New post

#SSL

5

Secure Sockets Layer (SSL) is a standard security technology for establishing an encrypted link between a server and a client - typically a web server (website) and a browser, or a mail server and a mail client.

Learn more.

So I have a base string that I want to sign using RSA-SHA256. I have a .p12 file and passphrase to get the RSA Private key using NodeJS (pem.readPkcs12 library), which I don't know how to do that in intersystems as well. (would appreciate if you can include a solution for that too)

The main problem here is I am trying to sign a string and print the result to terminal, using the code below in a routine (.mac file).

0 2
0 665

Hi Team ,

Can I please check if anyone has encountered SOAP authentication error when trying to submit a certificate signing request or when trying to get certificate .

I configured a local CA server without SMTP configuration and I configured a local CA client. These steps worked okay.

Then I tried to Submit Certificate Signing Request to Certificate Authority server and I am getting the following error :

0 1
0 310

Hi all,

I am trying to use some process private variables (percent variables) in Triggers.

I am referring to values from $System.Process, like the ClientIPAddress and CSPSessionID.
These do to not contain values and I suspect it is bacause of scope. I also checked, and the %session variable is not available if the change originated from a CSP request.
I know that in triggers the scope of the variables are to be kept local, that is why NEW is to be used.

0 10
0 353

Hello Community,

when trying to send HS.FHIRServer.Interop.Request objects to an external FHIR server, I get errors: ERROR #6156: No match between server name '...' and SSL certificate values '...'. The reason is pretty clear, the problem is that we don't get correct certificates in time, but have some pressure to go live with the interface.

0 3
0 461

NB. Please be advised that PKI is not intended to produce certificates for secure production systems. You should make alternate arrangements to create certificates for your productions.
NB. PKI is deprecated as of IRIS 2024.1: documentation and announcement.

In this post, I am going to detail how to set up a mirror using SSL, including generating the certificates and keys via the Public Key Infrastructure built in to InterSystems IRIS Data Platform. I did a similar post in the past for Caché, so feel free to check that out here if you are not running InterSystems IRIS. Much like the original, the goal of this is to take you from new installations to a working mirror with SSL, including a primary, backup, and DR async member, along with a mirrored database. I will not go into security recommendations or restricting access to the files. This is meant to just simply get a mirror up and running. Example screenshots are taken on a 2018.1.1 version of IRIS, so yours may look slightly different.

8 3
4 1.6K
Article
· Aug 26, 2016 2m read
TLS v1.2 support in Caché

Question:

What version of Caché supports TLS v1.2?

Answer:

Caché 2015.2 announced support for TLS v1.1 and v1.2. In this version, the SSL/TLS configuration page provides checkboxes for TLS v1.1 and v1.2, which allows the versions to be configured individually. This allows sites to, for example, require TLS v1.2 only.

Additionally, some earlier versions of Caché provide undocumented support for TLS v1.1 and v1.2, specifically Caché 2014.1.3 and above and 2015.1, on Windows, Linux and Unix.

6 1
0 2.3K

I am not sure if this is the correct place for this question, but I am struggling to setup TLS security for our IRIS Management Portal and etc. through Apache and the Web Gateway. I have a couple of questions when it comes to the setup.

  • if I build a private key and certificate within Red Hat, does that certificate have to be on everyone's pc to connect to the Management Portal?
  • Can I use a self signed Certificate?
  • Can I use the existing CA on the server, or do I need to work with my Data Security team to get a Certificate?
0 1
0 523

I was wondering if there was a certain procedure or documentation on securing (Https://) the Web Portal into IRIS/Ensemble?

Currently we are using LDAP Delegated Authentication to access the Web Portal using LDAP. However as more and more emphasis is put on securing applications within networks, I can see Management/Security asking us to make sure that the web portal is more secure.

1 6
1 1K
Article
· Nov 23, 2021 4m read
Mutual TLS setup

Hi,

I recently needed to setup an SSL/TLS configuration in IRIS that supported mutual authentication (where the server IRIS is establish a connection to is verified, and, where IRIS is in turn verified by the remote host). After a bit of research and getting it done, I thought it worthwhile to just go over the process I went through in order to potential help others, and save you some time .

4 1
2 1K

Hi

We have ODBC 32bit Encryption working on our database with a SSLDEFs.ini file. However 64 bit ODBC Encryption will not work and give generic error, same error if the ini file is not there for 32BIT.

We have copied the ini file to the 64bit folder? Any ideas please?

thanks

0 2
0 325

I'm trying to implement an OAuth2 server, but I have som issues when trying to setup JWT under OAuth 2.0->Client.

I get the error message saying "No match between server name 'localhost' and SSL certificate values 'cache'". I have set up a SSL/TLS configuration as simple as possible without any certificate files. I'm accessing my server via HTTPS with an unsigned certificate.

Can anyone point me in the right direction on how to resolve the issue I'm encountering.

0 1
0 619

When using Studio, ODBC or a terminal connection to Caché or Ensemble, you may have wondered how to secure the connection. One option is to add TLS (aka SSL) to your connection. The Caché client applications - TELNET, ODBC and Studio - all understand how to add TLS to the connection. They just need to be configured to do it.

Configuring these clients is easier in 2015.1 and later. I'm going to be discussing this new method. If you're already using the old, legacy method, it will continue to work, but I would recommend you consider switching to the new one.

25 7
3 6K
Question
· May 14, 2021
SSLConfig with ECC

Hello everyone,
I can choose between RSA and DSA. ECC seems to be unsupported.
Is there any workarounds without using external binary like curl?

Best regards
RY

0 5
0 414

I have 2 instances of Cache, one of 2010 and the other 2016. On both I have created a SSL Configuration with same name.

When I connect to a SOAP Service Client from Cache 2010, I get the above error.

If I connect from Cache 2016, the connection get through.

How can get more details of the error in the Cache 2010 instance to be able to fix this issue.

I have enabled the SOAP Log and it does not give much of details.

Regards

Anil

1 6
0 5.6K

We are getting more and more request wondering if we could send/receive data via HTTPS to the outside world from within our Hospital Network. As you can imagine our Ensemble/Cache productions are not exposed to the DMZ or has access outside of the network. We only communicate with external vendors through a VPN, so communicating not using a VPN is rather new to us.

Currently there is a project to get rid of using Proxy, and instead of through a Load Balancer that can use rules to filter out traffic, which adds another layer of complexity.

1 3
0 270

Hi, a client have a installed enviroment with mirror activated, but when you test SSL on webservices you can get an error, not SSL access correctly from browser because certificate problem apparently with TLS Version, someone have a suggestion to reinstall SSL Certificates on mirrors ?

Chrome : something wrong, no details or diagnostic
Firefox : SSL_ERROR_HANDSHAKE_FAILURE_ALERT

We try simple regenerate Authority an regenerate all certificates, but not worked. Same results.

0 4
0 217

Hello Community,

I want to secure a SOAP Webservice (an EnsLib.SOAP.Service one, if that matters) adding a SSL/Username Policy to it. As im not sure how detailed my request here should get, ill try giving a detailed as-is description of my setup, what I've tried, how I tried to test the connection and what problems including some logs I ran into.

As a small foreword: I'm pretty new to the whole security aspect of intersystems and soap itself.

System:

1 3
0 750

OAuth server to be deployed on the IRIS learning cloud platform. Clients - one on the other instance of the learning IRIS server, the other client locally on my computer in the container docker.

Both clients get a seemingly correct link (through ##class(%SYS.OAuth2.Authorization).GetAuthorizationCodeEndpoint()) to the login request form:

1 3
1 934

This is more for my memory that anything else but I thought I'd share it because it often comes up in comments, but is not in the InterSystems documentation.

There is a wonderful utility called ^REDEBUG that increases the level of logging going into mgr\cconsole.log.

You activate it by

a) start terminal/login

b) zn "%SYS"

c) do ^REDEBUG

6 0
1 1.4K

Hello all,

Been doing Ensemble for a while but I am struggling with this SOAP set up.

Currently in Cloverleaf, we are taking the HL7 feed out of Epic, and then we put the SOAP wrapper around it. Then using a CAIR provided wsdl, we seem to be using a JKS file and a PFX file to send the data to CAIR (http://cairweb.org/next-steps-page/).

Here is what I have done so far: I used the SOAP wizard with the wsdl file to create a new Operation.

My questions are these:

0 2
0 415

Hello everyone smiley

I have a server configuration in a CSP Gateway installed on a PC (let's call it S2) different from the main one (let's call it S1). This configuration allows me to access a web application that is installed on S1, from a client C asking S2 for this webapp. But for now it works only in HTTP between C and S2, and we would like to use HTTPS (as it already works between S2 and S1).

1 8
0 2K