Installation for federated ArcGIS Server

Configuring ArcGIS Enterprise URLs

When installing security.manager NEXT or using the CLI you have to specify the base URL of the ArcGIS Enterprise Portal.

We recommend to use the direct URL https://<host>:6443/arcgis for federated servers, and https://<host>:7443/arcgis for ArcGIS Portal. For <host> use the same hostname as displayed in https://<host>:6443/arcgis/admin/machines for the regarding machine.

If you instead want to use the Web Adaptor URL for ArcGIS Server, ensure that Manager UI and CLI can access the ArcGIS Server Administrator Directory. For example, if your web adapter URL is https://gis.example.com/server, the Manager UI and CLI need access to the ArcGIS Server administrator directory https://gis.example.com/server/admin. Access to the Administrator Directory might be disabled by the Web Adaptor configuration.

Please note the special requirements when using Integrated Windows Authentication.

Install SOI

To install the SOI you need to upload at least one SOE file to ArcGIS Server, depending on your setup and your ArcGIS Server version.

For ArcGIS Server 10.8.1 or ArcGIS Server 10.9.x follow these steps:

  1. Sign in to ArcGIS Server Manager and navigate to the Site section.

  2. Click ExtensionsAdd Extension to upload both SOE files from [SECMAN-DIR]/soi/ArcGIS 10.x.

    If ArcMap Runtime support is disabled on ArcGIS Server (version 10.9.1), ArcGIS Server won’t let you upload the SOE file for ArcMap (ct-security-soi-arcmap.soe). In this case you only need to upload the SOE file for ArcGIS Pro (ct-security-soi-arcgispro.soe). Then proceed with the next step of this guide. If you decide to enable ArcMap Runtime support later on, you need to upload the SOE file for ArcMap-based services as well to be able to secure ArcMap-based services afterwards.

For ArcGIS Server 11.x follow these steps:

  1. Sign in to ArcGIS Server Manager and navigate to the Site section.

  2. Click ExtensionsAdd Extension to upload the SOE file ct-security-soi-arcgispro.soe from [SECMAN-DIR]/soi/ArcGIS 11.x.

Install Manager UI

Register at ArcGIS Enterprise portal

The Manager UI has to be registered as a web application at the ArcGIS Enterprise portal to make use of the portal’s single sign-on feature. Follow the next steps to register the application:

  1. Log in to portal as a privileged user.

  2. Switch to tab Content.

  3. Click New ItemApplication.

  4. Select Other Application

  5. Click Next and use the following settings:

    • Title: security.manager

    • Tags: security.manager

  6. Click Save (or Next, depending on the portal version).

    portal add application en

    • The overview for the new portal item security.manager is displayed.

  7. Click Settings and go to section Application.

  8. Enter in URL: https://<tomcat-host>/secman-next replacing <tomcat-host> with the actual hostname and port. This will be the URL to the application.

    • In the Redirect URLs section, click Add and enter the Redirect URL: https://<tomcat-host>/secman-next replacing <tomcat-host> with the actual hostname and port.

    • Store the Client ID (or App ID, depending on the portal version) somewhere — it will be needed during the configuration of Manager UI web application.

      portal app oauth redirect en This screenshot shows the user interface for ArcGIS Enterprise Portal 11.3. For older versions please refer to previous documentations.

  9. Click Save to confirm the changes made in the application settings.

Deploy to Tomcat

  • Make sure that the Tomcat service is started.

  • Deploy the Manager UI web application by copying [SECMAN-DIR]/secman-next.war to [TOMCAT]/webapps.

    Alternatively you can use the Tomcat Manager to deploy the WAR file.

Configure the application

Before you can use the Manager UI, you need to edit some configuration settings. Otherwise, you won’t be able to login to the application.

To configure the Manager UI follow these steps:

  1. Copy the template config file [SECMAN-DIR]/resources/application.properties into the folder ${user.home}/.secman-next/. ${user.home} refers to the home directory of the user running the Tomcat service.

    If the Tomcat server does not run under a dedicated user, it runs as Local Service. In this case the directory is created under the following path: %systemroot%/ServiceProfiles/LocalService/.secman-next/.

    If you want to use another location for the application.properties file, edit the value of data.directory.location in [TOMCAT]/webapps/secman-next/WEB-INF/classes/custom-application.properties as described in the configuration reference.

  2. Edit the new, copied application.properties file and adjust the following values:

    • security.authn.oauth.clientId=<Client ID within Portal>

    • policyManagement.arcgisServers=<List of federated server URLs>

    • policyManagement.portalUrl=<Portal URL>

    The properties are described in the configuration reference.

  3. Restart Tomcat, so the modified configuration is read.

Install CLI

You have got two options to install secmanctl. Either you directly use the executable shipped with security.manager NEXT or you install the tool from the npm registry.

Install from shipped executable

secmanctl is shipped as an executable file for Windows and Linux operating systems (x86-64 architecture). It is located at

  • [SECMAN-DIR]/cli/linux_x64/secmanctl for Linux.

  • [SECMAN-DIR]\cli\windows_x64\secmanctl.exe for Windows.

The directory containing the executable can be copied to another location. Files located next to the executable may be required by secmanctl at runtime and should be included when copying the binary.

You should add the location to your system’s search path ($PATH or %PATH%, for example) so you can run secmanctl without having to specify the full path to it. Depending on your operating system, it may be necessary to grant executable permissions to the secmanctl binary.

Install via npm

secmanctl is also available as a package in the public npm registry. To install secmanctl on your system, you need to install Node.js (and npm) if it is not already installed.

System requirements

For using secmanctl via npm, the following versions are supported:

  • Node.js: 20.x LTS

  • npm: 10.x (matching the chosen Node.js version)

Install the command line tool and register it as a global executable on your system by running:

$ npm install @conterra/secmanctl -g

Verify the installation by executing the following command:

$ secmanctl --version

After the installation

After finishing the installation you can: