Question · Apr 22

SSL/TLS Client/OAuth2 Configuration - Testing

I am trying to set up an OAuth 2.0 configuration to connect to a server within our network using OAuth 2.0. My previous attempt worked; however, I forgot to capture the steps before I had wiped the system, so please bear with me.

I have an SSL/TLS Client configuration set up, as we use the same setup for our LDAP configuration.

When I go through the following steps within the Terminal, I get the following error:

%SYS>kill ^ISCLOG
%SYS>set scope="openid fhirUser"
%SYS>set jwt = ##class(%SYS.OAuth2.Authorization).GetAccessTokenJWT("EpicFHIRPOC","1fd8f5cc-18ee-4eff-990d-4606037b932e",scope,.properties,.error,123)

%SYS>

%SYS>zwrite error
error=""
%SYS>zwrite jwt
jwt="0 "_$lb($lb(6085,"OSUMC","error:0200100D:system library:fopen:Permission denied, error:20074002:BIO routines:file_ctrl:system lib, error:140DC002:SSL routines:use_certificate_chain_file:system lib",,,,,,,$lb(,"%SYS",$lb("e^Send+313^%Net.HttpRequest.1^1","e^Post+1^%Net.HttpRequest.1^1","e^GetAccessTokenJWT+44^%SYS.OAuth2.Authorization.1^1","e^^^0"))))/* ERROR #6085: Unable to write to socket with SSL/TLS configuration 'OSUMC', error reported 'error:0200100D:system library:fopen:Permission denied, error:20074002:BIO routines:file_ctrl:system lib, error:140DC002:SSL routines:use_certificate_chain_file:system lib' */

When I attempt to test the SSL/TLS configuration against that same FHIR server, which I can access from my desktop, I am seeing...

But that same configuration runs ok when I attempt to connect to the LDAP server.

Is this a problem with my OSUWMC SSL/TLS configuration?

Does my key/cert have the correct permissions?

[root@int-lxiris-vd01 private]# ls -lat int-lxiris-vd01_osumc_edu.key
-rw-rw-rw-+ 1 apache irisusr 3414 Jan  8 11:37 int-lxiris-vd01_osumc_edu.key

[root@int-lxiris-vd01 certs]# ls -lat int-lxiris-vd01_osumc_edu.pem
-rw-rw-rw-+ 1 apache irisusr 6521 Jan  9 10:38 int-lxiris-vd01_osumc_edu.pem

$ZV: IRIS for UNIX (Red Hat Enterprise Linux 8 for x86-64) 2024.1 (Build 264_1U) Thu Apr 4 2024 14:54:11 EDT

I am being told the OAuth certificate has no chain behind it. It is a self-signed certificate/key pair. I changed the ownership of the files to irisusr:irisusr, but I am still getting the same error message...

"error reported 'error:0200100D:system library:fopen:Permission denied, error:20074002:BIO routines:file_ctrl:system lib, error:140DC002:SSL routines:use_certificate_chain_file:system lib'"

I am still thinking there is something wrong with the cert/private key that was provided to me by the application. Am I wrong?

I have a ticket in with WRC to help me figure out this issue, because it is bugging the crap out of me and I am trying to figure it out.

I have updated the owner, group, folder permissions, and permissions at the file level. REDEBUG is returning...

TLS enabled versions, minimum: 16, maximum: 32
04/24/24-16:18:26:573 (2675888) 0 [Generic.Event]
Cipher list for TLSv1.2 and below: ALL:!aNULL:!eNULL:!EXP:!SSLv2
04/24/24-16:18:26:573 (2675888) 0 [Generic.Event]
Ciphersuites for TLSv1.3: TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
04/24/24-16:18:26:573 (2675888) 0 [Generic.Event]
Certificate file: /etc/pki/tls/certs/int-lxiris-vd01.pem
04/24/24-16:18:26:573 (2675888) 0 [Generic.Event]
error:0200100D:system library:fopen:Permission denied
04/24/24-16:18:26:573 (2675888) 0 [Generic.Event]
error:20074002:BIO routines:file_ctrl:system lib
04/24/24-16:18:26:573 (2675888) 0 [Generic.Event]
error:140DC002:SSL routines:use_certificate_chain_file:system lib
04/24/24-16:18:26:573 (2675888) 0 [Generic.Event]

When I call... 

set jwt = ##class(%SYS.OAuth2.Authorization).GetAccessTokenJWT(....) 

However, I use the same SSL/TLS configuration that uses /etc/pki/tls/certs/int-lxiris-vd01.pem in my LDAP authentication.

I ran the following to verify the certificate against the CA:

[root@int-lxiris-vd01 certs]# openssl verify -verbose -CAfile /etc/pki/ca-trust/source/anchors/OSUWMC_CA.pem int-lxiris-vd01_osumc_edu.pem
int-lxiris-vd01_osumc_edu.pem: OK

Anyone have an idea of what might be going on? If there were a problem with the certificate chain inside /etc/pki/tls/certs/int-lxiris-vd01.pem, wouldn't I have issues with LDAP authentication? I tried deleting my user and having LDAP authentication recreate it, and it did so without any issues when I tried to sign in as my user.

@Sean Klingensmith, I know you helped out in the past with a previous WRC ticket and post. Any idea what might be going on?
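An added check, not part of the original thread and not InterSystems code, that is worth running before chasing the certificate chain. The REDEBUG output says the failure is fopen:Permission denied on the path it lists under "Certificate file:" (/etc/pki/tls/certs/int-lxiris-vd01.pem, which is not the same file name as the int-lxiris-vd01_osumc_edu.pem shown in the ls output), and use_certificate_chain_file is simply OpenSSL opening that path. Three things an ls -l of the file alone does not tell you: an rw-rw-rw- mode on the file is irrelevant if any directory above it lacks the traverse (x) bit for the account the IRIS process runs as; the "+" after the mode means a POSIX ACL is present, so the group column shows the ACL mask rather than the owning group's real rights; and an SELinux denial comes back from fopen() as the very same Permission denied. The POSIX shell script below walks the path from / down for a given uid and group list and reports each blocking component, then prints any named ACL entries and the SELinux state. The account name irisusr and the certificate path are assumptions taken from the thread; it expects GNU stat and readlink, as on RHEL 8, and should be run as root on the server so every directory can be stat'ed.

```shell
#!/bin/sh
# Added example, not from the original post: decide from filesystem metadata whether
# a given uid/gid set can open a certificate or key file. OpenSSL's
# use_certificate_chain_file() just fopen()s the path named in the SSL/TLS
# configuration, so every directory on the way needs the traverse (x) bit for the
# IRIS process user and the file itself needs read (r). World-readable bits on the
# file do not help if a parent directory denies traversal. Needs GNU stat/readlink.

# perm_bits <path> <uid> "<gid gid ...>"
# Prints the rwx digit (0-7) that the classic owner/group/other rule gives that
# uid/gid set on <path>; root always gets 7. Returns 1 if <path> cannot be stat'ed.
perm_bits() {
    local path uid gids mode owner group g
    path=$1; uid=$2; gids=$3
    set -- $(stat -c '%a %u %g' "$path" 2>/dev/null)
    [ $# -eq 3 ] || return 1
    mode=$1; owner=$2; group=$3
    mode=${mode#"${mode%???}"}            # keep the last three octal digits
    [ "$uid" -eq 0 ] && { echo 7; return 0; }
    [ "$uid" -eq "$owner" ] && { echo "${mode%??}"; return 0; }
    for g in $gids; do
        if [ "$g" -eq "$group" ]; then g=${mode#?}; echo "${g%?}"; return 0; fi
    done
    echo "${mode#??}"
}

# check_readable <file> <uid> "<gid gid ...>"
# Walks from / down to <file>, printing one line per blocking component, then
# notes ACL entries and SELinux state that a plain ls -l hides.
# Returns 0 when that uid/gid set can read the file, 1 otherwise.
check_readable() {
    local file uid gids abs rest cur comp bits rc
    file=$1; uid=$2; gids=$3; rc=0
    abs=$(readlink -f "$file") || { echo "cannot resolve $file"; return 1; }
    rest=${abs#/}; cur=""
    while [ "${rest#*/}" != "$rest" ]; do   # at least one more directory level
        comp=${rest%%/*}; rest=${rest#*/}; cur="$cur/$comp"
        bits=$(perm_bits "$cur" "$uid" "$gids") || { echo "cannot stat $cur"; return 1; }
        case $bits in
            1|3|5|7) ;;
            *) echo "no traverse (x) for uid $uid on directory $cur"; rc=1 ;;
        esac
    done
    bits=$(perm_bits "$abs" "$uid" "$gids") || { echo "cannot stat $abs"; return 1; }
    case $bits in
        4|5|6|7) ;;
        *) echo "no read (r) for uid $uid on file $abs"; rc=1 ;;
    esac
    # A '+' after the mode in ls -l means a POSIX ACL; the group column then shows
    # the ACL mask, so list the named user/group entries explicitly.
    if command -v getfacl >/dev/null 2>&1 && getfacl -p "$abs" 2>/dev/null | grep -Eq '^(user|group):[^:]'; then
        echo "named ACL entries on $abs:"
        getfacl -p "$abs" 2>/dev/null | grep -E '^(user|group):[^:]'
    fi
    # SELinux denials also come back from fopen() as EACCES / Permission denied.
    if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce 2>/dev/null)" = "Enforcing" ]; then
        echo "SELinux is enforcing; check: ausearch -m avc -ts recent  (context: ls -Z $abs)"
    fi
    return $rc
}

# check_user_can_read <user> <file>: the same check, resolving the account with id(1).
check_user_can_read() {
    local uid gids
    uid=$(id -u "$1") || return 1
    gids=$(id -G "$1")
    check_readable "$2" "$uid" "$gids"
}

# Usage: sh check_cert_access.sh irisusr /etc/pki/tls/certs/int-lxiris-vd01.pem
# (account and path are assumptions; use the IRIS service user and the exact
# "Certificate file:" path from the REDEBUG log).
if [ $# -eq 2 ]; then
    check_user_can_read "$1" "$2"
fi
```

The script reasons from mode bits and ownership only, so it can be run without switching users; the definitive end-to-end confirmation on the server is to open the file as the service account, for example `runuser -u irisusr -- head -c 1 /etc/pki/tls/certs/int-lxiris-vd01.pem`, which fails with the same Permission denied that OpenSSL reports if any of the three causes above applies. Run the same check against the private key path, since use_certificate_chain_file is only the first of the two files the configuration has to open.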