Nxstage pureflow instructions for binding


The SSL protocol is a standard security technology used to establish an encrypted connection between a web server and a web client. SSL secures network communication by identifying and authenticating the server and by protecting the confidentiality and integrity of all transmitted data. Because SSL prevents eavesdropping on or tampering with information sent over the network, it should be used in any login or authentication mechanism, as well as across the entire network wherever communication contains confidential or proprietary information.

The use of SSL prevents the names, passwords, and other sensitive information sent between the Web Adapter and the server from being read. When using SSL, connect to websites and resources using the HTTPS protocol instead of the HTTP protocol.

To use SSL, you must obtain an SSL certificate and bind it to the website that hosts the Web Adapter. Loading a certificate and binding it to a website differs depending on the web server.

Creating an SSL Certificate

To create an SSL connection between the Web Adapter and your server, the web server needs an SSL certificate. An SSL certificate is a digital file that contains information about the identity of the web server. It also contains the encryption technology used when establishing a secure channel between the web server and the ArcGIS server. An SSL certificate must be created and digitally signed by the website owner. There are three types of certificates: CA-signed, domain, and self-signed. Each is explained below.

CA-signed certificates

Certificates signed by a CA should be used on production systems, especially if users outside of your organization are accessing the ArcGIS Server deployment. For example, if your server is not behind a firewall and accessible from the Internet, the use of a CA-signed certificate guarantees clients outside your organization that the website's identity has been verified.

In addition to being signed by the website owner, an SSL certificate can also be signed by an independent certificate authority (CA). A CA is usually a trusted third party that can verify the authenticity of a website. When a website is trusted, the CA adds its own digital signature to that website's self-signed SSL certificate. This way, web clients are guaranteed that the identity of the website has been verified.

When using an SSL certificate issued by a well-known CA, secure communication between the server and the web client takes place automatically without any special user action required. There is no unexpected behavior in the web browser and no warning message is displayed, because the website has been checked by the CA.

Domain Certificates

If your server is behind a firewall and a CA-signed certificate cannot be used, a domain certificate is an acceptable solution. A domain certificate is an internal certificate that is signed by an organization's certification authority. Using a domain certificate can reduce the cost of issuing certificates and simplify the deployment of certificates because they can be quickly created within the organization for trusted internal use.

Within your domain there will be no unexpected behavior or warning messages, as there normally are with a self-signed certificate, because the website has been verified by the domain certificate. However, domain certificates are not verified by an external CA; that is, users visiting your site from outside your domain cannot verify that the certificate is actually what it claims to be. External users will see browser warnings that the site is untrustworthy, which could give them the impression that they are communicating with a malicious attacker and turn them away from your site.

Create a domain certificate in IIS

In IIS Manager, do the following to create a domain certificate:

  1. In the Connections window, select your server in the tree view and double-click Server Certificates.
  2. In the Actions window, click Create Domain Certificate.
  3. In the Distinguished Name Properties dialog box, provide the required information for the certificate:
    1. For Common Name, you must enter the computer's fully qualified domain name, for example gisserver.domain.com.
    2. For the other properties, enter the information specific to your organization and location.
  4. Click on Continue.
  5. In the Online Certification Authority dialog box, click Select and choose the certification authority in your domain that will sign the certificate. If this option is not available, enter your domain's online certification authority in the Specify online certification authority field, for example City Of Redlands Enterprise Root \ REDCASRV.empty.local. If you need help with this step, contact your system administrator.
  6. Enter a friendly name for the domain certificate and click Finish.

The final step is to bind the domain certificate to SSL port 443. For instructions, see Bind Your Certificate to the Website.

Self-signed certificates

An SSL certificate that is only signed by the website owner is known as a self-signed certificate. Self-signed certificates are typically used on websites that are only available to users on the organization's internal network (LAN). When communicating with a website outside of your own network that uses a self-signed certificate, there is no way to verify that the site issuing the certificate is actually what it claims to be. You could actually be communicating with a malicious attacker who is putting your data at risk.

Create a self-signed certificate in IIS

In IIS Manager, do the following to create a self-signed certificate:

  1. In the Connections window, select your server in the tree view and double-click Server Certificates.
  2. In the Actions window, click Create Self-Signed Certificate.
  3. Enter a friendly name for the new certificate and click OK.

The final step is to bind the self-signed certificate to SSL port 443. For instructions, see Bind Your Certificate to the Website.

Bind the certificate to the website

After you've created an SSL certificate, you'll need to bind it to the website that hosts the Web Adapter. Binding is the process of configuring the SSL certificate to use port 443 on the website. The instructions for binding a certificate to the website vary depending on the platform and version of the web server. Consult your system administrator or the documentation for your web server for further instructions. For example, below are the steps to bind a certificate in IIS.

Binding a Certificate to 443 in IIS

In IIS Manager, do the following to bind a certificate to SSL port 443:

  1. Select your site in the tree view and, in the Actions window, click Bindings.
    • If port 443 is not available in the list of bindings, click Add. Select HTTPS from the Type drop-down list. Leave the port set to 443.
    • If port 443 is listed, select the port from the list and click Edit.
  2. From the SSL Certificate drop-down list, select the name of the certificate and click OK.
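
The two IIS Manager procedures above (creating a self-signed certificate and binding a certificate to port 443) can also be scripted. The following PowerShell is an added example, not part of the original instructions; the site name, friendly name and host name are assumed values to replace with your own.

```powershell
#Requires -RunAsAdministrator
Import-Module WebAdministration   # IIS cmdlets (Windows PowerShell)

# Assumed values: replace with the site that hosts the Web Adapter and its FQDN.
$siteName = 'Default Web Site'
$hostName = 'gisserver.domain.com'

# Add an HTTPS binding on port 443 only if the site does not have one yet.
$binding = Get-WebBinding -Name $siteName -Protocol 'https' -Port 443
if (-not $binding) {
    New-WebBinding -Name $siteName -Protocol 'https' -Port 443 -IPAddress '*'
    $binding = Get-WebBinding -Name $siteName -Protocol 'https' -Port 443
}

if ($binding.certificateHash) {
    # A certificate is already bound: report it and stop, so that an existing
    # CA-signed or domain certificate is never silently replaced.
    Write-Warning "Port 443 on '$siteName' already uses certificate $($binding.certificateHash); left unchanged."
}
else {
    # Create a self-signed certificate whose subject is the machine's FQDN and
    # store it in the computer's Personal store. (-FriendlyName needs
    # Windows Server 2016 / Windows 10 or later.)
    $cert = New-SelfSignedCertificate -DnsName $hostName `
        -CertStoreLocation 'Cert:\LocalMachine\My' `
        -FriendlyName 'Web Adapter self-signed'

    # Attach the certificate to the HTTPS binding ('My' = Personal store).
    $binding.AddSslCertificate($cert.Thumbprint, 'My')
    Write-Output "Bound $($cert.Thumbprint) to '$siteName' on port 443."
}
```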

Testing the site

After binding the certificate to the website, you can configure the Web Adapter for use with the server. The Web Adapter configuration page must be accessed using an HTTPS URL such as https://webadaptor.domain.com/arcgis/webadaptor.

After you've configured the Web Adapter, you should test that SSL is working properly by making an HTTPS request to ArcGIS Server Manager, for example https://webadaptor.domain.com/arcgis/manager.

For more information on testing the site with SSL, see Microsoft's instructions in Setting Up SSL in IIS.
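
To see which certificate the site actually presents after binding, and whether a client would trust it, the check below connects to port 443 and reports the certificate details. It is an added example, not part of the original instructions; the function name is hypothetical and the host name is the sample one used above.

```powershell
function Get-TlsCertificateReport {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $seen = @{ Errors = $null }
    # Accept every certificate so that self-signed and domain certificates can
    # be inspected too; the validation result is recorded, not enforced.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]({
        param($source, $certificate, $chain, $policyErrors)
        $seen.Errors = $policyErrors
        $true
    }.GetNewClosure())

    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $stream = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
        try {
            $stream.AuthenticateAsClient($HostName)
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($stream.RemoteCertificate)
            $mismatch = [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch
            [pscustomobject]@{
                Subject      = $cert.Subject
                Issuer       = $cert.Issuer
                # Subject equal to issuer means the owner signed it (self-signed).
                SelfSigned   = ($cert.Subject -eq $cert.Issuer)
                NotAfter     = $cert.NotAfter
                # False when the certificate name does not cover the host name.
                NameMatches  = -not $seen.Errors.HasFlag($mismatch)
                # True only if this machine trusts the chain and the name matches.
                Trusted      = ($seen.Errors -eq [System.Net.Security.SslPolicyErrors]::None)
                PolicyErrors = $seen.Errors
                Protocol     = $stream.SslProtocol
            }
        }
        finally { $stream.Dispose() }
    }
    finally { $client.Dispose() }
}

# Sample host name from this page; replace with your own server.
Get-TlsCertificateReport -HostName 'webadaptor.domain.com'
```

Run it from a machine inside the domain and from one outside it: a domain certificate reports `Trusted = True` only where the organization's CA is in the trusted root store, while a self-signed certificate reports `SelfSigned = True` and chain errors everywhere it has not been explicitly trusted.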

