Question
· Feb 16, 2022

Question about setting up Apache HTTP and Web Gateway to use TLS

I am not sure if this is the correct place for this question, but I am struggling to set up TLS security for our IRIS Management Portal, etc., through Apache and the Web Gateway. I have a couple of questions when it comes to the setup.

  • If I build a private key and certificate within Red Hat, does that certificate have to be on everyone's PC to connect to the Management Portal?
  • Can I use a self-signed certificate?
  • Can I use the existing CA on the server, or do I need to work with my Data Security team to get a Certificate?


Any help would be appreciated

Thanks

Scott Roth

Product version: IRIS 2021.2
$ZV: IRIS for UNIX (Red Hat Enterprise Linux for x86-64) 2021.2 (Build 649U) Thu Jan 20 2022 08:46:29 EST

Hey Scott - Your questions require a bit of clarification to best answer, but I can help a bit, as I just went through this for both an internally served and secured IRIS Management Portal and externally served and secured IRIS-hosted web services.

There are two layers of securing to consider, and that's where I would need clarification on which part your questions are after:

  • Mutual TLS 1.2 encryption to/from the Web Gateway module installed on Apache, which acts as a reverse proxy of sorts between the web server and the IRIS server's SuperServer port. (Actual users don't use this port directly in a web browser.)
  • HTTPS/SSL Encryption on the Apache Web Server that encrypts the traffic between the client browser and web server itself.

For a production-quality/secure setup, you want to always achieve both of these, in my opinion.

For the first bullet, if you control both sides of the equation (the IRIS server and the web server), you could easily do a self-signed cert using your Red Hat server's CA, as you can specify the CA chain of authority that validates the signed cert on both sides.

For the second bullet, you really want to use a certificate authority that your users' web browsers will natively trust. E.g., if you're just serving up internally and all your users are joined to an internal domain, that domain's CA could generate a web server cert you could install to be used by port 443 on Apache httpd, and your users' browsers will likely be a-ok with it, as domain CAs generally update their domain members' keystore on login (keyword being usually). That CA could also be used to generate appropriate server/client profile certs to be used for the mutual TLS of the first bullet.

But the easiest approach for the second bullet is using an external trusted CA (think Thawte, VeriSign, and many others), as browsers will generally trust these "out of the box." External CAs can also be used for the mutual TLS piece, but that is generally overkill if the Web Gateway and IRIS server are all on the same internal network (again, in my opinion). Proper securing of private keys is important with use of an internal CA for mutual TLS especially, but you really should be doing that anyway.

Reference for the mutual TLS: https://docs.intersystems.com/irisforhealthlatest/csp/docbook/DocBook.UI...
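The first-bullet setup above (a private CA on the Red Hat box, a server-profile cert for the IRIS side, a client-profile cert for the Web Gateway side, and the same CA chain configured on both) can be exercised end to end with OpenSSL before touching either product. The script below is an added example, not from the original post and not InterSystems code; the hostnames iris.example.internal and webgw.example.internal, the file names and the working directory are assumptions for illustration. The last two checks show what each side's trust decision actually depends on: that the peer's cert chains to the configured CA file and carries the right profile (serverAuth or clientAuth), and, for the browser side, that the name in the cert matches the host being connected to. A self-signed cert that was not issued by that CA fails the check, which is why "self-signed" only works when you control and distribute the CA chain to both ends.

```shell
#!/bin/sh
# Added example (not from the original post): build a private CA, issue a
# server cert for the IRIS SuperServer side and a client cert for the Web
# Gateway side, then run the checks each peer performs. Hostnames, file
# names and the working directory are assumptions for illustration.
set -e
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Private CA. The extensions are explicit: a CA cert without CA:TRUE and
# keyCertSign is rejected by OpenSSL chain validation as "invalid CA".
make_ca() {
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Internal CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
    -config ca.cnf -keyout ca.key -out ca.crt 2>/dev/null
}

# issue_cert NAME HOSTNAME EKU: CSR plus CA-signed cert (NAME.key, NAME.crt).
# EKU is serverAuth for the listening side, clientAuth for the connecting side.
issue_cert() {
  name="$1"; host="$2"; eku="$3"
  cat > "$name.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $host
[ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = $eku
subjectAltName = DNS:$host
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$name.cnf" \
    -keyout "$name.key" -out "$name.csr" 2>/dev/null
  openssl x509 -req -in "$name.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 825 -extfile "$name.cnf" -extensions ext -out "$name.crt" 2>/dev/null
}

# verify_for CERT PURPOSE: "ok" if CERT chains to ca.crt and is usable for
# PURPOSE (sslserver or sslclient), else "fail". This is the trust decision
# the Web Gateway and IRIS each make about the peer certificate.
verify_for() {
  if openssl verify -CAfile ca.crt -purpose "$2" "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# verify_host CERT HOST: chain check plus the hostname match a browser does
# against the name it connected to (subjectAltName must contain HOST).
verify_host() {
  if openssl verify -CAfile ca.crt -verify_hostname "$2" "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

make_ca
issue_cert iris  iris.example.internal  serverAuth
issue_cert webgw webgw.example.internal clientAuth

# A self-signed cert made without the CA: the peer has no chain to it,
# so it is rejected even though it is a perfectly valid certificate.
openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config webgw.cnf \
  -keyout rogue.key -out rogue.crt 2>/dev/null

echo "iris.crt as server:    $(verify_for iris.crt sslserver)"     # ok
echo "webgw.crt as client:   $(verify_for webgw.crt sslclient)"    # ok
echo "webgw.crt as server:   $(verify_for webgw.crt sslserver)"    # fail (clientAuth only)
echo "rogue.crt as client:   $(verify_for rogue.crt sslclient)"    # fail (not issued by ca.crt)
echo "iris.crt for its host: $(verify_host iris.crt iris.example.internal)"   # ok
echo "iris.crt wrong host:   $(verify_host iris.crt other.example.internal)"  # fail
```

For the Gateway-to-SuperServer leg, ca.crt is the file both sides must be configured with as their CA chain, with iris.key/iris.crt on the IRIS side and webgw.key/webgw.crt on the Gateway side, and the private keys readable only by the process that uses them. For the browser-facing leg on Apache, the same layout maps onto mod_ssl's SSLCertificateFile and SSLCertificateKeyFile, but the cert there should come from a CA the browsers already trust (the domain CA or a public CA) rather than from this private one; the hostname check is the same one the script runs last.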