatiotemporal big data store backups
webgisdr utility – What is backed up?
Backing up your ArcGIS Enterprise: webgisdr utility – Backup Restore Mode
Information for the backup portal content S3 bucket
Backing up your ArcGIS Enterprise: webgisdr utility – Amazon S3
Storing the WebGIS DR backup in an S3 bucket
Backing up your ArcGIS Enterprise: webgisdr utility – Amazon S3
Credentials for the backup portal content container
Backing up your ArcGIS Enterprise: webgisdr utility – Azure
• Backup
- Runs concurrently
- No downtime while exporting
- Sample syntax
• Restore
- Runs sequentially
- Data Store Server Portal
- Downtime while restoring
- Sample syntax
Backing up your ArcGIS Enterprise: webgisdr utility – Usage
Advanced Enterprise Workflows: Backup | Restore | Upgrading
Advanced Enterprise Workflows: Upgrading
• Take snapshots of your machines
• Make backups of your ArcGIS Enterprise:
- Content directories for Portal for ArcGIS
- Configuration store and content directories for ArcGIS Server
- Content directories for ArcGIS Data Store
• DO NOT unfederate your Hosting server or other federated ArcGIS Servers
• Extensive documentation available on upgrading
Considerations before upgrading
Advanced Enterprise Workflows: Upgrading
1. Upgrade Portal for ArcGIS
2. Upgrade your Portal’s ArcGIS Web Adaptor
   1. Uninstall old Web Adaptor first
3. Upgrade ArcGIS Server
   1. In a multi-node ArcGIS Server site, recommended to upgrade one server at a time
   2. Hosting Server first
4. Upgrade your Server’s ArcGIS Web Adaptor
   1. Uninstall old Web Adaptor first
5. Upgrade ArcGIS Data Store
   1. Relational
   2. Tile-Cache
   3. Spatiotemporal
Recommended order of Upgrades
http://enterprise.arcgis.com/en/portal/latest/install/windows/upgrade-portal-for-arcgis.htm
Demonstration
Advanced Enterprise Workflows
Conclusion
• Key Administrative Endpoints
• Portal Administrator Directory
• Securing your Enterprise Deployment
- Security Best Practices
- SSL trust chains
• Customize and Configure your ArcGIS Enterprise Deployment
- Configure Homepage
- Utility Services
- config.js
• Advanced Enterprise Workflows
- Backup | Restore
- Upgrade