Running the Management Portal (Private Web Server) Over TLS/SSL/HTTPS
Hi all,
I want to share a quick little method you can use to enable ssl with a self signed certificate on your local development instance of IRIS/HealthShare. This enables you to test https-specific features such as OAuth without a huge lift.
1. Install OpenSSL
Windows: https://slproweb.com/download/Win64OpenSSL_Light-1_1_1g.exe
Debian Linux: $ sudo apt-get -y install openssl
RHEL: $ sudo yum install openssl
2. Create a self-signed certificate pair. In your terminal (powershell, bash, zsh, etc)
$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout apache-selfsigned.key -out apache-selfsigned.crt
Note -- The above command will create a certificate that lasts for a year.
3. Edit your private web-server to use the new self-signed certificate pair.
In your instance installation directory, edit your PWS config <install-dir>/httpd/conf/httpd-local.conf. Add the following section before the "Include ..." directives.
# Port to listen on for secure traffic. The default is 443.
LoadModule ssl_module "modules/mod_ssl.so"
Listen 10443

# Virtual Host block to define the keys we should use for that port.
# If you define a different port in the Listen directive, change it here as well.
<VirtualHost *:10443>
    # We need a ServerName; it has no effect here but is required by Apache.
    ServerName mysecureinstance
    # Turn on SSL for this Virtual Host
    SSLEngine on
    # Key files: replace these paths with the paths where you generated the keys in step 2.
    SSLCertificateFile "/path/to/apache-selfsigned.crt"
    SSLCertificateKeyFile "/path/to/apache-selfsigned.key"
</VirtualHost>
Here is an example of my config file:
In action:
Note: this type of HTTPS support is not supported by InterSystems and if you need a production product you should follow directions to install apache2 / IIS / nginx in its full form.
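As an added check for step 3 (example code written for this page, not part of the original post or of InterSystems' tooling), the following Python script parses the httpd-local.conf fragment and reports the mistakes that stop the secure port from coming up: a Listen port that does not match the <VirtualHost> port, SSLEngine not turned on, a missing ServerName, or certificate paths that are still the "/path/to/..." placeholder or are absent from disk. The three sample fragments, the /opt/iris/certs/ directory and the fake_path_exists stand-in are constructed so the script runs offline; to check a real instance, pass the contents of httpd-local.conf and os.path.exists to check_fragment.

```python
"""Sanity checks for the mod_ssl fragment added to httpd-local.conf in step 3.

Added example, not code from the original post or from InterSystems. It is a
small Apache directive parser plus a checker for the mistakes that break the
setup described in the post.
"""
import os
import re
from typing import Callable, Dict, List, Tuple

Directives = Dict[str, List[str]]
VHostList = List[Tuple[str, Directives]]

_VHOST_OPEN = re.compile(r"^<VirtualHost\s+([^>]+)>$", re.IGNORECASE)
_VHOST_CLOSE = re.compile(r"^</VirtualHost>$", re.IGNORECASE)


def parse_fragment(text: str) -> Tuple[Directives, VHostList]:
    """Split an httpd.conf fragment into global directives and <VirtualHost> blocks.

    Directive names are lower-cased (Apache treats them case-insensitively),
    values keep their order, and surrounding double quotes are removed.
    """
    global_directives: Directives = {}
    vhosts: VHostList = []
    current: Directives = global_directives
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        opened = _VHOST_OPEN.match(line)
        if opened:
            current = {}
            vhosts.append((opened.group(1).strip(), current))
            continue
        if _VHOST_CLOSE.match(line):
            current = global_directives
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        current.setdefault(name, []).append(value)
    return global_directives, vhosts


def port_of(address: str) -> str:
    """'*:10443' -> '10443', '10443 https' -> '10443', '10443' -> '10443'."""
    return (address.rsplit(":", 1)[-1].split() or [""])[0]


def check_fragment(text: str,
                   path_exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return human-readable findings; an empty list means the fragment looks usable."""
    findings: List[str] = []
    global_directives, vhosts = parse_fragment(text)

    if not any("mod_ssl" in v for v in global_directives.get("loadmodule", [])):
        findings.append("mod_ssl is not loaded: add LoadModule ssl_module \"modules/mod_ssl.so\"")
    listen_ports = {port_of(v) for v in global_directives.get("listen", [])}
    if not vhosts:
        findings.append("no <VirtualHost> block found")

    for address, d in vhosts:
        port = port_of(address)
        if port not in listen_ports:
            findings.append(f"<VirtualHost {address}> uses port {port} but no Listen directive opens it")
        if d.get("sslengine", ["off"])[0].lower() != "on":
            findings.append(f"<VirtualHost {address}> does not have 'SSLEngine on'")
        if "servername" not in d:
            findings.append(f"<VirtualHost {address}> lacks the ServerName Apache requires")
        for directive in ("sslcertificatefile", "sslcertificatekeyfile"):
            values = d.get(directive)
            if not values:
                findings.append(f"<VirtualHost {address}> is missing {directive}")
            elif values[0].startswith("/path/to/"):
                findings.append(f"{directive} still points at the placeholder {values[0]}")
            elif not path_exists(values[0]):
                findings.append(f"{directive} path does not exist: {values[0]}")
    return findings


# Constructed copies of the step-3 fragment: as posted (placeholder paths),
# with the paths filled in, and with only the Listen port changed.
AS_POSTED = """\
LoadModule ssl_module "modules/mod_ssl.so"
Listen 10443
<VirtualHost *:10443>
    ServerName mysecureinstance
    SSLEngine on
    SSLCertificateFile "/path/to/apache-selfsigned.crt"
    SSLCertificateKeyFile "/path/to/apache-selfsigned.key"
</VirtualHost>
"""
FILLED_IN = AS_POSTED.replace("/path/to/", "/opt/iris/certs/")  # constructed path
PORT_MISMATCH = FILLED_IN.replace("Listen 10443", "Listen 10444")


def fake_path_exists(path: str) -> bool:
    """Stand-in for os.path.exists so the example runs without the files present."""
    return path in {"/opt/iris/certs/apache-selfsigned.crt",
                    "/opt/iris/certs/apache-selfsigned.key"}


if __name__ == "__main__":
    for label, fragment in (("as posted", AS_POSTED), ("filled in", FILLED_IN),
                            ("port mismatch", PORT_MISMATCH)):
        print(f"{label}: {check_fragment(fragment, fake_path_exists) or ['OK']}")
```

This complements Apache's own syntax check (httpd -t), which catches malformed directives but not a Listen/VirtualHost port mismatch or a placeholder path that happens to be syntactically valid.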
Interesting, thanks for this. Related question: when running the Portal with this method of enabling ssl, do the Help links to docs.intersystems.com also become https links? For example, the Help links on this page:
System Administration > Configuration > Additional Settings > Startup
I am not sure! This will secure any traffic hosted by the instance itself on the port added to the config (10443 in the example). It also does not change the way links are generated. If the portal webpage uses relative links, then it could secure those requests, but they ultimately don't connect through the instance so really security is out of our hands there.
This method simply opens an additional port on the included Apache server secured by the self-signed certificate. The non-secure ports will still work so this isn't a viable production strategy.
Nice tip! Btw, if you want a real signed certificate, you can also use Let's Encrypt certificates with an auto-renew client for all types of operating systems (because these free certificates expire after 4 months). You can also use this trick for all kinds of servers requiring ssl encryption when facing the public internet.
This is sort of the minimum for just enabling SSL/TLS on apache. Please see apache documentation for further configuration options, including but not limited to selecting ciphersuites and configuring client verification:
https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html
Also, please recall that private web server is provided for convenience and that for production purposes you should install a CSP/Web Gateway into a full web server. Per this documentation, quote:
When installing InterSystems IRIS, this private version of Apache is installed to ensure that:
The PWS is not supported for any other purpose.
For deployments of http-based applications, including REST, CSP, Zen, and SOAP over http or https, you should not use the private web server for any application other than the Management Portal; instead, you must install and deploy one of the supported web servers. For information, see the section “Supported Web Servers” in the online InterSystems Supported Platforms document for this release.
end quote.
https://docs.intersystems.com/irislatest/csp/docbook/DocBook.UI.Page.cls...