Configuration (Security)

URL:: https://<root>/security/config
Methods:: GET
Operations:: Update, Test Identity Store, Update Identity Store
Required Capability:: Access allowed with the "Security and infrastructure" privilege
Version Introduced:: 10.9

Description

The config resource returns the currently active security configuration for your ArcGIS Enterprise on Kubernetes deployment.

Request parameters

Parameter	Details
`f`	The response format. The default format is `html`. Values: `html` \| `json` \| `pjson`

Security configuration properties

Parameter	Details
`serverRole`	The role assigned to the federated server.
`userStoreConfig`	Connection information about the currently active user store.
`roleStoreConfig`	Connection information about the currently active role store.
`tokenServiceKey`	The key used to encrypt tokens.
`enableAutomaticAccountCreation`	A Boolean that indicates whether new organization accounts will automatically be created when enterprise users access your Enterprise portal for the first time (`true`), or whether accounts will be manually created. The default value is `false`. Values: `true` \| `false`
`securityEnabled`	A Boolean that indicates whether security is enabled for any GIS service. The default value is `true`. Values: `true` \| `false`
`disableServicesDirectory`	A Boolean that indicates whether access to the services directory will be disabled. The default value is `false`. Values: `true` \| `false`
`allowedProxyHosts`	This property restricts what hosts Enterprise portal can access directly. This restriction applies to several scenarios, including when the Enterprise portal accesses resources from a server that does not support Cross-Origin Resource Sharing (CORS) or when saving credentials used to access a secure service. By default, this property is not defined and no restrictions are applied. Use the format (.).example.com to allow access to all machines within a specified domain. Domains must be comma-separated. Example Use dark colors for code blocksCopy `1 "allowedProxyHosts": "gisserver1.example.com, gisserver2.example.com, (.).example.com"`
`allowInternetCORSAccess`	Introduced at 10.9.1. A Boolean that controls the value of the Access-Control-Allow-Private-Network response header in a CORS preflight request to a portal service URL. This property was added to support the Private Network Access web specification (CORS-RFC1918) that aims to protect sites accessed over a private network from being able to make internal CORS requests. The default value is `true`. Values: `true` \| `false`
`contentSecurityPolicy`	Introduced at 11.4. The `contentSecurityPolicy` property defines the Content-Security-Policy (CSP) response headers that are included when accessing different components of ArcGIS Enterprise. At 11.4, the CSP response headers were added for the organization's portal website or any of its associated applications. These are defined by the `home` and `apps` properties, respectively. At 11.5, support has been added for new CSP response headers that are defined by the `sharing` and `rest` properties. The response header defined by the `sharing` property is applied to each HTML page in the Portal Directory, while the response header defined by the `rest` property is applied to each HTML page in the Services Directory. The default value for `home` is `frame-ancestors 'self';`, which prevents the portal website from being loaded inside a frame. The default value for both `sharing` and `rest` is `script-src 'self';`, which prevents the JavaScript used in XSS attacks from running. The CSP for the portal website its applications, the CSP for the Portal Directory, and the CSP for the Services Directory are defined separately. Note The values for each CSP response header can be one or more of the CSP directives based on the CSP specifications. For more information on CSP syntax and directives, reference the Content-Security-Policy documentation maintained by MDN Web Docs. Use dark colors for code blocksCopy `1 2 3 4 5 6 7 "contentSecurityPolicy": { "home": "frame-ancestors 'self';", "apps": "frame-ancestors 'self' sample.example.com;", "sharing": "script-src 'self';", "rest": "script-src 'self';" }`

Portal properties

Parameter	Details
`webgisServerTrustKey`	A key automatically generated during site creation. This property should not be modified.
`portalSecretKey`	The key obtained after federating an ArcGIS Server to an organization.
`privatePortalUrl`	The internal service URL used to access the Portal sharing container.
`portalURL`	The organization URL.
`serverURL`	The external URL of the server federated with the organization.
`portalMode`	Must be set as `ARCGIS_PORTAL_FEDERATION`.
`serverId`	The ID of the server that is federated with the organization.

Forward proxy config

Parameter	Details
`httpProxyHost`	The forward proxy host name for http requests.
`httpsProxyHost`	The forward proxy host name for https requests.
`httpProxyPort`	The forward proxy port number for http requests.
`httpsProxyPort`	The forward proxy port number for https requests.
`httpProxyUser`	The forward proxy user name for http requests when authentication is required.
`httpsProxyUser`	The forward proxy user name for https requests when authentication is required.
`httpProxyPassword`	The forward proxy password for http requests when authentication is required.
`httpsProxyPassword`	The forward proxy password for https requests when authentication is required.
`nonProxyHosts`	A list of host names separated by `\|` that can be accessed directly and do not require the use of the proxy. Wildcards can be used for an entire domain (`*.example.com`).
`isHttpProxyPasswordEncrypted`	A Boolean that indicates whether the http proxy password is encrypted. When adding or updating the password, this property should be changed to `false`. Once saved, the password becomes encrypted and this value will be changed to `true` automatically. Values: `true` \| `false`
`isHttpProxyPasswordEncrypted`	A Boolean that indicates whether the https proxy password is encrypted. When adding or updating the password, this should be changed to `false`. Once saved, the password becomes encrypted and this value will be changed to `true` automatically. Values: `true` \| `false`

Example usage

The following is a sample request URL used to access the config resource:

Use dark colors for code blocksCopy
https://organization.example.com/<context>/admin/security/config?f=pjson

JSON Response example

Use dark colors for code blocksCopy
{
  "serverRole": "HOSTING_SERVER",
  "userStoreConfig": {
    "type": "PORTAL",
    "properties": {}
  },
  "roleStoreConfig": {
    "type": "PORTAL",
    "properties": {}
  },
  "tokenServiceKey": "AIT8Nvh7J7AHWAld1RZe9/n393gLeAeq4HvTkaN5SoM=",
  "enableAutomaticAccountCreation": false,
  "allowInternetCORSAccess": true,
  "securityEnabled": true,
  "disableServicesDirectory": false,
  "contentSecurityPolicy": {
    "home": "frame-ancestors 'self';",
    "apps": "frame-ancestors 'self' sample.example.com;"
  },
  "portalProperties": {
    "webgisServerTrustKey": "PluSR7m7CyWo3JfOZrL2qkRAy4tvO+VNzEgKfK5gWS4=",
    "portalSecretKey": "73ccba361df243ddbfd8b697e148dc4a",
    "privatePortalUrl": "https://privateportal.example.local:8443/arcgis/",
    "portalUrl": "https://reverseproxy.example.com/arcgis/",
    "serverUrl": "https://reverseproxy.example.com/gis/",
    "includeOrgIdWIthUsername": false,
    "portalMode": "ARCGIS_PORTAL_FEDERATION",
    "serverId": "T4QEbIXt66r0p5bW"
  },
  "forwardProxyConfig": {
    "httpProxyHost": "proxy.example.com",
    "httpsProxyHost": "proxy.example.com",
    "httpProxyPort": 8888,
    "httpsProxyPort": 8888,
    "httpProxyUser": "username",
    "httpProxyPassword": "password",
    "httpsProxyUser": "username",
    "httpsProxyPassword": "password",
    "nonProxyHosts": "enterprise.example.com|server.example.com",
    "isHttpProxyPasswordEncrypted": false,
    "isHttpsProxyPasswordEncrypted": false
  }
}