Update Security Configuration

URL:
https://<root>/security/config/update
Methods:
POST
Required Capability:
Access allowed with either the "Security and Infrastructure" or "Servers" privileges
Version Introduced:
10.1

Description

The update operation updates the security configuration, including TLS protocols and cipher suites, for your ArcGIS Server site.

This operation causes the SOAP and REST service endpoints to be redeployed (with the new configuration) on every server machine in the site. If the authentication tier is GIS_SERVER, the ArcGIS token service is started on all server machines.

When the authentication occurs at the Web Adaptor, the server does not participate in authenticating the user.

If you updated the communication protocol as part of this operation, it takes the ArcGIS Web Adaptor 1 minute to recognize changes to the communication protocol of your site. If you want the ArcGIS Web Adaptor to immediately recognize the changes, you can reconfigure it by following the instructions in Configure ArcGIS Web Adaptor after installation.

Request parameters

ParameterDetails

Protocol

Specifies the HTTP protocol to be used for communication to and from the ArcGIS Server site. If set to HTTP, all communication to and from the site will be over HTTP, with HTTPS communication will be unavailable. If set to HTTP_AND_HTTPS, users and clients can use either HTTP or HTTPS to connect to the site. If set to HTTPS, all communication to and from the site will be over HTTPS. Calls made using HTTP will be redirected to use HTTPS.

When an ArcGIS Server site is created, all communication to and from the site is sent over HTTP, which is not secure. This means that your credentials sent over an internal network or the Internet are not encrypted and can be intercepted. To prevent the interception of communication, it's recommended that you configure ArcGIS Server and ArcGIS Server Manager (if installed) to enforce Secure Sockets Layer (SSL). When you create a site, a warning-level message in the logs recommends that you update the communication protocol of the site to use SSL.

Values: HTTP | HTTP_AND_HTTPS | HTTPS

httpsProtocols

The TLS protocols ArcGIS Server will use. TLSv1.2 and TLSv1.3 (support for TLSv1.3 was added at 10.9) is enabled by default. You can also enable TLSv1 and TLSv1.1. Values must be separated by commas.

Example
Use dark colors for code blocksCopy
1
httpsProtocols=TLSv1.2,TLSv1.3

cipherSuites

The cipher suites ArcGIS Server will use. The Valid cipher suites section below outlines the ciphers enabled by default, as well as valid ciphers that can be enabled.

Example
Use dark colors for code blocksCopy
1
cipherSuites=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

HSTSEnabled

A Boolean that indicates whether HTTP Strict Transport Security (HSTS) is being used by the site. To enable this property, the Protocol property must be set to HTTPS.

Values: true | false

virtualDirsSecurityEnabled

A Boolean that indicates whether the server's virtual directories are secure and require authentication. When this property is set to true, accessing the content of secured services in the arcgisoutput, arcgisjobs, and arcgisinput directories over HTTP will require user authentication. These same permissions are applied to the server directories associated with the service. If the service is publicly available, the directories are also publicly available. The default value is false.

Values: true | false

allowInternetCORSAccess

Introduced at 10.9.1. A Boolean that controls the value of the Access-Control-Allow-Private-Network response header in a CORS preflight request to a REST service URL. This property supports the Private Network Access web specification (previously CORS-RFC1918), which aims to restrict websites accessed over a private network from making internal cross-origin requests.

Values: true | false

authenticationTier

Specifies the tier at which requests to access GIS services will be authenticated. It is recommended that you do not modify these values using the Administrator Directory. Instead, use ArcGIS Server Manager to configure web tier authentication or use the Enterprise portal to federate an ArcGIS Server with your organization.

Values: WEB_ADAPTOR | GIS_SERVER | ARCGIS_PORTAL

allowDirectAccess

A Boolean that indicates whether a user with administrator privileges can access the server through port 6080. If true, all users with administrative access can access the Administrator Directory and ArcGIS Server Manager through port 6080. If false, users in the identity store cannot access the server through port 6080; users must access the site through ArcGIS Web Adaptor. The default value is true.

Before disabling administrative access on port 6080, ArcGIS Server must be configured to use web tier authentication (WEB_ADAPTOR) and at least one user in the identity store must have administrator privileges to the site. The primary site administrator account can administer the site through port 6080.

To fully disable access on port 6080, you can optionally disable the primary site administrator account. If ArcGIS Server Manager becomes unavailable or the web server cannot authenticate users who have administrator privileges, you cannot administer the site. To recover this site, re-enable the primary site administrator account and connect to the site through port 6080 with this account.

Values: true | false

portalProperties

The properties used when federating ArcGIS Server with Portal for ArcGIS. See Portal properties for more information.

allowedAdminAccessIPs

A comma separated list of client machine IP addresses that are allowed access to ArcGIS Server. This can be used as an additional security measure to prevent unauthorized access to the site.

f

The response format. The default response format is html.

Values: html | json | pjson

Portal properties

PropertyDetails

portalMode

The portal mode. This must be ARCGIS_PORTAL_FEDERATION.

Example
Use dark colors for code blocksCopy
1
"portalMode": "ARCGIS_PORTAL_FEDERATION"

portalSecretKey

The key obtained after federating ArcGIS Server with Portal for ArcGIS.

Example
Use dark colors for code blocksCopy
1
"portalSecretKey": "12a34b56c78d90ef09e87d65c43b21a"

portalUrl

The URL of Portal for ArcGIS in the following format:

Example
Use dark colors for code blocksCopy
1
"portalUrl": "https://machine.domain.com/webadaptor"

privatePortalUrl

The internal URL of Portal for ArcGIS is in the following format:

Example
Use dark colors for code blocksCopy
1
"privatePortalUrl": "https://machine.domain.com:7443/arcgis"

serverId

The ID of the server federated with the portal.

Example
Use dark colors for code blocksCopy
1
"serverId": "pn04lWxDPEh1vLR6"

serverURL

The external URL of the server federated with the portal in the following format:

Example
Use dark colors for code blocksCopy
1
"serverUrl": "https://machine.domain.com/webadaptor"

Valid cipher suites

The following cipher suites are enabled by default:

Use dark colors for code blocksCopy
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_256_GCM_SHA384,
TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_AES_256_GCM_SHA384,
TLS_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

The following cipher suites are not enabled by default, but are valid and can be added using this operation:

Use dark colors for code blocksCopy
1
2
3
4
5
6
7
8
9
10
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA

Example usage

The following is a sample POST request for the update operation:

Use dark colors for code blocksCopy
1
2
3
4
5
6
POST /webadaptor/admin/security/config/update HTTP/1.1
Host: machine.domain.com
Content-Type: application/x-www-form-urlencoded
Content-Length: []

Protocol=HTTPS&httpsProtocols=TLSv1.2,TLSv1.3&cipherSuites=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256&HSTSEnabled=false&virtualDirsSecurityEnabled=false&allowInternetCORSAccess=true&authenticationTier=GIS_SERVER&allowDirectAccess=true&allowedAdminAccessIPs=&f=pjson

JSON Response example

Use dark colors for code blocksCopy
1
{"status": "success"}

Your browser is no longer supported. Please upgrade your browser for the best experience. See our browser deprecation post for more details.