I recently started work on trying to Tighten Security in our Development Instance of IRIS that is running based on recommendations from our Audit as you might of seen from my other posts. I am currently trying to get into the Private Web Gateway Manager within IRIS as CSPSystem, but when I attempt to sign in nothing happens. 

I went through and reset the password in the CSP.ini and within IRIS for CSPSystem. I made sure it had the new GatewayRole per suggested 

https://docs.intersystems.com/healthconnect20231/csp/docbook/DocBook.UI.Page.cls?

I am trying to lock down security within our Development environment per requirements from a Security Audit that was done earlier this year. I need to try to limit access at a public level, access to cache users, and exposure.

I installed IRIS with the Lockdown method, and have configured my web applications, services, resources, etc.

When I go into my namespace, I am constantly presented with the following error when I try to start or stop an Object...

Cannot login as IRIS manager.

We currently have a couple of Shell scripts we have written to EnableConfigItem from a Unix (Red Hat) command line, so we can control when a Service/Operation is running via the cron in Unix. We do this by calling

:>iris session xxxxx

using _system user.

During our Security audit it was mentioned that we need to lock down some of the cache users. 

• So, has others written scripts to make IRIS calls via command line?
  • If so, what is the consensus of using a Cache user vs using say a LDAP service account?

• Or what have you used in the past to ensure that the password is not hardcoded anywhere?

We are noticing some issues with the communication between our Arbiter and our servers. Looking at the following documentation to limit connections, and logging...https://docs.intersystems.com/irislatest/csp/docbook/DocBook.UI.Page.cls?KEY=GHA_mirror_set_config#GHA_mirror_set_agent_port

if I am configuring the ISCAgent on the arbiter, would we set 

application_server.interface_address=<ip_address>

to each IRIS server? Or does this mean to give it a specific NIC IP Address to use for communication?

Currently we are using Delegated Authentication using ZAUTHENTICATE to look at the groups that are associated with a user and if it matches a role within IRIS, to assign the user to that role within IRIS. 

Instead of using ZAUTHENTICATE as custom code, I am looking to use the built-in LDAP Authentication instead. Since I already have two AD Groups called (Access.Ensemble.Developer.User and Access.Ensemble.DataLookup.User) is it possible to config the built in LDAP functionality to look for these groups and assign the users to the correct roles within IRIS without the custom ZAUTHENTICATE?

My original ZAUTHENTICATE.mac to use Delegated sign on did not include GetCredentials(), however I am being told it probably should have it so I am eliminate an error I am seeing when trying to troubleshoot the ZAUTHENTICATION. I am trying to add the GetCredentials() from the documentation to the existing ZAUTHENTICATE.mac  but I am getting an error

GetCredentials(ServiceName,Namespace,Username,Password,Credentials) Public {

  // For console sessions, authenticate as _SYSTEM.
  If ServiceName="%Service_Console" {
    Set Username="_SYSTEM"
    Set Password="SYS"
    Quit $SYSTEMStatus.

Still working on my first External REST API call, and I am struggling to find the exact answer I am looking for... I get a JSON response from my API call but I am not quite sure how to dynamically get the JSON response into the Ens.Response Object with its lists of Arrays that I have defined.

  set tSC = ..Adapter.SendFormDataArray(.tHTTPResposne,"POST",tHTTPRequest,,,tURL)

  set pResponse = ##class(User.REST.Epic.Msg.GetPatientLocationResponse).%New()

  set dynObject = {}.%FromJSON(tHTTPResposne.Data)

  set iter = dynObject.%GetIterator()

  while iter.%GetNext(.

I am working on my first REST operation to send a API Request to an internal server within our Network. I have finally got past the point of being able to connect using a SSL/TLS Configuration, but I am getting a ERROR <Ens>ErrHTTPStatus: Received non-OK status 403 from remote HTTP server: 'HTTP/1.1 403 Forbidden'.

I have tried using $$$TRACE within my operation to capture the different elements that are being sent to verify the Server, URL, SSL Configuration, and payload.

Recently I started moving some of our JDBC Gateway configurations over to using the Microsoft JDBC Gateway driver instead of using the jTDS open source driver. I have noticed since then that those Objects that are using Microsoft JDBC Driver are throwing a lot more errors than the jTDS driver ever did, which I can understand however I am puzzled that I keep running into an issue with the Java Gateway Service within the Interoperability engine.

Every so often I will start seeing "Gateway Server failure timeout on 127.0.0.1:55550" followed by "Gateway Server did not respond to PING request.

Is there a way problematically to see what Operations/Services are attached to a EnsLib.JavaGateway.Service and if there are issues with the EnsLib.JavaGateway.Service to stop/start those Services/Operations that might be attached to it?

Thanks

First time setting up a SSL/TLS connection, and I am running into issues when I call it from within a Business Operation. I used openssl to generate a RSA 4096  SHA512 key/csr request for our Active Directory Certificate Service to generate a Certificate Chain for me to use within RedHat. I was 
able to connect to our Web Service server using a generic request from terminal, however when I try it from our Business Operation I am running into issues.

I tested the SSL/TLS connection using the following commands from the terminal.

DEVCLIN>set request=##class(%Net.

I am trying to setup our first SSL/TLS configuration so we can possibly connect to the EMR FHIR server to pull data into the Interoperability engine.

I am running on Red Hat, and created and submitted a openssl CSR request to our Windows ADCS system.

I used the following command to generate the key and CSR request to submit to Windows ADCS

openssl req -new -sha512 -nodes -newkey rsa:4096 -keyout xxxxxxx.key -out xxxxxxxx.csr

When the certificate was generated I was able to download the individual certificate (cer) and the certificate chain (p7b) in  DER or Base64.

Trying my first REST call operation to our internal EMR (Epic) server, and I am receiving "ERROR #6097: Error '<READ>Read+28^%Net.HttpRequest.1' while using TCP/IP device '9999'" when I attempt to test my operation. When I look up the General Error Messages for 6097 I am seeing...Error '%1' while using TCP/IP device $zu(189,1)='%2'. What does this mean? 

I am trying to connect to the server over port 443 which is HTTPS but I am not using an SSL Configuration. Could that be the issue? 

Is there a way to debug HTTP like their is with the ISCSOAP log?

I am playing around with trying to make an Epic REST API call from an operation, and from what I understood because the request has to be sent as POST, I need to send the request as JSON. However when I try taking the request and running %ToJSON against it for the payload to be created I am getting an error...

ERROR <Ens>ErrException: <METHOD NOT SUPPORTED>zgetPatientLocationByVisit+6^User.SCOTT.REST.APIOperation.1 *%ToJSON,osuwmc.Epic.Access.Request.

I had attempted to create a REST Operation before but did not have success. As I am going through the Tutorials and Documentation everything references REST services, but I have a case where I want to create a REST Operation that makes Epic API calls against Interconnect. I have done SOAP operations before and we currently have one in our Production Namespace, but from what I understand SOAP has the wsdl which defines al the structures and etc, where REST does not. 

So how does one go about creating a REST Operation if Learning Tutorials and Documentation always talks about REST services?

Had an issue on Friday where a vendor added an additional field in the middle of a row of one of our record maps. This threw the mapping off when I take the record and try to map it into HL7 and caused massive amounts of errors in our EMR because the data was wrong.

Is there a way that I can add validation on the Business Service to say if the fields are off to fail, stop, and alert on the Business Service?

I am trying to add Web Terminal as a feature for my team to use. 

I installed webterminal via zpm "install webterminal" ran on %SYS on our Development box.

%SYS>zpm "install webterminal"

[%SYS|webterminal]      Reload START (/ensemble/DEV/mgr/.modules/%SYS/webterminal/4.9.6/)
[%SYS|webterminal]      Reload SUCCESS
[webterminal]   Module object refreshed.
[%SYS|webterminal]      Validate START
[%SYS|webterminal]      Validate SUCCESS
[%SYS|webterminal]      Compile START
Recompiling WebTerminal, skipping the deletion...
Installing WebTerminal application to %SYS
Updating web application

Forgive me but our System Administrator who knows how the networking works is OOO...

How does IRIS know which local adapters are available to populate in an Inbound or Outbound TCP Adapter Object? We recently moved from HealthShare Health Connect 2018.1.3 to IRIS HealthShare Health Connect  2022.1. When we migrated we moved the VIP over to the new box and set it at the hardware level.

On RedHat when I do an ifconfig I have two ens192

Ran into an issue with our upgrade from HealthShare Health Connect 2018.1.3 to IRIS HealthShare Health Connect 2022.1, that I thought I would reach out about, I already have a ticket open with WRC and started a chat on Discord. We have a couple of MS SQL tables that I have setup as Linked Tables within Cache to query NPI, Patient Account Information, Visit information, etc.

I am running into an error trying to send an Alert Email to test the functionality of IRIS HealthShare Health Connect  2022.1 compared to Cache HealthShare Health Connect 2018.1.3. I was trying to send an Alert email, when I am getting the following error on my EMailAlert operation which is using EnsLib.EMail.OutboundAdpater.

I verified the message to the EMailAlert was populated, so what could be throwing this error...

I found the problem to be with

I am trying to finish build for moving to IRIS HealthShare Health Connect 2022.1 from HealthShare Health Connect 2018.1.3. I am currently using Delegated Authentication using an AD group to match up to the Role in IRIS. The Role has access to everything but the HS Resources because we don't really use the HS Resources for anything. We are mainly using IRIS for the Interoperability Engine. 

When I run System Administration --> Security --> Security Advisor, I am getting the following error.... "It has been logged to system error log (System Operation>System Logs>Application Error

I wrote a function awhile back to take Encoded Base 64 and write the PDF out to a file that could be sent to a faxing system to fax out. We are trying to test this code out in IRIS and I am seeing an error that I have not seen before... ERROR #5034: Invalid status code structure

Here is the code...

ClassMethod DecodeBase64HL7ToFile(base64 As

We are currently using different iterations of Ens.Director.EnableConfig items to start/stop objects within the Interoperability Namespace. We are looking for ways to minimize our downtime as we move from AIX to a new section of our Network and Red Hat Servers.

Besides using Ens.Director.EnableConfig item and waiting for a response, or just disabling the objects through the Namespace class file, is there a quicker way to stop Services and Operations to ensure the TCP disconnect is sent to those endpoints so we can move the networking rules to ensure they point to new servers?

We have a function that was written for us that allows us to create text files for logging certain aspects to the OS using %Stream.FileCharacter. We had no issues with this until we moved from AIX to Red Hat.

Now it seems the 1st time the function is called, and the file is created the permissions seem to be correct on the file. But as soon as we attempt to write another line to the file using MoveToEnd() it seems the permissions are changed on the file. I have been able to narrow the issue down to the MoveToEnd() by calling the function from different users.

I followed the instructions to setup the Port Authority Report in our new IRIS instances, but noticed if I tell it to run every hour I am getting the following error message...

Here is how the report is setup...

Has anyone run into this issue? If so how do you resolve it?

Please and thanks

I had an interesting scenario come up, as when we moved from eGate to Ensemble and we will be moving to IRIS here in the near future I was taught to create Business Processes for writing to and extracting data from outside MS SQL Databases.

That works ok for simple messages but I have a case where I have a rather large MFN message coming in from a vendor. The normal Business Process of reading in the HL7, and parsing the message into Stored Procedure structure calls has worked in the past with smaller messaging like ADT, etc.

I am trying to pinpoint and troubleshoot an issue we have been seeing lately. We have several SQL Outbound Adapter Operations that are seeing issues trying to connect to our MS SQL Servers using the JDBC Gateway for calling insert, select, update, and stored procedure calls.

ERROR <Ens>ErrFailureTimeout: FailureTimeout of 20 seconds exceeded in osuwmc.Visit.

We are migrating to new servers, and I need to copy the information from Business Partner's over to the new server. Is this information in a Global or SQL table somewhere that I can export and import into the new IRIS environment?

Thanks

Scott

I am looking into creating a ZSTOP as you probably have seen from my previous posts, is there a way to capture the type of shutdown that occurred? So say if there was an unknown hardware failure (forced), vs a user shutdown? Mainly looking for user or system shutdown when we force another destination to become the primary in the mirror. So if a user shutdown the production to do.,... Task A, Task B etc..

Thanks

Scott 

We have messages that are in a queued state for various reasons and when we do a manual shutdown of the instance, they are moved to a Suspended state. I thought I saw in the documentation somewhere a setting to make sure these messages stay in a queued state and not suspend them. Can someone confirm and point me in the correct location for that documentation, as I am trying to ensure that if we do have to manually shutdown a instance, someone doesn't have to remember to go back in and check for suspended messages and resubmit them?

Thanks