ArcGIS Online Security Changes – Is Your Organisation Prepared?

Earlier last month Esri published a blog post titled Prepare for Next Major ArcGIS Online Security Advancement Now. I have to admit when I first read it; I didn’t pause for long – thinking it was related to another recent web-security related change by Esri – the switch to TLS 1.2

If your eyes are glazing over already, hang in there. There was more to this post than I first thought, and it’s something you should be thinking about now if you’re administering an ArcGIS Online organisation that has been in place for some time. To be specific, if you created your ArcGIS Online site before September 2018, then you should read on.

What’s going to happen in 2020 is that ArcGIS Online will no longer work with external references to resources that use HTTP in the referring URL. Only HTTPS references will be supported. This is the way the web is moving and Esri is simply following best practice.

If you created your ArcGIS Online organisational after September 2018, then you will have been subject to this restriction from the get-go and won’t have a problem (it has been the default position since that time). If the organisational site is older than that, then there’s a chance you could have these less secure references to resources lurking in your web maps, web scenes and other items. If you do nothing, a bunch of things may stop working at some point in 2020, and you’ll be scurrying to try and fix them in a hurry.

For any of you utilising Story Maps you may have already encountered this. In 2018 the Story Map team implemented HTTPS only compliant web apps. This meant not only did the story map have to be secured with HTTPS but also any referenced site in a story map  also had to be secured in the same fashion. In 2020 ArcGIS Online in its entirety will follow suite. Details on that earlier Story Map change here.

How would you know you’ve got a problem to solve? Esri has created a tool called the ArcGIS Online Security Advisor that will scan all the items in your organisation, looking for the issue. You’ll need to be logged in as an administrator of the organisation to do this. The HTTP Check component of that tool is in Beta right now with new capabilities being added regularly.

It can’t directly fix the issues because a simple replacement of HTTP with HTTPS in the reference may not work  if the target server doesn’t support HTTPS. However, it will give you the feedback you need to go triage each of the problems it flags.

A typical scenario that could impact many users is where a GIS service is coming from an older version of ArcGIS Server and added as an item to an ArcGIS Online organisation. That older ArcGIS Server version would have allowed the specification of just HTTP, or both HTTP and HTTPS when exposing services.

Here’s an example. Way back, I created a web map in my ArcGIS Online organisation that refers to the Australian Coastal Sediment Compartments web service from GeoScience Australia.  The link here is for the HTTPS version (since this is all about best practice), but when I created that map, I used the HTTP version. Both forms are currently supported by the GeoScience Australia GIS Server.

The map displays the GA map service on top of the Esri Oceans basemap and works fine. Come 2020; this won’t be the case. If I use the beta HTTP Check tool in the ArcGIS Online Security Advisor, it picks up two problems with the web map.

 
In scanning the web map item, it detected that I have the URL of the GA web service in the Description. While that won’t break the map when HTTP is no longer supported, it still needs attention given the resource it refers to will change.

The second pickup by the tool was the actual URL to the GA service in the JSON data describing the web map.

Equally, if you’ve created items in your portal that refer to resources coming from external sources  – say a web service from an external agency that you collaborate with, then you may come up against the same issue if they’re using HTTP.

When you interact with a web site that doesn’t use HTTPS to encrypt traffic these days, you get to know it. It’s no longer just a small broken padlock icon – mainstream browsers are now calling it out and telling you that the site is not secure. That’s a good thing, and Esri is just doing its part to ensure web security best practices are adhered to.

Read the original blog post here and use the ArcGIS Online Security Advisor tool to determine whether you need to take any action.

Important Security Updates to the ArcGIS Platform

January, 2019

Esri have recently announced upcoming improvements to ArcGIS Online in order to maintain the highest industry standards for data integrity and network security. Starting on 16 April 2019, ArcGIS Online will only accept TLS 1.2 connections for ArcGIS Online services. Some software, like ArcGIS Pro, are already TLS 1.2 enabled. Other Esri software, such as ArcGIS Desktop, uses TLS 1.0—this software requires a patch or configuration change to support TLS 1.2 connections. Esri is releasing patches and instructions to update existing software to support these connections.

What is TLS?
TLS or  “Transport Layer Security” is a widely deployed network security protocol. It provides privacy and data integrity between communicating applications over a network. You use TLS whenever accessing ArcGIS Online services, such as basemaps, geoprocessing services, and the Living Atlas, from ArcGIS Desktop, ArcGIS Enterprise, and other applications.

Continue reading →

Creating 3D Story Maps using data from Esri CityEngine.

In the last couple of years Story Maps have become quite popular with ArcGIS Desktop / Online users. They provide a quick and efficient way to deliver important information or a message in a form of an easily-configurable web application that uses geographic data and can be enriched by adding various types of media content. There are thousands of story maps that you can access through ArcGIS online and it’s very easy to create your own.

One of my areas of expertise is 3D GIS and from time to time people ask me whether it’s possible to display 3D information in a Story Map. Well, the answer is yes. This functionality has been available for more than a year and I believe it’s time to write a blog about the workflow that will make your story maps 3D –enabled.

In this blog I will demonstrate how to use CityEngine 3D scenes to publish your 3D data to ArcGIS Online and create an interactive Story Map that uses 3D web scenes.

For the purpose of this demo, I used one of the CityEngine Examples provided by Esri Inc. on their CityEngine Gallery web page, available here:>>

Continue reading →

Cutting-edge cartography

During my Directions LIVE presentation, I wanted to highlight some of the new and interesting functionality in both ArcGIS Pro and ArcGIS Online, specifically around the areas of cartography and map design. Continue reading →

Using Fiddler to Troubleshoot ArcConundrums

My work in our Technical Support team here at Esri Australia has exposed me to a variety of web traffic related incidents. You can find many useful resources to track and disseminate this web traffic online, but I have found one (free) program to be more useful and intuitive than the rest – Fiddler. Fiddler is a fantastic tool that provides information on any web interaction within your ArcGIS Enterprise system, web mapping and mobile applications. This can empower you with a better understanding of your problem, deployment or user workflows.This post will not explore the ins and outs of Fiddler, as this has been well documented by a large and involved community (including Esri), but I would like to introduce you to an easy and tangible way you can look ‘under the hood‘ of web GIS.

Continue reading →

A Brief Look at the Query and Search Widget for Web AppBuilder

While delivering Arc 2: Essential Workflows, I was enthusiastically describing the wonders and practical uses of the search widget in the Web App Builder for ArcGIS Online or Portal and the capability it has to search content within your feature layers. When asking my students, “which widget should I use?” Some referred to the functionality of the query widget which I had previously demonstrated, while others preferred the power of a search widget. Hopefully by the end of this post you will be well placed to make an informed decision as to whether you should use and configure a query or search widget for your web apps in ArcGIS Online or Portal.

Continue reading →

Updating ArcGIS Pro with a checked out license

So there has been a new release of ArcGIS Pro and you want to update to the latest version so you can begin using all the new tools and tricks. However, when you access the licensing window within ArcGIS Pro you are met with a similar sight to the below.

Continue reading →