Using the PKI to generate certificates is NOT supported for production systems, as documented here:

I can't stress that enough.  It is provided for convenience for testing purposes.  For production systems or test systems that require proper security, please use certificates/keys specified from the source determined by your security admins, and make sure the procedures they specify for safeguarding the keys are in place and adhered to.

This is sort of the minimum for just enabling SSL/TLS on apache.  Please see apache documentation for further configuration options, including but not limited to selecting ciphersuites and configuring client verification:

Also, please recall that the private web server is provided for convenience and that for production purposes you should install a CSP/Web Gateway into a full web server.  Per this documentation, quote:

When installing InterSystems IRIS, this private version of Apache is installed to ensure that:

  1. The Management Portal runs out of the box.
  2. An out-of-the-box testing capability is provided for development environments.

The PWS is not supported for any other purpose.

For deployments of http-based applications, including REST, CSP, Zen, and SOAP over http or https, you should not use the private web server for any application other than the Management Portal; instead, you must install and deploy one of the supported web servers. For information, see the section “Supported Web Servers” in the online InterSystems Supported Platforms document for this release.

end quote.


1. InterSystems has tested the new settings related to these Microsoft changes (signing and channel binding) and seen that simple binds to Active Directory servers from InterSystems instances will fail if not using TLS.  Enforcement of these settings is up to Microsoft and subject to change by them, so knowing how and when such changes might be made without manual intervention would be a question best addressed to Microsoft.

2. Regarding your particular setup, a CA file should be able to contain multiple CA certificates.  I’ve tested putting the right CA certificate for the server I was connecting to after a different CA certificate in the file and found that the connection still worked, so it appears capable of going through more than one.

What might be a concern is that hostname checking is done by the LDAP connection, so the subject name for the certificate the server presents needs to match the hostname the client is configured to connect to.  If your three different AD machines have three different certificates (which would be the case if they were signed by three different CAs), then you might want to check that the subject names for the certificates all match the actual configured hostname in the LDAP configuration on the instance.  I’m fairly certain that a match for the subject alternative name extension for the certificate (instead of the subject name field itself) would suffice, but I have not tested it.

If you’d like to explore this in more depth, we encourage you to open a WRC case.
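To make the two points above concrete (a CA file holding several PEM certificates, and the hostname configured for the LDAP connection having to match the name in the server's certificate), here is an added Python example that is not part of the original post or of InterSystems' LDAP client. It assumes standard RFC 6125-style matching (DNS subjectAltName entries preferred, commonName only as a fallback) and uses constructed sample data, not real certificates.

```python
import re

# Constructed sample: a CA file holding two PEM certificates (the bodies are
# placeholders, not real certificates); one file may carry several CAs.
SAMPLE_CA_BUNDLE = """-----BEGIN CERTIFICATE-----
MIIBplaceholderCA1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBplaceholderCA2
-----END CERTIFICATE-----
"""

# Constructed peer certificates for three AD servers, in the dict shape that
# ssl.SSLSocket.getpeercert() returns, keyed by the hostname configured on the client.
DC_CERTS = {
    "dc1.example.com": {"subject": ((("commonName", "dc1.example.com"),),),
                        "subjectAltName": (("DNS", "dc1.example.com"), ("DNS", "ldap.example.com"))},
    "dc2.example.com": {"subject": ((("commonName", "*.example.com"),),)},      # CN only, wildcard
    "dc3.example.com": {"subject": ((("commonName", "dc3.corp.internal"),),)},  # does not name the host
}

PEM_CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def count_pem_certs(bundle_text):
    """Number of PEM certificate blocks found in a CA file."""
    return len(PEM_CERT_RE.findall(bundle_text))

def name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive; a wildcard is allowed only as the
    whole leftmost label and must cover exactly one label below a multi-label domain."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    host_labels = hostname.split(".")
    return len(host_labels) > 2 and ".".join(host_labels[1:]) == pattern[2:]

def hostname_matches(cert, hostname):
    """True if the configured hostname matches a DNS SAN, or the CN when no DNS SAN exists."""
    dns_sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_sans:
        return any(name_matches(s, hostname) for s in dns_sans)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(name_matches(c, hostname) for c in cns)

def mismatched_servers(certs_by_host):
    """Configured LDAP hostnames whose presented certificate does not name them."""
    return [host for host, cert in certs_by_host.items() if not hostname_matches(cert, host)]
```

Running `mismatched_servers(DC_CERTS)` flags only `dc3.example.com`, the server whose certificate would have to be reissued (or whose configured hostname corrected) before the TLS LDAP connection can succeed.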

Additionally, you may want to look at this series of posts about performance in general:

There are a lot of posts that cover quite a bit of ground, so it may be more than you bargained for, but performance issues are usually more complicated than we wish they were.

In particular, you want to read the first article on setting up and running pButtons (and the link on downloading the latest version of pButtons).  pButtons is a utility that captures various performance metrics at both the Cache and the host levels (including mgstat outputs like the ones asked for in other comments to this post); it is most useful when you have pButtons outputs from times of normal operation and from times of problem operation so they can be compared for differences.  If you're planning to open a WRC case, having pButtons from during the time of the problem and from during normal operation would be a definite plus.

Hello, Alexey!

CPUPct is the percentage of CPU used (in aggregate) by jobs of particular predetermined “types.”  These types include categories like “ECPWorker”, “ECPCliR”, “ECPCliW”, or other ECP categories as well as things like “WRTDMN”, “JRNDMN”, and various mirror related categories.

Since this information is not necessarily useful and since some false positive alerts were being thrown because of problems in calculating this value, tracking and alerts of CPUPct was actually removed starting in 2016.1 with dev change SAP2016, so the next time you upgrade, you shouldn’t see these particular alerts anymore.  If there really is a problem with processes using resources on your system, it will be evident in other ways and can be investigated using other tools.  If you are still seeing these alerts in later versions, please open a WRC case to report it.

Regards,

Jon Sue-Ho

(Comrade Sukhov)

It is a pretty good idea to run pButtons all the time.  That way you know you’ll have data for any acutely weird performance behavior during the time of the problem.

The documentation has an example of setting up a 24 hour pButtons to run every week at a specific time using Task Manager:

You can also just set the task to run every day rather than weekly.

If you're worried about space, the reports don't take up too much room, and (since they're fairly repetitive) they zip pretty well.