The following sections describe the properties available to ArcGIS Mission Server administrators. Each property is described along with its path located in the ArcGIS Mission Server administration site by navigating to the URL https://machine.domain.com:20443/arcgis/admin.
Which account should I designate as the ArcGIS Mission Server account?
The ArcGIS Mission Server account defaults to the name arcgis. Accepting this default is sufficient for most nonproduction deployments; however, for production systems, Esri recommends that you create a domain or Active Directory account prior to installing ArcGIS Mission Server.
You are allowed to specify a local account or a domain account. You can export the setup configuration file when you install ArcGIS Mission Server on the first machine in your site and use the configuration file when you install ArcGIS Mission Server on the other machines in your site. That way, you guarantee that the ArcGIS Mission Server account is configured exactly the same on all the machines in your site.
Domain account
A domain account makes it easier to access data on remote systems. A domain account is also preferable for security purposes because the account is centrally managed.
When specifying a domain account, use the format DOMAIN\username. If you do not specify the domain, the ArcGIS Mission Server installation wizard creates a local account with the user name you specified. If you specify a domain account that does not exist, the installation returns an error.
If your logon settings deny login rights to the machine where ArcGIS Mission Server is installed, you will encounter an error during the installation. It is not necessary to grant Log on locally group policy settings to the ArcGIS Mission Server account.
Local account
If you've chosen a local account, the local account and password must exist on each machine in the ArcGIS Mission Server site and be identical. You can create the local account with the same password on each machine before installing ArcGIS Mission Server, or you can let the ArcGIS Mission Server installation wizard create the local account; just be sure to use the same user name and password on every machine in the site.
If you're creating a new local account as part of the installation, the password you specify for the account must adhere to your operating system's local security policy. If the password does meet the minimum strength requirements of your operating system, the installation returns an error. Consult the Microsoft documentation for the version Windows you are using to learn how to check the security policy on your machines.
Group managed service account
A group managed service account (gMSA) is a special Active Directory domain account that provides automatic password management. The account cannot be used for interactive logons and is restricted for use on only a pre-defined group of servers.
Using a gMSA is especially advantageous when a service account governs software on multiple machines, such as in a multiple-machine ArcGIS Mission Server site. Because the gMSA works at the domain level, it is able to regularly change the service account password on each machine with no manual steps required.
Starting in 10.8, the configureserviceaccount command line tool, which is described below, can be used to configure the ArcGIS Mission Server service to run under a gMSA. You can find this tool in the <Mission_Install>\tools\ConfigUtility directory. For the user name parameter, the group managed service account can be specified either with or without the $ symbol at the end. The password parameter is not needed. The readconfig and writeconfig parameters both function the same with a group managed service account.
A sample command to configure a gMSA as the ArcGIS Mission Server account:
configureserviceaccount.bat --username mydomain\enterprise-gmsa$ --writeconfig c:\temp\domainaccountconfig.xml
Import an existing server certificate
To import an existing server certificate, click Home > Machines > MachineName > sslCertificates > importExistingServerCertificate
This operation imports an existing server certificate into the keystore. If the certificate is a Certificate Authority (CA) signed certificate, you must first import the CA root or intermediate certificate using the importRootOrIntermediate operation.
Import a root certificate
To import a root certificate, click Home > Machines > MachineName > sslCertificates > importRootOrIntermediate
This operation imports a CA's root and intermediate certificates into the keystore. To create a production quality CA-signed certificate, add the CA's certificates to the keystore that enables the SSL mechanism to trust the CA (and the certificates it has signed). While most of the popular CA's certificates are already available in the keystore, you can use this operation if you have a custom CA or specific intermediate certificates.
Update the security configuration
To update the security configuration, click Home > Security > SecurityConfig > UpdateSecurityConfig
This operation updates the security configuration, including TLS protocols and cipher suites, for your ArcGIS Mission Server site. This operation causes the REST service endpoints to be redeployed on every server machine in the site. If you updated the communication protocol as part of this operation, it takes ArcGIS Web Adaptor one minute to recognize changes to the communication protocol of your site.
Delete a site
To delete a site, click Home > Delete Site
This operation deletes the site configuration and releases all server resources. It is suited for development or test servers that need to be cleaned up regularly and can also be performed before uninstallation. Use caution with this option because it deletes all settings, and other configurations and is an unrecoverable operation.
This operation performs the following tasks:
- All server machines participating in the site are stopped.
- All server machines are unregistered from the site.
- The configuration store is deleted.
Editing System Properties
Administrators may edit ArcGIS Mission Server's properties to fit their organization. Custom property values may be set at https://machine.domain.com:20443/arcgis/admin/system/properties/update. Administrators can find system properties that may be set by using the API Reference hyperlink provided in the top right corner of the screen. When setting a custom system property, the property must be set as a valid JSON object. Multiple system properties may be set at a time, as long as they are strung together as valid JSON, for example: {
"WebSocketContextURL":"wss://machine.domain.com/<webadaptor>",
"AuthTokenTimeInSeconds":"180"
}
Define a WebSocketContextURL
A WebSocketContextURL is a System Property that allows clients to make WebSocket connections to ArcGIS Mission Server. WebSocket connections are unique in that they are the heart of ArcGIS Mission Server's real-time communication. If client applications are having difficulty making WebSocket connections to ArcGIS Mission Server, setting a WebSocketContextURL could resolve any connectivity issues. WebSocket connections to mission server always begin with wss://.
Example: {"WebSocketContextURL":"wss://machine.domain.com/<context>"}
Define the length of time a JWT is valid
The JWT (JSON Web Token) is used for user authentication. The length of time that the JWT is valid may be altered.
If this is not set, the default is 180.
Example:{"AuthTokenTimeInSeconds":"180"}
Configure ArcGIS Web Adaptor
To configure ArcGIS Web Adaptor, click Home > System > Web Adaptors > WebAdaptorConfig
The Web Adaptor configuration is a resource for all the configuration parameters shared across the Web Adaptors in the site. This resource identifies the shared key used by all the Web Adaptors to encrypt key data bits in the incoming requests to the server.
Backing up your site
In the event of a disaster, it is highly suggested to frequently export your site settings via the admin API. This can be achieved by navigating to Home > Export Site. It is highly recommended that when defining a destination for the exported site that the location be a network drive, or a location other than the Mission Server machine itself. Destination must be a location that is accessible to the Mission Server machine. In the event of a site failure, the site can be recovered by creating a new server site and navigating to Home > Import Site.
Note:
If you have a multi-machine Mission Server site and the site fails, it is only necessary to import the site once as described above and then joining other Mission Server machines to the site normally.
Edit the log settings
To edit the log settings, click Home > Logs > LogSettings > EditLogSettings
This operation updates the log settings for the entire server site, such as log output location, level, and format, as well as log file age.