Setting up SSL

Release 9.3 E-mail This Topic Printable Version Give Us Feedback

This topic describes how to set up your Internet Information Server (IIS) Web server to serve Web pages and other resources via Hypertext Transfer Protocol Secure (HTTPS). HTTPS is the standard approach for secure communications between client and server over the Internet. HTTPS enables the communication to be encrypted so that if it is intercepted, the third party cannot easily view and use the information. You should ensure that any sensitive information transferred to your server is secured through HTTPS. Any login should use HTTPS, as should pages that transfer data that you do not wish to be viewed by parties other than the end user.

To serve pages and other resource via HTTPS, you must obtain and install a certificate for Secure Sockets Layer (SSL) on the IIS server. Normally you obtain the SSL certificate from a certificate authority (CA) that is generally recognized by browsers and other Internet-capable client software. If the certificate is issued by a CA that is recognized by the browser, the communication with the server occurs with no special action required by the user. Hence for production servers, obtaining a CA-issued certificate is highly recommended. See Obtaining and installing an SSL certificate from a certificate authority for information.

Once you have an SSL certificate installed, you can access Web pages and other resources on the server using HTTPS. If the resource carries sensitive information, it is recommended that you require clients to use HTTPS to use the resource. See Requiring the use of HTTPS for details.

For development and testing purposes, using a self-signed SSL certificate may be adequate. Browsers and other clients will not automatically accept such certificates and will display a warning message for the certificate. See Using a self-signed SSL certificate for details.

Determining whether a SSL certificate is installed

If you are not certain whether a SSL certificate is installed on your IIS Web server, follow the steps below.
  1. Open Internet Information Services (IIS) Manager, from Control Panel - Administrative Tools.
  2. In the left pane of IIS Manager, expand the tree to find your server, then Web Sites within your server, then Default Web Site. (If additional Web Sites have been created, you may need to apply these steps to the one where your ArcGIS Server instance website is installed.)
  3. Right-click on Default Web Site and choose Properties from the context menu. The Properties window for the web site opens.
  4. In the Properties of the website, click the Directory Security tab. Under the Secure communication section of this tab panel, if a View Certificate button appears, then an SSL certificate has been installed. If a Request Certificate button appears, then no SSL certificate has been installed.

Obtaining and installing an SSL certificate from a certificate authority

This section outlines the procedure for obtaining and installing an SSL certificate from a certificate authority (CA). For complete information, please consult your system administrator, outside consultant, or other resources on security. See this page at Microsoft for more information on using SSL in IIS: Using SSL to Encrypt Confidential Data.

  1. Create a request for a certificate using IIS Manager. For instructions, see Request a Server Certificate. (This applies to Windows Server 2003. Other products may differ.)
  2. Send the request to a recognized certificate authority. For a list of CAs that work with Microsoft software, see Microsoft Root Certificate Program Members.
  3. Once you obtain the certificate, install the certificate into the IIS server. For instructions, see Install a Server Certificate. (This page applies to Windows Server 2003. Other products may differ.)

After the certificate is installed, clients can access pages and other resources using the HTTPS protocol. You can also require that HTTPS be used when accessing a resource.

If you later need to remove an SSL certificate, please refer to IIS documentation on tools such as HTTPCfg (for Windows XP/Server 2003) or netsh (for Vista/Server 2008).

SSL port on the Web server

SSL requests to the Web server are sent to a specific port on the server. A port (or TCP port) tells the destination machine what program will handle the request. By default, Web servers handle SSL requests on port 443. If the default port is used, then clients do not need to specify the port in the request. If a non-default port is set on the Web server, then URLs must include it, for example, https://gis.example.com:8443/mywebapp.

You can use a non-default SSL port for your IIS Web site, but you should set it before installing ArcGIS Server (specifically, the ArcGIS Server Web applications, or ArcGIS instance). If you install your ArcGIS Server instance, and then configure SSL to non-default port, you may need to update the SSL port value in ArcGIS Server. Likewise, if you change the SSL port after configuring security for your ArcGIS Server, then you will need to update ArcGIS Server with the new port number.

You only need to update the SSL port in ArcGIS Server if you have enabled or intend to enable security for GIS Web services, and the security will use tokens. The services security will use tokens if you store users in SQL Server or a custom provider.

To update the ArcGIS Server instance with a new or non-default SSL port number:

  1. Using a text or XML editor, open the file <ArcGIS instance>\Security\web.config. The <ArcGIS instance> is typically the folder C:\Inetpub\wwwroot\ArcGIS, but if you have a different location for your IIS Web Site, or installed the ArcGIS Web applications to another name, locate the folder and use its Security folder.
  2. In the security web.config, find this setting (your SSL port value may differ):

    <add key="SSLPort" value="443" />

    and change the value to to new SSL port number. Save and close the file.
  3. If you have not yet configured security, you may skip the remaining steps for now. Otherwise, open ArcGIS Server Manager, log in, and go to Security-Settings. Click Configure in this panel.
  4. Follow the wizard to configure security to the user and role location desired. Even if you have previously configured security, you need to repeat the process to have the new SSL port picked up.
  5. After completing the security wizard, test access to your secured services to confirm that the settings have been applied correctly.

Requiring the use of HTTPS

You should require clients to use HTTPS to access Web pages and resources with sensitive data. This includes login pages but may also include whole Web applications.

Using HTTPS adds overhead to communications between client and server. Use or require HTTPS only for resources that should not be disclosed to third parties.

If you want to require HTTPS for an ArcGIS Server service or folder, you can use ArcGIS Server to require HTTPS. For details, see Requiring HTTPS for folders and services in the topic Securing Internet connections to services.

You can also use the IIS Web server to require HTTPS (SSL) for a Web application, Web page or other resource:

  1. Start IIS Manager by opening Control Panel, then Administrative Tools, then Internet Information Services.
  2. Expand the Web Sites node and, in turn, expand the Web site that contains the resource to restrict to HTTPS. By default, IIS serves sites in the Default Web Site. In the Web site, navigate through the tree to find the Web application, folder, Web page, or other resource you want to restrict to HTTPS.
  3. Right-click the resource and choose Properties. The Properties dialog box opens for the resource.
  4. Click the Directory (or File) Security tab. On this tab, in the Secure Communications area, click the Edit button. If this button is not available, then the IIS server does not have an SSL certificate installed. See the previous section "Obtaining and installing an SSL certificate from a certificate authority" to obtain and install a certificate.
  5. On the Secure Communications dialog box that opens, check the box to Require secure channel (SSL).
  6. Click OK to close this dialog box, as well as the Properties dialog box, for the resource. Close IIS Manager.
  7. Test by attempting to retrieve the resource using http://. You should see a message that HTTPS is required. Retrieve the resource using https://.

Note that if clients request a page or resource via HTTP when it requires HTTPS, they are not automatically redirected to the HTTPS URL of the resource. It is possible to programmatically redirect such requests (search Internet resources for a variety of developer resources), but no out-of-the-box tools are available. Make sure your users are aware that they need to use https:// to access the resource.

Using a self-signed SSL certificate

For development and testing, a self-signed SSL certificate may be adequate. Using a self-signed certificate is not recommended for production sites. Browser users will see a security warning when loading a resource from a site that uses a self-signed certificate. You should not trust any self-signed certificate unless you are certain of the identity of the server and organization you are connecting to. In addition to browser issues, some server applications may have problems working with self-signed certificates. Some tips are included in the steps below for some server applications, but for other types of applications, you may need to install the certificate for the server in a way that the server and application recognize it.

Self-signed certificates can be generated in a number of ways. Consult texts on security, security experts, or Web sites for options.

On Windows Server 2008 and Windows Vista, the IIS Manager has a built-in tool for generating a self-signed SSL certificate.

For Windows Server 2003 and Windows XP, the following procedure uses the SelfSSL tool in the IIS 6.0 Resource Kit to create and install a self-signed SSL certificate.

  1. Download and install the IIS 6.0 Resource Kit from Microsoft.

    Install at least the SelfSSL tool. Other tools are optional.

    This tool is supported on Windows Server 2003 and Windows XP. Other platforms may require a different tool.

  2. Run SelfSSL and install the certificate at the IIS machine:
    • a) On the IIS machine, click Start > Programs > IIS Resources > SelfSSL > SelfSSL. This opens a command prompt window to the SelfSSL location.
    • b) Type the command to create and install a certificate. This example creates a certificate good for 365 days, for the server as www.example.com, and which will be trusted by the local browser:

      SelfSSL /V:365 /N:CN=www.example.com /T
      

      The name (N) argument must be set to the name that users will enter for the server. See the SelfSSL Help for more information on options, such as installing on a nondefault IIS Web site.

    • c) Close the SelfSSL window by typing "exit" and pressing the Enter key.
  3. Test the certificate by opening a browser and loading a page on the server using https://... You should get a warning that the certificate is not from a known certificate authority. Click to proceed, and the page should load normally.
  4. If you will use secured ArcGIS services in a Web ADF application running on a different server, then you should import the certificate into the certificate store of the Local Computer. See the instructions below.

The certificate will only be recognized when requested with the name as specified with the N argument above (or the machine name, if N is not specified). For example, if the machine name "myserver" default is used and the client requests the page with the fully qualified domain name "myserver.example.com", the client will warn that the name on the certificate does not match the request.

Installing the self-signed certificate on client computers

With a self-signed certificate, the client will display a warning at the start of each session with the server. If you create a Web ADF application that uses a secured service on a server with a self-signed certificate, the service may not work in the application. To avoid these security warnings and issues, you can export the certificate from the server and import it at client machines. This should only be done for internal test and development purposes, not for production sites. To export the certificate:

  1. IIS Manager, open expand the tree and right-click Default Web Site and choose Properties.
  2. In the Directory Security tab, and under Secure Communications, click View Certificate.
  3. In the Certificate window, click Details tab, then Copy to File.
  4. In the Certificate Export Wizard, accept all defaults (don't export private key; use DER format), name the file (for example, mymachine-ssl-cert-export.cer), and click Finish. By default, the certificate file is put in \Windows\System32\inetsrv\, but you can save it to any location.
  5. Share certificate with client machines, via e-mail, file share or on the Web server.

Once the certificate is available, import it at a client machine.

On Windows XP and Server 2003:

  1. Obtain a copy of the certificate file produced earlier and save it locally.
  2. Double-click on the .cer file to display certificate information.
  3. Click Install Certificate.
  4. In Certificate Import Wizard that opens, click Next.
  5. In the Certificate Store panel of the wizard, choose where to install the certificate.
    • If the computer will only run client applications (ArcGIS Desktop or browsers), keep the option to "Automatically select the certificate store based on the type of certificate".
    • If the computer is a Web server that will host .NET Web ADF applications, then click the option to Place all certificates in the following store. Then click the Browse button, and in the Select Certificate Store dialog that opens, check the option to Show physical stores. Expand the Trusted Root Certificate Authorities, and select the Local Computer folder. Click OK to return to the Certificate Import Wizard. (Note: If the computer will run client applications as discussed above, you should re-run the import wizard after finishing step 6, and choose to install the certificate using the automatically-select option.)
  6. Click Next, then Finish. A message should display that the certificate import was successful. Close the Certificate dialog.

On Windows Vista or Server 2008:

  1. Click Start, then click Run. In the Run command box, type mmc.exe and click OK. The Microsoft Management Console (MMC) will open.
  2. In the MMC, click File, then Add/Remove Snap-in...
  3. In the Add or Remove Snap-ins dialog, click on Certificates, then click the Add button.
  4. In the Certificates snap-in dialog that opens, click My user account, then Finish.
  5. Click OK in the Add or Remove Snap-ins dialog. The Certificates snap-in is added to the MMC window.
  6. Expand the Certificates-Current User node, then expand Trusted Root Certification Authorities to see its Certificates sub-node.
  7. Right-click on the Certificates node within the Trusted Root Certification Authorities and click All Tasks, then Import...
  8. In the Certificate Import Wizard that opens, click Next, then in the File To Import panel, click Browse and navigate to the certificate file you saved locally. Select it in the Open-file dialog and click OK. The path and name are displayed in the File To Import panel.
  9. Click Next. In the Certificate Store panel, verify that the option to Place all certificates in the following store is selected, and that the certificate store displayed is Trusted Root Certification Authorities. Click Next.
  10. View the summary information for the certificate import, then click Finish.
  11. If the computer is a Web server that will host .NET Web ADF applications, then repeat steps 2 through 10, but in step 4, choose Computer account instead of My user account.

Once you perform these steps, Internet Explorer and other IE-based clients can use https with the server without warnings. Browsers other than Internet Explorer may require a separate acceptance of the certificate.

If the GIS Web services will be access from an ArcGIS Server Java Web ADF application, you will need to install the certificate into the Java Manager's Java Runtime Environment (JRE), using the keytool. Any redeployment of the application to a different Web server will require adding the certificate to the Web server's JRE.