HTTPS is a means of encrypting communications to and from a web server. HTTPS also allows a client application the ability to confirm the identity of the web server. When using HTTPS, each web server where HTTPS is enabled must send a certificate to clients. The certificate contains a statement of identity (gis.mycity.gov) and a public key that the client can use to send encrypted information to the web server.
Portal for ArcGIS often transmits information that needs to be encrypted; therefore, HTTPS is always enabled in the portal. It’s strongly recommended that the certificate used be signed by a corporate (internal) or commercial Certificate Authority (CA). The portal itself comes with a self-signed certificate. A self-signed certificate means that a client can’t verify the identity of the server. Replacing the self-signed certificate with a CA-signed certificate greatly improves the security of your deployment.
There are two ways to use a CA-signed certificate with the portal:
- Generate new CA-signed certificate—Generate a certificate signing request (CSR), have it signed by your CA, and then import it into the portal.
- Use an existing CA-signed certificate—If you already have an existing CA-signed certificate assigned to the portal machine, import it into the portal.
Note:
These workflows apply to HTTPS communication with Portal for ArcGIS over port 7443 only. To generate or import a CA-signed certificate for the web adaptor, please consult the documentation for the web server where the web adaptor is installed.
For full instructions on these processes, see the steps in the sections below.
Generate new CA-signed certificate
You can enable HTTPS using a new certificate signed by a corporate (internal) or commercial CA. The steps are:
Generate a new certificate
- Sign in to the ArcGIS Portal Directory as an Administrator of your organization. The URL is in the format https://webadaptorhost.domain.com/webadaptorname/portaladmin.
- Click Security > SSLCertificates > Generate.
Note:
If your portal is highly available, you should instead navigate to Machines > [machine] > SSLCertificates > Generate, then repeat the following steps for each portal machine. - In the Generate Certificate page, enter the following information:
- Alias—A unique name that identifies the name of the certificate (for example, portalcert).
- Key Algorithm—RSA (the default) or DSA.
- Key Size—Specifies the size (in bits) used when generating the cryptographic keys used to create the certificate. The larger the key size, the harder it is to break the encryption; however, the time to decrypt encrypted data increases with key size. For RSA, the recommended key size is 2,048 or greater. For DSA, the key size can be between 512 and 1,024.
- Signature Algorithm—Use the default (SHA256withRSA). If your organization has specific security restrictions, then one of the following algorithms can be used with DSA: SHA384withRSA, SHA512withRSA, SHA1withRSA,SHA1withDSA.
- Common Name—This field is optional and is used for backwards compatibility with older web browsers and software. It is recommended to use the fully qualified domain name of your portal machine as the common name.
- Organizational Unit—A department name that would be meaningful to a user of your site (for example, GIS Department).
- Organization—The name of your organization (for example, Esri).
- City or Locality—The name of your city or locale (for example, Redlands).
- State or Province—The name of your state or province (for example, California).
- Country Code—The two-letter country code where your organization resides (for example, US).
- Validity—The number of days the certificate will be valid (for example, 365).
- Subject Alternative Name—The subject alternative name (SAN) is used to validate that the SSL certificate presented by the website being accessed was issued for that website.
If this parameter is left empty, the fully qualified domain name of the local machine is used as the default value. The SAN field supports multiple values; however, it must include the fully qualified domain name of the website. The SAN parameter value cannot contain spaces.
Using SAN, a certificate allows the use of different URLs to access the same website. For example, the URLs https://www.esri.com, https://esri, and https://10.60.1.16 can be used to access the same site if the certificate is created using the following parameter values:
CN=www.esri.com
SAN=DNS:www.esri.com,DNS:esri,IP:10.60.1.16
- Click Generate. A link to your certificate appears on the certificates page.
Request a CA to sign your certificate
In order for web browsers to trust your certificate, it must be verified and countersigned by a CA, such as your organization, Verisign, or Thawte.
- On the certificates page, click the name of your certificate.
- Click GenerateCSR. On the Generate CSR page, copy the CSR content and paste it into a file. Save the file with the .csr extension (for example, portalcert.csr).
- Submit the CSR to a CA. It's recommended you obtain a Distinguished Encoding Rules (DER) or Base64 encoded certificate. If the CA requests the type of web server the certificate is for, specify Other\Unknown or Java Application Server. After verifying your identity, the CA will send you a file with the .crt or .cer extension.
- Save the signed certificate received from the CA to a location on your portal machine. In addition to the signed certificate, the CA will also issue a root certificate. Save the CA root certificate to your portal machine.
- Sign in to the ArcGIS Portal Directory as an Administrator of your organization. The URL is in the format https://webadaptorhost.domain.com/webadaptorname/portaladmin.
- Click Security > SSLCertificates > Import Root or Intermediate.
Note:
If your portal is highly available, you should instead navigate to Machines > [machine] > SSLCertificates > Import Root or Intermediate, then repeat the following steps for each portal machine. - Browse to the location of the root certificate provided by the CA. Click Import. If the CA issued any additional intermediate certificates, import those as well. Portal for ArcGIS will restart automatically for each imported certificate. Do not import the signed certificate.
- Return to the SSLCertificates page.
- Click the name of the certificate you generated in the previous section (for example, portalcert).
- Click Import Signed Certificate and browse to the location of the signed certificate you received from the CA.
- Click Import. The certificate you created in the previous section is replaced with the CA-signed certificate.
Configure Portal for ArcGIS to use the CA-signed certificate
- Sign in to the ArcGIS Portal Directory as an Administrator of your organization. The URL is in the format https://webadaptorhost.domain.com/webadaptorname/portaladmin.
- Click Security > SSLCertificates > Update.
Note:
If your portal is highly available, you should instead navigate to Machines > [machine] > SSLCertificates > Update, then repeat the following steps for each portal machine. - In the Web server SSL Certificate field, enter the alias of the CA-signed certificate. The alias you specify should match the alias of the certificate that was replaced with the CA-signed certificate in the previous section.
- Click Update.
The CA-signed certificate will now be used for HTTPS.
Verify you can access your portal using HTTPS
Test the following URL to verify that you can access the portal using HTTPS: https://portalhost.domain.com:7443/arcgis/home.
Use an existing CA-signed certificate
If you already have a certificate issued by a corporate (internal) or commercial CA, you can use this certificate to enable HTTPS.
Import the root CA certificate
- Sign in to the ArcGIS Portal Directory as an Administrator of your organization. The URL is in the format https://webadaptorhost.domain.com/webadaptorname/portaladmin.
- Click Security > SSLCertificates > Import Root or Intermediate.
Note:
If your portal is highly available, you should instead navigate to Machines > [machine] > SSLCertificates > Import Root or Intermediate, then repeat the following steps for each portal machine. - Browse to the location of the root certificate provided by the CA. Click Import. If the CA issued any additional intermediate certificates, import those as well. Do not import the CA-signed certificate.
- Restart the Portal for ArcGIS service.
Import the existing CA-signed certificate
Caution:
To import the certificate into your portal, the certificate and its associated private key must be stored in the PKCS#12 format, which is represented by a file with either the .p12 or .pfx extension.
- Click Security > SSLCertificates > Import Existing Server Certificate.
Note:
If your portal is highly available, you should instead navigate to Machines > [machine] > SSLCertificates > Import Existing Server Certificate, then repeat the following steps for each portal machine. - On the Import Existing Server Certificate page, specify the following information:
- Certificate password—Enter the password to unlock the file containing the certificate.
- Alias—Enter a unique name that easily identifies the certificate (for example, rootcert).
- Browse to the location of the existing CA-signed certificate. Click Import.
Configure Portal for ArcGIS to use the CA-signed certificate
- Click Security > SSLCertificates > Update.
Note:
If your portal is highly available, you should instead navigate to Machines > [machine] > SSLCertificates > Update, then repeat the following steps for each portal machine. - In the Web server SSL Certificate field, enter the alias of the existing CA-signed certificate.
- Click Update.
The existing CA-signed certificate will now be used for HTTPS.
Verify you can access your portal using HTTPS
Test the following URL to verify that you can access the portal using HTTPS: https://portalhost.domain.com:7443/arcgis/home.