How To: Configure ArcIMS to work with HTTPS
Instructions provided describe how to configure ArcIMS to work with HTTPS. HTTPS is a secure protocol for communicating between a Web server and a Web client. Most parts of ArcIMS require no additional configuration when HTTPS is being used. The instructions cover the areas where additional configuration is required for ArcIMS and assume that HTTPS has already been successfully configured on the Web server.
In an HTTPS transaction, a Web server sends the Web client a server certificate that both identifies the server and gives the Web client a means to encrypt information it receives. To identify itself, the server refers to a Certifying Authority that can vouch for it.
- Configure the Web server to serve HTTPS pages and verify that a Web browser can view pages on your secure site.
- Try logging into ArcIMS Administrator. When specifying the connection site, verify that https:// precedes the URL. If this works, skip ahead to Step 4. If this does not work, go to the next step.
- ArcIMS Administrator and Designer use Java to connect to HTTPS sites. If the Java installation does not trust the certifying authority that created the Web server's HTTPS certificate, the connection fails. To configure Java to trust the Certifying Authority that issued the SSL Server Certificate used on the Web server, complete the following steps.
EXPORT YOUR CERTIFYING AUTHORITY ROOT CERTIFICATE
Skip steps A through I if a certifying authority root certificate is already available.
A. Start Internet Explorer.
B. Select Tools menu > Internet Options.
C. Click the Content tab.
D. Click the Certificates button.
E. Click the Trusted Root Certification Authorities tab.
F. Select the organization that issued the server certificate from the list. For example, the Department of Defense issues most military-server certificates.
G. Click the Export button.
H. Select the Base-64 encoded X.509 (.CER) format from the Certificate Export Wizard.
I. Give the output file a name and save it.
IDENTIFY THE CORRECT JAVA INSTALLATION
J. If ArcIMS is installed on Windows, click the Start button and navigate to Program Files > ArcGIS > ArcIMS. Right-click the Administrator option and select Properties. The Java installation can be determined by looking at the Target box. In most cases it will be at ...\ArcGIS\ArcIMS\Jre
K. If ArcIMS is installed on UNIX, the Java installation used is the value of the $JAVA_HOME variable.
TRUST THE CERTIFYING AUTHORITY CERTIFICATE
L. Open a command prompt and change to the Java installation's bin directory.
M. Run the keytool utility to add the certificate exported in Step 3I. The syntax looks something like this:
keytool -import -trustcacerts -alias MyCertifyingAuthority -file c:\temp\getcacert.cer -keystore "c:\Program Files\ArcGIS\ArcIMS\Jre\lib\security\cacerts"
-- trustcacerts: indicates that the cacerts keystore will be edited;
-- alias: can be any alphanumeric value, preferably something recognizable;
-- file: the full path to the *.cer file;
-- keystore: the full path to the cacerts file.
Values that include file pathnames, such as those for -file and -keystore, may need to be in quotes.
N. Type "changeit" when prompted for a password.
- CHANGE DEFAULT MAP SERVICE SETTINGS, otherwise called SITE PROPERTIES:
A. Log into Administrator.
B. From the View menu select Site Properties.
C. For HTTP Location, verify that the location starts with https://.
D. On the Server Output tab verify that the HTTP Location (URL) starts with https://.
CHANGE THE OUTPUT OF EXISTING SERVICES
E. For each ImageServer or ArcMap Image Server service, select Properties from the Service menu.
F. In the Properties dialog box for each service, change the HTTP Location (URL) so that each URL starts with https://.
G. After making all changes in Administrator, select Save Site Configuration from the toolbar.
- UPDATE HTML VIEWER WEB SITES
A. For each HTML Viewer Web site, open the ArcIMSParam.js file located in the Web site's folder and change the imsURL and imsOVURL variables so that their values start with https://
UPDATE JAVA VIEWER WEB SITES
B. For each Java Viewer Web site, open the default.axl and change all IMAGESERVERWORKSPACE tags so that the url attribute's value starts with https.
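
For the UNIX case in step K, the keytool import in steps L through N can be gated on a check that the exported Base-64 .CER file really is the root certificate you expect before it is added to cacerts. The sh script below is an added example, not part of the original article or of Esri's tooling; the function names, the use of GNU coreutils (base64, sha256sum), and an expected SHA-256 fingerprint obtained from the certifying authority out-of-band are assumptions.

```sh
#!/bin/sh
# Added example (not Esri's code). Assumes GNU coreutils and that $JAVA_HOME
# is the JRE identified in steps J/K, so cacerts is under lib/security.

# SHA-256 fingerprint (uppercase hex, no colons) of a Base-64 X.509 (.CER) file.
cert_fingerprint() {
    # Drop the BEGIN/END lines and the CRs a Windows export leaves behind,
    # decode the Base-64 body to DER, and hash the DER bytes.
    grep -v -- '-----' "$1" | tr -d '\r\n ' | base64 -d | sha256sum \
        | cut -d' ' -f1 | tr 'a-f' 'A-F'
}

# Normalise a published fingerprint: strip colons and spaces, uppercase.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \r\n' | tr 'a-f' 'A-F'
}

# Succeeds only when the file's fingerprint equals the expected one.
# A file that fails to decode simply hashes to a value that will not match.
fingerprint_matches() {   # usage: fingerprint_matches cert.cer EXPECTED_FP
    [ -s "$1" ] || return 2          # missing or empty file
    actual=$(cert_fingerprint "$1")
    [ -n "$actual" ] && [ "$actual" = "$(normalize_fp "$2")" ]
}

# Verify the certificate, back up cacerts, import, then confirm the alias.
trust_ca() {   # usage: trust_ca cert.cer EXPECTED_FP ALIAS
    keystore="$JAVA_HOME/lib/security/cacerts"
    keytool="$JAVA_HOME/bin/keytool"
    if ! fingerprint_matches "$1" "$2"; then
        echo "fingerprint mismatch or unreadable file: not importing $1" >&2
        return 1
    fi
    cp -p "$keystore" "$keystore.bak" || return 1   # keep a rollback copy
    # Same import as step M; keytool prompts for the keystore password.
    "$keytool" -import -trustcacerts -alias "$3" -file "$1" \
        -keystore "$keystore" || return 1
    # Show the entry that was just added so the alias can be checked.
    "$keytool" -list -alias "$3" -keystore "$keystore"
}

# Run only when called with: cert.cer EXPECTED_FP ALIAS
if [ "$#" -eq 3 ]; then
    trust_ca "$@"
fi
```

If the import has to be undone, restoring cacerts.bak over cacerts returns the JRE to its previous trust list.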