Interoperability Production Credentials Password storage

Question

Question

David Underhill · Aug 23, 2022

#Authentication #Encryption #Interoperability #Security #Caché #Ensemble #InterSystems IRIS

Credentials for a Productions are stored as plain text in ^Ens.SecondaryData.Password and exposed as plain text via SQL table Ens_Config.Credentials which is not ideal as only admins should know the credentials.

I can create my own adapter etc... to store and use encrypted passwords but does anyone know if there is a standard way to do this in a Production?

Alternatively, am I missing how to secure this so the production can run and someone can monitor and operate a production without access to the SQL table or global?

Discussion (2)1

Log in or sign up to continue

Eduard Lebedyuk · Aug 24, 2022

Users certainly should not be able access Ens_Config.Credentials table, maybe some user has permissions too broad?

What you can do additionally is to store credentials in a separate SECONDARY database. When you create a new interoperability namespace (in non HS installs), it should be created automatically. Still, you can manually create this DB and related mappings by calling CreateNewDBForSecondary.

After creating secondary db, check that no one has R on DB resouce.

Additionally you can encrypt the db file.

2 0

score 0 · Answer 1 · 2022-08-30T06:58:22-04:00

Thanks for the reply.

If a user needs to be able to monitor and operate a Production would they not still need access to that data base? Also, that table is granted via %ENSROLE_OPERATOR which such a user will need?