New post
AllAccepted answers
Scott Roth · Mar 2, 2022

I generated the Key and CSR from openssl on the Red Hat server. I sent the CSR to our server folks for them to generate the Cert. 

SSL/TLS configuration: %SuperServer
02/28/22-14:48:42:680 (770636) 0 [Generic.Event]
TLS enabled versions, minimum: 16, maximum: 32
02/28/22-14:48:42:680 (770636) 0 [Generic.Event]
Cipher list for TLSv1.2 and below: ALL:!aNULL:!eNULL:!EXP:!SSLv2
02/28/22-14:48:42:680 (770636) 0 [Generic.Event]
Ciphersuites for TLSv1.3: TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
02/28/22-14:48:42:680 (770636) 0 [Generic.Event]
Certificate file: /etc/pki/tls/certs/ssl_vd01.crt
02/28/22-14:48:42:680 (770636) 0 [Generic.Event]
Private key file: /etc/pki/tls/private/ssl_vd01.key
02/28/22-14:48:42:681 (770636) 0 [Generic.Event]
error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
02/28/22-14:48:42:681 (770636) 0 [Generic.Event]
error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error
02/28/22-14:48:42:681 (770636) 0 [Generic.Event]
error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error
02/28/22-14:48:42:681 (770636) 0 [Generic.Event]
error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib
02/28/22-14:48:42:681 (770636) 0 [Generic.Event]
error:140B3009:SSL routines:SSL_CTX_use_RSAPrivateKey_file:PEM lib
02/28/22-14:49:02:170 (770555) 0 [Utility.Event] REDEBUG: new netdebugflags FF
02/28/22-18:01:15:093 (759932) 1 [Utility.Event] [SYSTEM MONITOR] DBLatency(/ensemble/DEV/mgr/iristemp/) Warning: DBLatency = 2075.368 ( Warnvalue is 1000).
02/28/22-18:11:45:685 (759932) 0 [Utility.Event] [SYSTEM MONITOR] DBLatency(/ensemble/DEV/

So it sounds like the Key and CSR/Cert wasn't generated correctly.

Scott Roth · Feb 28, 2022

@Vic Sun 

Private key file: /etc/pki/tls/private/ssl_vd01.key
02/28/22-14:48:35:457 (770618) 0 [Generic.Event]
error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
02/28/22-14:48:35:457 (770618) 0 [Generic.Event]
error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error
02/28/22-14:48:35:457 (770618) 0 [Generic.Event]
error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error
02/28/22-14:48:35:457 (770618) 0 [Generic.Event]
error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib
02/28/22-14:48:35:457 (770618) 0 [Generic.Event]
error:140B3009:SSL routines:SSL_CTX_use_RSAPrivateKey_file:PEM lib
 

Did I miss something in the documentation that the private key needed to be pkcs12 format? This is the first time I have seen this requirement.

Scott Roth · Feb 28, 2022

I am also getting SSL/TLS error in SSL_connect(), SSL_ERROR_SYSCALL: I/O error (104) but this time it is in IRIS HealthShare HealthConnect 2021.2 on RedHat using Apache and the Web Gateway. As soon as I turn on the SSL/TLS within the server settings on the Gateway I am getting the error. But as soon as I switch it back to password I am able to get the "Test Server Connection" to work.

Scott Roth · Feb 28, 2022

I have tried what it suggested but now I am getting the following error and can not start apache...

[root@xxxxxxx conf.modules.d]# apachectl configtest
[Mon Feb 28 11:00:01.370361 2022] [so:warn] [pid 762836:tid 140580690286912] AH01574: module cgid_module is already loaded, skipping
AH00534: httpd: Configuration error: More than one MPM loaded.
[root@int-lxiris-vd01 conf.modules.d]#

I also have noticed as soon as I turned on SSL/TLS on the web gateway I start getting 

  • Server Unavailable

but as soon as I turn it off it works again. Is it truly secure at that point?

Scott Roth · Feb 22, 2022

We are also seeing a similar issue when the PDF is over 44 mb.

<foreach property='source.{ORCgrp(1).OBRgrp(1).OBXgrp()}' key='k1' >
<if condition='source.{ORCgrp(1).OBRgrp(1).OBXgrp(k1).OBX:ValueType}="ED"' >
<true>
<assign value='"1"' property='target.{ORCgrp(1).OBRgrp(1).OBXgrp(1).OBX:SetIDOBX}' action='set' />
<assign value='"ED"' property='target.{ORCgrp(1).OBRgrp(1).OBXgrp(1).OBX:ValueType}' action='set' />
<assign value='"7"' property='target.{ORCgrp(1).OBRgrp(1).OBXgrp(1).OBX:ObservationIdentifier.Identifier}' action='set' />
<assign value='"URL"' property='target.{ORCgrp(1).OBRgrp(1).OBXgrp(1).OBX:ObservationIdentifier.Text}' action='set' />
<assign value='"EXTLRR"' property='target.{ORCgrp(1).OBRgrp(1).OBXgrp(1).OBX:ObservationIdentifier.NameofCodingSystem}' action='set' />
<assign value='"1"' property='target.{ORCgrp(1).OBRgrp(1).OBXgrp(1).OBX:ObservationSubID}' action='set' />
<assign value='"PDF"' property='target.{ORCgrp(1).OBRgrp(1).OBXgrp(1).OBX:ObservationValue(1).Identifier}' action='set' />
<assign value='source.{ORCgrp(1).OBRgrp(1).OBXgrp(k1).OBX:ObservationValue(1).Text}' property='target.{ORCgrp(1).OBRgrp(1).OBXgrp(1).OBX:ObservationValue(1).Text}' action='set' />
<assign value='"PDF"' property='target.{ORCgrp(1).OBRgrp(1).OBXgrp(1).OBX:ObservationValue(1).NameofCodingSystem}' action='set' />
<assign value='"Base64"' property='target.{ORCgrp(1).OBRgrp(1).OBXgrp(1).OBX:ObservationValue(1).AlternateIdentifier}' action='set' />
<assign value='##class(%Stream.GlobalCharacter).%New()' property='tStream' action='set' />
<assign value='source.GetFieldStreamRaw(.tStream,"ORCgrp(1).OBRgrp(1).OBXgrp("_k1_").OBX:5.5",.tRemainder)' property='tSC' action='set' />
<assign value='target.StoreFieldStreamRaw(tStream,"ORCgrp(1).OBRgrp(1).OBXgrp("_1_").OBX:5.5",tRemainder)' property='tSC' action='set' />
<assign value='""' property='$P(tRemainder,"|",11)' action='set' disabled='1' />
<assign value='..replace(..ReplaceStr(target.{ORCgrp(1).OBRgrp(1).OBXgrp(1).OBX:ObservationValue()}),"VASC^IMAGE/PDF^BASE64^","PDF^^PDF^Base64^")' property='target.{ORCgrp(1).OBRgrp(1).OBXgrp(1).OBX:ObservationValue()}' action='set' disabled='1' />
</true>
</if>
</foreach>

Did anyone come up with solution to this issue?

Scott Roth · Feb 8, 2022

With upgrading to 2021.2 and moving to Red Hat servers we decided to pursue securing the management portal. I have read the documentation but I am still confused on how this should work. 

I have installed Apache and a standalone Web Gateway. Does this mean I need to stop the Private Web Gateway that was installed with  IRIS? How do I get calls to the Management Portal to go through the standalone Web Gateway? I am having issues trying to connect the parts.

Has anyone installed Apache and the standalone Web Gateway on the same server (Red Hat 8) that IRIS is running on? How did you configure it? 

Scott Roth · Oct 22, 2021

So how do you know which is best to use? Currently we are using EDI to ingest an XML file from WorkDay, but we are running into throughput issues, so I was thinking it might be related to the service. We take the ingested data and put it into a class file, using a BPL and DTL, that is executed using a stored procedure to insert the data into a MS SQL table. 

Scott Roth · Oct 21, 2021

I am confused so bare with me... We currently use EnsLib.EDI.XML.Service.FileService to read the data and send it to a BPL which we just insert the data elements into the parameters for the stored procedure call.  Are you saying we need to add another step in between? Is the SAX Parser only part of IRIS? We are still on Healthshare 2018.1.3 for the time being.

The documentation doesn't always give clear views on how it should be setup within the GUI. I tried looking for an example in ENSDEMO but did not see one. Do you have an example?

Scott Roth · Oct 21, 2021

I believe the bottleneck is in the BPL with the sheer quantity/format of records.

I have done several BPL's that take either flat file data, or HL7 messages and insert them into SQL tables using a JDBC Stored Procedure call. 

Looking over the Adapter you mention, how is that different than just inserting the data into a stored procedure to do the insert? It appears that you are creating the "Dynamic" SQL statement in the class file to be sent and executed. In the past I have tried making "Dynamic" SQL statements through a JDBC call and it slows the process down, because the SQL statement will have to be built in SQL before it executes. With Stored Procedures the SQL statement is already on the MS SQL database so it just needs to pass the variables, and doesn't have to add that extra step of validating, and building the SQL query before execution.

Scott Roth · Oct 4, 2021

I do something similar to what you are trying to do, I Decode the PDF, save the PDF locally, and return a path to the DTL.

Several on the developer community helped me figure this out...

ClassMethod DecodeBase64HL7ToFile(base64 As %Stream.GlobalBinary, Ancillary As %String, FileName As %String) As %String

{

    set ArchDir = "/ensemble/data/transfer/AncillaryPDF/"

    set ArchAncDir = ArchDir_Ancillary_"/"

    set FaxDateDir = ArchAncDir_$PIECE($ZDATE($HOROLOG,7)," ",1)_"-"_$PIECE($ZDATE($HOROLOG,7)," ",2)_"-1/"

    if '##class(%Library.File).DirectoryExists(ArchDir)

    {

        do ##class(%Library.File).CreateDirectory(ArchDir)

    }

    if '##class(%Library.File).DirectoryExists(ArchAncDir)

    {

        do ##class(%Library.File).CreateDirectory(ArchAncDir)

    }

    if '##class(%Library.File).DirectoryExists(FaxDateDir)

    {

        do ##class(%Library.File).CreateDirectory(FaxDateDir)

    }

    

    

    set Oref = ##class(%FileBinaryStream).%New()

    ///$$$LOGINFO(FaxDateDir_FileName)

    set Oref.Filename = FaxDateDir_FileName

    Do base64.Rewind()

    While 'base64.AtEnd {

        set ln = base64.ReadLine()

        set lnDecoded = $system.Encryption.Base64Decode(ln)

        do Oref.Write(lnDecoded)

    }

    Do Oref.%Save()

    set PDFFilePath = FaxDateDir_FileName

    return PDFFilePath

}