Nueva publicación

Pesquisar

Artículo
· 23 ene, 2026 Lectura de 6 min

Connecting IRIS to Apache Kafka securely with SSL and SASL

#Internal Tech Article Contest

1-) Introduction

This article reflects my recent experiences at trying to connect an IRIS Business Operation to a secure Kafka Server, using SSL tunnels to encrypt the communications and using SASL (Simple Authentication and Security Layer) password hashing with SCRAM-SHA-512.

2-) Background Information

Kafka implementations can be made extremely secure by using encryption and ACLs (Access Control Lists) to control access to topics and other resources in the cluster.

2.1-) SSL Encryption

The first part, encryption, can be easily implemented by configuring SSL on the Kafka Listeners.

The instructions and details can be found at this link:  https://kafka.apache.org/41/security/encryption-and-authentication-using-ssl/

From the link, it is important to notice that Kafka can implement Client Authentication through mutual authentication of the SSL tunnel, and that is the default behavior of the Kafka Listener.

However, to implement SASL (Simple Authentication and Security Layer) Authentication with SCRAM-SHA-512 (or SCRAM-SHA-256) hashing, the SSL Client Authentication must be disabled on the Listener.

To disable the Client Authentication on the SSL Listener, it is necessary to change the Kafka Server configuration:

ssl.client.auth=requested

ssl.endpoint.identification.algorithm=””

The default value for ssl.client.auth is required, which implies the client trying to connect to Kafka has to present a digital certificate to authenticate. Although extremely secure, SSL Authentication of the clients connecting to Kafka, require the overhead of issuing and managing the expiration of digital certificates to each individual client that is going to connect. Most customers, prefer not deal with this overhead and instead configure Kafka to use SASL.

The parameter ssl.endpoint.identification.algorithm must be set to an empty string.

2.2-) SASL Authentication

To enable SASL the required information can be found at this link: https://kafka.apache.org/41/security/authentication-using-sasl/

On my test environment I configured a Listener with the SASL_SSL security mapping on Kafka, using the SCRAM-SHA-512 mechanism for password hashing.

listeners=SASL_SSL://:9093

advertised.listeners=SASL_SSL://<kafka-hostname>:9093

sasl.enabled.mechanisms=SCRAM-SHA-512

On my test environment, with three Kafka Servers on the cluster, this configuration needs to be present on all servers.

2.3-) Authorizer and ACLs

To enable ACLs an Authorizer needs to be configured on each Broker and Controller of the Kafka cluster.

The relevant information can be found at this link: https://kafka.apache.org/41/security/authorization-and-acls/

My tests were executed on a cluster in Kraft Mode, so I had to add the following properties in the configuration files for the Kafka Brokers and Controller:

authorizer.class.name=org.apache.kafka.metadata.authorizer.StandardAuthorizer

allow.everyone.if.no.acl.found=true

super.users=User:broker;User:client

The authorizer.class.name points to the default Authorizer that is shipped with Kafka. 

The allow.everyone.if.no.acl.found=true is a bit of overkill that allows any authenticated users to access a resource that has no specific ACL attached to it. The default value of this parameter is false, which will deny access to resources without a specific ACL.

The super.users=User:broker;User:client is a list of Principals (aka Users) that are considered Super Users, which are allowed to access any resource.

2.4-) Create SCRAM Credentials

It is also important to create the SASL credentials on the Kafka Brokers for each user that is going to authenticate on the Cluster, by using the Kafka CLI:

$ kafka-configs.sh --bootstrap-server <Server URI> \

--alter --add-config 'SCRAM-SHA-512=[password=<passwd>]' \

--entity-type users --entity-name <USER> \

--command-config <Config File for Connection>

It is important to create the credentials with the same level of encryption that is configured on the Listener. In my tests, I configured the Listener with SCRAM-SHA-512, but it is possible to use SCRAM-SHA-256 instead.

You can verify that the SCRAM Credentials are created on the cluster by running this Kafka CLI:

$ kafka-configs.sh --bootstrap-server <Server URI> \

--describe \

--entity-type users \

--command-config <Config File for Connection>

Each User (aka Principal) with associated SASL credentials will be listed on the output, like the one bellow:

SCRAM credential configs for user-principal '<USER>' are SCRAM-SHA-512=iterations=4096

At this point, we have done all the configuration required on the Kafka side.

3-) Configuring IRIS

The tests were executed using a IRIS Version soon to be GA 2025.1.3 (Build 457U), which includes some enhancements necessary to use advanced Kafka Security options like SASL SCRAM-SHA-512 or SCRAM-SHA-256.

To test this configuration, I created a simple Business Operation, in a Production in IRIS.

3.1-) Create a Production

Create a new Interoperability Production in your Namespace, if necessary create a Namespace that is capable of running Interoperability Productions:

Create a new Production, and select the options to enable Testing and Trace Events:

3.2-) Create a Simple Business Operation

Create a new Business Operation, using the out-of-the-box Class EnsLib.Kafka.Operation, I named my “Kafka Producer”, select the “Enable Now” option.

On the Business Operation Settings make the necessary changes to the Kafka Settings section:

The above example reflect my test environment, make the necessary adjustments to reflect your environment.

  • On the Servers Setting, change the broker hostname and port number to point to a Kafka Listener that has SASL_SSL security protocol enabled;
  • Credentials point to the Interoperability Credential that has the userID and password created on the Kafka broker, that have SCRAM credentials created, see details bellow;
  • SecurityProtocol has to be set to SASL_SSL;
  • SASLMechanism is set to SCRAM-SHA-512,or the encryption level that is set on your environment;
  • TrustStoreLocation, KeyStoreLocation are the files containing the SSL TrustStore and KeyStore that are going to be used to create the SSL tunnel. Those files are created on the Kafka Server and should be copied over in jks or p12 format;
  • TrustStoreCredentials, KeyStoreCredentails and KeyCredentials point to a Interoperability Credentials that have the credentials to access the TrustStore,KeyStore and Key files, see bellow;

 

3.3-) Create the Credentials

On the Credentials page:

Create two credentials:

The Credential used to authenticate on the Kafka Broker with SCRAM Credentials created on step 2.4 above.

The second credential is the password used to access the TrustStore KeyStore and Keyfile.

In my case all files have the same password, so just one credential opens all files.

3.4-) Sending a Test Message

Now we can test the configuration settings and send a Test Message, using the Test function of the Business Operation.

If everything is configured properly you should see the Test Results instantly. If the Test Results progress bar takes some time to progress, this is an indication that some mis-configuration have occurred, and you need to double-check your settings.

Clicking on the Visual Trace shows the results:

 

And if you have a Kafka IU available you can see the message on the Topic, or you can see the messages using Kafka CLI:

$ kafka-console-consumer.sh \

--bootstrap-server <Server URI> \

--topic <TOPIC> --from-beginning \

--consumer.config <consumer.config.properties>

The above CLI show all messages on the Topic <TOPIC> and it runs until it is interrupted by a Ctrl-C.

This concludes this quick tests.

Best of luck!

1 Comentario
Comentarios (1)1
Inicie sesión o regístrese para continuar
Artículo
· 23 ene, 2026 Lectura de 2 min

Destaque de Auditoria 2024.3 - Eventos de Instrução SQL com Granularidade Refinada

#Seguridad #SQL #InterSystems IRIS #InterSystems IRIS for Health #Health Connect

A auditoria é uma capacidade crítica que garante a segurança do seu servidor e, há algum tempo, incluímos a capacidade de auditar instruções SQL executadas no servidor.

Com a v2024.3 já disponível, estamos fornecendo opções com granularidade mais refinada para definir esses eventos a serem auditados.

Anteriormente, você podia decidir auditar instruções SQL de acordo com o mecanismo de acesso, por exemplo, executando instruções via JDBC/ODBC vs. SQL embarcado (ex: usando &sql em seu código) vs. SQL Dinâmico (ex: usando %SQL.Statement no código, ou usando a Execução de Consulta SQL do Portal de Administração, ou a partir do SQL Shell no terminal) e agora, além disso, você pode decidir auditar apenas certos tipos de instruções (por mecanismo de acesso, como era possível anteriormente). Esses tipos são:

  • DDL (Linguagem de Definição de Dados) - 

Instruções que alteram elementos do banco de dados, configurações ou outras coisas que não são dados. Ex: CREATE / ALTER TABLE

  • DML (Linguagem de Manipulação de Dados) - 

Instruções que alteram dados. Ex: INSERT / UPDATE / DELETE

  • Utility (Utilitários) - 

Instruções que não alteram dados nem metadados, mas sim alteram o status do processo ou modelos de machine learning.

  • Query (Consulta) - 

Instruções que executam ou definem uma consulta que pode retornar dados. Ex: SELECT

Esta é a lista dos eventos relacionados que você pode encontrar agora na configuração de Eventos de Auditoria (Audit Events):

Veja mais informações na Documentação relacionada e nas Notas de Lançamento relacionadas.

Comentarios (0)1
Inicie sesión o regístrese para continuar
Artículo
· 23 ene, 2026 Lectura de 5 min

Finding your way on the API Manager roads

#API #InterSystems API Manager (IAM) #API REST #InterSystems IRIS #InterSystems IRIS for Health #Internal Tech Article Contest #Supply Chain Orchestrator

 

A question that quickly arises when configuring IAM (aka Kong Gateway) is how many routes should be created to reach all the business objects in an IRIS API.

A common mistake is to create one route per business object, unnecessarily multiplying the number of routes.

Let's take the example of the Supply Chain Orchestrator Data Model API:

/api/SC/scmodel/v1/objects
/api/SC/scmodel/v1/objects/BOM
/api/SC/scmodel/v1/objects/Carrier
/api/SC/scmodel/v1/objects/Customer
/api/SC/scmodel/v1/objects/DemandPlan
/api/SC/scmodel/v1/objects/InventoryThreshold
/api/SC/scmodel/v1/objects/Issue
/api/SC/scmodel/v1/objects/LeadtimeVariant
/api/SC/scmodel/v1/objects/Location
/api/SC/scmodel/v1/objects/MfgOrder
/api/SC/scmodel/v1/objects/Milestone
/api/SC/scmodel/v1/objects/Product
/api/SC/scmodel/v1/objects/ProductInventory
/api/SC/scmodel/v1/objects/ProductSupplier
/api/SC/scmodel/v1/objects/ProductionCapacity
/api/SC/scmodel/v1/objects/PurchaseOrder
/api/SC/scmodel/v1/objects/PurchaseOrderLine
/api/SC/scmodel/v1/objects/RouteLeg
/api/SC/scmodel/v1/objects/SCException
/api/SC/scmodel/v1/objects/SLA
/api/SC/scmodel/v1/objects/SalesOrder
/api/SC/scmodel/v1/objects/SalesOrderLine
/api/SC/scmodel/v1/objects/SalesShipment
/api/SC/scmodel/v1/objects/SalesShipmentLine
/api/SC/scmodel/v1/objects/ServiceSLA
/api/SC/scmodel/v1/objects/ShipmentMilestone
/api/SC/scmodel/v1/objects/ShipmentStop
/api/SC/scmodel/v1/objects/ShipmentTracking
/api/SC/scmodel/v1/objects/ShippingCost
/api/SC/scmodel/v1/objects/Supplier
/api/SC/scmodel/v1/objects/SupplyPlan
/api/SC/scmodel/v1/objects/SupplyShipment
/api/SC/scmodel/v1/objects/SupplyShipmentLine
/api/SC/scmodel/v1/objects/TrackingService

Creating a route in API Manager for each business object would be tedious and strongly discouraged, and would not protect you from changes during a version upgrade.

 

Example of a clean cut (recommended)

Route Usage Plugins
/objects$ global list of all objects Cache, rate limit
/objects/{type} BOM / Carrier / Customer Business Monitoring

Kong doesn't natively understand /objects/{type}.

👉 It needs to be translated using a regex :

{type} = [^/]+

We start by creating a service scmodel in Kong 

### Create a new service in Kong for the SC Model application
curl -i -X POST \
--url http://localhost:8001/services/ \
--data 'name=scmodel' \
--data 'url=http://192.168.65.1:52880'

Then we add the route to retrieve the list of all objects with $ for the exact routes:

### Create a route for the SC Model service Objects
curl -i -X POST \
--url http://localhost:8001/services/scmodel/routes \
--data 'name=scmodel-objects' \
--data 'paths=~/api/SC/scmodel/v1/objects$' \
--data 'strip_path=false'

Then we create a generic route for all object type using [^/]+$ as the regex :

### Create a route for the SC Model for all object types
curl -i -X POST \
  http://localhost:8001/services/scmodel/routes \
  --data name=scmodel-object-type \
  --data 'paths[]=~/api/SC/scmodel/v1/objects/[^/]+$' \
  --data strip_path=false

If you want to monitor or manage one type of object in particular with different plugins or different auth, rate-limits, etc., you have to create a specific route for it, using regex_priority:

If multiple regex routes match, Kong chooses the highest regex_priority, otherwise… the internal (non-deterministic) order.

Example below for Customer and Product objects :

### Create a route for the SC Model service Customer
curl -i -X POST \
  http://localhost:8001/services/scmodel/routes \
  --data name=scmodel-object-customer \
  --data 'paths[]=~/api/SC/scmodel/v1/objects/Customer$' \
  --data 'regex_priority=10' \
  --data strip_path=false

### Create a route for the SC Model service Product
curl -i -X POST \
  http://localhost:8001/services/scmodel/routes \
  --data name=scmodel-object-product \
  --data 'paths[]=~/api/SC/scmodel/v1/objects/Product$' \
  --data 'regex_priority=10' \
  --data strip_path=false

You can also create a limited list of objects types by using regex (A,B,C).
Example below for all sales routes :

### Create a route for the SC Model Sales routes
curl -i -X POST \
  http://localhost:8001/services/scmodel/routes \
  --data name=scmodel-object-sales \
  --data 'paths[]=~/api/SC/scmodel/v1/objects/(SalesOrder|SalesOrderLine|SalesShipment|SalesShipmentLine)$' \
  --data 'regex_priority=10' \
  --data strip_path=false

 

You can then find the route configuration in the API Manager portal :

To test it, just make some calls to different routes :

### Get Object BOM
curl --user _SYSTEM:SYS 'http://localhost:8000/api/SC/scmodel/v1/objects/BOM'

### Get Object Carrier
curl --user _SYSTEM:SYS 'http://localhost:8000/api/SC/scmodel/v1/objects/Carrier'

### Get Object Customer
curl --user _SYSTEM:SYS 'http://localhost:8000/api/SC/scmodel/v1/objects/Customer'

### Get Object DemandPlan
curl --user _SYSTEM:SYS 'http://localhost:8000/api/SC/scmodel/v1/objects/DemandPlan'

### Get Object InventoryThreshold
curl --user _SYSTEM:SYS 'http://localhost:8000/api/SC/scmodel/v1/objects/InventoryThreshold'

### Get Object Issue
curl --user _SYSTEM:SYS 'http://localhost:8000/api/SC/scmodel/v1/objects/Issue'

### Get Object Product
curl --user _SYSTEM:SYS 'http://localhost:8000/api/SC/scmodel/v1/objects/Product'

### Get Object SalesOrder
curl --user _SYSTEM:SYS 'http://localhost:8000/api/SC/scmodel/v1/objects/SalesOrder'

### Get Object SalesOrderLine
curl --user _SYSTEM:SYS 'http://localhost:8000/api/SC/scmodel/v1/objects/SalesOrderLine'

### Get Object SalesShipment
curl --user _SYSTEM:SYS 'http://localhost:8000/api/SC/scmodel/v1/objects/SalesShipment'

### Get Object SalesShipmentLine
curl --user _SYSTEM:SYS 'http://localhost:8000/api/SC/scmodel/v1/objects/SalesShipmentLine'

This allows you to manipulate your Customer business object with a finer level of detail than other objects types:

Analytics for all sales objects :

Analytics of the other object types :

Comentarios (0)1
Inicie sesión o regístrese para continuar
Job
· 23 ene, 2026

From Classics to Trending Toys: Your Go-To Online Toy Store in Dubai

#Servicio empresarial #Health Connect #Oferta de empleo

Finding the perfect toy for your child can be a delightful yet overwhelming experience. From timeless classics to the latest trending toys, Dubai parents now have more options than ever. Whether you’re searching for a toy shop near me, exploring reputable toy shops in Dubai, or browsing a trusted online toy store Dubai, knowing where and how to shop smart ensures your child enjoys quality, safe, and engaging toys.

Explore Classics and Trendy Toys

Every child loves a mix of the old and the new. Classic toys like building blocks, dolls, and board games foster creativity and cognitive skills, while trending toys like STEM kits, interactive gadgets, and collectible figures encourage learning and curiosity. Browsing a trusted toy shops in Dubai selection online ensures you have access to both timeless favorites and modern innovations.

Convenience of Online Shopping

Searching for a toy shop near me is helpful, but shopping online offers convenience, variety, and quick delivery. A reputable online toy store Dubai lets parents compare prices, check safety information, and read customer reviews without leaving home. Platforms like ToyzINN combine the ease of online shopping with a wide range of toys for all ages and interests.

Safety and Quality Matter

Dubai parents prioritize safe and durable toys. Look for products that are certified and made from non-toxic materials. Avoid toys with small detachable parts for younger children. Trusted toy shops in Dubai often provide detailed safety information, helping parents make informed choices.

Tips for Choosing the Right Toy

  • Know your child’s age and developmental stage
  • Choose certified and non-toxic toys
  • Balance classics with trending options
  • Check reviews from other parents in Dubai
  • Search toy shop near me for local pick-up options

Benefits of Shopping Smart

Smart shopping means finding toys that are not only fun but also educational and developmentally appropriate. Combining classics and trending options provides children with diverse experiences that foster creativity, problem-solving, and social skills.

Conclusion

From classic favorites to the latest trends, choosing the right toys for your child in Dubai is easier than ever. Whether exploring a trusted toy shop near me or browsing popular toy shops in Dubai, parents can find quality, safe, and engaging toys that children will love. For a reliable selection and excellent service, ToyzINN is your go-to online toy store Dubai, offering both timeless classics and exciting new toys to delight every child.

Comentarios (0)1
Inicie sesión o regístrese para continuar
Anuncio
· 23 ene, 2026

InterSystems Full Stack Contest 2026

#Concurso #Eventos #InterSystems IRIS #IRIS contest

Hi Developers,

We are happy to announce the first InterSystems online programming contest of the year:

🏆 InterSystems Full Stack Contest 🏆

Duration: February 2 - March 1, 2026

Prize pool: $12,000


 The topic

Develop a full-stack solution using InterSystems IRIS, InterSystems IRIS for Health, or IRIS Cloud Service as a backend. By full stack, we mean a frontend web or mobile application that inserts, updates, or deletes data in InterSystems IRIS via REST API, Native API, ODBC/JDBC, or Embedded Python.

General Requirements:

  1. An application or library must be fully functional. It should not be an import or a direct interface for an already existing library in another language (except for C++, there you really need to do a lot of work to create an interface for IRIS). It should not be a copy-paste of an existing application or library.
  2. Accepted applications: new to Open Exchange apps or existing ones, but with a significant improvement. Our team will review all applications before approving them for the contest.
  3. The application should work either on IRIS Community Edition or IRIS for Health Community Edition. Both could be downloaded as host (Mac, Windows) versions from Evaluation site, or can be used in a form of containers pulled from InterSystems Container Registry or Community Containers: intersystemsdc/iris-community:latest or intersystemsdc/irishealth-community:latest .  
  4. The application should be Open Source and published on GitHub or GitLab.  
  5. The README file to the application should be in English, contain the installation steps, and contain either the video demo or/and a description of how the application works.
  6. Only 3 submissions from one developer are allowed.

NB. Our experts will have the final say in whether the application is approved for the contest or not based on the criteria of complexity and usefulness. Their decision is final and not subject to appeal.

Prizes

1. Experts Nomination - a specially selected jury will determine winners:

🥇 1st place - $5,000 

🥈 2nd place - $2,500 

🥉 3rd place - $1,000

🏅 4th place - $500

🏅 5th place - $300

🌟 6-10th places - $100

2. Community winners - applications that will receive the most votes in total:

🥇 1st place - $1,000 

🥈 2nd place - $600 

🥉 3rd place - $300

🏅 4th place - $200

🏅 5th place - $100

❗ If several participants score the same number of votes, they are all considered winners, and the prize money is shared among the winners.
❗ Cash prizes are awarded only to those who can verify their identity. If there are any doubts, organizers will reach out and request additional information about the participant(s).

Who can participate?

Any Developer Community member, except for InterSystems employees (ISC contractors allowed). Create an account!

Developers can team up to create a collaborative application. 2 to 5 developers are allowed in one team.

Do not forget to highlight your team members in the README of your application – DC user profiles.

Important Deadlines:

🛠 Application development and registration phase:

  • February 2, 2026 (00:00 EST): Contest begins.
  • February 22, 2026 (23:59 EST): Deadline for submissions.

 Voting period:

  • February 23, 2026 (00:00 EST): Voting begins.
  • March 1, 2026 (23:59 EST): Voting ends.

Note: Developers can improve their apps throughout the entire registration and voting period.

    Helpful Resources:

    ✓ Example applications:

    ✓ Templates we suggest starting from:

    ✓ For beginners with IRIS:

    ✓ For beginners with ObjectScript Package Manager (IPM):

    ✓ How to submit your app to the contest:

    Need Help?

    Join the contest channel on InterSystems' Discord server or talk with us in the comments to this post. 

    We're waiting for YOUR project – join our coding marathon to win! 

    By participating in this contest, you agree to the competition terms laid out here. Please read them carefully before proceeding.

    2 nuevos comentarios
    Comentarios (13)6
    Inicie sesión o regístrese para continuar