SSL


Hello everyone

I have a server configuration in a CSP Gateway installed on a PC (let's call it S2) different from the main one (let's call it S1). This configuration allows me to access a web application that is installed on S1 from a client C asking S2 for this web app. But for now it only works over HTTP between C and S2, and we would like to use HTTPS (as already works between S2 and S1).

First, here are the tutorials found in the doc:

https://docs.intersystems.com/latest/csp/docbook/DocBook.UI.Page.cls?KEY...

Last answer 13 days ago; last comment 11 days ago; 50 views; rating 0

Hi community,

I would like to ask how to correctly enforce SSL on all "developer traffic", that is, Management Portal and Studio connections, on a Caché instance.

Given the large permissions developers have, I would like to eliminate all plaintext credentials on the wire.

Currently we compile our own httpd with SSL support for the Management Portal, but this breaks the Add-Ins for us, in particular the SOAP wizard. So I guess this is not the "canonical way".

Thanks for any suggestions

Jiri

Last answer 22 January 2019; last comment 13 February 2019; 137 views; rating 0

Hi, a client has an installed environment with mirroring activated, but when testing SSL on web services you get an error: SSL access from the browser does not work correctly because of a certificate problem, apparently with the TLS version. Does someone have a suggestion for reinstalling the SSL certificates on the mirrors?

Chrome: something wrong, no details or diagnostic
Firefox: SSL_ERROR_HANDSHAKE_FAILURE_ALERT

We tried simply regenerating the authority and regenerating all certificates, but it did not work. Same results.

Last answer 12 February 2019; last comment 12 February 2019; 38 views; rating 0

I wrote a ZAUTHENTICATE.mac a couple of months back, and found recently that it is creating core dumps on almost a nightly basis. I think I have figured out this problem to be not clearing out my MsgSearch after I am doing 2 of them within the code.

1. Get User Attributes from AD

2. Get User Groups From AD

So while I am trying to clean up the code I thought it would be a good time to add a Certificate and TLS to the mix, since I should have been using that all along. However, I keep running into issues.

Error message: Cache error: <UNDEFINED>ZAUTHENTICATE+104^ZAUTHENTICATE *LD

It's not displaying the error code it should from the ZAUTHENTICATE in the Audit Database. How do I get it to tell me where it is actually stopping in the ZAUTHENTICATE code? Or can someone look at the code below and see what I might be doing wrong?

Last answer 30 June 2018; last comment 24 July 2018; 197 views; rating +1

In this post, I am going to detail how to set up a mirror using SSL, including generating the certificates and keys via the Public Key Infrastructure built in to InterSystems IRIS Data Platform. I did a similar post in the past for Caché, so feel free to check that out here if you are not running InterSystems IRIS. Much like the original, the goal of this is to take you from new installations to a working mirror with SSL, including a primary, backup, and DR async member, along with a mirrored database. I will not go into security recommendations or restricting access to the files. This is meant to just simply get a mirror up and running. Example screenshots are taken on a 2018.1.1 version of IRIS, so yours may look slightly different.

0 comments; 181 views; rating +3

Greetings.

We have one vendor who requires us to send data using TCP through an SSH port forwarding tunnel that is set up in advance. UNIX scripts maintain this, and the Ensemble interface uses a TCP Adapter.

I was thinking that Ensemble could maintain the SSH tunnel, which would improve our detection of issues.

Has anyone done something like this?

I see that the class %Net.SSH.Session has a method ForwardPort, but it doesn't stand up the tunnel by itself. Instead, it appears to return a handle into the tunnel. It will work a bit differently.

Thanks

Seth

Last answer 29 November 2017; 0 comments; 162 views; rating 0

Caché will not change the cryptographic settings in an existing TLS configuration when you upgrade. This means that unless you've updated them yourself, you're still using the values from the very first version you started using SSL in.

If you've upgraded since creating your TLS configurations, take a moment to look at the enabled protocols and ciphersuites to make sure you've enabled all the versions you want, and disabled the old versions you don't want. You can find your existing TLS configurations in the Management Portal under System Administration -> Security -> SSL/TLS Configurations.

The default ciphersuite string has changed to include new options and is now ALL:!aNULL:!eNULL:!EXP:!SSLv2. If you're still using the old default (TLSv1:SSLv3:!ADH:!LOW:!EXP:@STRENGTH) you may want to change to the new string, as the old one does not include new ciphersuites which some sites require.

Last comment 28 November 2017; 282 views; rating +4
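The two default strings quoted in that post can be expanded on any machine with OpenSSL to see concretely what the old one leaves out. What follows is an added example, not InterSystems code: it uses Python's ssl module (which drives the same OpenSSL cipher-string syntax Caché's SSL/TLS configuration page accepts) to expand both strings and diff them. The function names are this example's own, and the exact suite lists depend on the local OpenSSL build and security level; what stays constant is that the old string, being pinned to SSLv3/TLS 1.0-era suites, yields no ECDHE/AES-GCM suites at all, which is the "new ciphersuites which some sites require" problem the post describes.

```python
# Added example: expand the old and new Caché default ciphersuite strings
# with the local OpenSSL (via Python's ssl module) and diff them.
# The two strings are the ones quoted in the post; the function names are
# this example's own and not a Caché/IRIS API.
import ssl

OLD_DEFAULT = "TLSv1:SSLv3:!ADH:!LOW:!EXP:@STRENGTH"  # old default, per the post
NEW_DEFAULT = "ALL:!aNULL:!eNULL:!EXP:!SSLv2"          # new default, per the post


def expand_cipher_string(cipher_string):
    """Return the TLS 1.0-1.2 suite names OpenSSL selects for cipher_string.

    OpenSSL configures TLS 1.3 suites through a separate list and reports
    them from get_ciphers() whatever the string says, so they are dropped
    here to keep the comparison about the legacy list the post discusses.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def compare_cipher_strings(old, new):
    """Diff two cipher strings: which suites the new one adds and drops."""
    old_set = set(expand_cipher_string(old))
    new_set = set(expand_cipher_string(new))
    return {
        "added": sorted(new_set - old_set),
        "dropped": sorted(old_set - new_set),
        "common": sorted(old_set & new_set),
    }


def offers_ecdhe_aes_gcm(names):
    """True if at least one forward-secret AEAD suite (ECDHE + AES-GCM) is
    present; these are what peers that reject the old default typically want."""
    return any(n.startswith("ECDHE-") and "-GCM-" in n for n in names)


def no_forward_secrecy(names):
    """Suites whose key exchange is plain RSA (no DHE/ECDHE in the name):
    recorded traffic can be decrypted later if the server key ever leaks."""
    return [n for n in names if "DHE-" not in n]


if __name__ == "__main__":
    old = expand_cipher_string(OLD_DEFAULT)
    new = expand_cipher_string(NEW_DEFAULT)
    print("old default offers ECDHE+AES-GCM:", offers_ecdhe_aes_gcm(old))
    print("new default offers ECDHE+AES-GCM:", offers_ecdhe_aes_gcm(new))
    report = compare_cipher_strings(OLD_DEFAULT, NEW_DEFAULT)
    for n in report["added"]:
        print("  + only in new default:", n)
    for n in report["dropped"]:
        print("  - only in old default:", n)
    for n in no_forward_secrecy(report["common"]):
        print("  ! in both, no forward secrecy:", n)
```

Note that "ALL" also keeps the static-RSA suites the old string had, so switching to the new default gains the modern suites without removing the legacy ones; the no_forward_secrecy list shows which of those you may still want to exclude explicitly once you have checked what your peers negotiate.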

I have an Ensemble installation and just built my first REST service (using %CSP.Rest, which forwards the requests to my Business Service). This works nice and fine when I use Postman to make REST calls over HTTP (port 57772). However, when I attempt to make a request using HTTPS over port 443 I receive the following error:

Last answer 23 November 2017; last comment 23 November 2017; 291 views; rating 0

I have an Ensemble installation with an FTP business operation which I would like to connect to a server over SSL in explicit mode (see also: https://www.rebex.net/kb/tls-ssl-explicit-implicit/default.aspx). I keep running into timeouts while attempting to do this via Ensemble. Does Ensemble actually support SSL in explicit mode? I can't seem to find any setting where to switch it on.

Last answer 7 November 2017; 0 comments; 219 views; rating 0

Hi, 

I can't work out how to use the Caché CA Server to process certificate requests from external clients!

We are setting up an interface where we use SSL/TLS 'Mutual Authentication' to allow a client system to securely transmit documents to our server (they are off-site and hosting a service for us).

I am not a security expert, but my understanding of setting up mutual authentication, where my instance of Ensemble is the server and it is receiving messages from a client, is as follows

Last answer 3 May 2017; last comment 2 May 2017; 636 views; rating 0

We are in the process of enabling SSL on a SOAP web service exposed via InterSystems, but are running into trouble. We have installed our certificates on our web server (Apache 2.4) and enabled SSL over the default port 57772. However, we now get an error when sending a SOAP message to the web service (it used to work over HTTP). Specifically, the CSP Gateway refuses to route the message to the SOAP web service:

<SOAP-ENV:Envelope SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:s="http://www.w3.org/2001/XMLSchema">
  <SOAP-ENV:Body>
     <SOAP-ENV:Fault>

Last answer 3 May 2017; 0 comments; 492 views; rating 0

I have built an Ensemble SOAP service (EnsLib.SoapService.Service) as a business service which accepts SOAP requests from another application. To secure the traffic between the SOAP service and the application I'd like to enable SSL. I see that in the Management Portal I can upload the certificates, chains and keys and save them as an SSL/TLS configuration. However, it is not clear to me how I apply this SSL/TLS configuration to the SOAP service I am running. I would expect something under Security -> Applications -> Web Applications, or even on the business service running in the production itself, but I can't find it.

How do I setup the SSL connection?

Last answer 20 April 2017; 0 comments; 623 views; rating 0

In this post, I am going to detail how to set up a mirror using SSL, including generating the certificates and keys via the Public Key Infrastructure built in to Caché. The goal of this is to take you from new installations to a working mirror with SSL, including a primary, backup, and DR async member, along with a mirrored database. I will not go into security recommendations or restricting access to the files. This is meant to just simply get a mirror up and running. Example screenshots are taken on a 2016.1 version of Caché, so yours may look slightly different.

Step 1: Configure Certificate Authority (CA) Server

Last comment 29 March 2017; 975 views; rating +4

Our client is testing out HealthShare 2016.1 (Build 656U) and wants to do a one-way SSL connection to our Java 1.7/Tomcat 8.0 server. We have yet to come up with a secure cipher set that HealthShare and Java agree on for the handshake. So far we've had to use these ciphers identified, which are not recommended (though it does do a handshake properly). Our definition of "secure cipher set" comes from this best practices section 2.3, and ideally we'd like to use the ciphers identified there. Are any of these available in HealthShare 2016+?

Last answer 2 March 2017; 0 comments; 437 views; rating 0

I have 2 instances of Caché, one 2010 and the other 2016. On both I have created an SSL configuration with the same name.

When I connect to a SOAP service client from Caché 2010, I get the above error.

If I connect from Caché 2016, the connection gets through.

How can I get more details of the error in the Caché 2010 instance to be able to fix this issue?

I have enabled the SOAP log and it does not give much detail.

Regards

Anil

Last answer 30 January 2017; last comment 31 January 2017; 1083 views; rating +1

I have posted this to aid others in diagnosing problems with SSL/TLS connections to the superserver port from a .NET client executable.

The Caché instance this appeared on is quite old (2011), so I do not know if InterSystems has added a better error message in a later version.

The actual fault was due to the certificate in the %SuperServer SSL/TLS configuration having expired.

The unhelpful message that appeared in the .NET client included the following partial stack trace.

0 comments; 270 views; rating 0

When using Studio, ODBC or a terminal connection to Caché or Ensemble, you may have wondered how to secure the connection. One option is to add TLS (aka SSL) to your connection. The Caché client applications - TELNET, ODBC and Studio - all understand how to add TLS to the connection. They just need to be configured to do it.

Configuring these clients is easier in 2015.1 and later. I'm going to be discussing this new method. If you're already using the old method, it will continue to work, but I would recommend you consider switching to the new one.

0 comments; 1964 views; rating +15

Question:

Where can I find the openssl command line tool for Windows?

Answer:

The openssl command line utility comes with Unix, but not with Windows. It is used for working with security certificates.

The main site is

https://www.openssl.org/

There are no binaries on this site but in the Community section there is a link for binaries which leads to:

https://www.openssl.org/community/binaries.html

This contains a link to "An informal list of third party engines":

https://wiki.openssl.org/index.php/Binaries

At the time of writing this had two entries for OpenSSL for Windows. I chose the first one:

https://slproweb.com/products/Win32OpenSSL.html

0 comments; 480 views; rating -1

I am using OAuth2 Cache framework, acting as a client to an authorization server. My setup is based on this excellent previous post [Caché Open Authorization Framework (OAuth 2.0) implementation – part 1].

I'm facing ‘Authorization Server Error: Error Processing Response - No match between server name 'googleapis.com' and SSL certificate values google.com…’

It looks like I should set SSLCheckServerIdentity to false but I can’t figure out how. Has anyone had the same issue?

Last answer 2 November 2016; last comment 2 November 2016; 514 views; rating 0
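The error quoted in that post comes from the server-identity check: the client asked for 'googleapis.com' and the certificate it received carried names for 'google.com'. Switching SSLCheckServerIdentity off makes that check vanish, so any certificate a trusted CA issued for any name would be accepted and an attacker on the path could impersonate the authorization server; the safer fix is to make the endpoint host and the certificate names agree. To make clear what the check actually decides, here is the comparison written out in plain Python. This is an added example, not Caché code: the SAN list is constructed to mirror the post, the function names are this example's own, and it implements the strict reading of RFC 6125 section 6.4.3 (wildcard only as the entire left-most label).

```python
# Added example: the server-identity (hostname) check behind the quoted
# error, written out explicitly. Not Caché/IRIS code; the certificate names
# below are constructed to mirror the post (asked for googleapis.com, cert
# issued for google.com).
import ipaddress


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def dns_name_matches(pattern, hostname):
    """Compare one certificate dNSName (pattern) against the requested host.

    Rules applied (RFC 6125 section 6.4.3, strict form):
      * case-insensitive, trailing dot ignored;
      * a wildcard is accepted only as the entire left-most label
        ('*.google.com'; not 'w*.google.com', not '*.com');
      * the wildcard stands for exactly one label, so '*.google.com'
        matches 'www.google.com' but neither 'google.com' nor 'a.b.google.com';
      * an IP literal never matches a dNSName (it would need an iPAddress SAN).
    """
    if _is_ip_literal(hostname):
        return False
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False  # partial wildcard, or too broad ('*.com')
    if any("*" in label for label in p_labels[1:]):
        return False  # wildcard allowed only in the left-most label
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False  # exactly one real label must stand in for '*'
    return h_labels[1:] == p_labels[1:]


def server_identity_ok(requested_host, san_dns_names):
    """True if any dNSName in the certificate matches the host we connected to."""
    return any(dns_name_matches(name, requested_host) for name in san_dns_names)


def identity_error(requested_host, san_dns_names):
    """None if the identity check passes, otherwise a message in the same
    shape as the one quoted in the post."""
    if server_identity_ok(requested_host, san_dns_names):
        return None
    return "No match between server name '%s' and SSL certificate values %s" % (
        requested_host, ", ".join(san_dns_names))


if __name__ == "__main__":
    cert_names = ["google.com", "*.google.com"]  # constructed, mirrors the post
    for host in ["googleapis.com", "www.google.com", "a.b.google.com", "192.0.2.10"]:
        print(host, "->", identity_error(host, cert_names) or "ok")
```

When the check fails in practice, compare the host in the URL you configured against the SAN entries of the certificate the server actually presents (the issuer may have put a different name on it than you expected); fixing whichever of the two is wrong keeps the protection that the check provides.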

Question:

What version of Caché supports TLS v1.2? 

Answer:

Caché 2015.2 announced support for TLS v1.1 and v1.2.  In this version, the SSL/TLS configuration page provides checkboxes for TLS v1.1 and v1.2, which allows the versions to be configured individually.  This allows sites to, for example, require TLS v1.2 only.

Additionally, some earlier versions of Caché provide undocumented support for TLS v1.1 and v1.2, specifically Caché 2014.1.3 and above and 2015.1, on Windows, Linux and Unix.

0 comments; 912 views; rating +5

Hi,

I'm posting this for the benefit of others. It's not often that one changes certificates in Caché, at least in my case. I run a system that uses certificates to encrypt SOAP messages, and since the last time I ran it, my certificates expired.

So I renewed them using our PKI tool; so far so good. I gave all (3) certificates the same names (and filenames too) as the expired ones, thinking that everything would just work fine the next time I call the SOAP service.

Unfortunately, I got trapped.

It took me rather a long while to realize that replacing the old files with new ones is not enough. You also need to DELETE and CREATE again all your X.509 Credentials (with the original names) to reflect the changes; otherwise your X.509 credentials still remember the old certificates with the old serial numbers (yes, that's a good indicator of which certificate is active).

Hope this helps others.

Dan

0 comments; 323 views; rating +2