Are you using the private key you created at the time you generated the CSR, or one provided by your server folks? You need to use the one you generated.

And I'm assuming your private key is encrypted, and therefore has the following header in the file:

    -----BEGIN ENCRYPTED PRIVATE KEY-----

Have you tried decrypting it with openssl?

    openssl rsa -in /etc/pki/tls/private/ssl_vd01.key -text

You should be prompted for a passphrase; use the one you provided when you generated the CSR. If it decrypts OK, you'll get something similar to this:

    RSA Private-Key: (2048 bit, 2 primes)
    modulus:
        00:98:42:c5:37:28:e4:b9:69:e4:a0:45:86:b1:20:
        39:5f:78:36:96:14:f8:e9:4f:49:7d:44:31:16:3c:
    <remainder elided>

If you don't get something like this, the passphrase is wrong for the key file. If you do, verify that you've provided the proper passphrase in both the %SuperServer SSL configuration and the Web Gateway Server Access configuration.

You'll also need to provide the passphrase when starting httpd, which may not be obvious if SELinux is blocking it; running the following command will allow the prompting for a password when starting/restarting httpd:

    setsebool -P httpd_read_user_content 1

I ran into this issue with a customer within the last few days. The customer provided me with a GoDaddy-supplied certificate (in PEM/x509 format) and a private key file. Unfortunately the private key wasn't anything recognizable by openssl (it definitely wasn't an RSA key at least), and it did not appear to be encrypted.

The resolution was to regenerate an RSA private key and CSR ourselves with openssl, then submit the CSR to GoDaddy for generation of the certificate. The RSA key and the cert from GoDaddy were supplied as the certificate and private key for both the %SuperServer SSL configuration and the cert/private key in the Web Gateway server configuration.
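As an added example (not part of the original posts), this POSIX shell function reports what a supposed private-key file actually contains, judged from its PEM armor, which separates the encrypted-key case in the first post from the unrecognizable-key case in the second. The format labels and the `bom`/`crlf` flags are this example's own naming.

```shell
#!/bin/sh
# Added example: report what a "private key" file contains, judged from its
# PEM armor. Output: "<format> <encrypted|unencrypted|unknown>[ bom][ crlf]"
classify_key_file() {
    f=$1
    [ -r "$f" ] || { echo "unreadable unknown"; return 2; }
    flags=""
    # A UTF-8 byte-order mark (EF BB BF) ahead of the armor, or CRLF line
    # endings, can come from an editor or download and confuse PEM parsers.
    if [ "$(head -c 3 "$f" | od -An -tx1 | tr -d ' \n')" = "efbbbf" ]; then
        flags="$flags bom"
    fi
    if grep -q "$(printf '\r')" "$f"; then flags="$flags crlf"; fi
    # Label of the first armor line, e.g. "ENCRYPTED PRIVATE KEY".
    label=$(tr -d '\r' < "$f" |
        sed -n 's/^.*-----BEGIN \(.*\)-----.*$/\1/p' | head -n 1)
    enc=unknown
    case "$label" in
        "ENCRYPTED PRIVATE KEY") fmt=pkcs8; enc=encrypted ;;
        "PRIVATE KEY")           fmt=pkcs8; enc=unencrypted ;;
        "RSA PRIVATE KEY"|"EC PRIVATE KEY")
            # First word of the label, lower-cased: "rsa" or "ec".
            fmt=traditional-$(echo "${label%% *}" | tr 'A-Z' 'a-z')
            # Legacy PEM encryption is announced by a Proc-Type header line.
            if tr -d '\r' < "$f" | grep -q '^Proc-Type: 4,ENCRYPTED'; then
                enc=encrypted
            else
                enc=unencrypted
            fi ;;
        "OPENSSH PRIVATE KEY")   fmt=openssh ;;   # OpenSSH's own container
        "CERTIFICATE")           fmt=certificate-not-a-key ;;
        "CERTIFICATE REQUEST")   fmt=csr-not-a-key ;;
        "")
            if head -n 1 "$f" | grep -q '^PuTTY-User-Key-File-'; then
                fmt=putty-ppk
            elif [ "$(head -c 1 "$f" | od -An -tx1 | tr -d ' \n')" = "30" ]; then
                fmt=der-binary            # ASN.1 SEQUENCE tag, no PEM armor
            else
                fmt=unrecognized
            fi ;;
        *)  fmt=other-pem ;;
    esac
    echo "$fmt $enc$flags"
}
# Usage: sh classify_key.sh /path/to/file.key
if [ "$#" -gt 0 ]; then classify_key_file "$1"; fi
```

Only a result of `pkcs8 encrypted` or `traditional-rsa encrypted` means a passphrase prompt is expected; any other result points at the file itself rather than the passphrase.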

I've installed standalone web servers/gateways on both the same host as IRIS and on separate servers that support multiple standalone IRIS instances. I often use the standalone web host/gateway as the arbiter host for a mirrored server pair. The customer I'm currently working with has all of their PROD and STAGE hosts (mirror pairs and DR servers) accessible through two separate web server/arbiter hosts.

If you're doing this to enhance security, it's not just about installing certificates and turning on TLS for the web server. You also need to make sure the communication between the web gateway module and the IRIS server is encrypted via TLS (primarily when the gateway is on a host separate from the IRIS instance). And if you're doing that, you probably ought to make sure that ODBC/JDBC and Studio connections are also encrypted, you've enabled STARTTLS for LDAP/AD authentication, TLS for mirror synchronization, etc.

@Brett Saviano,

Apologies if I'm seeming a little dense here, but what's the relevance of CI/CD to the workflow I described? In my experience the need to move code from one work area to another has been fairly common, and while it's not a streamlined operation in IRIS Studio, it at least doesn't require editing configuration files.

I'm not talking about big projects here, just the sort of stuff you need to do in healthcare integration (custom business hosts, scheduled tasks, or utility methods used in business rules/DTLs).

Is VS Code simply the wrong tool for my needs? I use it for other projects and very much like it as an editor, so was hopeful it would be an effective replacement for IRIS Studio.

One oddity I've noticed when using this method is that the Home/End keys don't work as expected.

If I start an ssh shell session and manually run iris session <instance>, everything works normally.

If I start it using the method described in my post above, the Home and End keys seem to send a newline or carriage return, sending what I've typed to the IRIS interpreter rather than moving the cursor to the beginning of the line. This is regardless of whether I execute it from VS Code or the "DOS" Shell, so it's not really a VS Code problem. Just curious if anyone else has a solution ...

Note: Interestingly Ctrl+A works for moving to the beginning of the line ... but not Home.

    set tmpStr = ##class(%Stream.FileCharacter).%New()
    do tmpStr.LinkToFile("/some/writeable/location/temp.json")
    do tmpStr.CopyFrom(newMsg)
    do tmpStr.%Save()

You should then be able to open the JSON file outside of Caché/Ensemble, from the location to which it was written.

EDIT: The location could potentially be /<cache-install-dir>/csp/user/<filename> ... in which case you may be able to access it through the Caché/Ensemble web server and display it in your web browser:

http://<hostname>:<port>/csp/user/<filename>

For those that use a Windows workstation but code on a Linux/Unix-based server, here's a configuration that provides a remote IRIS terminal session. It uses the ssh client that is included with Windows 10 (I'm assuming there's one in Windows 11 as well).

Add it to your user settings to make it available across all of your projects, or to your workspace settings to have a custom terminal session per workspace:

    "terminal.integrated.profiles.windows": {
        "IRIS Session": {
            "overrideName": true,
            "path": "C:\\Windows\\System32\\OpenSSH\\ssh.exe",
            "args": [
                "-t",
                "<user>@<hostname>",
                "iris session <instance>"
            ]
        }
    }

Do you have a corporate mail server that supports SMTP relay? You would need to get the details from the administrator of the mail system. Some require TLS, some don't. Some require credentials, others don't. 

You can use Gmail, in which case you would need a configuration of something like this:

    Mail server? smtp.gmail.com
    Mail server port? 587
    Mail server SSLConfiguration? <SSLConfigName> <-- You would need to create this in Security | SSL/TLS Configurations
    Mail server UseSTARTTLS? 1

You will also need to supply your Gmail email address for the username, and an app password (created in your Google Account Security settings) for the Set Authentication option.

Your best bet would be to discuss your email delivery requirements with the mail server administrator of your organization; they should be able to provide you with the required values. If this is for a private/personal installation of Caché or IRIS, Gmail is probably the easiest to configure and best documented.

If you create a class that extends Ens.Rule.FunctionSet, you can have a method that's selectable from the expression editor in either a DTL or a Routing Rule ...

    Class User.Util.MetaData Extends Ens.Rule.FunctionSet
    {
    /// Retrieves the UserValue associated with key <var>pKey</var> from the message object supplied as
    /// <var>pMsg</var> (normally <strong>source</strong> in a DTL or <strong>Document</strong> in
    /// a Routing Rule) as a %String. Returns an empty string if the key is undefined.
    ClassMethod UserValueGet(pMsg As EnsLib.HL7.Message, pKey As %String) As %String
    {
        If pMsg.UserValues.IsDefined(pKey)
        {
            Return pMsg.UserValues.GetAt(pKey)
        }
        Return ""
    }
    }

I haven't found support for this yet. I have a need for this as well and am considering writing an adapter to support get/put operations using smbclient. If there's a better/quicker way to accomplish this, I'd be very excited to learn about it.

We had toyed with the idea of mounting all of the shares as cifs filesystems on the RHEL 8.5 hosts, but there are quite a few ... Dynamically establishing a connection and then performing the required operation is preferred.