InterSystems IRIS Managed Service Reference Information

In the Deployment Details section of the Overview page for your deployment, you can view the details of your deployment, including:

• Deployment size

• Creation date

• Deployment ID

• Cloud provider and region

• High Availability State

• Underlying InterSystems IRIS platform

The xDBC Details section of the Overview page provides information on how to connect to your InterSystems IRIS Managed Service database using a JDBC or ODBC client. You can also find out how to install the necessary InterSystems IRIS JDBC or ODBC driver.

You also need to create an inbound firewall rule to open port 1972 on the Firewall page.

For more information on querying your InterSystems IRIS Managed Service database using JDBC or ODBC, see Query Your Data.

The Interoperability Details section of the Overview page displays the File System Interoperability directory name to be used by Interoperability Productions Opens in a new tab that need to store files on the file system. If you have a High Availability configuration, files in this directory are copied automatically from the primary mirror member to the backup mirror member.

This section also displays the CIDR Block for the private network used for this deployment, as well as the Virtual IP Address of the deployment. This CIDR block defines the range of IP addresses used for the internal InterSystems IRIS Managed Service components. The Virtual IP address is a static address within the CIDR block that you use to communicate with this InterSystems IRIS Managed Service deployment. If you have a High Availability configuration, this Virtual IP address will continue to work no matter which mirror member is the primary member.

The External IP is displayed only if you have enabled public access on the Firewall page.

If you have a High Availability configuration, the High Availability section of the Overview page displays whether or not your mirror is healthy, shows you the current state of each mirror member, and identifies which mirror member is the primary member and which mirror member is the backup member.

When you create an interoperability production, the Cloud Services Portal also creates a namespaceOpens in a new tab for the production, which includes a database for the code and data for that production. After creating a production, you can configure and manageOpens in a new tab it using the Management Portal.

For more information on developing productions, see the InterSystems IRIS documentation setOpens in a new tab.

If your InterSystems IRIS Managed Service deployment was created with the High Availability configuration, the databases for your interoperability productions are automatically mirrored to the backup server.

To create a production:

1. On the Productions page, under Create Interoperability Production, type the desired name of your production.

2. Click Create Production.

After you create a production, it shows up in the Productions list at the top of the page with a Production State of Stopped. When the creation process is finished, the Production State changes to Running. The Production Started column shows the time the production was started, in GMT. You may need to click Refresh to update the status.

To manage the production in the Management Portal, click Manage in the row for that production. You will need to log in as a user that you or a team member has created (and granted production access to) on the Connect Users page

To delete an interoperability production:

1. On the Productions page, click the Delete Production icon in the Actions column for that production.

2. In the Delete Production dialog box, type Permanently Delete, and click Delete.

The production is removed from the Productions list at the top of the page.

To create a new SSL/TLS Configuration:

1. On the SSL/TLS Configurations page, under Create SSL/TLS Configuration, type the desired name of your SSL/TLS Configuration.

   Only alphanumeric characters are allowed. No spaces or special characters.

2. Type an optional Description.

3. If desired, check Enabled to enable the configuration after creating it.

   You can enable or disable it later by editing the configuration.

4. Choose a Type for the configuration.

   Client means that this configuration is used when InterSystems IRIS Managed Service initiates a connection to another system, for example, in an outbound TCP adapter in a production’s business operation.

   Server means that this configuration used when another systems initiates a connection to InterSystems IRIS Managed Service, for example, in an inbound TCP adapter in a production’s business service.

5. Choose the desired Certificate Verification for this configuration.

   If this is a Client configuration:

   • None means that the server does not need to provide a certificate and the client performs no verification.

   • Required means that the server must provide a certificate and the client verifies the certificate with the Certificate Authority that issued the certificate.

   If this is a Server configuration:

   • None means that the client neither requires or requests a certificate.

   • Request means that the client may or may not provide a certificate and the server verifies the certificate only if provided.

   • Required means that the client must provide a certificate and the server verifies the certificate with the Certificate Authority that issued the certificate.

6. Upload the file containing the trusted Certificate Authority certificate(s).

   This file contains the X.509 certificate(s) in PEM format of the Certificate Authority (CA) or Certificate Authorities that this configuration trusts. The configuration uses the certificates of the trusted CA(s) to verify peer certificates. Typically, a production system uses certificates from commercial CAs with publicly available certificates.

   This field does not appear if certificate verification is not needed for this configuration.

7. Upload the file containing configuration certificate.

   This is the configuration’s own X.509 certificate(s) in PEM format, if required.

8. Upload the file containing associated private key.

   This is the configuration’s private key file.

   If a configuration certificate is provided, a private key is required.

9. Select the Private Key Type.

   This is the algorithm used to generate the private key, where valid options are DSA (Digital Signature Algorithm) and RSA (Rivest, Shamir, and Adleman).

10. Type the Private Key Password.

    If the private key is password-protected and you do not enter a value here, InterSystems IRIS Managed Service cannot confirm that the private key and the certificate’s public key match each other.

11. Select the Minimum Protocol Version supported by this configuration.

    This is the earliest version of the TLS protocol that this configuration supports.

12. Select the Maximum Protocol Version supported by this configuration.

    This is the latest version of the TLS protocol that this configuration supports.

13. If desired, edit the Enabled Cipherlist.

    The default set of cipher suites is:

    • ALL — Includes all cipher suites except the eNULL ciphers

    • !aNULL — Excludes ciphers that do not offer authentication

    • !eNULL — Excludes ciphers that do not offer encryption

    • !EXP — Excludes export-approved algorithms (both 40- and 56-bit)

    • !SSLv2 — Excludes SSL v2.0 cipher suites

14. For Server configurations only, select the size of Diffie-Hellman key (if using).

15. For Server configurations only, optionally enable and configure OSCP Stapling.

    OCSP (Online Certificate Status Protocol) is an internet protocol that checks the validity status of a certificate in real-time.

16. Click Create Configuration.

For more information on the fields on this page, see About ConfigurationsOpens in a new tab.

After you create a configuration, it shows up in the SSL/TLS Configurations list at the top of the page.

To edit an SSL/TLS Configuration:

1. On the SSL/TLS Configurations page, click the Edit Configuration icon in the Actions column for that SSL/TLS Configuration.

2. In the dialog box, edit any of the fields, and click Submit.

See Create an SSL/TLS Configuration for information on each field.

To delete an SSL/TLS Configuration:

1. On the SSL/TLS Configurations page, click the Delete Configuration icon in the Actions column for that SSL/TLS Configuration.

2. In the Delete Configuration dialog box, type Permanently Delete, and click Delete.

The configuration is removed from the SSL/TLS Configurations list at the top of the page.

To test an SSL/TLS Configuration (client configurations only):

1. On the SSL/TLS Configurations page, click the Test Connection icon in the Actions column for that SSL/TLS Configuration.

2. In the SSL/TLS Connection Test dialog box, type a Hostname (not its URL) and a Port.

3. Click Test Connection.

   The dialog box is updated with information saying whether the connection test succeeded or failed. If the test succeeded, additional details of the connection are provided, such as the protocol and ciphersuite that were used.

To create a new SQL Gateway configuration:

1. On the SQL Gateways page, under Create SQL Gateway Configuration, type the Configuration Name of your SQL Gateway configuration.

   Only alphanumeric characters are allowed. No spaces or special characters.

2. Choose a Driver to use for the connection.

3. In the Server box, type the URL of the server to use for this connection.

4. In the Port box, type the port number to connect to on the server.

5. In the Database box, type the name of the external database.

6. In the User box, type the username to use to connect to the external database.

7. In the Password box, type the password to use to connect to the external database.

8. Click Create Configuration.

After you create a configuration, it shows up in the SQL Gateway Configurations list at the top of the page.

To test a SQL Gateway configuration:

On the SQL Gateways page, click the Test Configuration icon in the Actions column for that configuration.

You should see the message “Successfully connected to remote server.”

If you see the message “There was an issue testing configuration. Please double check configuration parameters.” then edit the SQL Gateway configuration and try again.

To edit a SQL Gateway configuration:

1. On the SQL Gateways page, click the Edit Configuration icon in the Actions column for that configuration.

2. In the dialog box, edit any of the fields, and click Save.

See Create a SQL Gateway Configuration for information on each field.

To delete a SQL Gateway configuration:

1. On the SQL Gateways page, click the Delete Configuration icon in the Actions column for that configuration.

2. In the Delete Configuration dialog box, type Permanently Delete, and click Delete.

The configuration is removed from the SQL Gateway Configurations list at the top of the page.

Working with firewall rules consists of three basic steps:

1. Create, update, or delete one or more firewall rules.

   The rules now show status indicators for Pending Creation, Pending Update, or Pending Deletion.

2. Save your changes.

   The rules now show status indicators for Needs Deployment.

3. Deploy your saved changes.

   All saved changes are now deployed.

This allows you to stage a number of changes and deploy them at a later date or time. This deploys changes to both private and public network rules.

For information on using firewall rules with productions you have created, see Configuring a Production to Use a Firewall Rule.

The Advanced Firewall option provides additional capabilities beyond the default firewall functionality, such as the ability for a rule to deny traffic (instead of allowing traffic) or to filter traffic by application type (SSL, HL7, or Ping).

Before creating a private firewall rule, you must create a InterSystems Network ConnectOpens in a new tab deployment to create a VPN hub and then connect a VPN gateway device (or private circuit) and your deployment.

To add a private firewall rule to your deployment:

1. On the Firewall page, select the Private Network tab, and click Create.

2. In the Create Firewall Rule dialog box:

   1. In the Rule Name box, type a name to identify the rule.

      This name should be unique to avoid confusion.

   2. In the Direction drop-down, select either Inbound or Outbound.

   3. For Inbound rules, in the Source Address box, type a single CIDR block or a comma-separated list that defines the source IP addresses allowed using this rule.

      The Destination Address is filled in automatically,

   4. For Outbound rules, in the Destination Address box, type a single CIDR block or a comma-separated list that defines the destination IP addresses allowed using this rule.

      The Source Address is filled in automatically,

   5. In the Port Range box, type the port number(s) or range(s) to use for this rule.

      For inbound rules, the allowed ports are 443 and 1972. Use port 443 to allow a user to log into the deployment’s Management Portal. Use port 1972 to connect to your deployment’s database using a JDBC or ODBC client. Inbound access to other ports is not permitted.

      For outbound rules, the allowed ports are 22, 53, 80, 123, 443, 465, 587, 1024 through 65535.

      Use a hyphen to specify a contiguous range of port numbers (for example, 1040-1050). Use commas to separate multiple non-contiguous port numbers (for example, 1040, 1050, 1060).

      Leave this field blank if the Protocol is Ping.

   6. In the Protocol drop-down, select TCP, UDP, Ping, or Any, depending the type of traffic to which this rule applies.

   7. In the Application drop-down, select the type of application to filter by (Any, SSL, HL7, or Ping).

      Filtering by application requires the Advanced Firewall feature.

   8. If this is an outbound rule, optionally check Allow Internet Access to allow traffic from this deployment to reach the internet. Leave the box unchecked to restrict traffic to within the internal network only.

   9. In the Action box, select whether this rule allows or denies traffic to or from the deployment.

      Deny rules require the Advanced Firewall feature.

   10. Check the Rule Enabled box to enable the rule when it is deployed.

       If you leave the box unchecked, you can enable the rule at a later time.

3. Click Create.

   The firewall now appears in the list of rules as Pending Creation, however, it is not yet active.

4. Click Save to save the rule.

   The firewall rule now appears in the list as Needs Deployment.

   This also saves any other rules marked as Pending Creation, Pending Update, or Pending Deletion.

5. Click Deploy to deploy the rule.

   The firewall rule is now deployed.

   This also deploys any other rules marked as Needs Deployment.

To manage multiple rules, select the rules and then use the Enable, Disable, or Delete icons above the rules table to mark them to be enabled, disabled, or deleted.

To manage single rules, use the Edit, Enable/Disable, or Delete icons in the Actions column for that rule.

Then click Save to save the changes and then Deploy to deploy them.

Before creating the first public firewall rule, you must enable Public Access:

1. On the Firewall page, in the Global Network Settings section, slide the Enable External Connections slider to the right.

   You are redirected to the list of deployments while the deployment is updated. This may take a few minutes.

2. When the status for your deployment changes from UPDATING back to COMPLETE, click the card and navigate back to the Firewall page.

To add a public firewall rule to your deployment:

1. On the Firewall page, select the Public Network tab, and click Create.

2. In the Create Firewall Rule dialog box:

   1. In the Rule Name box, type a name to identify the rule.

      This name should be unique to avoid confusion.

   2. In the Direction drop-down, select either Inbound or Outbound.

   3. For Inbound rules, in the Source Address box, type a single CIDR block or a comma-separated list that defines the source IP addresses allowed using this rule.

      The Destination Address is filled in automatically,

   4. For Outbound rules, in the Destination Address box, type a single CIDR block or a comma-separated list that defines the destination IP addresses allowed using this rule.

      The Source Address is filled in automatically,

   5. In the Port Range box, type the port number(s) or range(s) to use for this rule.

      For inbound rules, the allowed ports are 443 and 1972. Use port 443 to allow a user to log into the deployment’s Management Portal. Use port 1972 to connect to your deployment’s database using a JDBC or ODBC client. Inbound access to other ports is not permitted.

      For outbound rules, the allowed ports are 22, 53, 80, 123, 443, 465, 587, 1024 through 65535.

      Use a hyphen to specify a contiguous range of port numbers (for example, 1040-1050). Use commas to separate multiple non-contiguous port numbers (for example, 1040, 1050, 1060).

      Leave this field blank if the Protocol is Ping.

   6. In the Protocol drop-down, select TCP, UDP, Ping, or Any, depending the type of traffic to which this rule applies.

   7. In the Application drop-down, select the type of application to filter by (Any, SSL, HL7, or Ping).

      Filtering by application requires the Advanced Firewall feature.

   8. In the Action box, select whether this rule allows or denies traffic to or from the deployment.

      Deny rules require the Advanced Firewall feature.

   9. Check the Rule Enabled box to enable the rule when it is deployed.

      If you leave the box unchecked, you can enable the rule at a later time.

3. Click Create.

   The firewall rule now appears in the list of rules as Pending Creation, however, it is not yet active.

4. Click Save to save the rule.

   The firewall rule now appears in the list as Needs Deployment.

   This also saves any other rules marked as Pending Creation, Pending Update, or Pending Deletion.

5. Click Deploy to deploy the rule.

   The firewall rule is now deployed.

   This also deploys any other rules marked as Needs Deployment.

To manage multiple rules, select the rules and then use the Enable, Disable, or Delete icons above the rules table to mark them to be enabled, disabled, or deleted.

To manage single rules, use the Edit, Enable/Disable, or Delete icons in the Actions column for that rule.

Then click Save to save the changes and then Deploy to deploy them.

If you are no longer using any public firewall rules, slide the Public Access slider to the left to disable all external connections to the deployment. Any existing public rules are hidden on the Firewall page, but they are not deleted and will be displayed again if you re-enable public access.

The Network Connectivity Test section of the Network page allows you to test connectivity from this deployment to a particular server and port. The server could be an external server or an on-premise server accessed over your company’s VPN.

To perform a connectivity test:

1. In the Network Connectivity Test section of the Network page, in the IP or Hostname box, type the IP address (such as 203.0.113.0) or hostname (such as example.com) of the server to which you want to connect.

2. In the Port box, type the port number to which you want to connect on that server.

   You can specify one of the following ports: 21, 22, 53, 443, 465, 587, or a port in the range 1024-65535.

3. Click Test Connection.

   You will see either a success or failure message.

The VPC Flow Logs section of the Network page allows you to monitor the traffic coming in and out of this deployment. This allows you to confirm that your network configuration is correct, debug network issues, monitor traffic patterns, or identify unauthorized access attempts.

To view flow log entries:

1. In the VPC Flow Logs section of the Network page, optionally filter the log by entering one or more of the following fields:

   • Actions — Choose ACCEPT to see only traffic that was permitted to flow from the source to the destination or REJECT to see only traffic that was blocked from reaching its intended destination.

   • Host IP — Type the IP address of either the source or destination.

   • Host Port — Type the port of either the source or destination.

2. Enter the Start Time and End Time of the period of time you want to examine.

   The default window is the most recent 10 minutes. The maximum window is 30 minutes in duration.

3. Click Find.

   Flow log entries matching the entered criteria are displayed.

4. Optionally, click Load More to load more log entries.

   This button only appears if more log entries remain to be loaded.