Using InterSystems Without a Private Web Server (S2, E12)

December 18, 2023 00:15:30

Hosted By

Derek Robinson

Show Notes

Learn about the removal of the private web server in InterSystems products as Brenna Quirk (Technical Online Course Developer) interviews Andreas Dieckow (Principal Product Manager). You will learn about the reasons InterSystems has removed the private web server, the impact on your systems, and the things to consider when preparing for a more secure future without the private web server.

To learn more about preparing your systems to migrate off of the private web server, visit Migrating off the Private Web Server During Product Upgrade.

For more information about Data Points, visit https://datapoints.intersystems.com.


Episode Transcript

[00:00:01] Brenna Quirk: Welcome to Data Points, a podcast by InterSystems Learning Services. Make sure to subscribe to the podcast on your favorite podcast app. Links can be found at datapoints.intersystems.com. I'm Brenna Quirk, and on this episode, I'll chat with Andreas Dieckow, Principal Product Manager at InterSystems, about the discontinuation of the InterSystems private web server. Welcome to the Data Points podcast by InterSystems Learning Services. I'm Brenna Quirk, a Technical Online Course Developer at InterSystems. I've joined our regular host, Derek, on the podcast once before, but today I'm excited to be taking over the whole episode, start to finish. On this episode, I will be talking with Andreas Dieckow about the discontinuation of the InterSystems private web server. Andreas's main focus is on product security, and there's been a lot of buzz recently about security relating to the PWS, and how removing it improves security. So I've been working with Andreas the past few months to make sure that we're equipping our customers with all the information needed for this change. So let's hear from Andreas as he shares with us everything we need to know about this project.

[00:14:12] Brenna Quirk: Okay, today we have Andreas Dieckow on the podcast, and Andreas, recently you've been working on improving product security for the internal web server. So if anyone has used InterSystems products before, you likely know that the installation kit includes a limited Apache web server, which is often referred to as the private web server, or PWS. And we've offered this for convenience purposes, but it was never recommended for use in production. And starting with 2023.2, InterSystems has removed the PWS from the installation kit. So, Andreas, what was the main motivation for removing the PWS?

[00:01:56] Andreas Dieckow: Security and risk assessments are increasingly getting more important, and customers have heightened sensitivity in these areas.
Protecting the environment is one of the core, must-have components. InterSystems is happy to see how many customers are engaging in best practices like scanning for vulnerabilities, continuous education on security topics, and monitoring the market for potential vulnerabilities related to their product use. Once a vulnerability is detected, the risk assessment process helps identify impact scope and mitigation urgency, among others.

[00:02:38] Brenna Quirk: So what actually happens when a security vulnerability comes up?

[00:02:42] Andreas Dieckow: The major concern is the mitigation of the vulnerability. Besides this, the details of the vulnerability, together with how fast the correction can be available. Typically, additional questions are, do I have to take downtime to mitigate the issue, or is there a correct backward compatibility?

[00:03:02] Brenna Quirk: Got you. So now let me shift gears for just a second and ask you a little bit more about the PWS. So what was the PWS, and what did it do?

[00:03:11] Andreas Dieckow: The PWS is a web server that was built from Apache source code. We included it in our products, and it was always available. Because it was built from source code, it could just be placed everywhere. Every IRIS instance has its own web server, and it was available on all IRIS platforms. As previously mentioned, we offered it for convenience and not for instances holding any kind of sensitive data.

[00:03:40] Brenna Quirk: Okay, so going along with that, what does it look like if a security vulnerability comes up specifically with the PWS?

[00:03:47] Andreas Dieckow: I will use Apache as an example. Please keep in mind that this will also apply to IIS. Because the PWS is built from the source of Apache, the concern would be a vulnerability in InterSystems IRIS. Customers not using the PWS could simply make sure that it was not used by disabling the private web server.
Customers relying on the PWS would like to get a corrected Apache version as fast as possible. Web servers are often at the heart of many applications, and disabling it is typically not an option. Once a web server vendor has completed the correction process, InterSystems would get those source code files, compile, and test them. As mentioned earlier, the PWS was delivered to customers using InterSystems IRIS kits. Those kits had to be built and tested, and then released to customers. Customers would often have the need to apply their own quality testing before they could perform the IRIS upgrade installation. As you have guessed by now, a pretty lengthy process.

[00:04:53] Brenna Quirk: Right. So how does getting rid of the PWS help?

[00:04:58] Andreas Dieckow: InterSystems created the NoPWS project to remove it from our distribution. The goal is to make sure that all the challenges mentioned previously are addressed. By no longer relying on the PWS, but installing and using the web server as offered by the web server vendors. There is no longer a requirement for InterSystems to build the PWS, or to provide upgrade kits in case of a web server vulnerability correction. Currently, InterSystems IRIS versions will no longer install the private web server. Customers will now need to install a web server if one is needed for your application, or you would like to use it for system management portal access. Those installations require SUDO or root rights, which is a new requirement that was not needed with the private web server. On the plus side, it is a web server installation with a much better security posture.

[00:05:57] Brenna Quirk: Okay, yeah, that's great. So it sounds like users probably have a lot of different setups on their different systems. So who does this change actually affect?

[00:06:08] Andreas Dieckow: In short, customers that used the PWS.
I know a lot of customers that are already installing a web server other than the PWS, or have started to move away from the PWS after we announced the discontinuation a few years back. The migration from the PWS or IIS will have some differences. First, you will have one web server that will manage your web server configurations for all local instances. With the PWS, every instance had its own web server. Second, after migration from the PWS to IIS or Apache, the URL will change. The previous URL was using the port number to identify the instance. Now it is the instance name.

[00:06:52] Brenna Quirk: And now, that's the URL for the System Management Portal?

[00:06:56] Andreas Dieckow: Yes.

[00:06:56] Brenna Quirk: Okay.

[00:07:00] Andreas Dieckow: One change you might notice is that with the NoPWS project, we also addressed a lot of small issues, so the overall experience is improved.

[00:07:11] Brenna Quirk: That sounds great! And I know that moving forward there will be autoconfiguration available as part of InterSystems products installations. So can you walk me through that process in more detail?

[00:07:23] Andreas Dieckow: Yes. Autoconfiguration is new with the NoPWS project. With the PWS, we had a pre-configured instance. With Apache, we're using one web server that holds the configuration for all instances. The same applies to the Internet Information Services, or IIS. The IRIS installer will check if it finds an enabled IIS on Microsoft Windows or an Apache installation in the default directory on all other platforms. During the installation, it will notify the user of a local web server if a local web server is available or not. Should the local web server be detected, the user has the option to request the autoconfiguration process for the instance. This step is the same for new or upgrade installations.
If the upgrade installation is upgrading from an instance that is using the PWS, the installer would disable the private web server if it was selected during the autoconfiguration option. For IIS, the dialogue is slightly different but well documented in the InterSystems IRIS product documentation.

[00:08:32] Brenna Quirk: Okay, so what happens if the instance that someone was using before, if they were using the PWS there?

[00:08:39] Andreas Dieckow: In this case, the IRIS installer will also look for Apache to be installed. If the installer is requesting to perform the autoconfiguration, it will perform this task and afterwards disable the PWS. The PWS is still there and can be used in fallback situations.

[00:08:56] Brenna Quirk: Okay, great, so it sounds like we've got a pretty good picture here. Is there anything else that our listeners should know about this project?

[00:09:03] Andreas Dieckow: There are a few details worth mentioning. New InterSystems IRIS installations will no longer install the private web server. On upgrade, if the instance is using the PWS, IRIS will continue to use it unless the user started the migration process using the autoconfiguration. Eventually, InterSystems IRIS will no longer support the private web server. We have not yet published when that will be. As this is an important security improvement, InterSystems assumes that customers will move away from the PWS with high priority. Customers do not have to use Apache or IIS. For those web servers, customers need to perform their own configuration steps. For NGINX, InterSystems has published some guidance on how to use it. If customers made changes to the configuration of the PWS, they should switch manually. Remote configurations are of course still supported and mostly unchanged. Customers do not need to install a local web server. The main change here is the connection to the instance.
We mentioned earlier that the URL is switching from using the port number to using the instance name. InterSystems only supports IIS on Windows for autoconfiguration. Customers can still use Apache on Microsoft Windows if desired, but need to perform their own configuration changes. A significant change is in the support for SELinux. With the private web server, SELinux was not aware of it. Using your own Apache installation, SELinux will need to be configured if HTTP or HTTPS connections are required for this instance. Starting with InterSystems IRIS 2023.3, InterSystems is shipping the files that SELinux requires. That enables customers to run SELinux in enforce mode, in most cases without additional changes. Brenna, you have worked on some additional material for our customers. What resources are available, and how will they help?

[00:11:09] Brenna Quirk: Yeah, so we have a few different resources available for our customers here. So one that you mentioned already is the product documentation. Another big one is that InterSystems will be sharing installation scripts for Apache that perform the default root installation of the Apache web server so that it's correctly installed, ready to be automatically configured during product installation or product upgrade. And along with these, we have also created three videos that walk through the whole process from installing or enabling the web server through product installation, including autoconfiguring the web server. And these videos offer specifics both for Linux-based platforms and for Windows. So we show in Linux using an Apache web server with a single product instance, and then in Windows using IIS with a single product instance. And then in the third video, we have a slightly more complex configuration, where we show how to use an Apache web server with a mirrored configuration setup. This is a typical setup for users of HealthShare Health Connect, so that video will be specifically useful there.
And in that video we also cover, as you mentioned, any considerations that might need to be made for SELinux, if you're running your instances on Red Hat.

[00:12:31] Andreas Dieckow: How can our audience access those videos?

[00:12:36] Brenna Quirk: So those videos are live on the InterSystems Learning site, which is learning.intersystems.com. We'll also link those on the page with this podcast. So if you're listening, there will be easy access there. And then the installation scripts that I mentioned for Apache, those will be available on the Developer Community. So since Apache is a third-party app, those aren't going to live on the InterSystems Learning site, but we do want to provide as much support to our users as possible. So we'll be making those available there as well.

[00:13:05] Andreas Dieckow: That is great. Thank you.

[00:13:06] Brenna Quirk: Yeah. So now that we've talked about all this for on-prem solutions, how is this different in the cloud?

[00:13:15] Andreas Dieckow: Here, this will be even easier. In the cloud you don't do upgrade installations. Instead, you replace the container with a new one. But you still have to switch to a container that doesn't support the PWS. You have a few options. Run a web server container next to an IRIS container, or on Kubernetes, add a sidecar for the web server. There is a GitHub repo that has a few examples showing the option. It requires a bit more thought, but it is easy to make those changes. And the same principle applies where multiple instances can share the same web server.

[00:13:53] Brenna Quirk: All right, great. So should be useful for anyone who's running in the cloud there. Now for the people listening today, Andreas, what would you say is the main takeaway that people should get from this conversation?

[00:14:05] Andreas Dieckow: The quick answer is NoPWS equals better security.

[00:14:09] Brenna Quirk: Great.
[00:14:10] Andreas Dieckow: The process of using a web server has changed and seems intimidating at first, but after you have gone through it, it will feel as easy and natural as previous upgrade processes. As we have heard from Brenna, there is a good amount of information available to get started. That information might change over time as web server vendors adjust and improve their products. We hope you will find this new process quick, easy, and straightforward. Changing the procedure was not an easy decision, but often requested by customers, and in line with best practices. Once you have switched away from this private web server, it is probably as easy as doing an update on your mobile device.

[00:14:54] Brenna Quirk: All right, so thank you very much for listening today, everyone, and thanks for joining me, Andreas!

[00:15:00] Andreas Dieckow: Thank you very much.

[00:15:03] Brenna Quirk: Thanks again, Andreas, for telling us all about the project to remove the private web server from InterSystems products. This is a really important project when it comes to keeping instances secure and mitigating risk in that area. If you want to learn more about it, you can visit the links to other learning content alongside this podcast. Thanks for joining us today, and we'll see you next time on Data Points.
