SSL

Syndicate content 16 

I was wondering if there was a certain procedure or documentation on securing (Https://) the Web Portal into IRIS/Ensemble?

Currently we are using LDAP Delegated Authentication to access the Web Portal using LDAP. However as more and more emphasis is put on securing applications within networks, I can see Management/Security asking us to make sure that the web portal is more secure.

10
0 2 99

Hi all,

 

I want to share a quick little method you can use to enable ssl with a self signed certificate on your local development instance of IRIS/HealthShare. This enables you to test https-specific features such as OAuth without a huge lift.

 

 

1. Install OpenSSL

Windows: https://slproweb.com/download/Win64OpenSSL_Light-1_1_1g.exe

Debian Linux: $ sudo apt-get -y install openssl

RHEL: $ sudo yum install openssl

 

40
2 0 155

Hi, a client have a installed enviroment with mirror activated, but when you test SSL on webservices you can get an error, not SSL access correctly from browser because certificate problem apparently with TLS Version, someone have a suggestion to reinstall SSL Certificates on mirrors ?

Chrome : something wrong, no details or diagnostic
Firefox : SSL_ERROR_HANDSHAKE_FAILURE_ALERT

We try simple regenerate Authority an regenerate all certificates, but not worked. Same results.

00
0 4 88

Hello Community, 

I want to secure a SOAP Webservice (an EnsLib.SOAP.Service one, if that matters) adding a SSL/Username Policy to it. As im not sure how detailed my request here should get, ill try giving a detailed as-is description of my setup, what I've tried, how I tried to test the connection and what problems including some logs I ran into. 

As a small foreword: I'm pretty new to the whole security aspect of intersystems and soap itself. 

System:

10
0 3 166

When using Studio, ODBC or a terminal connection to Caché or Ensemble, you may have wondered how to secure the connection. One option is to add TLS (aka SSL) to your connection. The Caché client applications - TELNET, ODBC and Studio - all understand how to add TLS to the connection. They just need to be configured to do it.

Configuring these clients is easier in 2015.1 and later. I'm going to be discussing this new method. If you're already using the old, legacy method, it will continue to work, but I would recommend you consider switching to the new one.

190
0 2 3,277

There's an easy new way to add certificate authority (CA) certificates to your SSL/TLS configurations on InterSystems IRIS 2019.1 (and 2018.1.2) on Windows and Mac.  You can ask IRIS to use the operating system's certificate store by entering:

%OSCertificateStore

in the field for "File containing Trusted Certificate Authority X.509 certificate(s)".   Here's an image of how to do this in the portal:

120
4 3 572

OAuth server to be deployed on the IRIS learning cloud platform. Clients - one on the other instance of the learning IRIS server, the other client locally on my computer in the container docker.

Both clients get a seemingly correct link (through ##class(%SYS.OAuth2.Authorization).GetAuthorizationCodeEndpoint()) to the login request form:  

10
1 3 242

This is more for my memory that anything else but I thought I'd share it because it often comes up in comments, but is not in the InterSystems documentation. 

There is a wonderful utility called ^REDEBUG that increases the level of logging going into mgr\cconsole.log. 

You activate it by

a) start terminal/login

b) zn "%SYS"

c) do ^REDEBUG

40
0 0 432

Hello all,

Been doing Ensemble for a while but I am struggling with this SOAP set up.

Currently in Cloverleaf, we are taking the HL7 feed out of Epic, and then we put the SOAP wrapper around it.  Then using a CAIR provided wsdl, we seem to be using a JKS file and a PFX file to send the data to CAIR (http://cairweb.org/next-steps-page/).

Here is what I have done so far: I used the SOAP wizard with the wsdl file to create a new Operation.

My questions are these:

00
0 2 135

Hello everyone smiley

I have a server configuration in a CSP Gateway installed on a PC (let's call it S2) different from the main one (let's call it S1). This configuration allows me to access a web application that is installed on S1, from a client C asking S2 for this webapp. But for now it works only in HTTP between C and S2, and we would like to use HTTPS (as it already works between S2 and S1).

10
0 8 693

Hi community,

I would like to ask how to correctly enforce SSL on all "developer traffic" -- that is Management portal and Studio connections -- on a Caché instance.

Given large developer permissions, I would like to eliminate all plaintext credentials on the wire.

Currently, we compile our own httpd with SSL support for Management portal, but this breaks Add-Ins for us, in particular the SOAP wizard. So I guess this is not the "canonical way".

Thanks for any suggestions

Jiri

00
0 12 351
Question
Scott Roth · Jun 29, 2018
Adding TLS to ZAUTHENTICATE

I wrote a ZAUTHENTICATE.mac a couple of months back, and found recently that it is creating coredumps on almost a nightly basis. I think I have figured out this problem to be not clearing out my MsgSearch after I am doing 2 of them within the code.

1. Get User Attibutes from AD

2. Get User Groups From AD

So while I am trying to cleanup the code I thought it would be a good time to add a Certificate and TLS to the mix since I should of been using that all along. However I keep running into issues

10
0 14 284

In this post, I am going to detail how to set up a mirror using SSL, including generating the certificates and keys via the Public Key Infrastructure built in to InterSystems IRIS Data Platform. I did a similar post in the past for Caché, so feel free to check that out here if you are not running InterSystems IRIS. Much like the original, the goal of this is to take you from new installations to a working mirror with SSL, including a primary, backup, and DR async member, along with a mirrored database. I will not go into security recommendations or restricting access to the files. This is meant to just simply get a mirror up and running. Example screenshots are taken on a 2018.1.1 version of IRIS, so yours may look slightly different.

60
1 0 401
Question
Seth Rothenberg · Nov 29, 2017
TCP adaptor + SSH Tunnel

Greetings.

We have one vendor who requires us to send data using TCP

through an SSH port forwarding tunnel that is set up in advance.

UNIX scripts maintain this, and the Ensemble interface uses a TCP Adapter.

 

I was thinking that Ensemble could maintain the SSH tunnel, 

which would improve our detecting of issues.

 

Has anyone done something like this?

I see that the  class %Net.SSH.Session has a method ForwardPort,

but it doesn't stand up the tunnel by itself.   Instead, it appears 

00
0 1 274
Article
Katherine Reid · Nov 27, 2017 1m read
Upgrading TLS configurations

Caché will not change the cryptographic settings in an existing TLS configuration when you upgrade.  This means that unless you've updated them yourself, you're still using the values from the very first version you started using SSL in.  

40
0 2 501

I have an Ensemble installation and just build my first RestService (using %CSP.Rest that forwards them to my Business Service). This works nice and fine when I use postman to make REST calls over http (port 57772). However when I attempt to make a request using https over port 443 I receive the following error:

10
0 7 536

I have an Ensemble installation with an FTP business operation which I would like to connect to a server over SSL in explicit mode (see also: https://www.rebex.net/kb/tls-ssl-explicit-implicit/default.aspx). I keep running into timeouts while attempting to do this via Ensemble. Does Ensemble actually support SSL in explicit mode??? Because I can't seem to find any setting where to switch it on.

00
0 1 355

Hi, 

I can't work out how to use the Cache CA Server to process certificate request from external clients!

We are setting up an interface where we use SSL/TLS 'Mutual Authentication' to allow a client system to securely transmit document to  our server. (they are off-site and hosting a service for us)

I am not a security expert, but my understanding of setting up mutual authentication where my instance of ensemble is the server, and it is receiving messages from a client is as follows

00
0 5 1,054

We are in the process of setting enabling SSL on a soap web service exposed via InterSystems, but are running into trouble. We have installed our certificates on our webserver (Apache 2.4) and enabled SSL over the default port 57772. However, we now get an error when sending a soap message to the web service (it used to work over http). Specifically the CSP gateway refuses to route te emssage the soap web service:

00
0 1 883

I have built an Ensemble SOAP service (EnsLib.SoapService.Service) as a business service which accepts soap requests from another application. To secure the traffic between the SOAP service and the application i'd like to enable SSL. I see that in the management portal I can upload the certificates, chains and keys and save them as an SSL / TLS configuration. However, it is not clear to me how I apply this SSL / TLS configurtion to the soap service I am running.

00
0 2 1,148

In this post, I am going to detail how to set up a mirror using SSL, including generating the certificates and keys via the Public Key Infrastructure built in to Caché. The goal of this is to take you from new installations to a working mirror with SSL, including a primary, backup, and DR async member, along with a mirrored database. I will not go into security recommendations or restricting access to the files. This is meant to just simply get a mirror up and running.

40
0 7 1,530
Question
Chris Paraskiv · Mar 2, 2017
Atelier over https

Can Atelier connect to an Ensemble server that only accepts https connections?

How do I configure that? I did try an ssh into such server and Atelier over that but it didn't seem to work.

 

Any suggestions?

 

Thanks,

Chris

10
0 3 283
Question
Todd Johnson · Mar 2, 2017
TLS Cipher Suite selection

Our client is a test out of 2016.1 (Build 656U) Healthshare that wants to do a one way SSL connection to our Java 1.7/Tomcat 8.0 server.  We have yet to come up with a secure cipher set that Healthshare and Java agree on for the handshake.  So far we've had to use these ciphers identified which are not recommended (though it does do a handshake properly).

00
0 1 658

I have 2 instances of Cache, one of 2010 and the other 2016.  On both I have created a SSL Configuration with same name.

When I connect to a SOAP Service Client from Cache 2010, I get the above error.

If I connect from Cache 2016, the connection get through.

How can get more details of the error in the Cache 2010 instance to be able to fix this issue.

I have enabled the SOAP Log and it does not give much of details.

Regards

Anil

10
0 3 2,633

I have posted to aid others in diagnosing problem with SSL/TLS connections to superserver port from .NET client executable.

The cache instance this appeared on is quite old - 2011 - so I do not know if Intersystems have added a better error message in a later version

The actual fault was due to the certificate in the %SuperServer SSL/TLS configuration having expired.

The unhelpful message that appeared in the .NET client included the following partial stack trace.

 

00
0 0 507