Nicholai Mitchko · Aug 12, 2020 2m read

Running the Management Portal (Private Web Server) Over TLS/SSL/HTTPS

Hi all,


I want to share a quick little method you can use to enable ssl with a self signed certificate on your local development instance of IRIS/HealthShare. This enables you to test https-specific features such as OAuth without a huge lift.



1. Install OpenSSL


Debian Linux: $ sudo apt-get -y install openssl

RHEL: $ sudo yum install openssl


2. Create a self-signed certificate pair. In your terminal (powershell, bash, zsh, etc)

$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout apache-selfsigned.key -out apache-selfsigned.crt

Note -- This above command will create a certificate that lasts for a year.

3. Edit your private web-server to use the new self-signed certificate pair.

In you instance installation directory, edit your pws config <install-dir>/httpd/conf/httpd-local.conf. Add the following section before the "Include .. " directives.

# Port to listen for secure traffic On. The default is 443
LoadModule ssl_module "modules/"
Listen 10443

# Listen Virtual Host Block to define the keys we should use for that port
# If you define a different port in the Listen directive, change that here as well
<VirtualHost *:10443>

    # We need a servername, it has not effect but is required by apache
    ServerName mysecureinstance

    # Turn on SSL for this Virtual Host
    SSLEngine on

    #key files, replace these paths with the path you generated the keys from in step 2.
    SSLCertificateFile "/path/to/apache-selfsigned.crt"

    SSLCertificateKeyFile "/path/to/apache-selfsigned.key"


Here is an example of my config file:



In action:



Note: this type of HTTPS support is not supported by InterSystems and if you need a production product you should follow directions to install apache2 / IIS / nginx in it's full form.

3 4 3 275


Interesting, thanks for this. Related question: when running the Portal with this method of enabling ssl, do the Help links to also become https links? For example, the Help links on this page:
System Administration > Configuration > Additional Settings > Startup

I am not sure! This will secure any traffic hosted by the instance itself on the port added to the config (10443 in the example). It also does not change the way links are generated. If the portal webpage uses relative links, then it could secure those requests, but they ultimately don't connect through the instance so really security is out of our hands there.

This method simply opens an additional port on the included Apache server secured by the self-signed certificate. The non-secure ports will still work so this isn't a viable production strategy.