Why doesn't portal_standby "Import Root Certificate" #371

Closed
ramtechjoe opened this issue Sep 29, 2023 · 3 comments

ramtechjoe commented Sep 29, 2023

Hi,

I am setting up an ArcGIS Enterprise HA and I noticed that there is different behavior around the loading of the root certificate. In the portal.rb used for the primary machine setup there is 'Import Root Certificate' included:

arcgis_enterprise_portal 'Import Root Certificates' do
  portal_url node['arcgis']['portal']['url']
  username node['arcgis']['portal']['admin_username']
  password node['arcgis']['portal']['admin_password']
  root_cert node['arcgis']['portal']['root_cert']
  root_cert_alias node['arcgis']['portal']['root_cert_alias']
  not_if { node['arcgis']['portal']['root_cert'].empty? ||
           node['arcgis']['portal']['root_cert_alias'].empty?}
  retries 5
  retry_delay 30
  action :import_root_cert
end

This occurs prior to the 'Configure HTTPS' action.

This action does not exist in the portal_standby.rb.

In the portal_standby it does look at the root certificate parameters, but I do not believe the action :configure_https includes importing the root cert.

portal_standby

arcgis_enterprise_portal 'Configure HTTPS' do
  portal_url node['arcgis']['portal']['url']
  username node['arcgis']['portal']['admin_username']
  password node['arcgis']['portal']['admin_password']
  keystore_file node['arcgis']['portal']['keystore_file']
  keystore_password node['arcgis']['portal']['keystore_password']
  cert_alias node['arcgis']['portal']['cert_alias']
  root_cert node['arcgis']['portal']['root_cert']
  root_cert_alias node['arcgis']['portal']['root_cert_alias']
  not_if { node['arcgis']['portal']['keystore_file'].empty? }
  retries 5
  retry_delay 30
  action :configure_https
end

portal.rb

arcgis_enterprise_portal 'Configure HTTPS' do
  portal_url node['arcgis']['portal']['url']
  username node['arcgis']['portal']['admin_username']
  password node['arcgis']['portal']['admin_password']
  keystore_file node['arcgis']['portal']['keystore_file']
  keystore_password node['arcgis']['portal']['keystore_password']
  cert_alias node['arcgis']['portal']['cert_alias']
  not_if { node['arcgis']['portal']['keystore_file'].empty? || 
           node['arcgis']['portal']['cert_alias'].empty? }
  retries 5
  retry_delay 30
  action :configure_https
end

So in the standby the root certificate is not actually imported.

Is this by design? And if so, why would that be?

Thanks
-Joe

@cameronkroeker
Contributor

Hi @ramtechjoe,

Great catch! This was just an oversight; it should have been added when portal went to per-machine SSL certificates. I will see if we can get this added to a future release of the cookbooks. For now you can use the following workaround:

Add this block to the portal_standby.rb recipe (After 'Join Portal Site' and before the 'Configure HTTPS'):

arcgis_enterprise_portal 'Import Root Certificates' do
  portal_url node['arcgis']['portal']['url']
  username node['arcgis']['portal']['admin_username']
  password node['arcgis']['portal']['admin_password']
  root_cert node['arcgis']['portal']['root_cert']
  root_cert_alias node['arcgis']['portal']['root_cert_alias']
  not_if { node['arcgis']['portal']['root_cert'].empty? ||
           node['arcgis']['portal']['root_cert_alias'].empty?}
  retries 5
  retry_delay 30
  action :import_root_cert
end

Then in the arcgis-enterprise-standby.json or arcgis-portal-standby.json be sure to add node['arcgis']['portal']['root_cert_alias'] and node['arcgis']['portal']['root_cert'] attributes.

Thanks,
Cameron K.
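
A preflight check for the workaround above, as an added example that is not part of the original thread or of the Esri cookbook. It mirrors the two `not_if` guards quoted for portal_standby and sanity-checks the root certificate; the function names and the sample JSON are constructed, and it assumes `root_cert` holds the path of a PEM or DER file whose content is passed to `root_cert_problems`.

```ruby
require 'json'
require 'openssl'

# Constructed sample: standby attributes with a keystore but no root_cert.
SAMPLE_STANDBY_JSON = <<~JSON
  { "arcgis": { "portal": {
      "keystore_file": "/constructed/path/portal.pfx",
      "cert_alias": "portal",
      "root_cert": "",
      "root_cert_alias": "orgroot" } } }
JSON

# Mirrors the not_if guards quoted in this thread. A resource whose guard is
# true is skipped without failing the run, so each one is reported here.
# Missing keys are treated like empty strings (assumption).
def standby_preflight(node_json)
  portal = JSON.parse(node_json).dig('arcgis', 'portal') || {}
  blank = ->(key) { portal[key].to_s.empty? }
  findings = []
  if blank.call('root_cert') || blank.call('root_cert_alias')
    findings << "'Import Root Certificates' skipped: root_cert or root_cert_alias is empty"
  end
  findings << "'Configure HTTPS' skipped: keystore_file is empty" if blank.call('keystore_file')
  findings
end

# Sanity-checks the certificate content (PEM or DER) before it is imported.
def root_cert_problems(cert_data, now = Time.now)
  cert = OpenSSL::X509::Certificate.new(cert_data)
  problems = []
  problems << 'expired' if cert.not_after < now
  problems << 'not yet valid' if cert.not_before > now
  bc = cert.extensions.find { |ext| ext.oid == 'basicConstraints' }
  problems << 'not a CA certificate' unless bc && bc.value.include?('CA:TRUE')
  problems
rescue OpenSSL::X509::CertificateError => e
  ["unparseable: #{e.message}"]
end

puts standby_preflight(SAMPLE_STANDBY_JSON)
```

An empty result from both functions means neither guard would skip its resource and the certificate parses as a currently valid CA certificate.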

@ramtechjoe
Author

@cameronkroeker thanks for looking into it. We did just install manually for the time being.

@cameronkroeker
Contributor

Hi @ramtechjoe,

This has been added to cookbooks v4.2.0.

https://github.com/Esri/arcgis-cookbook/releases/tag/v4.2.0

Thanks,
Cameron K.
