#Web Gateway

Hello, thanks for your time reading this question.

We are receiving each day, alerts from one of our four Production nodes. It always has the same text:

[InterSystems IRIS SEVERE ERROR gchciris4.canariasalud:ENSEMBLE] [Utility.Event] [SYSTEM MONITOR] CSPGatewayLatency(127.0.0.1:443) Alert: CSPGatewayLatency = 5001.304, 5001.233, 5000.964 (Max value is 2000).

We have looked for it in the documentation here:

https://docs.intersystems.com/latest/csp/docbook/DocBook.UI.Page.cls?

When accessing management portal through IIS the page is not fully rendered and the buttons/links that are displayed don't work.

Management Portal works fine through private web-server.

Have just set up IIS/CSP Gateway to access Ensemble, and accessing the CSP Gateway configuration pages through IIS works fine (screenshot at end of post).

This is the view when accessing management portal through IIS (port 80) - missing images, links don't work, not all content displayed:

And this is the (top of the) view when accessing through the PWS (port 57772):

I've been following @Kyle.

I am having issues trying to send SOAP requests to a Cloud Based AWS Application that lives outside of our network. 

It is using a Basic Authentication, Key, Certificate Authority and Whitelist for Security. 

If I attempt the connection using wget from the command line I am able to connect,

:>wget --bind-address=10.95.129.245 --server-response https://xxxxxxxxxx/xxxxxxx/services/Mirth
--2025-06-06 15:54:51--  https://xxxxxxx/xxxxxxxx/services/Mirth
wget: /ensemble/.netrc:16: unknown token xxxxxxx
wget: /ensemble/.netrc:16: unknown token xxxxxxxx
Resolving xxxxxxx.com (xxxxxxx). 34.233.89.

I am trying to log in to the Web Gateway Management and I have missed placed the password to access the system I have tried 

changing the password under local settings in the CSP.ini  and that has managed to change the password to access the gateway but cannot log me into the management area I have followed a post here and read here and I seem not to get the answers that actual explain how I can get to the web gateway management.

I ran into a situation where VS Code consumed all available web sessions and was unable to get to the Management Console to clear them. I was able to establish a terminal session, though.

Is there a method or routine available through the IRIS terminal that allows one to clear web sessions? I've searched the administration and class documentation and haven't found a solution.

Hi developers!

While developing web apps the security practice I consider safe and convenient is to create a special Role (e.g. equal application name) which contains security resources which application will need (SQL tables, priviledges, database access, etc) and assign it to the Web Application.
So the user gets this role once it loggs in to the application (via password, no password or delegated).

Convenient, right?

So, the question is, when I deploy the app as an IPM module what should I put as a database access?

While upgrading old Ensemble and Health Connect applications to V 2024.1 we are installing many webgateways since the private webserver is deprecated.

Configuring the "Default Parameters" we can determine the "Event Log Rotation Size" but not the count of preserved logfiles. So even if the webgateway cuts the logs in pieces they could fill up the disk space entirely for there seems to be no cleanup-job for old logfiles.

What is the recommended way to deal with this situation?

Do I have to create a schduled job on OS-level?

I have a flask application, its working locally. I also have a iris for health 2024.3 docker container front-ended with the iris nginx container.

I can configure the WSGI application with iris for health, give it a "url" (/flask or /csp/flask) but I cannot access the flask application. It looks like the url is not found within the nginx configuration. Is there any documentation or suggestion for configuration/enabling a flask app with a IRIS container front ended with the nginx container (provided by intersystems container registry) 

Hello Community,

we're running an Iris installation on SLES 15.5 using the SLES Apache server and web gateway for hosting the management portal on Port 57772 (e.g. http://<host-name>:57772/csp/sys/%25CSP.Portal.Home.zen?$NAMESPACE=HL7TOFHIR) on the same machine. The Iris installation also provides a FHIR Server in a separate namespace which uses the base URL http://<host-name>:57772/fhir/r4 for connections.

The installation is locked down and the SLES Firewall is activated an configured to just allow connections on port 57772 and 1972. Apache currently listens to Port 57772 only.

Is it possible to use one IIS server to configure Webgateway and external Webserver for management portal when implementing synchronous mirroring with VIP  i.e Is it necessary to have two mirror servers(primary and Backup) , one Arbiter server, one Webserver for Webgateway and a sperate webserver for management portal? 

If anyone can please point to any documentation on Mirroring with Webgateway and external webserver for management portal will be really helpful. 

Thank you for your help

We recently moved from using the Private Web Server, to using an Apache/Web Gateway setup and moved towards using the built in LDAP functionality within IRIS. Since then, we have 1 user that uses VSCode (/api/atelier) heavily that continues to have issues signing into IRIS through VS Code and the /api/atelier extension.

I am trying to troubleshoot two issues..

I am attempting to configure an inbound service that utilizes the EnsLib.SOAP.GenericService class. This service receives HL7-v3 content wrapped in SOAP requests. Despite reading the documentation on configuring SOAP services, I am still confused.

In my current configuration item "Fr_Centrak_RTLS", I have ‘Enable Standard Requests’ checked, ‘Pool Size’ set to 0, and the port is unspecified.

I have also configured a web application with the following details:

My challenge is determining the correct URL address for sending SOAP traffic to this service.

I am fairly new to using Docker, and instead of trying to get IIS, a Web Gateway, and Docker desktop working within my Windows environment, I thought I would try running it in a WSL2 Ubuntu environment since this is similar to how use it on my server. I have installed Apache and the Web Gateway on my WSL2 Ubuntu.

I went through Apache Web Gateway with Docker | InterSystems Developer Community however that is already bundled and requires TLS certificate setup which I don't care about since this is running locally on my machine.

Hello,

I have a problem with a FHIR Interop scenario that the HTTP Header Value content-type between IRIS and client changes in case of an error (HTTP 422). If I set the status in the response to 200 OK as the last step in the service class, the return transmission works.

Within my operation class, the error code is taken from the source system and entered in the HS.FHIRServer.Interop.Response message. 

Within the CSP gateway I am also shown that the content type is 422 application/fhir+xml and is returned.

When I look at the packet in Wireshark, it is already text/html.

Hello Guys,

Our cache application uses REST web services and handles single API request perfectly with response (response status and related data). But sometimes user sends multiple requests to the same API simultaneously ( ie, without waiting for the first to respond ), where one request will succeed (not necessarily the first) and the others will fail. 
So, I need to handle the requests one by one after completing and sending the response for first request in the queue then process the next request and so on.

Is there any appropriate way of handling this problem?

This is probably not the right place, but I don't know who I can reach out to... I am trying to configure an Apache/Web Gateway to our instance of IRIS so we are no longer using the built-in PWS. Can anyone point me in the right direction to configure Apache/Web Gateway to repoint

http://<server name>:52773/... to the https://<server name>/...

gateway so our users will not notice? How do I do this in Apache, do I need to modify httpd.conf or the ssl.conf file? What is the correct syntax...

This is what I tried to do in the httpd.conf file

<VirtualHost *:52773>
    ServerName int-lxiris-vd01.osumc.edu
    ServerAlias int-lxiris-vd01 int-lxiris-vd01.unix.osumc.edu
    Redirect permanent / https://int-lxiris-vd01.osumc.edu/
</VirtualHost>

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Hi Community,

We have web gateway installed  as a standalone on the web server and when I access it through the direct link https://mydomain.com/csp/bin/Systems/Module.cxw, it doesn't require authentication it just opens as per screenshot below.

There is a requirement to add authenticate using username and password as with the webgateway installed with iris, I want to get to the below screen before gaining access to web gateway.

Thanks in advance.

Does the Version of the Web Gateway have to match the version of IRIS that is currently running? Or are they independent of each other since they are different components? I am looking to install the Web Gateway (non-PWS) as we move forward with securing our Management Portal and VS Code connections using TLS.

Thanks

Scott

I recently started work on trying to Tighten Security in our Development Instance of IRIS that is running based on recommendations from our Audit as you might of seen from my other posts. I am currently trying to get into the Private Web Gateway Manager within IRIS as CSPSystem, but when I attempt to sign in nothing happens. 

I went through and reset the password in the CSP.ini and within IRIS for CSPSystem. I made sure it had the new GatewayRole per suggested 

https://docs.intersystems.com/healthconnect20231/csp/docbook/DocBook.UI.Page.cls?KEY=GSECURING_tighten#GSECURING_tighten_smp_CSPSysAuthe

I have notified the following :

• Web Gateway usually maintain a certain amount of TCP/IP connections (that is capped to Maximum Connections) with Super server process (also named %SYS.SERVER). Those connections will stay, even after some client requests (eg: browser) have been processed and the TCP/IP connections have been closed the other side (between client and webserver, usually Apache).

We're trying to get a little more discipline around Web Gateway change control, and deploy changes to our CSP.ini from source control.  I was wondering if anyone cared to share their best practices in this area?  There is a "RELOAD" parameter (https://docs.intersystems.com/irislatest/csp/docbook/DocBook.UI.Page.cl…) which says you can put RELOAD=1 in your CSP.ini file in order to force it to automatically activate when noticed by the daemon.  

Do people use this approach, and keep RELOAD=1 stored in their CSP.ini in source control?

Hi Guys,

For Login in CSP application, I am displaying custom Login page which is rendered from subclass CSS.CSP.Login that extends %CSP.Login, and also got IBA.CSP.Page that extends %CSP.Page with overridden method OnPreHTTP(). This setup is working perfectly for normal login. 

When I define Invalid login limit and enable Disable account if login limit reached in System > Security Management > System-wide Security Parameters, the users get disabled after certain invalid login attempts.

Hi guys,

In Cache CSP application, I have enabled Password expiration days to certain days in System > Security Management > System-wide Security Parameters. When password expires for the users and they try to login the login page takes to standard cache password change page. 

Is there anyway I can display my overridden page instead of standard cache password change page? 

Reason to display my own page:  I needed to break down the UserName, for eg: UserName into CompanyID - IBA and User ID - san.

Currently, I have overridden %CSP.PasswordChange class to CSS.CSP.ChangePassword.

I'm having trouble adjusting the protocol used for any CSP Requests. Currently all request to the system are sent over HTTP 1.1

When loading 40+ images on a page, the browser starts stalling request. According to google HTTP 1.1 only allows 6 parallel TCP Connections before suspending the remaining. 

I have looked through the Web Gateway Settings, %Net.HttpRequest.HTTPVersion and SSL Configuration but haven't found anything.

Is there a hidden setting that can be changed? Does Caché even support higher HTTP protocols. We do have an IRIS development instance I could test on.

I am trying to pull down the webgateway from containers.intersystems.com and I am receiving the following errors... Please advise

[roth16@int-lxiris-vd02 tls-ssl-webgateway]$ docker pull containers.intersystems.com/intersystems/webgateway:2021.1.0.215.0
Emulate Docker CLI using podman. Create /etc/containers/nodocker to quiet msg.
Trying to pull containers.intersystems.com/intersystems/webgateway:2021.1.0.215.0...
Error: initializing source docker://containers.intersystems.com/intersystems/webgateway:2021.1.0.215.0: reading manifest 2021.1.0.215.0 in containers.

Hello, would anyone know where in Linux I need to change permissions on this? 

it is running a full Apache install and not what came with Cache.

Hi all!

I'm currently trying to find out how to have one Web Gateway route to multiple servers Management Portal. The only thing that I have come up with so far is to potentially make different routes per server?

I have a development, test, and production server and I want to use the same Gateway server using IIS to do SSL/TLS encryption for the CSP pages.

Any ideas or recommendations to pull this off?