#SSL

Good day 

I am trying to connect a business service to fileZilla using FTP on my local PC Win 11.

I am trying to setup my training after attending the Building HL7 interfaces course with ISC.

The connection is failing. He is the error below

ERROR <Ens>ErrOutConnectFailed: FTP Connect failed for localhost:21//SSL=' with error ERROR <Ens>ErrFTPConnectFailed: FTP: Failed to connect to server 'localhost:21//SSL='/' (msg='Missing required argument',code=501)

I'm using a %Net.HttpRequest which had been successful in the past, but started failing at some point with a SSL/TLS protocol error.

ERROR #6085: Unable to write to socket with SSL/TLS configuration 'groundca', error reported 'SSL/TLS error in SSL_connect(), SSL_ERROR_SSL: protocol error, error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol'

The SSL/TLS configuration:

The request's SSLConfig is set to the "groundca" config when making the request.

A request using the same URL, API key, and CA file through Curl receives the desired response from the API at "https://osrd.

Hi all,

I am trying to establish an HTTPS connection to a server using a %Net.HttpRequest object. I'm able to ping and curl the server via command line. The issue I am running into is that I am able to establish a connection, but something seems to be going wrong with verification from the server side. For example, if I use the CheckSSLCN method on the server, it returns this error message 

ERROR #6155: Unable to verify SSL/TLS connected to correct system as no SSL certificate present for this socket.

I am developing a business operation that receives a request, creates a message with the data contained in it and sends it to an outlook email. For testing purposes both the sender and the destination are the same email account
This is the code:
ClassBO.AlertEmailSenderExtendsEns.BusinessOperation{

Hello,

Recently I have been tinkering with VSCode and ObjectScript extension to connect to my dockerized IRIS instance. I have configured the instance to use Apache as a Web Gateway as per instructions and it has been working well. Currently I'm using a self-signed certificate for the SSL part of the connection. The browser nags about insecure certs when connecting to Management Portal but that's expected.

I'm trying to configure an SSL/TSL configuration in our test environment so we can send ADT messages to an external server. I've verified connectivity/firewall to the external server.

type is set to Client, Server certificate verification is set to Require.

I have received a certificate from the external supplier and linked that in the "File containing trusted Certificate Authjority certificate" field. (I've also imported it into the cert store and tried using %OSCertificateStore).

My client certificate is in PEM format, the decrypted key was extracted using SSLOpen. Protocol enabled is TLSv1.

Hi,

I am trying to connect to another server using  %Net.HttpRequest.

I keep getting this error  : SSL23_GET_SERVER_HELLO:unsupported protocol.

My guess is that the site I am reaching for uses TLS1.3 which is not supported in 2016, But I cant right now ask my client to upgrade.

Is it possible to override this ? install some kind of a patch or a more recent version of openssl on the server ?

Thanks

Amiram

Hello,

I have Iris4Health community version (using for some development) running in a docker container and trying to enable TLS/SSL/HTTPS in the container. I have created the SSL cert chain (root ca/web site cert) via open SSL have the http.conf and http-local.conf file loaded on a durable volume. I have  also loaded the root CA in the trusted root cert store on the device that is connecting.

After inspecting the logs it looks like apache has loaded the certs and is listening on the correct port, but I am unable to connect to the mgmt portal via SSL.

I've disabled TLS v1.0 and 1.1 within Healthshare setting, but still seeing these error messages when running a security scan. We do have apache being used. What else can I try?

Error messages:

After what is seemed was weeks, I finally got SSL/TLS enabled on both Apache Web Server and IRIS using the Web Gateway. However while we can now use HTTPS to connect to our Development instance of IRIS, I am running into several errors when I have others try to access the Management Portal via HTTPS.

We are seeing...

• "Unexpected status code, unable to process Hyper Event: Internal Server Error (500)"
• Server Unavailable

I am not sure if this is the correct place for this question, but I am struggling to setup TLS security for our IRIS Management Portal and etc. through Apache and the Web Gateway. I have a couple of questions when it comes to the setup.  

• if I build a private key and certificate within Red Hat, does that certificate have to be on everyone's pc to connect to the Management Portal?
• Can I use a self signed Certificate?
• Can I use the existing CA on the server, or do I need to work with my Data Security team to get a Certificate?

Any help would be appreciated

Thanks

Scott Roth

I was wondering if there was a certain procedure or documentation on securing (Https://) the Web Portal into IRIS/Ensemble?

Currently we are using LDAP Delegated Authentication to access the Web Portal using LDAP. However as more and more emphasis is put on securing applications within networks, I can see Management/Security asking us to make sure that the web portal is more secure.

Maybe I am not looking at the right place for documentation, but is there a Best Practice guide, set of instructions, or Online learning that can help guide me in trying to make our environment more secure?

Hi

We have ODBC 32bit Encryption working on our database with a SSLDEFs.ini file.  However 64 bit ODBC Encryption will not work and give generic error, same error if the ini file is not there for 32BIT.

We have copied the ini file to the 64bit folder?  Any ideas please?

thanks

I'm trying to implement an OAuth2 server, but I have som issues when trying to setup JWT under OAuth 2.0->Client.

I get the error message saying "No match between server name 'localhost' and SSL certificate values 'cache'". I have set up a SSL/TLS configuration as simple as possible without any certificate files. I'm accessing my server via HTTPS with an unsigned certificate.

Can anyone point me in the right direction on how to resolve the issue I'm encountering.

Hello everyone, I can choose between RSA and DSA. ECC seems to be unsupported. Is there any workarounds without using external binary like curl?

Best regards RY

I have 2 instances of Cache, one of 2010 and the other 2016.  On both I have created a SSL Configuration with same name.

When I connect to a SOAP Service Client from Cache 2010, I get the above error.

If I connect from Cache 2016, the connection get through.

How can get more details of the error in the Cache 2010 instance to be able to fix this issue.

I have enabled the SOAP Log and it does not give much of details.

Regards

Anil

We are getting more and more request wondering if we could send/receive data via HTTPS to the outside world from within our Hospital Network. As you can imagine our Ensemble/Cache productions are not exposed to the DMZ or has access outside of the network. We only communicate with external vendors through a VPN, so communicating not using a VPN is rather new to us.

Currently there is a project to get rid of using Proxy, and instead of through a Load Balancer that can use rules to filter out traffic, which adds another layer of complexity.

Hi team.

Does anyone has any idea on how to send an encrypted / secure Print from IRIS ( which is hosted on AWS ) to a printer ( which is an on-premise device ).

Thanks

Paras

Hello, I have an SSL / TLS configuration that used TLSv1.0 encryption.

However, I need to update to the TLS 1.2 version of encryption, and apparently Caché 2012.1 does not support it according to this link: https://community.intersystems.com/post/tls-v12-support-cach%C3%A9
 

Can I add a library to the Cache, enable TLSv1.2 in some way, or just a version update?

I have a .JKS Keystore file and associated password.

How do I reference that file when creating a web service (SOAP) call out?

Hi, a client have a installed enviroment with mirror activated, but when you test SSL on webservices you can get an error, not SSL access correctly from browser because certificate problem apparently with TLS Version, someone have a suggestion to reinstall SSL Certificates on mirrors ?

Chrome : something wrong, no details or diagnostic
Firefox : SSL_ERROR_HANDSHAKE_FAILURE_ALERT

We try simple regenerate Authority an regenerate all certificates, but not worked. Same results.

Hello Community, 

I want to secure a SOAP Webservice (an EnsLib.SOAP.Service one, if that matters) adding a SSL/Username Policy to it. As im not sure how detailed my request here should get, ill try giving a detailed as-is description of my setup, what I've tried, how I tried to test the connection and what problems including some logs I ran into. 

As a small foreword: I'm pretty new to the whole security aspect of intersystems and soap itself. 

System:

I've tried it on 2 different systems with pretty much the same result: 

1. IIS Server with a 2 System-Mirror Healthshare 2018.1.

Hello good afternoon!

We're testing a REST Operation, to View Devices using OneSignal API

We are sending the request from Production's Operation Test tool, using the following code:

What happens is that it tells us error of SSL Configuration:
 

It should be noted that the test was done without https, to:

set path = http://onesignal.com/api/v1/players?app_id=.

OAuth server to be deployed on the IRIS learning cloud platform. Clients - one on the other instance of the learning IRIS server, the other client locally on my computer in the container docker.

Both clients get a seemingly correct link (through ##class(%SYS.OAuth2.Authorization).GetAuthorizationCodeEndpoint()) to the login request form:  

https://52773b-62955584.labs.learning.intersystems.com/oauth2/authorize?response_type=code&client_id=nHCv5A-u_5T1YAwk_tJ7xpi1ky-s2AnRQMaL6YHsUgU&redirect_uri=https%3A//52773b-99792125.labs.learning.intersystems.com/csp/sys/oauth2/OAuth2.Response.

Hi, 

Is there any facility in Health Connect to notify us before a SSL/TLS security certificate expires?

I'd be interested in how other teams handle this as we are using TLS/SSL a lot more to integrate with external services. 

Kind regards, 

Stephen
 

Hi Community!

How do you create SSL Configuration for InterSystems IRIS programmatically? E.g. for installation or deployment case?

E.g. if I need to create a very simple "default" SSL client configuration to let HTPPS Get requests to an arbitrary server?

Hello all,

Been doing Ensemble for a while but I am struggling with this SOAP set up.

Currently in Cloverleaf, we are taking the HL7 feed out of Epic, and then we put the SOAP wrapper around it.  Then using a CAIR provided wsdl, we seem to be using a JKS file and a PFX file to send the data to CAIR (http://cairweb.org/next-steps-page/).

Here is what I have done so far: I used the SOAP wizard with the wsdl file to create a new Operation.

My questions are these:

- I believe I need to change the JKS file into a PEM file in order to use it with Ensemble?

Hello everyone

I have a server configuration in a CSP Gateway installed on a PC (let's call it S2) different from the main one (let's call it S1). This configuration allows me to access a web application that is installed on S1, from a client C asking S2 for this webapp. But for now it works only in HTTP between C and S2, and we would like to use HTTPS (as it already works between S2 and S1).

First here are the tutos found in the doc:

https://docs.intersystems.com/latest/csp/docbook/DocBook.UI.Page.cls?KE…

https://docs.intersystems.com/latest/csp/docbook/DocBook.UI.Page.cls?

Hi community,

I would like to ask how to correctly enforce SSL on all "developer traffic" -- that is Management portal and Studio connections -- on a Caché instance.

Given large developer permissions, I would like to eliminate all plaintext credentials on the wire.

Currently, we compile our own httpd with SSL support for Management portal, but this breaks Add-Ins for us, in particular the SOAP wizard. So I guess this is not the "canonical way".

Thanks for any suggestions

Jiri

I wrote a ZAUTHENTICATE.mac a couple of months back, and found recently that it is creating coredumps on almost a nightly basis. I think I have figured out this problem to be not clearing out my MsgSearch after I am doing 2 of them within the code.

1. Get User Attibutes from AD

2. Get User Groups From AD

So while I am trying to cleanup the code I thought it would be a good time to add a Certificate and TLS to the mix since I should of been using that all along.