Certificate Authentication
Certificate authentication issues can occur when running 1Integrate for ArcGIS on a secure network.
Secure HTTPS communication requires two certificates that represent:
- A private key (on the server)
- A public key (for the client components)
In order to allow for secure communication between the 1Integrate for ArcGIS components, the public and private keys need to be available to the services.
For secure deployment, a private key is associated with a specific domain (e.g. www.mycompany.com) and is signed by a recognised certificate authority who confirms that the owners of the domain are who they say they are.
1Integrate for ArcGIS is shipped with some self-signed certificates which allow the product to be used immediately (but which should not be considered truly secure because the private key is not really private and is associated with the generic localhost domain).
We recommend you generate your own certificate and key files and replace those provided with 1Integrate for ArcGIS.
Generating and replacing secure certificates and private keys
- Generate secure certificates for use on your server, and use certificate authentication to export a .crt certificate and .pkcs8 private key file.
- Rename the generated certificate and key files to server.crt and server.pkcs8.
- Replace the placeholder files in the Rules Engine, Metadata Service and Rules Author folders within: C:\Program Files\1Spatial\RulesEngineService\ssl.
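One way to carry out the generation step above with OpenSSL, including a check that the certificate matches the key before the files are copied into place. This is an added example, not 1Spatial's own procedure; it assumes openssl.exe (1.1.1 or later) is on PATH, that the services accept an unencrypted PEM PKCS#8 key, and it uses gis.example.com as a placeholder host name.

```powershell
# Added example. Assumptions: openssl.exe (1.1.1 or later) is on PATH, the services
# accept an unencrypted PEM PKCS#8 key, and gis.example.com is a placeholder host name.
# Run it from an empty working folder that only administrators can read.
$hostName = 'gis.example.com'

function Assert-Ok($step) {
    # Native tools signal failure through the exit code, not a PowerShell exception.
    if ($LASTEXITCODE -ne 0) { throw "$step failed (exit code $LASTEXITCODE)" }
}

if (-not (Test-Path server.pkcs8)) {
    # New RSA key plus a CSR that names the host in both CN and subjectAltName.
    openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr `
        -subj "/CN=$hostName" -addext "subjectAltName=DNS:$hostName"
    Assert-Ok 'Key and CSR generation'

    # Write the key as unencrypted PKCS#8 under the file name the procedure expects.
    openssl pkcs8 -topk8 -nocrypt -in server.key -out server.pkcs8
    Assert-Ok 'PKCS#8 conversion'
    Remove-Item server.key
    Write-Host 'Submit server.csr to your CA and save the signed certificate as server.crt'
}

if (Test-Path server.crt) {
    # The certificate and key belong together only if their public keys are identical.
    $certPub = (openssl x509 -in server.crt -noout -pubkey) -join "`n"
    Assert-Ok 'Reading the certificate'
    $keyPub = (openssl pkey -in server.pkcs8 -pubout) -join "`n"
    Assert-Ok 'Reading the private key'
    if ($certPub -ne $keyPub) { throw 'server.crt does not match server.pkcs8' }

    # Show subject, issuer and expiry so a localhost or self-signed file is spotted
    # before it replaces the shipped placeholders.
    openssl x509 -in server.crt -noout -subject -issuer -enddate
    Assert-Ok 'Certificate inspection'
    Write-Host 'Certificate and key match.'
}
```

Run it once to create the key and CSR, then again after the CA has returned server.crt.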
Federated and Secured Networks (Server Edition only)
On Federated and Secured networks, certificate authentication issues can result in the following error when trying to fetch rules in ArcGIS Desktop:
“javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated”
To resolve this error, your self-signed certificate must be in .cert format.
Note: There are several methods for converting certificates into the required .cert format. A commonly used tool is OpenSSL.
In order to use the new certificate, it needs to be imported into two Java certificate keystores, one for the ArcMap Add-in (C:\Program Files (x86)\ArcGIS\Desktop10.4\java\jre\lib) and one for the Rule Author interface (JAVA_HOME\jre\lib).
The import can be achieved using the keytool Java command line application that is available in the Java\jre..\bin directory.
Use the keytool command to import certificates (replacing the variables indicated in <angled brackets>):
keytool -import -alias <certificate_alias> -file <name of the certificate which is exported in .cert format> -keystore <JAVA_HOME>/jre/lib/security/cacerts -trustcacerts
Example:
For the ArcMap Add-in, the certificate is imported into the ArcGIS Desktop Java JRE, for example:
keytool -import -alias {certificate_alias} -file {name of the certificate to import} -keystore "C:\Program Files (x86)\ArcGIS\Desktop10.4\java\jre\lib\security\cacerts" -trustcacerts
For the Rule Author interface, the certificate is imported into the 64-bit Java home, for example:
keytool -import -alias {certificate_alias} -file {name of the certificate to import} -keystore "C:\Program Files\Java\jre1.8.0_74\lib\security\cacerts" -trustcacerts