DSCResources/ArcGIS_Server_TLS/ArcGIS_Server_TLS.psm1
$modulePath = Join-Path -Path (Split-Path -Path (Split-Path -Path $PSScriptRoot -Parent) -Parent) -ChildPath 'Modules' # Import the ArcGIS Common Modules Import-Module -Name (Join-Path -Path $modulePath ` -ChildPath (Join-Path -Path 'ArcGIS.Common' ` -ChildPath 'ArcGIS.Common.psm1')) <# .SYNOPSIS Creates a SelfSigned Certificate or Installs a SSL Certificated Provided and Configures it with Server .PARAMETER ServerHostName Optional Host Name or IP of the Machine on which the Server has been installed and is to be configured. .PARAMETER ServerRole Site Name or Default Context of Server .PARAMETER SiteAdministrator A MSFT_Credential Object - Primary Site Administrator. .PARAMETER WebServerCertificateAlias WebServerCertificateAlias with which the Certificate will be associated. .PARAMETER CertificateFileLocation Certificate Path from where to fetch the certificate to be installed. .PARAMETER CertificatePassword Sercret Certificate Password or Key. .PARAMETER SslRootOrIntermediate Takes a JSON string list of all the root or intermediate certificates to import .PARAMETER EnableHTTPSOnly Enable only HTTPs protocol .PARAMETER EnableHSTS Enable HTTP Strict Transport Security (HSTS) #> function Get-TargetResource { [CmdletBinding()] [OutputType([System.Collections.Hashtable])] param ( [parameter(Mandatory = $True)] [System.String] $ServerHostName ) $null # TODO } function Set-TargetResource { [CmdletBinding()] param ( [parameter(Mandatory = $true)] [System.String] $ServerHostName, [System.String] $ServerType, [System.Management.Automation.PSCredential] $SiteAdministrator, [System.String] $WebServerCertificateAlias, [System.String] $CertificateFileLocation, [System.Management.Automation.PSCredential] $CertificatePassword, [System.String] $SslRootOrIntermediate, [System.Boolean] $EnableHTTPSOnly, [System.Boolean] $EnableHSTS ) if($CertificateFileLocation -and -not(Test-Path $CertificateFileLocation)){ throw "Certificate File '$CertificateFileLocation' is not found or inaccessible" } $ServiceName = "ArcGIS Server" $SitePort = 6443 if($ServerType -ieq "NotebookServer"){ $ServiceName = "ArcGIS Notebook Server" $SitePort = 11443 }elseif($ServerType -ieq "MissionServer"){ $ServiceName = "ArcGIS Mission Server" $SitePort = 20443 } $FQDN = if($ServerHostName){ Get-FQDN $ServerHostName }else{ Get-FQDN $env:COMPUTERNAME } $ServerUrl = "https://$($FQDN):$($SitePort)" Wait-ForUrl -Url "$($ServerUrl)/arcgis/admin/" Wait-ForUrl -Url "$($ServerUrl)/arcgis/rest/info/healthCheck?f=json" -HttpMethod 'GET' $Referer = $ServerUrl $token = Get-ServerToken -ServerEndPoint $ServerURL -Credential $SiteAdministrator -Referer $Referer if(-not($token.token)){ throw "Unable to retrieve token for Site Administrator" } # Get the current security configuration if($ServerType -ine "NotebookServer" -or $ServerType -ine "MissionServer"){ $UpdateSecurityConfig = $False Write-Verbose 'Getting security config for site' $secConfig = Get-SecurityConfig -ServerURL $ServerURL -Token $token.token -Referer $Referer if($EnableHTTPSOnly){ if($secConfig.sslEnabled -and -not($secConfig.httpEnabled)){ Write-Verbose "Https Only is enabled. No update required" }else{ Write-Verbose "Https Only is disabled. Update required" $UpdateSecurityConfig = $True } }else{ if($EnableHSTS){ throw "Error: Enable HSTS porperty requires http protocol set to only HTTPS." } if(-not($secConfig.sslEnabled -and -not($secConfig.httpEnabled))){ Write-Verbose "Https Only is disabled. No update required" }else{ Write-Verbose "Https Only is enabled. Update required" $UpdateSecurityConfig = $True } } if(-not($UpdateSecurityConfig)){ if($secConfig.HSTSEnabled -ine $EnableHSTS){ Write-Verbose "Enable HSTS doesn't match the expected state $EnableHSTS" $UpdateSecurityConfig = $True }else{ Write-Verbose "Enable HSTS matches the expected state $EnableHSTS" } } if($UpdateSecurityConfig){ Update-SecurityConfig -ServerURL $ServerURL -Token $token.token -SecurityConfig $secConfig ` -Referer $Referer -EnableHTTPSOnly $EnableHTTPSOnly -EnableHSTS $EnableHSTS -Verbose # Changes will cause the web server to restart. Write-Verbose "Waiting 30 seconds before checking" Start-Sleep -Seconds 30 Write-Verbose "Waiting for Url '$($ServerUrl)/arcgis/admin' to respond" Wait-ForUrl -Url "$($ServerUrl)/arcgis/admin/" -SleepTimeInSeconds 15 -MaxWaitTimeInSeconds 90 Wait-ForUrl -Url "$($ServerUrl)/arcgis/rest/info/healthCheck?f=json" -HttpMethod 'GET' } } $MachineName = $FQDN $AllMachines = Get-Machines -ServerURL $ServerURL -Token $token.token -Referer $Referer if(-not($AllMachines.machines | Where-Object { $_.machineName -ieq $MachineName })) { $MachineName = $env:COMPUTERNAME if(-not($AllMachines.machines | Where-Object { $_.machineName -ieq $MachineName })){ throw "Not able to find machine in site with either hostname $MachineName or fully qualified domain name $FQDN" } } if($CertificateFileLocation){ if(-not(Test-Path $CertificateFileLocation)){ throw "Certificate File '$CertificateFileLocation' is not found" } if($WebServerCertificateAlias -as [ipaddress]) { Write-Verbose "Adding Host mapping for $WebServerCertificateAlias" Add-HostMapping -hostname $WebServerCertificateAlias -ipaddress $WebServerCertificateAlias } $DeleteTempCert = $False $ImportCert = $False $UpdateWebAlias = $False $CertForMachine = Get-SSLCertificateForMachine -ServerURL $ServerUrl -Token $token.token -Referer $Referer -MachineName $MachineName -SSLCertName $WebServerCertificateAlias.ToLower() if($null -ne $CertForMachine){ # Certificate with CName Found $NewCertIssuer = $null $NewCertThumbprint = $null if($CertificateFileLocation -and ($null -ne $CertificatePassword)) { $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cert.Import($CertificateFileLocation,$CertificatePassword.GetNetworkCredential().Password,'DefaultKeySet') $NewCertIssuer = $cert.Issuer $NewCertThumbprint = $cert.Thumbprint Write-Verbose "Issuer for the supplied certificate is $NewCertIssuer" Write-Verbose "Thumbprint for the supplied certificate is $NewCertThumbprint" } $ExistingCertIssuer = $CertForMachine.Issuer $ExistingCertThumbprint = $CertForMachine.Thumbprint Write-Verbose "Existing Cert Issuer $ExistingCertIssuer with Thumbprint $ExistingCertThumbprint" $machineDetails = Get-MachineDetails -ServerURL $ServerUrl -Token $token.token -Referer $Referer -MachineName $MachineName if($ExistingCertThumbprint -ine $NewCertThumbprint){ #Certificate Thumbprint doesn't match if($WebServerCertificateAlias -ieq $machineDetails.webServerCertificateAlias){ $DeleteTempCert = $True #Upload Temp Cert Write-Verbose "Importing Supplied Certificate with Alias $($WebServerCertificateAlias)-temp" Import-ExistingCertificate -ServerUrl $ServerUrl -Token $token.token -Referer $Referer ` -MachineName $MachineName -CertAlias "$($WebServerCertificateAlias)-temp" -CertificatePassword $CertificatePassword ` -CertificateFilePath $CertificateFileLocation -ServerType $ServerType #Update Web Alias to Temp Cert Write-Verbose "Updating to temp SSL Certificate for machine [$MachineName]" $machine = Get-MachineDetails -ServerURL $ServerUrl -Token $token.token -Referer $Referer -MachineName $MachineName $machine.webServerCertificateAlias = "$($WebServerCertificateAlias)-temp" Update-SSLCertificate -ServerURL $ServerURL -Token $token.token -MachineName $MachineName -MachineProperties $machine -Referer $Referer Start-Sleep -Seconds 30 Write-Verbose "Waiting for Url '$ServerUrl/arcgis/admin' to respond" Wait-ForUrl -Url "$ServerUrl/arcgis/admin" -SleepTimeInSeconds 15 -MaxWaitTimeInSeconds 150 -HttpMethod 'GET' -Verbose Wait-ForUrl -Url "$($ServerUrl)/arcgis/rest/info/healthCheck?f=json" -HttpMethod 'GET' } #Delete Certificate Write-Verbose "Certificate with alias $WebServerCertificateAlias already exists for machine $MachineName. Deleting it" try { $res = Invoke-DeleteSSLCertForMachine -ServerURL $ServerUrl -Token $token.token -Referer $Referer -MachineName $MachineName -SSLCertName $WebServerCertificateAlias.ToLower() Write-Verbose "Delete Certificate Operation result - $($res | ConvertTo-Json)" } catch { Write-Verbose "[WARNING] Error deleting SSL Cert with alias $WebServerCertificateAlias. Error:- $_" } $ImportCert = $True #Upload New Cert $UpdateWebAlias = $True #Update Web Alias }else{ # Thumbprint matches if($WebServerCertificateAlias -ine $machineDetails.webServerCertificateAlias){ Write-Verbose "Certificate with alias $WebServerCertificateAlias already exists for machine $MachineName, but web server certificate alias $($machineDetails.webServerCertificateAlias) doesn't match." $UpdateWebAlias = $True #Update Web Alias } else { #Everything Matches Write-Verbose "Certificate with alias $WebServerCertificateAlias already exists for machine $MachineName and matches all the requirements." } } }else{ #Certificate with CName/Alias not found $ImportCert = $True #Upload New Cert $UpdateWebAlias = $True #Update Web Alias } if($ImportCert){ Wait-ForUrl -Url "$ServerUrl/arcgis/admin" -SleepTimeInSeconds 15 -MaxWaitTimeInSeconds 150 -HttpMethod 'GET' -Verbose Wait-ForUrl -Url "$($ServerUrl)/arcgis/rest/info/healthCheck?f=json" -HttpMethod 'GET' # Import the Supplied Certificate Write-Verbose "Importing Supplied Certificate with Alias $WebServerCertificateAlias" Import-ExistingCertificate -ServerUrl $ServerUrl -Token $token.token -Referer $Referer ` -MachineName $MachineName -CertAlias $WebServerCertificateAlias -CertificatePassword $CertificatePassword ` -CertificateFilePath $CertificateFileLocation -ServerType $ServerType } if($UpdateWebAlias){ $machine = Get-MachineDetails -ServerURL $ServerURL -Token $token.token -MachineName $MachineName -Referer $Referer # Update the SSL Cert for machine Write-Verbose "Updating SSL Certificate for machine [$MachineName]" $machine.webServerCertificateAlias = $WebServerCertificateAlias Update-SSLCertificate -ServerURL $ServerURL -Token $token.token -MachineName $MachineName -MachineProperties $machine -Referer $Referer Start-Sleep -Seconds 30 Write-Verbose "Waiting for Url '$ServerUrl/arcgis/admin' to respond" Wait-ForUrl -Url "$ServerUrl/arcgis/admin" -SleepTimeInSeconds 15 -MaxWaitTimeInSeconds 150 -HttpMethod 'GET' -Verbose Wait-ForUrl -Url "$($ServerUrl)/arcgis/rest/info/healthCheck?f=json" -HttpMethod 'GET' # Restart Geoevent if($ServerType -ine "NotebookServer" -or $ServerType -ine "MissionServer"){ #TODO - This will cause issues in Azure, where we have Geoevent and WFM running. ### If the SSL Certificate is changed. Restart the GeoEvent Service so that it will pick up the new certificate $GeoEventServiceName = 'ArcGISGeoEvent' $GeoEventService = Get-Service -Name $GeoEventServiceName -ErrorAction Ignore if($GeoEventService.Status -ieq 'Running') { $GeoEventServerHttpsUrl = "https://localhost:6143" Restart-ArcGISService -ServiceName $GeoEventServiceName -Verbose Write-Verbose "Waiting for Url '$GeoEventServerHttpsUrl/geoevent/rest' to respond" Wait-ForUrl -Url "$GeoEventServerHttpsUrl/geoevent/rest" -SleepTimeInSeconds 20 -MaxWaitTimeInSeconds 150 -HttpMethod 'GET' -Verbose Write-Verbose "Restarted Service $GeoEventServiceName" } } } if($DeleteTempCert){ #Delete Temp Cert try { Write-Verbose "Deleting Temp Certificate with alias $($WebServerCertificateAlias)-temp" $res = Invoke-DeleteSSLCertForMachine -ServerURL $ServerUrl -Token $token.token -Referer $Referer -MachineName $MachineName -SSLCertName "$($WebServerCertificateAlias)-temp".ToLower() Write-Verbose "Delete Temp Certificate Operation result - $($res | ConvertTo-Json)" } catch { Write-Verbose "[WARNING] Error deleting Temp SSL Cert with alias $($WebServerCertificateAlias)-temp. Error:- $_" } } }else{ Write-Verbose "CertificateFileLocation not specified. Skipping web server certificate configuration" } if($null -ne $SslRootOrIntermediate){ #RootOrIntermediateCertificate $RestartRequired = $false $Certs = Get-AllSSLCertificateForMachine -ServerUrl $ServerUrl -Token $token.token -Referer $Referer -MachineName $MachineName foreach ($key in ($SslRootOrIntermediate | ConvertFrom-Json)){ $UploadRootOrIntermediateCertificate = $False if ($Certs.certificates -icontains $key.Alias){ Write-Verbose "RootOrIntermediate $($key.Alias) is in List of SSL-Certificates." $RootOrIntermediateCertForMachine = Get-SSLCertificateForMachine -ServerURL $ServerUrl -Token $token.token -Referer $Referer -MachineName $MachineName -SSLCertName $key.Alias -Verbose Write-Verbose "Existing Cert Issuer $($RootOrIntermediateCertForMachine.Issuer) and Thumbprint $($RootOrIntermediateCertForMachine.Thumbprint)" $NewCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $key.Path Write-Verbose "Issuer and Thumprint for the supplied certificate is $($NewCert.Issuer) and $($NewCert.Thumbprint) respectively." if($RootOrIntermediateCertForMachine.Thumbprint -ine $NewCert.Thumbprint){ Write-Verbose "Thumbprints for Certificate with Alias $($key.Alias) doesn't match that of existing cetificate. Deleting existing certificate and uploading a new one" $UploadRootOrIntermediateCertificate = $True $res = Invoke-DeleteSSLCertForMachine -ServerURL $ServerUrl -Token $token.token -Referer $Referer -MachineName $MachineName -SSLCertName $key.Alias Write-Verbose "Delete existing Certificate Operation result - $($res | ConvertTo-Json)" }else{ Write-Verbose "Thumbprints for Certificate with Alias $($key.Alias) match that of existing cetificate." } }else{ Write-Verbose "RootOrIntermediate $($key.Alias) is NOT in List of SSL-Certificates Import-RootOrIntermediate" $UploadRootOrIntermediateCertificate = $True } if($UploadRootOrIntermediateCertificate){ try{ Import-RootOrIntermediateCertificate -ServerUrl $ServerUrl -Token $token.token -Referer $Referer -MachineName $MachineName -CertAlias $key.Alias -CertificateFilePath $key.Path if(-not($RestartRequired)){ $RestartRequired = $True } }catch{ Write-Verbose "Error in Import-RootOrIntermediateCertificate :- $_" } } } if($RestartRequired) { Write-Verbose "Server Root and intermediate certificates were updated. Restarting Server." Restart-ArcGISService -ServiceName $ServiceName -Verbose Write-Verbose "Waiting 30 seconds before checking for intitialization" Start-Sleep -Seconds 30 Write-Verbose "Waiting for Url '$ServerURL/arcgis/admin' to respond" Wait-ForUrl -Url "$ServerURL/arcgis/admin" -SleepTimeInSeconds 10 -MaxWaitTimeInSeconds 60 -HttpMethod 'GET' Wait-ForUrl -Url "$($ServerUrl)/arcgis/rest/info/healthCheck?f=json" -HttpMethod 'GET' } } } function Test-TargetResource { [CmdletBinding()] [OutputType([System.Boolean])] param ( [parameter(Mandatory = $True)] [System.String] $ServerHostName, [System.String] $ServerType, [System.Management.Automation.PSCredential] $SiteAdministrator, [System.String] $WebServerCertificateAlias, [System.String] $CertificateFileLocation, [System.Management.Automation.PSCredential] $CertificatePassword, [System.String] $SslRootOrIntermediate, [System.Boolean] $EnableHTTPSOnly, [System.Boolean] $EnableHSTS ) if($CertificateFileLocation -and -not(Test-Path $CertificateFileLocation)){ throw "Certificate File '$CertificateFileLocation' is not found or inaccessible" } [System.Reflection.Assembly]::LoadWithPartialName("System.Web") | Out-Null $result = $True $FQDN = if($ServerHostName){ Get-FQDN $ServerHostName }else{ Get-FQDN $env:COMPUTERNAME } $SitePort = 6443 if($ServerType -ieq "NotebookServer"){ $SitePort = 11443 }elseif($ServerType -ieq "MissionServer"){ $SitePort = 20443 } $ServerUrl = "https://$($FQDN):$($SitePort)" Wait-ForUrl -Url "$($ServerUrl)/arcgis/admin/" -MaxWaitTimeInSeconds 60 -HttpMethod 'GET' Wait-ForUrl -Url "$($ServerUrl)/arcgis/rest/info/healthCheck?f=json" -HttpMethod 'GET' $Referer = $ServerUrl $token = Get-ServerToken -ServerEndPoint $ServerUrl -Credential $SiteAdministrator -Referer $Referer if(-not($token.token)){ throw "Unable to retrieve token for Site Administrator" } if($ServerType -ine "NotebookServer" -or $ServerType -ine "MissionServer"){ $secConfig = Get-SecurityConfig -ServerURL $ServerURL -Token $token.token -Referer $Referer if($result){ if($EnableHTTPSOnly){ if($secConfig.sslEnabled -and -not($secConfig.httpEnabled)){ Write-Verbose "Https Only is enabled. No update required" }else{ Write-Verbose "Https Only is disabled. Update required" $result = $false } }else{ if($EnableHSTS){ throw "Error: Enable HSTS porperty requires http protocol set to only HTTPS." } if(-not($secConfig.sslEnabled -and -not($secConfig.httpEnabled))){ Write-Verbose "Https Only is disabled. No update required" }else{ Write-Verbose "Https Only is enabled. Update required." $result = $false } } if($result){ if($secConfig.HSTSEnabled -ine $EnableHSTS){ Write-Verbose "Enable HSTS doesn't match the expected state $EnableHSTS" $result = $false }else{ Write-Verbose "Enable HSTS matches the expected state $EnableHSTS" } } } } $MachineName = $FQDN $AllMachines = Get-Machines -ServerURL $ServerURL -Token $token.token -Referer $Referer if(-not($AllMachines.machines | Where-Object { $_.machineName -ieq $MachineName })) { $MachineName = $env:COMPUTERNAME if(-not($AllMachines.machines | Where-Object { $_.machineName -ieq $MachineName })){ throw "Not able to find machine in site with either hostname $MachineName or fully qualified domain name $FQDN" } } if($CertificateFileLocation){ if(-not(Test-Path $CertificateFileLocation)){ throw "Certificate File '$CertificateFileLocation' is not found" } $CertForMachine = Get-SSLCertificateForMachine -ServerURL $ServerUrl -Token $token.token -Referer $Referer -MachineName $MachineName -SSLCertName $WebServerCertificateAlias.ToLower() -Verbose if($null -ne $CertForMachine){ # Certificate with Alias Found $NewCertIssuer = $null $NewCertThumbprint = $null if($CertificateFileLocation -and ($null -ne $CertificatePassword)) { $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cert.Import($CertificateFileLocation,$CertificatePassword.GetNetworkCredential().Password,'DefaultKeySet') $NewCertIssuer = $cert.Issuer $NewCertThumbprint = $cert.Thumbprint Write-Verbose "Issuer for the supplied certificate is $NewCertIssuer" Write-Verbose "Thumbprint for the supplied certificate is $NewCertThumbprint" } $ExistingCertIssuer = $CertForMachine.Issuer $ExistingCertThumbprint = $CertForMachine.Thumbprint Write-Verbose "Existing Cert Issuer $ExistingCertIssuer and Thumbprint $ExistingCertThumbprint" $machineDetails = Get-MachineDetails -ServerURL $ServerUrl -Token $token.token -Referer $Referer -MachineName $MachineName if($ExistingCertThumbprint -ine $NewCertThumbprint){ #Certificate Thumbprint doesn't match Write-Verbose "Thumbprints for Certificate with Alias $WebServerCertificateAlias doesn't match that of existing cetificate." if($WebServerCertificateAlias -ieq $machineDetails.webServerCertificateAlias){ Write-Verbose "Certificate with alias $WebServerCertificateAlias matches the WebServerCertificateAlias." } $result = $False }else{ # Thumbprint matches if($WebServerCertificateAlias -ine $machineDetails.webServerCertificateAlias){ Write-Verbose "Certificate with alias $WebServerCertificateAlias already exists for machine $MachineName, but web server certificate alias $($machineDetails.webServerCertificateAlias) doesn't match." $result = $False } else { #Everything Matches Write-Verbose "Certificate with alias $WebServerCertificateAlias already exists for machine $MachineName and matches all the requirements." } } }else{ #Certificate with CName/Alias not found Write-Verbose "Certificate with Alias $WebServerCertificateAlias not found for machine $MachineName" $result = $False } } if($result -and $null -ne $SslRootOrIntermediate){ $Certs = Get-AllSSLCertificateForMachine -ServerUrl $ServerUrl -Token $token.token -Referer $Referer -MachineName $MachineName foreach ($key in ($SslRootOrIntermediate | ConvertFrom-Json)){ if ($Certs.certificates -icontains $key.Alias){ Write-Verbose "RootOrIntermediate $($key.Alias) is in List of SSL-Certificates. Validating if thumbprint matches the existing certificate" $RootOrIntermediateCertForMachine = Get-SSLCertificateForMachine -ServerURL $ServerUrl -Token $token.token -Referer $Referer -MachineName $MachineName -SSLCertName $key.Alias -Verbose Write-Verbose "Existing Cert Issuer $($RootOrIntermediateCertForMachine.Issuer) and Thumbprint $($RootOrIntermediateCertForMachine.Thumbprint)" $NewCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $key.Path Write-Verbose "Issuer and Thumprint for the supplied certificate is $($NewCert.Issuer) and $($NewCert.Thumbprint) respectively." if($RootOrIntermediateCertForMachine.Thumbprint -ine $NewCert.Thumbprint){ Write-Verbose "Thumbprints for Certificate with Alias $($key.Alias) doesn't match that of existing cetificate." $result = $False }else{ Write-Verbose "Thumbprints for Certificate with Alias $($key.Alias) match that of existing cetificate." } }else{ Write-Verbose "RootOrIntermediate $($key.Alias) is NOT in List of SSL-Certificates" $result = $False } } } Write-Verbose "Returning $result from Test-TargetResource" $result } function Invoke-DeleteSSLCertForMachine { [CmdletBinding()] param( [System.String] $ServerURL, [System.String] $Token, [System.String] $Referer, [System.String] $MachineName, [System.String] $SSLCertName ) $DeleteSSlCertUrl = $ServerURL.TrimEnd("/") + "/arcgis/admin/machines/$MachineName/sslCertificates/$SSLCertName/delete" Invoke-ArcGISWebRequest -Url $DeleteSSlCertUrl -HttpFormParameters @{ f= 'json'; token = $Token; } -Referer $Referer -HttpMethod 'POST' -TimeoutSec 150 } function Invoke-GenerateSelfSignedCertificate { [CmdletBinding()] param( [System.String] $ServerURL, [System.String] $Token, [System.String] $Referer, [System.String] $MachineName, [System.String] $CertAlias, [System.String] $CertCommonName, [System.String] $CertOrganization, [System.String] $ValidityInDays = 1825 ) $GenerateSelfSignedCertUrl = $ServerURL.TrimEnd("/") + "/arcgis/admin/machines/$MachineName/sslCertificates/generate" $props = @{ f= 'json'; token = $Token; alias = $CertAlias; commonName = $CertCommonName; organization = $CertOrganization; validity = $ValidityInDays } Invoke-ArcGISWebRequest -Url $GenerateSelfSignedCertUrl -HttpFormParameters $props -Referer $Referer -TimeOutSec 150 } function Import-ExistingCertificate { [CmdletBinding()] param( [System.String] $ServerUrl, [System.String] $Token, [System.String] $Referer, [System.String] $MachineName, [System.String] $CertAlias, [System.Management.Automation.PSCredential] $CertificatePassword, [System.String] $CertificateFilePath, [System.String] $ServerType ) $ImportCACertUrl = $ServerURL.TrimEnd("/") + "/arcgis/admin/machines/$MachineName/sslCertificates/importExistingServerCertificate" $props = @{ f= 'json'; alias = $CertAlias; certPassword = $CertificatePassword.GetNetworkCredential().Password } $Header = @{} if(-not($ServerType -ieq "NotebookServer" -or $ServerType -ieq "MissionServer")){ $props["token"] = $Token; }else{ $Header["X-Esri-Authorization"] = "Bearer $Token" } $res = Invoke-UploadFile -url $ImportCACertUrl -filePath $CertificateFilePath -fileContentType 'application/x-pkcs12' -formParams $props -Referer $Referer -fileParameterName 'certFile' -httpHeaders $Header -Verbose if($res) { $response = $res | ConvertFrom-Json Confirm-ResponseStatus $response -Url $ImportCACertUrl } else { Write-Verbose "[WARNING] Response from $ImportCACertUrl was $res" } } function Import-RootOrIntermediateCertificate { [CmdletBinding()] param( [System.String] $ServerUrl, [System.String] $Token, [System.String] $Referer, [string] $MachineName, [System.String] $CertAlias, [System.String] $CertificateFilePath ) $ImportCertUrl = $ServerURL.TrimEnd("/") + "/arcgis/admin/machines/$MachineName/sslCertificates/importRootOrIntermediate" $props = @{ f= 'json'; token = $Token; alias = $CertAlias; } $res = Invoke-UploadFile -url $ImportCertUrl -filePath $CertificateFilePath -fileContentType 'application/x-pkcs12' -formParams $props -Referer $Referer -fileParameterName 'rootCACertificate' if($res) { $response = $res | ConvertFrom-Json Confirm-ResponseStatus $response -Url $ImportCACertUrl } else { Write-Verbose "[WARNING] Response from $ImportCertUrl was null" } } function Update-SSLCertificate { [CmdletBinding()] param( [System.String] $ServerURL, [System.String] $Token, [System.String] $MachineName, [System.String] $Referer, $MachineProperties, [System.Int32] $MaxAttempts = 5, [System.Int32] $SleepTimeInSecondsBetweenAttempts = 30 ) $Info = Invoke-ArcGISWebRequest -Url ($ServerUrl.TrimEnd('/') + "/arcgis/rest/info") -HttpFormParameters @{f = 'json';} -Referer $Referer -Verbose -HttpMethod 'GET' $VersionArray = "$($Info.fullVersion)".Split('.') $VersionIsLessThan107 = ($VersionArray[0] -eq 10 -and $VersionArray[1] -lt 7) $UpdateSSLCertUrl = $ServerURL.TrimEnd("/") + "/arcgis/admin/machines/$MachineName/edit" $MachineProperties.psobject.properties | Foreach-Object -begin {$h=@{}} -process {$h."$($_.Name)" = $_.Value} -end {$h} # convert PSCustomObject to hashtable if($VersionIsLessThan107){ $h.JMXPort = $MachineProperties.ports.JMXPort $h.OpenEJBPort = $MachineProperties.ports.OpenEJBPort $h.NamingPort = $MachineProperties.ports.NamingPort $h.DerbyPort = $MachineProperties.ports.DerbyPort } $h.ports = $null $h.f = 'json' $h.token = $Token [bool]$Done = $false [int]$Attempt = 1 while(-not($Done) -and $Attempt -le $MaxAttempts) { $AttemptStr = '' if($Attempt -gt 1) { $AttemptStr = "Attempt # $Attempt" } Write-Verbose "Update SSLCert Name $AttemptStr" try { $response = Invoke-ArcGISWebRequest -Url $UpdateSSLCertUrl -HttpFormParameters $h -Referer $Referer -TimeOutSec 150 if($response.status -ieq 'success'){ Write-Verbose "Update Web Server SSL Certificate Successful! Server will Restart now." $Done = $true }else{ if(($response.status -ieq 'error') -and $response.messages){ Write-Verbose "[WARNING]:- $($response.messages -join ',')" Start-Sleep -Seconds $SleepTimeInSecondsBetweenAttempts } } } catch { if($Attempt -ge $MaxAttempts) { Write-Verbose "[WARNING] Update failed after $MaxAttempts. Last Response:- $($_)" #throw "Update failed after $MaxAttempts. Error:- $($_)" } Start-Sleep -Seconds $SleepTimeInSecondsBetweenAttempts } $Attempt++ } $response } function Get-Machines { [CmdletBinding()] param( [System.String] $ServerURL, [System.String] $Token, [System.String] $Referer ) $GetMachinesUrl = $ServerURL.TrimEnd("/") + "/arcgis/admin/machines/" Invoke-ArcGISWebRequest -Url $GetMachinesUrl -HttpFormParameters @{ f= 'json'; token = $Token; } -Referer $Referer -HttpMethod 'GET' -TimeoutSec 150 } function Get-MachineDetails { [CmdletBinding()] param( [System.String] $ServerURL, [System.String] $Token, [System.String] $Referer, [System.String] $MachineName ) $GetMachineDetailsUrl = $ServerURL.TrimEnd("/") + "/arcgis/admin/machines/$MachineName/" Invoke-ArcGISWebRequest -Url $GetMachineDetailsUrl -HttpFormParameters @{ f= 'json'; token = $Token; } -Referer $Referer -HttpMethod 'GET' -TimeoutSec 150 } function Get-AllSSLCertificateForMachine { [CmdletBinding()] param( [System.String] $ServerURL, [System.String] $Token, [System.String] $Referer, [System.String] $MachineName ) $certURL = $ServerURL.TrimEnd("/") + "/arcgis/admin/machines/$MachineName/sslCertificates/" Invoke-ArcGISWebRequest -Url $certURL -HttpFormParameters @{ f= 'json'; token = $Token; } -Referer $Referer -HttpMethod 'GET' } function Get-SSLCertificateForMachine { [CmdletBinding()] [OutputType([System.Collections.Hashtable])] param( [System.String] $ServerURL, [System.String] $Token, [System.String] $Referer, [System.String] $MachineName, [System.String] $SSLCertName ) $CertUrl = $ServerURL.TrimEnd("/") + "/arcgis/admin/machines/$MachineName/sslCertificates/$SSLCertName" try{ $json = Invoke-ArcGISWebRequest -Url $CertUrl -HttpFormParameters @{ f= 'json'; token = $Token; } -Referer $Referer -HttpMethod 'GET' if($json.error){ $errMsgs = ($json.error.messages -join ', ') Write-Verbose "[WARNING] Response from $CertUrl is $errMsgs" $null }elseif($json.status -and $json.status -ieq "error"){ $errMsgs = ($json.messages -join ', ') Write-Verbose "[WARNING] Response from $CertUrl is $errMsgs" $null }else{ $issuer = $json.issuer $thumbprint = $json.sha1Fingerprint @{ Issuer = $issuer Thumbprint = $thumbprint } } } catch{ # If no cert exists, an error is returned Write-Verbose "[WARNING] Error checking $CertUrl Error:- $_" $null } } function Update-SecurityConfig { [CmdletBinding()] param( [System.String] $ServerURL, [System.String] $Token, [System.String] $Referer, $SecurityConfig, [System.Boolean] $EnableHTTPSOnly, [System.Boolean] $EnableHSTS ) if(-not($SecurityConfig)) { throw "Security Config parameter is not provided" } $UpdateSecurityConfigUrl = $ServerURL.TrimEnd("/") + "/arcgis/admin/security/config/update" $props = @{ f= 'json'; token = $Token; httpsProtocols = if($null -eq $SecurityConfig.httpsProtocols) {"TLSv1.2,TLSv1.1,TLSv1"}else{$SecurityConfig.httpsProtocols}; cipherSuites = $SecurityConfig.cipherSuites; Protocol = if($EnableHTTPSOnly){ "HTTPS" }else{ "HTTP_AND_HTTPS" }; authenticationTier = $SecurityConfig.authenticationTier; HSTSEnabled = "$EnableHSTS"; portalProperties = (ConvertTo-Json $SecurityConfig.portalProperties -Compress); allowedAdminAccessIPs= if($null -eq $SecurityConfig.allowedAdminAccessIPs) { "" }else{$SecurityConfig.allowedAdminAccessIPs}; allowDirectAccess= $SecurityConfig.allowDirectAccess ; allowInternetCORSEnabled= $SecurityConfig.allowInternetCORSAccess; virtualDirsSecurityEnabled = $SecurityConfig.virtualDirsSecurityEnabled; } Invoke-ArcGISWebRequest -Url $UpdateSecurityConfigUrl -HttpFormParameters $props -Referer $Referer -TimeOutSec 300 -Verbose } function Get-SecurityConfig { [CmdletBinding()] param( [System.String] $ServerURL, [System.String] $Token, [System.String] $Referer ) $GetSecurityConfigUrl = $ServerURL.TrimEnd("/") + "/arcgis/admin/security/config/" Write-Verbose "Url:- $GetSecurityConfigUrl" Invoke-ArcGISWebRequest -Url $GetSecurityConfigUrl -HttpFormParameters @{ f= 'json'; token = $Token; } -Referer $Referer -HttpMethod 'GET' -TimeOutSec 30 } Export-ModuleMember -Function *-TargetResource |