How should I go about updating Security Configuration in a Mirror environment?

Question

Question

Scott Roth · Jan 22

#Mirroring #System Administration #Health Connect #InterSystems IRIS #InterSystems IRIS for Health

We recently went through an Audit of our Security Policies and Procedures when it comes to IRIS. As a result of that Audit, we need to make adjustments to the way that Security is setup within IRIS. I have already done my changes on our TEST and DEVELOPMENT environments, but now I am trying to plan out how do we make these changes in Production.

These changes include moving away from the PWS, setting up Apache/Web Gateway, moving to LDAP instead of using Delegated Authentication, updating Web Applications, updating Resources, updating Services, etc...

To minimize the impact on our system, does anyone see an issue if I go ahead and make the necessary changes on our DR (Async), and Backup node within the MIRROR prior to scheduling a failover from the Primary Node to get it updated as well?

Product version: IRIS 2022.1

Discussion (4)1

Log in or sign up to continue

Kamal Suri · Jan 23

Hi Scott,

This is the best practice to do the changes on other mirror members before doing on Primary member. Before making changes in your DR and Backup nodes, it's recommended to test the process in a controlled environment that mimics your production setup. Take a backup of IRISSYS.DAT before making any changes. This ensures that you have a recovery point in case anything goes wrong.

1 0

score 0 · Answer 1 · 2024-01-23T07:58:42-05:00

No doubt I will do a full backup prior to the changes. But thanks just wanted to confirm. I know not all the settings are mirrored, which I have asked for some of the settings to be so we can keep the servers in sync.

score 0 · Answer 2 · 2024-01-23T06:08:36-05:00

I would not completely replace users with LDAP.

Database owner and admin should be local to the system.

Make sure your LDAP source is not a single server.

score 0 · Answer 3 · 2024-01-23T07:56:45-05:00

I have no intention of replacing the Cache users with LDAP. It is for everyone else...Password Authentication regardless of what Auditing says will always need to be available for "Emergency" purposes.