Esri European User Conference October 15-17, 2012 | Oslo, Norway Hosted by Esri Official Distributor
Building Secure Applications - Andrew Sakowicz
ArcGIS Server 10.1 security architecture
ArcGIS Server 10.1 Physical architecture - High availability configuration
ArcGIS Server 10.1 security - Logical architecture
[Diagram: Web tier in the DMZ (IIS with the Web Adaptor; HTTPS from the Web and HTTPS into the internal network); Application tier (wizard builder, identity manager); GIS tier on the internal network (ArcGIS Server site, GIS servers, built-in store, service authorization for GIS services); Data tier (enterprise geodatabase) reached over the LAN.]
ArcGIS Server 10.1 security architecture - Single firewall
• Port 80 opened
• GIS and data server reside in the secure internal network
ArcGIS Server 10.1 security architecture - Multiple firewalls
• Ports 80 and 6080 opened
• Web Adaptor acts as a reverse proxy
• GIS and data server reside in the secure internal network
ArcGIS Server 10.1 security architecture - Integrating an existing proxy
• Add your ArcGIS Server site to the proxy directives, e.g. in Apache httpd.conf:
    ProxyPass        /arcgis http://myserver:6080/arcgis
    ProxyPassReverse /arcgis http://myserver:6080/arcgis
• To select your port, install the Web Adaptor on another web server
Securing data - Production and Publication geodatabase
• Pros:
  - Better security
  - Improved performance
  - Additional hardware capacity
• Cons:
  - Requires replication
  - Additional hardware
[Diagram: Editors work in the Production geodatabase (versioned); 1-way replication to the Publication geodatabase (read only, or unregistered as versioned), which serves Viewers.]
Securing data - Internal and external web editing
• Pros:
  - Better security
  - Improved performance
  - Additional hardware capacity
• Cons:
  - Requires replication
  - Additional hardware
[Diagram: Editors work in the Internal geodatabase (versioned); 2-way replication through a Geodata Service to the External geodatabase (versioned), which serves Web editors and Viewers.]
Managing ArcGIS Server users and roles
ArcGIS Server Account
• A domain account is easier to manage
• Update the password with the Configure ArcGIS Server Account utility
Primary Site Administrator
• Specified when you first create a site
• Not an operating system user
• Disable it after configuring an administrator role in the identity store
Primary Site Administrator - Restrict file permissions
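The "disable the primary site administrator once an identity-store admin role exists" step, as an added example (not Esri's code and not from the slides): it logs in to the ArcGIS Server Administrator REST API with an identity-store administrator account, then calls the PSA disable operation. The host, port and credentials are placeholders; the Admin API's generateToken and security/psa/disable endpoints are the documented ones, and the script refuses to send credentials or tokens over anything but HTTPS.

```python
"""Disable the primary site administrator (PSA) through the ArcGIS Server
Administrator REST API, after an administrator role exists in the identity store.

Added example, not Esri's code. Assumptions: the Administrator API is at
https://<host>:6443/arcgis/admin (host, port and credentials below are
placeholders), and the Admin API's generateToken and security/psa/disable
operations are used as documented for ArcGIS Server 10.1.
"""
import json
import urllib.parse
import urllib.request


def require_https(url: str) -> str:
    """Refuse to send credentials or tokens over plain HTTP."""
    if urllib.parse.urlsplit(url).scheme != "https":
        raise ValueError("admin credentials must only be sent over HTTPS: " + url)
    return url


def build_token_request(admin_url: str, username: str, password: str):
    """Return (url, form body) for the Admin API's generateToken call."""
    url = require_https(admin_url.rstrip("/") + "/generateToken")
    body = urllib.parse.urlencode(
        {"username": username, "password": password, "client": "requestip", "f": "json"}
    ).encode()
    return url, body


def build_disable_psa_request(admin_url: str, token: str):
    """Return (url, form body) for the security/psa/disable operation."""
    url = require_https(admin_url.rstrip("/") + "/security/psa/disable")
    body = urllib.parse.urlencode({"token": token, "f": "json"}).encode()
    return url, body


def post_json(url: str, body: bytes) -> dict:
    """POST a form body and decode the JSON reply; raise on an Admin API error object."""
    with urllib.request.urlopen(url, data=body, timeout=30) as resp:
        reply = json.load(resp)
    if "error" in reply:
        raise RuntimeError(json.dumps(reply["error"]))
    return reply


def disable_psa(admin_url: str, admin_user: str, admin_password: str) -> dict:
    """Log in as an identity-store administrator (not the PSA) and disable the PSA.

    Logging in with the identity-store account first proves that account can
    administer the site before the PSA is switched off.
    """
    token = post_json(*build_token_request(admin_url, admin_user, admin_password))["token"]
    return post_json(*build_disable_psa_request(admin_url, token))


if __name__ == "__main__":
    import getpass

    # Placeholder site URL and user name; adjust to your own site.
    print(disable_psa("https://gis.example.com:6443/arcgis/admin",
                      "gisadmin", getpass.getpass("Identity-store admin password: ")))
```

The PSA can be re-enabled later through the matching enable operation with the same token flow, which is why the slides also ask for restricted file permissions on the site: a disabled PSA only helps if the configuration store that holds it cannot be edited directly.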
Supported identity store configurations
• ArcGIS Server authentication
  - Built-in users and roles (token authentication)
  - LDAP or Windows Domain
  - LDAP or Windows Domain and the built-in store
• Web server authentication
  - Any identity store for which the web server has built-in support
What Architecture is Right for Me?

Capability                         | Security Store          | Authentication Tier | Authentication Method    | Application Tier   | Encryption (HTTPS)
-----------------------------------|-------------------------|---------------------|--------------------------|--------------------|-------------------
Single Sign On                     | Active Directory        | Web Tier (IIS)      | Integrated Windows (IIS) | Any w/ SSO Support | Optional
Enterprise Users & Roles           | Active Directory, LDAP  | Any                 | Any                      | Any *              | Recommended
Web Editing                        | Any                     | Any                 | Any                      | Any *              | Recommended
Mobile Applications                | Any                     | Any                 | Any                      | Any *              | Recommended
SharePoint                         | Any                     | Any                 | Any                      | Any *              | Recommended
Enterprise Users & Built In Roles  | Active Directory, LDAP  | Any                 | Any                      | Any *              | Recommended
Linux                              | LDAP, Built-In          | Any                 | Any                      | Any *              | Recommended
ArcGIS Online                      | Any                     | Any                 | Any                      | Any *              | Recommended

* Silverlight & SharePoint require use of the Proxy Page for token management.
ArcGIS Server's built-in store - Roles
ArcGIS Server's built-in store - Users
Demo: Securing services
Web tier single-sign-on at 10.1
[Diagram: LDAP or Windows domain users on the Web sign in once; the Web tier (IIS with the Web Adaptor, in the DMZ) authenticates them against the Active Directory security store and forwards requests over HTTP to the ArcGIS Server site on the internal network, which trusts the Web Adaptor through a shared key; Application tier; GIS tier (GIS servers, service authorization for GIS services); Data tier (enterprise geodatabase) over the LAN.]
LDAP or Windows domain - Authentication tier
• GIS Server tier
  - Esri's proprietary ArcGIS token-based authentication
• Web tier
  - Use single sign-on or a custom authentication mechanism
  - Requires the Web Adaptor
  - HTTP basic and digest
LDAP or Windows domain - Web server authentication
• Requires installing the ArcGIS Web Adaptor
Windows domain - Web tier authentication
• Enable Windows authentication
Generating token
• Automatically manages ArcGIS tokens
• Flex API & Viewer 2.5.1+ (works with ArcGIS 10.0 SP1+)
[Diagram: the Web App obtains a token and calls the token-secured service.]
Generating token - Shared key
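The shared-key idea behind the two preceding slides (token-based authentication at the GIS Server tier, and web-tier single sign-on where the Web Adaptor and the ArcGIS Server site share a key), together with the "only over HTTPS" point of the next slide, as an added example. This is not Esri's code and not the real ArcGIS token format; it is a simplified model: the web tier, having authenticated the user against the domain, mints a short-lived token signed with the shared key, and the GIS tier accepts the token without talking to the domain itself. The shared key, user names and timestamps are constructed.

```python
"""Simplified shared-key token model for web-tier single sign-on.

Added example, not Esri's code and not the actual ArcGIS token format.
Model: web tier = issue_token (after it has authenticated the user),
GIS tier = validate_token (no identity-store lookup needed), client =
secured_request (token only ever travels over HTTPS).
Shared key, users and times are constructed values.
"""
import base64
import binascii
import hashlib
import hmac
import json
from urllib.parse import urlsplit


def b64encode_nopad(raw: bytes) -> str:
    """URL-safe base64 without padding, so the token is query-string friendly."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64decode_nopad(text: str) -> bytes:
    """Inverse of b64encode_nopad; restores the padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(shared_key: bytes, user: str, now: int, ttl_minutes: int = 60) -> str:
    """Web tier: token = payload.mac with mac = HMAC-SHA256(shared_key, payload)."""
    claims = {"user": user, "exp": now + ttl_minutes * 60}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    mac = hmac.new(shared_key, payload, hashlib.sha256).digest()
    return f"{b64encode_nopad(payload)}.{b64encode_nopad(mac)}"


def validate_token(shared_key: bytes, token: str, now: int):
    """GIS tier: return the user name if the MAC verifies and the token is
    unexpired; return None for anything malformed, forged or expired."""
    try:
        payload_b64, mac_b64 = token.split(".")
        payload = b64decode_nopad(payload_b64)
        mac = b64decode_nopad(mac_b64)
        expected = hmac.new(shared_key, payload, hashlib.sha256).digest()
        # Constant-time comparison: verify the MAC before trusting any claim.
        if not hmac.compare_digest(mac, expected):
            return None
        claims = json.loads(payload)
        if now >= int(claims["exp"]):
            return None
        return claims["user"]
    except (ValueError, KeyError, TypeError, binascii.Error):
        return None


def secured_request(service_url: str, token: str) -> dict:
    """Client side: attach the token as the REST API expects, but only over
    HTTPS; a bearer token sent over plain HTTP is as good as a password."""
    if urlsplit(service_url).scheme != "https":
        raise ValueError("token must only be sent over HTTPS: " + service_url)
    return {"url": service_url, "params": {"token": token, "f": "json"}}


if __name__ == "__main__":
    key = b"constructed-shared-key"      # constructed; a real key is random and secret
    tok = issue_token(key, "jdoe", now=1_000_000, ttl_minutes=60)
    print("valid for:", validate_token(key, tok, now=1_000_000 + 10))
    print("after expiry:", validate_token(key, tok, now=1_000_000 + 3600))
    print(secured_request("https://gis.example.com/arcgis/rest/services", tok))
```

Two properties of the real design carry over to the model: a token is only as strong as the secrecy of the shared key (which is why the Web Adaptor and the site exchange it once at registration, not per request), and an expiry claim limits the damage of a leaked token only if every consumer actually checks it.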
Secure Web Applications with HTTPS
Demo: https
Building secure web applications
Building secure applications - ArcGIS Viewer for Flex
Demo: Building secure web applications
Thank you.
[email protected]