#Encryption

Hello,
I am currently facing the task of retrieving or sending HL7 messages from a web API. Since we only send HL7 messages via internal sockets, web APIs are relatively new to me.
The following is my plan for the new interface:
I have created a new custom business service that periodically sends requests to a business process. In this business process, the HTTP request (HTTP.GenericMessage) is then created from scratch. The special feature is the "Authorisation" header field, where a signature is inserted, which consists of a base64-encoded hash value.

Working on a project where I'm needing to make FHIR calls from my HealthConnect Interop production to Epic. 

My issue is I'm not able to construct a valid JWT for the OAuth token retrieval that Epic will accept. I have the below code where I'm able to create a valid header and payload that I'm base64URL encoding and then trying to sign with my .pem private key file. However, Epic is not liking the signature portion of my JWT.

As such, I wanted to present my code to see if I'm performing the signature steps correctly? I've seen some posts where the %Net.

Credentials for a Productions are stored as plain text in ^Ens.SecondaryData.Password and exposed as plain text via SQL table Ens_Config.Credentials which is not ideal as only admins should know the credentials.

I can create my own adapter etc... to store and use encrypted passwords but does anyone know if there is a standard way to do this in a Production?

Alternatively, am I missing how to secure this so the production can run and someone can monitor and operate a production without access to the SQL table or global?

Now I want to return a large amount of data to the front end. The string length has reached 40000 +, and the returned data needs to be encrypted by AES + Base64. I can convert the string into a stream. AES can use the AESCBCEncryptStream method to encrypt, but Base64 has no stream method。Anyone who get the solution  would you kindly share the solution please。

Any help would be appreciated. Thanks!

Hello; We are managing several Ensemble instances on several servers.  One server has 4 instances, and two other servers have one instance each (those are production servers).  We encrypt all instances using the Caché encryption in the management portal.

Currently we are using two different encryption keys: 1 key on the server with 4 instances, which is used for all 4 instances, and a second key on single-instance server. ( I'm installing the newest production server now.)

What I'd like to know is what are the best practices for managing encryption keys for separate servers.

We've implemented SAML authentication for our application where we are the service provider and various other entities are the identity providers. We've done successful connections with several identity providers including Okta, Duo Mobile, Ping Identity, and Azure. Validating the SAML response with signed assertions has been working great. Now, I am trying implement support for the SAML assertions in the response being encrypted for a new identity provider and struggling to understand procedurally how to go about this.

Hello,

Sorry for my epic english :(

I have a strange issue.

I have generated an encryption key with the tool (UI.Portal.EncryptionCreate.zen).

Then  I activate my key for data encryption (UI.Portal.EncryptionManaged) and encryption work fine.

But when I reboot my server the key is removed from the data encryption key list (UI.Portal.EncryptionManaged) and I have to re-activate the key.

Perhaps somebody have an idee ?

Cache version : Cache for Windows (x86-64) 2016.2.2 (Build 853U)

Windows: Windows Server 2012 R2 Standard

Thanks

Sébastien

Currently running Ensemble on Red Hat Enterprise Linux Server release 7.7

One of our clients is requesting files sent to their SFTP site be encrypted with their PGP public key and digitally signed with our PGP private key

We have created a custom class that includes the following command to encrypt the files

if (pAction = "Encrypt") {
// Find the Key ID from the Keyname
set tKeyId = ..GPGKeyLookup(pKeyName, ..#PUBLICKEYLUT)
set tCmdLine = "gpg --homedir "_pGPGhomedir_" --always-trust -r """_tKeyId_""" -o "_pOutFileName_" -e "_pInFileName
}
// Execute the command to generate the output file

I'm currently re-engineering an application from CSP pages directly accessing COS Methods, to an Angular/Material front end accessing a REST DAL.  Both the Angular front end and REST services are hosted from the same Caché instance and the same namespace, but the REST services have their own CSP application, with all calls being routed through a Dispatch class.  

I've come across an architecture issue recently, and am trying to assess the options I have.  At present, we encode a call to a class which takes in an OID and returns the Stream to the browser.

I am using the Java Binding to connect a Java Middleware Application to Cache.  Originally I was using a CacheListOfDataTypes (JAVATYPE = "java.lang.List") object to bring data back.  I was tasked with encrypting the data using AES and I was using the AESCBCEncrypt function on the List elements (up to 20k characters for each element) to bring it back before concatenating it on the middleware.  This almost worked.  Like 95% of the characters were being decrypted correctly but some text was coming back garbled.  I couldn't understand how this was happening.

Hi Community, 
 

Can I please check what the size limit for the parameter in  $SYSTEM.Encryption.Base64Decode() method ? 

I have a 12 page base64 encoded PDF document, which is failing when decoded. I am getting the error below:

ERROR <Ens>ErrException: <ILLEGAL VALUE>zXSDToLogical+1^%Library.Binary.1 -- logged as '-' number - @''

OBX:5 size=4233781

I tried the below from terminal, but it is not able copy the whole string for the parameter so couldn't execute it. 

Set text=$SYSTEM.Encryption.Base64Decode("JVB<<TRUNCATED>>) 

I am able decode the same string using notepad++ and save it as PDF.

Hello,

Looking for some help on how I actually set the properties to enable tracing for %Net.SSH.Session ?

The doc is here:

https://docs.intersystems.com/latest/csp/documatic/%25CSP.Documatic.cls…

The values look bitwise in their defaultness and I cant seem to figure out how to enable it in my object (or if I am going about this wrong altogether).  I am troubleshooting an elusive ssh error: unable to exchange encryption keys in a catch at the moment.

Would appreciate a clue if anybody has experience with it... thank you.

-Ron

Hi! I'm banging my head to the wall with HMAC authentication. I have tried to implement this various ways but nothing seems to work.

If someone could help on this it would be great!

Here is a code that I have tried and working Javascript example, tested on Postman. 

All,

Totally new to Cache and Encryption.  Have a project requirement for SHA-512.  

I need to create a JWT to connect to EPIC FHIRserver sandbox.

https://fhir.epic.com/Documentation?docId=oauth2&section=BackendOAuth2G…

You will generate a one-time use JSON Web Token (JWT) to authenticate your app to the authorization server and obtain an access token that can be used to authenticate your app's web service calls. There are several libraries for creating JWTs. See jwt.io for some examples.

The header and payload are then base64 URL encoded, combined with a period separating them, and cryptographically signed using the private key to generate a signature.

Hello All,

I am trying to Exporting the InterSystems Cache Encryption Key to an External HSM.

My External HSM supports importing the key.

Is that can be done? or supported.

Regards

Amit Kumar Thakur

+91-9953946465

Hello all,
we have an encryption problem.

Out partner decode url with AES CBC 256 using crypto-js
https://community.dynatrace.com/t5/Troubleshooting/AES-Encryption-and-D…

with this params value:
var iv = CryptoJS.enc.Hex.parse("0000000000000000");
var stringyouWantToEncrypt = "HelloWorld";
var base64Key = "RXJjb2xpbm9zZW1wcmVpbnBpZWRp";
var encrypted = CryptoJS.AES.encrypt(
    stringyouWantToEncrypt,
    CryptoJS.enc.Base64.parse(base64Key),
    {
        iv: iv,
    }
);
console.log("Key " + CryptoJS.enc.Base64.parse(base64Key));
console.log("Result!

Thanks for all replies in advance.  We have a security vulnerability that we have to get rid of.  We use Putty software to connect to cache as a terminal allowing several users to do maintenance work in cache.  this uses telnet Plain text.  I know that we can configure telnet to be encrypted using the super server service and I'm looking for software that can work like Putty as a terminal using encryption compatible with cache telnet encryption.

Hi everyone,

I have a project which requires the sending of JSON messages to an external service provider using REST. The service provider requires the message contents to be signed.

Their instructions:

1. Add a header called "Date" with the the date and time in a specific format - done
2. Add the client's certificate password in a field in the header - done
3. Create a string which consist of the {Date}{newline}{Password}{newline}{etc}{Message Body}.

Dear Community,

I am trying to convert a base64 encoded string to a pdf. I have tried a lot of possible ways, but never succeeded. I am able to decode the base64 using $System.Encryption.Base64Decode but I am not able to convert it and store this in a path.

Can anybody help me out here?

Thanks.

Hi team.

Does anyone has any idea on how to send an encrypted / secure Print from IRIS ( which is hosted on AWS ) to a printer ( which is an on-premise device ).

Thanks

Paras

Hi,

I have a client who is considering encryption options in order to comply with a tendering requirement.

Were they to encrypt the production database then what would be a reasonable expectation forthe impact on message throughput. Or possibly more easily answered: what would be the expected impact be on I/O rate and CPU utilization. Are there any benchmarks to which could support an estimate ?

How would this compare with plan B: to use disk encryption ?

Thanks

I want to use AESEncode encryption, but it prompts a MAXSTRING error. How to solve it?

Hi,

We wanted to use the MD5Hash function,

And had trouble understanding it's return value , as documented:

"Return value: 16-byte MD5 hash."

The value we wanted should have been a simple string, and we did not know how to convert the output to string.

Searching for a solution we found this article:

https://groups.google.com/forum/#!msg/intersystems-public-cache/FdkHIgS9PkQ/P7s-92kN70UJ

That had this solution that works:

"If you know what this gibberish stuff is about, it can be very simple ;)

USER> s h = ##class(%SYSTEM.Encryption).MD5Hash("f.

Hi All,

Hopefully  someone can help me with this case. I need to encrypt a text(querystring) with an AES265 encryption. An other vendor is decrypting this information. I have a working class in C#. I've tried to build the same in Objectscript for the encrypt part but there's a missing link somewhere.  What's the difference between the C# and Objectscript implementation?

Objectscript code (until now):

Class TEST.ENCRYPT
{

// Symmetric Keys sample to encrypt

ClassMethod DoAESCBCEncrypt() As %Status
{
	set key="pZR8qfrz7t47G+dboyJCH4NnJRrF+dJbvxq37y/cLUo="
	set iv=##class(%PopulateUtils).

Hi,

I have a situation where I write a character stream to a file. The file content gets signed and the signature is sent to a service provider together with the file content.

The signing is done using openssl.

This works perfectly on a dev PC, which is runnning Windows and has a little-endian architecture.

The problem is as soon as I do this on the server, which has a big-endian architecture, the signed value is incorrect according to the service provider.

The content is signed using RSA SHA256 with PSS padding.

I've had a look at $nconvert, $sconvert, etc., but can't get to a solution.

I have an application that is requires an Encoded HL7 message sent over SOAP over HTTPS using SSL/TLS... the Response that is return is also encoded, which I know how to Decode but not sure when I Decode the response how to Extract the HL7 message to send back to the router.

How do I capture the Routing Source System and parse the encoded message back into an HL7 format that would show on the trace viewer?

Below is an example...where I get the response and want to send it back to FeederScottRouting as an HL7 message that can be tied to the Parent ID of the sending request message?

Can the built-in $System.Encryption.TOTP() function be used in conjunction with Authenticator Apps (e.g. Google, Microsoft, and so on)?

Providing the same secret/key to a variety of authentication apps, they all return the same synchronized value. However, passing the same secret/key to $System.Encryption.TOTP() is generating a different value (with all instances executing at the same time for comparison).

All of the reference material I have found so far mentions RFC4226 or RFC6238 or both, including the Intersystems documentation.

We are currently performing encryption at the OS level but it makes storage expansion complicated. Any feedback on OS encryption vs. Ensemble? Pros/Cons. We will have CentOS7 on our new server.

Thanks

Hi guys,

I try to make a test of encryption, decryption of a simple text.

I can crypt my text, but I can't decrypt it, do you see somewhere a dummy error of my part ?

Thanks for help

ClassMethod UnitTest()

{

  set inputPlainText = "David"

  // get private key

  set privKeyFileName = "C:\temp\toto.pem"

  set privobjCharFile = ##class(%Stream.FileCharacter).%New()

  set privobjCharFile.Filename = privKeyFileName

  set privKey = privobjCharFile.Read()

  set Inputbase64 = $SYSTEM.Encryption.Base64Encode(inputPlainText)

  // encrypte text using RSA

  set encryptText = $System.Encryption.