Configuring a remote CSP Gateway for serving with SSL/TLS/HTTPS

Hello everyone

I have a server configuration in a CSP Gateway installed on a PC (let's call it S2) different from the main one (let's call it S1). This configuration allows me to access a web application that is installed on S1, from a client C asking S2 for this webapp. But for now it works only in HTTP between C and S2, and we would like to use HTTPS (as it already works between S2 and S1).

First, here are the tutorials found in the doc:

https://docs.intersystems.com/latest/csp/docbook/DocBook.UI.Page.cls?KEY...

https://docs.intersystems.com/latest/csp/docbook/DocBook.UI.Page.cls?KEY...

https://docs.intersystems.com/latest/csp/docbook/DocBook.UI.Page.cls?KEY...

I have tried in many ways using certificates that I got from a colleague, but I always get an ERR_SSL_PROTOCOL_ERROR or an "unavailable web page/server" error. Could you please take a look at what I've done and tell me if you see anything weird or wrong? The tutorials in the doc led me to try:

- Configuring S2's CSP gateway server access (I notice that I can access the webapp in HTTP from S2 only if the connection security level is set to "none" (not SSL) in this screen)

- Changing CGI environment variables in the related webapp config

- Creating SSL/TLS configurations in S1's Healthshare portal (also tried with a %SuperServer... but where and how could I use them? I haven't found it)

- Looking into S2's IIS installed certificates... but it seems not linked to S2's CSP Gateway, as the HTTP webapp does not go down when I stop the default web site in IIS

- Configuring the file SSLdefs.ini following this tutorial: https://community.intersystems.com/post/configuring-cach%C3%A9-client-ap... (...but once more it does not seem to have any effect on the webapp)

So what should I try next?

Have a nice day!

Mathieu

Answers

There are two different connections here - one from the browser to the webserver, and one from the CSP gateway to Cache. Either or both can use SSL and they are configured separately.

You said you want HTTPS. This would be used on the connection between the browser and the webserver. It does not involve Cache or the CSP gateway at all. It is configured entirely in the web server configuration. For example, if you are using Apache, it is configured in the httpd.conf and related Apache conf files.

The settings you've shown above are for the CSP gateway to Cache connection. If the gateway and Cache are on separate machines, you may also want to configure SSL for this connection. The gateway will be connecting to the SuperServer on Cache, so you will want to follow the instructions for configuring SuperServer SSL if you want to get this part working. The instructions for that are here:

https://docs.intersystems.com/latest/csp/docbook/DocBook.UI.Page.cls?KEY...

Hello Katherine, thank you for your answer.

I have configured Apache on my server S2, and it seems to work as expected now, after having added these lines to httpd.conf:

LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost *:443>
    ServerName myhost.mydomain.be
    SSLEngine on
    SSLCertificateFile "D:/pathToMy/certificate.cer"
    SSLCertificateKeyFile "D:/pathToMy/certificate.key"
    SSLVerifyClient optional
    SSLVerifyDepth 1
    SSLCACertificateFile "D:/pathToMy/certificateCA.crt"
</VirtualHost>

Best regards :-)
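A static check for the browser-to-web-server half of this setup, the part the answer above says is configured entirely in the web server. This is an added example, not code from the thread: `parse_httpd` and `check_tls` are hypothetical helper names, and the second sample config is constructed to show a port 443 virtual host that would answer a TLS handshake with plain HTTP.

```python
import re

def parse_httpd(text):
    """Return (loaded module names, list of <VirtualHost> dicts)."""
    modules, vhosts, cur = set(), [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<VirtualHost\s+(\S+?)>", line, re.I)
        if m:
            cur = {"addr": m.group(1), "dirs": {}}
        elif line.lower() == "</virtualhost>":
            vhosts.append(cur)
            cur = None
        else:
            parts = line.split(None, 1)
            name, value = parts[0].lower(), parts[-1].strip('"') if len(parts) > 1 else ""
            if cur is not None:
                cur["dirs"][name] = value          # directive inside a vhost
            elif name == "loadmodule" and value:
                modules.add(value.split()[0])      # e.g. "ssl_module"
    return modules, vhosts

def check_tls(text):
    """List problems on the browser-to-web-server (HTTPS) side of a config."""
    modules, vhosts = parse_httpd(text)
    findings = []
    for vh in vhosts:
        port, d = vh["addr"].rsplit(":", 1)[-1], vh["dirs"]
        ssl_on = d.get("sslengine", "off").lower() == "on"
        if port == "443" and not ssl_on:
            findings.append(f"{vh['addr']}: SSLEngine is not on, port answers in plain HTTP")
        if ssl_on and "ssl_module" not in modules:
            findings.append(f"{vh['addr']}: SSLEngine on but mod_ssl is not loaded")
        if ssl_on and "sslcertificatefile" not in d:
            findings.append(f"{vh['addr']}: SSLEngine on without SSLCertificateFile")
    return findings

# TLS directives from the post above, then a constructed variant without them.
POSTED = """LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost *:443>
    ServerName myhost.mydomain.be
    SSLEngine on
    SSLCertificateFile "D:/pathToMy/certificate.cer"
    SSLCertificateKeyFile "D:/pathToMy/certificate.key"
</VirtualHost>"""
PLAIN_ON_443 = "Listen 443\n<VirtualHost *:443>\n    ServerName myhost.mydomain.be\n</VirtualHost>"
```

`check_tls(POSTED)` returns an empty list, while `check_tls(PLAIN_ON_443)` reports the virtual host that listens on 443 without TLS enabled.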

- Creating SSL/TLS configurations in S1's Healthshare portal (also tried with a %SuperServer... but where and how could I use them? I haven't found it)

Your SSL configuration should be called %SuperServer. Currently it's called AccDirSsl. You need to create a new configuration or rename the existing one to %SuperServer.

Also, can you show a screen from the Portal’s System-wide Security Parameters page (System Administration > Security > System Security > System-wide Security Parameters)? For the Superserver SSL/TLS Support choice, you should select Enabled (not Required).

Also, does the HS OS user have access to C:\chr11614pem? I'd try copying the certificates/keys to the HS temp directory and modifying the paths in the config accordingly.