Question about InterSystems API (IAM) install from tar file with IRIS running locally
I downloaded IAM-3.4.2.0-5604.tar.gz from the Online Distribution site this morning, with the intention of installing it on our Development environment to see if it is a viable solution. Following the instructions, I have run into an issue trying to make sure I am entering the information into the prompts correctly.
I have IRIS HealthShare Health Connect 2024.1 running locally using a local web server, so when prompted I entered the IP address and port 443. Is that correct?
:>iam-setup.sh
Welcome to the InterSystems IRIS and InterSystems API Manager (IAM) setup script.
This script sets the ISC_IRIS_URL environment variable that is used by the IAM container to get the IAM license key from InterSystems IRIS.
Enter the full image repository, name and tag for your IAM docker image:
intersystems/iam:3.4.1.0
Enter the IP address for your InterSystems IRIS instance. The IP address has to be accessible from within the IAM container, therefore, do not use "localhost" or "127.0.0.1" if IRIS is running on your local machine. Instead use the IP address of your local machine. If IRIS is running in a container, use the IP address of the host environment, not the IP address of the IRIS container:
xxx.xxx.xxx.xxx
Enter the web server port for your InterSystems IRIS instance:
443
Enter the password for the IAM user for your InterSystems IRIS instance:
Re-enter your password:
If local policy requires that HTTPS be used for communication, please provide the full path to your CA Certificate file now. Otherwise hit "Return":
/etc/pki/ca-trust/source/anchors/OSUWMC_CA.pem
If your InterSystems IRIS instance is only accessible via its CSPConfigName URL prefix, please provide the prefix with a trailing slash (/) now. Otherwise hit "Return":
Your inputs are:
Full image repository, name and tag for your IAM docker image: intersystems/iam:3.4.1.0
IP address for your InterSystems IRIS instance: xxx.xxx.xxx.xxx
Web server port for your InterSystems IRIS instance: 443
CA Certificate for HTTPS: /etc/pki/ca-trust/source/anchors/OSUWMC_CA.pem
CSPConfigName URL prefix:
Would you like to continue with these inputs (y/n)?
y
Getting IAM license using your inputs...
Couldn't reach InterSystems IRIS at xxx.xxx.xxx.xxx:443. One or both of your IP and Port are incorrect.
I have verified that...
- IAM user is enabled
- /api/iam is enabled
What port should be specified if you are running a Local Web Server/Web Gateway?
Thanks
Scott
Comments
Scott,
take a look inside iam-setup.sh
Based on the inputs it constructs a URL and then tries to 'curl' it.
And fails for some reason. Check which URL it constructs and check if curl indeed works fine for that URL
The URL should look like:
https://IAM:
Check if you can access it from bash.
I verified that /api/iam is enabled, but using curl or Postman I keep getting a 404 - Not Found error. I thought it might be because the script is looking for /api/iam/license, so I shortened it to /api/iam to see if I could get a response, but I am still getting the 404 error.
I even tried unauthenticated on /api/iam
Does the webserver pass "/api/iam" to the Web Gateway?
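The two comments above suggest rebuilding the URL that iam-setup.sh constructs and checking it with curl. The following is an added helper, not part of iam-setup.sh or the IAM distribution, that does exactly that and turns the HTTP status into a diagnosis. It assumes what the thread states: the script probes <CSP prefix>api/iam/license, authenticates with HTTP Basic as the IRIS user IAM, and switches to https whenever a CA certificate is given. The IP, port and certificate path used in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not from iam-setup.sh): rebuild the license URL the setup script is
# assumed to probe and check it with curl, so a failure can be attributed to the
# network/TLS layer, the web server routing, the Web Gateway, or the IAM user itself.
# Assumptions: endpoint is <prefix>api/iam/license; user is "IAM" with Basic auth;
# a non-empty CA certificate path means HTTPS.

# build_iam_url IP PORT CA_CERT CSP_PREFIX
#   CA_CERT empty => http, otherwise https
#   CSP_PREFIX is "" or "name/" (trailing slash), as iam-setup.sh asks for it
build_iam_url() {
  ip=$1; port=$2; cacert=$3; prefix=$4
  scheme=http
  if [ -n "$cacert" ]; then
    scheme=https
  fi
  printf '%s://%s:%s/%sapi/iam/license\n' "$scheme" "$ip" "$port" "$prefix"
}

# classify_status HTTP_CODE -> "label: explanation" (curl reports 000 when no HTTP
# response was obtained at all, e.g. connection refused or TLS handshake failure)
classify_status() {
  case "$1" in
    200)     echo "ok: IRIS answered the license endpoint" ;;
    000)     echo "no-connection: nothing answered at that IP:port, or the TLS handshake failed (wrong port, firewall, CA cert or hostname mismatch)" ;;
    401|403) echo "auth: request reached IRIS, but the IAM user, its password or its privileges are wrong" ;;
    404)     echo "not-routed: the web server answered, but /api/ is not passed to the Web Gateway or the /api/iam web application is not enabled" ;;
    *)       echo "unexpected: HTTP $1" ;;
  esac
}

# probe_iam URL CA_CERT PASSWORD -> prints the diagnosis, returns 0 only on HTTP 200
probe_iam() {
  url=$1; cacert=$2; password=$3
  if [ -n "$cacert" ]; then
    code=$(curl -s -o /dev/null -w '%{http_code}' --cacert "$cacert" -u "IAM:$password" "$url")
  else
    code=$(curl -s -o /dev/null -w '%{http_code}' -u "IAM:$password" "$url")
  fi
  echo "$url -> HTTP $code: $(classify_status "$code")"
  [ "$code" = 200 ]
}

# Usage (placeholders): IAM_PASSWORD=... sh probe-iam.sh 10.0.0.5 443 /etc/pki/ca-trust/source/anchors/OSUWMC_CA.pem ""
# The password is taken from the environment rather than the command line so it does
# not show up in shell history or `ps` output alongside the script arguments.
if [ $# -ge 2 ]; then
  url=$(build_iam_url "$1" "$2" "${3:-}" "${4:-}")
  probe_iam "$url" "${3:-}" "${IAM_PASSWORD:?set IAM_PASSWORD in the environment}"
fi
```

A 404 here, as reported above, means the TCP and TLS layers are fine and Apache is answering; the question is then purely whether /api/ is handed to the Web Gateway and whether the /api/iam application is enabled and allows the IAM user. A 000 with a CA certificate but a 200 without one points at the certificate or the hostname in it, not at the port.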
My httpd.conf is set up to send / to CSP.
#### BEGIN-ApacheCSP-SECTION ####
LoadModule csp_module_sa "/opt/webgateway/bin/CSPa24.so"
CSPModulePath "/opt/webgateway/bin/"
CSPConfigPath "/opt/webgateway/bin/"
CSPFileTypes csp cls zen cxw
Alias /csp/ /opt/webgateway/bin/
<Location />
CSP On
</Location>
<Location "/csp/">
CSP On
</Location>
<Location "/api/">
CSP On
</Location>
<Location "/oauth2/">
CSP On
</Location>
<Location "/isc/">
CSP On
</Location>
<Location "/ui/">
CSP On
</Location>
<Directory "/opt/webgateway/bin/">
AllowOverride None
Options MultiViews FollowSymLinks ExecCGI
Require all granted
<FilesMatch "\.(log|ini|pid|exe)$">
Require all denied
</FilesMatch>
</Directory>
Hm, check also the Protect event in the Audit: ensure that the Audit and logging of Protect events are enabled, then reproduce the problem and see if anything is logged in the Audit.
The URL that you're generating is the one to the webgateway. Do you have the webgateway running on port 443 of the same IP address as your IRIS server?
I played around with the iam-setup.sh script and found that when I ran it without a CA and port, it was able to connect to the IRIS instance. The next step is that the container will not start; I need to dig into that more.
I was able to get past iam-setup.sh, but now when I run podman-compose up -d I am getting the following error...
:>sudo podman-compose up -d
podman-compose version: 1.0.6
['podman', '--version', '']
using podman version: 4.6.1
** excluding: set()
['podman', 'ps', '--filter', 'label=io.podman.compose.project=scripts', '-a', '--format', '{{ index .Labels "io.podman.compose.config-hash"}}']
podman volume inspect scripts_pgdata14 || podman volume create scripts_pgdata14
['podman', 'volume', 'inspect', 'scripts_pgdata14']
['podman', 'network', 'exists', 'scripts_default']
podman run --name=scripts_db_1 -d --label io.podman.compose.config-hash=0b8c4491a1820337de3b759d5b1067ea78426dafeaec513283d14bd1ac5c3e8b --label io.podman.compose.project=scripts --label io.podman.compose.version=1.0.6 --label PODMAN_SYSTEMD_UNIT=podman-compose@scripts.service --label com.docker.compose.project=scripts --label com.docker.compose.project.working_dir=/ensemble/tmp/IAM/scripts --label com.docker.compose.project.config_files=docker-compose.yml --label com.docker.compose.container-number=1 --label com.docker.compose.service=db -e POSTGRES_DB=iam -e POSTGRES_PASSWORD=iam -e POSTGRES_USER=iam -v scripts_pgdata14:/var/lib/postgresql/data --net scripts_default --network-alias db -i --restart on-failure --healthcheck-command /bin/sh -c pg_isready' '-U' 'iam --healthcheck-interval 30s --healthcheck-timeout 30s --healthcheck-retries 3 postgres:14.5
7db3dff8488e4115cd7d65d4ea61be9de185e68dfdbcf1744ec913b02314645c
exit code: 0
['podman', 'network', 'exists', 'scripts_default']
podman run --name=scripts_iam-migrations_1 -d --requires=scripts_db_1 --label io.podman.compose.config-hash=0b8c4491a1820337de3b759d5b1067ea78426dafeaec513283d14bd1ac5c3e8b --label io.podman.compose.project=scripts --label io.podman.compose.version=1.0.6 --label PODMAN_SYSTEMD_UNIT=podman-compose@scripts.service --label com.docker.compose.project=scripts --label com.docker.compose.project.working_dir=/ensemble/tmp/IAM/scripts --label com.docker.compose.project.config_files=docker-compose.yml --label com.docker.compose.container-number=1 --label com.docker.compose.service=iam-migrations -e KONG_DATABASE=postgres -e KONG_PG_DATABASE=iam -e KONG_PG_HOST=db -e KONG_PG_PASSWORD=iam -e KONG_PG_USER=iam -e KONG_CASSANDRA_CONTACT_POINTS=db -e ISC_IRIS_URL= -e ISC_CA_CERT= --net scripts_default --network-alias iam-migrations --restart on-failure bash -c kong migrations bootstrap; kong migrations up; kong migrations finish
Error: repository name must have at least one component
exit code: 125
podman start scripts_iam-migrations_1
Error: no container with name or ID "scripts_iam-migrations_1" found: no such container
exit code: 125
['podman', 'network', 'exists', 'scripts_default']
podman run --name=scripts_iam_1 -d --requires=scripts_db_1 --label io.podman.compose.config-hash=0b8c4491a1820337de3b759d5b1067ea78426dafeaec513283d14bd1ac5c3e8b --label io.podman.compose.project=scripts --label io.podman.compose.version=1.0.6 --label PODMAN_SYSTEMD_UNIT=podman-compose@scripts.service --label com.docker.compose.project=scripts --label com.docker.compose.project.working_dir=/ensemble/tmp/IAM/scripts --label com.docker.compose.project.config_files=docker-compose.yml --label com.docker.compose.container-number=1 --label com.docker.compose.service=iam -e KONG_ADMIN_ACCESS_LOG=/dev/stdout -e KONG_ADMIN_ERROR_LOG=/dev/stderr -e KONG_ADMIN_LISTEN=0.0.0.0:8001 -e KONG_ANONYMOUS_REPORTS=off -e KONG_CASSANDRA_CONTACT_POINTS=db -e KONG_DATABASE=postgres -e KONG_PG_DATABASE=iam -e KONG_PG_HOST=db -e KONG_PG_PASSWORD=iam -e KONG_PG_USER=iam -e KONG_PROXY_ACCESS_LOG=/dev/stdout -e KONG_PROXY_ERROR_LOG=/dev/stderr -e KONG_PORTAL=on -e KONG_PORTAL_GUI_PROTOCOL=http -e KONG_PORTAL_GUI_HOST=127.0.0.1:8003 -e KONG_ADMIN_GUI_URL=http://localhost:8002 -e ISC_IRIS_URL= -e ISC_CA_CERT= --net scripts_default --network-alias iam -p 8000:8000 -p 8001:8001 -p 8002:8002 -p 8003:8003 -p 8004:8004 -p 8443:8443 -p 8444:8444 -p 8445:8445 --restart on-failure
Error: repository name must have at least one component
exit code: 125
podman start scripts_iam_1
Error: no container with name or ID "scripts_iam_1" found: no such container
exit code: 125
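In the podman-compose output above, the db container starts but both IAM containers fail with "repository name must have at least one component", and the generated podman run lines carry -e ISC_IRIS_URL= and -e ISC_CA_CERT= with empty values. That is the pattern a compose file produces when its ${...} references expand to nothing: the image name ${ISC_IAM_IMAGE} becomes an empty string and podman rejects it. Variables exported by iam-setup.sh into the user's shell are not seen by a command run under sudo, which resets the environment by default. The following preflight check is an added example, not part of the IAM distribution; it assumes only that the compose file references variables as ${NAME} (required) or ${NAME:-default} (optional, as the KONG_PG_* entries quoted in this thread do), and the variable names are those visible in the output above. The sample compose excerpt inside the script is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the IAM distribution): list the ${NAME} variables a compose
# file requires and report which are unset or empty in *this* environment, i.e. the
# environment the compose command will actually run in. Run it under the same sudo
# invocation you use for podman-compose, or the result is meaningless.

# required_compose_vars FILE -> sorted, de-duplicated names written as ${NAME} with
# no ":-default" fallback; ${NAME:-default} entries are deliberately excluded.
required_compose_vars() {
  grep -o '\${[A-Za-z_][A-Za-z0-9_]*}' "$1" | tr -d '${}' | sort -u
}

# missing_compose_vars FILE [OPTIONAL_NAME...] -> required names that are unset or
# empty here, skipping names listed as optional (e.g. ISC_CA_CERT when IRIS is
# reached over plain HTTP and an empty certificate path is legitimate).
missing_compose_vars() {
  file=$1; shift
  optional=" $* "
  for name in $(required_compose_vars "$file"); do
    case "$optional" in *" $name "*) continue ;; esac
    # $name matched [A-Za-z_][A-Za-z0-9_]* above, so this eval cannot inject anything
    eval "val=\${$name:-}"
    [ -n "$val" ] || printf '%s\n' "$name"
  done
}

# Constructed sample mirroring the variables seen in this thread's podman output;
# replace "$SAMPLE" with the real docker-compose.yml path when using this for real.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<'EOF'
services:
  iam-migrations:
    image: ${ISC_IAM_IMAGE}
    environment:
      KONG_PG_PASSWORD: ${KONG_PG_PASSWORD:-iam}
      ISC_IRIS_URL: ${ISC_IRIS_URL}
      ISC_CA_CERT: ${ISC_CA_CERT}
  iam:
    image: ${ISC_IAM_IMAGE}
    environment:
      ISC_IRIS_URL: ${ISC_IRIS_URL}
      ISC_CA_CERT: ${ISC_CA_CERT}
EOF

echo "variables the compose file requires:"
required_compose_vars "$SAMPLE" | sed 's/^/  /'
echo "unset or empty in this environment (ISC_CA_CERT treated as optional):"
missing=$(missing_compose_vars "$SAMPLE" ISC_CA_CERT)
if [ -n "$missing" ]; then
  echo "$missing" | sed 's/^/  /'
  echo "fix: export them in the shell that runs podman-compose, or use sudo -E (preserve-env) if your sudoers policy allows it"
else
  echo "  none"
fi
```

With the variables missing, the script prints ISC_IAM_IMAGE and ISC_IRIS_URL, which matches the two symptoms in the output above (empty image, empty ISC_IRIS_URL). Whether sudo -E is permitted depends on the SETENV tag in sudoers; if it is not, export the variables in the root shell before running podman-compose, or hard-code the image tag you already gave iam-setup.sh into the compose file for the development environment.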
I encountered this issue on an upgrade of IAM, it wasn't covered in the documentation. Kong is prompting to have the postgres DB structure updated to match the newer version of Kong. I solved it by changing the docker-compose.yml to contain the following config to run 'kong migrations up', then started the container:
iam-migrations:
  image: ${ISC_IAM_IMAGE}
  command: kong migrations up
  depends_on:
    - db
  environment:
    KONG_DATABASE: postgres
    KONG_PG_DATABASE: ${KONG_PG_DATABASE:-iam}
    KONG_PG_HOST: db
    KONG_PG_PASSWORD: ${KONG_PG_PASSWORD:-iam}
    KONG_PG_USER: ${KONG_PG_USER:-iam}
    KONG_CASSANDRA_CONTACT_POINTS: db
    KONG_PLUGINS: bundled,jwt-crafter
    ISC_IRIS_URL: ${ISC_IRIS_URL}
  restart: on-failure
  links:
    - db:db