ArcGIS Mission Server administrator operations

The following sections describe the properties available to ArcGIS Mission Server administrators. Each property is described along with its path, located in the ArcGIS Mission Server administration site by browsing to the URL https://machine.domain.com:20443/arcgis/admin.

Designate the ArcGIS Mission Server account

The ArcGIS Mission Server account defaults to the name arcgis. Accepting this default is sufficient for most nonproduction deployments; however, for production systems, Esri recommends that you create a domain or Active Directory account prior to installing ArcGIS Mission Server.

You are allowed to specify a local account or a domain account. You can export the setup configuration file when you install ArcGIS Mission Server on the first machine in your site and use the configuration file when you install ArcGIS Mission Server on the other machines in your site. This ensures that the ArcGIS Mission Server account is configured the same on all the machines in your site.

Domain account

A domain account makes it easier to access data on remote systems. A domain account is also preferable for security purposes because the account is centrally managed.

When specifying a domain account, use the format DOMAIN\username. If you do not specify the domain, the ArcGIS Mission Server installation wizard creates a local account with the user name you specified. If you specify a domain account that does not exist, the installation returns an error.

If your login settings deny login rights to the machine where ArcGIS Mission Server is installed, you will encounter an error during the installation. It is not necessary to grant Log on locally group policy settings to the ArcGIS Mission Server account.

Local account

If you've chosen a local account, the local account and password must exist on each machine in the ArcGIS Mission Server site and must be identical. You can create the local account with the same password on each machine before installing ArcGIS Mission Server, or you can allow the ArcGIS Mission Server installation wizard to create the local account; just be sure to use the same user name and password on every machine in the site.

If you're creating a new local account as part of the installation, the password you specify for the account must adhere to your operating system's local security policy. If the password does not meet the minimum strength requirements of your operating system, the installation returns an error. Consult the Microsoft documentation for the version of Windows you are using to learn how to check the security policy on your machines.

Group managed service account

A group managed service account (gMSA) is a special Active Directory domain account that provides automatic password management. The account cannot be used for interactive logins and is restricted for use on only a predefined group of servers.

Using a gMSA is especially advantageous when a service account governs software on multiple machines, such as in a multiple-machine ArcGIS Mission Server site. Because the gMSA works at the domain level, it is able to regularly change the service account password on each machine with no manual steps required.

Starting in 10.8, the configureserviceaccount command line tool, which is described below, can be used to configure the ArcGIS Mission Server service to run under a gMSA. You can find this tool in the <Mission_Install>\tools\ConfigUtility directory. For the username parameter, the group managed service account can be specified either with or without the $ symbol at the end. The password parameter is not needed. The readconfig and writeconfig parameters both function the same with a group managed service account.

The following is a sample command to configure a gMSA as the ArcGIS Mission Server account:

configureserviceaccount.bat --username mydomain\enterprise-gmsa$ --writeconfig c:\temp\domainaccountconfig.xml

Import an existing server certificate

To import an existing server certificate, click Home > Machines > MachineName > sslCertificates > importExistingServerCertificate.

This operation imports an existing server certificate into the keystore. If the certificate is a Certificate Authority (CA) signed certificate, you must first import the CA root or intermediate certificate using the importRootOrIntermediate operation.

Import a root certificate

To import a root certificate, click Home > Machines > MachineName > sslCertificates > importRootOrIntermediate.

This operation imports a CA's root and intermediate certificates into the keystore. To create a production-quality CA-signed certificate, add the CA's certificates to the keystore that enables the SSL mechanism to trust the CA (and the certificates it has signed). While most of the popular CA's certificates are already available in the keystore, you can use this operation if you have a custom CA or specific intermediate certificates.

Update the security configuration

To update the security configuration, click Home > Security > SecurityConfig > UpdateSecurityConfig.

This operation updates the security configuration, including TLS protocols and cipher suites, for your ArcGIS Mission Server site. This operation causes the REST service endpoints to be redeployed on every server machine in the site. If you updated the communication protocol as part of this operation, it takes ArcGIS Web Adaptor one minute to recognize changes to the communication protocol of your site.

Delete a site

To delete a site, click Home > Delete Site.

This operation deletes the site configuration and releases all server resources. It is suited for development or test servers that need to be cleaned up regularly and can also be performed before uninstallation. Use caution with this option because it deletes all settings and other configurations and is an unrecoverable operation.

This operation performs the following tasks:

  • All server machines participating in the site are stopped.
  • All server machines are unregistered from the site.
  • The configuration store is deleted.

Edit system properties

Administrators can edit ArcGIS Mission Server properties to fit their organization. Custom property values can be set at https://machine.domain.com:20443/arcgis/admin/system/properties/update. Administrators can find system properties that can be set by using the API Reference link in the upper right corner of the screen. When setting a custom system property, the property must be set as a valid JSON object. Multiple system properties can be set at a time, as long as they are strung together as valid JSON, for example:

{
"WebSocketContextURL":"wss://machine.domain.com/<webadaptor>",
"AuthTokenTimeInSeconds":"180"
}
The sections below describe common system properties an administrator can use.

Define a WebSocketContextURL

A WebSocketContextURL is a system property that allows clients to make WebSocket connections to ArcGIS Mission Server. WebSocket connections are the foundation of real-time communication in ArcGIS Mission Server. If client applications are having difficulty making WebSocket connections to ArcGIS Mission Server, setting a WebSocketContextURL property can resolve connectivity issues. WebSocket connections to ArcGIS Mission Server always begin with wss://, for example:

{"WebSocketContextURL":"wss://machine.domain.com/<context>"}

Define the length of time a JSON Web Token is valid

The JSON Web Token (JWT) is used for user authentication. The length of time that the JWT is valid can be altered.

If this time is not set, the default is 180 seconds, for example:

{"AuthTokenTimeInSeconds":"180"}

Configure ArcGIS Web Adaptor

To configure ArcGIS Web Adaptor, click Home > System > Web Adaptors > WebAdaptorConfig.

The ArcGIS Web Adaptor configuration is a resource for all the configuration parameters shared across the web adaptors in the site. This resource identifies the shared key used by all the web adaptors to encrypt key data bits in the incoming requests to the server.

Back up the site

It is highly recommended that you frequently export your site settings via the admin API. You can do this by browsing to Home > Export Site. It is highly recommended when defining a destination property for the exported site that the location be a network drive, or a location other than the ArcGIS Mission Server machine itself. The destination must be a location that is accessible to the ArcGIS Mission Server machine. In the event of a site failure, the site can be recovered by creating a new server site and browsing to Home > Import Site.

Note:

If you have a multimachine ArcGIS Mission Server site and the site fails, it is only necessary to import the site once as described above and then join other ArcGIS Mission Server machines to the site normally.

Edit the log settings

To edit the log settings, click Home > Logs > LogSettings > EditLogSettings.

This procedure updates the log settings for the entire server site, such as log output location, level, and format, as well as log file age.