SSP has implemented several ArcGIS Server / ArcGIS Online (AGOL) solutions for our clients, each with their own set of intricacies depending on infrastructure and/or other IT requirements. When we set up our pattern of implementing these solutions, we never really had an issue with SSL Certificates until recently. Therefore, a quick post was in order to explain a few things when setting up your environment.
As part of the overall strategy when connecting your ArcGIS Server to the internet in order to expose your data to AGOL, a commercial Certificate Authority (CA) certificate is required. Self-signed certificates should only be used internally to your organization for testing purposes.
There are many places to purchase an SSL certificate on the internet. Some are inexpensive and require little proof that you own the domain; others are more stringent. Several certificate providers (CAs) are well known and trusted by all browsers; others are not.
In a recent example, the certificate was purchased from one of those “others” and was not recognized by any browser. Even a certificate purchased from a well-known company can present a challenge, because an intermediate root certificate may need to be installed on the web server as an extra step. If the CA chain is incomplete or not trusted, you will know immediately from a message like the following in your browser (IE shown):
To compound this issue, AGOL will not allow you to store the credentials for a secured service with your map. The option to save the credentials will not be present at all, so the user would have to enter their credentials each and every time they want to use the service. If you do not see the “option to save” as shown below, your site is not properly secured.
Here are some simple guidelines to follow:
- Follow the instructions for securing your ArcGIS Server completely. (Configuring ArcGIS Server security)
- Purchase a well-known and trusted certificate (Comodo, GeoTrust, GoDaddy*, Thawte, Verisign, to name a few)
- Test your setup from inside and outside your firewall
- If you get a certificate error, investigate the issue and correct it – do not work around it by trusting the broken certificate in your browser – that will not fix the AGOL credential storage issue
- Once working properly, use a secured site analyzer (https://www.ssllabs.com/ssltest/) to make sure that your web server is not vulnerable to attack (disable SSL 3.0, use a minimum of TLS 1.0, patch OpenSSL for the Heartbleed attack, etc)
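A quick way to run the “test from outside your firewall” step against your own server, as an added example that is not part of the original post: it opens a TLS connection the way a browser would, using the operating system's trust store, and maps the common OpenSSL verification failures (the error strings are assumed to match OpenSSL's wording) to the likely fix on the web server, such as a missing intermediate certificate.

```python
import socket
import ssl
import sys

# Common OpenSSL verify messages mapped to the likely cause on the web server.
# Constructed mapping; the match strings assume OpenSSL's usual wording.
VERIFY_HINTS = {
    "unable to get local issuer certificate": "chain incomplete: install the CA's intermediate certificate on the web server",
    "self signed certificate": "self-signed certificate: acceptable only for internal testing",
    "self-signed certificate": "self-signed certificate: acceptable only for internal testing",
    "certificate has expired": "certificate expired: renew it with the CA",
    "hostname mismatch": "certificate does not cover this host name: reissue it for the public DNS name",
}


def classify_verify_error(message: str) -> str:
    """Turn an OpenSSL verification failure into an actionable hint."""
    lowered = message.lower()
    for needle, hint in VERIFY_HINTS.items():
        if needle in lowered:
            return hint
    return "unrecognised verification failure: " + message


def check_tls_endpoint(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect like a browser outside the firewall and report what it sees."""
    context = ssl.create_default_context()  # system trust store, hostname check on
    result = {"host": host, "trusted": False, "tls_version": None, "hint": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=host) as tls:
                # Reaching this point means the full chain validated and the name matched.
                result["trusted"] = True
                result["tls_version"] = tls.version()
                result["subject"] = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
    except ssl.SSLCertVerificationError as exc:
        result["hint"] = classify_verify_error(exc.verify_message or str(exc))
    except (ssl.SSLError, OSError) as exc:
        # Handshake failures (e.g. no common protocol version) and network errors
        result["hint"] = f"connection failed: {exc}"
    return result


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "gis.example.org"  # hypothetical host
    print(check_tls_endpoint(target))
```

Run it from a machine on the public internet against your ArcGIS Server's public name; a `trusted` of `False` with a chain hint means the browser (and AGOL) will see the same problem.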
We hope you find these tips useful in successfully implementing your ArcGIS Server / AGOL environment. Now start publishing and using those cool Esri apps!
*In some cases, you will need to install the intermediate root certificate with GoDaddy certificates. Please follow their published instructions to avoid issues.