Certificates
The Certificates tab lets you import intermediate and root certificates so that certificate validation succeeds during authentication. The proxy service picks up an imported certificate automatically; if you run into difficulties, contact ArcFMReadiness@se.com for assistance.
To add a certificate, follow these steps:
1. Click either the Root or Intermediate subtab, depending on your certificate type.
2. Type a Display Name.
3. Click the Choose File button to upload the certificate file.
4. Click Upload in the lower right-hand corner to complete the process.
The diagram below is an example architecture illustrating the use of a certificate with GDBM XI.
The steps to set up the above architecture are as follows:
1. The administrator logs into Solution Center.
2. The administrator enters a set of Machine to Machine (M2M) credentials for a given map service. These credentials are sent to the mapping service over HTTPS.
3. The mapping service uses the ASP.NET Core Data Protection APIs to store these credentials securely. The Data Encryption Keys (DEKs) are stored in a key ring maintained in Azure Blob Storage. The key ring uses DEKs with a 90-day expiration and is protected by Azure Key Vault, which maintains the Key Encryption Keys (KEKs).
4. Later, GDBM runs as a configured scheduled event and begins its process.
5. When GDBM is ready to communicate with ArcGIS Server, it must first retrieve the needed M2M credentials. It does this by communicating with the mapping service over HTTPS, presenting a privileged JWT that allows it to retrieve the credentials.
6. The mapping service must then read the credentials from storage, which follows the same path as Step 3.
7. GDBM, now with credentials in hand, calls Portal for ArcGIS's generate token endpoint. When Portal is not public facing, this request is sent to the Proxy service as an authenticated request.
8. The Proxy service uses its configured network settings to determine how to route the request (Hybrid Connection Manager in this example).
9. Hybrid Connection Manager picks up the authentication request from Azure Relay.
10. Hybrid Connection Manager sends the request to Portal for ArcGIS, and the response is returned to GDBM.
11. Now that GDBM is authenticated with Portal for ArcGIS, it sends its REST calls to ArcGIS Server using the same Proxy/Hybrid Connection Manager mechanism.
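As an added illustration (not the mapping service's own code), the following ASP.NET Core minimal-API snippet wires Data Protection the way Steps 3 and 5 above describe: the key ring persisted in Azure Blob Storage, each DEK wrapped by an Azure Key Vault KEK, and a 90-day key lifetime. It assumes the Azure.Extensions.AspNetCore.DataProtection.Blobs and .Keys packages plus Azure.Identity; the storage and vault URIs, the routes, and the in-memory store are placeholders, and the JWT authorization policy on the GET endpoint is omitted.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using Azure.Identity;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
var builder = WebApplication.CreateBuilder(args);
var credential = new DefaultAzureCredential();      // managed identity / developer login
builder.Services.AddDataProtection()
    .SetApplicationName("mapping-service")          // isolates this key ring from other apps
    .PersistKeysToAzureBlobStorage(                 // key ring (DEKs) lives in a blob; placeholder URI
        new Uri("https://<storage-account>.blob.core.windows.net/dataprotection/keys.xml"),
        credential)
    .ProtectKeysWithAzureKeyVault(                  // each DEK is wrapped by the Key Vault KEK; placeholder URI
        new Uri("https://<vault-name>.vault.azure.net/keys/<key-name>/<key-version>"),
        credential)
    .SetDefaultKeyLifetime(TimeSpan.FromDays(90));  // 90-day DEK rotation, as in Step 3
var app = builder.Build();
var store = new ConcurrentDictionary<string, string>();  // stands in for real persistence
// Solution Center posts M2M credentials for one map service (Step 2).
app.MapPost("/credentials/{serviceId}", (string serviceId, M2MCredential c, IDataProtectionProvider dp) =>
{
    // The purpose chain scopes the protector: a payload protected for one service
    // cannot be unprotected by a protector created for another service.
    var protector = dp.CreateProtector("M2MCredentials", serviceId);
    store[serviceId] = protector.Protect($"{c.Username}\n{c.Password}");
    return Results.NoContent();
});
// GDBM later fetches them (Step 5); the privileged-JWT check belongs on this route.
app.MapGet("/credentials/{serviceId}", (string serviceId, IDataProtectionProvider dp) =>
{
    if (!store.TryGetValue(serviceId, out var ciphertext)) return Results.NotFound();
    try
    {
        var parts = dp.CreateProtector("M2MCredentials", serviceId).Unprotect(ciphertext).Split('\n', 2);
        return Results.Ok(new M2MCredential(parts[0], parts[1]));
    }
    catch (CryptographicException)
    {
        // Key revoked, key ring unreadable, or payload tampered: return nothing partial.
        return Results.Problem("Stored credential can no longer be unprotected");
    }
});
app.Run();
record M2MCredential(string Username, string Password);
```

Because the blob holds only KEK-wrapped DEKs, read access to the storage account alone does not yield the credentials; the Key Vault access policy is what gates decryption.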
See ASP.NET Core Data Protection Overview for more information.
Refer to Esri’s Generate Token article for more information about generating tokens.