Why This Matters

Managing IAM can be tedious when done manually — especially when your APIs are already well-documented using OpenAPI (Swagger) specs. Wouldn't it be great if you could automatically generate Kong services and routes directly from your OpenAPI spec?

That's exactly what this ObjectScript method does: it reads an OpenAPI 2.0 spec stored in the XData block of your spec class and generates a decK-compatible YAML file that can be used to sync your IAM configuration.

This approach:

• Reduces manual configuration errors
• Keeps your gateway in sync with your API spec
• Speeds up deployment and onboarding

Prerequisites:

• InterSystems IRIS or IRIS based platform
• InterSystems API Manager
• Deck CLI tool

What the Method Does

The method ConvertOpenAPIXDataToDeckYAML:

1. Reads the OpenAPI spec from an XData block named OpenAPI in a given class.
2. Parses the JSON into a dynamic object.
3. Extracts endpoints and HTTP methods.
4. Generates a YAML file that defines:
   • A Kong service pointing to the API host and base path
   • Routes for each endpoint
   • A rate-limiting plugin on each route (optional enhancement)

Example Spec Class

You can use the below sample spec class or use the class generated from posting the spec file that is included in the previous post linked below.

Class MyApp.spec
{
XData OpenAPI [ MimeType = application/json ]
{
{
  "swagger": "2.0",
  "host": "api.example.com",
  "basePath": "/v1",
  "paths": {
    "/users": {
      "get": { "summary": "Get users" },
      "post": { "summary": "Create user" }
    },
    "/products": {
      "get": { "summary": "Get products" }
    }
  }
}
}
}

The Method and Use

Below is the ClassMethod. You can of course tweak to suit your needs.

/// Convert OpenAPI XData to Deck YAML
ClassMethod ConvertOpenAPIXDataToDeckYAML(specClassName As %String, outputFilePath As %String = "") As %Status
{
    Try {
        // Read the XData block named "OpenAPI"
        Set reader = ##class(%Dictionary.XDataDefinition).%OpenId(specClassName _ "||OpenAPI")
        If reader = "" {
            Write "Error: XData block 'OpenAPI' not found in class ", specClassName, !
            //Quit $$$ERROR
        }
        // Read the stream content into a string
        Set stream = reader.Data
        Set specJSON = ""
        While 'stream.AtEnd {
            Set specJSON = specJSON _ stream.ReadLine()
        }
        // Test call
        //Do ##class(ConsentAPI.Utils).ConvertOpenAPIXDataToDeckYAML("SpecAPI.spec")

        // Parse the JSON into a dynamic object
        Set spec = ##class(%DynamicObject).%FromJSON(specJSON)

        // Initialize YAML structure
        Set deckYAML = "services:" _ $CHAR(13)

        // Extract host and basePath
        Set host = $PIECE($SYSTEM, ":", 1)
        Set basePath = spec.basePath

        // Create service block
        Set deckYAML = deckYAML _ "  - name: " _ host _ $CHAR(13)
        Set deckYAML = deckYAML _ "    url: "_$c(34)_"http://" _ host _ basePath _$c(34)_ $CHAR(13)
        Set deckYAML = deckYAML _ "    routes:" _ $CHAR(13)
        
        // Iterate over paths
        Set pathIter = spec.paths.%GetIterator()
        While pathIter.%GetNext(.key, .value) {
            Set pathKey = key
            Set path = spec.paths.key
            Set routeName = $REPLACE(key , "/", "")
            Set deckYAML = deckYAML _ "      - name: " _ routeName _ $CHAR(13)
            Set deckYAML = deckYAML _ "        strip_path: false"_$CHAR(13)
            Set deckYAML = deckYAML _ "        preserve_host: false"_$CHAR(13)
            Set deckYAML = deckYAML _ "        paths:"_$CHAR(13)
            Set deckYAML = deckYAML _ "          - " _ pathKey _ $CHAR(13)
            Set deckYAML = deckYAML _ "        methods:"_$CHAR(13)
            Set methodIter = value.%GetIterator()
            While methodIter.%GetNext(.key, .value) {
                Set methodKey = key
                Set deckYAML = deckYAML _ "          - " _ $ZCONVERT(methodKey, "U") _ $CHAR(13)

            }
            Set deckYAML = deckYAML _ "        plugins:"_$CHAR(13)
            Set deckYAML = deckYAML _ "        - name: " _ "rate-limiting" _ $CHAR(13)
            Set deckYAML = deckYAML _ "          config:"_$CHAR(13)
            Set deckYAML = deckYAML _ $REPLACE($J("",12),"",$C(32))_"minute: 20" _ $CHAR(13)
            Set deckYAML = deckYAML _ $REPLACE($J("",12),"",$C(32))_"hour: 500" _ $CHAR(13)
        }

        // Output to file or console
        If outputFilePath '= "" {
            Set file = ##class(%Stream.FileCharacter).%New()
            Set file.Filename = outputFilePath
            Do file.Write(deckYAML)
            Do file.%Save()
            Write "YAML saved to: ", outputFilePath, !
        } Else {
            Write deckYAML, !
        }
        //Quit $$$OK
    } Catch ex {
        Write "Error: ", ex.DisplayString(), !
        //Quit ex.AsStatus()
    }
}

To use the method and have it generate a yaml file, just call it from a terminal session AKA IRIS CLI

Do ##class(MyUtils.APIConverter).ConvertOpenAPIXDataToDeckYAML("MyApp.spec", "/tmp/deck.yaml")

Or you can just print the yaml to console

Do ##class(MyUtils.APIConverter).ConvertOpenAPIXDataToDeckYAML("MyApp.spec")

What to Do Next

Once the YAML file is generated, you can use decK to sync it with your IAM instance:

deck gateway sync --workspace <WorkSpace> deck.yml

This will create or update services and routes in IAM based on your spec.

Final Thoughts

This method bridges the gap between spec driven development and gateway configuration. It’s ideal for teams using InterSystems IRIS or HealthShare and IAM in their architecture.

Want to extend it?

• Include authentication plugins
• Generate multiple services based on tags

Let me know in the comments or reach out if you'd like help customizing it!

Securing IRIS Integrations with Mutual TLS (mTLS): A Practical Guide

In today’s enterprise environments, secure communication between systems is not optional—it’s essential. Whether you're integrating InterSystems IRIS with cloud APIs, internal microservices, or third-party platforms, Mutual TLS (mTLS) offers a powerful way to ensure both ends of the connection are authenticated and encrypted.

This post walks through how to configure IRIS for mTLS and how to validate your certificates to avoid common pitfalls.

🔐 What is Mutual TLS (mTLS)?

TLS (Transport Layer Security) is the standard protocol for securing data in transit. In traditional TLS, only the server presents a certificate. Mutual TLS goes a step further: both the client and server present certificates to authenticate each other.

This bidirectional trust is ideal for:

• Internal service-to-service communication
• API integrations with sensitive data
• Zero-trust architectures

🧰 Prerequisites

Before you begin, make sure you have:

• ✅ A server certificate and private key for IRIS
• ✅ A CA certificate to validate client certificates
• ✅ A client certificate and private key for the external system
• ✅ IRIS version 202X.X, which provides support for TLS 1.2 and higher

⚙️ Configuring IRIS for mTLS

1. IRIS as a Server (Accepting mTLS Connections)

🔸 Import Certificates

Use the System Management Portal or command line to import:

• Server certificate
• Server private key
• CA certificate (to validate clients)

🔸 Create TLS Configuration

Go to:

System Administration > Security > SSL/TLS Configurations

• Create a new configuration
• Enable “Require client certificate”

🔸 Assign TLS to Listener

Apply the TLS configuration to the relevant service (e.g., web server, REST endpoint).

2. IRIS as a Client (Connecting to External Systems)

This section also applies to external client systems connecting to IRIS servers.

🔸 Import Client Certificates

Import the client certificate and private key into IRIS.

🔸 Configure Outbound TLS

Use ObjectScript to set up the connection:

set http = ##class(%Net.HttpRequest).%New()
set http.SSLConfiguration = "MyClientTLSConfig"
set http.Server = "api.external-system.com"
set http.Port = 443
set status = http.Get("/endpoint")

🧪 Testing Your Certificates for mTLS

Before deploying, validate your certificates to ensure they meet mTLS requirements.

✅ 1. Check Certificate Validity

openssl x509 -in client.crt -noout -text

Look for:

• Validity dates
• Subject and Issuer fields
• Extended Key Usage (should include TLS Web Client Authentication as shown below)

X509v3 Extended Key Usage:
    TLS Web Client Authentication

✅ 2. Verify Private Key Matches Certificate

openssl x509 -noout -modulus -in client.crt | openssl md5
openssl rsa -noout -modulus -in client.key | openssl md5

The hashes should match.

✅ 3. Test mTLS Handshake with OpenSSL

openssl s_client -connect server.example.com:443   -cert client.crt -key client.key -CAfile ca.crt

This simulates a full mTLS handshake. Look for:

• Verify return code: 0 (ok)
• Successful certificate exchange

✅ 4. Validate Certificate Chain

openssl verify -CAfile ca.crt client.crt

Ensures the client certificate is trusted by the CA.

📊 mTLS Handshake Diagram

   ![image](/sites/default/files/inline/images/mtls_diagram.png)

🧯 Troubleshooting Tips

• 🔍 Certificate chain incomplete? Ensure intermediate certs are included.
• 🔍 CN/SAN mismatch? Match certificate fields with expected hostnames.
• 🔍 Permission errors? Check file access rights on certs and keys.
• 🔍 Handshake failures? Enable verbose logging in IRIS and OpenSSL.

✅ Conclusion

Mutual TLS is a cornerstone of secure system integration. With IRIS, configuring mTLS is straightforward—but validating your certificates is just as important. By following these steps, you’ll ensure your connections are encrypted, authenticated, and enterprise-grade secure.

REST API (Representational State Transfer Application Programming Interface) is a standardized way for web applications to communicate with each other using HTTP methods like GET, POST, PUT, DELETE, etc. It's designed around resources, which can be anything from a user to a file. Each resource is identified by a unique URL, and interactions with these resources are stateless, meaning each request from a client to a server must contain all the information needed to understand and process the request. This statelessness, along with the use of standard HTTP methods, makes REST APIs highly