SSL for Management portal and Studio connections - SOAP wizard issue

Hi community,

I would like to ask how to correctly enforce SSL on all "developer traffic" -- that is Management portal and Studio connections -- on a Caché instance.

Given large developer permissions, I would like to eliminate all plaintext credentials on the wire.

Currently, we compile our own httpd with SSL support for Management portal, but this breaks Add-Ins for us, in particular the SOAP wizard. So I guess this is not the "canonical way".

Thanks for any suggestions

Jiri


Answers

The answers you've gotten so far are for the management portal, but you also mentioned Studio, and I wanted to follow up on that part, as it's configured quite differently.

Studio connects directly to the SuperServer, so you will need to configure SuperServer TLS on the server side if you haven't already. The documentation discusses how to do this here:

https://docs.intersystems.com/latest/csp/docbook/DocBook.UI.Page.cls?KEY...

Currently, I don't know of a way to enforce TLS for just the %Service_Bindings, so you will need to enforce it on all connections to the SuperServer if you want to require it. This means you'll need to configure TLS for any other types of connections to the SuperServer you use, including between the CSP gateway and the SuperServer.

Each machine which has Studio installed will also need to be configured to use TLS. I've written up how to do that here:

https://community.intersystems.com/post/configuring-cach%C3%A9-client-ap...

Usually, the problem you can face with SSL is how to trust a self-signed certificate. In your case it looks like you have one server for development, and everybody connects to this one server. In this case, there are two ways to make this SSL trusted:

  • if you have a domain name which is publicly available from the internet. Internal servers should not be available from outside, only one server, where you can generate a certificate with Let's Encrypt. You can make a wildcard certificate as well.
  • you don't have such a domain name and don't have access from outside. Then you should have your own certificate server and make the certificates yourself. I think this way is a bit harder.

For local instances, when you need SSL only on your machine for yourself, you can use the mkcert tool and any subdomain from localtest.me (which goes to localhost) for example.

Thanks Dimitry, for your response.

We have our own PKI deployed and configured so trust chain issues are not a problem for us.

Our problem is somewhat different.

Currently, we have (in our httpd.conf) a Redirect directive on all incoming http traffic on port 57772 to https on a different port, but this setup breaks add-in functionality. The SOAP wizard in particular, which we need to use quite frequently, always executes in the context of the %SYS namespace when SSL is enabled (see attached screenshot).

We always need to temporarily disable SSL to use this wizard, but this is a hassle and, also, I guess that SSL usage should be seamless to the developer when configured correctly, so I suspect we might be doing something the wrong way.

Well,

this add-in URL is

/isc/studio/templates/%25ZEN.Template.AddInWizard.SOAPWizard.cls?Namespace=USER

But when you redirect with the Redirect directive, your query part disappears, and it opens with the default namespace %SYS.

To solve it you should use mod_rewrite instead, with RewriteCond and RewriteRule directives. I can't give you any examples, I just don't have a good place to check it. But I think I can find it.

My go-to https redirect:

RewriteEngine on
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]

Thank you Eduard and Dimitry, I was able, eventually, to get correct behavior with

RewriteEngine on
RewriteRule ^ https://%{SERVER_NAME}:57782%{REQUEST_URI} [END,QSA,R=307]

Redirecting with R=permanent somehow still lost namespace information.
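To check a redirect like the ones above without re-disabling SSL every time, here is a small Python checker (added here as an example, not code from this thread or from InterSystems). It takes the original http request URL and the status/Location the server answered with, and reports whether the target is https on the expected port and whether every query parameter, in particular Namespace=USER, survived. The host name, the 57782 port and the sample Location headers are constructed for the example; only the SOAP wizard path comes from the thread.

```python
"""Verify that an http->https redirect keeps the query string intact.

Added example (hypothetical helper, not from the thread). The sample
request URL, host name and Location headers below are constructed;
the wizard path and the 57772/57782 ports are the ones quoted in the thread.
"""
from urllib.parse import parse_qs, urlsplit

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def expected_location(request_url: str, https_port: int = 57782) -> str:
    """Build the Location header a rule of the form
    'RewriteRule ^ https://%{SERVER_NAME}:PORT%{REQUEST_URI} [QSA,R=307]'
    is expected to produce for request_url (query string carried over)."""
    req = urlsplit(request_url)
    target = f"https://{req.hostname}:{https_port}{req.path}"
    if req.query:
        target += "?" + req.query
    return target


def check_redirect(request_url: str, status: int, location: str,
                   https_port: int = 57782) -> list:
    """Return a list of problems; an empty list means the redirect is acceptable."""
    problems = []
    req = urlsplit(request_url)
    loc = urlsplit(location)

    if status not in REDIRECT_STATUSES:
        problems.append(f"not a redirect status: {status}")
    if loc.scheme != "https":
        problems.append(f"target scheme is {loc.scheme!r}, expected 'https'")
    if loc.hostname != req.hostname:
        problems.append(f"target host changed to {loc.hostname!r}")
    if loc.port != https_port:
        problems.append(f"target port is {loc.port!r}, expected {https_port}")
    if loc.path != req.path:
        problems.append(f"target path changed to {loc.path!r}")

    # The failure mode from the thread: the query string (Namespace=USER)
    # is dropped, so the wizard runs in the default %SYS namespace.
    req_params = parse_qs(req.query, keep_blank_values=True)
    loc_params = parse_qs(loc.query, keep_blank_values=True)
    for key, values in req_params.items():
        if loc_params.get(key) != values:
            problems.append(f"query parameter {key!r} lost or changed")
    return problems


# Constructed sample: the SOAP wizard URL from the thread on the http port.
SAMPLE_REQUEST = ("http://cache.example.internal:57772"
                  "/isc/studio/templates/%25ZEN.Template.AddInWizard.SOAPWizard.cls"
                  "?Namespace=USER")

# Constructed Location headers: one that keeps the query, one that drops it.
GOOD_LOCATION = ("https://cache.example.internal:57782"
                 "/isc/studio/templates/%25ZEN.Template.AddInWizard.SOAPWizard.cls"
                 "?Namespace=USER")
BAD_LOCATION = ("https://cache.example.internal:57782"
                "/isc/studio/templates/%25ZEN.Template.AddInWizard.SOAPWizard.cls")


def run_samples() -> dict:
    """Run the checker over both constructed responses and return the findings."""
    return {
        "good": check_redirect(SAMPLE_REQUEST, 307, GOOD_LOCATION),
        "bad": check_redirect(SAMPLE_REQUEST, 301, BAD_LOCATION),
    }


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(name, "->", findings or "OK")
```

Against a real instance, feed check_redirect the status and Location from a plain HTTP client call to the http port (with redirects disabled); a non-empty list tells you immediately which part of the URL the redirect mangled, without having to open the wizard.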

Try installing httpd from the package manager for your OS.

Add http to https redirect.

Maybe plugins go to https first, so redirect all traffic to https. Good for various cached links, etc.

Thanks Eduard for your answer, perhaps my original question was a bit vague, I have elaborated somewhat on my issue in response to Dimitry's post.

Hi Jiri,
we have made some recent changes to make this work without the need to configure a redirection.
Please drop me a note if you are interested, or contact WRC and I will investigate more details on this for you.
Kind regards,
Bernd

Thank you Bernd, I am interested, I will write a WRC request and reference you.

Kind regards,

Jiri