Installation for unfederated ArcGIS Server

Configuring the ArcGIS Server URL

When installing security.manager NEXT or using the CLI you sometimes have to specify the base URL of the ArcGIS Server instance. We recommend to always use the direct URL for the ArcGIS server, i.e. https://<host>:6443/arcgis. For <host> use the same hostname as displayed in https://<host>:6443/arcgis/admin/machines for the regarding machine.

If you instead want to use the Web Adaptor URL for ArcGIS Server, like https://gis.example.com/<webadaptor>, you need to ensure that Manager UI and CLI can access the ArcGIS Server Administrator Directory https://gis.example.com/<webadaptor>/admin using that URL. Access to the Administrator Directory might be disabled by the Web Adaptor configuration.

Please note the special requirements when using Integrated Windows Authentication.

Install SOI

To install the SOI you need to upload at least one SOE file to ArcGIS Server, depending on your setup and your ArcGIS Server version.

For ArcGIS Server 10.8.1 or ArcGIS Server 10.9.x follow these steps:

Sign in to ArcGIS Server Manager and navigate to the Site section.
Click Extensions → Add Extension to upload both SOE files from [SECMAN-DIR]/soi/ArcGIS 10.x.

If ArcMap Runtime support is disabled on ArcGIS Server (version 10.9.1), ArcGIS Server won’t let you upload the SOE file for ArcMap (ct-security-soi-arcmap.soe). In this case you only need to upload the SOE file for ArcGIS Pro (ct-security-soi-arcgispro.soe). Then proceed with the next step of this guide. If you decide to enable ArcMap Runtime support later on, you need to upload the SOE file for ArcMap-based services as well to be able to secure ArcMap-based services afterwards.

For ArcGIS Server 11.x follow these steps:

Sign in to ArcGIS Server Manager and navigate to the Site section.
Click Extensions → Add Extension to upload the SOE file ct-security-soi-arcgispro.soe from [SECMAN-DIR]/soi/ArcGIS 11.x.

Install Manager UI

Deploy to Tomcat

Make sure that the Tomcat service is started.
Deploy the Manager UI web application by copying [SECMAN-DIR]/secman-next.war to [TOMCAT]/webapps.

Alternatively you can use the Tomcat Manager to deploy the WAR file.

Configure the application

Before you can use the Manager UI, you need to edit some configuration settings. Otherwise, you won’t be able to login to the application.

To configure the Manager UI follow these steps:

Copy the template config file [SECMAN-DIR]/resources/application.properties into the folder ${user.home}/.secman-next/. ${user.home} refers to the home directory of the user running the Tomcat service.

If the Tomcat server does not run under a dedicated user, it runs as Local Service. In this case the directory is created under the following path: %systemroot%/ServiceProfiles/LocalService/.secman-next/.

If you want to use another location for the application.properties file, edit the value of data.directory.location in [TOMCAT]/webapps/secman-next/WEB-INF/classes/custom-application.properties as described in the configuration reference.
Edit the new, copied application.properties file and adjust the following values:
- security.authn.mode=arcgis
- policyManagement.arcgisServers=<ArcGIS Server URL>
The properties are described in the configuration reference.
Restart Tomcat, so the modified configuration is read.

Install CLI

You have got two options to install secmanctl. Either you directly use the executable shipped with security.manager NEXT or you install the tool from the npm registry.

Install from shipped executable

secmanctl is shipped as an executable file for Windows and Linux operating systems (x86-64 architecture). It is located at

[SECMAN-DIR]/cli/linux_x64/secmanctl for Linux.
[SECMAN-DIR]\cli\windows_x64\secmanctl.exe for Windows.

The directory containing the executable can be copied to another location. Files located next to the executable may be required by secmanctl at runtime and should be included when copying the binary.

You should add the location to your system’s search path ($PATH or %PATH%, for example) so you can run secmanctl without having to specify the full path to it. Depending on your operating system, it may be necessary to grant executable permissions to the secmanctl binary.

Install via npm

secmanctl is also available as a package in the public npm registry. To install secmanctl on your system, you need to install Node.js (and npm) if it is not already installed.

System requirements

For using secmanctl via npm, the following versions are supported:

Node.js: 18.x LTS, 20.x LTS
npm: 9.x, 10.x (matching the chosen Node.js version)

Install the command line tool and register it as a global executable on your system by running:

$ npm install @conterra/secmanctl -g

Verify the installation by executing the following command:

$ secmanctl --version

After the installation

After finishing the installation you can:

Get started with security.manager NEXT by protecting a service by example.
Learn more about managing access policies.