ArcGIS Server Components: An Introduction to Server IT
Presentation Notes
Abstract: An introduction to the basics of ArcGIS Server’s back-end configuration. Learn about web server certificates, SQL Server roles and schemas, and security options for a single-sign-on environment, such as IWA and AD FS. The presentation is aimed at bridging the gap between GIS and IT for Server installation and configuration. Workflows are illustrated for Server Administrator and ArcGIS Desktop, specific to Windows OS.
Outline
• Web Adaptors & Web Server
• Web Server Certificates
• Portal Security Settings
• SQL Server & Management Studio
Platform Illustrated: Windows 2012 R2 Standard, IIS Web Server, SQL Server 2012, ArcGIS Enterprise 10.4 & 10.5
Ariana Toth, GIS Specialist
ArcGIS Server Site Architecture
Web Server = IIS
Web Adaptor = ArcGIS Web Adaptor
Physical Server – connected to via a virtual machine
ArcGIS Server
Presentation Notes
Server = ArcGIS Server unless I specifically say Physical Server.
Web Adaptors & Web Server
Web Server vs Web Adaptor
“A web server is any Internet server that responds to HTTP requests to deliver content and services. Depending on context, the term can refer to the hardware or Web server software on the server.”
- Techopedia
“The Web Adaptor is a web application that runs in a front-end web server. One of the Web Adaptor's primary responsibilities is to forward HTTP requests from end users to the back-end GIS Server in a round-robin fashion.”
- ESRI
Presentation Notes
When IT people hear the term “web adaptor” they often think of IIS, which is a web server.
Web Server Certificates
Presentation Notes
Importance of certificates and how to obtain them. SSL (Secure Sockets Layer) provides an encrypted connection (https). SSL certificates (also called digital certificates) verify that the web address actually belongs to that organization (i.e. the site is safe).
Types of Certificates
1. CA Certificate - should be used for production systems, particularly if your deployment of ArcGIS Server is going to be accessed from users outside your organization
2. Domain Certificate - an internal certificate signed by your organization's certificate authority
3. Self-Signed Certificate - commonly used on websites that are only available to users on the organization's internal (LAN) network
Presentation Notes
A CA (certificate authority) is usually a trusted third party that can attest to the authenticity of a website (e.g. Go Daddy). Domain and self-signed certificates are free and easy to create. To create a domain certificate, you cannot be logged in as a local administrator.
Domain Certificate Creation & Installation
• Create new domain certificate
• Apply certificate to bindings in IIS
• Import certificate to ArcGIS Server (optional)
• Import certificate to Portal for ArcGIS
Do NOT follow these instructions from ESRI to generate a certificate.
mmc.exe > certlm
Presentation Notes
Due to recent updates to the Chrome and Firefox browsers, ESRI now recommends this workflow for creating certificates; their documentation has not yet been updated to reflect this. Go to mmc.exe (Certificates – Local Computer), not certmgr.msc (Certificates – Current User).
mmc.exe > certlm
Presentation Notes
File > certlm > Personal > right-click Certificates > All Tasks > Request New Certificate
New Web Server Certificate
Presentation Notes
New requirement from the browser updates: the Subject Alternative Name (DNS) must be set to the FQDN.
Create a password! Export with the private key. Copy and paste to Enterprise Trust as well.
Export Certificate
Presentation Notes
Create a password! Export with the private key. Copy and paste to the Enterprise Trust folder as well.
IIS Manager – SSL Certificate
Presentation Notes
Define ports 80 and 443. Default Web Site > Bindings > Edit port 443 > add the newly created certificate.
IIS Manager
Presentation Notes
ESRI recommends leaving bindings in IIS unassigned (* instead of a specific IP), and they don’t usually use duplicate ports. http [::1], https [::1]: ‘::1’ is localhost in IPv6, i.e. the IPv6 loopback address.
Server Administrator Directory
Presentation Notes
Updating the certificate on the Server is not necessary unless you will have users accessing your REST endpoint directly and do not want them to receive a certificate error. Otherwise, importing to Portal should be enough. You can leave the default self-signed certificate (SSC) on Server.
Server Administrator Directory
Presentation Notes
Again, your certificate name will be your fully qualified domain name.
Presentation Notes
Once your certificate is imported, go back to your machine and edit to apply the certificate.
Presentation Notes
Enter the name of your new certificate…
Presentation Notes
…and then the new name will be reflected here.
Portal Administrator Directory 10.4
Presentation Notes
Similar process in Portal 10.4: import the certificate, then edit Portal to use the new certificate.
Portal Administrator Directory 10.5
Presentation Notes
Portal 10.5 looks a bit different but uses the same steps.
Portal Administrator Directory 10.5
Presentation Notes
Update Portal
Presentation Notes
Here the certificate is actually changed from “portal” to the domain certificate.
Presentation Notes
Certificate name will update here.
Portal Security Settings
Presentation Notes
I’m going to quickly show you a couple of Portal security settings: http://server.arcgis.com/en/portal/latest/administer/windows/security-best-practices.htm#ESRI_SECTION1_42767D241AA54256A1CC9255CCD6108E
Portal > Edit Settings 10.4
Presentation Notes
Create new Role called Viewer. Change DEFAULT ROLE from User to Viewer.
Portal > Edit Settings 10.5
Presentation Notes
A Level 1 user is the most basic user level. Level 1 users are content viewers and do not have privileges to own items. This level corresponds to the Esri default Viewer role in Portal for ArcGIS. A Level 2 corresponds to the Esri default roles of User, Publisher, and Administrator. Level 2 users are content contributors and have privileges to create content and conduct other tasks within Portal for ArcGIS.
Portal Identity Store Options
• Built-in Portal Identity Store
  • Portal admin controls user creation
• Integrated Windows Authentication (IWA)
  • Single-sign-on experience
• Active Directory Federation Services (AD FS)
  • Security Assertion Markup Language (SAML) authentication
If you choose to use the built-in store, there are ways to create multiple users at once through a command script.
Ideal Uses
Built-in Identity Store: Large Organizations
IWA: Small Organizations
AD FS: Exposed Organizations
Security: Integrated Windows Authentication
Presentation Notes
JSON for configuring IWA. Provide the user name and password for an account with a non-expiring password.
SQL Server: RDBMS (Relational Database Management System)
Data Storage
Presentation Notes
Many of you are familiar with seeing ArcGIS Enterprise illustrated like this (left). But it’s important to understand that your data resides in an RDBMS outside of Server (or in registered folders), assuming that you are not copying data to your Server.
SQL Server
• The machine running ArcGIS Server requires native client software
• SQL Server Management Studio (SSMS) should not be installed on a virtual machine for performance reasons
• User and default schema must match
ArcCatalog – Add Database Connection
Presentation Notes
Use database authentication for the most control over your data.
SQL Server Management Studio (SSMS)
SQL Server Instance
Data
Presentation Notes
Mainly going to deal with instance-level logins (which also show up as users within a database) and user schemas, which are specific to the database. But while we’re here, I’m also going to show you the difference between server roles and database roles.
db_datawriter
db_datareader
Presentation Notes
Lots of info here – mainly take note of “db_datareader” and “db_datawriter.”
Create New SQL Database Login
Presentation Notes
Right-click Logins to create a new login at the Instance level.
Presentation Notes
Server Roles provide server-wide permissions.
Presentation Notes
User Mapping controls database-specific role membership. We want to assign a user-specific schema that has not yet been created, so we’re going to see what happens if we leave these two fields blank.
Create New Database Schema
Presentation Notes
At the database level, in the Security folder, create a new schema. Schemas can be assigned at the table level as well.
Presentation Notes
This is basically a user’s permissions schema. Assign permissions.
Apply New Schema
Presentation Notes
db_krikli is not a schema option yet for Data because we didn’t create it there. dbo is the default schema that was assigned when we left the field blank. Best practice would be to assign db_datareader as a placeholder until a unique user schema is created.
ArcCatalog – Database Server
For this workflow you must be logged into your machine as a server administrator.
Presentation Notes
This creates a domain user and schema in SQL.
Effects in SSMS
Domain user kkeeley has been added to all databases.
A user schema has also been created in all databases.
Effects in SSMS
New user schema does not contain any permissions
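The SSMS clicks above (instance-level login, user mapping, database roles, user schema) and the one-step result of the ArcCatalog Database Server workflow, written out as T-SQL. This is an added example, not code from the presentation or from Esri; the database name Data, the domain login DOMAIN\kkeeley and the matching schema name are assumed placeholders, and unlike the slides it creates the schema before mapping the user, so no dbo or db_datareader placeholder default schema is ever needed.

```sql
-- Added example (not from the presentation). Placeholders: database [Data],
-- domain account [DOMAIN\kkeeley]. Run in SSMS as an instance administrator.
USE [master];
GO
-- 1. Instance-level login for the Windows account. No fixed server role is
--    granted: server roles such as sysadmin give instance-wide rights that a
--    GIS data user does not need.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'DOMAIN\kkeeley')
    CREATE LOGIN [DOMAIN\kkeeley] FROM WINDOWS;
GO
USE [Data];
GO
-- 2. Database user mapped to the login (the "User Mapping" page in SSMS).
CREATE USER [DOMAIN\kkeeley] FOR LOGIN [DOMAIN\kkeeley];
GO
-- 3. Schema named exactly like the user and owned by the user, then set as
--    the user's default schema. This is the "user and default schema must
--    match" rule from the SQL Server slide; creating the schema first avoids
--    the dbo fallback seen when the field was left blank.
CREATE SCHEMA [DOMAIN\kkeeley] AUTHORIZATION [DOMAIN\kkeeley];
GO
ALTER USER [DOMAIN\kkeeley] WITH DEFAULT_SCHEMA = [DOMAIN\kkeeley];
GO
-- 4. Database roles: read and write all tables in this database only
--    (the db_datareader / db_datawriter boxes in the User Mapping dialog).
ALTER ROLE db_datareader ADD MEMBER [DOMAIN\kkeeley];
ALTER ROLE db_datawriter ADD MEMBER [DOMAIN\kkeeley];
GO
-- 5. "New user schema does not contain any permissions": owning the schema
--    lets the user alter it, but creating tables in it still needs the
--    database-level CREATE TABLE permission. Grant only that, nothing wider.
GRANT CREATE TABLE TO [DOMAIN\kkeeley];
GO
-- 6. Check: list database users whose default schema does not match their
--    name (and is not dbo). An empty result means the rule above holds.
SELECT dp.name AS user_name, dp.default_schema_name
FROM sys.database_principals AS dp
WHERE dp.type IN ('S', 'U')                          -- SQL and Windows users
  AND dp.name NOT IN ('dbo', 'guest', 'INFORMATION_SCHEMA', 'sys')
  AND (dp.default_schema_name IS NULL
       OR dp.default_schema_name NOT IN (dp.name, 'dbo'));
GO
```

The final query is the one to rerun after the ArcCatalog Database Server workflow, since that workflow creates the user and schema but grants no permissions on them.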
Questions?
Thank you!
Presentation Notes
Special Thanks to Zach, Ryan, and Andrew from ESRI Support.