I have a .JKS Keystore file and associated password.
How do I reference that file when creating a web service (SOAP) call out?
Secure Sockets Layer (SSL) is a standard security technology for establishing an encrypted link between a server and a client - typically a web server (website) and a browser, or a mail server and a mail client.
Hi, a client has an installed environment with mirror activated, but when you test SSL on web services you can get an error: SSL is not accessed correctly from the browser because of a certificate problem, apparently with the TLS version. Does someone have a suggestion for reinstalling SSL certificates on mirrors?
Chrome : something wrong, no details or diagnostic
Firefox : SSL_ERROR_HANDSHAKE_FAILURE_ALERT
We tried simply regenerating the Authority and regenerating all certificates, but it did not work. Same results.
Hello Community,
I want to secure a SOAP web service (an EnsLib.SOAP.Service one, if that matters) by adding an SSL/Username Policy to it. As I'm not sure how detailed my request here should get, I'll try giving a detailed as-is description of my setup, what I've tried, how I tried to test the connection and what problems, including some logs, I ran into.
As a small foreword: I'm pretty new to the whole security aspect of InterSystems and SOAP itself.
System:
I've tried it on 2 different systems with pretty much the same result:
Hello good afternoon!
We're testing a REST Operation, to View Devices using OneSignal API
We are sending the request from Production's Operation Test tool, using the following code:
What happens is that it gives us an SSL Configuration error:
It should be noted that the test was done without https, to:
set path = http://onesignal.com/api/v1/players?app_id=.
OAuth server to be deployed on the IRIS learning cloud platform. Clients - one on the other instance of the learning IRIS server, the other client locally on my computer in a Docker container.
Both clients get a seemingly correct link (through ##class(%SYS.OAuth2.Authorization).GetAuthorizationCodeEndpoint()) to the login request form:
https://52773b-62955584.labs.learning.intersystems.com/oauth2/authorize?response_type=code&client_id=nHCv5A-u_5T1YAwk_tJ7xpi1ky-s2AnRQMaL6YHsUgU&redirect_uri=https%3A//52773b-99792125.labs.learning.intersystems.com/csp/sys/oauth2/OAuth2.Response.cls&scope=scope1&state=lXsMt6yckoPEv-HNdWZptXDxNS0
Hi,
Is there any facility in Health Connect to notify us before a SSL/TLS security certificate expires?
I'd be interested in how other teams handle this as we are using TLS/SSL a lot more to integrate with external services.
Kind regards,
Stephen
Hi Community!
How do you create SSL Configuration for InterSystems IRIS programmatically? E.g. for installation or deployment case?
E.g. if I need to create a very simple "default" SSL client configuration to allow HTTPS GET requests to an arbitrary server?
Hello all,
Been doing Ensemble for a while but I am struggling with this SOAP set up.
Currently in Cloverleaf, we are taking the HL7 feed out of Epic, and then we put the SOAP wrapper around it. Then using a CAIR provided wsdl, we seem to be using a JKS file and a PFX file to send the data to CAIR (http://cairweb.org/next-steps-page/).
Here is what I have done so far: I used the SOAP wizard with the wsdl file to create a new Operation.
My questions are these:
- I believe I need to change the JKS file into a PEM file in order to use it with Ensemble?
Hello everyone
I have a server configuration in a CSP Gateway installed on a PC (let's call it S2) different from the main one (let's call it S1). This configuration allows me to access a web application that is installed on S1, from a client C asking S2 for this webapp. But for now it works only in HTTP between C and S2, and we would like to use HTTPS (as it already works between S2 and S1).
First, here are the tutorials found in the doc:
https://docs.intersystems.com/latest/csp/docbook/DocBook.UI.Page.cls?KE…
https://docs.intersystems.com/latest/csp/docbook/DocBook.UI.Page.cls?
Hi community,
I would like to ask how to correctly enforce SSL on all "developer traffic" -- that is Management portal and Studio connections -- on a Caché instance.
Given large developer permissions, I would like to eliminate all plaintext credentials on the wire.
Currently, we compile our own httpd with SSL support for Management portal, but this breaks Add-Ins for us, in particular the SOAP wizard. So I guess this is not the "canonical way".
Thanks for any suggestions
Jiri
I wrote a ZAUTHENTICATE.mac a couple of months back, and found recently that it is creating coredumps on almost a nightly basis. I think I have figured out this problem to be not clearing out my MsgSearch after I am doing 2 of them within the code.
1. Get User Attributes from AD
2. Get User Groups From AD
So while I am trying to clean up the code, I thought it would be a good time to add a Certificate and TLS to the mix, since I should have been using that all along.
Greetings.
We have one vendor who requires us to send data using TCP
through an SSH port forwarding tunnel that is set up in advance.
UNIX scripts maintain this, and the Ensemble interface uses a TCP Adapter.
I was thinking that Ensemble could maintain the SSH tunnel,
which would improve our detecting of issues.
Has anyone done something like this?
I see that the class %Net.SSH.Session has a method ForwardPort,
but it doesn't stand up the tunnel by itself. Instead, it appears
to return a handle into the tunnel. It will work a bit differently.
Caché will not change the cryptographic settings in an existing TLS configuration when you upgrade. This means that unless you've updated them yourself, you're still using the values from the very first version you started using SSL in.
If you've upgraded since creating your TLS configurations, take a moment to look at the enabled protocols and ciphersuites to make sure you've enabled all the versions you want, and disabled the old versions you don't want.
I have an Ensemble installation and just built my first RestService (using %CSP.Rest that forwards them to my Business Service). This works nice and fine when I use Postman to make REST calls over http (port 57772). However, when I attempt to make a request using https over port 443 I receive the following error:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>404 Not Found</title>
</head>
<body>
<h1>Not Found</h1>
<p>The requested URL /csp/healthshare/fcoffice/rest/ping was not found on this server.</p>
<hr>
<address>Apache/2.4.18 (Ubuntu) Server at <MyUrl.Com> Port 443</address>
</body>
</html>
I have an Ensemble installation with an FTP business operation which I would like to connect to a server over SSL in explicit mode (see also: https://www.rebex.net/kb/tls-ssl-explicit-implicit/default.aspx). I keep running into timeouts while attempting to do this via Ensemble. Does Ensemble actually support SSL in explicit mode??? Because I can't seem to find any setting where to switch it on.
Hi,
I can't work out how to use the Cache CA Server to process certificate requests from external clients!
We are setting up an interface where we use SSL/TLS 'Mutual Authentication' to allow a client system to securely transmit documents to our server.
We are in the process of enabling SSL on a SOAP web service exposed via InterSystems, but are running into trouble. We have installed our certificates on our webserver (Apache 2.4) and enabled SSL over the default port 57772. However, we now get an error when sending a SOAP message to the web service (it used to work over http). Specifically, the CSP gateway refuses to route the message to the SOAP web service:
I have built an Ensemble SOAP service (EnsLib.SoapService.Service) as a business service which accepts SOAP requests from another application. To secure the traffic between the SOAP service and the application I'd like to enable SSL. I see that in the management portal I can upload the certificates, chains and keys and save them as an SSL / TLS configuration. However, it is not clear to me how I apply this SSL / TLS configuration to the SOAP service I am running.
In this post, I am going to detail how to set up a mirror using SSL, including generating the certificates and keys via the Public Key Infrastructure built in to Caché. The goal of this is to take you from new installations to a working mirror with SSL, including a primary, backup, and DR async member, along with a mirrored database.
Can Atelier connect to an Ensemble server that only accepts https connections?
How do I configure that? I did try an ssh into such server and Atelier over that but it didn't seem to work.
Any suggestions?
Thanks,
Chris
Our client is a test out of 2016.1 (Build 656U) Healthshare that wants to do a one way SSL connection to our Java 1.7/Tomcat 8.0 server. We have yet to come up with a secure cipher set that Healthshare and Java agree on for the handshake. So far we've had to use these ciphers identified which are not recommended (though it does do a handshake properly). Our definition of "secure cipher set" comes from this best practices section 2.3 and ideally we'd like to use the ciphers identified. Are any of these available in HealthShare 2016+?
I have posted to aid others in diagnosing problem with SSL/TLS connections to superserver port from .NET client executable.
The Cache instance this appeared on is quite old - 2011 - so I do not know if InterSystems have added a better error message in a later version.
The actual fault was due to the certificate in the %SuperServer SSL/TLS configuration having expired.
The unhelpful message that appeared in the .NET client included the following partial stack trace.
*** CacheException..ctor: (12:05:09:546) [ConnID= 34822912] [SvrJob=Unknown] [ThreadID=9] [CacheProvider] Communication link failure: System.ArgumentNullException; Value cannot be null. NativeError: 461 State: 08S01 InnerException StackTrace: at System.Threading.Monitor.Enter(Object obj) at InterSystems.Data.CacheClient.SysList.dumpData(Stream outStream, Int32 count, LogFileStream logFile) at InterSystems.Data.CacheClient.OutStream.send(Int32 count) at InterSystems.Data.CacheClient.CacheADOConnection.Login() at InterSystems.Data.CacheClient.CachePool.CreateNewPooledConnection(CacheADOConnection conn)
Question:
Where can I find the openssl command line tool for Windows?
Answer:
The openssl command line utility comes with Unix, but not with Windows. It is used for working with security certificates.
The main site is
There are no binaries on this site but in the Community section there is a link for binaries which leads to:
https://www.openssl.org/community/binaries.html
This contains a link to "An informal list of third party engines":
https://wiki.openssl.org/index.php/Binaries
At the time of writing this had two entries for OpenSSL for Windows.
I am using OAuth2 Cache framework, acting as a client to an authorization server. My setup is based on this excellent previous post [Caché Open Authorization Framework (OAuth 2.0) implementation – part 1].
I'm facing ‘Authorization Server Error: Error Processing Response - No match between server name 'googleapis.com' and SSL certificate values google.com…’
It looks like I should set SSLCheckServerIdentity to false but I can’t figure out how. Has anyone had the same issue?
Hi,
I'm posting this for the benefit of others. Not often one changes certificates in Cache, at least in my case. I run a system, that uses certificates to encrypt SOAP messages, and since the last time I ran it, my certificates expired.
So I renewed them using our PKI tool, so far so good. I gave all (3) certificates the same names (and filenames too) as those that expired, thinking that everything would just work fine next time I call the SOAP service.
Unfortunately, I got trapped.
It took me a rather longer while to realize that replacing old files with new ones is not enough.