LAN protected by a Firewall. ArcGIS Server. Web Server. GIS Server. Reverse Proxy. Data

Transcription

1 Implementing Security for ArcGIS Server Java Solutions Shreyas Shinde

2 Introductions Who are we? Developers for ArcGIS Server Java Who are you? ArcGIS Server developers p developers GIS Administrators for ArcGIS Server IT/System Architects

3 Agenda 9.3 Security y model Introduction Configuration Use Extending g & advanced configurations g File LDAP over SSL Securing your site Using reverse proxies Tips & troubleshooting

4 A Secure ArcGIS Server Site DMZ LAN protected by a Firewall ArcGIS Server Local Connection Local Users Server Mobile Device Internet Connection Users Manager GIS Server Internet (HTTP) Application SOM Reverse Proxy SOC SOC ArcCatalog Desktop Clients (ArcGIS Explorer, ArcGIS Desktop, ArcGIS Engine) Data ArcGIS Desktop Content Author

5 Introduction Securing g your y GIS services and applications pp Java EE (provided by application servers) ArcGIS managed (introduced at 9.3) Java EE security UI driven through g Manager g No more opening/editing contents of WAR file ArcGIS managed UI driven through Manager Role based access control Works seamlessly with JavaScript /Flex clients

6 Terms and Concepts Principal (User) Individual consuming published functionality Role Group of individuals with some privilege Permission Privilege P i il to t access certain t i resource Authentication Validating credentials of the individual and establishing identity Authorization Evaluating privileges of an individual based on permission

7 ArcGIS Managed Security - Components User and Role ((Principal p )) Data store of user and role information (example: username, password, roles, etc) APIs to access this information Permission (engine) Data store of permissions assigned to a role APIs to access this information ArcGIS Token service that issues a token

8 ArcGIS Managed Security for GIS s Access is role based Permissions are assigned to roles Authorization based on the roles a user plays Requires tokens A token needs to be appended pp to the URL when accessing ga secured GIS Tokens are acquired from a ArcGIS Token by providing username and password Desktop clients and Mapping Application (built using Manager) can automatically fetch tokens and use them Administration through Manager

9 Managing User and Roles for ArcGIS Security Administrator can configure g the storage g of user and roles using ArcGIS Manager Manage user and role information ArcGIS Server Manager User/Role Token Handler SOM GIS service Permission ArcGIS Server

10 Demo Configure g store Manage users and roles

11 User and Role Out of the box ROLE USER R/W = read & write R = read only Default Apache Derby (R/W) STORAGE Default External DB Apache LDAP (R) (R/W) Derby (R/W) MS-Active MSDirectory (R) STORAGE Allowed X X X X Allowed X X LDAP (R) All Allowed d All Allowed d All Allowed d X MS-Active MSDi Directory t (R) Allowed Allowed X Allowed External DB (R/W) Also see the section: Extending and Customization

12 ArcGIS Token A service that g grants tokens (part (p of ArcGIS Managed security) Authenticates the user requesting a token Connected to the user store Configured through Manager Should be deployed on a SSL port gettoken.html page UI for fetching tokens for JavaScript/Flex developers

13 ArcGIS Managed Security for GIS s Internals applications pp wants to consume a secured GIS service (https) Application ArcGIS Server Manager User/Role Token Handler SOM GIS service Permission ArcGIS Server

14 ArcGIS Managed Security for GIS s Internals application pp makes a request to the URL of the service (without a token) (https) Application ArcGIS Server Manager User/Role Token Handler SOM GIS service Permission ArcGIS Server

15 ArcGIS Managed Security for GIS s Internals service handler returns a token required error but Application provides the URL of the Token ArcGIS Server Manager User/Role (https) Token URL Handler SOM GIS service Permission ArcGIS Server

16 ArcGIS Managed Security for GIS s Internals application pp requests q a token by providing user credentials (https) Application ArcGIS Server Manager User/Role Token Handler SOM GIS service Permission ArcGIS Server

17 ArcGIS Managed Security for GIS s Internals Token authenticates the user credentials Application ArcGIS Server Manager User/Role (https) Token Handler SOM GIS service Permission ArcGIS Server

18 ArcGIS Managed Security for GIS s Internals If user is authenticated,, token is issued (https) Application ArcGIS Server Manager User/Role Token Handler SOM GIS service Permission ArcGIS Server

19 ArcGIS Managed Security for GIS s Internals application pp connects to the URL of the GIS service with a token (https) Application ArcGIS Server Manager User/Role Token Handler SOM GIS service Permission ArcGIS Server

20 ArcGIS Managed Security for GIS s Internals service handler validates the token & looks up the roles for the user (https) Application ArcGIS Server Manager User/Role Token Handler SOM GIS service Permission ArcGIS Server

21 ArcGIS Managed Security for GIS s Internals service handler p passes roles for the user to the Application permission store for authorization ArcGIS Server Manager User/Role (https) Token Handler SOM GIS service Permission ArcGIS Server

22 ArcGIS Managed Security for GIS s Internals Permission store engine g will authorize the request (https) Application ArcGIS Server Manager User/Role Token Handler SOM GIS service Permission ArcGIS Server

23 ArcGIS Managed Security for GIS s Internals If authorization is successful, the requested GIS service is returned (https) Application ArcGIS Server Manager User/Role Token Handler SOM GIS service Permission ArcGIS Server

24 ArcGIS Managed Security for GIS s Internals application pp can then connect/consume the GIS service (https) Application ArcGIS Server Manager User/Role Token Handler SOM GIS service Permission ArcGIS Server

25 Demo Assigning g g permissions p

26 Demo through application Consuming g secured services through ArcCatalog

27 JavaScript Applications Consuming Secured s JavaScript p embeds a token instead of user credentials Simple workflow for the developer Build your application Fetch a token from ArcGIS Token Append the token to the URL var map = new esri.map( mymap ); var layer = new esri.layers.arcgisdynamicmaplayer( i l i i ( h // hi 83 99/arcgis/rest/services/usa/MapServer?token=ksdfsfsirteueim lskdmcwkck ); map.addlayer(layer);

28 Demo JavaScript p application pp consuming g a secured service

29 ArcGIS Managed Security for Applications Application pp can be secured using g ArcGIS Manager g application creator set the permissions User and role store can be configured using ArcGIS Manager application is secured using login control The login g web page p g can be customized

30 Demo Securing the web application Secure web application login

31 Extending and Customization Out of the box support pp for: Relational Databases LDAP Active Directory You can write custom membership providers if: None of the above schemes meet your storage needs Have data in a proprietary format Want to authenticate using other tools You need to implement the Security Java interface provided by ArcGIS

32 Demo File user/role storage g in an XML file

33 User and Role Advanced Configuration Connecting g to LDAP over SSL (ldaps) ( p ) Server side Enable ldaps (usually port 636) on the LDAP server Generate the public & private keys Get the public key signed by a CA Import the signed certificate into the keystore Client side If certificates are self signed import self self--signed certificate of the Server into the JRE s certificate store Restart ArcGIS components (Manager, Handlers etc)

34 SSL Basics Server p proves its identity, y, data transfer is encrypted yp Uses asymmetric key cryptography for handshaking Public and private keys CA signs the public keys, public keys are shared with clients Encrypting data with the public key and then decrypting it is usually an expensive operation (hence the use of fast symmetric keys) Uses symmetric key to encrypt the contents sent over the wire for the duration of the session More efficient way of encrypting instead of using public/private keys

35 SSL Basics The handshake Client Server {Hello} {ACK + Public Key} If client accepts the Server s Public Key {[Symmetric Key] x Public Key} Certificate Key Server uses its private key to decrypt message {[OK] x Symmetric Key} {[Request] x Symmetric Key} {[Response] x Symmetric Key}...

36 Demo Connecting g to LDAP over SSL ApacheDS keytool Java tool to manage cryptographic keys and certificates ArcGIS Manager Troubleshooting tip Use this JVM argument: -Djavax.net.debug Djavax.net.debug= =ssl

37 A Secure ArcGIS Server Site DMZ LAN protected by a Firewall ArcGIS Server Local Connection Local Users Server Mobile Device Internet Connection Users Manager GIS Server Internet (HTTP) Application SOM Reverse Proxy SOC SOC ArcCatalog Desktop Clients (ArcGIS Explorer, ArcGIS Desktop, ArcGIS Engine) Data ArcGIS Desktop Content Author

38 Securing Your Site Host application pp servers within the firewall protected p LAN Use a reverse proxy server to expose functionality to the Internet Hides app server Client is not aware of the internal server specifics Can do SSL instead of app server No SSL between reverse proxy and app server Load balancing Can toggle requests between multiple app servers Caching, C hi etc. t

39 Demo Setting g up p a reverse proxy p y server using g Apache p Server

40 Reverse Proxy with Apache Download the Apache p server from Following modules are required: mod_proxy mod_proxy_http mod proxy http mod_headers mod_deflate mod_proxy_html d ht l (available ( il bl att htt // h bthi ) KB:

41 Reverse Proxy with Apache Cont d Make builds $./configure enableenable-so enableenable-mods mods--shared= proxy proxy_http proxy_connect headers deflate prefix=/usr prefix=/usr/local/apache2 /local/apache2 $make $make install $apxs c I/usr I/usr/include/libxml2 /include/libxml2 i mod_proxy_html.c Load the modules into Apache httpd.conf LoadModule proxy_module proxy module modules/mod_proxy.so modules/mod proxy.so LoadModule proxy_http modules/mod_proxy_http.so LoadFile /usr usr/lib/libxml2.so /lib/libxml2.so LoadModule proxy_html_module proxy html module modules/mod_proxy_html.so modules/mod proxy html so

42 Reverse Proxy with Apache Cont d ProxyPass y & ProxyPassReverse y directives httpd.conf p ProxyPass /arcgis/services arcgis/services ProxyPassReverse /arcgis/services arcgis/services ProxyPass /arcgis/rest arcgis/rest ProxyPassReverse /arcgis/rest arcgis/rest ProxyPass /arcgis/tokens arcgis/tokens ProxyPassReverse /arcgis/tokens arcgis/tokens References with an HTML page returned by the server will be rere-written by the mod_html module Unfortunately, U f t t l it does d nott rere-write it XML/WSDLs XML/WSDL

43 Tips & Troubleshooting User/Role store LDAP, Active Directory are treated as readread-only stores. Cannot use ArcGIS Manager to edit information in them When connecting to a database, database add the JDBC driver (JAR file) into //arcgis arcgis/java/manager/ /java/manager/config config/security/lib /security/lib directory Token T k S i Should run on an SSL port (install certificates in components that need to communicate with the service) Windows Vista has IPv6 enabled by default use the correct IP version when requesting tokens (IPv4 vs IPv6) Set the token expiration time to something appropriate balance between security & performance the shared key securely

44 Tips & Troubleshooting Consuming g secured GIS services ArcGIS Manager & Desktop will warn when the token service is not running on SSL port Only tokens issued by ArcGIS Token are considered to be valid tokens cannot use tokens from other entities When Wh using i a reverse proxy JavaScript /Flex developers should not use the IP address mechanism to lock their tokens (the client IP is not visible to the server) use HTTP referrer/url method WSDL exposed by a service has reference to the internal server s URL need to use an XML rere-writer in the reverse proxy, ability will be provided at post 9.3.1

45 Tips & Troubleshooting Cont d Enabling/Disabling g g security y for GIS s s will be locked down by default when security is enabled access based on permissions Disabling security is multiple steps read documentation

46 Q&A Tech Talk Area: Mesquite q A

47 Conclusion Secure y your GIS services and applications pp using g ArcGIS managed or JavaEE security Seamlessly consume secured services in JavaScript/Flex application using tokens Think about all the aspects of security for your site. Don t make it an afterthought

48 Resources 9.3 Security y Model Documentation htm esri com/help/9 3/arcgisserver/apis/flex/help/ind ex.html#whats_new.htm Flex API Setting up SSL for ApacheDS to--enable enable-ssl.html Sun s keytool keytool y tool to manage g keys y and certificates Reverse proxy using Apache htt // h t t / d i / i

49 Want to Learn More? ESRI Training and Education Resources Instructor Instructor--Led Training Developing Applications with ArcGIS Server Using the Java Platform Free F W b Training T i i Seminars S i Building Applications with ArcGIS Server Using the Java Platform Implementing Security for ArcGIS Server 9.3 Java Solutions