SSL/TLS Client/OAuth2 Configuration - Testing
I am trying to set up an OAuth2.0 configuration to connect to a server within our network using OAuth2.0. My previous attempt worked; however, I forgot to capture the steps before I had wiped the system, so please bear with me.
I have an SSL/TLS Client configuration set up, as we use that setup for our LDAP configuration.
When I go through the following steps within the Terminal, I am getting the following error...
%SYS>kill ^ISCLOG
%SYS>set scope="openid fhirUser"
%SYS>set jwt = ##class(%SYS.OAuth2.Authorization).GetAccessTokenJWT("EpicFHIRPOC","1fd8f5cc-18ee-4eff-990d-4606037b932e",scope,.properties,.error,123)
%SYS>
%SYS>zwrite error
error=""
%SYS>zwrite jwt
jwt="0 "_$lb($lb(6085,"OSUMC","error:0200100D:system library:fopen:Permission denied, error:20074002:BIO routines:file_ctrl:system lib, error:140DC002:SSL routines:use_certificate_chain_file:system lib",,,,,,,$lb(,"%SYS",$lb("e^Send+313^%Net.HttpRequest.1^1","e^Post+1^%Net.HttpRequest.1^1","e^GetAccessTokenJWT+44^%SYS.OAuth2.Authorization.1^1","e^^^0"))))/* ERROR #6085: Unable to write to socket with SSL/TLS configuration 'OSUMC', error reported 'error:0200100D:system library:fopen:Permission denied, error:20074002:BIO routines:file_ctrl:system lib, error:140DC002:SSL routines:use_certificate_chain_file:system lib' */
When I attempt to test the SSL/TLS configuration against that same FHIR server, which I can access from my desktop, I am seeing...
But that same configuration runs ok when I attempt to connect to the LDAP server.
Is this a problem with my OSUWMC SSL/TLS configuration?
Does my key/cert have the correct permissions?
[root@int-lxiris-vd01 private]# ls -lat int-lxiris-vd01_osumc_edu.key
-rw-rw-rw-+ 1 apache irisusr 3414 Jan 8 11:37 int-lxiris-vd01_osumc_edu.key
[root@int-lxiris-vd01 certs]# ls -lat int-lxiris-vd01_osumc_edu.pem
-rw-rw-rw-+ 1 apache irisusr 6521 Jan 9 10:38 int-lxiris-vd01_osumc_edu.pem
So the SSL test actually succeeded, so the port connection works. But instead of a normal http success code it got server unavailable. Is your target server answering correctly?
My real concern is... "error:0200100D:system library:fopen:Permission denied, error:20074002:BIO routines:file_ctrl:system lib, error:140DC002:SSL routines:use_certificate_chain_file:system lib",,,,,,,$lb(,"%SYS",$lb("e^Send+313^%Net.HttpRequest.1^1","e^Post+1^%Net.HttpRequest.1^1","e^GetAccessTokenJWT+44^%SYS.OAuth2.Authorization.1^1"
Is there an issue with my certs?
Maybe your certificate file needs to include the full certificate chain, from your certificate to the CA.
I am being told the OAuth certificate has no chain behind it; it is a self-signed certificate/key pair. I changed the ownership of the files to irisusr:irisusr, but I am still getting the same error message...
"error reported 'error:0200100D:system library:fopen:Permission denied, error:20074002:BIO routines:file_ctrl:system lib, error:140DC002:SSL routines:use_certificate_chain_file:system lib' *"
I am still thinking it is something wrong with the Cert/Private Key that was provided to me from the Application, am I wrong?
I have a ticket in with WRC to help me figure out this issue, because it is bugging the crap out of me while I am trying to figure it out.
I have updated the Owner, Group, Folder Permissions, and Permission at the file level. REDEBUG is returning..
When I call...
set jwt = ##class(%SYS.OAuth2.Authorization).GetAccessTokenJWT(....)
However, I use the same SSL/TLS configuration that uses /etc/pki/tls/certs/int-lxiris-vd01.pem in my LDAP authentication.
I ran the following to verify the certificate against the CA:
[root@int-lxiris-vd01 certs]# openssl verify -verbose -CAfile /etc/pki/ca-trust/source/anchors/OSUWMC_CA.pem int-lxiris-vd01_osumc_edu.pem
int-lxiris-vd01_osumc_edu.pem: OK
Anyone have an idea on what might be going on? If there was a problem with the Certificate chain inside of /etc/pki/tls/certs/int-lxiris-vd01.pem wouldn't I have issues with LDAP Authentication? I tried deleting my user, and having the LDAP Authentication recreate it, and it did without any issues when I tried to sign in as my user.
@Sean Klingensmith, I know you helped out in the past with a previous WRC ticket and Post. Any Idea on what might be going on?
Still no luck, it was suggested that I make sure the permissions were set correctly at the folder level /etc/, /etc/pki/, /etc/pki/tls/. Each had irisusr as the group but still receiving the Permission Denied error. Does anyone know what could be causing this?
I had to change the Access Control List (setfacl) on each of the files/folders to allow my non-root user access to the files/folders.
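The thread ends on the point that a file can show rw-rw-rw- in ls -l and still produce "fopen: Permission denied" for the IRIS process: the trailing "+" in the listing means a POSIX ACL is in force, so the group column shows the ACL mask rather than the real group entry, and every directory on the way to the file also needs search (x) permission for the process user. The following is an added diagnostic example, not code from the original post or from InterSystems; it walks a path the way fopen() would, evaluating mode bits and, where present, the ACL entries read from the system.posix_acl_access extended attribute (Linux only). The uid 65534 and the temporary key file in demo() are constructed sample values, not the thread's real paths or users.

```python
"""Walk a file path and explain why a given uid/gids can or cannot read it.

Added example, not from the original thread. Evaluates classic mode bits and,
where the file carries a POSIX ACL (the '+' in `ls -l`), the ACL entries stored
in the system.posix_acl_access xattr, following the access check in acl(5).
"""
import os
import stat
import struct
import tempfile
from typing import List, Optional, Tuple

# Linux on-disk ACL xattr encoding: u32 version, then 8-byte (tag, perm, id) entries.
ACL_VERSION = 0x0002
ACL_USER_OBJ, ACL_USER, ACL_GROUP_OBJ, ACL_GROUP, ACL_MASK, ACL_OTHER = 1, 2, 4, 8, 16, 32
R, W, X = 4, 2, 1  # ACL_READ / ACL_WRITE / ACL_EXECUTE bit values


def read_acl(path: str) -> Optional[List[Tuple[int, int, int]]]:
    """Return the (tag, perm, id) ACL entries of path, or None if no ACL is set."""
    try:
        raw = os.getxattr(path, "system.posix_acl_access")
    except OSError:  # ENODATA (no ACL) or ENOTSUP (filesystem without xattrs)
        return None
    if struct.unpack("<I", raw[:4])[0] != ACL_VERSION:
        return None
    return [struct.unpack("<HHI", raw[i:i + 8]) for i in range(4, len(raw), 8)]


def effective_perms(path: str, uid: int, gids) -> int:
    """Permission bits (R/W/X) that uid holding the given gids has on path."""
    st = os.stat(path)
    owner, group, other = (st.st_mode >> 6) & 7, (st.st_mode >> 3) & 7, st.st_mode & 7
    acl = read_acl(path)
    if acl is None:  # plain mode bits: owner, then owning group, then other
        if uid == st.st_uid:
            return owner
        return group if st.st_gid in gids else other
    # With an ACL the group bits of st_mode are the mask, so consult the entries.
    mask = next((p for t, p, _ in acl if t == ACL_MASK), 7)
    if uid == st.st_uid:
        return owner
    for tag, perm, ident in acl:
        if tag == ACL_USER and ident == uid:
            return perm & mask
    granted, matched = 0, False
    for tag, perm, ident in acl:  # union of all matching group-class entries
        if (tag == ACL_GROUP_OBJ and st.st_gid in gids) or (tag == ACL_GROUP and ident in gids):
            matched, granted = True, granted | (perm & mask)
    return granted if matched else other


def diagnose_access(path: str, uid: int, gids) -> List[Tuple[str, bool, str]]:
    """Check search (x) on each directory leading to path and read (r) on the leaf.

    Returns one (component, allowed, explanation) tuple per component and stops at
    the first denial, which is where fopen() fails with EACCES.
    """
    path = os.path.abspath(path)
    components = [os.sep]
    for part in path.split(os.sep)[1:]:
        if part:
            components.append(os.path.join(components[-1], part))
    report = []
    for i, comp in enumerate(components):
        is_leaf = i == len(components) - 1
        needed = R if is_leaf else X
        ok = bool(effective_perms(comp, uid, gids) & needed)
        why = ("read" if is_leaf else "search") + (" granted" if ok else " DENIED")
        if read_acl(comp) is not None:
            why += " (ACL present, mask applies)"
        report.append((comp, ok, why))
        if not ok:
            break
    return report


def world_readable(path: str) -> bool:
    """True if the 'other' class can read the file (a finding for a private key)."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def demo() -> dict:
    """Build a throwaway tree (constructed sample, not the thread's real paths) and
    diagnose it for the owner and for an unrelated uid/gid (65534, a stand-in user)."""
    root = tempfile.mkdtemp()
    private = os.path.join(root, "private")
    os.mkdir(private)
    os.chmod(private, 0o700)  # owner-only search permission on the directory
    key = os.path.join(private, "server.key")
    with open(key, "w") as fh:
        fh.write("-----BEGIN PRIVATE KEY-----\nconstructed placeholder\n-----END PRIVATE KEY-----\n")
    os.chmod(key, 0o666)  # world-readable file, mirroring the rw-rw-rw- in the thread
    my_gids = set(os.getgroups()) | {os.getgid()}
    return {
        "owner": diagnose_access(key, os.getuid(), my_gids),
        "stranger": diagnose_access(key, 65534, {65534}),
        "world_readable": world_readable(key),
    }


if __name__ == "__main__":
    for who, rows in demo().items():
        print(who, rows)
```

Run it with the real path and the IRIS service account (sudo python3 diag.py, then diagnose_access("/etc/pki/tls/private/<key>", uid_of_irisusr, gids_of_irisusr)) and the first DENIED line is the component that needs a setfacl or chmod; the ls -l output alone cannot show this. The world_readable check is the other thing a reviewer would raise against the listing in the thread: a private key with rw-rw-rw- is readable by every local account, so once the ACL grants the service account access, the mode should come back down to 0600 or 0640 with the service group.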