Security certificate considerations

To successfully use PI Integrator for Esri ArcGIS you must acquire a valid security certificate. Ideally, the certificate should be supplied by the Certificate Authority that is managed by your Information Technology (IT) group.

Self-signed security certificates are not recommended for production environments. If a self-signed certificate is used, all computers that access PI Integrator for Esri ArcGIS must have the certificate manually trusted; this includes all computers on which the PI Integrator for Esri ArcGIS user interface is accessed from a browser in addition to all computers on which Esri client applications and software are running.

In short, any map or application that accesses feature layers that are hosted by PI Integrator for Esri ArcGIS, including the GeoEvent Server that polls the integrator for data, must have the self-signed certificate trusted. See Configure certificates.

Trusting PI Integrator for Esri ArcGIS within ArcGIS

When you create a time-enabled feature layer, an associated item is created within ArcGIS (either ArcGIS Online or Portal for ArcGIS). The associated item contains a reference to the URL of the feature layer. If PI Integrator for Esri ArcGIS was accessed using HTTPS (instead of HTTP), then the feature layer that was created is secure.

ArcGIS GeoEvent Server attempts to resolve all feature service and feature layer URLs contained in its configured data stores even if no output is configured to access a feature layer. If any of these URLs are secure, but the GeoEvent Server has not been configured to trust the layer's hosting server, numerous repeating log messages are written to the GeoEvent message log indicating that GeoEvent Server cannot access these layers. The log messages are similar to the following:

An SSL Handshake error has occurred when attempting to communicate with URL: "https://pi_integrator_server.domain.int/api/rest/services/feature_service_name/FeatureServer/0?f=json&token=token". Please make sure you have imported the SSL certificate from "https://pi_integrator_server.domain.int/api/rest/services/feature_service_name/FeatureServer/0?f=json&token=token" into GeoEvent's site via the ArcGIS Server Admin API. Root Cause: "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target".

To prevent flooding the GeoEvent message log, GeoEvent Server should be configured to trust PI Integrator for Esri ArcGIS server if both of the following conditions are met:

• The user that created the time-enabled feature layer followed the recommended approach for creating time-enabled feature layers by using secured URLs (HTTPS).

• The GeoEvent Server has been configured with a data store pointing to an ArcGIS Online or Portal for ArcGIS containing items associated with the secured time-enabled feature layers

GeoEvent Server uses certificates registered in ArcGIS Server. Consult Esri documentation for details about importing trusted certificates into ArcGIS Server: Import the certificate into ArcGIS Server.

Installing certificates on the GeoEvent Server

When you use a secure (HTTPS) connection, ensure that the GeoEvent Server computer trusts the computer on which PI Integrator for Esri ArcGIS is installed.

For current versions of GeoEvent Server, certificate configuration is handled through the ArcGIS Server administration site. See: Configuring HTTPS using an existing ssl certificate for more information.

To install certificates on GeoEvent Extension to use HTTPS polling, see the Esri help page: Connecting to sites with certificates issued by unknown certificate authorities.