Setting up SSL

This topic describes how to set up your Internet Information Services (IIS) Web server to serve Web pages and other resources via Secure Hypertext Transfer Protocol (HTTPS). HTTPS is the standard approach for secure communications between client and server over the Internet. HTTPS enables the communication to be encrypted so that if it is intercepted, the third party cannot easily view and use the information. You should ensure that any sensitive information transferred to your server is secured through HTTPS. Any login should use HTTPS, as should pages that transfer data that you do not want to be viewed by parties other than the end user.

To serve pages and other resources via HTTPS, you must obtain and install a certificate for Secure Sockets Layer (SSL) on the IIS server. Normally you obtain the SSL certificate from a certificate authority (CA) that is generally recognized by browsers and other Internet-capable client software. If the certificate is issued by a CA that is recognized by the browser, the communication with the server occurs with no special action required by the user. Hence, for production servers, obtaining a CA-issued certificate is highly recommended. See Obtaining and installing an SSL certificate from a certificate authority for information.

Once you have an SSL certificate installed, you can access Web pages and other resources on the server using HTTPS. If the resource carries sensitive information, it is recommended that you require clients to use HTTPS to use the resource. See Requiring the use of HTTPS for details.

For development and testing purposes, using a self-signed SSL certificate may be adequate. Browsers and other clients will not automatically accept such certificates and will display a warning message for the certificate. See Using a self-signed SSL certificate for details.

NoteNote:

This topic contains steps for IIS 6 (Windows Server 2003) and IIS 7 (Windows Vista, Windows 7, and Windows Server 2008). If you are using IIS 5.1 (Windows XP), you can follow the steps for IIS 6.

Determining whether an SSL certificate is installed

If you are not certain whether an SSL certificate is installed on your IIS Web server, follow the steps below:

Steps for IIS 6

Steps:
  1. Open Control Panel > Administrative Tools > Internet Information Services (IIS) Manager.
  2. In the left pane of IIS Manager, expand the tree to find your server, then Web Sites within your server, then Default Web Site. (If additional Web sites have been created, you may need to apply these steps to the one where your ArcGIS Server instance Web site is installed.)
  3. Right-click Default Web Site and choose Properties from the context menu.
  4. In the Properties dialog box for the Web site, click the Directory Security tab. Under the Secure Communications section of this tab panel, if a View Certificate button appears, an SSL certificate has been installed. If a Request Certificate button appears, no SSL certificate has been installed.

Steps for IIS 7

Steps:
  1. Open Control Panel > Administrative Tools > Internet Information Services (IIS) Manager.
  2. Select your machine from the Connections panel.
  3. Make sure the IIS Features View tab is selected and click Server Certificates. Any installed certificates are listed here.

Obtaining and installing an SSL certificate from a certificate authority

This section outlines the procedure for obtaining and installing an SSL certificate from a certificate authority. For complete information, consult your system administrator, outside consultant, or other resources on security. For more information, see Using SSL to Encrypt Confidential Data.

Steps:
  1. Create a request for a certificate using IIS Manager. For instructions, see Request a server certificate (IIS 6.0) or Request an Internet Server Certificate (IIS 7).
  2. Send the request to a recognized certificate authority. For a list of CAs that work with Microsoft software, see Microsoft Root Certificate Program Members.
  3. Once you obtain the certificate, install the certificate in the IIS server. For instructions, see Install a server certificate (IIS 6.0) or Install an Internet Server Certificate (IIS 7).
  4. If using IIS 7, add the HTTPS binding to the site. For instructions, see Add a Binding to a Site (IIS 7).

After the certificate is installed, clients can access pages and other resources using the HTTPS protocol. You can also require that HTTPS be used when accessing a resource. If you later need to remove an SSL certificate, refer to IIS documentation on tools such as HTTPCfg (IIS 6.0) or see Remove a Server Certificate (IIS 7).

SSL port on the Web server

SSL requests to the Web server are sent to a specific port on the server. A port (or TCP port) tells the destination machine what program will handle the request. By default, Web servers handle SSL requests on port 443. If the default port is used, clients do not need to specify the port in the request. If a nondefault port is set on the Web server, then URLs must include it, for example, https://gis.example.com:8443/mywebapp.

You can use a nondefault SSL port for your IIS Web site, but you should set it before installing ArcGIS Server (specifically, the ArcGIS Server Web applications or ArcGIS instance). If you install your ArcGIS Server instance, then configure SSL to a nondefault port, you may need to update the SSL port value in ArcGIS Server. Likewise, if you change the SSL port after configuring security for ArcGIS Server, you will need to update ArcGIS Server with the new port number.

You only need to update the SSL port in ArcGIS Server if you have enabled or intend to enable security for GIS Web services and the security will use tokens. The services security will use tokens if you store users in SQL Server or a custom provider.

To update the ArcGIS Server instance with a new or nondefault SSL port number, follow these steps:

Steps:
  1. Using a text or XML editor, open the file <ArcGIS instance>\Security\web.config. The <ArcGIS instance> is typically the folder C:\Inetpub\wwwroot\ArcGIS, but if you have a different location for your IIS Web site or installed the ArcGIS Web applications to another name, locate the folder and use its Security folder.
  2. In the security web.config, find this setting (your SSL port value may differ): <add key="SSLPort" value="443" /> and change the value to the new SSL port number. Save and close the file.
  3. If you have not yet configured security, you can skip the remaining steps for now. Otherwise, open ArcGIS Server Manager, log in, and go to Security > Settings > Configure.
  4. Follow the wizard to configure security to the user and role location desired. Even if you have previously configured security, you need to repeat the process to have the new SSL port picked up.
  5. After completing the security wizard, test access to your secured services to confirm that the settings have been applied correctly.

Requiring the use of HTTPS

You should require clients to use HTTPS to access Web pages and resources with sensitive data. This includes login pages but may also include whole Web applications.

Using HTTPS adds overhead to communications between client and server. Use or require HTTPS only for resources that should not be disclosed to third parties.

If you want to require HTTPS for an ArcGIS Server service or folder, you can use ArcGIS Server to require HTTPS. For details, see Requiring HTTPS for folders and services in the topic "Securing Internet connections to services".

You can also use the IIS Web server to require HTTPS (SSL) for a Web application, Web page, or other resource:

Steps for IIS 6

Steps:
  1. Start IIS Manager by opening Control Panel > Administrative Tools > Internet Information Services (IIS) Manager.
  2. Expand the Web Sites node and, in turn, expand the Web site that contains the resource to restrict to HTTPS. By default, IIS serves sites found in Default Web Site. In the Web site, navigate through the tree to find the Web application, folder, Web page, or other resource you want to restrict to HTTPS.
  3. Right-click the resource and choose Properties.
  4. Click the Directory (or File) Security tab. On this tab, in the Secure Communications area, click the Edit button. If this button is not available, the IIS server does not have an SSL certificate installed. See the previous section "Obtaining and installing an SSL certificate from a certificate authority" to obtain and install a certificate.
  5. On the Secure Communications dialog box that opens, check the box Require secure channel (SSL).
  6. Click OK to close this dialog box, as well as the Properties dialog box, for the resource. Close IIS Manager.
  7. Test by attempting to retrieve the resource using http://. A message appears that HTTPS is required. Retrieve the resource using https://.

Steps for IIS 7

Steps:
  1. Start IIS Manager by opening Control Panel > Administrative Tools > Internet Information Services (IIS) Manager.
  2. Expand the Web Sites node and, in turn, expand the Web site that contains the resource to restrict to HTTPS. By default, IIS serves sites found in Default Web Site. In the Web site, navigate through the tree to find the Web application, folder, Web page, or other resource you want to restrict to HTTPS.
  3. Navigate the tree view of your server and select the item for which you want to require SSL.
  4. Ensure IIS Features View is enabled, then double-click SSL Settings
  5. Check Require SSL and in the Actions pane, click Apply.
  6. Click the Back button in IIS Manager to return to the Features View.
  7. Test by clicking Browse *:80 (http) in the Actions pane. You should see a message that SSL is required. Now click Browse *:443 (https) in the Actions pane to retrieve the page using HTTPS.

Note that if clients request a page or resource via HTTP when it requires HTTPS, they are not automatically redirected to the HTTPS URL of the resource. It is possible to programmatically redirect such requests (search Internet resources for a variety of developer resources), but no out-of-the-box tools are available. Make sure your users are aware that they need to use https:// to access the resource.

Using a self-signed SSL certificate

For development and testing, a self-signed SSL certificate may be adequate. Using a self-signed certificate is not recommended for production sites. Browser users will see a security warning when loading a resource from a site that uses a self-signed certificate. You should not trust any self-signed certificate unless you are certain of the identity of the server and organization you are connecting to. In addition to browser issues, some server applications may have problems working with self-signed certificates. Some tips are included in the steps below for some server applications, but for other types of applications, you might need to install the certificate for the server in a way that the server and application recognize it.

Self-signed certificates can be generated in a number of ways. Consult texts on security, security experts, or Web sites for options.

With IIS 7, IIS Manager can be used to create a self signed certificate. For instructions, see Create a Self-Signed Server Certificate in IIS 7. Once you create a self-signed server certificate you will need to add the HTTPS binding to the site. For instructions, see: Add a Binding to a Site (IIS 7) .

With IIS 6, you need to use SelfSSL from the IIS 6.0 Resource Kit to create a self-signed certificate. The steps below explain how to do this.

Steps:
  1. Download and install the IIS 6.0 Resource Kit from Microsoft. Install at least the SelfSSL tool. Other tools are optional.
    NoteNote:

    This tool is supported on Windows Server 2003 and Windows XP. Other platforms may require a different tool.

  2. Run SelfSSL and install the certificate to the IIS machine:
    1. On the IIS machine, click Start > Programs > IIS Resources > SelfSSL > SelfSSL. This opens a command prompt to the SelfSSL location.
    2. Type the command to create and install a certificate. This example creates a certificate good for 365 days, for the server as www.example.com, and which will be trusted by the local browser: SelfSSL /V:365 /N:CN=www.example.com /T
    3. The name (N) argument must be set to the name that users will enter for the server. See the SelfSSL Help for more information on options, such as installing on a nondefault IIS Web site.
    4. Close the SelfSSL window by typing exit and pressing the ENTER key.
  3. Test the certificate by opening a browser and loading a page on the server using https://. A message appears that the certificate is not from a known certificate authority. Click to proceed, and the page loads normally.
  4. If you will use secured ArcGIS services in a Web ADF application running on a different server, import the certificate into the certificate store of the local computer. See the instructions below.

The certificate is only recognized when requested with the name as specified with the N argument above (or the machine name, if N is not specified). For example, if the default machine name myserver is used and the client requests the page with the fully qualified domain name myserver.example.com, the client warns that the name on the certificate does not match the request.

Installing the self-signed certificate on client computers

With a self-signed certificate, the client will display a warning at the start of each session with the server. If you create a Web ADF application that uses a secured service on a server with a self-signed certificate, the service may not work in the application. To avoid these security warnings and issues, you can export the certificate from the server and import it at client machines. This should only be done for internal test and development purposes, not for production sites.

Exporting the certificate in IIS 6

Steps:
  1. Open IIS Manager and navigate to your Default Web Site.
  2. Right-click Default Web Site, then choose Properties.
  3. On the Directory Security tab, under Secure Communications, click View Certificate.
  4. In the Certificate window, click the Details tab, then Copy to File.
  5. In Certificate Export Wizard, accept all defaults (don't export private key; use DER format), name the file (for example, mymachine-ssl-cert-export.cer), then click Finish. By default, the certificate file is put in \Windows\System32\inetsrv\, but you can save it to any location.
  6. Share the certificate with client machines via e-mail, file share, or on the Web server.

Exporting the certificate in IIS 7

Steps:
  1. Open IIS Manager and select your machine.
  2. In IIS Features View, double-click Server Certificates.
  3. Click the certificate you want to export.
  4. In the Actions pane, click View.
  5. In the Certificate window, click the Details tab, then click Copy to File.
  6. In the Certificate Export Wizard, accept all defaults (don't export private key; use DER format), name the file (for example, mymachine-ssl-cert-export.cer), and click Finish. By default, the certificate file is put in \Windows\System32\inetsrv\, but you can save it to any location.
  7. Share the certificate with client machines via e-mail, file share, or on the Web server.

Once the certificate is available, continue with the appropriate steps below to import it at a client machine.

Importing a certificate in IIS 6

Steps:
  1. Obtain a copy of the certificate file produced earlier and save it locally.
  2. Double-click the .cer file to display certificate information.
  3. Click Install Certificate.
  4. When Certificate Import Wizard opens, click Next.
  5. In the Certificate Store panel of the wizard, choose where to install the certificate.
    • If the computer will only run client applications (ArcGIS Desktop or browsers), keep the option to Automatically select the certificate store based on the type of certificate.
    • If the computer is a Web server that will host .NET Web ADF applications, click the option Place all certificates in the following store. Then click the Browse button, and in the Select Certificate Store dialog box that opens, check the option Show physical stores. Expand Trusted Root Certificate Authorities and choose the Local Computer folder. Click OK to return to Certificate Import Wizard.
      NoteNote:

      If the computer will run client applications as discussed above, rerun the import wizard after finishing step 6 and choose to install the certificate using the Automatically select the certificate store option.

  6. Click Next and click Finish. A message appears that the certificate import was successful. Close the Certificate dialog box.

Importing a certificate in IIS 7

Steps:
  1. Click Start, then in the search box, type mmc.exe and click OK.
  2. In the Microsoft Management Console (MMC), click File and click Add/Remove Snap-in.
  3. Click Certificates and click the Add button.
  4. Click My user account and click Finish.
  5. Click OK in the Add or Remove Snap-ins dialog box. The Certificates snap-in is added to the MMC window.
  6. Expand the Certificates > Current User node and expand Trusted Root Certification Authorities to see its Certificates subnode.
  7. Right-click the Certificates node, click All Tasks, then click Import.
  8. When Certificate Import Wizard opens, click Next, and in the File To Import panel, click Browse and navigate to the certificate file you saved locally. Choose it in the Open dialog box and click Open. The path and name are displayed in the File to Import panel.
  9. Click Next. In the Certificate Store panel, verify that the option Place all certificates in the following store is selected and that the certificate store displayed is Trusted Root Certification Authorities. Click Next.
  10. View the summary information for the certificate import, then click Finish.
  11. Click Yes to the Security Warning, then click OK.
  12. If the computer is a Web server that will host .NET Web ADF applications, repeat steps 2 through 11, but in step 4, choose Computer account instead of My user account.

Once you perform these steps, Internet Explorer and other IE-based clients can use HTTPS with the server without warnings. Browsers other than Internet Explorer may require a separate acceptance of the certificate.

If the GIS Web services will be accessed from an ArcGIS Server Java Web ADF application, you must install the certificate in the Java Manager's Java Runtime Environment (JRE) using the keytool. Any redeployment of the application to a different Web server requires that you add the certificate to the Web server's JRE.

Requiring SSL for the Services Directory login and admin pages

By default, the Services Directory uses HTTP for all pages. Since logging into the Services Directory passes credentials to the server, you should require HTTPS for the login and administration pages once you have configured SSL on your server. To require SSL on these pages, follow these steps:

Steps:
  1. Open < ArcGIS Server instance >\rest\rest.config file in a text editor. For example, if your instance name is ArcGIS and IIS is installed on the c: drive, the path would be c:\Inetpub\wwwroot\ArcGIS\rest\rest.config.
  2. Find the element UseSslForLoginAndAdmin at the bottom of the file.
  3. Change the contents of the element to true.
  4. Save and close the file.

Now when users click the login link or administrators navigate to the REST admin page, they are redirected to an HTTPS URL so their credentials are protected.


8/22/2012