Secure AGS services with self-signed certificate

Comments

6 comments

  • Permanently deleted user

    I should add that if I specify HTTPS for the AGS server URL, I do get an error that suggests there is still a problem with the self-signed certificate being accepted by Essentials:

    The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

    Is there a different way to tell Essentials that it should trust the self-signed certificate, other than importing it into the IE trusted store?

     

    0
  • Permanently deleted user

    Peter, welcome to the world of self-signed certificates (it's not all fun ;)

    Can I assume you're using ADF client?  I have fully secured map services via SSL so I should be able to help you out.  It's also worth noting Silverlight DOES NOT support self-signed SSL certificates.

    I'm trying to think why this might be happening to you - I will go & have a look at our config.

    Brad

    0
  • Permanently deleted user

    Peter, can I assume you're using Manager from your app server box running Geocortex?  If so (or if not?), what's the issue with putting the certificate in your trusted root?  As this is only during your application config, I don't think this should cause you issues once your application is configured?  Let me know if I'm misunderstanding your point.


    Brad
    0
  • Permanently deleted user

    Brad,

    Just a bit of background, Server A is an IIS web server with only Essentials installed.  Server B is a web server with IIS and AGS 10SP2 installed.  I have run Essentials Manager from a browser on my desktop as well as directly from the Essentials Server (IE8 browser).  Since the call from Manager to AGS is happening from the Essentials server, not the browser, I don't think it should matter where I run it from.

    On the Essentials server, I did connect to AGS directly, got the message about the self-signed cert and choice to import it into IE's trusted certificate store, which it said it did successfully.  When I run Manager and try to connect to AGS via HTTPS, I get the message in my second post.

    I believe you are correct that this should only be an issue for configuration, not when running the site, but I still need to figure out how to overcome the problem so I can tell other users (I don't want everybody hacking the actual site.xml file manually).


    Peter.

    0
  • Permanently deleted user

    Okay I think I've sorted this out now.  Hopefully the following explanation will save others from some grief in using self-signed certs.

    Being relatively new to .NET and definitely not having had to worry about .NET and self-signed certs before, I was under the mistaken impression that there was only one location for importing certificates into the Trusted Root Certification Authorities.  Initially I tried doing this through the Internet Explorer browser, i.e. navigate to the site with the self-signed cert and import the cert into IE's Trusted Root Authorities store, which did add it to the Trusted Root Authorities store - but I'm assuming this was only for the account I was logged in with.

    After much more digging I came across this MSDN article ( http://msdn.microsoft.com/en-us/library/ms733813.aspx ) that explains that there is a store for both the computer and the current user.  So after exporting the cert from the AGS server and importing into the Trusted Root Authorities store for the (Essentials) computer instead of my account, I was able to successfully access the secure AGS services.

    Peter.

    0
  • Permanently deleted user

    Hi Pete,

    My bad for not responding earlier - glad you got it sorted.  I meant to relay this fact to you when I read you had two different servers in the mix (I don't (well I do, but that's dealing with the r-proxy)).

    It's worth noting I do not believe Silverlight will support Self-Signed Certificates - be warned.

    Brad

    0
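
The resolution in the thread (trusting the certificate in the computer's Trusted Root store rather than the logged-in user's) can be checked and applied as follows. This is an added example, not part of the original posts or of the Essentials or AGS products; the certificate path is a constructed placeholder and the function name is hypothetical.

```powershell
# Added example. Run on the server that makes the HTTPS call (the Essentials server in the thread).
param(
    [string]$CertPath = 'C:\temp\ags-selfsigned.cer',  # assumption: .cer exported from the AGS server
    [switch]$Import                                     # add to LocalMachine\Root when missing
)

$X509 = 'System.Security.Cryptography.X509Certificates'

# Hypothetical helper: is this thumbprint present in the Root store of the given location?
function Test-RootTrust($Cert, [string]$Location) {
    $store = New-Object "$X509.X509Store" -ArgumentList 'Root', $Location
    $store.Open('ReadOnly')
    try {
        $hits = $store.Certificates.Find('FindByThumbprint', $Cert.Thumbprint, $false)
        return ($hits.Count -gt 0)
    } finally {
        $store.Close()
    }
}

$cert = New-Object "$X509.X509Certificate2" -ArgumentList $CertPath
"Subject    : $($cert.Subject)"
"Thumbprint : $($cert.Thumbprint)"
"Expires    : $($cert.NotAfter)"

# The CurrentUser view also lists machine-wide roots, so the telling case is
# "present for the user, absent for the machine": trusted only for that login.
$inUser    = Test-RootTrust $cert 'CurrentUser'
$inMachine = Test-RootTrust $cert 'LocalMachine'
"CurrentUser\Root  : $inUser"
"LocalMachine\Root : $inMachine"

if ($inUser -and -not $inMachine) {
    'Trusted only for the interactive account; server-side code under another identity will reject it.'
}

if ($Import -and -not $inMachine) {
    # Writing to LocalMachine\Root requires an elevated prompt.
    $store = New-Object "$X509.X509Store" -ArgumentList 'Root', 'LocalMachine'
    $store.Open('ReadWrite')
    try { $store.Add($cert) } finally { $store.Close() }
    'Certificate added to LocalMachine\Root.'
}
```

A certificate placed in `LocalMachine\Root` is trusted by every process on that machine, so import only the specific certificate exported from the AGS server and remove it once a CA-issued certificate replaces it.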
