Quick way to check if an SSL/TLS configuration name is valid?
Is there a quick way to see if an SSL/TLS configuration name is valid, short of switching over to %SYS and checking Security.SSLConfigs:Exists?
Comments
Hi Tim
write $d(^|"%SYS"|SYS("Security","SSLConfigsD",<my config> ),settings)
provided you have access rights
Cheers, Robert
Hi Robert,
Access rights are part of my concern. You can connect using an SSL/TLS configuration without having read permission on %DB_CACHESYS (or the IRIS equivalent).
OK Vitaly !
It happens under the covers (from: ^%SYS.SECURITY1.int)
i '($e($roles,1,$l("%All"))="%All") { n $ET,$roles s $ET="",$roles=$roles_","_"%All"}
n $namespace
Do $zu(5,"%SYS")
In this case, you may create a Privileged Routine Application with the rights you need and the required code; calling it raises the access rights just for that routine.
Hi Robert.
Exactly.
Programmatically Managing Roles:
This command can only be invoked either from a routine that is part of the CACHESYS database or if the current privileges held include Write permission for the CACHESYS database (%DB_CACHESYS:W). Note that setting $ROLES only alters a process's added roles, not its login roles.
There is a third way, but I specifically did not publish it.
You can try to write to a TCP device with SSL. Doesn't require additional permissions:

ClassMethod Exists(ssl As %String) As %Boolean
{
    #dim exists As %Boolean = $$$YES
    set host = "google.com"
    set port = 443
    set timeout = 1
    set io = $io
    // random device number so concurrent callers don't collide on the same |TCP| device
    set device = "|TCP|" _ ##class(%PopulateUtils).Integer(5000, 10000)
    try {
        // OPEN with /SSL=<config name> throws when the configuration does not exist;
        // a timed-out OPEN leaves the device closed, so the USE below throws instead
        open device:(host:port:/SSL=ssl):timeout
        use device
        // real check
        write "GET /" _ $c(10),*-3
        // real check - end
        // should be HTTP/1.0 200 OK but we don't really care
        //read response:timeout
        //write response
    } catch ex {
        set exists = $$$NO
    }
    use io
    close device
    quit exists
}

It's slower than a direct global check, but if you want to do it rarely, I think it could be okay. Doesn't require additional permissions.
Code to compare times:

/// Direct global read: $data returns 0, 1, 10 or 11, and #10 keeps only the low digit (node has a value)
ClassMethod ExistGlobal(ssl) [ CodeMode = expression ]
{
$d(^|"%SYS"|SYS("Security","SSLConfigsD",ssl))#10
}

/// do ##class().Compare()
ClassMethod Compare(count = 1, ssl = "GitHub")
{
    write "Iterations: ", count,!
    write "Config exists: ", ..Exists(ssl),!
    set start = $zh
    for i=1:1:count {
        set exists = ..Exists(ssl)
    }
    set end = $zh
    set time = end - start
    write "Device check: ", time,!
    set start = $zh
    for i=1:1:count {
        set exists = ..ExistGlobal(ssl)
    }
    set end = $zh
    set time2 = end - start
    write "Global check: ", time2,!
}

Results:
Iterations: 1
Config exists: 1
Device check: .054983
Global check: .000032
Iterations: 1
Config exists: 0
Device check: .017351
Global check: .00001
Iterations: 50
Config exists: 1
Device check: 2.804497
Global check: .000097
Iterations: 50
Config exists: 0
Device check: .906424
Global check: .000078

Below are two ways without additional permissions on %DB_CACHESYS:

#include %systemInclude
    n
    try {
        s sslName = "Test"
        w "1) GetSSLConfigList^%SYS.SECURITY1(.SSLConfigs)",!!
        w $$Test1(sslName)
        w !!,"2) $$ListSSLConfigs^%SYS.SECURITY(Client/Server)",!!
        w $$Test2(sslName)
    } catch (ex) {
        w "Error ", ex.DisplayString(),!
    }
    // stop here so execution does not fall through into the procedures below
    q
Test1(ssl) {
    // fills SSLConfigs with the count and SSLConfigs(i) with each configuration name
    d GetSSLConfigList^%SYS.SECURITY1(.SSLConfigs)
    f i=1:1:SSLConfigs return:SSLConfigs(i)=ssl $$$YES
    q $$$NO
}
Test2(ssl) {
    // both calls return comma-separated name lists; join them and look the name up as a $list
    q ''$lf($lfs($$ListSSLConfigs^%SYS.SECURITY("Client")_","_$$ListSSLConfigs^%SYS.SECURITY("Server")),ssl)
}
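The thread's concern throughout is that a privilege problem looks the same as a missing configuration. As an added example that is not code from any poster here, the following takes the privileged route the question itself names (Security.SSLConfigs:Exists in %SYS) but tests the caller's read permission on the system database first, so "not permitted" surfaces as an error instead of a misleading 0. The class name Demo.SSLCheck and the method names are assumptions made for illustration; %DB_CACHESYS is the Caché resource and %DB_IRISSYS the IRIS one, and both are checked so the code runs on either.

```objectscript
/// Added example for this thread (not from the original posts).
/// Class and method names are hypothetical.
Class Demo.SSLCheck
{

/// Returns 1 if the SSL/TLS configuration exists and 0 if it does not.
/// Throws when the caller cannot read the system database at all, so a
/// missing privilege is never reported as a missing configuration.
ClassMethod ConfigExists(name As %String) As %Boolean
{
    // Refuse empty names up front; Exists() would just answer "no".
    if ($get(name) = "") {
        throw ##class(%Exception.StatusException).CreateFromStatus(
            $$$ERROR($$$GeneralError, "Empty SSL/TLS configuration name"))
    }

    // Exists() reads the configuration globals, which needs READ on the system
    // database. Checking an unknown resource name returns 0 (assumption), so
    // testing both the Caché and the IRIS resource is harmless.
    set canRead = $system.Security.Check("%DB_CACHESYS", "READ")
               || $system.Security.Check("%DB_IRISSYS", "READ")
    if ('canRead) {
        throw ##class(%Exception.StatusException).CreateFromStatus(
            $$$ERROR($$$GeneralError,
                "Cannot validate SSL config '" _ name _ "': READ on %DB_CACHESYS/%DB_IRISSYS required"))
    }

    // NEW $namespace restores the caller's namespace on exit, even on error.
    new $namespace
    set $namespace = "%SYS"
    set sc = $$$OK
    // Exists() returns 0 and an error status for an unknown name; only the boolean matters here.
    quit ##class(Security.SSLConfigs).Exists(name, , .sc)
}

/// Demonstration: checks the given name and a constructed name that cannot exist.
ClassMethod Demo(name As %String = "GitHub") As %Status
{
    try {
        write "exists(", name, ") = ", ..ConfigExists(name), !
        write "exists(no-such-config) = ", ..ConfigExists("no-such-config-" _ $job), !
    } catch ex {
        // Reaching this branch means the check could not run, which is
        // a different outcome from a configuration that is absent.
        write "Check not possible: ", ex.DisplayString(), !
        return ex.AsStatus()
    }
    return $$$OK
}

}
```

Run it with `do ##class(Demo.SSLCheck).Demo("GitHub")` from any namespace. A user without read access to the system database gets the "Check not possible" line rather than a false "0", which is the distinction the earlier answers work around with the TCP probe and the %SYS.SECURITY routines.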