Jun 30 2014

SGeoS Esri ArcGIS 10.2.2 for Server Standard Java – Module 1 of 9

Published by at 1324h under SL In General

Esri ArcGIS 10.2.2 for Server Standard – Java

Build steps for configuration Module-stage-1

  1. Start from completed system Module-stage-0
  2. Create an installation directory for ArcGIS Server
    Name the installation directory with only lowercase letters per the Esri instructions.  Let the installation user own the new directory so that they can perform all necessary actions within.  The example name here was chosen to convey the version, ArcGIS Server 10.2.2

    mkdir /ags1022
    chown ags_install /ags1022
    chgrp ags_install /ags1022
  3. Enable NFS Export for ArcGIS Server Directory
    Make the installation directory for ArcGIS Server available via NFS.  This will permit Windows 7 Enterprise users (or more likely other ArcGIS Server machines) to connect to it.  Append a line to /etc/exports:

    /ags1022  workstationIP(rw,sync,no_root_squash,no_all_squash)

    If you find that the check boxes during install seem not to have included NFS as they should: no worries.  It’s like this:

    sudo yum install 'nfs*' -y

    Then fire up the share:

    service rpcbind start
    chkconfig rpcbind on
    service nfs start
    chkconfig nfs on
  4. Enable SMB for Windows 7 Pro users
    The NFS share is going to be useful among Linux servers, but to develop our services from a Windows desktop, only Windows 7 Enterprise systems have an NFS client built in.  There are open-source NFS clients for Windows, but they are not version-matched with NFS versions most commonly installed on CentOS 6.5.  The main use of NFS is for storage mapping among SGeoS modules on different tiers within a single site, or exchange across SGeoS modules in collaborating environments, such as Dev → Test/QA → Production server transfers.

    For the Dev machine, we’ll want to enable SMB connections so that any necessary Windows 7 workstation can be configured to connect, particularly Windows 7 Professional machines commonly found deployed through City and County of San Francisco and also at home.

    SMB can be a less secure means of sharing storage, because it is designed to be compatible with systems that used old and insecure approaches to publishing storage space.  To make this a clean connection, we’ll configure both iptables as well as mark SELinux to open only the minimum required connection types—but run SELinux in permissive mode to allow SELinux to log but not block actions.

    Because it is more secure than Workgroup shares, SGeoS modules configure SMB to only work with Active Directory.  Samba Workgroup sharing takes place on other ports that can be left closed.

    It’s easy enough to install the system standard SMB server, but important to configure firewall, give some respect for proper SELinux configuration, and configure the actual SMB shares.
    For Active Directory only we can add these to /etc/sysconfig/iptables

    Then install

    yum install samba samba-client samba-common ntp

    Verify the installed version; at CentOS 6.5 we get 3.6.9

    smbd --version

    Label the served directory to let SELinux know it’s OK to share

    semanage fcontext -a -t public_content_rw_t '/ags1022(/.*)?'

    Set the Samba services to start at boot time.

    chkconfig smb on
    chkconfig nmb on

    With an enterprise install, the standard configuration is found at /etc/samba/smb.conf and should have a section like this to enable a share around ArcGIS Server.  In general, deeper shares with restricted users and allowed client IP are strongly preferred for better server security.

       comment = ArcGIS Server 10.2.2 Java
       path = /ags1022
       browseable = yes
       public = no
       writable = yes
       printable = no

    It might be desirable to configure Samba to use Active Directory, and according to documentation at http://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server it is necessary to have precise time within an AD network, including both a running ntpd and ntp-signd daemons.

    service ntpd stop
    ntpdate wwv.nist.gov
    service ntpd start
    chkconfig ntpdate on
  5. Create Esri install and user Linux system accounts
    To create a user account, make it and set its password.
    We need to have a normal user for the ArcGIS Server install, and not install it as root.
    So create a new user and set their password.

    useradd ags_install
    passwd ags_install
    useradd ags_user
    passwd ags_user
  6. Fulfill Esri-specified system configuration Dependencies
    Work through the Esri-specified dependencies listed at http://t.co/f1UoXNrzdr

    yum install Xvfb freetype fontconfig mesa-libGL mesa-libGLU

    Identify the hard and soft limits set in the system for file handles and processes

    ulimit -Hn -Hu
    ulimit -Sn -Su

    It’s likely default limits are too small to run ArcGIS Server properly, so sudo to edit the file /etc/security/limits.conf, adding these four lines to change settings for the ags_install user

  7. Enable default httpd
    While it’s possible to install a pre-release Apache 2.4 from RedHat, the default CentOS 6.5 version is 2.2.13—installing more updated versions of web server and OpenSSL is described a couple of sections below.  The classic Enterprise approach uses the stock install of httpd 2.2.15 on CentOS 6.5

    yum install httpd

    If there’s reason to attach to network (like always), SELinux can be set to allow this

    setsebool -P httpd_can_network_connect on

    Poise for open server, but enable only secure browsing with these lines in
    file /etc/sysconfig/iptables for workstations at 10.1.15.x to access via https://

    service httpd restart

    If it is desired to have the server always start up the web server, set that to happen

    chkconfig httpd on
  8. Install updated httpd
    Option A:
    If there’s a desire for an Apache 2.4 httpd on the server, but not the stomach to build one from source, then make the install this way using a software collection (scl) that can install pre-release postings by Red Hat people.  While not a pure enterprise approach, this technique does offer a minimal-risk method to update important framework elements like httpd.

    curl -s http://repos.fedorapeople.org/repos/jkaluza/httpd24/epel-httpd24.repo > /etc/yum.repos.d/epel-httpd24.repo
    yum install httpd24-httpd

    Then to test it:

    service httpd24-httpd start
       Starting httpd:                                            [  OK  ]
    curl -s http://localhost/ | grep 'Test Page for'
        <title>Test Page for the Apache HTTP Server on Red Hat Enterprise Linux</title>

    Option B:
    For security enthusiasts, configure and build from the latest stable Apache source.
    This makes most sense if one also chose to build the very latest OpenSSL from source, in Module-stage0 > Step 7 > Option B. This approach is normal for banking and payment card industries.

    cd /opt/installs
    wget "http://<some apache mirror site>/<path>/apr-1.5.1.tar.gz"
    tar xvf apr-1.5.1.tar.gz
    cd apr-1.5.1
    ./configure
    sudo make install

    This should place the APR configuration file at /usr/local/apr/bin/apr-1-config

    cd /opt/installs
    wget "http://<some apache mirror site>/<path>/apr-util-1.5.3.tar.gz"
    tar xvf apr-util-1.5.3.tar.gz
    cd apr-util-1.5.3
    ./configure --with-apr=/usr/local/apr/bin/apr-1-config
    sudo make install

    This should place the APR-util library at /usr/local/apr/lib

    And one more dependency was observed for building httpd:

    yum install  pcre  pcre-devel

    Prepare for SSL connections with a self-signed web server certificate

    cd /usr/local
    mkdir pki
    cd pki

    Once there, generate a private key for postgresql

    openssl genrsa -out htca.key 8192

    Generate a Certificate Signing Request

    openssl req -new -key htca.key -text -out htca.csr

    Generate a Self-Signed Key

    openssl x509 -req -days 365 -in htca.csr -signkey htca.key -out htca.crt

    Copy these files to the following locations (DO NOT move them; copy them, then delete)

    cp htca.crt /etc/pki/tls/certs
    cp htca.key /etc/pki/tls/private
    cp htca.csr /etc/pki/tls/private
    chmod 600 /etc/pki/tls/certs/htca.crt /etc/pki/tls/private/htca.*
    rm htca.*

    Then we should be ready to actually build an optimized httpd; the  ./configure  is long on options and requires a patch listed here to work with ssl, which it must do.

    cd /opt/installs
    wget "http://<some apache mirror>/<path>/httpd-2.4.9.tar.bz2"
    tar xvf httpd-2.4.9.tar.bz2
    cd httpd-2.4.9
    export LDFLAGS="-L/usr/local/lib64"
    ./configure  --prefix=/usr/local/httpd \
      --enable-so \
      --enable-pie \
      --with-apr=/usr/local/apr/bin/apr-1-config \
      --enable-ssl \
      --with-ssl=/usr/local/openssl \
      --enable-allowmethods \
      --enable-info \
      --enable-speling \
      --with-mpm=event \
      LDFLAGS=-L/usr/local/lib64
    sudo make install

    Duplicate some of the enterprise httpd service configuration to make it easier to run the new web server

    cp  /etc/sysconfig/httpd  /etc/sysconfig/httpd2
    cp  /etc/init.d/httpd  /etc/init.d/httpd2
    ln -s  /usr/local/httpd/bin/httpd  /usr/sbin/httpd2
    ln -s  /usr/local/httpd/bin/apachectl  /usr/sbin/apachectl2
    mkdir  /usr/lib64/httpd2
    cp -r /usr/local/httpd/modules /usr/lib64/httpd2

    Edit /etc/init.d/httpd2   so that it contains these sort of changes


    Edit /usr/local/httpd/conf/httpd.conf  to redirect all traffic to SSL connections.

    Include conf/extra/httpd-mpm.conf
    <IfModule unixd_module>
        User apache
        Group apache
    </IfModule>
    LoadModule ssl_module modules/mod_ssl.so
    LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
    # Include the SSL configuration once, after mod_ssl has been loaded
    Include conf/extra/httpd-ssl.conf
    # Redirect everything to an ssl connection
    # functional Directory is then specified in extra/httpd-ssl.conf
    <VirtualHost *:80>
        ServerName sg11
        Redirect permanent / https://sg11/
    </VirtualHost>
    <IfModule dir_module>
        DirectoryIndex  index.html
    </IfModule>
    <Files ".ht*">
        Require all denied
    </Files>

    Edit /usr/local/httpd/conf/extra/httpd-ssl.conf  for system content locations and so editors can update content through the SMB share configured at the ArcGIS for Server directory.

    Listen 443
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
    SSLSessionCache        "shmcb:/usr/local/httpd/logs/ssl_scache(512000)"
    <VirtualHost _default_:443>
        ServerName sg11:443
        DocumentRoot "/ags1022/html"
        ServerAdmin your.name@here.net
        ErrorLog "/usr/local/httpd/logs/error_log"
        TransferLog "/usr/local/httpd/logs/access_log"
        <Location />
            SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
        </Location>
        SSLEngine on
        SSLCertificateFile "/etc/your_path_to.crt"
        SSLCertificateKeyFile "/etc/your_path_to_server_private.key"
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory "/usr/local/httpd/cgi-bin">
            SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch "MSIE [2-5]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
    </VirtualHost>

    Back up the site configuration  by making a copy of the modified site configuration files in another location.

    cd /usr/local/httpd
    mkdir /root/httpd_local_conf
    cp -r conf /root/httpd_local_conf
  9. Build latest stable Python from source; development server config
    If there’s reason to build PostGIS support framework components with Python support later, it might help to have built the Python locally, so as to appease the linker later.  Reference Python source is from the python.org site. They’ve chosen to compress their archives with a scheme that requires the XZ compression library.  Since Python appears to have a lot of ties to development libraries, it’s been suggested in more than one place to bulk up on some of these tools for smoother builds.
    These may be removed on a production server; they are needed for development.

    yum groupinstall development
    yum install -y zlib-devel openssl-devel sqlite-devel bzip2-devel \
      ncurses-devel readline-devel tk-devel gdbm-devel db4-devel \
      libpcap-devel xz-libs xz-devel

    One possible build location is /opt/installs, where a TARFILES directory could be made.
    Create the directory if it doesn’t already exist

    mkdir /opt/installs
    cd !$

    Once there, get the compressed source similar to below and decode it

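    # download into the TARFILES directory, then unpack one level up
    mkdir -p /opt/installs/TARFILES
    cd /opt/installs/TARFILES
    wget https://www.python.org/ftp/python/2.7.6/Python-2.7.6.tar.xz
    xz -d Python-2.7.6.tar.xz
    cd ..
    tar xvf TARFILES/Python-2.7.6.tar
    cd Python-2.7.6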

    Prepare to create a shared library by appending the path /usr/local/lib to /etc/ld.so.conf
    so that it at least looks like:

    include ld.so.conf.d/*.conf
    /usr/local/lib

    Then have the linker read the new configuration with


    Configure the Python build for alternate location, unicode-32, and shared library. Make it

    ./configure --prefix=/usr/local --enable-shared --with-threads

    Let’s not clobber the system’s Python install, and make this the alternate Python install
    This should leave only four minor and/or deprecated bits not found.  Good riddance to them.

    Finally install as an alternate Python so as not to impact any ArcGIS for Server defaults.  Be doubly certain to include the “altinstall” if you’re root.

    make altinstall

    Should the make have problems finding libpython2.7.so.1.0, it could be necessary to create a file /etc/ld.so.conf.d/python2.7.conf that lists path /usr/local/python27/lib if that was chosen as the prefix during config.  After changes there, run this to reload the loader’s configurations


    Set up Python build capability by adding Setuptools, then leverage that to install pip and since we’re building the system with Python 2 (and not yet 3), add virtualenv

    mkdir /usr/local/src/Setuptools_py
    cd !$
    wget https://bitbucket.org/pypa/setuptools/raw/bootstrap/ez_setup.py
    python2.7 ez_setup.py
    easy_install-2.7 pip
    pip2.7 install virtualenv
  10. Mount the Esri ISO and Prepare for Installing AGS
    When attaching an ISO image such as Esri installation DVD in the VMware vSphere Client, verify that the ISO has not been mounted in Windows (like to poke around the download) and thus used and locked by Virtual Clone Drive.  If the ISO has been mounted, and one has already tried attaching ISO in vSphere, consider restarting the Windows machine!

    Oddly, when mounting the ESRI Install DVD ISO, it appears necessary to launch (or re-launch) the vSphere Client by right-clicking and explicitly using “Run as Administrator”.
    With a fresh Windows boot (if needed), and vSphere launched as Administrator, it appears necessary to mount the ESRI ISO with explicit file system type into an existing empty directory such as /cdrom

    The finesse here seems to be that the login as root and mounting of device can take place in the vSphere console window, then launch a nice large PuTTY ssh window, log in as ags_install, with home directory in /ags1022, to complete the installation.

    As root in the console window, after attaching the local ISO, mount the image

    mount -t iso9660 /dev/cdrom /cdrom

    Then in the PuTTY window have ags_install verify the mount by looking at all mounted devices; noting the presence of read-only storage at /cdrom



    In the PuTTY window, cd into the mounted ISO to see the Setup script.

  11. Install ArcGIS for Server
    Why bother installing a GUI just to run the ArcGIS Server install scripts?  Following the instructions at Esri Resources, the command line interface (CLI) install procedure is most readily described as “Installing ArcGIS for Server silently”.  Then, in the cdrom install directory, this wickedly terse statement completely installs all of ArcGIS for Server 10.2.2 into /ags1022

    su - ags_install
    cd /cdrom/ArcGISServer
    ./Setup -m silent -l Yes /a <path-to-.prvc> /d /ags1022

    Fire off the script in silent mode. That’s it. Really.
    If need be, it may be necessary to use the SMB share to copy over the Esri provisioning file to /ags1022, then run the authorizeSoftware script against the .prvc

    /ags1022/arcgis/server/tools/authorizeSoftware -f \

    Then start the post-installation configuration process.
    If server name resolves and ports are open, it’s time to point a browser  at a destination like this and Create New Site



  12. Complete ArcGIS for Server Post-Installation Steps
    This begins with defining an ArcGIS for Server site administrator (not an OS account).
    It’s wise to consider saving this password now in a runbook for the server.
    Consider keeping the working directories up a bit higher than default location
    Click Finish, and that’s all that it took.  Seriously easier than it was, once upon a time.
  13. Go Forth and Create Map Services
    Log in, go forth and make many Map and Image services!
    The new AGS Server Manager console looks more like ArcGIS Online these days:
  14. Secure AGS Manager connections for https-only access
    This will either generate a new cert or provide an opportunity to install an established one.
    Visit not the Manager site, but the Admin one.  At first, ArcGIS for Server will be reached by



    Go to machines

    In the named machine, Resources: click sslcertificates near the bottom

    To create a new self-signed cert, click generate

    Consider using an Alternative name that is the server’s IP address, to help users who may not have the server name properly resolved in DNS.  That way, only https need be accepted.
    The Subject Alternative Name must be formatted in the style  IP:10.x.x.x

    When the certificate is available, move back up to …/arcgis/admin/machines and go to machine name, and click on Supported Operations:  edit

    Enter the name of the cert that you want to use in Web server SSL Certificate field,
    then click Save Edits.

    After it completes, verify that the chosen cert is displayed.

  15. Enable https-only access for Admin connections to ArcGIS Server
    Starting from  http://<server>:6080/arcgis/admin/security/config
    click on  update then modify the Protocol parameter.  If you haven’t yet verified that the certificate was working and you were able to connect via https:, select the HTTP and HTTPS choice.
    If secure admin connections are working and you were able to connect through
    https://<server>:6443/arcgis/admin/security/config   then it’s OK to select the HTTPS Only choice.
    That’s where you want to end up, but don’t lock yourself out while doing it, so try the two-step approach until verified.  When done, click the Update button.
    After that, only secured connections to the server will be enabled, at :6443, e.g.

  16. Make Publisher or Administrative connection from ArcCatalog
    In the Catalog tree view, GIS Servers > Add ArcGIS Server > Administer GIS Server, use Server URL in form of

    with Authentication as used in the admin pages above.
    If you’ve used your own self-signed cert, just click through the warning and connect away.
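
A quick audit of the two shares built in steps 3 and 4, as an added example (not part of the original build notes or of any Esri tooling). It flags NFS exports that keep no_root_squash, which lets root on the client act as root on the exported files, or that accept any host, and Samba shares that lack the restricted users and allowed client IP limits step 4 prefers. The function names and the share name [ags1022] in the sample are assumptions.

```shell
#!/bin/sh
# Added example: audit the NFS export (step 3) and the Samba share (step 4).

# One finding per export that keeps remote root as root (no_root_squash)
# or that is not limited to a named client.
audit_exports() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
        NF == 1 { print $1 ": exported to any host" }
        {
            for (i = 2; i <= NF; i++) {
                client = $i; sub(/\(.*/, "", client)
                if ($i ~ /no_root_squash/) print $1 ": no_root_squash for " client
                if (client == "" || client == "*") print $1 ": exported to any host"
            }
        }' "$1"
}

# One finding per share with no "valid users" or "hosts allow" limit
# (a [global] "hosts allow" covers every share) or with guest access on.
audit_smb_shares() {
    awk '
        function report() {
            if (share == "global") { ghosts = hosts; return }
            if (share == "") return
            if (!users)            print "[" share "]: no valid users"
            if (!hosts && !ghosts) print "[" share "]: no hosts allow"
            if (guest)             print "[" share "]: guest access"
        }
        /^[ \t]*[#;]/ { next }               # skip comments
        /^[ \t]*\[/ {                        # new section: close the previous one
            report()
            share = tolower($0); gsub(/^[ \t]*\[|\].*$/, "", share)
            users = hosts = guest = 0
            next
        }
        {
            split($0, kv, "=")
            key = tolower(kv[1]); gsub(/[ \t]/, "", key)   # names ignore case and spaces
            val = tolower(kv[2]); gsub(/[ \t]/, "", val)
            if (key == "validusers" && val != "") users = 1
            if ((key == "hostsallow" || key == "allowhosts") && val != "") hosts = 1
            if ((key == "guestok" || key == "public") && val ~ /^(yes|true|1)$/) guest = 1
        }
        END { report() }' "$1"
}

# Constructed sample input built from the settings on this page; the share
# name [ags1022] is an assumption (the page shows no section header).
tmp=$(mktemp -d)
printf '%s\n' '/ags1022  workstationIP(rw,sync,no_root_squash,no_all_squash)' > "$tmp/exports"
printf '%s\n' '[ags1022]' '   path = /ags1022' '   public = no' '   writable = yes' > "$tmp/smb.conf"
audit_exports "$tmp/exports"
audit_smb_shares "$tmp/smb.conf"
rm -rf "$tmp"
```

On the real server, run `audit_exports /etc/exports` and `audit_smb_shares /etc/samba/smb.conf`; a share that sets `valid users = ags_user` and `hosts allow = 10.1.15.` produces no findings.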
