Securing services for ArcGIS Server is not as difficult as one would think. The ArcGIS Server Manager works as a great tool to lock down services, create and manage a security database, and grant permissions for specific services and/or folders.
Step 1: Create a security database
Before you lock down your server, you will need to create a database to manage security. Log in to the ArcGIS Server Manager and click on the "Security" tab, then click on "Settings". The settings window has a wizard that lets you connect to a database server; the wizard then creates a new database with the tables needed to store permissions. As you go through the wizard, be sure to check the box that automatically creates a user and role for "Everyone". We will use this later.
Step 2: Create roles and users
Permissions for the services are managed via roles. Once you have created a role, you can create a new user or add existing users to that role. Creating users and roles is done easily via the ArcGIS Server Manager wizard.
Step 3: Lock down your server
Now that you have a database set up, you are ready to lock down your services. Go back to the "Settings" section of the "Security" tab. You will see a section that says "Security for GIS Services is: Not Enabled". Beside this text is a button that says "Enable".
Note: Once you enable security, you cannot undo this via the ArcGIS Server Manager. Don't get frightened away yet; you will see in the next step that this is not a big deal.
Step 4: Grant permission for "Everyone" at the root level
Now that your site is locked down, you need to grant permissions to your services. The next few steps assume you have some public services and some private services. Even though security is turned on, we want to make sure that our public services remain public, not requiring a username / password. Click on the "Services" tab. It should automatically load the "Manage Services" section. If you are not already there, change the "Services In" pulldown value to your root directory. Then click Manage Folders -> Permissions. At the root level, grant "Everyone" permission by adding the role to the Access List. Now security is turned on, but all of your services are still public. I recommend this setup for any initial installation of ArcGIS Server, since it lets you quickly add permissions when needed.
Step 5: Lock down a folder in your ArcGIS Server
Now that all of our services are public, we want to lock down specific services. If your services are organized into folders, this is easy. Let's assume you have a folder called "Private". Switch the "Services In" value to your private folder. Then click Manage Folders -> Permissions. Add the role you created to this folder, and be sure to remove "Everyone" from the Access List. Now the services in this folder will require a username and password associated with that role.
Step 6: Access the secure folder via the REST interface
If you're developing applications with the ArcGIS Server JavaScript API, the REST interface should be your best friend. However, after you lock down a folder, you will notice that the interface for that folder is gone from your root services directory: http://
Step 7: Using a secure service in your ArcGIS Server JavaScript API application
The following setup works well if you would like to have a public ArcGIS Server JavaScript API application with secure services embedded in it. As a result, users will not be able to grab your service URLs and use them in their own applications. To keep this post from getting too long, we are going to assume you already have a proxy page set up in your application. If you do not, that probably means two things: you are not printing your maps, and you are not receiving data back in IE where the queries are longer than 2000 characters. Here is a link to setting up your proxy: http://resources.esri.com/help/9.3/arcgisserver/apis/javascript/arcgis/help/jshelp/ags_proxy.htm#webprint
Since we're assuming you already have a proxy set up, the first step is updating the proxy settings in your JavaScript. The services are now secure, so you will need to use the proxy page for each request. If you have not done so already, change the "alwaysUseProxy" setting to "true" in your application:
esri.config.defaults.io.alwaysUseProxy = true;
Step 8: Change your http references to https for your secure services.
· Enabling SSL in IIS on Windows XP Professional
Enabling SSL on IIS is not as simple as clicking a checkbox setting, especially on Windows XP Professional. This site describes how to use OpenSSL to create a self-signed certificate that will freely enable SSL encryption for testing and private purposes.
· Running IIS on Windows XP Professional
Many people do not know that Windows XP Professional includes a fully functional web server, Microsoft IIS 5.1. For a small office or home, this is incredibly convenient. If you're a developer who wants to try web development with HTML, Javascript, Active Server Pages (ASP), or VBScript, having IIS can allow you to experiment quickly with files on your local system. Of course, you could always download and install the free and robust Apache web server, but IIS is somewhat simpler and the documentation is better. [begin heated debate...]
You don't need to buy the more expensive Windows XP Advanced Server or Windows 2000 Server to run IIS. However, the XP Professional standard EULA (license) states that at most 10 computers may connect to your machine for IIS, File/Printing services, and remote access. That means you would be violating the license if you ran a web server using IIS from your house or office, and more than 10 people connected to it at once. If you want a free solution and don't need ASP, you could also run Apache+PHP on your XP Professional machine. The duo is free, unrestricted, and serves the same purpose.
· Installing IIS on Windows XP Professional
The Internet Information Server (IIS) is not installed by default on Windows XP. To install it, one must log in under an account with administrator privileges, and go to "Control Panel"->"Add/Remove Programs"->"Add/Remove Windows Components." Just check the "Internet Information Services" checkbox and complete the installation. (Note, if you click the "Details..." button, you can also install Microsoft's free FTP server.)
Once that finishes, you will have a directory called c:\Inetpub\wwwroot on your hard drive that contains the files your web server will serve. To test your server, use Internet Explorer or Mozilla and type "http://localhost" or "http://127.0.0.1" in the address bar. You will see either an "Under Construction" page or a Microsoft page that says your web service is now running. These are default files installed by IIS in the wwwroot directory, and it is safe to delete them if you want a barebones IIS installation. Create a text file called "Default.asp", type something in it, and save it to the wwwroot directory. When you reload your site again, you will see the file you just made displayed in the browser. Now you are free to experiment with HTML, JavaScript, CSS, etc. If you don't want to learn ASP, you can download and install the free and powerful PHP scripting engine, which integrates into IIS easily. PHP is an up-and-coming all-star in web server-side scripting; it is used by Yahoo!, CBS, and other large corporations. For example, one can create custom GIF images on the fly using one of the PHP function libraries. There are dozens of other useful function libraries in PHP. Furthermore, the documentation is superb.
· Requirements for Installing Self-Signed Certificate
Now that you have IIS running and have set up some pages, let's say you would like to share your documents or web application securely, making sure everything is encrypted during its transmission over the wild, wild web. Encryption on the web is possible using a technology called SSL (Secure Sockets Layer). However, enabling SSL on IIS is not as simple as clicking a checkbox setting. In particular, enabling SSL independently on Windows XP Professional is not possible. This site describes a method of creating a self-signed certificate to enable SSL encryption for testing and private purposes. For businesses, novices, and individuals who don't have time to mess with server settings, you should hire an expert. I recommend you skim through this entire site before attempting the procedure, because it is fairly advanced. The requirements are below.
OpenSSL i386 binary and source distributions (free)
Active Perl (free)
Basic knowledge of how to use the command shell "cmd"
Ability to use a text editor
· IIS Directory Security
First open the IIS configuration console. To do this the easy way, right click on "My Computer" on your desktop and select "Manage". You can also get to it via "Control Panel"->"Administrative Tools"->"Computer Management". Expand through the following hierarchy: "Services and Applications"->"Internet Information Services"->"Web Sites"->"Default Web Site."
Right click on "Default Web Site", and select "Properties". Then click on the "Directory Security" tab.
· Prepare a Certificate Request
Click on the "Server Certificate..." button. This will open the Web Server Certificate Wizard. Click "Next". At this point, you have the options of "Create a new certificate", "Assign an existing certificate", and "Import a certificate from a Key Manager backup file." Select "Create a new certificate" and click Next. (Update 9/5/2003. See Create a self-signed SSL certificate with IIS 6.0 Resource Kit SelfSSL for a much simpler method.)
Digression: The Certificate Business
Though it's labelled "Create," this step actually means to request a certificate from a "certificate authority," and requires some elaboration. There is this thing called the Public Key Infrastructure (PKI), which is basically a group of companies that have agreed to trust each other, and a set of mechanisms for validating that trust. It is similar to the Kerberos system developed at MIT. Practically, this means that Windows comes pre-installed with the certificates of trusted companies. These certificates can be viewed by running certmgr.msc from a command window, and updated using Windows Update. For any certificate in the list of trusted certificates, your programs, particularly Internet Explorer, will not give you a warning when you access their website with SSL enabled. If the web server uses a certificate that is not issued by a trusted company (a.k.a. certificate authority, or CA), then Internet Explorer will warn you that the certificate is not automatically trusted, and you should proceed with caution.
To the end-user of the website, it's the difference between having a security warning and not having one. Everything sent over SSL is encrypted regardless of whose certificate is used, whether it is one you cooked up on your own machine or one you're paying $400 per year for. The upshot is that when you request a certificate the traditional way, you are requesting it from the administrator of a 'trusted' party, who has the power to deny your request. For websites, this is almost always a company like Verisign or Thawte, whose trusted certificates are installed in almost all web browsers. They keep the trust by charging you a fee, which they use to monitor that no one who has been granted a certificate signed by them is doing anything illegal or untrustworthy.
To create your own certificate, you can pretend to be a certificate authority. The software that allows one to be a certificate authority in Windows is called "Certificate Services", but Windows XP Professional does not include an option to install it. If you have XP Advanced Server, then you can use the certificate generation procedure described on the IISFaq.com SSL page. Alternatively, you could also request a certificate from the administrator of a server running Certificate Services on your domain, if you are so lucky.
For the poor man who does not have money to spend on a trusted certificate or to buy XP advanced server, you can follow these steps to use the freeware OpenSSL tools to create your own certificate. This is the way I figured out after rummaging around on the Internet today, and may not be the easiest way in town.
· Create the Self-Signed Certificate using OpenSSL
Continuing on in the wizard, choose "Prepare the request now, but send it later." The next four dialogs will ask you about the names that should be in the certificate. You can leave the defaults, or enter a name and location for your company. Finally, the wizard will ask you to save the certificate request to a file named certreq.txt.
In order to create a private key and sign the certificate, you will need to download the free OpenSSL for Windows Binaries and Source packages, courtesy of the GnuWin32 project on SourceForge. From the GnuWin32 project downloads page, download the two OpenSSL zip files labeled as "src" and "bin" for i386.
To make the process easier, you will also need to download and install the free ActivePerl. Download and install this so you will be able to run Perl scripts on your machine, independently or as scripts on IIS.
Next, unzip both of the OpenSSL packages to temporary folders. From the binaries package "bin" folder, copy the files "openssl.exe" and the two DLLs into the source package's "apps" folder. In the "apps" folder is a file called CA.pl.
Open this perl script in a text editor and change the line $SSLEAY_CONFIG=$ENV{"SSLEAY_CONFIG"}; to read $SSLEAY_CONFIG="-config openssl.cnf";. (Alternatively, you can change the individual occurrences. Change $CA="openssl ca $SSLEAY_CONFIG"; to $CA="openssl ca -config openssl.cnf"; and $REQ="openssl req $SSLEAY_CONFIG"; to $REQ="openssl req -config openssl.cnf";.) Now copy the certreq.txt file you made above into this "apps" directory, and rename it to "newreq.pem".
Next, open a command prompt window in the apps directory, and run the following commands:
perl CA.pl -newca
perl CA.pl -signreq
· Install the Certificate
If all is successful, you should have a file called "newcert.pem" in the "apps" directory, which contains your certificate.
Open this file in a text editor and remove everything before the -----BEGIN CERTIFICATE----- line.
Go back into the "IIS management console"->"Directory Security" tab and click "Server Certificates". In the wizard, select "Process the pending request and install the certificate" and press Next. Browse to and open the newcert.pem file in the "apps" directory. (Note, you will have to set the file filter to "all files" in order to see the .pem file.)
Click Next to complete the process.
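The newcert.pem written by "perl CA.pl -signreq" begins with a human-readable dump of the certificate, and IIS only wants the PEM block that follows it. The helper below, an added example that is not from this post, the somacon guide or OpenSSL, performs that cleanup and checks that what remains is one complete certificate; the sample file contents are constructed, and the base64 body is a minimal DER SEQUENCE placeholder rather than a real certificate.

```javascript
// Added example: keep exactly the first BEGIN/END CERTIFICATE block of a CA.pl output
// file and verify that its body is base64 decoding to a complete DER SEQUENCE, which is
// the outer envelope of every X.509 certificate. Sample input is constructed.

const SAMPLE_NEWCERT_PEM = [
  "Certificate:",
  "    Data:",
  "        Version: 3 (0x2)",
  "        Issuer: C=US, O=Example CA, CN=Example Root",
  "        Subject: C=US, O=Example, CN=localhost",
  "-----BEGIN CERTIFICATE-----",
  "MAMCAQA=", // constructed placeholder: DER SEQUENCE { INTEGER 0 }, not a real certificate
  "-----END CERTIFICATE-----",
  "",
].join("\r\n"); // Windows line endings, as a file edited on XP would have

// Total byte length a DER object declares in its header (short and long length forms).
function derDeclaredLength(der) {
  const first = der[1];
  if (first < 0x80) return 2 + first;
  const n = first & 0x7f; // long form: the next n bytes hold the length
  let len = 0;
  for (let i = 0; i < n; i++) len = len * 256 + der[2 + i];
  return 2 + n + len;
}

// Return only the certificate block (what the "process the pending request" wizard step
// needs), normalised to LF line endings; throw on anything that is not a complete certificate.
function extractPemCertificate(text) {
  const lines = text.split(/\r?\n/);
  const begin = lines.indexOf("-----BEGIN CERTIFICATE-----");
  if (begin < 0) throw new Error("no BEGIN CERTIFICATE line found");
  const end = lines.indexOf("-----END CERTIFICATE-----", begin);
  if (end < 0) throw new Error("no END CERTIFICATE line found");
  const body = lines.slice(begin + 1, end).join("");
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(body)) throw new Error("certificate body is not base64");
  const der = Buffer.from(body, "base64");
  if (der.length < 2 || der[0] !== 0x30) throw new Error("certificate is not a DER SEQUENCE");
  // A truncated copy/paste shows up as a mismatch between declared and actual length.
  if (derDeclaredLength(der) !== der.length) throw new Error("certificate is truncated or padded");
  return lines.slice(begin, end + 1).join("\n") + "\n";
}
```

Run it over the real newcert.pem and write the returned string to a new file to hand to the IIS wizard; the checks reject the two common copy mistakes, a missing BEGIN line and a body cut short.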
That's it! Now you have IIS set up with an SSL certificate.
To turn on SSL, make sure in the "IIS configuration"->"Web Site tab"->"Advanced"->"Multiple SSL identities for this Web Site", you have a default IP address registered on port 443.
If you want to only allow SSL encrypted connections from web browsers, click the "Edit" button in the "Secure Communications" section of the "Directory Security" tab, and check the "Require secure channel (SSL)" checkbox.
· Results of Installing the Certificate in IE
Whenever anyone visits your web server using the https:// prefix in Internet Explorer (6.0), they will see the dialog shown below.
The first sentence of the IE dialog says "Information you exchange with this site cannot be viewed or changed by others", which means that the data is being encrypted. However, because the certificate was not signed by a CA in the trust hierarchy, the warning is displayed. Therefore, this procedure is not recommended for any business collecting sensitive data from the public at large, such as e-commerce. However, for testing and private use, you may find it useful. This certificate could be permanently installed as trusted by the client, and the warning would thereafter be automatically bypassed for that client.
TEXT: Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate. * The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority. * The security certificate has expired or is not yet valid. * The name on the security certificate is invalid or does not match the name of the site.
TEXT: Website Certified by an Unknown Authority, Unable to verify the identity of xyz as a trusted site. Possible reasons for this error: * Your browser does not recognize the Certificate Authority that issued the site's certificate. * The site's certificate is incomplete due to a server misconfiguration. * You are connected to a site pretending to be xyz, possibly to obtain your confidential information.
Step 9: Token-based authentication
Token-based authentication is used for authorization of ArcGIS Server services via the JavaScript API. You have two options:
1. Create a token via the token generation page.
2. Create a token dynamically.
Option 1: Create a token via the token generation page
After you turn on security for your ArcGIS Server installation, you will have access to a token generation page: http://
Step 10: Using the token in your application
Once you have a valid token, add it to your application. You can include the token in your application in one of two ways: include the token in the HTML page, by setting the Token property of the service; or, use a proxy page, and include the token in the configuration for the proxy page. The proxy page option offers a higher level of protection for the token, if implemented correctly. End users do not have access to the token with the proxy page option. Since the token is not sent to the browser, it also prevents the possibility of interception of the token during transmission of the application page (though the token is still sent from your server to the ArcGIS Server service). See Using the proxy page for information on that approach.
To include the token in the HTML page, set the Token property of the task or service. For example, if you are adding an ArcGIS Server map service to the ArcGIS JavaScript API map, you will use the ArcGISTiledMapServiceLayer class to create the layer. The ArcGISTiledMapServiceLayer class takes a URL in its constructor, and you can pass the token by appending it to that URL as the token query parameter. For example:
var token = "5fFo4%2fI4Tv8IGSqSYbpUNORRD%2fYxXMSPopt9CMknpXIjEVqYGm3uuQnU";
var mapServiceURL = "http://premium.arcgisonline.com/ArcGIS/rest/services/ESRI_StreetMap_World_2D/MapServer";
var tiledMapServiceLayer = new esri.layers.ArcGISTiledMapServiceLayer(mapServiceURL + "?token=" + token);
Note the Token in the example above may wrap to multiple lines, but is a single string. The token may also have one or two periods at the end. These periods are part of the token.
Alternatively, you can include the token directly in the URL:
var tiledMapServiceLayer = new esri.layers.ArcGISTiledMapServiceLayer("http://premium.arcgisonline.com/Server/rest/services/ESRI_StreetMap_World_2D/MapServer?token=5fFo4%2fI4Tv8IGSqSYbpUNORRD%2fYxXMSPopt9CMknpXIjEVqYGm3uuQnU");
Each class that communicates with an ArcGIS Server system has a Token property. If you use a combination of multiple tasks or layers, you will need to set the Token property for each. If multiple servers are used, each will require a separate token, even if the user name and password are the same. Services on the same computer can use the same token, unless the services require a different user name and password.
If you are concerned about possible interception of the token during requests from browsers, you may wish to require the use of HTTPS for your application, and to require users to log in to your application. Your token will contain the referrer URL of your application, so normally users could not use the token in a Web application hosted at a different server. However, it is possible to spoof the referrer. Therefore you should assume that if someone intercepts your token, they would be able to use it to gain access to the services used in your application. If you require users to log in and employ HTTPS for your application, then it is much less likely that the token will be intercepted. Using the proxy page is also a way to avoid transmitting the token to and from the browser.
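The rules from steps 7 to 10 (one token per server, shared by the services on that server; https for secured services; the proxy page holding the token instead of the browser) are small enough to put into a helper. The following is an added example, not code from this post or from Esri; the host names and token values are constructed placeholders, and the "proxy.ashx?<target url>" request shape is an assumption about the Esri proxy page linked above.

```javascript
// Added example: attach the right token to an ArcGIS Server REST URL. One token per
// server host (reused for every service on that host), http rewritten to https for
// secured services, and the token appended verbatim because the value copied from the
// token page is already URL-encoded (note the %2f in the post's sample token).

// Constructed sample: placeholder tokens keyed by ArcGIS Server host, not real tokens.
const TOKENS_BY_HOST = {
  "gis.example.com": "TOKENVALUE%2fFORGIS..", // trailing periods are part of the token
  "maps.example.org": "TOKENVALUEFORMAPS",
};

// Token for the server a service URL points at; null means a public service that needs
// none (the "Everyone" role still has access to it).
function tokenForService(serviceUrl, tokensByHost) {
  const host = new URL(serviceUrl).hostname.toLowerCase();
  return Object.prototype.hasOwnProperty.call(tokensByHost, host) ? tokensByHost[host] : null;
}

// URL the request should actually use: secured services go over https (step 8) and carry
// token=...; public services are returned unchanged.
function secureServiceUrl(serviceUrl, tokensByHost) {
  const token = tokenForService(serviceUrl, tokensByHost);
  if (token === null) return serviceUrl;
  const u = new URL(serviceUrl);
  if (u.protocol === "http:") u.protocol = "https:"; // never send the token in clear text
  if (u.hash) throw new Error("fragment not allowed in a service URL");
  // Append the pre-encoded token raw: URLSearchParams would turn %2f into %252f.
  const sep = u.search ? "&" : "?";
  return u.toString() + sep + "token=" + token;
}

// Proxy page variant (step 10): the browser asks proxy.ashx?<target url> and the proxy,
// which alone holds the tokens, attaches them before forwarding, so the token never
// reaches the browser. Assumed request shape; this only computes the forwarded URL.
function proxyForward(proxyRequestUrl, tokensByHost) {
  const q = new URL(proxyRequestUrl).search;
  if (!q.startsWith("?http")) throw new Error("proxy request carries no target URL");
  return secureServiceUrl(q.slice(1), tokensByHost);
}
```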
References:
# Securing Services
http://resources.esri.com/help/9.3/arcgisserver/apis/javascript/arcgis/help/jshelp_start.htm#jshelp/ags_security.htm#HTTP_Authentication
# Implementing SSL, https, certificate
http://webhelp.esri.com/arcgisserver/9.3/dotNet/index.htm#setting_up_ssl.htm
http://weblogs.asp.net/scottgu/archive/2007/04/06/tip-trick-enabling-ssl-on-iis7-using-self-signed-certificates.aspx
http://www.somacon.com/p41.php
# Add multiple instances
http://webhelp.esri.com/arcgisserver/9.3/dotNet/index.htm#multiple_instances_sec.htm
Watch-list:
# A certificate installed via SelfSSL (the IIS 6.0 Resource Kit SelfSSL utility) will expire in 365 days.
# A token generated by https://servername/ArcGIS/tokens/gettoken.html will expire after the value you enter for "Expires in".