In case your back-end logic is not too complex, I would suggest migrating your back-end code to some other technology (we have great experience with node.js), and using Caché just as a datastore, not as a rendering engine. You have a variety of options for connecting to Caché (REST, RabbitMQ, etc.).

Then your license units will limit just the number of concurrent datastore connections, not the total number of connected clients.

In case you choose some popular language (node.js), this has an added benefit that you can draw from the wealth of libraries the node.js ecosystem provides. No more re-inventing the wheel in Caché.

You mention rendering HTML on the backend -- there are about a gazillion JavaScript templating libraries out there. Also, you get to work in a more modern language than COS, and, possibly, with more mature development tools.

That is just how I would do things after working with Caché for four years. Sorry InterSystems. On the other hand, I still think the database is blazing fast :)

Thanks Dimitry, for your response.

We have our own PKI deployed and configured so trust chain issues are not a problem for us.

Our problem is somewhat different.

Currently, we have (in our httpd.conf) a Redirect directive on all incoming HTTP traffic on port 57772 to HTTPS on a different port, but this setup breaks add-ins functionality. The SOAP wizard in particular, which we need to use quite frequently, always executes in the context of the %SYS namespace when SSL is enabled (see attached screenshot).

We always need to temporarily disable SSL to use this wizard, but this is a hassle and, also, I guess that SSL usage should be seamless to the developer when configured correctly, so I suspect we might be doing something the wrong way.

With profound apologies, I feel the compulsion to add a "don't do that" comment.

Use UUIDs instead of database IDs.

Why? The reason is quite simple: With database IDs, you do not have an ID until after the object is saved into the database. Are you sure you won't need an ID before saving the object, ever? Also, saving the object just to get an ID is bad practice IMO, as it possibly encourages mixing of database layer logic with other layers.

Also, with UUIDs, implementing your desired functionality will become trivial. Just implement GetObjectByUUID using ..%ClassName() in the base class.

I cannot stress the importance of network effect enough.

Recently, we have been implementing microservices written in node.js around our central Caché database and, in my experience, chances are that for all but the most obscure use cases, a library solving your particular problem exists. Features that would take days to implement in COS from scratch are generally solved with one or two API calls.

I would not mind if it were statically typed, but I know there are lots of people who would prefer otherwise.

Anyway, I would like it to have some way of declaring strings like Ruby's heredoc and string interpolation, because my code is full of ""s, """"s and "_var_" (those all in combination decrease legibility significantly IMO).

    variable = <<-TERMINATOR
      Your free trial will expire in #{days_until_expiration} days.
      Please update your billing information.
    TERMINATOR

Also, lambdas and closures would be nice.

ISC advises against using %objlasterror in production code.

Citation from http://docs.intersystems.com/latest/csp/docbook/DocBook.UI.Page.cls?KEY=...

Using the %objlasterror error status variable
The Test class includes references to %objlasterror, which should be used as a debug resource only (for example, in development code that does not yet report errors properly), so that the underlying problem can be diagnosed and the offending code's error reporting can be corrected. It is appropriate for such code to kill %objlasterror whenever it uses an error status that is an expected condition and not a reportable error.

Greetings,

I dealt with the problem of securing the Portal on our Linux server a while ago, so I am pasting my notes on the necessary steps below. Hopefully, they will be of some use.

httpd for SSL-enabled Caché Management Portal

Download necessary tarballs:

    wget http://mirror.dkm.cz/apache//httpd/httpd-2.4.25.tar.gz
    wget http://apache.miloslavbrada.cz//apr/apr-util-1.5.4.tar.bz2
    wget http://mirror.hosting90.cz/apache//apr/apr-1.5.2.tar.gz

Extract

    tar xvvf ./httpd-2.4.25.tar.gz
    tar xvvf ./apr-util-1.5.4.tar.bz2
    tar xvvf ./apr-1.5.2.tar.gz

Copy the Apache Portable Runtime sources into the Apache srclib directory

    cp -r ./apr-1.5.2 ./httpd-2.4.25/srclib/apr
    cp -r ./apr-util-1.5.4 ./httpd-2.4.25/srclib/apr-util

Configure

    cd httpd-2.4.25
    ./configure --prefix=/cachesys/httpd --enable-ssl --enable-so --with-included-apr \
    --enable-mods-static="log_config mime alias unixd authz_core rewrite ssl" --without-gdbm \
    --without-ndbm --without-berkeley-db --with-expat=builtin --with-mpm=worker --disable-shared

Compile

    make

Kill the original httpd

    kill `cat /cachesys/httpd/logs/httpd.pid`

Backup the old httpd

    sudo mv /cachesys/httpd /cachesys/httpd.old

Install the new httpd

    sudo make install

Change /cachesys/httpd/conf/httpd.conf to look like this:

    ServerRoot "/cachesys/httpd"
    DocumentRoot "/cachesys/csp"

    CSPModulePath /cachesys/csp/bin/

    LoadModule csp_module_sa /cachesys/csp/bin/CSPa24.so

    User cacheusr
    Group cacheusr

    <Location />
        CSP On
        SetHandler csp-handler-sa
    </Location>

    ServerName localhost
    PidFile logs/httpd.pid
    TraceEnable off
    Timeout 300
    KeepAlive On
    MaxKeepAliveRequests 0
    KeepAliveTimeout 120

    UseCanonicalName Off

    <VirtualHost *:57772>
            Redirect "/" "https://your.server.name:57782/"
    </VirtualHost>

    <VirtualHost *:57782>
            SSLEngine On
            SSLCertificateFile  "/path/to/your/public.key"
            SSLCertificateKeyFile "/path/to/your/private.key"
            <Directory />
                Options MultiViews FollowSymLinks
                AllowOverride None
                Require all granted
                <FilesMatch "\.(log|ini|pid|exe|so)$">
                    Require all denied
                </FilesMatch>
            </Directory>
            <Location "/csp/bin/Systems/">
                SetHandler csp-handler-sa
            </Location>
            <Location "/csp/bin/RunTime/">
                SetHandler csp-handler-sa
            </Location>
            AddHandler csp-handler-sa csp cls cxw zen
    </VirtualHost>

    TypesConfig conf/mime.types
    HostnameLookups Off

    ErrorLog logs/error.log
    LogLevel error
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    #CustomLog logs/access.log common

    StartServers          1
    MinSpareThreads       5
    MaxSpareThreads      15
    ThreadLimit          25
    ThreadsPerChild       5
    MaxClients           25
    MaxRequestsPerChild 200

    ServerTokens Prod

    Listen 57772
    Listen 57782

Finally, launch the new httpd

    /cachesys/httpd/bin/httpd -d /cachesys/httpd -c "Listen 57772"

That's it.

IMO, SSL really should be on by default in 2017.

Jiri
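
As an added example (not part of the original post, and not InterSystems code): a small Python check for the layout used in the httpd.conf above, where the plaintext port only redirects to HTTPS and the TLS port carries the certificate directives. The function name `audit_httpd_conf` and the sample configuration text are constructed for illustration.

```python
import re

# Constructed sample in the shape of the two virtual hosts above (placeholder paths).
SAMPLE_CONF = '''
Listen 57772
Listen 57782
<VirtualHost *:57772>
    Redirect "/" "https://your.server.name:57782/"
</VirtualHost>
<VirtualHost *:57782>
    SSLEngine On
    SSLCertificateFile "/path/to/your/public.key"
    SSLCertificateKeyFile "/path/to/your/private.key"
    AddHandler csp-handler-sa csp cls cxw zen
</VirtualHost>
'''

def audit_httpd_conf(text):
    """Hypothetical helper: list findings for a redirect-to-HTTPS vhost layout."""
    findings, vhosts, top, current = [], {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+[^>]*:(\d+)\s*>", line, re.I)
        if opened:
            current = vhosts.setdefault(opened.group(1), [])
        elif line.lower().startswith("</virtualhost"):
            current = None
        else:
            # Store each directive as lower-cased tokens, per vhost or global.
            (top if current is None else current).append(line.lower().split())
    listen = {d[1].rsplit(":", 1)[-1] for d in top if d[0] == "listen" and len(d) > 1}
    for port, directives in vhosts.items():
        names = {d[0] for d in directives}
        tls = ["sslengine", "on"] in directives
        if port not in listen:
            findings.append(f"{port}: no matching Listen directive")
        if tls:
            for need in ("sslcertificatefile", "sslcertificatekeyfile"):
                if need not in names:
                    findings.append(f"{port}: SSLEngine On without {need}")
        else:
            to_https = any(d[0] == "redirect" and "https://" in d[-1] for d in directives)
            if not to_https:
                findings.append(f"{port}: plaintext vhost does not redirect to https")
            if names & {"sethandler", "addhandler"}:
                findings.append(f"{port}: plaintext vhost maps a content handler")
    return findings
```

Run it against the real file with `audit_httpd_conf(open("/cachesys/httpd/conf/httpd.conf").read())`; an empty list means the plaintext port serves nothing but the redirect.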