Problem: ArcGIS resources are inaccessible through HTTPS when the Web Adaptor is deployed on WebSphere
In ArcGIS 10.6.1, resources are inaccessible through HTTPS when the Web Adaptor is deployed on WebSphere. This can manifest itself in the following ways:
- When configuring ArcGIS Server with the Java Web Adaptor, the user interface displays the error message, "Unable to register the ArcGIS Server with the Web Adaptor. Please make sure that the server machine is running and that the account specified has administrative privileges to the site."
- When configuring Portal for ArcGIS with the Java Web Adaptor, the user interface displays the error message, "Unable to configure Portal with the Web Adaptor. Please make sure that the Portal machine is running and that the account specified has administrative privileges to the Portal."
- The error in the WebSphere application server logs is “Unable to get token for user <username>, Error in admin request for get machines Received fatal alert: handshake_failure.”
Starting at ArcGIS 10.6.1, the TLSv1 protocol is disabled by default for both Portal for ArcGIS and ArcGIS Server for Payment Card Industry (PCI) compliance. By default, WebSphere uses SSL_TLS as the SSL handshake protocol, which enables only SSLv3 and TLSv1. TLSv1 is therefore the newest version WebSphere offers, ArcGIS no longer accepts it, and HTTPS connections from the Web Adaptor to ArcGIS Server and Portal for ArcGIS are terminated during the handshake.
Note: Starting with ArcGIS Web Adaptor for Java 10.3, SSLv3 is no longer supported to prevent the POODLE vulnerability.
Solution or Workaround
To use HTTPS with the ArcGIS Web Adaptor on WebSphere, update the WebSphere configuration to use SSL_TLSv2 as the SSL handshake protocol, which enables SSLv3, TLSv1, TLSv1.1, and TLSv1.2.
Follow the instructions below.
- Log in to the WebSphere Application Server Integrated Solutions Console.
- Click Security > SSL certificate and key management, and under Related Items, click SSL configurations.
- Click NodeDefaultSSLSettings (default).
- Under Additional Properties, click Quality of protection (QoP) settings. QoP settings define the strength of the SSL encryption, the integrity of the signer, and the authenticity of the certificate.
- For the SSL handshake protocol, select SSL_TLSv2.
- Click OK and save directly to the master configuration.
In addition, the WebSphere Java Virtual Machine must be started with the TLSv1.1 and TLSv1.2 protocols enabled. To do this, follow the steps below.
In the WebSphere Administrative console:
- Click Servers > Server Types > WebSphere application servers, and click server1 to open it.
- Under Server Infrastructure, click Java and Process Management > Process definition.
- Under Additional Properties, click Java Virtual Machine.
- In the Generic JVM arguments text box, enter -Dhttps.protocols=TLSv1.1,TLSv1.2
- Click Apply, OK, and save directly to the master configuration.
- Restart the application server.
Note: The above solution is for the Java Web Adaptor working with WebSphere 9. Review the WebSphere documentation for further details on configuring security to meet organization-level requirements.
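To confirm the protocol mismatch before changing WebSphere, the following added example (not part of the original article or of Esri or IBM tooling) probes which TLS versions an ArcGIS Server or Portal for ArcGIS endpoint accepts. The host argument, the default port 6443, and all function names are assumptions made for illustration.

```python
import socket
import ssl
import sys

# SSLv3 is omitted: current OpenSSL builds cannot offer it.
VERSIONS = {"TLSv1": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1,
            "TLSv1.2": ssl.TLSVersion.TLSv1_2}

def pinned_context(name):
    """Client context that offers exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # version probe only
    if name != "TLSv1.2":
        # OpenSSL 3 blocks TLS 1.0/1.1 locally above security level 0, which
        # would otherwise be misread as a rejection by the server.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    ctx.minimum_version = VERSIONS[name]
    ctx.maximum_version = VERSIONS[name]
    return ctx

def probe(host, port, timeout=5.0):
    """Return {version: 'accepted' | 'rejected' | 'unreachable'}."""
    results = {}
    for name in VERSIONS:
        try:
            raw = socket.create_connection((host, port), timeout=timeout)
        except OSError:
            results[name] = "unreachable"
            continue
        try:
            with pinned_context(name).wrap_socket(raw, server_hostname=host) as tls:
                results[name] = "accepted" if tls.version() == name else "rejected"
        except OSError:  # includes ssl.SSLError, e.g. a handshake_failure alert
            results[name] = "rejected"
        finally:
            raw.close()
    return results

def websphere_default_fails(results):
    """True when TLSv1, the newest version WebSphere's default SSL_TLS
    setting offers, is refused while a newer version is accepted."""
    newer_ok = any(results.get(v) == "accepted" for v in ("TLSv1.1", "TLSv1.2"))
    return results.get("TLSv1") == "rejected" and newer_ok

if __name__ == "__main__":
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 6443  # assumed HTTPS port
    found = probe(sys.argv[1], port)
    print(found, "-> SSL_TLSv2 change needed:", websphere_default_fails(found))
```

Run it from the WebSphere host so that name resolution and firewall rules match what the Web Adaptor sees.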