Hello,I am currently facing the task of retrieving or sending HL7 messages from a web API. Since we only send HL7 messages via internal sockets, web APIs are relatively new to me.The following is my plan for the new interface:I have created a new custom business service that periodically sends requests to a business process. In this business process, the HTTP request (HTTP.GenericMessage) is then created from scratch. The special feature is the "Authorisation" header field, where a signature is inserted, which consists of a base64-encoded hash value. The request is then sent to the API via a

What is TLS?

TLS, the successor to SSL, stands for Transport Layer Security and provides security (i.e. encryption and authentication) over a TCP/IP connection. If you have ever noticed the "s" on "https" URLs, you have recognized an HTTP connection "secured" by SSL/TLS. In the past, only login/authorization pages on the web would use TLS, but in today's hostile internet environment, best practice indicates that we should secure all connections with TLS.

Why use TLS?

Securing IRIS Integrations with Mutual TLS (mTLS): A Practical Guide

In today’s enterprise environments, secure communication between systems is not optional—it’s essential. Whether you're integrating InterSystems IRIS with cloud APIs, internal microservices, or third-party platforms, Mutual TLS (mTLS) offers a powerful way to ensure both ends of the connection are authenticated and encrypted.

This post walks through how to configure IRIS for mTLS and how to validate your certificates to avoid common pitfalls.

🔐 What is Mutual TLS (mTLS)?

Hello,

I'm trying to connect a Python backend application to an InterSystems IRIS Community Edition instance running in a Docker container on an AWS EC2 instance. I'm facing persistent connection issues and an SSL Error despite the Superserver apparently having SSL disabled. I'm hoping for some insight into what might be causing this contradictory behavior.

My Setup:

Good day 

I am trying to connect a business service to fileZilla using FTP on my local PC Win 11.

I am trying to setup my training after attending the Building HL7 interfaces course with ISC.

The connection is failing. He is the error below

ERROR <Ens>ErrOutConnectFailed: FTP Connect failed for localhost:21//SSL=' with error ERROR <Ens>ErrFTPConnectFailed: FTP: Failed to connect to server 'localhost:21//SSL='/' (msg='Missing required argument',code=501)

I'm using a %Net.HttpRequest which had been successful in the past, but started failing at some point with a SSL/TLS protocol error.

ERROR #6085: Unable to write to socket with SSL/TLS configuration 'groundca', error reported 'SSL/TLS error in SSL_connect(), SSL_ERROR_SSL: protocol error, error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol'

The SSL/TLS configuration:

The request's SSLConfig is set to the "groundca" config when making the request.

For those that use IRIS for Health, HealthShare, and or Health Connect...

As Health Applications are moving to the Cloud, how have you handled communication from the Application to your instances via HTTPS?

Trying to figure out the best path on designing the proper workflow to allow these messages to be allowed to be eventually sent to our EMR to post to the patient chart.

We are very wary of opening a connection from the internet to our instance of Health Connect.

Thanks

With the release of InterSystems IRIS Cloud SQL, we're getting more frequent questions about how to establish secure connections over JDBC and other driver technologies. While we have nice summary and detailed documentation on the driver technologies themselves, our documentation does not go as far to describe individual client tools, such as our personal favourite DBeaver. In this article, we'll describe the steps to create a secure connection from DBeaver to your Cloud SQL deployment.

Does %OSCertificateStore only check the trusted root folder in windows?

Can it be used for Personal store on servers or is there another condition can be used? 

Used it for a first time and writing a function to check specific ones being used for expiry but had one this week that was to be installed in personal rather than the trusted root and didn't know if stating OSCertificateStore or a url otherwise to look in the personal installed certs on the server could be used instead so stuck with the original way (which can get confusing)

Hi,

I recently had a company-enforced OS upgrade, and ever since going from mac OS 14.x to 15.x, I am currently having issues with SSL in IRIS.

An ARM (M3 pro) machine running OS 15.2, with the latest Docker Desktop (at the time of writing, 4.37.0). The Docker container runs IRIS for UNIX (Ubuntu Server LTS for x86-64 Containers) 2022.1.2 (Build 574_0_22161U). This container has not changed.

Hello,

I was just trying to get to the bottom of a TLS config - we have an interface with a TLS config that has had 'Server certificate verification' set to 'On', however the cert file specified either did not exist or contained a cert that was expired.

Does anyone know what the behavior is for this typically? I would expect this to not allow traffic on the interface, however this has been working fine for a few years now with an invalid cert specified for 'Server certificate verification' and set to 'On'.

I have started working on utilizing Epic on FHIR about a month ago.

Creating a Public Private Key Pair

mkdir /home/ec2-user/path_to_key
openssl genrsa -out ./path_to_key/privatekey.pem 2048

For backend apps, you can export the public key to a base64 encoded X.509 certificate named publickey509.pem using this command...

openssl req -new -x509 -key ./path_to_key/privatekey.pem -out ./path_to_key/publickey509.pem -subj '/CN=medbank'

A Quick Start to InterSystems Cloud SQL Data in Databricks

Hi all,

I am trying to establish an HTTPS connection to a server using a %Net.HttpRequest object. I'm able to ping and curl the server via command line. The issue I am running into is that I am able to establish a connection, but something seems to be going wrong with verification from the server side. For example, if I use the CheckSSLCN method on the server, it returns this error message 

ERROR #6155: Unable to verify SSL/TLS connected to correct system as no SSL certificate present for this socket. */

However, if I go ahead and try to post something to the server I get this error message:

Greetings dear community members!

I have recently been deploying an IRIS for Health image on a Docker with a preconfigured Webgateway image and I have come across the problem of the SSL configurations that allow us to connect to the IRIS instance using HTTPS and going through our Webgateway.

Until now I had always deployed IRIS for Health with a Community license, which still has the Private Web Server installed, so I only needed to configure the Webgateway connection with the deployed IRIS instance:

I am developing a business operation that receives a request, creates a message with the data contained in it and sends it to an outlook email. For testing purposes both the sender and the destination are the same email account
This is the code:
ClassBO.AlertEmailSenderExtendsEns.BusinessOperation{

There's an easy new way to add certificate authority (CA) certificates to your SSL/TLS configurations on InterSystems IRIS 2019.1 (and 2018.1.2) on Windows and Mac.  You can ask IRIS to use the operating system's certificate store by entering:

%OSCertificateStore

in the field for "File containing Trusted Certificate Authority X.509 certificate(s)".   Here's an image of how to do this in the portal:

And here's a link to the documentation which describes this.  It's in the list of options under "File containing trusted Certificate Authority certificate(s)".

Does anyone know what this task does exactly? And what problems would I have if I didn't use an SSL certificate?

I got the error: "SSL/TLS error in SSL_connect(), SSL_ERROR_SSL: protocol error, error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed"

Has anyone encountered this problem before?

Hello,

Recently I have been tinkering with VSCode and ObjectScript extension to connect to my dockerized IRIS instance. I have configured the instance to use Apache as a Web Gateway as per instructions and it has been working well. Currently I'm using a self-signed certificate for the SSL part of the connection. The browser nags about insecure certs when connecting to Management Portal but that's expected. 

However when I try to connect to the instance with VSCode it simply fails with the following error message

We're excited to continue to roll out new features to InterSystems IRIS Cloud SQL, such as the new Vector Search capability that was first released with InterSystems IRIS 2024.1. Cloud SQL is a cloud service that offers exactly that: SQL access in the cloud. That means you'll be using industry-standard driver technologies such as JDBC, ODBC, and DB-API to connect to this service and access your data. The documentation describes in proper detail how to configure the important driver-level settings, but doesn't cover specific third-party tools as - as you can imagine - there's an infinite number

Up until recently, I have been toying around with REST/FHIR capabilities but only internally. Now I have a request to make REST API calls outside of our Network. 

I am using an RSA 4096 key, because Microsoft Active Directory Services which generates the signed certificate could not handle the Elliptical Key (ECC) when I put the request in.

In this article we are going to see how we can use the WhatsApp instant messaging service from InterSystems IRIS to send messages to different recipients. To do this we must create and configure an account in Meta and configure a Business Operation to send the messages we want.

Let's look at each of these steps in more detail.

Setting up an account on Meta

This is possibly the most complicated point of the entire configuration, since we will have to configure a series of accounts until we can have the messaging functionality.

Here you can read the official Meta documentation.

Hi,

Question for folks who have connected to an External FHIR repository outside of IRIS. Within the HS.FHIRServer.Interop.HTTPOperation there is not an option to include TLS or an OAuth authentication when connecting to an external Repository. So then how is that piece done if you need to Authenticate against an OAuth Server before you are able to access the data or call the Web Services/REST calls?

I am trying to setup a OAuth2.0 configuration to connect to a server within our Network using OAuth2.0. My previous attempt worked, however forgot to capture the steps before I had whipped the System so please bear with me. 

I have an SSL/TLS Client configuration setup as we use the setup for our LDAP configuration. 

When I go through the following steps within the Terminal, I am getting the following error...

I'm trying to configure an SSL/TSL configuration in our test environment so we can send ADT messages to an external server. I've verified connectivity/firewall to the external server.

type is set to Client, Server certificate verification is set to Require.

I have received a certificate from the external supplier and linked that in the "File containing trusted Certificate Authjority certificate" field. (I've also imported it into the cert store and tried using %OSCertificateStore).

Updated Jan 19th, 2023.

Hi all,

I want to share a quick little method you can use to enable ssl with a self signed certificate on your local development instance of IRIS/HealthShare. This enables you to test https-specific features such as OAuth without a huge lift.

1. Install OpenSSL

Windows     : Download from https://www.openssl.org or other built OpenSSL Binary. 

Debian Linux: $ sudo apt-get -y install openssl

RHEL        : $ sudo yum install openssl

2. Create a self-signed certificate pair. In your terminal (powershell, bash, zsh, etc)

Hi,

I am trying to connect to another server using  %Net.HttpRequest.

I keep getting this error  : SSL23_GET_SERVER_HELLO:unsupported protocol.

My guess is that the site I am reaching for uses TLS1.3 which is not supported in 2016, But I cant right now ask my client to upgrade.

Is it possible to override this ? install some kind of a patch or a more recent version of openssl on the server ?

Thanks

Amiram

Hello,

I have recently created a HA by "Cloning" the existing server. Everything worked fine until I have to failover the Primary in order to process. The Backup Failover member successfully promoted to the status of primary. Everything was working fine except on one of the Services, I receieved the following error message;

> ERROR #6156: No match between server name 'Test111b.domain.local' and SSL certificate values 'Test111a.domain.local'.

The Test111a was the original server that has been cloned to create the Test111b as a backup/failover member. 

Any help will be highly appreciated.

Thank you,

I am trying to move us to Securing the Management Portal using Apache and the Web Gateway.

Our Development environment/namespace only has 1 server, but both Test and Production have failover/DR mirroring containing 3 servers for Test, and 3 additional servers for Production. 

• Development - 1 server
• Test -2 server's setup for Failover, and 1 Async DR Mirror
• Production - 2 servers' setup for Failover, and 1 Async DR Mirror

In Test and Production, the mirroring is setup using an Arbiter and the VIP address is controlled at the Hardware level.