Installation

Overview

security.manager NEXT consists of the following components:

To get started with security.manager NEXT you at least need to install the SOI and the Manager UI. Installing the CLI is not required but recommended if you want to manage more than just a handful of services or automate the policy management.

Preparing the installation

Before installing the security.manager NEXT components, unzip the installation file security.manager-NEXT-<version>.zip into an arbitrary folder. This will create the folder security.manager-NEXT-<version> that will be referred to as [SECMAN-DIR] in these docs.

Configuring ArcGIS Enterprise URLs

When installing security.manager NEXT or using the CLI you sometimes have to specify the "base URL" of an ArcGIS Enterprise Portal or ArcGIS Server instance. We recommend to use the direct URL https://<host>:6443/arcgis for ArcGIS Server, and https://<host>:7443/portal for ArcGIS Portal. For <host> use the same hostname as displayed in https://<host>:6443/arcgis/admin/machines for the regarding machine.

If you instead want to use the Web Adaptor URL for ArcGIS Server, like https://gis.example.com/<webadaptor>, you need to ensure that Manager UI and CLI can access the ArcGIS Server Administrator Directory (https://gis.example.com/<webadaptor>/admin) using that URL. Access to the Administrator Directory might be disabled by the Web Adaptor configuration.

When done, proceed with the installation of the SOI extension.

Install SOI

To install the SOI you need to upload two .soe files to ArcGIS Server:

  1. Sign in to ArcGIS Server Manager and navigate to the Site section.

  2. Click ExtensionsAdd Extension to upload both .soe files from [SECMAN-DIR].

  3. Copy the license file to the ArcGIS Server host:

    • Windows: Copy the license to C:\arcgisserver. In case the folder does not exist, copy the license to the folder configured in the AGSSERVER environment property.

    • Linux: Copy the license to ${AGSSERVER}/usr/.

Install Manager UI

Register at ArcGIS Enterprise portal

The Manager UI has to be registered as a web application at the ArcGIS Enterprise portal to make use of the portal’s single sign-on feature. Follow the next steps to register the application:

  1. Log in to portal as a privileged user.

  2. Switch to tab Content.

  3. Click Add ItemAn application.

  4. Use the following settings:

    • Type: Application

    • Title: security.manager

    • Tags: security.manager

  5. Click Add Item.

    portal add application en

    • The overview for the new portal item "security.manager" is displayed.

  6. Click Settings and go to section Application.

  7. Enter in URL: https://<tomcat-host>/secman-next replacing <tomcat-host> with the actual hostname and port. This will be the URL to the application.

  8. Click Update to set the registration settings.

    • As Redirect URI, please enter: https://<tomcat-host>/secman-next replacing <tomcat-host> with the actual hostname and port.

    • Click Add to add the URI to the list of valid redirect URIs.

    • Store the App ID somewhere — it will be needed during the configuration of Manager UI web application.

    • Click Update to close the dialog.

      portal app oauth redirect en

  9. Click Save to confirm the changes made in the application settings.

URLs should start with https:// to ensure that secret tokens are always sent over a secure channel.

Deploy to Tomcat

  • Make sure that the Tomcat service is started.

  • Deploy the Manager UI web application by copying [SECMAN-DIR]/secman-next.war to [TOMCAT]/webapps.

    Alternatively you can use the Tomcat Manager to deploy the WAR file.

Configure application

Before you can use the Manager UI you need to edit some configuration settings. Otherwise you won’t be able to login to the application.

To configure the Manager UI follow these steps:

  1. Copy the template config file [SECMAN-DIR]/resources/application.properties into the folder ${user.home}/.secman-next/. ${user.home} refers to the home directory of the user running the Tomcat service.

    If you want to change the location of the application.properties file, edit the value of data.directory.location in [TOMCAT]/webapps/secman-next/WEB-INF/classes/custom-application.properties as described in the configuration reference.

  2. Edit the new, copied application.properties file and adjust the following values:

    • policyManagement.arcgisServers

    • policyManagement.portalUrl

    • security.authn.oauth.clientId

    The properties are described in the configuration reference.

  3. Restart Tomcat so the modified configuration is read.

Install CLI

You have got two options to install secmanctl. Either you directly use the executable shipped with security.manager NEXT or you install the tool from the npm registry.

Install from shipped executable

secmanctl is shipped as an executable file for Windows and Linux operating systems (x86-64 architecture). It is located at

  • [SECMAN-DIR]/cli/linux_x64/secmanctl for Linux.

  • [SECMAN-DIR]\cli\windows_x64\secmanctl.exe for Windows.

The executable may be copied to another location. You should add the location to your system’s search path ($PATH or %PATH%, for example) so you can run secmanctl without having to specify the full path to it. Depending on your operating system, it may be necessary to grant executable permissions to the secmanctl binary.

Install via npm

secmanctl is also available as a package in the public npm registry. To install secmanctl on your system, you need to install Node.js (and npm) if it is not already installed.

System requirements

For using secmanctl via npm, the following versions are supported:

  • Node.js: 12.x LTS, 14.x LTS

  • npm: 6.14.x (matching the chosen Node.js version)

Install the command line tool and register it as a global executable on your system by running:

$ npm install @conterra/secmanctl -g

Verify the installation by executing the following command:

$ secmanctl --version

After the installation

After finishing the installation you can: