Set ht = ##class(%Net.HttpRequest).%New()
  Set ht.Server = "server"
  Do ht.SetParam("param1", "true")
  Do ht.SetHeader("myheader", "headervalue")
  Set tSC = ht.Get("/api/get", 1)

Look at the second parameter in the call of Get method, it is a test flag, helps to understand how your request will actually go

GET /api/get?param1=true HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; InterSystems IRIS;)
Host: server
Accept-Encoding: gzip
myheader: headervalue

Look at this code, it will do the same

  Set ht = ##class(%Net.HttpRequest).%New()
  Set ht.Server = "server"
  Do ht.SetParam("param1", "true")
  Do ht.SetHeader("myheader", "headervalue")
  Set ht.Location = "/api/get"
  Set tSC = ht.Get(, 1)

Or even this code

  Set ht = ##class(%Net.HttpRequest).%New()
  Do ht.SetHeader("myheader", "headervalue")
  Set tSC = ht.Get("http://server/api/get?param1=true", 1)

It would be better if you could provide some of your code.

And how it looks like just with telnet

$ telnet echo.websocket.org 80

Copy-Paste this data

GET / HTTP/1.1
Accept: */*
Host: echo.websocket.org
Connection: Upgrade
Upgrade: websocket
Sec-WebSocket-Key: 7BOhi3I1WkBoazaXv+MfWA==
Sec-WebSocket-Version: 13

After the empty line, it will show response

HTTP/1.1 101 Web Socket Protocol Handshake
Connection: Upgrade
Date: Tue, 05 Feb 2019 10:37:17 GMT
Sec-WebSocket-Accept: /gSfI5y+P3MMhONARUXNHG5vrHc=
Server: Kaazing Gateway
Upgrade: websocket

You should not forget that WebSockets is still used the HTTP protocol, so, you should send some headers first.

Look at this my code, it uses plain OPEN, and I'm not sure if my example 100% correct, but works.

  set securityKey = $SYSTEM.Util.CreateGUID()
  set securityKey = $SYSTEM.Encryption.MD5Hash(securityKey)
  set securityKey = $SYSTEM.Encryption.Base64Encode(securityKey)

  set host = "echo.websocket.org"
  set url = "/"
  set port = 80

  set device = "|TCP|"_port
  Open device:(host:port:"SCWD"::8192:8192:/TCPNOXY)
  Use device

  Write "GET ",url," HTTP/1.1",!
  Write "Accept: */*",!
  Write "Host: ",host,!
  Write "Connection: Upgrade",!
  Write "Upgrade: websocket",!
  Write "Sec-WebSocket-Key: ",securityKey,!
  Write "Sec-WebSocket-Version: 13",!
  Write !,*-3
  
  Use device:(::"A":$char(13))
  Set fullResponse = ""
  Do {
    Set response = ""
    Read response:1
    Quit:'$test
    Set fullResponse = fullResponse_response_$char(13)
  } While $test

  Use 0
  Close device

  Write !!,fullResponse

In this case, it only reads the first response, which actually should be with HTTP headers as well. Something like this.

HTTP/1.1 101 Web Socket Protocol Handshake
Connection: Upgrade
Date: Tue, 05 Feb 2019 10:51:37 GMT
Sec-WebSocket-Accept: qU2IAmlBvnSoEctnti8lcbc4bVA=
Server: Kaazing Gateway
Upgrade: websocket

It does not contain the first portion of data, which some WebSocket servers may send after initial connect. But if your server sends it, you should see it at the and of response. If you have to send something before, you should do it after the first response, which says that connection established and you can send any data. But not any, it should be in binary format, more details you can find here. Any responses also decoded.

first of all, you have to check

docker logs iristest2

And while you trying to use durable %SYS, you look at IRIS log /nfs/IRIS/iconfig/mgr/message.log.

And as Jim already noticed, you have double dash when defining the variable ICM_SENTINEL_DIR

If you can edit this code, you can try change to this.

<Data name="DESCRIP_2"> <RetrievalCode> S {DESCRIP_2}=$P($G(^PHPROP({L1},"DESC_CODES")),"\",2) S {DESCRIP_2}=$S($L({DESCRIP_2}):$Get(^SEDMIHP($P({DESCRIP_2},","),$P({DESCRIP_2},",",2))),1:{DESCRIP_2}) S {DESCRIP_2}=$E({DESCRIP_2},1,80) </RetrievalCode> </Data>

But not sure, if this correct.

What I did there, is, wrapped retrieving data from global ^SEDMIHP with the function $Get()

Or this way, with the default value

<Data name="DESCRIP_2"> <RetrievalCode> S {DESCRIP_2}=$P($G(^PHPROP({L1},"DESC_CODES")),"\",2) S {DESCRIP_2}=$S($L({DESCRIP_2}):$Get(^SEDMIHP($P({DESCRIP_2},","),$P({DESCRIP_2},",",2)),{DESCRIP_2}),1:{DESCRIP_2}) S {DESCRIP_2}=$E({DESCRIP_2},1,80) </RetrievalCode> </Data>

Well, such an interesting topic, and also quite wide.

Ok, TWAIN, is an API for image sources, it can be scanner or photo camera. You just asking about working with TWAIN, without any explanation of how you are going to use it and what sort of devices you going to utilize.

So, I'll just share some of my experience. How I've used only scanners, different types and with different workflows.

• Server way. One or more stream document scanner (sorry don't know right term in English). Just any scanner which can work in network and configured to place all scans to some network folder or send my emails. Before sending some documents to this scanner, the operator should stick some barcode, on the title page, or on added empty first page. On the server side, we have used ABBYY Recognition Server, which just watches some folder, and can decode barcode and recognize text in the document, pack it in XML and place it in another folder. This folder was watched by Ensemble, where we searched for barcode in our system and placed this as an attachment to this document. With recognized text, we also are able to search documents in our system by the content of this document.
• Client way. The operator working with a personal scanner connected right to his machine. While our application web-based and the server is far from this scanner, we used only client resources to scan images. We used java-applet which worked directly with TWAIN sources, so operator just called some functionality right from our application after finishing the scan, it has appeared as an attachment in the document. But this case now has some issues due to limitations for JAVA plugins in modern browsers. But it is now possible to find some modern solutions which may help to get access to twain on modern browsers, you can just google it.

SSO, can be achieved in some different ways. It can work over OAuth2, NTLM, Kerberos, SAML and so on. In different projects, I have used Kerberos/NTLM and OAuth2. But real SSO was only with Kerberos. And when you already have LDAP Auth in your application, it will be quite easy to add SSO. But also depends on which OS and which WEB server you have. On Windows much easier to start with IIS while so difficult to find a working module for Apache. On Linux there is also could be a problem to find the latest version of the module which will work with the latest version of apache. But when you will manage to get it worked on web-server side, on Caché side, almost nothing to do left. When you get first unauthorized request, you should return back with status 401, and say which method of authentication you need through header WWW-Authenticate: NTLM. Then if web server managed to get username, it will send it by header REMOTE_USER. Of course, you will not get password, you just use this username and authorize session. 

If your server on windows, you have two connection options. 

• Terminal. Available only locally, and can use windows security. Enabled by default.
• Telnet. Used to connect from outside. Disabled by default (you can activate this service in SMP.). After enabling, you can connect using terminal or any other tool by default port 22.

If your server on Linux. You have only one option is csession or irissession tool which works only locally to the server. For remote access you should use ssh or telnet. But you can't configure telnet from Cache. You should do it by yourself.

How Caché works with licenses, actually very interesting and sometimes quite difficult to understand, but it is possible to find a balance for everybody. Fortunately, at the same time, it has actually some tricks on how to turn it on your side.

The first important thing is every time when user login, you should log in the user not only in security but license as well. In this case, if the user uses the same IP address will be used the license unit.

In your case, I'm not even sure about forcing log out, do you really need it? You mentioned that your application still web, and does not matter is at wrapped as an application or opened right from the browser. You should have the same behaviour. So, you can reduce timeout for the session, add some timer which will ping the server from time to time when app is active to extend session time. Sessions on the server side also have a grace period after a timeout which is 5 minutes long, in most cases enough to return back from the call.