Programmatic configuration of SSL Connections with the Superserver |

Article

Luis Angel Pére... · 5 hr ago 3m read

#Docker #SSL #InterSystems IRIS #InterSystems IRIS for Health

Greetings dear community members!

I have recently been deploying an IRIS for Health image on a Docker with a preconfigured Webgateway image and I have come across the problem of the SSL configurations that allow us to connect to the IRIS instance using HTTPS and going through our Webgateway.

Until now I had always deployed IRIS for Health with a Community license, which still has the Private Web Server installed, so I only needed to configure the Webgateway connection with the deployed IRIS instance:

Access the management portal using the URL provided by the PWS and enable access to the Superserver from its configuration screen:

Seleccionando el puerto 1972 podíamos ver la información de seguridad y sólo necesitábamos habilitar las conexiones SSL con la configuración de la SSL/TLS %SuperServer previamente creada:

Well, with non-Community versions the last step of the configuration is not feasible, since we do not have web access to our IRIS instance, therefore, we will have to do it programmatically so that when deploying our Docker it not only creates the SSL/TLS configuration but also enables SSL connections with the superserver that the webgateway will use for the connection.

To do this we must use the Security.Servers class that allows us to perform the same configuration. Below you can see a class method that will create the SSL connection %SuperServer and then enable said connections with port 1972:

Method EnableSSLSuperServer(password="")
{
    New $NAMESPACE
    zn "%SYS"
    set certdir=..SSLDirectory
    set CAfile = ..SSLCertAuth
    set certfile = ..SSLCertificate
    set keyfile = ..SSLKey
    set sslconfig = ##class(Security.SSLConfigs).%New()
    do sslconfig.CAFileSet(certdir_CAfile)
    do sslconfig.CertificateFileSet(certdir_certfile)
    do sslconfig.PrivateKeyFileSet(certdir_keyfile)
    if password'="" do sslconfig.PrivateKeyPasswordSet(password)
    do sslconfig.DescriptionSet("SuperServer configuration")
    do sslconfig.EnabledSet(1)
    do sslconfig.TypeSet(1)
    do sslconfig.NameSet("%SuperServer")
    set sc=sslconfig.%Save()
    If (sc'=1) {
        Write !, "WARNING: Creating and saving the %SuperServer SSL configuration failed!"
        Write !, $system.Status.GetErrorText(sc)
    }

    If (sc'=1) {
        Write !, "WARNING: Getting the system security settings failed!"
        Write !, $system.Status.GetErrorText(sc)
    }
    set sc = ##class(Security.Servers).Get("1972",,.propsSuperServer)
    set propsSuperServer("Enabled") = 1
    set propsSuperServer("SSLSupportLevel") = 1
    set propsSuperServer("SSLConfig") = "%SuperServer"
    set sc = ##class(Security.Servers).Modify("1972",,.propsSuperServer)

    If (sc'=1) {
        Write !, "WARNING: Modifying the system's SSLSuperServer property failed!"
        Write !, $system.Status.GetErrorText(sc)    
    }
    Write !, "Done enabling SSL for the SuperServer"
}

In more detail, this will be the code snippet that enables SSL for 1972:

set sc = ##class(Security.Servers).Get("1972",,.propsSuperServer)
    set propsSuperServer("Enabled") = 1
    set propsSuperServer("SSLSupportLevel") = 1
    set propsSuperServer("SSLConfig") = "%SuperServer"
    set sc = ##class(Security.Servers).Modify("1972",,.propsSuperServer)

I hope you find it useful!

Go to the original post written by @Luis Angel Pérez Ramos