Hosted by Esri
Official Distributor
Building Secure Applications
Andrew Sakowicz
Esri European User Conference October 15-17, 2012 | Oslo, Norway
ArcGIS Server 10.1 security architecture
ArcGIS Server 10.1 Physical architecture - High availability configuration
[Diagram; surviving label: GIS Tier]
ArcGIS Server 10.1 security Logical architecture
[Diagram. Labels: Web Tier, Application Tier, GIS Tier, Data Tier; DMZ, Internal Network; Web, HTTPS, LAN; IIS, Web Adaptor; GIS Servers, ArcGIS Server Site, GIS Services, Service Authorization, Built-in store; Wizard builder, Identity manager; Enterprise Geodatabase]
ArcGIS Server 10.1 security architecture - Single firewall
• Port 80 opened
• GIS and data servers reside in the secure internal network
ArcGIS Server 10.1 security architecture - Multiple firewall
• Ports 80 and 6080
• Web Adaptor acts as a reverse proxy
• GIS and data servers reside in the secure internal network
ArcGIS Server 10.1 security architecture - Integrating an existing proxy
• Add your ArcGIS Server site to proxy directives, e.g. Apache httpd.conf:
    ProxyPass /arcgis http://myserver:6080/arcgis
    ProxyPassReverse /arcgis http://myserver:6080/arcgis
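The check below is an added example, not part of the original slides or of Esri's tooling: a small Python audit of an httpd.conf fragment built around the two directives above. The sample file, the /gis path and otherserver are constructed, and the ProxyRequests check goes beyond the slide: a reverse proxy should leave forward proxying off.

```python
import re

# Constructed httpd.conf fragment: the slide's two directives plus two lines to flag.
SAMPLE_CONF = """\
ProxyRequests On
ProxyPass /arcgis http://myserver:6080/arcgis
ProxyPassReverse /arcgis http://myserver:6080/arcgis
ProxyPass /gis http://otherserver:6080/arcgis
"""

DIRECTIVE = re.compile(r"^(ProxyPassReverse|ProxyPass|ProxyRequests)\s+(.+)$", re.I)


def audit_proxy_conf(text):
    """Return sorted (line_number, message) findings for reverse-proxy directives."""
    forward, reverse, findings = {}, {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        match = DIRECTIVE.match(raw.strip())
        if not match:  # comments, blank lines and unrelated directives
            continue
        name, args = match.group(1).lower(), match.group(2).split()
        if name == "proxyrequests":
            # A reverse proxy should not also relay arbitrary outbound requests.
            if args[0].lower() == "on":
                findings.append((lineno, "ProxyRequests On enables forward proxying"))
        elif len(args) < 2:
            findings.append((lineno, f"{match.group(1)} needs a path and a backend URL"))
        elif name == "proxypass" and args[1] != "!":  # "!" excludes a path
            forward[args[0]] = (lineno, args[1])
        elif name == "proxypassreverse":
            reverse[args[0]] = args[1]
    for path, (lineno, backend) in forward.items():
        # Without the matching reverse mapping, redirect Location headers keep
        # the internal host and port (myserver:6080 in the slide's example).
        if reverse.get(path) != backend:
            findings.append((lineno, f"ProxyPass {path} has no matching ProxyPassReverse"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, message in audit_proxy_conf(SAMPLE_CONF):
        print(f"line {lineno}: {message}")
```

The slide's own pair passes cleanly; if both directives are run together on one line, the ProxyPass entry is reported as unmatched.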
ArcGIS Server 10.1 security architecture - Integrating an existing proxy
• To select your port, install the Web Adaptor on another web server
Securing data - Production and Publication geodatabase
• Pros:
  - Better security
  - Improved performance
  - Additional hardware capacity
• Cons:
  - Requires replication
  - Additional hardware
[Diagram. Labels: Editors; Production (Versioned GDB); 1-Way Replication or unregister as versioned; Publication (Read only); Viewers]
Securing data - Internal and external web editing
• Pros:
  - Better security
  - Improved performance
  - Additional hardware capacity
• Cons:
  - Requires replication
  - Additional hardware
[Diagram. Labels: Editors; Internal (Versioned GDB); 2-Way Replication Geodata Service; External (Versioned GDB); Web editors; Viewers]
Managing ArcGIS Server users and roles
ArcGIS Server Account
• Domain account easier to manage
• Update password with Configure ArcGIS Server Account utility
Primary Site Administrator
• Specify when you first create a site
• Not an operating system user
• Disable after configuring admin role in identity store
Primary Site Administrator - Restrict file permissions
Supported identity store configurations
• ArcGIS Server authentication
  - Built-in users and roles (token authentication)
  - LDAP or Windows Domain
  - LDAP or Windows Domain and the built-in store
• Web server authentication
  - Any identity store for which the web server has built-in support
What Architecture is Right for Me?
Capability | Security Store | Authentication Tier | Authentication Method | Application Tier | Encryption (HTTPS)
Single Sign On | Active Directory | Web Tier (IIS) | Integrated Windows (IIS) | Any w/ SSO Support | Optional
Enterprise Users & Roles | Active Directory, LDAP | Any | Any | Any * | Recommended
Web Editing | Any | Any | Any | Any * | Recommended
Mobile Applications | Any | Any | Any | Any * | Recommended
SharePoint | Any | Any | Any | Any * | Recommended
Enterprise Users & Built In Roles | Active Directory, LDAP | Any | Any | Any * | Recommended
Linux | LDAP, Built-In | Any | Any | Any * | Recommended
ArcGIS Online | Any | Any | Any | Any * | Recommended
* Silverlight & SharePoint require use of Proxy Page for token management.
ArcGIS Server's built-in store
ArcGIS Server's built-in store - Roles
ArcGIS Server's built-in store - Users
Demo: Securing services
Web tier single-sign-on at 10.1
[Diagram. Labels: Web Tier, Application Tier, GIS Tier, Data Tier; DMZ, Internal Network; Web, HTTP, LAN; Single sign-on; IIS, Web Adaptor; Shared key; GIS Servers, ArcGIS Server Site, GIS Services, Service Authorization; Enterprise Geodatabase]
Active Directory security store
LDAP or Windows domain users
LDAP or Windows domain - Authentication Tier
• GIS Server Tier
  - Esri's proprietary ArcGIS token-based authentication
• Web Tier
  - Use single sign-on or a custom authentication mechanism
  - Requires Web Adaptor
  - HTTP basic and digest
LDAP or Windows domain - Web server authentication
• Requires installing the ArcGIS Web Adaptor
Windows domain – web tier authentication
Enable Windows authentication
Generating token
• Automatically manages ArcGIS tokens
• Flex API & Viewer 2.5.1+ (works with ArcGIS 10.0 SP-1+)
[Diagram. Labels: Web App; Token Secured Service; Token Secured Service]
Generating token - Shared key
Secure Web Applications with HTTPS
Demo: HTTPS
Building secure web application
Building secure applications - ArcGIS Viewer for Flex
Demo: Building secure web applications
Thank you.