Three machine setup fails - some questions

[ghost]

Hello,

I have (tried to) set up a three machine ArcGIS Enterprise environment using configuration file “BaseDeployment-ThreeMachine-10.6-ssl.json”. The setup was not successful and left me with a bunch of questions:

Is it correct that the PowerShell ArcGIS module is needed on every server that is part of the deployment?

Compiling the configuration raises a “deserializing” error (see PowerShell output). Nevertheless, the installation seemed to proceed correctly. What is this error and is it a critical one?

The federation of server with portal fails (see PowerShell output). Why and what needs to be done?

The portal and server URLs listed in the PowerShell output (see PowerShell output) are missing the domain names “esri-de.com”. Why (since in the single machine deployment they are listed “correctly”)?

Although certificates are provided for both, portal and server (see configuration file), the portal still uses a self-signed certificate (see screenshot of portal certificate configuration). Why and can the portal certificate be configured with PowerShell?

The alias for the server certificate is given as “vsdev2371” in the configuration file. Nevertheless, it is named “vsdev2371.esri-de.com” in the final configuration. What is the purpose of the “Alias” parameter in the configuration file?

Neither portal nor server have a root certificate imported. Can this also be done with PowerShell?

Neither server nor data store can be reached via the “localhost” URL (e. g. for server -> “https://localhost:6443/arcgis/manager”). Why is that?

Attachments:
-> vsdev2370_BaseDeployment-ThreeMachine-10.6-ssl.txt -> Configuration file
-> PowerShell_Install_BaseDeployment_Output.txt -> Complete PowerShell output in -DebugSwitch mode
-> vsdev2370_ssl_certificate.jpg -> Screenshot of portal certificate configuration
-> vsdev2371_ssl_certificate.jpg -> Screenshot of server certificate configuration

Thank you very much for your help and expertise, best regards,
Jürgen

PowerShell_Install_BaseDeployment_Output.txt
vsdev2370_BaseDeployment-ThreeMachine-10.6-ssl.txt

[shailesh91]

Hey Jürgen,

These are my preliminary answers. I will get back to you on question number 5 in detail soon.

1. Is it correct that the PowerShell ArcGIS module is needed on every server that is part of the deployment?
   Answer - Yes PowerShell ArcGIS Module is required on every Server

2. Compiling the configuration raises a “deserializing” error (see PowerShell output). Nevertheless, the installation seemed to proceed correctly. What is this error and is it a critical one?
   Answer - We haven't seen this error before. This is possibly a bug due to an extra space at the start of the ArcGIS_PortalUnregister.Schema.mof . Looks like it doesn't impact your configurations and installations. If we are able to repro this, we will roll out a fix soon.

3. The federation of server with portal fails (see PowerShell output). Why and what needs to be done?
   Answer - Your SSL certificate Aliases are wrong. This causes the wrong endpoint to be hit by the module.

4. The portal and server URLs listed in the PowerShell output (see PowerShell output) are missing the domain names “esri-de.com”. Why (since in the single machine deployment they are listed “correctly”)?
   Answer - Your SSL certificate Aliases are wrong. These endpoints are computed based on these endpoints.

5. Although certificates are provided for both, portal and server (see configuration file), the portal still uses a self-signed certificate (see screenshot of portal certificate configuration). Why and can the portal certificate be configured with PowerShell?
   Answer - Will get back to you with an answer asap with what might be going wrong.

6. The alias for the server certificate is given as “vsdev2371” in the configuration file. Nevertheless, it is named “vsdev2371.esri-de.com” in the final configuration. What is the purpose of the “Alias” parameter in the configuration file?
   Answer - Alias is basically a domain name (CNAME) associated with the certificate. So most probably the alias of the cert must be "vsdev2371.esri-de.com" and the NodeName could either be "vsdev2371" or “vsdev2371.esri-de.com”

7. Neither portal nor server have a root certificate imported. Can this also be done with PowerShell?
   Answer - Yes this can be done in the configuration itself. Please check out the SslRootOrIntermediate under Config Data on the following Link. If you have any questions on how to use this let me know.
   This configuration shows how to use SSL Root Certs - https://github.com/Esri/arcgis-powershell-dsc/blob/master/SampleConfigs/Base%20Deployment/BaseDeployment-ThreeMachine-10.6-ssl-per-Node.json

8. Neither server nor data store can be reached via the “localhost” URL (e. g. for server -> “https://localhost:6443/arcgis/manager”). Why is that?
   Answer - I am not able to follow this question. Can you please elaborate.

Thanks,
Shailesh

[ghost]

Hey Shailesh,

Referring to #8:
Usually, on the machine, where portal or server is installed, one can also reach portal or server with “localhost” in the URL. So, on my machine I have three URL addresses to access portal:

-> https://localhost:7443/arcgis/home
-> https://:7443/arcgis/home
-> https:///portal/home

Regards,
Jürgen

[shailesh91]

Jürgen,

For Question 5, the SSL certificates will be installed on the Web Adaptor endpoint instead of the portal or server when they are on the same machine. Hence, self-signed certificates will be installed on the portal and server. On another, there is a possibility of an issue I am verifying when the self-signed certificates and CA certificates have the same CNAME.
For Question 8, are you sure your portal or server service is running? What is the error you are getting when you try to hit the local endpoint?

Regards,
Shailesh

[ghost]

Hi Shailesh, For question 5: With “…when they are on the same machine.” you mean, when portal or server are on the same machine with (their corresponding) web adaptor? I will wait for your verification of the potential issue. For question 8: Yes, both are running since I can access both via their web adaptor addresses. Nevertheless, I also can access portal directly on the portal server with the localhost address. When I try to access server directly on the server machine with the localhost address I get this error message:  Somehow, the localhost address is redirected to portal. But why? Best regards, Jürgen

[shailesh91]

Jürgen,
It is very hard to say what is going on with your deployment in relation to the redirect to the portal endpoint. I will have to look at the configuration run output and the machines itself to check.
As for point number 5, when portal + WA is on one machine and Server +WA is on one machine. If the certs are specified, they will be installed on WAs of both the machines and not the server or portal.
Thanks,
Shailesh

[ghost]

Shailesh,
I am sorry but I still don't feel comfortable with the explanation.
#5:
Here, the picture is still not clear to me. I provided server certificates for both, portal and server. But, only server uses the provided certificate, portal uses a self-signed certificate (see screenshots). This seems to be inconsistent.
You say, that the provided certificates "will be installed on WAs". How can I check that or where can I see that?
#8:
I assume that this works as designed. Once a server is federated with portal, when you try to access the server it tries to redirect to the portal login page. Since there is no redirection defined for "localhost", the redirect fails. At least, the behavior is identical on all enterprise environments I have access to.

Portal Certificate

Server Certificate

[shailesh91]

Fixed. Closing the issue. Please open again if you have any further issues.