Without seeing the entire method it is hard to tell.  Accepting that you have proven that the data is being retrieved, I would look for issues with how it is being passed on.  The GetMasterOPDataExecute method of a custom query only does setup for the query: tasks such as initialization or defining a SQL cursor (if that is what you are using).

The GetMasterOPDataFetch method is what will return rows of data.  If this value is needed at that point you should include it in any information provided in the qHandle parameter.

In case you are not familiar with this I am including a link to the documentation for custom class queries.

Defining Custom Class Queries

You can try signing out of the account.  Then you would have to go through the sign-in process again.  Look for the Accounts icon in the lower left corner of VCS. 


Click it and find the namespace you are logging into in the list.  Click the arrow to the right of the name and sign out.

If you have a folder associated with a namespace that is still blocking you this folder should appear in the Explorer window on the left side of VCS.  Right click the top level of the folder and find the "Remove Folder from Workspace" option.  It should be in the middle of the menu.  That will remove it from your workspace and allow you to switch.

There are two thoughts I have on this example:

  • The use of %All is a very bad idea.  This gives the maximum permissions to the connection.  Having just attended a seminar on penetration testing it is frightening how small gaps in security can be exploited to compromise a system.  Better to identify the specific resources  and roles needed for this action to complete and give only those.
  • Authentication is only taking place after the connection has "breached the castle walls".  The code is already running inside your environment and with %All privileges.

Your utility methods are fine.  However I would implement them using Delegated Authentication.  This feature of IRIS allows you to provide your own code to do authentication.  The difference is that it executes as part of the normal authentication process.  The connection has not yet gained access to the environment and will not gain access if authentication is not passed.  Any failure or attempted breach of the code causes an "Access Denied" message to be returned and the connection terminated.  It is also possible to use this in combination with other authentication methods so this only needs to be used on REST services where it is needed.  This would also remove the need to add any special permissions like %All to the Web Application definition.  Here is the documentation for this.

Delegated Authentication

Whether or not to use the Adapter over an instantiation of the %Net.HttpRequest is a matter of your needs really.  The adapter seeks to make things "simpler" in some way.  However if you need greater control over the process and response using the HttpRequest directly is also a reasonable direction.  I have done both depending on my needs.

Glad it is working for you in a manner that is maintainable.  That is what is important.

First I have had success just leaving the GetCredentials out, but you are correct in that the documentation says you should have this.  Change your GetCredentials code to be just

    return $$$GetCredentialsFailed

This will cause the process to revert to normal username and password prompting.   You only need to implement GetCredentials code if you are pulling the username and password from somewhere else such as taking the authentication header out of a REST call.

Link to the docs   https://docs.intersystems.com/irislatest/csp/docbook/DocBook.UI.Page.cls?KEY=GAUTHN_delegated#GAUTHN_delegated_zauthgetcreds

Sorry if I am a bit late to the discussion.  Let me address your issues in order

  • This is not necessarily a problem, but I noticed that the method SendPostRequest is executed again from start to finish for each reply, reinitializing all variables as if it were the first execution, except for the RetryCount variable, which indicates the current resend count.
    • This is expected behavior.  Messages are handled as a specific unit of work (atomic).  When a message errors and is going to retry it is basically put back on the queue to process.  When the retry occurs it is treated as a new message with the exception, as you noted, of the retry count. 
  • Setting Retry = 0 prevents message resending, even with active Reply Code Actions (e.g., E=R).
    • Also expected.  With this configuration the reply action code may be set to retry, but this setting is indicating that no (0) retries are to be attempted.
  • The timeouts are not respected. Instead, the message is resent every 30 seconds instead of 18 (I also tried other Response Timeout values like 20 or 35 seconds, but nothing changes). The Retry Interval is not respected either; the resending is attempted a number of times equal to FailureTimeout/30 instead of FailureTimeout/RetryInterval, as written in the documentation.
    • This seems to be the main issue.  The ResponseTimeout is a property of the Adapter. The default value of this setting is 30 which is what you are seeing.  It appears that you have a custom Business Operation here that is using the EnsLib.HTTP.OutboundAdapter and that you assign this adapter in code rather than using the ADAPTER parameter.  When you initialize this you should assign the reference to the Adapter property of the Business Operation.  Then when you want to set the response timeout in code you would update the property of the Adapter. I would highly recommend using the ADAPTER parameter unless you need to dynamically change the adapter at runtime.  If done in code at runtime you need to be sure that everything is initialized properly.
  • After the Failure Timeout expires, an error is generated even if one or more responses have been received. Despite the responses arriving, the BO does not detect them and generates the error: "ERROR 5922: Timed out waiting for response". The message continues to be resent until the Failure Timeout expires, and finally the "ERROR <Ens>ErrFailureTimeout: FailureTimeout of 90 seconds exceeded in lombardia.OMR.BO.Sender; status from last attempt was OK".
    • What is being reported here is the last known status of the operation.  In this case that is the error indicated.  There is a difference between a reply and a response.  The Visual trace is indicating that the operation received a reply.  This reply was an error.  The 'Response' is what is received from the Web Server.  This never arrived, hence the error.  Business Operations will always receive a reply of some kind.  This reply may indicate an error, as in this case, or success.

If you continue to have issues I would encourage you to reach out to the Worldwide Response Center (WRC) for support.  Additionally you could contact your assigned Sales Engineer.


Rich Taylor


Well, the short answer is that you don't.  Solutions like Health Connect/IRIS for Health/Ensemble work autonomously.  There is no one sitting there to respond to the MFA Request.

The way that this is normally handled is by requesting from the MFA provider something referred to by several names.   For example in GitLab you go to your profile and request an "Access Token".  In Gmail you would go to security and get an "App Password".

The SFTP server administrator would likely have to provide this to you.

Usually these are set up specifically for your application, even specific to the operation if you want.  What this provides is a token that you would use as the password on the authentication.

Hope this helps.


Rich Taylor


That does present a problem.  At this time I don't believe we have a function for function replacement for that %ZEN.Auxiliary class.  There are issues with how that object to JSON mapping was done that could result in exceedingly large blocks of JSON.  I would encourage you to raise this issue with your Sales Engineer who would be in a good position to present a feature request in the proper context to Product Development.

In the meantime, I can suggest a couple of ways to deal with this.   

  1. Create a wrapper class for these messages.  This wrapper would inherit from the SOAP message class and %JSON.Adaptor.  Now you should be able to use the methods to convert to JSON.  The downside of this is that you may need to create a number of these wrapper classes if the SOAP API is extensive.
  2. The "natural" form of SOAP is XML.  You could create or look for an XML to JSON conversion utility.  This could be done utilizing our Embedded Python capability.  There are techniques and Python libraries that could do this conversion.  One such technique can be found here:  https://www.geeksforgeeks.org/python-xml-to-json/.

To use Python Libraries in ObjectScript you import the Python libraries and then just call the methods.  Here is a small example of using the Python standard 'os' library.

    set pyPaths = $System.Python.Import("os.path")

If you wish to try option 2 here is a documentation link to help you get started.

Introduction to Embedded Python
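A sketch of option 2, added here as an example and not part of the original reply or of any InterSystems library: a standard-library Python converter that turns the contents of a SOAP Body into JSON, refusing oversized input and any DTD before parsing. The sample message, the `MAX_BYTES` cap, the `@`/`#text` key convention and all function names are assumptions made for illustration.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample SOAP response; element names are illustrative only.
SAMPLE_SOAP = b"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetPatientResponse xmlns="http://example.org/demo">
      <Patient id="42">
        <Name>Jane Doe</Name>
        <Allergy>Penicillin</Allergy>
        <Allergy>Latex</Allergy>
      </Patient>
    </GetPatientResponse>
  </soap:Body>
</soap:Envelope>"""
MAX_BYTES = 1_000_000  # assumed size cap; tune to your largest legitimate message

def _local(name):
    """Strip the '{namespace}' prefix ElementTree adds to names."""
    return name.rsplit("}", 1)[-1]

def _to_obj(elem):
    """Element -> str (leaf) or dict; repeated children become lists."""
    if len(elem) == 0 and not elem.attrib:
        return (elem.text or "").strip()
    node = {"@" + _local(k): v for k, v in elem.attrib.items()}
    for child in elem:
        key, value = _local(child.tag), _to_obj(child)
        if key not in node:
            node[key] = value
        elif isinstance(node[key], list):
            node[key].append(value)
        else:
            node[key] = [node[key], value]
    if (elem.text or "").strip():
        node["#text"] = elem.text.strip()
    return node

def soap_body_to_json(xml_bytes):
    if len(xml_bytes) > MAX_BYTES:
        raise ValueError("message larger than MAX_BYTES")
    # SOAP 1.1 forbids a DTD, so refuse one before the parser sees it
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD not allowed in a SOAP message")
    root = ET.fromstring(xml_bytes)
    body = next((e for e in root if _local(e.tag) == "Body"), None)
    if body is None:
        raise ValueError("no SOAP Body element")
    return json.dumps({_local(c.tag): _to_obj(c) for c in body})
```

Saved as a module on the Python path, it can be loaded from ObjectScript with the same `$System.Python.Import` call shown above.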

This error is coming out of IRIS rather than the OS.  To determine what is happening would require knowing the authentication method you are using and the IRIS user you are attempting to log in as.  At first glance I would believe that your organization is in the process of tightening security.  If this worked before and does not work now then the IRIS permissions that control access to Terminal have been removed from your user.   I would discuss this with your system administrators to determine what has changed and have access restored if that is in keeping with policy.

Due to this involving aspects of your security, if you need further assistance I would encourage you to contact InterSystems support rather than share details here.  The contact numbers are:

+1-617-621-0700 (US)

+44 (0) 844 854 2917 (UK)

0800615658 (NZ Toll Free)

1800 628 181 (Aus Toll Free)

You could also use a regular expression with the %Regex.Matcher class

    set regex = ##Class(%Regex.Matcher).%New("(\w)*")

The "\w" refers to any word character (including alphabetic, numeric, and connecting characters).  This is wrapped in a grouping expression '()' and finally the * says to match 0 or more occurrences.

You can then examine the GroupCount and Group multidimensional properties to see the results.

As someone else indicated applications will normally have a configuration page for the driver.  

In dBeaver for example when you setup a connection there is a "Driver Settings" button 

Clicking on this will allow you to configure a JDBC driver for connecting.  To start you would go to the libraries tab and point at the InterSystems JDBC jar file as shown below.  Your path would look something like c:/InterSystemsJDBC/intersystems-jdbc-3.2.0.jar (your folder may be different).

Finally on the Settings tab you would indicate the class name and other connection settings

If you are trying to connect programmatically you can use whatever library you wish and provide the same type of information.  Here is an example in Python using the JayDeBeApi library.

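    import jaydebeapi
    import credentials  # local module holding MyCreds, kept out of source control

    # Raw string so the backslashes in the Windows path are not read as escapes
    IRIS_JARFILE = r"c:\JDBCdrivers\intersystems-jdbc-3.2.0.jar"
    IRIS_DRIVER = "com.intersystems.jdbc.IRISDriver"
    # Placeholder URL: substitute your own host, superserver port and namespace
    IRIS_URL = "jdbc:IRIS://localhost:1972/USER"

    # Database settings - this should be in a config file somewhere
    # credentials.MyCreds = ["username","password"]
    dbConn = jaydebeapi.connect(IRIS_DRIVER, IRIS_URL,
      credentials.MyCreds, IRIS_JARFILE)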

You can also use the iris.system object in python. 

iris.system.Version.GetVersion() returns the full version ($ZV)

IRIS for UNIX (Ubuntu Server LTS for x86-64 Containers) 2022.2 (Build 356U) Thu Oct 6 2022 22:56:28 EDT

There are other methods here to call too, such as GetMajor() which would return '2022' and GetPlatform() which returns 'Ubuntu Server LTS for x86-64 Containers'.

do dir(iris.system.Version) at the python shell to see them all.

Careful with the 'objectscript.export' folder setting.  This needs to match where, under the root of your VScode project, your source lives.  For example my settings are:

        "folder": "iris/image/iris_src/dev",
        "addCategory": true,

So under my VScode project folder I have the path indicated in Folder.  This is how my git repository is setup.  Now my 'addCategory' is also true.  Therefore under that /dev folder I have sub-folders for 'cls' and 'rtn'.  All my classes should be under the 'cls' folder and any routines are under 'rtn'.  There are other sub folder too for other elements, but you should get the idea.

To add to the puzzle there is also the setting "objectscript.export.atelier".  With this setting true the plug in expects each package and sub-package to be a separate directory.  So if I have a class Example.code.test what you will end up with is a path, given my setup above, under vs code that looks like this.


If the file whose definition you are trying to get to is not in the right place it will open it in read-only mode from the server when using Client-side editing.