Securing IRIS Integrations with Mutual TLS (mTLS): A Practical Guide
In today’s enterprise environments, secure communication between systems is not optional—it’s essential. Whether you're integrating InterSystems IRIS with cloud APIs, internal microservices, or third-party platforms, Mutual TLS (mTLS) offers a powerful way to ensure both ends of the connection are authenticated and encrypted.
This post walks through how to configure IRIS for mTLS and how to validate your certificates to avoid common pitfalls.
🔐 What is Mutual TLS (mTLS)?
TLS (Transport Layer Security) is the standard protocol for securing data in transit. In traditional TLS, only the server presents a certificate. Mutual TLS goes a step further: both the client and server present certificates to authenticate each other.
This bidirectional trust is ideal for:
- Internal service-to-service communication
- API integrations with sensitive data
- Zero-trust architectures
🧰 Prerequisites
Before you begin, make sure you have:
- ✅ A server certificate and private key for IRIS
- ✅ A CA certificate to validate client certificates
- ✅ A client certificate and private key for the external system
- ✅ IRIS version 202X.X, which provides support for TLS 1.2 and higher
⚙️ Configuring IRIS for mTLS
1. IRIS as a Server (Accepting mTLS Connections)
🔸 Import Certificates
Use the System Management Portal or command line to import:
- Server certificate
- Server private key
- CA certificate (to validate clients)
🔸 Create TLS Configuration
Go to:
System Administration > Security > SSL/TLS Configurations
- Create a new configuration
- Enable “Require client certificate”
🔸 Assign TLS to Listener
Apply the TLS configuration to the relevant service (e.g., web server, REST endpoint).
2. IRIS as a Client (Connecting to External Systems)
This section also applies to external client systems connecting to IRIS servers.
🔸 Import Client Certificates
Import the client certificate and private key into IRIS.
🔸 Configure Outbound TLS
Use ObjectScript to set up the connection:
set http = ##class(%Net.HttpRequest).%New()
; name of the client SSL/TLS configuration that holds the client certificate and private key
set http.SSLConfiguration = "MyClientTLSConfig"
set http.Server = "api.external-system.com"
set http.Port = 443
set status = http.Get("/endpoint")
; a failed handshake or a rejected client certificate comes back as an error status
if $system.Status.IsError(status) { do $system.Status.DisplayError(status) } else { write "HTTP ", http.HttpResponse.StatusCode, ! }
🧪 Testing Your Certificates for mTLS
Before deploying, validate your certificates to ensure they meet mTLS requirements.
✅ 1. Check Certificate Validity
openssl x509 -in client.crt -noout -text
Look for:
- Validity dates
- Subject and Issuer fields
- Extended Key Usage (should include TLS Web Client Authentication, as shown below)
X509v3 Extended Key Usage:
    TLS Web Client Authentication
✅ 2. Verify Private Key Matches Certificate
openssl x509 -noout -modulus -in client.crt | openssl md5
openssl rsa -noout -modulus -in client.key | openssl md5
The hashes should match.
✅ 3. Test mTLS Handshake with OpenSSL
openssl s_client -connect server.example.com:443 -cert client.crt -key client.key -CAfile ca.crt
This simulates a full mTLS handshake. Look for:
- Verify return code: 0 (ok): successful certificate exchange
✅ 4. Validate Certificate Chain
openssl verify -CAfile ca.crt client.crt
Ensures the client certificate is trusted by the CA.
📊 mTLS Handshake Diagram

🧯 Troubleshooting Tips
- 🔍 Certificate chain incomplete? Ensure intermediate certs are included.
- 🔍 CN/SAN mismatch? Match certificate fields with expected hostnames.
- 🔍 Permission errors? Check file access rights on certs and keys.
- 🔍 Handshake failures? Enable verbose logging in IRIS and OpenSSL.
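The four certificate checks above and the "certificate chain incomplete" tip can be scripted so they run the same way before every deployment. The script below is an added example, not code from the original post or from InterSystems: it builds a throwaway PKI with OpenSSL (a constructed root CA, an intermediate CA and a client certificate named iris-client, all hypothetical), wraps the checks in shell functions, and deliberately includes two failing cases, a key that does not belong to the certificate and a chain verification that is missing its intermediate. It assumes the openssl command line tool is installed and goes beyond the post by issuing the client certificate from an intermediate CA rather than directly from the root.

```shell
#!/bin/sh
# Added example (not from the original post): builds a constructed test PKI with
# OpenSSL and runs the certificate checks from the post as reusable functions.
set -eu

# Create a root CA, an intermediate CA and a client certificate under $1.
# The client certificate is issued by the intermediate, so a verify that
# only knows the root fails until the intermediate is supplied.
make_test_pki() {
    dir=$1
    # Root CA (self-signed); the subject names are constructed for this demo
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Root CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # Intermediate CA, signed by the root, marked as a CA able to sign certificates
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/int_ext.cnf"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/int.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/int_ext.cnf" -out "$dir/int.crt" 2>/dev/null
    # Client certificate carrying the clientAuth EKU that mTLS requires
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$dir/client_ext.cnf"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=iris-client" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/client.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
        -CAcreateserial -extfile "$dir/client_ext.cnf" -out "$dir/client.crt" 2>/dev/null
}

# Check 1: the certificate carries the TLS Web Client Authentication EKU.
check_client_eku() {
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Client Authentication'
}

# Check 2: the private key belongs to the certificate (same RSA modulus hash).
check_key_matches() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1" | openssl md5)
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null | openssl md5)
    [ "$cert_mod" = "$key_mod" ]
}

# Check 4: the certificate chains to the CA file. An optional third argument
# supplies the intermediate certificate(s), as the troubleshooting tip advises.
check_chain() {
    if [ "$#" -ge 3 ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# Demo run against the constructed PKI in a temporary directory
PKI=$(mktemp -d)
trap 'rm -rf "$PKI"' EXIT
make_test_pki "$PKI"

report() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fi; }
report check_client_eku "$PKI/client.crt"
report check_key_matches "$PKI/client.crt" "$PKI/client.key"
report check_key_matches "$PKI/client.crt" "$PKI/int.key"      # wrong key: expected FAIL
report check_chain "$PKI/ca.crt" "$PKI/client.crt"             # intermediate missing: expected FAIL
report check_chain "$PKI/ca.crt" "$PKI/client.crt" "$PKI/int.crt"
```

Check 3, the live handshake with openssl s_client, is left to the command shown earlier because it needs a running server. When reading that command's output, keep in mind that "Verify return code" reports how the client judged the server's certificate chain; the server's acceptance of the client certificate shows up as the handshake completing and application data flowing, not in that line. The modulus comparison in check 2 works only for RSA keys; for EC keys compare the public key instead (openssl x509 -pubkey against openssl pkey -pubout).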
✅ Conclusion
Mutual TLS is a cornerstone of secure system integration. With IRIS, configuring mTLS is straightforward, but validating your certificates is just as important. By following these steps, you'll ensure your connections are encrypted, mutually authenticated, and ready for enterprise use.