Written by

Enterprise Application Development Consultant at The Ohio State University Wexner Medical Center
MOD
Question Scott Roth · Oct 6, 2020

Securing your Management Web Portal moving from http:// to https://

I was wondering if there was a certain procedure or documentation on securing (https://) the Web Portal into IRIS/Ensemble?

Currently we are using LDAP Delegated Authentication to access the Web Portal using LDAP. However, as more and more emphasis is put on securing applications within networks, I can see Management/Security asking us to make sure that the web portal is more secure.

Maybe I am not looking at the right place for documentation, but is there a Best Practice guide, set of instructions, or Online learning that can help guide me in trying to make our environment more secure?

  Cache for UNIX (IBM AIX for System Power System-64) 2018.1.3 (Build 414U) Mon Oct 28 2019 11:24:02 EDT [HealthShare Modules:Core:15.032.9026 + Linkage Engine:15.032.9026]

Thanks

Scott Roth

Comments

Dmitry Maslennikov · Oct 6, 2020

There is only one way to do it: use any supported web server, Apache or Nginx, and do not use the built-in Apache. Configure the chosen server to work with InterSystems products. And configure SSL for that server, following any instructions you can find on the internet.

0
Tomohiro Iwamoto  Oct 6, 2020 to Dmitry Maslennikov

Hi,

I posted an article and git repo a while ago that are probably exactly what you are looking for.

Only if you can handle Japanese and Docker....

0
Scott Roth · Feb 8, 2022

With upgrading to 2021.2 and moving to Red Hat servers we decided to pursue securing the management portal. I have read the documentation but I am still confused on how this should work. 

I have installed Apache and a standalone Web Gateway. Does this mean I need to stop the Private Web Gateway that was installed with IRIS? How do I get calls to the Management Portal to go through the standalone Web Gateway? I am having issues trying to connect the parts.

Has anyone installed Apache and the standalone Web Gateway on the same server (Red Hat 8) that IRIS is running on? How did you configure it? 

0
Vic Sun  Feb 8, 2022 to Scott Roth

Hi Scott,

Did you look at Web Servers for UNIX, Linux, and macOS? That page explains how to configure Apache to serve CSP files.

I'm not sure what you mean by calls to the management portal. If you have the standalone Apache / gateway set up appropriately, you can serve the portal through (presumably default) port 80, e.g., go to http://<hostname>:80/csp/sys/UtilHome.csp, rather than attempting to use your private web server port.

Really, the independent Apache is the main piece; you can consider the standalone web gateway to be a module on that Apache web server.

Hope that helps.

0
Jeffrey Drumm  Feb 8, 2022 to Scott Roth

I've installed standalone web servers/gateways on both the same host as IRIS and on separate servers that support multiple standalone IRIS instances. I often use the standalone web host/gateway as the arbiter host for a mirrored server pair. The customer I'm currently working with has all of their PROD and STAGE hosts (mirror pairs and DR servers) accessible through two separate web server/arbiter hosts.

If you're doing this to enhance security, it's not just about installing certificates and turning on TLS for the web server. You also need to make sure the communication between the web gateway module and the IRIS server is encrypted via TLS (primarily when the gateway is on a host separate from the IRIS instance). And if you're doing that, you probably ought to make sure that ODBC/JDBC and Studio connections are also encrypted, you've enabled STARTTLS for LDAP/AD authentication, TLS for mirror synchronization, etc.

0
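A check for the browser-to-web-server leg discussed in this thread, as an added example that is not code from any of the posters or from InterSystems: it requests the portal path quoted above over plain HTTP and performs a verified TLS handshake, then lists what still needs fixing. Ports 80 and 443 and the function names are assumptions; the gateway-to-IRIS, ODBC/JDBC, LDAP and mirror connections are not covered by it.

```python
import http.client
import socket
import ssl
import sys
from urllib.parse import urlsplit

PORTAL_PATH = "/csp/sys/UtilHome.csp"  # portal path quoted in the thread


def probe_http(host, port=80, timeout=5):
    """Request the portal over plain HTTP; (status, Location) or None if unreachable."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", PORTAL_PATH)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


def probe_tls(host, port=443, timeout=5):
    """Handshake with certificate and hostname verification; (version, error)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version(), None
    except OSError as exc:  # ssl.SSLError and certificate errors are OSError subclasses
        return None, str(exc)


def assess(http_result, tls_version, tls_error):
    """Turn the two probe results into a list of findings (empty list = nothing found)."""
    findings = []
    if http_result is not None:
        status, location = http_result
        to_https = urlsplit(location or "").scheme == "https"
        if not (status in (301, 302, 307, 308) and to_https):
            findings.append(f"plain HTTP answers with {status} and no redirect to https://")
    if tls_version is None:
        findings.append(f"TLS handshake failed: {tls_error}")
    elif tls_version not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"legacy protocol negotiated: {tls_version}")
    return findings


if __name__ == "__main__":
    host = sys.argv[1]  # hostname of the standalone web server
    for line in assess(probe_http(host), *probe_tls(host)) or ["no findings"]:
        print(line)
```

A certificate that the host's trust store does not recognise, such as one from an internal CA that has not been installed, shows up as a handshake failure.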