From ArcGIS for Server 10.3 Security Technical Implementation Guide
Part of SRG-APP-000179
Associated with: CCI-000068 CCI-000803 CCI-001184 CCI-001188
Unapproved mechanisms that are used for authentication to the cryptographic module are not verified, and therefore cannot be relied upon to provide confidentiality or integrity and DoD data may be compromised.
Review the ArcGIS for Server configuration to ensure the application uses mechanisms that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. Substitute the target environment’s values for [bracketed] variables.
Navigate to [https://server.domain.com/arcgis]admin/system/handlers/rest/servicesdirectory (logon when prompted.)
Browse to “machines” >> [machine name] >> Click “edit”.
Verify that the name of the SSL certificate listed in the box for “Web server SSL Certificate” is not set to “SelfSignedCertificate”.
If the name of the SSL certificate listed in the box for “Web server SSL Certificate” is set to “SelfSignedCertificate”, this is a finding.
Browse to “security” >> “config”.
Verify “Protocol” parameter is not set to “HTTP Only”.
If the “Protocol” parameter is set to “HTTP Only”, this is a finding.
On the local system where the GIS Server is installed, open the “[C:\Program Files\]ArcGIS\Server\framework\runtime\tomcat\conf\server.xml” file.
Search for the parameter “ciphers=”.
Verify the property of the “ciphers=” parameter is set DoD-approved cipher suite value(s). A list of all possible values is located here: http://www.openssl.org/docs/apps/ciphers.html#CIPHER_SUITE_NAMES. An example of a valid configuration is provided below:
Configure the ArcGIS Server to use DoD-approved encryption certificates. Substitute the target environment’s values for [bracketed] variables.
Using the Primary Site Administrator account, log on to the ArcGIS Server Administrator Directory at https://[server.domain.com]:6443/arcgis/admin.
Navigate to machines >> [machine name] >> sslcertificates. Click "importRootOrIntermediate", then import a DoD-approved/provided root certificate file.
Click "importRootOrIntermediate", then import a DoD-approved/provided intermediate certificate file (if applicable.)
Click "importExistingServerCertificate", then import the SSL server certificate (public key) and private key pair.
In the "Certificate password" field, enter the password to unlock the file containing the SSL certificate.
In the "Alias" field, enter a unique name that easily identifies the certificate.
Click "Browse" to choose the .p12 or .pfx file that contains the SSL certificate and its private key.
Click "Import" to import the SSL certificate.
Browse to machines >> [machine name]. Click "edit".
Enter the alias of the SSL certificate (public/private key pair) that was chosen above in the box for "Web server SSL Certificate". Click "Save Edits" to apply the change.
Browse to security >> config >> update. Update the Protocol parameter to "HTTPS Only".
On the ArcGIS Server, open the "[C:\Program Files\]ArcGIS\Server\framework\runtime\tomcat\conf\server.xml" file.
Search the string
Lavender hyperlinks in small type off to the right (of CSS
class id
, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle
or
Accept: application/rdf+xml
.
Powered by sagemincer