I am trying to move us to Securing the Management Portal using Apache and the Web Gateway.

Our Development environment/namespace only has 1 server, but both Test and Production have failover/DR mirroring containing 3 servers for Test, and 3 additional servers for Production. 

• Development - 1 server
• Test -2 server's setup for Failover, and 1 Async DR Mirror
• Production - 2 servers' setup for Failover, and 1 Async DR Mirror

In Test and Production, the mirroring is setup using an Arbiter and the VIP address is controlled at the Hardware level.

• Should I have 1 centralized location for the

I am trying to connect the external application. Authenticating via Two SSL,

I have the Client Cert, Private key and the Root Certificate

The connection is successful from local (both via terminal and as well via Postman)

But when trying from IRIS application by configuring the certificates in the SSL configuration, i am not able to successfully verify the SSl connections

When test from the ssl configuration with the endpoint and port its gives the error Error #988: SSL connection failed. SSL/TLS error in SSL_read(), SSL_ERROR_SYSCALL: I/O error (54)

I am also seeing the error when the Http

First time setting up a SSL/TLS connection, and I am running into issues when I call it from within a Business Operation.

I am trying to setup our first SSL/TLS configuration so we can possibly connect to the EMR FHIR server to pull data into the Interoperability engine.

I am running on Red Hat, and created and submitted a openssl CSR request to our Windows ADCS system.

I used the following command to generate the key and CSR request to submit to Windows ADCS

openssl req -new -sha512 -nodes -newkey rsa:4096 -keyout xxxxxxx.key -out xxxxxxxx.csr

When the certificate was generated I was able to download the individual certificate (cer) and the certificate chain (p7b) in  DER or Base64.

Several steps should be done in order to secure the connection through xDBC clients to an IRIS Server instance using TLS. Most of the information can be obtained from the documentation about TLS on IRIS here, about configuring the security layer for encrypted connections. In the next paragraphs we will cover an step-by-step guide on how to configure and test the connection using SQL Clients apps using ODBC and JDBC.

You can download the drivers from InterSystems IRIS Driver Packages

Configuring IRIS SuperServer to use TLS

IRIS Documentation on this link

Before starting with the client

In this article, we will establish an encrypted JDBC connection between Tableau Desktop and InterSystems IRIS database using a JDBC driver. While documentation on configuring TLS with Java clients covers all possible topics on establishing an encrypted JDBC connection, configuring it with Tableau might be a little bit tricky, so I decided to write it down.

Securing SuperServer

Before we start with client connections, you need to configure SuperServer, which by default runs on port 1972 and is responsible for xDBC traffic to accept encrypted connections. This topic is described in the documentati

Hello,

I have Iris4Health community version (using for some development) running in a docker container and trying to enable TLS/SSL/HTTPS in the container. I have created the SSL cert chain (root ca/web site cert) via open SSL have the http.conf and http-local.conf file loaded on a durable volume. I have  also loaded the root CA in the trusted root cert store on the device that is connecting.

After inspecting the logs it looks like apache has loaded the certs and is listening on the correct port, but I am unable to connect to the mgmt portal via SSL.

Is there anything specific that has to be

Hey guys.

I'm having trouble using the Certificate in my BO.
It started to occur after updating the certificate.

I have 2 configurations and 2 certificates, the first one was updated and no error occurs, the second one, the  bad certificate or Handshake failure errors occurs. Both have the same configuration.
I already tried marking SSLV3, handshake error occurs. When I unchecked it, a Bad Certificate error occurs.

Do you know what I can do in this case to solve it?I looked for some threads in the community, and I didn't find a solution for my case.
The Certificate works correctly on other systems

So I have a base string that I want to sign using RSA-SHA256. I have a .p12 file and passphrase to get the RSA Private key using NodeJS (pem.readPkcs12 library), which I don't know how to do that in intersystems as well. (would appreciate if you can include a solution for that too)
The main problem here is I am trying to sign a string and print the result to terminal, using the code below in a routine (.mac file).

SignTest
    s privateKey = "-----BEGIN RSA PRIVATE KEY-----\r\nsomeKey\r\nsomeKey\r\n-----END RSA PRIVATE KEY-----"s myString  = "text to sign"s signedTxt = ##class(%SYST

Hello. 

I'm trying to transfer two connectors from my test env to my production env ( both are IRIS 2021.1 ) 

So i have created an SSL configuration on both :

Test env : 

Production env : 

The connector work well on the test env. When i try the same code in my production env i got this error :
 

Erreur lors de la récupération du token : ERROR #6085: Unable to write to socket with SSL/TLS configuration 'XXXXX', error reported 'SSL/TLS error in SSL_connect(), SSL_ERROR_SYSCALL: I/O error (183)'

I tried to use the advanced debug like this post :

Hi Team , 

Can I please check if anyone has encountered SOAP authentication error when trying to submit a certificate signing request or when trying to get certificate .

I configured a local CA server without SMTP configuration and I configured a local CA client. These steps worked okay.

Then I tried to Submit Certificate Signing Request to Certificate Authority server and I am getting the following error :

Similar error is appearing when I try to use the Get Certificate(s) from Certificate Authority server option

Hi all,

I am trying to use some process private variables (percent variables) in Triggers.

I am referring to values from $System.Process, like the ClientIPAddress and CSPSessionID.
These do to not contain values and I suspect it is bacause of scope. I also checked, and the %session variable is not available if the change originated from a CSP request.
I know that in triggers the scope of the variables are to be kept local, that is why NEW is to be used.

Is there a way to access the Process Private Variables in Triggers or get $System.Process to return the correct values?

Thanks.

I've disabled TLS v1.0 and 1.1 within Healthshare setting, but still seeing these error messages when running a security scan. We do have apache being used. What else can I try?

Error messages:

Hello Community,

when trying to send HS.FHIRServer.Interop.Request objects to an external FHIR server, I get errors: ERROR #6156: No match between server name '...' and SSL certificate values '...'. The reason is pretty clear, the problem is that we don't get correct certificates in time, but have some pressure to go live with the interface.

In the SSL/TLS Configuration "Server certificate validation" is set to none. Is there a way to temporarily disable this kind of certificate validation (sending unencrypted via http is no option) in the service settings, or anywhere else? 

Thanks for your

NB. Please be advised that PKI is not intended to produce certificates for secure production systems. You should make alternate arrangements to create certificates for your productions.
NB. PKI is deprecated as of IRIS 2024.1: documentation and announcement.

In this post, I am going to detail how to set up a mirror using SSL, including generating the certificates and keys via the Public Key Infrastructure built in to InterSystems IRIS Data Platform. I did a similar post in the past for Caché, so feel free to check that out here if you are not running InterSystems IRIS. Much like the original, the goal of this is to take you from new installations to a working mirror with SSL, including a primary, backup, and DR async member, along with a mirrored database. I will not go into security recommendations or restricting access to the files. This is meant to just simply get a mirror up and running. Example screenshots are taken on a 2018.1.1 version of IRIS, so yours may look slightly different.

Question:

What version of Caché supports TLS v1.2? 

Answer:

Caché 2015.2 announced support for TLS v1.1 and v1.2.  In this version, the SSL/TLS configuration page provides checkboxes for TLS v1.1 and v1.2, which allows the versions to be configured individually.  This allows sites to, for example, require TLS v1.2 only.

Additionally, some earlier versions of Caché provide undocumented support for TLS v1.1 and v1.2, specifically Caché 2014.1.3 and above and 2015.1, on Windows, Linux and Unix.

Here’s why:  Caché uses the openssl library for SSL/TLS.

After what is seemed was weeks, I finally got SSL/TLS enabled on both Apache Web Server and IRIS using the Web Gateway. However while we can now use HTTPS to connect to our Development instance of IRIS, I am running into several errors when I have others try to access the Management Portal via HTTPS.

We are seeing...

• "Unexpected status code, unable to process Hyper Event: Internal Server Error (500)"
• Server Unavailable

Does anyone have a Optimal settings list that I need to set for Apache/Web Gateway https?

I am not sure if this is the correct place for this question, but I am struggling to setup TLS security for our IRIS Management Portal and etc. through Apache and the Web Gateway. I have a couple of questions when it comes to the setup.  

• if I build a private key and certificate within Red Hat, does that certificate have to be on everyone's pc to connect to the Management Portal?
• Can I use a self signed Certificate?
• Can I use the existing CA on the server, or do I need to work with my Data Security team to get a Certificate?

Any help would be appreciated

Thanks

Scott Roth

I was wondering if there was a certain procedure or documentation on securing (Https://) the Web Portal into IRIS/Ensemble?

Currently we are using LDAP Delegated Authentication to access the Web Portal using LDAP. However as more and more emphasis is put on securing applications within networks, I can see Management/Security asking us to make sure that the web portal is more secure.

Maybe I am not looking at the right place for documentation, but is there a Best Practice guide, set of instructions, or Online learning that can help guide me in trying to make our environment more secure?

Hi,

I recently needed to setup an SSL/TLS configuration in IRIS that supported mutual authentication (where the server IRIS is establish a connection to is verified, and, where IRIS is in turn verified by the remote host).  After a bit of research and getting it done, I thought it worthwhile to just go over the process I went through in order to potential help others, and save you some time .

I had in hand, Certificate and Private key for my IRIS instance, that was initiating the connection, and needed to ensure that this was setup correctly.

Hi

We have ODBC 32bit Encryption working on our database with a SSLDEFs.ini file.  However 64 bit ODBC Encryption will not work and give generic error, same error if the ini file is not there for 32BIT.

We have copied the ini file to the 64bit folder?  Any ideas please?

thanks

I'm trying to implement an OAuth2 server, but I have som issues when trying to setup JWT under OAuth 2.0->Client.

I get the error message saying "No match between server name 'localhost' and SSL certificate values 'cache'". I have set up a SSL/TLS configuration as simple as possible without any certificate files. I'm accessing my server via HTTPS with an unsigned certificate.

Can anyone point me in the right direction on how to resolve the issue I'm encountering. 

Screenshot 1: When I set "Source other than dynamic registration" to "JWKS from URL" under "JSON Web Token (JWT) Settings"

Screenshot

When using Studio, ODBC or a terminal connection to Caché or Ensemble, you may have wondered how to secure the connection. One option is to add TLS (aka SSL) to your connection. The Caché client applications - TELNET, ODBC and Studio - all understand how to add TLS to the connection. They just need to be configured to do it.

Configuring these clients is easier in 2015.1 and later. I'm going to be discussing this new method. If you're already using the old, legacy method, it will continue to work, but I would recommend you consider switching to the new one.

Background

These client

Hello everyone, I can choose between RSA and DSA. ECC seems to be unsupported. Is there any workarounds without using external binary like curl?

Best regards RY

I have 2 instances of Cache, one of 2010 and the other 2016.  On both I have created a SSL Configuration with same name.

When I connect to a SOAP Service Client from Cache 2010, I get the above error.

If I connect from Cache 2016, the connection get through.

How can get more details of the error in the Cache 2010 instance to be able to fix this issue.

I have enabled the SOAP Log and it does not give much of details.

Regards

Anil

We are getting more and more request wondering if we could send/receive data via HTTPS to the outside world from within our Hospital Network. As you can imagine our Ensemble/Cache productions are not exposed to the DMZ or has access outside of the network. We only communicate with external vendors through a VPN, so communicating not using a VPN is rather new to us.

Currently there is a project to get rid of using Proxy, and instead of through a Load Balancer that can use rules to filter out traffic, which adds another layer of complexity.

So does anyone out there have a Best Practice, or can

Hi team.

Does anyone has any idea on how to send an encrypted / secure Print from IRIS ( which is hosted on AWS ) to a printer ( which is an on-premise device ).

Thanks

Paras

Hello, I have an SSL / TLS configuration that used TLSv1.0 encryption.

However, I need to update to the TLS 1.2 version of encryption, and apparently Caché 2012.1 does not support it according to this link: https://community.intersystems.com/post/tls-v12-support-cach%C3%A9
 

Can I add a library to the Cache, enable TLSv1.2 in some way, or just a version update?

I have a .JKS Keystore file and associated password.

How do I reference that file when creating a web service (SOAP) call out?

Hi, a client have a installed enviroment with mirror activated, but when you test SSL on webservices you can get an error, not SSL access correctly from browser because certificate problem apparently with TLS Version, someone have a suggestion to reinstall SSL Certificates on mirrors ?

Chrome : something wrong, no details or diagnostic
Firefox : SSL_ERROR_HANDSHAKE_FAILURE_ALERT

We try simple regenerate Authority an regenerate all certificates, but not worked. Same results.