Article
· Aug 12, 2020 2m read

Running the Management Portal (Private Web Server) Over TLS/SSL/HTTPS

Updated Jan 19th, 2023.

 

Hi all,

 

I want to share a quick method you can use to enable SSL/TLS with a self-signed certificate on your local development instance of IRIS/HealthShare. This lets you test https-specific features such as OAuth without a huge lift.

 

 

1. Install OpenSSL

Windows     : Download from https://www.openssl.org or another prebuilt OpenSSL binary.

Debian Linux: $ sudo apt-get -y install openssl

RHEL        : $ sudo yum install openssl

 

2. Create a self-signed certificate pair. In your terminal (PowerShell, bash, zsh, etc.):

$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout apache-selfsigned.key -out apache-selfsigned.crt

Note: the command above creates a certificate that is valid for one year (365 days).

3. Edit your private web server configuration to use the new self-signed certificate pair.

In your instance installation directory, edit the PWS config <install-dir>/httpd/conf/httpd-local.conf. Add the following section before the "Include .." directives.

# Port to listen on for secure traffic. The default HTTPS port is 443.
# Update Jan 19th, 2023: no longer required to manually load the ssl_module
# LoadModule ssl_module "modules/mod_ssl.so"
Listen 10443

# Virtual host block defining the certificate and key to use for that port.
# If you define a different port in the Listen directive, change it here as well.
<VirtualHost *:10443>

    # A ServerName is required; if your certificate was issued for a specific
    # server name, make sure it matches here.
    ServerName mysecureinstance

    # Turn on SSL/TLS for this virtual host
    SSLEngine on

    # Key files: replace these with the paths where you generated the pair in step 2.
    SSLCertificateFile "/path/to/apache-selfsigned.crt"
    SSLCertificateKeyFile "/path/to/apache-selfsigned.key"
</VirtualHost>
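As an added example (not part of the original article), the following shell script covers the certificate side of steps 2 and 3: it generates the pair with a subjectAltName (browsers check the SAN rather than the CN alone), then confirms that the key and certificate belong together and that the certificate carries the expected one-year validity before you point httpd-local.conf at the files. The server name mysecureinstance, the file names and the 365-day validity come from the article; the work directory and the helper function names are my own choices, and openssl 1.1.1 or later is assumed for the -addext and -ext options.

```shell
#!/bin/sh
# Added example, not code from the original article.
# Generates a self-signed pair for the private web server and verifies it.
# Assumes openssl >= 1.1.1 on PATH. WORKDIR is a constructed scratch location.

umask 077   # files created here (notably the private key) are owner-only
WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/apache-selfsigned.key"
CRT="$WORKDIR/apache-selfsigned.crt"

# $1 = server name embedded as CN and as DNS SAN; $2 = validity in days.
# Same openssl req invocation as the article, plus -subj/-addext so the
# command runs non-interactively and produces a SAN.
make_selfsigned() {
    name="$1"; days="$2"
    openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
        -subj "/CN=$name" -addext "subjectAltName=DNS:$name" \
        -keyout "$KEY" -out "$CRT" 2>/dev/null
}

# Returns 0 when the public key inside the certificate is the one derived
# from the private key (a mismatched pair makes httpd refuse to start).
key_matches_cert() {
    c=$(openssl x509 -noout -pubkey -in "$CRT" 2>/dev/null) || return 1
    k=$(openssl pkey -pubout -in "$KEY" 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Prints the subject alternative name, e.g. "DNS:mysecureinstance".
cert_san() {
    openssl x509 -noout -ext subjectAltName -in "$CRT" | tail -n 1 | sed 's/^ *//'
}

# Returns 0 when the certificate will still be valid in $1 seconds.
cert_valid_for() {
    openssl x509 -noout -checkend "$1" -in "$CRT" >/dev/null
}

make_selfsigned mysecureinstance 365
key_matches_cert && echo "key and certificate match"
echo "SAN: $(cert_san)"
cert_valid_for 86400 && echo "certificate valid for at least one more day"
echo "files written to $WORKDIR"
```

Point SSLCertificateFile and SSLCertificateKeyFile at the two files the script reports, and keep the key readable only by the account that runs httpd; the umask line makes that the default for everything the script writes.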

 

Here is an example of my config file:

[image not included]

In action:

[image not included]

Note: using the private web server for anything other than server management may run into performance problems and isn't supported for a production configuration. A better option is to configure the Apache httpd or IIS web server with the Web Gateway. You can find instructions for configuring a dedicated web server in our Web Gateway Guide, or contact someone at InterSystems.

 

Discussion (7)

I am not sure! This will secure any traffic hosted by the instance itself on the port added to the config (10443 in the example). It also does not change the way links are generated. If the portal webpage uses relative links, then it could secure those requests, but they ultimately don't connect through the instance so really security is out of our hands there.

This method simply opens an additional port on the included Apache server secured by the self-signed certificate. The non-secure ports will still work so this isn't a viable production strategy.

This is sort of the minimum for just enabling SSL/TLS on Apache. Please see the Apache documentation for further configuration options, including but not limited to selecting cipher suites and configuring client verification:

https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html

Also, please recall that the private web server is provided for convenience and that for production purposes you should install a CSP/Web Gateway into a full web server. Per this documentation, quote:

When installing InterSystems IRIS, this private version of Apache is installed to ensure that:

  1. The Management Portal runs out of the box.
  2. An out-of-the-box testing capability is provided for development environments.

The PWS is not supported for any other purpose.

For deployments of http-based applications, including REST, CSP, Zen, and SOAP over http or https, you should not use the private web server for any application other than the Management Portal; instead, you must install and deploy one of the supported web servers. For information, see the section “Supported Web Servers” in the online InterSystems Supported Platforms document for this release.

end quote.

https://docs.intersystems.com/irislatest/csp/docbook/DocBook.UI.Page.cls...

Just one little addition to this InterSystems Data Platform Best Practice, which saved me a lot of time: 

If you have tried this on a Windows machine with a password-protected private key file (for example, one created with the built-in Public Key Infrastructure of InterSystems products), you probably ran into this error message in the Apache error.log:
SSLPassPhraseDialog builtin is not supported on Win32

That's because, as the message suggests, the SSLPassPhraseDialog directive is not supported on the Windows version of Apache 2.4, and it can't prompt you for your private key password on startup.

The solution is:
a) to make sure that the SSLPassPhraseDialog directive is not explicitly turned on in your httpd.conf file (or additional include files), and
b) to remove the passphrase from your private key file with the following openssl command:
openssl rsa -in privatekey-withpass.key -out privatekey-nopass.key

BTW: you don't necessarily need to install OpenSSL on your own. InterSystems products (at least at the moment) come with an openssl executable in their bin directories. Of course, if you want to make sure that you use the latest and most secure version of the tool, it's better to install it separately.
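As an added example (not part of the comment above), this shell script turns the passphrase-removal step into something you can check: it detects whether a PEM key is passphrase-protected, writes the unencrypted copy with the same openssl rsa command the comment gives, and restricts that copy to its owner, since a key without a passphrase is protected only by file permissions. The encrypted demo key and its passphrase are constructed for the example; the helper names and the scratch directory are my own choices, and openssl on PATH is assumed.

```shell
#!/bin/sh
# Added example, not code from the comment above.
# Detect a passphrase-protected private key and produce a copy that an
# Apache build without SSLPassPhraseDialog support can load at startup.
# Assumes openssl on PATH. WORKDIR, file names and the passphrase are constructed.

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Returns 0 when the PEM file carries an encryption marker:
# "Proc-Type: 4,ENCRYPTED" for legacy PEM, "BEGIN ENCRYPTED PRIVATE KEY" for PKCS#8.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# Writes an unencrypted copy of key $1 to $2 using passphrase $3, then makes
# the plaintext copy owner-read/write only. Returns non-zero on a wrong
# passphrase (openssl fails to decrypt), so callers can detect that case.
strip_passphrase() {
    in="$1"; out="$2"; pw="$3"
    openssl rsa -in "$in" -passin "pass:$pw" -out "$out" 2>/dev/null || return 1
    chmod 600 "$out"
}

# Prints the permission string of a file, e.g. "-rw-------".
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Demo: create a passphrase-protected key (constructed), then convert it.
ENC="$WORKDIR/privatekey-withpass.key"
PLAIN="$WORKDIR/privatekey-nopass.key"
openssl genrsa -aes256 -passout pass:demo-passphrase -out "$ENC" 2048 2>/dev/null

key_is_encrypted "$ENC" && echo "$ENC is passphrase-protected"
strip_passphrase "$ENC" "$PLAIN" demo-passphrase
key_is_encrypted "$PLAIN" || echo "$PLAIN has no passphrase, mode $(file_mode "$PLAIN")"
```

Use the unencrypted copy only in SSLCertificateKeyFile and leave the original, passphrase-protected file where it was; on Windows, apply the equivalent restriction with NTFS permissions so that only the service account running httpd can read the plaintext key.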

I am using a different method which is quite similar to this, and also added the http to https redirect.

In the httpd.conf file, add one line to include the ssl.conf file:

Include conf/ssl.conf

Create a new ssl.conf:

Listen 52443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLCryptoDevice builtin

# Plain-http port of the instance: redirect every request to the TLS port
<VirtualHost *:52773>
    ServerName localhost
    Redirect "/" "https://example.com:52443/"
</VirtualHost>

<VirtualHost _default_:52443>
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn
    SSLEngine on
    # As written, this disables everything except TLSv1.3
    SSLProtocol all -TLSv1 -TLSv1.1 -TLSv1.2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite PROFILE=SYSTEM
    SSLProxyCipherSuite PROFILE=SYSTEM
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
    SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
    <FilesMatch "\.(log|ini|pid|exe|so)$">
        Require all denied
        SSLOptions +StdEnvVars
    </FilesMatch>
    # Legacy MSIE workaround from the stock ssl.conf; the BrowserMatch line
    # is the directive the two continuation lines below belong to
    BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

Restart the database; you will still see the http process listening on the original port.

But when you copy the original URL (http) into the browser, it will redirect to https.