Configuring Security

You can use the Manager (in ArcGIS Server 9.3) to configure and setup security. All the security related options are grouped under a new menu called 'Security' in the Manager.

Through the new 'Security' menu, you can configure and setup Principal Store, manage users and roles, export Token Service and enable security on your GIS Server.

This document will cover each of the security options in detail.

Option : Settings

This option allows you to configure and setup the Principal Store, choose the authentication mechanism for securing your GIS services and enable security on your GIS Server.

Each of the tabs are covered here in detail.

Tab : Security for GIS Services

The GIS Server will start challenging user requests only when security is enabled.

Enabling Security

Before enabling security on your GIS Server, you need to configure and setup a Principal Store (that contains user and role information) and apply permissions on your GIS services and Web Applications. Ideally, enabling security on your GIS Server must be last step in setting up a secured site.

To enable security on your GIS Server, you need to click the checkbox on this page and choose the authentication scheme for securing your GIS services.

ArcGIS Server at 9.3 provides 2 authentication schemes to secure your GIS services namely the Java EE Managed Authentication and ArcGIS Managed Authentication based on Tokens.

Java EE Managed Authentication

The permission information is written to the WEB.xml file for the service handler applications (REST and SOAP) deployed in the internal Java EE containers. The internal web container will challenge user requests to the secured GIS services.

Note**: This authentication mechanism is available only when the Principal Store is configured to be the Default Database.
Note**: When using this authentication mechanism, you need to have atleast 1 role access to a resource (which can be a folder or a service).
Note**: Special Roles (like Everyone, Authenticated, Anonymous) are have no meaning for Java EE Managed Authentication. The system cannot restrict you from adding the Special Roles access to the resources but Java EE Managed Authentication cannot provide you with the behavior exposed by these roles. These roles can only be used with the ArcGIS Managed Authentication based on Tokens.
Note**: Everytime you change the permissions on a resource and you are using Java EE Managed Authentication, you need to click the 'Save' button on the Security for GIS Services tab under Security > Settings page. This will re-deploy the service handlers with the updated permissions.




ArcGIS Managed Authentication based on Tokens

When you select ArcGIS Managed Authentication based on Tokens, you will also need to setup your Token Service. You can start a Token Service on your ArcGIS Server instance or choose to use a Token Service that has been running on some other machine.

Note**: This authentication mechanism is available when Principal Store is configured to use any of the supported data stores.

To start a Token Service on your ArcGIS Server instance, you need to configure the expirations times and enter a key (text string) that the Token Service will use to encrypt the tokens.







For more information on tokens and Token Service, see the 'Tokens and Token Service' topic in the documentation.

Disabling Security
Note**: By disabling security, all your GIS services and applications will be accessable to all. Please use caution while proceeding with this step.

To disable security, you need to perform the following steps:

1. Stop the Server Object Manager (SOM)
2. Edit the 'Server.dat' file located at /<arcgis_home>/server/system. Change the value of 'SecurityEnabled' element from 'true' to 'false' and save the changes.
3. Start the Server Object Manager (SOM)
4. Log into the Manager. Go to Security > Settings page. In the 'Security for GIS Services' tab, verify that the checkbox is unchecked and click the 'Save' button to disable security.

Tab : Security Store

ArcGIS Server at 9.3 ships with a light-weight embedded database system. By default, the Principal Store (also called Security Store) is configured to use this database to maintain user and role information. But you can configure ArcGIS Server to use user and role information present a Relational Database (for example: Microsoft's SQL Server or MySQL etc) or Directory Server (for example: LDAP or Microsoft's Active Directory) or a combination of both. You can also configure the ArcGIS Server to access this information from a proprietary store by writing extensions (using the principal store API) and then setting it up so that Manager will connect to your proprietary store through your extension.

For more information on how to write extensions using the Principal Store API, see the Extending the Principal Store topic in the documentation.

The table below shows the different combinations of data stores that can be used with the ArcGIS Server as a Principal Store. The attribute (for example: (R/W)) associated with each of the store means R=read access and W=write access. ArcGIS can R/W to a relational database but only read information present in a Directory Server.

The screenshot below shows the web page for configuring the Security Store.

Security Store Configuration

You begin setting up the Security Store by clicking the 'Configure' button on the Security Store page. This will bring up a wizard that will help you setup the user and role store individually. The wizard will only allow the supported configuration for user and role stores (see the table above).

Step 1 of 3: Configure a User Store

Select the store which will hold user information. Enter the connection parameters (so that ArcGIS can connect and access the information) for the data store by clicking the 'Configure' button associated with the particular data store.







Step 2 of 3: Configure a Role Store

Select the store which will hold the role information.







Step 3 of 3: Security Store Configuration Summary

This page summarizes the store configuration. If you are satisfied with the configuration you can click 'Finish' or make the necessary edits.






Note**: If you have changed the Security Store configuration after you have enabled security on your GIS Server, you need go to Security for GIS Services tab under Security > Settings and click the 'Save' button. This will re-deploy all the service handlers with the latest Security Store configuration.

Configuring External Database

ser and role information can be maintained in a relational database server other than the embedded database (default database). While choosing the type of store for users and roles, if you select the 'External Database' option and click 'Configure' button, a dialog will pop up that will ask you for connection parameters to this external database.

The screenshot below shows the dialog for configuring an external database.

The table below describes each of the fields and buttons in the 'Configure External Database' dialog:

For more information on the JDBC driver (classname) and JDBC URL please read the documentation for your database server.

Configuring LDAP

ArcGIS Server can leverage user and role information that is available in an LDAP. The Server treats LDAP as a read-only source of user/role information and hence you cannot use Manager to add/edit/delete users or roles from the LDAP.

The screenshot below shows the dialog for configuring an LDAP as a user store.

The following table describes each of the fields and buttons in 'Configure LDAP' dialog:

ArcGIS Server can use the role information in an LDAP maintained in the following 2 ways:

Role as Entry

Here, every role is an independent node in the LDAP tree. Each of these nodes is uniquely identifiable by its DN. Users (identified by its unique DN) that have been assigned to this role are maintained as values to some attribute of this node.

For example: Roles maintained as independent entries within an LDAP

DN:CN=Editors,OU=Roles,DC=mycompany,DC=com

CN:Editors

Description:Groups of editors

uniqueMember: CN=User1,OU=Users,DC=mycompany,DC=com

uniqueMember: CN=User2,OU=Users,DC=mycompany,DC=com

uniqueMember: CN=User3,OU=Users,DC=mycompany,DC=com







Role as Attribute

Here, every role is maintained as a value of the user node's attribute. Each role can either be a string or some DN of a node that holds the role information.

For example: Roles maintained a attribute information for a user entry

DN: CN=User1,OU=Users,DC=mycompany,DC=com

CN=User1

SN=User1

Description:Editors

Description:Viewers

Description:Administrators

The screenshot below shows the dialog for configuring the LDAP as a role store when roles are maintained as an independent entry.

The following table describes each of the fields of the dialog:

The screenshow below shows the dialog for configuring the LDAP as a role store when the roles are maintained as attribute information of a user entry.

The following table describes each of the fields of the dialog:

Configuring Active Directory

ArcGIS Server can leverage user and role information that is available in Microsoft's Active Directory. The Server treats Active Directory as a read-only source of user/role information and hence administrators cannot use the Manager to add/edit/delete users or roles.

The screenshot below shows the dialog for configuring an Active Directory as a user store.

The following table describes each of the fields of the dialog:

ArcGIS Server can leverage role information maintained in the following 2 ways:

Role as Entry

Here, every role is an independent node in the Active Directory tree. Each of these nodes is uniquely identifiable by its DN. Users (identified by its unique DN) that have been assigned to this role are maintained as values to some attribute of this node.

For example: Roles maintained as independent entries within an Active Directory

DN:CN=Editors,OU=Roles,DC=mycompany,DC=com

CN:Editors

Description:Groups of editors

uniqueMember: CN=User1,OU=Users,DC=mycompany,DC=com

uniqueMember: CN=User2,OU=Users,DC=mycompany,DC=com

uniqueMember: CN=User3,OU=Users,DC=mycompany,DC=com







Role as Attribute

Here, every role is maintained as a value of the user node's attribute. Each role can either be a string or some DN of a node that holds the role information.

For example: Roles maintained a attribute information for a user entry

DN: CN=User1,OU=Users,DC=mycompany,DC=com

CN=User1

SN=User1

Description:Editors

Description:Viewers

Description:Administrators

The screenshot below shows the dialog for configuring the Active Directory as a role store when roles are mainatained as independent entry.

The following table describes each of the fields of the dialog:

The screenshow below shows the dialog for configuring the Active Directory as a role store when roles are maintained as attribute information of user entries.

The following table describes each of the fields of the dialog:

Option : Users

The 'Users' under the 'Security' menu are users that consume the services published by the ArcGIS Server over the web (SOAP/REST). Hence these users are also called 'Web Users'.

The Manager accesses this user information from the user store that is configured while configuring the Security Store.

For more information on how to setup the user store, please see the 'Configuring Security Store' topic of the documentation.

Adding a new user

The 'Users' link under the 'Security' tab lists all the web users currently in the system. To add a new user, click the 'Add User' button on the page. A dialog box will open in which you can enter user information.

The table below describes each of the fields in the 'Add User' dialog.

When the user information is added to the dialog, click the 'Save' button.

Deleting a user

The 'Users' link under the 'Security' tab lists all the web users currently in the system. To delete a particular user, click the Delete icon for the particular user.

Editing user information

To edit information associated with a particular user, click on the Edit icon for the particular user. This will open a dialog that is similar to the Add User dialog. You can take away the assigned roles by moving the roles out of the Member Of list.

Listing assigned roles

To view the roles that are assigned to a particular role, click the '+' icon for a particular user.

Option : Roles

A 'role' can be considered as an entity that has been assigned certain privileges. In a role based access control system you assign privileges to roles instead of an individual user. When a user is added to a role, the user automatically inherits all the privileges assigned to the role.

The Manager accesses this role information from the role store that is configured while configuring the Security Store.

For more information on how to setup the role store, please see the 'Configuring Security Store' topic of the documentation.

Adding a new role

The 'Roles' link under the 'Security' tab lists all the roles currently in the system. To add a new role, click the 'Add Role' button on the page. A dialog box will open in which you can enter role information.

The table below describes each field of the 'Add Role' dialog:

Deleting a role

The 'Roles' link under the 'Security' tab lists all the roles currently in the system. To delete a particular role, click the Delete icon for the particular role.

Editing role information

To edit information associated with a particular role, click on the Edit icon for the particular role. This will open a dialog that is similar to the Add Role dialog. You can take away the users to which this role has been assigned by moving the users from Role Members list to Available Users list.

Listing users that are assigned a role

To view the users that are currently being assigned to a particular role, click the '+' icon.

Option : Exporting Token Service

The 'Exporting Token Service' link under the 'Security' provides you with an ability to export the token service web application so that it can be deployed in a application server. You can deploy the token service web application onto a centralized application server that is accessible to all the instances of the ArcGIS Server in a distributed system.

You can configure the Token Service to look up user and role information from the configured Security Store or you can setup a new Security Store configuration for this exported Token Service. You also need to enter a shared key that will be used to encrypt/decrypt the token generated by the token service and the short lived (default) and long lived (maximum) token expiration times.

For more information on the Token Service, see the 'Token Service' topic in the documentation.

When the 'Export' button is clicked, Manager generates a '.WAR' file that can be deployed on any web server.

Securely Deploying Token Service

When deploying a Token Service application in an application container (web server), you need to make sure that SSL (Secure Socket Layer) is enabled on the application container. Users must consume your token service over HTTPS (secure HTTP). SSL technology allows clients and web servers to communicate over a secure channel. When the channel is secured using SSL, data sent over it is encrypted.

When fetching tokens from the token service, you need to send your username and password. To avoid any sniffing of plain text password fields over the wire, it is highly recommended that you use token service over an SSL connection.

For more information on setting up SSL for you application container, please see the relevant topics in the web server documentation.