English

Problem: ArcGIS resources are inaccessible through HTTPS when the Web Adaptor is deployed on WebLogic

Description

ArcGIS resources are inaccessible through HTTPS when the Web Adaptor is deployed on WebLogic.

Internet Explorer displays the message "HTTP 500 Internal Server Error" when accessing ArcGIS resources through the Web Adaptor. Mozilla Firefox displays the message "Secure Connection Failed - SSL peer cannot verify your certificate".

Cause

By default, when HTTPS is enabled, both ArcGIS for Server and Portal for ArcGIS use an internally generated, self-signed certificate. WebLogic does not recognize these self-signed certificates and terminates HTTPS connections from the Web Adaptor to the ArcGIS Server and Portal applications.

Solution or Workaround

To use HTTPS with the ArcGIS Web Adaptor on WebLogic, either use an SSL (Secure Sockets Layer) certificate issued by a well-known CA (Certificate Authority), or import the self-signed certificate into the WebLogic server's keystore.

  • To enable SSL on ArcGIS for Server using a CA-signed certificate, see Enabling SSL using a CA-signed certificate.
  • To enable SSL on Portal for ArcGIS (versions 10.2 through 10.2.2) using a CA-signed certificate, see Importing a certificate into the portal.

    Starting at Portal for ArcGIS 10.3, SSL management functionality has been added to the Portal Admin site. To enable SSL on Portal for ArcGIS using a CA-signed certificate, see Importing a CA-signed certificate in Portal.
     
  • Import the Portal self-signed certificate, which is present at '<Portal Installation directory>\etc\ssl\portal.ks' into the WebLogic. Follow the steps below.
    1. Run the Java 'keytool' command using the 'exportcert' option to export the certificate used by Portal to a file.
    2. Run the Java keytool command using the 'importcert –trustcacerts' option to import the certificate into the WebLogic keystore.
      For detailed instructions, refer to the WebLogic product documentation.
  • Starting at ArcGIS Web Adaptor for Java version 10.3, SSLv3 is no longer supported to prevent the POODLE vulnerability. As a result, WebLogic Server must also be configured to use TLS instead of SSL. Follow the steps below.
    1. In a text editor, open the {WEBLOGIC_DOMAIN_HOME}/bin/setDomainEnv.sh file.
    2. Edit the 'JAVA_OPTIONS' variable and append the following property at the end:
       -Dweblogic.security.SSL.protocolVersion=TLS1