Security Concepts
This section discusses security concepts that are specific to the Geoportal Server. Overarching security concepts for an enterprise system can be found at the Esri Enterprise Resource Center security webpage.
Securing Metadata
An organization may want data to be discoverable to certain groups of people but not to others. Access to metadata records can be configured in the geoportal by implementing a security policy for metadata access. The access policy chosen by the implementing organization determines if and how a publisher can restrict access to his or her metadata. Important: restricting user access to metadata records only restricts who can see the metadata; it does not control access to the actual data or web service resource itself. For more information on securing metadata, see How to Restrict Access to Resources.
Architecture Configurations
Another way to secure your geoportal is to manage access through the system architecture. Three models are briefly described below.
- Public and Internal Geoportal, no public authentication: Two geoportal web applications are deployed and connect to the same database. One geoportal is public-facing and has authentication disabled so that users cannot log in; it therefore provides search functionality but not publishing functions. The other geoportal is internal to the organization and has authentication configured. Its registered users publish and administer the geoportal and the content that is available to the public.
- Public and Internal Geoportal, authentication enabled: Similar to the previous model, except that the public-facing geoportal supports registered users. Publisher and Administrator users access the internal geoportal.
- Public-only Geoportal, authentication enabled: The Geoportal Server Sandbox uses this model. In this case, one public-facing Geoportal is configured with authentication. Anonymous users can search the catalog and register with the geoportal. Registered users can request publishing privileges and when those privileges are granted, publish metadata to the geoportal. All users search among the published and approved metadata.
Considerations for HTTPS Communications
Hypertext Transfer Protocol Secure (HTTPS) is HTTP carried over an encrypted connection, using Secure Sockets Layer (SSL) or Transport Layer Security (TLS). It allows data sharing to take place on the internet in a protected way. The article Setting up SSL provides a good introduction to SSL and considerations for setting it up on your system. Besides general SSL configuration for your organization (see Security Resources for Geoportal System Environment Components), there are no geoportal-specific configurations required, with the exception of full URL references. For example, if you have configured a Map Viewer application to run from your geoportal under HTTPS, then its URL must be specified within gpt.xml with the https prefix.
If you plan to have user login/logout or user/role management functionality (e.g. through LDAP), it is recommended to use HTTPS as the communication protocol to protect the user information.
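A check for the "full URL references" point above: scan a configuration file for URLs that still use plain http:// once the site is served over HTTPS, and upgrade the ones on the geoportal's own host. This is an added example, not Geoportal Server code; the element names in the sample XML are constructed for illustration and do not follow the real gpt.xml schema (the scanner itself is schema-agnostic).

```python
"""Flag plain-http URL references in an XML config served over HTTPS."""
import re
import xml.etree.ElementTree as ET

# Constructed sample (not the real gpt.xml layout): two http:// references
# hide among otherwise correct https:// settings.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<config>
  <site url="https://geoportal.example.org/geoportal"/>
  <mapViewer url="http://geoportal.example.org/geoportal/viewer"/>
  <ontology>https://ontology.example.org/service</ontology>
  <note>See http://www.w3.org/ for the spec</note>
</config>
"""

# A URL runs until whitespace, a quote or an angle bracket.
URL_RE = re.compile(r"\bhttps?://[^\s\"'<>]+")


def find_plain_http_urls(xml_text):
    """Return (location, url) pairs for every http:// URL found in an
    attribute value or in element text, in document order."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        for attr, value in elem.attrib.items():
            for url in URL_RE.findall(value):
                if url.startswith("http://"):
                    findings.append((f"{elem.tag}@{attr}", url))
        for url in URL_RE.findall(elem.text or ""):
            if url.startswith("http://"):
                findings.append((elem.tag, url))
    return findings


def upgrade_own_host(xml_text, host):
    """Rewrite http:// URLs on the geoportal's own host to https://.
    References to other hosts are left alone for manual review, since
    only the operator knows whether those services offer HTTPS."""
    pattern = r"http://" + re.escape(host) + r"(?![\w.-])"
    return re.sub(pattern, "https://" + host, xml_text)


if __name__ == "__main__":
    for location, url in find_plain_http_urls(SAMPLE_CONFIG):
        print(f"plain http reference at {location}: {url}")
```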
Encryption Concepts
This section describes some important concepts for encryption within the Geoportal Server.
Encrypting Passwords in the gpt.xml file
In the gpt.xml file, there are sections where you can specify whether a password is encrypted. When encryption is set to true, an encrypted password can be defined in these sections. To generate an encrypted password for storage in the gpt.xml file, follow the steps below:
- Open the geoportal in a browser
- Log in as an administrator
- Navigate to http://<machinename>//catalog/identity/encryptPassword.page to display the Password Encryption Utility page
- Enter your admin password into the password box
- Click the Encrypt button. The encrypted password appears in the Encrypted value box
- Copy and paste this value into your gpt.xml file where you want to encrypt the password
Change the Encryption Key
On the Register a resource on the network page, it is possible to define a connection to another catalog that requires a username and password. To protect these remote catalogs, the Geoportal does not store the password in clear text in its database or log files. Instead, it applies an encryption algorithm before storing the password, and decrypts it when the synchronization process uses it to connect to the repository. Because all Geoportal instances use the same encryption key out of the box, it is important to change the encKey value in the identity section of the gpt.xml file so that the encrypted passwords cannot be easily deciphered. Note: if the encryption key is changed at any point, any data already stored in the database that was encrypted with the old key becomes invalid. In that case, the data must be re-generated and re-stored in the database under the new encryption key. For this reason it is recommended to change the encryption key at the beginning of the Geoportal deployment and not to change it thereafter.
To change the Encryption Key:
- Open the gpt.xml file from the \\geoportal\WEB-INF\classes\gpt\config folder in a text editor
- Scroll to the <identity> tag, and note the value of encKey
- Change this value to a new key. The key can be a simple word
- Save the gpt.xml file and close it
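Why records encrypted under the old key become invalid, and what the re-generate step looks like, as an added example that is not Geoportal Server code: the Geoportal's own encryption algorithm is not shown here, and the HMAC-SHA256 counter-mode construction, the salt and the record layout are assumptions chosen so the example runs with the Python standard library alone.

```python
"""Key rotation: records sealed under the old key fail, then get re-sealed."""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(enc_key):
    """Stretch the configured word into separate encryption and MAC keys.
    The salt is a constructed constant for this illustration."""
    master = hashlib.pbkdf2_hmac("sha256", enc_key.encode(), b"example-salt", 50_000)
    return (hmac.new(master, b"enc", hashlib.sha256).digest(),
            hmac.new(master, b"mac", hashlib.sha256).digest())


def _keystream(key, nonce, length):
    """HMAC-SHA256 over nonce||counter, used as a PRF-based keystream."""
    blocks = [hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(0, length, 32)]
    return b"".join(blocks)[:length]


def encrypt(enc_key, plaintext):
    """Return nonce || ciphertext || tag; the tag lets a wrong key be
    detected instead of silently yielding garbage."""
    ek, mk = _subkeys(enc_key)
    nonce, data = os.urandom(NONCE_LEN), plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(ek, nonce, len(data))))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()


def decrypt(enc_key, blob):
    ek, mk = _subkeys(enc_key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("record was not encrypted under this key (or is corrupted)")
    return bytes(a ^ b for a, b in zip(ct, _keystream(ek, nonce, len(ct)))).decode()


def can_decrypt(enc_key, blob):
    """True if a stored record is still valid under the given key."""
    try:
        decrypt(enc_key, blob)
        return True
    except ValueError:
        return False


def rotate_key(records, old_key, new_key):
    """Re-generate every stored record under the new key: the step needed
    when encKey changes after encrypted data already exists."""
    return {name: encrypt(new_key, decrypt(old_key, blob)) for name, blob in records.items()}
```

Run `rotate_key` before switching the configured key over, since `can_decrypt` with the new key is false for every record until it has been re-sealed.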
Security Resources for Geoportal System Environment Components
Because the geoportal is deployed in the context of other products upon which it depends, it is important to investigate the security recommendations of those underlying technologies. The following documents are useful references:
- Esri resources
  - ArcGIS Resource Centers Enterprise GIS Security page
  - How to Configure a reverse proxy system architecture for ArcGIS Server with an Apache Web Server
  - Securing Internet connections to services
- Non-Esri resources
  - Tomcat 6.0 SSL configuration: usually only necessary if Tomcat is run as a standalone web server. If it runs behind another web server (such as Apache or IIS, as in the geoportal's recommended system environment), then SSL should be configured on Apache or IIS and not on Tomcat.
  - How To Set Up an HTTPS Service in IIS
  - Apache SSL/TLS Encryption
  - How to enable LDAP over SSL with a third-party certification authority