
Secure Sockets Layer (SSL) is a standard security technology for establishing an encrypted link between a server and a client - typically a web server (website) and a browser, or a mail server and a mail client.


Question Ralf von der Reith · May 12, 2020

Hello Community, 

I want to secure a SOAP Webservice (an EnsLib.SOAP.Service one, if that matters) by adding an SSL/Username Policy to it. As I'm not sure how detailed my request here should get, I'll try giving a detailed as-is description of my setup, what I've tried, how I tried to test the connection and what problems, including some logs, I ran into. 

As a small foreword: I'm pretty new to the whole security aspect of InterSystems and SOAP itself. 

System:

I've tried it on 2 different systems with pretty much the same result: 

  1. IIS Server with a 2 System-Mirror Healthshare 2018.1.2 Installation
  2. loc
Question Yone Moreno · Nov 12, 2019

Hello good afternoon!

We're testing a REST Operation, to View Devices using OneSignal API

We are sending the request from Production's Operation Test tool, using the following code:

What happens is that it gives us an SSL configuration error:

It should be noted that the test was done without https, to:

set path = http://onesignal.com/api/v1/players?app_id=...

If we see the trace of the browser, we get that OneSignal when receiving an HTTP request, redirects it to HTTPS:

Receives HTTP, redirects:

to HTTPS:


With what we have written, we get an empty answer (the 1st redirection) and an SSL error (the

Question Dmitrii Kuznetsov · Sep 1, 2019

OAuth server to be deployed on the IRIS learning cloud platform. Clients - one on the other instance of the learning IRIS server, the other client locally on my computer in a Docker container.

Both clients get a seemingly correct link (through ##class(%SYS.OAuth2.Authorization).GetAuthorizationCodeEndpoint()) to the login request form:  

https://52773b-62955584.labs.learning.intersystems.com/oauth2/authorize?response_type=code&client_id=nHCv5A-u_5T1YAwk_tJ7xpi1ky-s2AnRQMaL6YHsUgU&redirect_uri=https%3A//52773b-99792125.labs.learning.intersystems.com/csp/sys/oauth2/OAuth2.Response.cls&scope=scop

Article Stephen De Gabrielle · Jun 26, 2019 1m read

This is more for my memory than anything else, but I thought I'd share it because it often comes up in comments, but is not in the InterSystems documentation. 

There is a wonderful utility called ^REDEBUG that increases the level of logging going into mgr\cconsole.log. 

You activate it by

a) start terminal/login

b) zn "%SYS"

c) do ^REDEBUG

d) change logging level to FFFFFFFF

If you are on your production system (with lots of traffic) I suggest you quickly reproduce the error, rename the cconsole.log file, and repeat the steps above to set the logging level to FF.

Question Tim Miller · Apr 28, 2019

Hello all,

Been doing Ensemble for a while but I am struggling with this SOAP set up.

Currently in Cloverleaf, we are taking the HL7 feed out of Epic, and then we put the SOAP wrapper around it.  Then using a CAIR provided wsdl, we seem to be using a JKS file and a PFX file to send the data to CAIR (http://cairweb.org/next-steps-page/).

Here is what I have done so far: I used the SOAP wizard with the wsdl file to create a new Operation.

My questions are these:

- I believe I need to change the JKS file into a PEM file in order to use it with Ensemble?

- Then, do I upload that PEM file into the

Question Mathieu Van Sevenant · Mar 12, 2019

Hello everyone

I have a server configuration in a CSP Gateway installed on a PC (let's call it S2) different from the main one (let's call it S1). This configuration allows me to access a web application that is installed on S1, from a client C asking S2 for this webapp. But for now it works only in HTTP between C and S2, and we would like to use HTTPS (as it already works between S2 and S1).

First, here are the tutorials found in the doc:

https://docs.intersystems.com/latest/csp/docbook/DocBook.UI.Page.cls?KE…

https://docs.intersystems.com/latest/csp/docbook/DocBook.UI.Page.cls?KE…

Question Jiri Svoboda · Jan 20, 2019

Hi community,

I would like to ask how to correctly enforce SSL on all "developer traffic" -- that is Management portal and Studio connections -- on a Caché instance.

Given large developer permissions, I would like to eliminate all plaintext credentials on the wire.

Currently, we compile our own httpd with SSL support for Management portal, but this breaks Add-Ins for us, in particular the SOAP wizard. So I guess this is not the "canonical way".

Thanks for any suggestions

Jiri

Question Scott Roth · Jun 29, 2018

I wrote a ZAUTHENTICATE.mac a couple of months back, and found recently that it is creating coredumps on almost a nightly basis. I think I have figured out this problem to be not clearing out my MsgSearch after I am doing 2 of them within the code.

1. Get User Attributes from AD

2. Get User Groups From AD

So while I am trying to clean up the code I thought it would be a good time to add a Certificate and TLS to the mix, since I should have been using that all along. However, I keep running into issues.

Error message: Cache error: <UNDEFINED>ZAUTHENTICATE+104^ZAUTHENTICATE *LD

it's not displaying the

Question Seth Rothenberg · Nov 29, 2017

Greetings.

We have one vendor who requires us to send data using TCP through an SSH port forwarding tunnel that is set up in advance. UNIX scripts maintain this, and the Ensemble interface uses a TCP Adapter.

I was thinking that Ensemble could maintain the SSH tunnel, which would improve our detecting of issues.

Has anyone done something like this?

I see that the class %Net.SSH.Session has a method ForwardPort, but it doesn't stand up the tunnel by itself. Instead, it appears to return a handle into the tunnel. It will work a bit differently.

Thanks

Seth

• method ForwardPort(pRemoteHost As %S

Article Katherine Reid · Nov 27, 2017 1m read

Caché will not change the cryptographic settings in an existing TLS configuration when you upgrade. This means that unless you've updated them yourself, you're still using the values from the very first version you started using SSL in.

If you've upgraded since creating your TLS configurations, take a moment to look at the enabled protocols and ciphersuites to make sure you've enabled all the versions you want, and disabled the old versions you don't want.

Question Tom Philippi · Nov 23, 2017

I have an Ensemble installation and just built my first RestService (using %CSP.Rest that forwards them to my Business Service). This works nice and fine when I use Postman to make REST calls over http (port 57772). However, when I attempt to make a request using https over port 443 I receive the following error:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
    <head>
        <title>404 Not Found</title>
    </head>
    <body>
        <h1>Not Found</h1>
        <p>The requested URL /csp/healthshare/fcoffice/rest/ping was not found on this server.</p>
        <hr>
Question Tom Philippi · Nov 7, 2017

I have an Ensemble installation with an FTP business operation which I would like to connect to a server over SSL in explicit mode (see also: https://www.rebex.net/kb/tls-ssl-explicit-implicit/default.aspx). I keep running into timeouts while attempting to do this via Ensemble. Does Ensemble actually support SSL in explicit mode??? Because I can't seem to find any setting where to switch it on.

Question Stephen De Gabrielle · Apr 27, 2017

Hi, 

I can't work out how to use the Cache CA Server to process certificate requests from external clients!

We are setting up an interface where we use SSL/TLS 'Mutual Authentication' to allow a client system to securely transmit documents to our server. (They are off-site and hosting a service for us.)

I am not a security expert, but my understanding of setting up mutual authentication, where my instance of Ensemble is the server and it is receiving messages from a client, is as follows:

  1. I create a CA private key and self-signed certificate ( or purchase a cert from one of the big providers)
  2. Generate
Question Tom Philippi · Apr 20, 2017

We are in the process of enabling SSL on a SOAP web service exposed via InterSystems, but are running into trouble. We have installed our certificates on our webserver (Apache 2.4) and enabled SSL over the default port 57772. However, we now get an error when sending a SOAP message to the web service (it used to work over http). Specifically, the CSP gateway refuses to route the message to the SOAP web service:

<SOAP-ENV:Envelope SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLS

Article Pete Greskoff · Jan 10, 2017 9m read

NB. Please be advised that PKI is not intended to produce certificates for secure production systems. You should make alternate arrangements to create certificates for your productions.
NB. PKI is deprecated as of IRIS 2024.1: documentation and announcement.

In this post, I am going to detail how to set up a mirror using SSL, including generating the certificates and keys via the Public Key Infrastructure built in to Caché.

Question Chris Paraskiv · Mar 2, 2017

Can Atelier connect to an Ensemble server that only accepts https connections?

How do I configure that? I did try an ssh into such server and Atelier over that but it didn't seem to work.

Any suggestions?

Thanks,

Chris

Question Todd Johnson · Mar 2, 2017

Our client is a test out of 2016.1 (Build 656U) HealthShare that wants to do a one-way SSL connection to our Java 1.7/Tomcat 8.0 server. We have yet to come up with a secure cipher set that HealthShare and Java agree on for the handshake. So far we've had to use these ciphers identified which are not recommended (though it does do a handshake properly). Our definition of "secure cipher set" comes from this best practices section 2.3 and ideally we'd like to use the ciphers identified. Are any of these available in HealthShare 2016+?

Our setup:  In Healthshare, we have an SSL/TLS

Article Michael Denhamson · Dec 16, 2016 2m read

I have posted this to aid others in diagnosing problems with SSL/TLS connections to the superserver port from a .NET client executable.

The Cache instance this appeared on is quite old - 2011 - so I do not know if InterSystems have added a better error message in a later version.

The actual fault was due to the certificate in the %SuperServer SSL/TLS configuration having expired.

The unhelpful message that appeared in the .NET client included the following partial stack trace.

   *** CacheException..ctor: (12:05:09:546) [ConnID= 34822912] [SvrJob=Unknown] [ThreadID=9]
 [CacheProvider] Communication link
Article Andrew Harris · Nov 14, 2016 1m read

Question:

Where can I find the openssl command line tool for Windows?

Answer:

The openssl command line utility comes with Unix, but not with Windows. It is used for working with security certificates.

The main site is

https://www.openssl.org/

There are no binaries on this site but in the Community section there is a link for binaries which leads to:

https://www.openssl.org/community/binaries.html

This contains a link to "An informal list of third party engines":

https://wiki.openssl.org/index.php/Binaries

At the time of writing this had two entries for OpenSSL for Windows. I chose the first one:

https://

Question Ricardo Paiva · Oct 5, 2016

I am using OAuth2 Cache framework, acting as a client to an authorization server. My setup is based on this excellent previous post [Caché Open Authorization Framework (OAuth 2.0) implementation – part 1].

I'm facing ‘Authorization Server Error: Error Processing Response - No match between server name 'googleapis.com' and SSL certificate values google.com…’

It looks like I should set SSLCheckServerIdentity to false but I can’t figure out how. Has anyone had the same issue?

Article Daniel Kutac · Apr 27, 2016 1m read

Hi,

I'm posting this for the benefit of others. Not often does one change certificates in Cache, at least in my case. I run a system that uses certificates to encrypt SOAP messages, and since the last time I ran it, my certificates expired.

So I renewed them using our PKI tool, so far so good. I gave all (3) certificates the same names (and filenames too) as the expired ones, thinking that everything would just work fine next time I call the SOAP service.

Unfortunately, I got trapped.

It took me a rather longer while to realize that replacing old files with new ones is not enough.
