I guess it depends a little on what you mean by integrate.  I know of a customer that has an application on Dynamics and uses Ensemble to integrate with some back end systems.  Dynamics itself is very much tied it's data model.  If you want to call out to another system for data to use in Dynamics, I think you'll want to look into best practices from Microsoft.   But as a messaging platform, Ensemble should support most integration needs well.  If you have a specific protocol or standard in mind you might verify that it is available in the adapters that ship with Ensemble.

I'm not at all familiar with this eCQM package, but I don't see any reason it wouldn't work on IRIS.  Just import the code.  The system interaction and device handling is where you would be most likely to encounter issues.  The VistA Kernel encapsulates these and so insulates application code from those details.  You may not encounter issues with Kernel but if you do, solving them would require an advanced level of VistA skills.  I think the easiest/fastest path would be to just load it up and see what breaks.  It may be that you can get your work done without any issues.

Hello,

There are several alternatives described in the standard.  Check out section 4.3 and section 5 at this link http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html

I have seen an implementation of SSO where the information that would be in a SAML token is passed in http headers.  This implementation used delegated authentication to sign in the user based on these http headers.  This link is to documentation for delegated authentication https://docs.intersystems.com/latest/csp/docbook/DocBook.UI.Page.cls?KEY=GCAS_delegated

You might also consider using OAuth if you are using a REST interface.  https://docs.intersystems.com/latest/csp/docbook/DocBook.UI.Page.cls?KEY=GOAUTH

#

SSL Demo Configuration for Apache Haus Distribution

FileName: conf/extras/mod_ahssl.conf

#

This is the Apache server configuration file providing SNI support.

It contains the configuration directives to instruct the server how to

serve pages over an https connection. For detailed information about these

directives see <URL:http://httpd.apache.org/docs/2.4/mod/mod_ssl.html>

Do NOT simply read the instructions in here without understanding

what they do. They're here only as hints or reminders. If you are unsure

consult the online docs. You have been warned.

#

Required modules: mod_log_config, mod_setenvif, mod_ssl,

socache_shmcb_module (for default value of SSLSessionCache)

Listen 443 https

#

SSL Global Context

#

All SSL configuration in this context applies both to

the main server and all SSL-enabled virtual hosts.

#

SSL Protocols:

List the protocols that the client is permitted to negotiate.

See the mod_ssl documentation for a complete list.

SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2

SSL Cipher Suite:

List the ciphers that the client is permitted to negotiate.

See the mod_ssl documentation for a complete list.

SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!RC4:!LOW:!MD5:!aNULL:!eNULL:!3DES:!EXP:!PSK:!SRP:!DSS

SSL Honer Cipher Suite Order:

Forces the order of allowed cipher suites to the order above.

See the mod_ssl documentation for a complete list.

SSLHonorCipherOrder On

Pass Phrase Dialog:

Configure the pass phrase gathering process.

The filtering dialog program (`builtin' is a internal

terminal dialog) has to provide the pass phrase on stdout.

SSLPassPhraseDialog builtin

Inter-Process Session Cache:

Configure the SSL Session Cache: First the mechanism

to use and second the expiring timeout (in seconds).

SSLSessionCache "dbm:${SRVROOT}/logs/ssl_scache"

SSLSessionCache "shmcb:${SRVROOT}/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300

#

Some MIME-types for downloading Certificates and CRLs

#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

SSL Engine Options:

Set various options for the SSL engine.

o FakeBasicAuth:

Translate the client X.509 into a Basic Authorisation. This means that

the standard Auth/DBMAuth methods can be used for access control. The

user name is the `one line' version of the client's X.509 certificate.

Note that no password is obtained from the user. Every entry in the user

file needs this password: `xxj31ZMTZzkVA'.

o ExportCertData:

This exports two additional environment variables: SSL_CLIENT_CERT and

SSL_SERVER_CERT. These contain the PEM-encoded certificates of the

server (always existing) and the client (only existing when client

authentication is used). This can be used to import the certificates

into CGI scripts.

o StdEnvVars:

This exports the standard SSL/TLS related `SSL_*' environment variables.

Per default this exportation is switched off for performance reasons,

because the extraction step is an expensive operation and is usually

useless for serving static content. So one usually enables the

exportation for CGI and SSI requests only.

o StrictRequire:

This denies access when "SSLRequireSSL" or "SSLRequire" applied even

under a "Satisfy any" situation, i.e. when it applies access is denied

and no other module can change it.

o OptRenegotiate:

This enables optimized SSL connection renegotiation handling when SSL

directives are used in per-directory context.

SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

SSLOptions +StdEnvVars


SSLOptions +StdEnvVars

SSL Protocol Adjustments:

The safe and default but still SSL/TLS standard compliant shutdown

approach is that mod_ssl sends the close notify alert but doesn't wait for

the close notify alert from client. When you need a different shutdown

approach you can use one of the following variables:

o ssl-unclean-shutdown:

This forces an unclean shutdown when the connection is closed, i.e. no

SSL close notify alert is sent or allowed to be received. This violates

the SSL/TLS standard but is needed for some brain-dead browsers. Use

this when you receive I/O errors because of the standard approach where

mod_ssl sends the close notify alert.

o ssl-accurate-shutdown:

This forces an accurate shutdown when the connection is closed, i.e. a

SSL close notify alert is send and mod_ssl waits for the close notify

alert of the client. This is 100% SSL/TLS standard compliant, but in

practice often causes hanging connections with brain-dead browsers. Use

this only for browsers where you know that their SSL implementation

works correctly.

Notice: Most problems of broken clients are also related to the HTTP

keep-alive facility, so you usually additionally want to disable

keep-alive for those clients, too. Use variable "nokeepalive" for this.

Similarly, one has to force some clients to use HTTP/1.0 to workaround

their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and

"force-response-1.0" for this.

BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

Per-Server Logging:

The home of a custom SSL log file. Use this when you want a

compact non-error SSL logfile on a virtual host basis.

CustomLog "${SRVROOT}/logs/ssl_request.log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" env=HTTPS

#

SSL Virtual Host Context

#

SSLEngine on
ServerName localhost:443
#SSLCertificateFile "${SRVROOT}/conf/ssl/server.crt"
#SSLCertificateKeyFile "${SRVROOT}/conf/ssl/server.key"
SSLCertificateFile "E:/certs/USVMDEMO-GS-Web.cer"
SSLCertificateKeyFile "E:/certs/USVMDEMO-GS-Web.key"
SSLCACertificatePath "E:/certs"
SSLCACertificateFile "E:/certs/ISCDemoCA.cer"
DocumentRoot "${SRVROOT}/htdocs"

DocumentRoot access handled globally in httpd.conf

CustomLog "${SRVROOT}/logs/ssl_request.log" \
      "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
<Directory "${SRVROOT}/htdocs">
    Options Indexes Includes FollowSymLinks
    AllowOverride AuthConfig Limit FileInfo
Require all granted
</Directory>

SSLEngine on

ServerName localhost:443

SSLCertificateFile "${SRVROOT}/conf/ssl/server.crt"

SSLCertificateKeyFile "${SRVROOT}/conf/ssl/server.key"

DocumentRoot "${SRVROOT}/htdocs"

DocumentRoot access handled globally in httpd.conf

CustomLog "${SRVROOT}/logs/ssl_request.log" \

"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

Options Indexes Includes FollowSymLinks

AllowOverride AuthConfig Limit FileInfo

Require all granted

SSLEngine on

ServerName serverone.tld:443

SSLCertificateFile "${SRVROOT}/conf/ssl/serverone.crt"

SSLCertificateKeyFile "${SRVROOT}/conf/ssl/serverone.key"

DocumentRoot "${SRVROOT}/htdocs"

CustomLog "${SRVROOT}/logs/ssl_request.log" \

"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

Options Indexes Includes FollowSymLinks

AllowOverride AuthConfig Limit FileInfo

Require all granted

SSLEngine on

ServerName servertwo.tld:443

SSLCertificateFile "${SRVROOT}/conf/ssl/servertwo.crt"

SSLCertificateKeyFile "${SRVROOT}/conf/ssl/servertwo.key"

DocumentRoot "${SRVROOT}/htdocs"

CustomLog "${SRVROOT}/logs/ssl_request.log" \

"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

Options Indexes Includes FollowSymLinks

AllowOverride AuthConfig Limit FileInfo

Require all granted

End SNI Demonstration Config

There are many ways to setup apache, and what works for your situation may vary.  My used a single instance of HealthShare, and two SMART applications that were hosted locally and served via CSP applications defined on my HealthShare instance.  I was running on Windows.

I used binaries from ApacheHaus,

Download here - https://www.apachehaus.com/cgi-bin/download.plx .

Unzip and read the readme. 

Download the c++ runtime https://www.microsoft.com/en-us/download/details.aspx?id=49984.

Install, restart

Test apache installation http://localhost

Generate certificates.  I did this from HealthShare, but you can do it with openSSL, or other tools.

Configure the httpd.conf – change the server root, load the CSP modules, define the csp alias, create location entries, and create directory entries.  I’ll attach the conf file I used.

Configure the httpd-ahssl.conf – load webserver cert and key, and CA cert.  I’ll attached the file I used.

Configure CSP.ini to connect to HealthShare instance, need to make sure superserver port is correct, and username and password for the CSPService.  I just pasted in the encoded string from CSP.ini from the private webserver configuration

Run apache as a service. From bin directory in Apache:  httpd.exe -k install [-n “ServiceName”]

 I recommend starting without SSL, so comment out the #include of httpd-ahssl.conf in the httpd.conf file. Test, then put the SSL back in and test.

For the SMART apps:

I setup /csp applications one for each application.  You may want to do something different depending on your situation and the applications you are using.

Test that the web server routes to the apps.

You do need to have the common name in the cert match the host name.

My demo used SMART applications that I downloaded from SMARTHealthIT.org.  I created csp application definitions to launch the SMART apps I had downloaded.

I guess Cache could fill a few different roles in back end services.  I'll get back to you on that.