In this article:
- Overview
- Security Configuration Options for SkylineGlobe Server Deployment
- Creating a Self-Signed Certificate using IIS Manager
- Local Server Operation Without SSL Encryption (HTTP)
- Troubleshooting
Overview
TerraExplorer Fusion is a web client that uses WebAssembly technology and, specifically, the SharedArrayBuffer object. This technology enables high-performance applications on web pages, but it requires certain security measures to function properly.
Modern web browsers have implemented security protocols that restrict the execution of WebAssembly pages to those that are hosted on secure sites. For a site to be considered secure, it must serve its pages over HTTPS (Hypertext Transfer Protocol Secure) and possess a valid SSL (Secure Sockets Layer) certificate. HTTPS ensures that the data transfer between the user's browser and the website is encrypted, while the SSL certificate authenticates the website's identity, providing a double layer of security.
Securing a website and its data transmissions typically includes installing an SSL certificate on a load balancer, firewall, or directly in the Internet Information Services (IIS) Manager. This task demands IT expertise and infrastructure, readily manageable by organizations with strong IT capabilities. More about: Managing SGS Security >
For organizations with limited IT resources, an alternative is to use a self-signed certificate in IIS. While this provides some level of security, self-signed certificates lack verification from a trusted third-party certificate authority. Consequently, they might not be appropriate for all scenarios, especially public-facing production environments.
Security Configuration Options for SkylineGlobe Server Deployment (Including TerraExplorer Fusion)
- Trusted Environment with a CA-Issued Certificate: This environment uses a certificate issued by a recognized third party, like a Certificate Authority (CA). A CA-issued certificate verifies the website's identity and ensures its authenticity, providing a high level of trust and security. More about: Managing SGS Security >
- Secured Site with a Self-Signed SSL Certificate: In this setup, the certificate is self-issued, rather than being obtained from a trusted CA. While a self-signed certificate can encrypt data, it lacks the third-party verification essential for full authentication. Web browsers typically display warnings for these sites, indicating a lower level of trust. See below how to create a self-signed certificate.
- Single Computer without a Certificate: This setup is suitable for scenarios where both the server and the client are run on the same machine, typically for internal use such as testing and experimentation. Access to the server and TerraExplorer Fusion in this mode is through http://127.0.0.1/SG and http://127.0.0.1/SG/TEF/TE.html. See more below.
Creating a Self-Signed Certificate using IIS Manager
- Open IIS Manager (Start > type “IIS Manager”).
- In the IIS console, double-click the Server Certificates icon.
- In the action panel, select Create Self-Signed Certificate…
- In the Create Self-Signed Certificate dialog, do the following:
  - Type the certificate name.
  - Select Web Hosting as the Certificate Store.
  - Click OK.
- Select your website and then, from the right-side menu bar, click Bindings…
- In the Site Binding dialog, click Add… and then set:
  - Type = HTTPS
  - SSL Certificate = Select the newly created certificate.
- Click OK and then Close.
- In SkylineGlobe Server Manager, on the Settings page, update the Public URL parameter to the HTTPS address.
- Configure your web.config for HTTPS. This is automatic if the self-signed certificate procedure is done pre-installation. More about: Managing SGS Security >
Local Server Operation Without SSL Encryption (HTTP)
- Use localhost or http://127.0.0.1/SG and http://127.0.0.1/SG/TEF instead of a domain or machine name to access both the server and the client. This is necessary to comply with browser security restrictions when operating without SSL encryption.
- Update the public URL: Change the public URL to http://localhost/SG or http://127.0.0.1/SG. Then publish your projects using this updated URL. Note that this method is only suitable for testing, learning, and development on the same machine. For remote server access or broader operational use, you need to use SSL (HTTPS).
Troubleshooting
- SharedArrayBuffer: The SharedArrayBuffer JavaScript Object, used to share memory across a cluster, requires specific cross-origin tags in the server's response headers. Typically, when IIS is configured with the appropriate web.config as part of a standard SkylineGlobe installation, these headers are automatically added to necessary server responses. However, if your TerraExplorer Fusion is hosted on a server that is not a SkylineGlobe Server, it will lack the necessary tags, leading to the following error: "Uncaught ReferenceError: SharedArrayBuffer is not defined."
  - Solution: Configure your server (e.g., in your IIS Manager or proxy) to ensure these tags are included in your server's responses:
    <add name="Cross-Origin-Embedder-Policy" value="require-corp" />
    <add name="Cross-Origin-Resource-Policy" value="cross-origin" />
    <add name="Cross-Origin-Opener-Policy" value="same-origin" />
- Mixed Content: This issue arises when a webpage loaded over HTTPS includes resources (like images, videos, feature layers, 3D Models, scripts) that are loaded over an insecure HTTP connection. Such a mix can create security vulnerabilities, exposing users to malicious activity such as unauthorized tracking and on-path attacks. Most modern web browsers block such content.
  - Solution: Make sure all resources in the TEF client are loaded from HTTPS servers.
- Failed to Connect to Server: This issue arises when attempting to publish from TerraExplorer Desktop to SGS from a secured site with a self-signed SSL certificate. The following error message is displayed: "Failed to connect to server. Server is unavailable."
  - Solution: Contact Skyline support for assistance.
- Unable to Log in to Server from Firefox: When attempting to log in to the server using the Firefox browser, the process fails, leaving the user stuck on a "Redirecting..." window after clicking the log-in button instead of completing the login process.
  - Solution: The problem stems from Firefox's default settings, which restrict the sharing of cookies between different domains - an essential step for the login process. To fix this, adjust Firefox's cookie settings to allow cross-site tracking cookies. This can be done by accessing the Privacy & Security section within Firefox's Settings. Here, select Custom as the Browser Privacy setting and then select Cross-site tracking cookies from the Cookies dropdown. Then select Reload All Tabs for the changes to take effect.
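For the SharedArrayBuffer item above, the following is an added example (not Skyline code) that checks a page URL and its response headers against the conditions this article describes: HTTPS or a loopback address, plus the three cross-origin header values. The helper name `diagnoseResponse`, the host names `sgs.example.com` and `gis-host`, and the sample responses are constructed for illustration.

```javascript
// Header values listed in this article's SharedArrayBuffer solution.
const REQUIRED_HEADERS = {
  "cross-origin-embedder-policy": "require-corp",
  "cross-origin-resource-policy": "cross-origin",
  "cross-origin-opener-policy": "same-origin",
};
// Hosts the article allows over plain HTTP for single-machine use.
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1"]);

// Returns a list of findings; an empty list means the URL and headers
// match what the article requires. (Hypothetical helper, not a Skyline API.)
function diagnoseResponse(pageUrl, headers) {
  const findings = [];
  const url = new URL(pageUrl);
  if (url.protocol !== "https:" && !LOOPBACK_HOSTS.has(url.hostname)) {
    findings.push(`insecure origin: ${url.origin}`);
  }
  // Header names are case-insensitive, so normalize before comparing.
  const seen = new Map();
  for (const [name, value] of Object.entries(headers)) {
    seen.set(name.toLowerCase(), String(value).trim().toLowerCase());
  }
  for (const [name, expected] of Object.entries(REQUIRED_HEADERS)) {
    const actual = seen.get(name);
    if (actual === undefined) {
      findings.push(`missing header: ${name}`);
    } else if (actual !== expected) {
      findings.push(`${name} is "${actual}", article lists "${expected}"`);
    }
  }
  return findings;
}

// Constructed sample responses (not captured from a real server).
const SAMPLES = [
  { url: "https://sgs.example.com/SG/TEF/TE.html", headers: {
      "Cross-Origin-Embedder-Policy": "require-corp",
      "Cross-Origin-Resource-Policy": "cross-origin",
      "Cross-Origin-Opener-Policy": "same-origin" } },
  // Non-SkylineGlobe host, plain HTTP by machine name, no isolation headers.
  { url: "http://gis-host/TEF/TE.html", headers: { "Content-Type": "text/html" } },
  // Loopback over HTTP is accepted, but one header value differs.
  { url: "http://127.0.0.1/SG/TEF/TE.html", headers: {
      "cross-origin-embedder-policy": "require-corp",
      "cross-origin-resource-policy": "same-site",
      "cross-origin-opener-policy": "same-origin" } },
];
for (const s of SAMPLES) {
  console.log(s.url, diagnoseResponse(s.url, s.headers));
}
```

In a browser console on the loaded page, `self.crossOriginIsolated` reports whether the page ended up cross-origin isolated.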