Scott Roth · Jun 4, 2024

Yup, same here. I have %ALL access, and still am not able to modify the Target of SEND. I tried all the different options that I could think of changing in the Web Applications, but no luck. I opened a ticket with WRC.

While I like the IF, THEN look and it is better than WHEN... if I have to disable it for now, I will leave that up to the team tomorrow.

Scott Roth · Jun 4, 2024

Yeah, I think I am going to lean that way too; there is something security-wise that is preventing me from editing the Target, but the documentation doesn't share any details about what it could be.

I left 

per what the document says. I tried CompileAllNamespaces() and different options, but it is still inconsistent on whether I can edit it or not.

Scott Roth · May 29, 2024

I fixed the Client setup to ensure that the Info URL looks correct, however still nothing is showing up in the FSLog from the Testing I am doing using the Testing tool on the HS.FHIRServer.Interop.HTTPOperation.

Scott Roth · May 29, 2024

I am not seeing any information in ISCLOG based on the Testing call that is being made.

Scott Roth · May 24, 2024

The table in Exists needs to have " " around it as it is still a string.

Scott Roth · May 24, 2024

There is a Schema issue; it is not liking the way you're grouping several segments together, which is resulting in the error.

Scott Roth · May 16, 2024

I know this is not using OAuth, but OAuth is just the Authentication method.

When I attempt to do something similar to search Patient for identifier=OSUMRN|xxxxx, I keep getting a 404 Not Found error. Nothing is showing up within the ISCLOG under the %SYS globals. Is there any way I can see the trace of the calls being made to verify that the correct APIs are being called in the correct format? What is the magic chant to get the ISCLOG to capture the information?

Scott Roth · May 14, 2024

The _system password is normally defined when you install the instance. But if you did not, I would try SYS as the password, then change it of course.

Scott Roth · May 9, 2024

When using a Code block, I find that I have to put a space in at the beginning of the code.

Scott Roth · May 6, 2024

I had to change the Access Control Rule (setfacl) on each of the files/folders to allow my non-root user access to the files/folders, using setfacl.

Scott Roth · May 6, 2024

Still no luck; it was suggested that I make sure the permissions were set correctly at the folder level: /etc/, /etc/pki/, /etc/pki/tls/. Each had irisusr as the group, but I am still receiving the Permission Denied error. Does anyone know what could be causing this?

Scott Roth · Apr 26, 2024

I have a ticket in with WRC to help me figure out this issue because it is bugging the crap out of me; I am trying to figure it out.

I have updated the Owner, Group, Folder Permissions, and Permission at the file level. REDEBUG is returning...

TLS enabled versions, minimum: 16, maximum: 32
04/24/24-16:18:26:573 (2675888) 0 [Generic.Event]
Cipher list for TLSv1.2 and below: ALL:!aNULL:!eNULL:!EXP:!SSLv2
04/24/24-16:18:26:573 (2675888) 0 [Generic.Event]
Ciphersuites for TLSv1.3: TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
04/24/24-16:18:26:573 (2675888) 0 [Generic.Event]
Certificate file: /etc/pki/tls/certs/int-lxiris-vd01.pem
04/24/24-16:18:26:573 (2675888) 0 [Generic.Event]
error:0200100D:system library:fopen:Permission denied
04/24/24-16:18:26:573 (2675888) 0 [Generic.Event]
error:20074002:BIO routines:file_ctrl:system lib
04/24/24-16:18:26:573 (2675888) 0 [Generic.Event]
error:140DC002:SSL routines:use_certificate_chain_file:system lib
04/24/24-16:18:26:573 (2675888) 0 [Generic.Event]

When I call... 

set jwt = ##class(%SYS.OAuth2.Authorization).GetAccessTokenJWT(....) 

However, I use the same SSL/TLS configuration that uses /etc/pki/tls/certs/int-lxiris-vd01.pem in my LDAP authentication.

I ran the following to verify the Certificate against the CA Authority.

[root@int-lxiris-vd01 certs]# openssl verify -verbose -CAfile /etc/pki/ca-trust/source/anchors/OSUWMC_CA.pem int-lxiris-vd01_osumc_edu.pem
int-lxiris-vd01_osumc_edu.pem: OK

Anyone have an idea on what might be going on? If there was a problem with the Certificate chain inside of /etc/pki/tls/certs/int-lxiris-vd01.pem wouldn't I have issues with LDAP Authentication? I tried deleting my user, and having the LDAP Authentication recreate it, and it did without any issues when I tried to sign in as my user.

@Sean Klingensmith, I know you helped out in the past with a previous WRC ticket and Post. Any idea on what might be going on?
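A defender-side check for the fopen: Permission denied errors in this post and for the setfacl/irisusr permission questions in the May 6 posts above, written here as an added example (not code from the original posts or from InterSystems): it walks every directory from / down to the certificate the way the kernel does for the account that runs the IRIS instance, so it names the exact directory or file that blocks access. The uid/gid values, the root argument and the file names are assumptions; only classic mode bits are evaluated, not POSIX ACLs.

```python
import os
import stat
import sys
from pathlib import Path
from typing import Iterable, List

def _bits_for(st: os.stat_result, uid: int, gids: set) -> int:
    """rwx triplet (0-7) that applies to uid/gids for one entry: owner class
    if uid matches, else group class if the gid is one of gids, else other."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 0o7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 0o7
    return st.st_mode & 0o7

def check_cert_access(cert_path: str, uid: int, gids: Iterable[int],
                      root: str = "/") -> List[str]:
    """List everything that would stop uid/gids from opening cert_path.

    Every directory from root down to the file needs the x (search) bit,
    and the file itself needs the r bit. Only classic mode bits are
    evaluated; POSIX ACLs added with setfacl are not consulted, so run
    getfacl separately where those are in use. Empty list == readable.
    """
    gids = set(gids)
    path = Path(cert_path).resolve()
    base = Path(root).resolve()
    problems: List[str] = []
    # Ancestors of the file at or below root, ordered top-down.
    chain = [d for d in path.parents if d == base or base in d.parents]
    for d in reversed(chain):
        if not _bits_for(os.stat(d), uid, gids) & 0o1:
            problems.append(f"no search (x) permission on directory {d}")
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return problems + [f"file not found: {path}"]
    if not stat.S_ISREG(st.st_mode):
        problems.append(f"not a regular file: {path}")
    if not _bits_for(st, uid, gids) & 0o4:
        problems.append(f"no read (r) permission on file {path}")
    return problems

if __name__ == "__main__":
    # Usage: python check_cert_access.py <pem-file> <uid> <gid>...
    # (pass the uid/gids of the account the IRIS instance runs as, e.g. irisusr)
    pem, uid, *gids = sys.argv[1:]
    print("\n".join(check_cert_access(pem, int(uid), map(int, gids)) or ["OK"]))
```

Run it with the uid and group list from `id irisusr`; a directory reported without search permission is the usual cause when the file itself already looks right, since OpenSSL's fopen fails on the first ancestor it cannot traverse.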

Scott Roth · Apr 25, 2024

Sessions normally are available closer to the date of the Summit. You should receive a notice when they are available to be Scheduled.

Scott Roth · Apr 25, 2024

I noticed that this is now included in 2024.1, and there is documentation Production Validator | HealthShare Health Connect 2024.1 (intersystems.com)

While I was able to help test the code, the code version I have is probably an older version. The Documentation mentions loading the code for the Production Validator and compiling it in the system.

For me and others, where can that updated Production Validator code be found? @James Bourette

Scott Roth · Apr 23, 2024

I am being told the OAuth certificate has no chain behind it; it is a Self Signed Certificate/Key Pair. I changed the ownership of the files to irisusr:irisusr, but I am still getting the same error message...

"error reported 'error:0200100D:system library:fopen:Permission denied, error:20074002:BIO routines:file_ctrl:system lib, error:140DC002:SSL routines:use_certificate_chain_file:system lib' *"

I am still thinking it is something wrong with the Cert/Private Key that was provided to me from the Application, am I wrong?

Scott Roth · Apr 23, 2024

My real concern is... "error:0200100D:system library:fopen:Permission denied, error:20074002:BIO routines:file_ctrl:system lib, error:140DC002:SSL routines:use_certificate_chain_file:system lib",,,,,,,$lb(,"%SYS",$lb("e^Send+313^%Net.HttpRequest.1^1","e^Post+1^%Net.HttpRequest.1^1","e^GetAccessTokenJWT+44^%SYS.OAuth2.Authorization.1^1"

Is there an issue with my Certs?

Scott Roth · Apr 15, 2024

I was able to get past the iam-setup.sh, but now when I run podman-compose up -d I am getting the following error...

:>sudo podman-compose up -d
podman-compose version: 1.0.6
['podman', '--version', '']
using podman version: 4.6.1
** excluding:  set()
['podman', 'ps', '--filter', 'label=io.podman.compose.project=scripts', '-a', '--format', '{{ index .Labels "io.podman.compose.config-hash"}}']
podman volume inspect scripts_pgdata14 || podman volume create scripts_pgdata14
['podman', 'volume', 'inspect', 'scripts_pgdata14']
['podman', 'network', 'exists', 'scripts_default']
podman run --name=scripts_db_1 -d --label io.podman.compose.config-hash=0b8c4491a1820337de3b759d5b1067ea78426dafeaec513283d14bd1ac5c3e8b --label io.podman.compose.project=scripts --label io.podman.compose.version=1.0.6 --label PODMAN_SYSTEMD_UNIT=podman-compose@scripts.service --label com.docker.compose.project=scripts --label com.docker.compose.project.working_dir=/ensemble/tmp/IAM/scripts --label com.docker.compose.project.config_files=docker-compose.yml --label com.docker.compose.container-number=1 --label com.docker.compose.service=db -e POSTGRES_DB=iam -e POSTGRES_PASSWORD=iam -e POSTGRES_USER=iam -v scripts_pgdata14:/var/lib/postgresql/data --net scripts_default --network-alias db -i --restart on-failure --healthcheck-command /bin/sh -c pg_isready' '-U' 'iam --healthcheck-interval 30s --healthcheck-timeout 30s --healthcheck-retries 3 postgres:14.5
7db3dff8488e4115cd7d65d4ea61be9de185e68dfdbcf1744ec913b02314645c
exit code: 0
['podman', 'network', 'exists', 'scripts_default']
podman run --name=scripts_iam-migrations_1 -d --requires=scripts_db_1 --label io.podman.compose.config-hash=0b8c4491a1820337de3b759d5b1067ea78426dafeaec513283d14bd1ac5c3e8b --label io.podman.compose.project=scripts --label io.podman.compose.version=1.0.6 --label PODMAN_SYSTEMD_UNIT=podman-compose@scripts.service --label com.docker.compose.project=scripts --label com.docker.compose.project.working_dir=/ensemble/tmp/IAM/scripts --label com.docker.compose.project.config_files=docker-compose.yml --label com.docker.compose.container-number=1 --label com.docker.compose.service=iam-migrations -e KONG_DATABASE=postgres -e KONG_PG_DATABASE=iam -e KONG_PG_HOST=db -e KONG_PG_PASSWORD=iam -e KONG_PG_USER=iam -e KONG_CASSANDRA_CONTACT_POINTS=db -e ISC_IRIS_URL= -e ISC_CA_CERT= --net scripts_default --network-alias iam-migrations --restart on-failure  bash -c kong migrations bootstrap; kong migrations up; kong migrations finish
Error: repository name must have at least one component
exit code: 125

podman start scripts_iam-migrations_1
Error: no container with name or ID "scripts_iam-migrations_1" found: no such container
exit code: 125

['podman', 'network', 'exists', 'scripts_default']
podman run --name=scripts_iam_1 -d --requires=scripts_db_1 --label io.podman.compose.config-hash=0b8c4491a1820337de3b759d5b1067ea78426dafeaec513283d14bd1ac5c3e8b --label io.podman.compose.project=scripts --label io.podman.compose.version=1.0.6 --label PODMAN_SYSTEMD_UNIT=podman-compose@scripts.service --label com.docker.compose.project=scripts --label com.docker.compose.project.working_dir=/ensemble/tmp/IAM/scripts --label com.docker.compose.project.config_files=docker-compose.yml --label com.docker.compose.container-number=1 --label com.docker.compose.service=iam -e KONG_ADMIN_ACCESS_LOG=/dev/stdout -e KONG_ADMIN_ERROR_LOG=/dev/stderr -e KONG_ADMIN_LISTEN=0.0.0.0:8001 -e KONG_ANONYMOUS_REPORTS=off -e KONG_CASSANDRA_CONTACT_POINTS=db -e KONG_DATABASE=postgres -e KONG_PG_DATABASE=iam -e KONG_PG_HOST=db -e KONG_PG_PASSWORD=iam -e KONG_PG_USER=iam -e KONG_PROXY_ACCESS_LOG=/dev/stdout -e KONG_PROXY_ERROR_LOG=/dev/stderr -e KONG_PORTAL=on -e KONG_PORTAL_GUI_PROTOCOL=http -e KONG_PORTAL_GUI_HOST=127.0.0.1:8003 -e KONG_ADMIN_GUI_URL=http://localhost:8002 -e ISC_IRIS_URL= -e ISC_CA_CERT= --net scripts_default --network-alias iam -p 8000:8000 -p 8001:8001 -p 8002:8002 -p 8003:8003 -p 8004:8004 -p 8443:8443 -p 8444:8444 -p 8445:8445 --restart on-failure
Error: repository name must have at least one component
exit code: 125

podman start scripts_iam_1
Error: no container with name or ID "scripts_iam_1" found: no such container
exit code: 125


Scott Roth · Apr 15, 2024

My httpd.conf is set up to send / to CSP.

### BEGIN-ApacheCSP-SECTION ####
LoadModule csp_module_sa "/opt/webgateway/bin/CSPa24.so"
CSPModulePath "/opt/webgateway/bin/"
CSPConfigPath "/opt/webgateway/bin/"
CSPFileTypes csp cls zen cxw
Alias /csp/ /opt/webgateway/bin/
<Location />
        CSP On
</Location>
<Location "/csp/">
        CSP On
</Location>
<Location "/api/">
        CSP On
</Location>
<Location "/oauth2/">
        CSP On
</Location>
<Location "/isc/">
        CSP On
</Location>
<Location "/ui/">
        CSP On
</Location>

<Directory "/opt/webgateway/bin/">
        AllowOverride None
        Options MultiViews FollowSymLinks ExecCGI
        Require all granted
        <FilesMatch "\.(log|ini|pid|exe)$">
                Require all denied
        </FilesMatch>
</Directory>

Scott Roth · Apr 12, 2024

I played around with the iam-setup.sh script and found that when I ran the script without a CA and port it was able to connect to the IRIS instance. The next step is that the docker will not start; I need to dig into that more.

Scott Roth · Apr 11, 2024

We just went through the same dilemma. It was recommended from an IT audit perspective that we look into securing the access and hardening what access was given.

We had been using Delegated authentication that performed the necessary lookup against LDAP, but the way in which we did it was not ideal according to the Audit. So, we moved to using the internal LDAP functionality inside IRIS, and through a painful process I was able to get a TLS certificate signed by the Active Directory Services. 

By knowing how to obtain a Certificate signed by the CA that is used across the Medical Center, it allowed us to configure Apache and a Local instance of the Web Gateway to encrypt the connection to the management portal instead of using HTTP with port 52773. VS Code was not affected either as we switched our VS Code connections to use https and port 443.

We also took steps in hardening access by limiting resources, and web applications by those resources as well.

That was just how we addressed it. Configuring a local firewall or network access based on ports is painful, but it can be done. As applications are moved to a segregated network we have had to start having tickets put in to allow traffic across ports, so we are updating the network as we go through new applications. Eventually we will need to do this for all ports, as the Powers that be would like us to move to the Cloud eventually.

Scott Roth · Apr 11, 2024

I verified that /api/iam is enabled, but using CURL or POSTMAN I keep getting a 404 - Not Found error. I thought it might be because the script is looking for /api/iam/license, so I shortened it to /api/iam to see if I could get a response, but I am still getting the 404 error.

I even tried unauthenticated on /api/iam.

Scott Roth · Apr 9, 2024

Thanks, I did receive an email, downloaded the new kit, and upgraded our DEV environment yesterday to start evaluating.

Scott Roth · Apr 5, 2024

The scenario was for a Backload that may or may not happen. The Backloaded data does not include a field that was recently added to the interface. I think, if need be, since it is a one-time backload, I might just use a Data Lookup table to get the missing information into the backloaded data.

Scott Roth · Apr 3, 2024

I have many integrations using JDBC stored procedure calls against MS SQL. 

  • Define a Stored Procedure Class Structure that Extends (%Library.Persistent, %XML.Adaptor) [ Not ProcedureBlock, SqlRowIdPrivate ] for any Parameters (Properties) that need to be passed to the stored procedure

Class osuwmc.CPD.DataStructures.CheckProviderSpecialty Extends (%Library.Persistent, %XML.Adaptor) [ Not ProcedureBlock, SqlRowIdPrivate ]
{

/// Input value that will be passed to the stored procedure
Property DoctorNumber As %String(MAXLEN = 6);

Storage Default
{
<Data name="CheckProviderSpecialtyDefaultData">
<Value name="1">
<Value>%%CLASSNAME</Value>
</Value>
<Value name="2">
<Value>DoctorNumber</Value>
</Value>
</Data>
<DataLocation>^osuwmc.CPD59D.CheckProvideAF3D</DataLocation>
<DefaultData>CheckProviderSpecialtyDefaultData</DefaultData>
<IdLocation>^osuwmc.CPD59D.CheckProvideAF3D</IdLocation>
<IndexLocation>^osuwmc.CPD59D.CheckProvideAF3I</IndexLocation>
<StreamLocation>^osuwmc.CPD59D.CheckProvideAF3S</StreamLocation>
<Type>%Storage.Persistent</Type>
}

}

  • Using a Custom Operation that uses the EnsLib.SQL.Outbound adapter and an XData Message Map, I create Methods that use the Stored Procedure class structure defined and return EnsLib.SQL.Snapshot.

Include (EnsSQLTypes, %occODBC)

Class osuwmc.Epic.MFN.EpicMFNToCPDDBWriteDEV Extends Ens.BusinessOperation [ ClassType = "", ProcedureBlock ]
{

Parameter ADAPTER = "EnsLib.SQL.OutboundAdapter";

Parameter INVOCATION = "Queue";

/// DSN captured from the adapter at startup
Property InitDSN As %String;

Method OnInit() As %Status
{
    Set ..InitDSN = ..Adapter.DSN
    // Clear any runtime data left over from a previous run of this config item
    Kill $$$EnsRuntimeAppData(..%ConfigName)
    //Set ..Adapter.ConnectAttrs = "QueryTimeout:45" ; try this too just in case...
    Quit $$$OK
}

  • I call the execution of the stored procedure using ..Adapter.ExecuteProcedureParmArray

Method CheckDoesProviderExists(pRequest As osuwmc.CPD.DataStructures.CheckDoesDoctorNumberExist, Output pResponse As EnsLib.SQL.Snapshot) As %Status
{
  // Parameterized call: the ? placeholders are bound below, nothing is concatenated into the SQL
  set SPQuery = "{ ?= call InterfaceCheckDoctorNumber(?) }"

  // Top node of the parm array is the parameter count
  set parm = 2

  // Parameter 1: the procedure's return value (output)
  set parm(1,"SqlType")=$$$SQLVARCHAR
  set parm(1,"IOTypes")=$$$SQLPARAMOUTPUT

  // Parameter 2: DoctorNumber from the request (input)
  set parm(2)=pRequest.DoctorNumber
  set parm(2,"SqlType")=$$$SQLVARCHAR
  set parm(2,"IOTypes")=$$$SQLPARAMINPUT

  // "oi" lists the IO type of each parameter in order: output, input
  set tSC = ..Adapter.ExecuteProcedureParmArray(.CheckDoctor,.outputs,SPQuery,"oi",.parm)
  if tSC = 1
  {
    // First result set returned by the procedure
    set pResponse = CheckDoctor.GetAt(1)
  }
  quit tSC
}

}

Let me know if you need additional help, but this should give you a good start.

Scott Roth · Apr 2, 2024

I am not seeing HealthShare Health Connect 2024.1 listed under the HealthShare Full Kits. Am I missing something?