Question
· Oct 4, 2023

Making IRIS Calls externally via scripting - Security

We currently have a couple of Shell scripts we have written to EnableConfigItem from a Unix (Red Hat) command line, so we can control when a Service/Operation is running via cron in Unix. We do this by calling

:>iris session xxxxx

using _system user.

During our Security audit it was mentioned that we need to lock down some of the Cache users.

  • So, have others written scripts to make IRIS calls via the command line?
    • If so, what is the consensus on using a Cache user vs. using, say, an LDAP service account?
  • Or what have you used in the past to ensure that the password is not hardcoded anywhere?
Product version: IRIS 2022.1

An easy way is to set up Operating System–Based Authentication
in %sys
^SECURITY
12) System parameter setup
2) Edit authentication options
Allow O/S authentication? Yes   

This allows scripts like this

iris session ${INST} -U %sys << EOF

w "stopping the mirror 1 is success: " zw ##class(SYS.Mirror).StopMirror("MIRROR") h
EOF
Once an IRIS LDAP account exists, it does not appear to be different from a local account.

You can do this too:
iris session [instance] -U [namespace] tag^routine
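The two answers above give the mechanism: O/S-based authentication so the OS user running the cron job is mapped to an IRIS user, and "iris session" driven either by a heredoc or by a tag^routine entry point. The script below is an added example of wrapping that for the EnableConfigItem use case in the question; it was not posted by anyone in this thread. It assumes the instance name and namespace are passed in, that Ens.Director.EnableConfigItem() is the enable/disable API, and that the script file itself (not a password) is the thing to protect, so it refuses to run if group or other users can read it. Nothing on the page names these helpers; the function names are this example's own.

```shell
#!/bin/sh
# Cron wrapper for "iris session" relying on O/S-based authentication
# (^SECURITY > System parameter setup > Edit authentication options).
# No IRIS password is stored, passed on argv, or exported to cron.
# Assumed (not from the thread): Ens.Director.EnableConfigItem(item,flag,1)
# returns a %Status; IRIS_BIN may be overridden for testing.

IRIS_BIN="${IRIS_BIN:-iris}"

# With O/S authentication, whoever can read and run this script gets the
# mapped IRIS user's rights, so the file mode is the access control.
# Returns 0 only when no group/other permission bits are set (e.g. 0700).
check_script_mode() {
    mode=$(ls -ld "$1" | cut -c2-10)
    case "$mode" in
        ???------) return 0 ;;
        *)         return 1 ;;
    esac
}

# The item name is interpolated into ObjectScript, so restrict it to the
# characters a production config item can actually contain.
valid_item_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._]*) return 1 ;;
        *)                   return 0 ;;
    esac
}

# Build the ObjectScript fed to "iris session". It prints one marker line
# the shell can test for, then halts so the session never waits on a prompt.
build_objectscript() {
    item="$1"; flag="$2"
    printf 'set sc=##class(Ens.Director).EnableConfigItem("%s",%s,1)\n' "$item" "$flag"
    printf 'if $system.Status.IsOK(sc) { write "ENABLECONFIG:OK",! } else { write "ENABLECONFIG:ERR ",$system.Status.GetErrorText(sc),! }\n'
    printf 'halt\n'
}

# enable_config_item INSTANCE NAMESPACE ITEM [1|0]
# Exit status: 0 on success, 1 if IRIS reported an error, 2 on bad input.
enable_config_item() {
    inst="$1"; ns="$2"; item="$3"; flag="${4:-1}"
    valid_item_name "$item" || { echo "refusing unsafe item name: $item" >&2; return 2; }
    case "$flag" in 0|1) ;; *) echo "flag must be 0 or 1" >&2; return 2 ;; esac
    check_script_mode "$0" || { echo "$0 is readable by other users; aborting" >&2; return 2; }
    # Authentication comes from the OS identity; no -U password, no prompt.
    out=$(build_objectscript "$item" "$flag" | "$IRIS_BIN" session "$inst" -U "$ns" 2>&1)
    case "$out" in
        *ENABLECONFIG:OK*) return 0 ;;
        *) printf '%s\n' "$out" >&2; return 1 ;;
    esac
}

# Only act when invoked from cron with arguments; sourcing the file is a no-op.
if [ $# -ge 3 ]; then
    enable_config_item "$@"
fi
```

A cron line then reads like `0 6 * * * /opt/scripts/enable_item.sh MYIRIS INTEROP Ens.Service.MyFeed 1`, run as the OS account that O/S authentication maps to an IRIS user holding only the %Ens_ConfigItemRun-style privileges that job needs, rather than _system.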

While thinking about this, I am wondering if using an encryption key might be a possible solution as well; that way there is limited access to the password, and the key would just have to be regulated to be updated every so often. With an AD service account, the password still needs to be updated or kept up to date, and still needs to be passed into the shell script for Terminal to open.

I have submitted the following IDEA...

https://ideas.intersystems.com/ideas/DPI-I-466