SSL/TLS Client/OAuth2 Configuration - Testing

Question

Question

Scott Roth · Apr 22, 2024

#Red Hat Enterprise Linux (RHEL) #SSL #System Administration #Health Connect #InterSystems IRIS #InterSystems IRIS for Health

I am trying to setup a OAuth2.0 configuration to connect to a server within our Network using OAuth2.0. My previous attempt worked, however forgot to capture the steps before I had whipped the System so please bear with me.

I have an SSL/TLS Client configuration setup as we use the setup for our LDAP configuration.

When I go through the following steps within the Terminal, I am getting the following error...

%SYS>kill ^ISCLOG
%SYS>set scope="openid fhirUser"
%SYS>set jwt = ##class(%SYS.OAuth2.Authorization).GetAccessTokenJWT("EpicFHIRPOC","1fd8f5cc-18ee-4eff-990d-4606037b932e",scope,.properties,.error,123)

%SYS>

%SYS>zwrite error
error=""
%SYS>zwrite jwt
jwt="0 "_$lb($lb(6085,"OSUMC","error:0200100D:system library:fopen:Permission denied, error:20074002:BIO routines:file_ctrl:system lib, error:140DC002:SSL routines:use_certificate_chain_file:system lib",,,,,,,$lb(,"%SYS",$lb("e^Send+313^%Net.HttpRequest.1^1","e^Post+1^%Net.HttpRequest.1^1","e^GetAccessTokenJWT+44^%SYS.OAuth2.Authorization.1^1","e^^^0"))))/* ERROR #6085: Unable to write to socket with SSL/TLS configuration 'OSUMC', error reported 'error:0200100D:system library:fopen:Permission denied, error:20074002:BIO routines:file_ctrl:system lib, error:140DC002:SSL routines:use_certificate_chain_file:system lib' */ObjectScript
ObjectScript

When I attempt to Test the SSL/TLS configuration to that same FHIR server, that I can access from my desktop I am seeing...

But that same configuration runs ok when I attempt to connect to the LDAP server.

Is this a problem with my OSUWMC SSL/TLS configuration?

Does my key/cert have the correct permissions??

[root@int-lxiris-vd01 private]# ls -lat int-lxiris-vd01_osumc_edu.key
-rw-rw-rw-+ 1 apache irisusr 3414 Jan  8 11:37 int-lxiris-vd01_osumc_edu.keyBash
Bash


[root@int-lxiris-vd01 certs]# ls -lat int-lxiris-vd01_osumc_edu.pem
-rw-rw-rw-+ 1 apache irisusr 6521 Jan  9 10:38 int-lxiris-vd01_osumc_edu.pemBash
Bash

$ZV: IRIS for UNIX (Red Hat Enterprise Linux 8 for x86-64) 2024.1 (Build 264_1U) Thu Apr 4 2024 14:54:11 EDT

Discussion (7)2

Log in or sign up to continue

Scott Roth · May 6, 2024

I had to change the Access Control Rule (setfacl) on each of the files/folders to allow my non-root user access to the files/folders, using setfacl.

0 0

score 0 · Answer 1 · 2024-04-22T19:30:49-04:00

So the SSL test actually succeeded, so the port connection works. But instead of a normal http success code it got server unavailable. Is your target server answering correctly?

score 0 · Answer 2 · 2024-04-23T07:46:11-04:00

My real concern is... "error:0200100D:system library:fopen:Permission denied, error:20074002:BIO routines:file_ctrl:system lib, error:140DC002:SSL routines:use_certificate_chain_file:system lib",,,,,,,$lb(,"%SYS",$lb("e^Send+313^%Net.HttpRequest.1^1","e^Post+1^%Net.HttpRequest.1^1","e^GetAccessTokenJWT+44^%SYS.OAuth2.Authorization.1^1"

is there an issue with my Certs?

score 0 · Answer 3 · 2024-04-23T08:15:22-04:00

Enrico Parisi Apr 23, 2024 to Scott Roth

Maybe your certificate file needs to include the full certificate chain, from your certificate to the CA.

0 0

score 0 · Answer 4 · 2024-04-23T09:21:48-04:00

I am being told the OAuth certificate has no chain behind it. it is a Self Signed Certificate/Key Pair. I changed the ownership of the files to irisusr:irisusr but I am still getting the same error message...

"error reported 'error:0200100D:system library:fopen:Permission denied, error:20074002:BIO routines:file_ctrl:system lib, error:140DC002:SSL routines:use_certificate_chain_file:system lib' *"

I am still thinking it is something wrong with the Cert/Private Key that was provided to me from the Application, am I wrong?

score 0 · Answer 5 · 2024-04-26T13:46:20-04:00

I have a ticket in with WRC to help me figure out this issue because it is bugging the crap out of me I am trying to figure it out.

I have updated the Owner, Group, Folder Permissions, and Permission at the file level. REDEBUG is returning..

TLS enabled versions, minimum: 16, maximum: 32
04/24/24-16:18:26:573 (2675888) 0 [Generic.Event] 

Cipher list for TLSv1.2 and below: ALL:!aNULL:!eNULL:!EXP:!SSLv2
04/24/24-16:18:26:573 (2675888) 0 [Generic.Event] 

Ciphersuites for TLSv1.3: TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
04/24/24-16:18:26:573 (2675888) 0 [Generic.Event] 

Certificate file: /etc/pki/tls/certs/int-lxiris-vd01.pem
04/24/24-16:18:26:573 (2675888) 0 [Generic.Event] 

error:0200100D:system library:fopen:Permission denied
04/24/24-16:18:26:573 (2675888) 0 [Generic.Event] 

error:20074002:BIO routines:file_ctrl:system lib
04/24/24-16:18:26:573 (2675888) 0 [Generic.Event] 

error:140DC002:SSL routines:use_certificate_chain_file:system lib
04/24/24-16:18:26:573 (2675888) 0 [Generic.Event]

When I call...

set jwt = ##class(%SYS.OAuth2.Authorization).GetAccessTokenJWT(....) ObjectScript
ObjectScript

However, I use the same SSL/TLS configuration that uses /etc/pki/tls/certs/int-lxiris-vd01.pem in my LDAP authentication.

I ran the following to verify the Certificate against the CA Authority

[root@int-lxiris-vd01 certs]# openssl verify -verbose -CAfile /etc/pki/ca-trust/source/anchors/OSUWMC_CA.pem  int-lxiris-vd01_osumc_edu.pem                                              int-lxiris-vd01_osumc_edu.pem: OKBash
Bash

Anyone have an idea on what might be going on? If there was a problem with the Certificate chain inside of /etc/pki/tls/certs/int-lxiris-vd01.pem wouldn't I have issues with LDAP Authentication? I tried deleting my user, and having the LDAP Authentication recreate it, and it did without any issues when I tried to sign in as my user.

@Sean Klingensmith, I know you helped out in the past with a previous WRC ticket and Post. Any Idea on what might be going on?

score 0 · Answer 6 · 2024-05-06T13:46:05-04:00

Still no luck, it was suggested that I make sure the permissions were set correctly at the folder level /etc/, /etc/pki/, /etc/pki/tls/. Each had irisusr as the group but still receiving the Permission Denied error. Does anyone know what could be causing this?