Closed makariw closed 2 years ago
Hello @makariw,
You can define the following attributes within your json file to import an SSL certificate into portal (7443) and server (6443):
https://github.com/Esri/arcgis-cookbook/tree/master/cookbooks/arcgis-enterprise#server
node['arcgis']['server']['keystore_file'] = Path to PKCS12 keystore file (.pfx) with SSL certificate for ArcGIS Server. Default value is nil.
node['arcgis']['server']['keystore_password'] = Keystore file password for ArcGIS Server. Default value is nil.
node['arcgis']['server']['cert_alias'] = SSL certificate alias for ArcGIS Server. Default alias is composed of these values: node['arcgis']['server']['domain_name'].
https://github.com/Esri/arcgis-cookbook/tree/master/cookbooks/arcgis-enterprise#portal
node['arcgis']['portal']['keystore_file'] = Path to PKCS12 keystore file (.pfx) with SSL certificate for Portal for ArcGIS. Default value is nil.
node['arcgis']['portal']['keystore_password'] = Keystore file password for Portal for ArcGIS. Default value is nil.
node['arcgis']['portal']['cert_alias'] = SSL certificate alias for Portal for ArcGIS. Default alias is composed of these values: node['arcgis']['portal']['domain_name'].
As for the error received, I recommend checking two things. First I would check to see what TLS settings are enabled in IIS. You can use a third-party tool such as IIS Crypto. Perhaps it's set to TLS v1.2 only; I have seen issues where the Web Adaptor silent registration tool fails because of this. Additionally, if you are setting a WebContextUrl property for portal, I recommend checking to ensure the FQDN of the WebContextUrl property is resolvable from both portal and web adaptor node.
Thanks, Cameron K.
Hi Cameron,
I am using arcgis-3.7.0 cookbooks and the json for the primary machine has the
{
  "arcgis": {
    "version": "10.9",
    "run_as_user": "arcgis",
    "run_as_password": "Pa$$w0rdPa$$w0rd",
    "configure_windows_firewall": true,
    "repository": {
      "archives": "C:\\Software\\Archives",
      "setups": "C:\\Software\\Setups"
    },
    "iis": {
      "keystore_file": "C:\\Temp\\keystore.pfx",
      "keystore_password": "change.it",
      "replace_https_binding": true
    },
    "server": {
      "install_dir": "C:\\Program Files\\ArcGIS\\Server",
      "install_system_requirements": true,
      "private_url": "https://domain.com:6443/arcgis",
      "web_context_url": "https://domain.com/server",
      "admin_username": "siteadmin",
      "admin_password": "change.it",
      "authorization_file": "C:\\Software\\AuthorizationFiles\\10.9\\Server.prvc",
      "directories_root": "\\\\FILESERVER\\arcgisserver",
      "log_dir": "C:\\arcgisserver\\logs",
      "log_level": "WARNING",
      "config_store_type": "FILESYSTEM",
      "config_store_connection_string": "\\\\FILESERVER\\arcgisserver\\config-store",
      "wa_name": "server",
      "system_properties": {
        "WebContextURL": "https://domain.com/server"
      }
    },
    "python": {
      "install_dir": "C:\\Python27"
    },
    "data_store": {
      "install_dir": "C:\\Program Files\\ArcGIS\\DataStore",
      "install_system_requirements": true,
      "data_dir": "C:\\arcgisdatastore",
      "preferredidentifier": "hostname",
      "types": "tileCache,relational",
      "tilecache": {
        "backup_type": "fs",
        "backup_location": "\\\\FILESERVER\\arcgisbackup\\tilecache"
      },
      "relational": {
        "backup_type": "fs",
        "backup_location": "\\\\FILESERVER\\arcgisbackup\\relational"
      }
    },
    "portal": {
      "install_dir": "C:\\Program Files\\ArcGIS\\Portal",
      "install_system_requirements": true,
      "admin_username": "siteadmin",
      "admin_password": "change.it",
      "admin_email": "admin@mydomain.com",
      "admin_full_name": "Administrator",
      "admin_description": "Initial account administrator",
      "security_question": "Your favorite ice cream flavor?",
      "security_question_answer": "bacon",
      "data_dir": "C:\\arcgisportal",
      "log_dir": "C:\\arcgisportal\\logs",
      "log_level": "WARNING",
      "content_store_type": "fileStore",
      "content_store_provider": "FileSystem",
      "content_store_connection_string": "\\\\FILESERVER\\arcgisportal\\content",
      "object_store": "",
      "authorization_file": "C:\\Software\\AuthorizationFiles\\10.9\\Portal.json",
      "user_license_type_id": "",
      "wa_name": "portal",
      "system_properties": {
        "privatePortalURL": "https://domain.com:7443/arcgis",
        "WebContextURL": "https://domain.com/portal"
      }
    },
    "web_adaptor": {
      "admin_access": true,
      "reindex_portal_content": false
    }
  },
  "run_list": [
    "recipe[arcgis-enterprise::system]",
    "recipe[arcgis-enterprise::disable_loopback_check]",
    "recipe[esri-iis]",
    "recipe[arcgis-enterprise::install_portal]",
    "recipe[arcgis-enterprise::webstyles]",
    "recipe[arcgis-enterprise::portal]",
    "recipe[arcgis-enterprise::portal_wa]",
    "recipe[arcgis-enterprise::server]",
    "recipe[arcgis-enterprise::server_wa]",
    "recipe[arcgis-enterprise::datastore]",
    "recipe[arcgis-enterprise::federation]"
  ]
}
Where do I set the SSL certs for both Portal and Server? Should I be using a different version of the cookbooks?
Thanks @makariw for providing the cookbook version and json file being used. You are using the latest\recommended cookbook and json file.
node['arcgis']['server']['keystore_file'] = Path to PKCS12 keystore file (.pfx) with SSL certificate for ArcGIS Server. Default value is nil.
node['arcgis']['server']['keystore_password'] = Keystore file password for ArcGIS Server. Default value is nil.
node['arcgis']['server']['cert_alias'] = SSL certificate alias for ArcGIS Server. Default alias is composed of these values: node['arcgis']['server']['domain_name'].
Example:
"server": {
  "install_dir": "C:\\Program Files\\ArcGIS\\Server",
  "install_system_requirements": true,
  "private_url": "https://domain.com:6443/arcgis",
  "web_context_url": "https://domain.com/server",
  "admin_username": "siteadmin",
  "admin_password": "change.it",
  "authorization_file": "C:\\Software\\AuthorizationFiles\\10.9\\Server.prvc",
  "directories_root": "\\\\FILESERVER\\arcgisserver",
  "log_dir": "C:\\arcgisserver\\logs",
  "log_level": "WARNING",
  "config_store_type": "FILESYSTEM",
  "config_store_connection_string": "\\\\FILESERVER\\arcgisserver\\config-store",
  "wa_name": "server",
  "system_properties": {
    "WebContextURL": "https://domain.com/server"
  },
  "keystore_file": "C:\\Temp\\keystore.pfx",
  "keystore_password": "change.it",
  "cert_alias": "domain.com"
},
node['arcgis']['portal']['keystore_file'] = Path to PKCS12 keystore file (.pfx) with SSL certificate for Portal for ArcGIS. Default value is nil.
node['arcgis']['portal']['keystore_password'] = Keystore file password for Portal for ArcGIS. Default value is nil.
node['arcgis']['portal']['cert_alias'] = SSL certificate alias for Portal for ArcGIS. Default alias is composed of these values: node['arcgis']['portal']['domain_name'].
Example:
"portal": {
  "install_dir": "C:\\Program Files\\ArcGIS\\Portal",
  "install_system_requirements": true,
  "admin_username": "siteadmin",
  "admin_password": "change.it",
  "admin_email": "admin@mydomain.com",
  "admin_full_name": "Administrator",
  "admin_description": "Initial account administrator",
  "security_question": "Your favorite ice cream flavor?",
  "security_question_answer": "bacon",
  "data_dir": "C:\\arcgisportal",
  "log_dir": "C:\\arcgisportal\\logs",
  "log_level": "WARNING",
  "content_store_type": "fileStore",
  "content_store_provider": "FileSystem",
  "content_store_connection_string": "\\\\FILESERVER\\arcgisportal\\content",
  "object_store": "",
  "authorization_file": "C:\\Software\\AuthorizationFiles\\10.9\\Portal.json",
  "user_license_type_id": "",
  "wa_name": "portal",
  "system_properties": {
    "privatePortalURL": "https://domain.com:7443/arcgis",
    "WebContextURL": "https://domain.com/portal"
  },
  "keystore_file": "C:\\Temp\\keystore.pfx",
  "keystore_password": "change.it",
  "cert_alias": "domain.com"
},
One additional thing that could be causing the portal web adaptor registration to fail is the silent webadaptor config utility does a url validation check on either the portal privatePortalURL and/or portal WebContextURL. If this validation check fails then portal web adaptor registration will fail with a similar error that you are receiving.
For the portal privatePortalURL property are you specifying the internal hostname of the portal machine with port 7443 or using an internal load balancer?
For the portal WebContextURL property, are you specifying an external reverse proxy, load balancer, or web adaptor url?
It's very possible that the ArcGIS Web Adaptor silent configure tool is not able to validate either of those properties. One way to test this is to see if manually configuring the web adaptor succeeds via the web browser (the web browser tool does not do the same url validation check as the silent tool).
Can also try manually running the following command in Windows cmd (as an Administrator):
"C:\Program Files (x86)\Common Files\ArcGIS\WebAdaptor\IIS\10.9\Tools\ConfigureWebAdaptor.exe" /m portal /w "https://MACHINENAME/portal/webadaptor" /g "https://MACHINENAME:7443" /u "portaladmin_user" /p "password" /r false
I suspect this command will fail. If it does then perhaps one workaround would be to temporarily add an etc/hosts entry pointing the web adaptor machine's ipv4 address to the FQDN of the WebContextURL. This may trick the tool and allow the url validation check to succeed.
Or if you don't want to add an etc/host entry then another option would be to temporarily remove the portal privatePortalURL and WebContextURL from portaladmin system properties (and json file), which will allow the web adaptor registration to complete. Once web adaptor is registered can put them back.
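An added example, not part of the thread or of the cookbook: a Ruby pre-flight check over the role JSON that reports a `server` or `portal` block with no `keystore_file`/`keystore_password`, and any host in the URL attributes that does not resolve from the node where it runs. The sample JSON is constructed from the snippets above; `preflight`, `url_hosts` and the injectable `resolver` are hypothetical names.

```ruby
require 'json'
require 'uri'
require 'resolv'

# Added example; helper names are hypothetical, not cookbook APIs.
# Constructed sample, trimmed from the JSON posted in this thread.
SAMPLE_NODE_JSON = <<~'JSON'
  {"arcgis": {
    "server": {"private_url": "https://domain.com:6443/arcgis",
               "web_context_url": "https://domain.com/server",
               "keystore_file": "C:\\Temp\\keystore.pfx",
               "keystore_password": "change.it"},
    "portal": {"system_properties": {
      "privatePortalURL": "https://domain.com:7443/arcgis",
      "WebContextURL": "https://lb/portal"}}
  }}
JSON

URL_KEYS = %w[private_url web_context_url privatePortalURL WebContextURL].freeze

# Collect the host part of every URL attribute, at any nesting depth.
def url_hosts(value, found = [])
  return found unless value.is_a?(Hash)
  value.each do |key, val|
    found << URI.parse(val).host if URL_KEYS.include?(key) && val.is_a?(String)
    url_hosts(val, found)
  end
  found.compact.uniq
end

# Returns a list of findings; `resolver` is injectable so the check can be tested offline.
def preflight(json_text, resolver: ->(host) { Resolv.getaddress(host) })
  arcgis = JSON.parse(json_text).fetch('arcgis')
  findings = []
  %w[server portal].each do |role|
    attrs = arcgis[role]
    next unless attrs.is_a?(Hash)
    # Both attributes default to nil per the attribute descriptions quoted above.
    missing = %w[keystore_file keystore_password].select { |k| attrs[k].to_s.empty? }
    findings << "#{role}: #{missing.join(', ')} not set" unless missing.empty?
  end
  url_hosts(arcgis).each do |host|
    resolver.call(host)
  rescue Resolv::ResolvError, SocketError
    findings << "#{host}: does not resolve from this node"
  end
  findings
end
```

Run `preflight(File.read(path))` on both the portal and the web adaptor machine, since name resolution can differ between them.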
Hi,
Thanks for the feedback I will try this and let you know the results.
Hi Cameron,
I managed to get the install in the primary machine to complete successfully by setting the privatePortalURL to https://machinename:7443/arcgis and the WebContextURL to https://machinename/portal.
However, I still need to set the WebContextURL to the load balancer URL i.e. https://lb/portal as ESRI Portal will be accessed via the load balancer by our customers. What is the best way of doing this after running the install?
On the primary machine I can successfully login into ESRI Portal from the Start menu i.e. Start > ArcGIS > ESRI Portal for ArcGIS. However, if I try to run ArcGIS Server Manager from Start > ArcGIS > ArcGIS Server Manager I get the following error "Invalid redirect_uri Error: 400". Is there a way round this issue?
It seems the only way I can run ArcGIS Server Manager on the primary machine is to go directly to https://primarymachinename:6443/arcgis.
I have also successfully run the install on the standby machine.
I have also hit a couple of issues on the standby machine though. Running ESRI Portal from the Start menu is fine. However, I get "Invalid redirect_uri Error: 400" when I try to run ArcGIS Server Manager from the Start menu.
Trying to run ArcGIS Server Manager by going directly to https://standbymachine:6443/arcgis does not work either. I get prompted for my credentials and after inputting them it hangs on "Please wait..." and never logs into ArcGIS Server Manager.
Any pointers on how I can fix these issues will be much appreciated.
Hi,
Any comments on the above?
Hi @makariw,
I believe the issue is with the Web Adaptor command line registration tool. When WebContextURL property is set to https://lb/portal the web adaptor command line tool is likely doing a url check of some kind on the lb url which is failing. As a workaround perhaps could try adding a temporary etc/host entry (on the machine where the web adaptor is being registered) pointing the local ipv4 address to the lb dns alias that is set for WebContextURL. Once the registration of Web Adaptor is complete you should then be able to remove the etc/host entry.
As for the other error "Invalid redirect_uri Error: 400" when accessing ArcGIS Server Mgr, please check out the solution for Scenario 1. You will need to add any/all hostnames that are not listed in the redirect url list.
https://support.esri.com/en/technical-article/000015445
I believe the link from Start Menu refers to "https://localhost:6443/arcgis/manager", so the "Invalid redirect_uri Error: 400" is happening because "localhost" is not a part of the default redirect uri list.
And as for https://standbymachine:6443/arcgis not working it could be due to the following:
When you federate a highly available ArcGIS Server site with your ArcGIS Enterprise portal, set Administration URL to a URL that the portal can use to communicate with all servers in the site. This applies even when a URL is unavailable, such as a load balancer URL.
Also be aware that using a load balancer URL affects the way you connect to ArcGIS Server Manager. For example, if you federate using a load balancer URL, you must connect to Server Manager using the load balancer; you cannot use the default Server Manager URL of https://gisserver.domain.com:6443/arcgis/manager.
Thanks, Cameron K.
Hello @makariw,
I wanted to follow up to see if the information I provided in the previous post was helpful?
Also, as an FYI there were improvements made with the ArcGIS Web Adaptor command line registration tool at 10.9.1, so this situation can be avoided starting with 10.9.1+ and cookbook v3.8.0.
Thanks, Cameron K.
I am running the install ESRI Enterprise with HA as documented here
https://github-wiki-see.page/m/Esri/arcgis-cookbook/wiki/Deploy-a-highly-available-ArcGIS-Enterprise
on Windows 2016 with 4 cores
The process is failing with error message below
I can browse to https://MACHINENAME/portal/webadaptor and it resolves as expected.
https://MACHINENAME:7443 does not resolve successfully as ESRI Portal is using a self-signed cert on this port. In arcgis-enterprise-primary.json
"arcgis": {
  "version": "10.9",
  "run_as_user": "arcgisadmin",
  "run_as_password": "password",
  "configure_windows_firewall": true,
  "repository": {
    "archives": "C:\\Software\\Archives",
    "setups": "C:\\Software\\Setups"
  },
  "iis": {
    "keystore_file": "C:\\Software\\Certificates\\gis01v.pfx",
    "keystore_password": "password",
    "replace_https_binding": true
  },
gis01v.pfx is a domain cert that is successfully bound on the IIS web server for https communication.
Ideally I would like to use this domain cert in both ArcGIS Server and Portal for ArcGIS.
Is there a recipe that imports the domain cert into both ArcGIS Server and Portal for ArcGIS?
Generated at 2021-09-03 13:13:54 +0000
Mixlib::ShellOut::ShellCommandFailed: arcgis_enterprise_webadaptor[Configure Web Adaptor with Portal] (arcgis-enterprise::portal_wa line 22) had an error: Mixlib::ShellOut::ShellCommandFailed: Expected process to exit with [0], but received '1'
---- Begin output of "C:\Program Files (x86)\Common Files\ArcGIS\WebAdaptor\IIS\10.9\Tools\ConfigureWebAdaptor.exe" /m portal /w "https://MACHINENAME/portal/webadaptor" /g "https://MACHINENAME:7443" /u "portaladmin_user" /p "password" /r false ----
STDOUT: ERROR: Unable to connect to PortalURL : https://MACHINENAME:7443
STDERR:
Any suggestions on how I can resolve this issue?