Esri UC 2014 | Technical Workshop
Securing Your ArcGIS Server Services: An Introduction
David Cordes & Derek Law
Esri – Redlands, CA
Copyright Esri ©2014 – All Contents property of Esri
Agenda
• Security in the context of ArcGIS for Server
• Background concepts
• Access
• Authentication
• Authorization: securing web services
• ArcGIS for Server + Portal for ArcGIS
• Encryption and certificates
• Security architectures
• Summary
ArcGIS for Server Security
• Protect your assets
• Control access and set permissions
Review: ArcGIS for Server Architecture (10.1 and later releases)
[Diagram: ArcGIS Server site – GIS Server, service directories, Manager, Server Administrator API (http://6080), Primary Site Administrator (PSA), ArcGIS account (OS level), data, server directories, configuration store]
ArcGIS for Server Access
• User → Valid login to access
• Role → Grouping of users
- 3 types
1. Administrators – Full admin control
2. Publishers – Publish web services
3. Users – View web services
• Identity store → Defines your users and roles
- User store + Role store
ArcGIS for Server: User considerations
• Where are your users coming from?
- Determines which type of identity store you should use
• Intranet → Windows Active Directory or LDAP
• Internet → Built-in or custom
[Diagram: identity store; internal vs. external users relative to the organization's IT network]
ArcGIS for Server: Role considerations
• How much control do I have on my ArcGIS Server site?
- Managed by me, within my Dept? or
- Managed by my organization’s IT Dept
• May affect where you define your roles
[Diagram: built-in identity store vs. enterprise identity store (LDAP)]
ArcGIS for Server: Identity Store
• Identity Store → Defines your users and roles
• 3 different options
1. Built-in (default)
2. Register with an enterprise identity store
- Windows Active Directory
- LDAP
3. “Mixed mode”
- Users from enterprise identity store
- Roles from built-in store
Demo: ArcGIS Server Manager
• Show users and roles
Authentication Tier/Method
• Authentication → Check and verify user identity
• 2 options
1. GIS Tier
- Uses tokens to authenticate
2. Web Tier
- Uses HTTP authentication
- E.g., Basic, Digest, Integrated Windows, Client certificates, and Custom
Review 2: ArcGIS Server Architecture
Other components of a Server site:
• ArcGIS Server site
• + Identity store
• + 3rd party web server
• + Web Adaptor
[Diagram: GIS Server, server directories, configuration store, identity store, web server, Web Adaptor]
ArcGIS for Server – Web Adaptor
• Enables ArcGIS Server to work with a 3rd party web server
- E.g., IIS, WebSphere, etc.
• Leverage web server features
• Provides more flexibility to control site access
• Conceptually like a reverse proxy
[Diagram: client → Web Server + Web Adaptor (http://80) → GIS Server (http://6080) inside the GIS site]
GIS Tier Authentication
• GIS Server checks credentials
• Token → Unique identifier sent from Server to client to identify an interaction session
[Diagram: 1. Credentials sent to GIS server; 2. Checked with ID store; 3. Esri token sent back to client]
Web Tier Authentication
• Web server checks credentials
• Must use Web Adaptor
• HTTP authentication
[Diagram: 1. Credentials checked with ID store by the web server; 2. Role sent to Web Adaptor; 3. Role sent to GIS server]
GIS Tier vs. Web Tier Authentication
                              GIS Tier / Token               Web Tier / HTTP Auth
Default                       Yes                            No
Public / anonymous possible   Yes                            Yes
Clients                       Clients supporting Esri tokens All, including OGC
Requirements                  Enable SSL                     Web Adaptor(s) required
                                                             Basic – require SSL
                                                             Digest – special setup
                                                             IWA – Windows only
Demo: ArcGIS Server Manager
• Show how to set up authentication in the wizard
• Show IIS configuration of Web Adaptor
Securing GIS Web Services
• Set permissions for roles on folders and services
- Administrators/Publishers grant permissions
• All new services are public by default
- Anonymous access
• Can specify whether folders require HTTPS
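The token flow from GIS Tier Authentication and the "public by default" point above, as an added Python example that is not part of the workshop or Esri's own tooling: it builds the GIS-tier generateToken request only over HTTPS (the "Enable SSL" requirement) and classifies each service's Admin API permissions document to flag services still open to esriEveryone. The Admin REST API paths and JSON field names are assumptions taken from the public Admin API reference, and the sample documents are constructed.

```python
"""Audit ArcGIS Server services for anonymous access (esriEveryone allowed).
Added example, not Esri's code. Assumed Admin REST API shapes:
  POST <admin>/generateToken                         (GIS-tier token)
  GET  <admin>/services/<folder/name.type>/permissions?f=json
Field names (principal, permission.isAllowed) follow the Admin API
reference as I read it; check them against your release."""
import json
import urllib.parse
import urllib.request

EVERYONE = "esriEveryone"  # built-in principal meaning "anonymous / any user"

def token_request(admin_url, username, password, expiration_min=60):
    """Build the generateToken POST; never send credentials over plain HTTP."""
    if not admin_url.lower().startswith("https://"):
        raise ValueError("GIS-tier tokens require SSL: use an https:// admin URL")
    body = urllib.parse.urlencode({
        "username": username, "password": password, "client": "requestip",
        "expiration": expiration_min, "f": "json"}).encode()
    return urllib.request.Request(admin_url.rstrip("/") + "/generateToken",
                                  data=body, method="POST")

def classify(perms_doc):
    """'anonymous' if esriEveryone is allowed, 'restricted' if only named roles
    are; 'admin-only' if nothing is allowed (assumption: admins always pass)."""
    allowed = {p["principal"] for p in perms_doc.get("permissions", [])
               if p.get("permission", {}).get("isAllowed")}
    if EVERYONE in allowed:
        return "anonymous"
    return "restricted" if allowed else "admin-only"

def audit(perms_by_service):
    """Map service -> verdict so the 'anonymous' ones can be reviewed."""
    return {name: classify(doc) for name, doc in perms_by_service.items()}

def fetch_permissions(admin_url, service, token):
    """Live lookup for one service, e.g. 'Planning/Parcels.MapServer' (not run here)."""
    url = f"{admin_url.rstrip('/')}/services/{service}/permissions?f=json&token={token}"
    with urllib.request.urlopen(url) as resp:
        return json.load(resp)

# Constructed sample documents shaped like the Admin API permissions resource.
SAMPLE = {
    "Roads.MapServer": {"permissions": [          # fresh service: public by default
        {"principal": EVERYONE, "permission": {"isAllowed": True}}]},
    "Parcels.MapServer": {"permissions": [        # secured: everyone denied, one role allowed
        {"principal": EVERYONE, "permission": {"isAllowed": False}},
        {"principal": "Assessors", "permission": {"isAllowed": True}}]},
}
```

Folder-level permissions are inherited by the services inside them, so run the audit over the service list the Admin API returns rather than over a hand-written set of names.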
Demo: ArcGIS Server Manager
• Show securing a web service
• Show accessing a secured service in a client application
ArcGIS for Server + Portal for ArcGIS
• You can federate an ArcGIS Server site with Portal for ArcGIS
• Federated server → Server site uses Portal’s identity store
[Diagram: federated server – the ArcGIS Server site's own identity store is crossed out; Web Server + Web Adaptor front the server; Portal for ArcGIS supplies the identity store]
Hypertext Transfer Protocol Secure (HTTPS)
Should you be using HTTPS? Yes!
Do I need to get a CA-signed certificate for ArcGIS Server or Portal?
No, just for your reverse proxy or Web Adaptor.
[Diagram: Web Server + Web Adaptor in front of GIS Server and Portal for ArcGIS]
What do you need to do if you need a certificate?
1. Generate a CSR
2. Send CSR for signing
3. Import signed certificate
Security Architecture – Introduction
• Deployment of machines and components
• Demilitarized Zone (DMZ) → a physical or logical subnetwork that contains and exposes an organization's external-facing services to a larger and untrusted network, usually the Internet
• Applies to both internal-only and Internet-facing sites
Internal Oriented Security Architecture
• Pros
- Fast to set up
- Easy to manage
• Cons
- Exposes internal network
- Less controlled
[Diagram: ports 7080/7443, 6080/6443, 80 / 443]
External Oriented Security Architecture
• Pros
- Limited internal exposure
- Highly controlled
• Cons
- Data management issues
- Risk to LDAP/AD
[Diagram: ports 389 / 636 (LDAP/AD)]
Hybrid Security Architecture
• Pros
- Limited internal exposure
- Controlled
- Data easier to manage
• Cons
- Risk to database
- Risk to LDAP/AD
[Diagram: RDBMS port]
10.3 Hybrid Security Architecture
• Pros
- Limited internal exposure
- Highly controlled
- Single point into your LDAP or Active Directory
- Easy data management
• Cons
- Some database risk
- Requires 10.3
- Requires Portal
[Diagram: port 389 / 636 (LDAP/AD)]
Security Architecture for Multiple Organizations
• Scenario:
- You are a multinational
- You work closely with another company that you own, a subsidiary
- You work closely with a competitor through a joint venture
- People from the subsidiary and joint venture need access
Summary
• Security in the context of ArcGIS for Server
• Background concepts
• Access
• Authentication
• Authorization: securing web services
• ArcGIS for Server + Portal for ArcGIS
• Encryption and certificates
• Security architectures
• Summary
Thank you…
• Please fill out the session survey:
- First Offering ID: 658
- Second Offering ID: 1129
- Online – www.esri.com/ucsessionsurveys
- Paper – pick up and put in drop box
Other Security sessions
• Designing an Enterprise GIS Security Strategy
- Thurs July 15, 8:30 – 9:45 am, Room 31C
• Securing Your ArcGIS Server Services: Advanced
- Thurs July 15, 1:30 – 2:45 pm, Ballroom 6E
• Please complete survey: www.esri.com/ucsessionsurveys
- Session ID: 1129