question on ExternalFreeze on windows platform --

Question

Question

William Proctor · Sep 27, 2016

All responses are appreciated. I am new to both scripting and CACHE so please bear with me. I am setting up a nightly backup script for freezing cache then backing it up and then thawing it back out. Currently when I enter the freeze command I am getting a response of access denied even though my id has %all access. I've tried passing the userid/password as a parameter in the externalfreeze command and passing it from a file. I've used my id and lastly I used the _system id in the file. What ID should I use for this or am I passing it wrong?

sample 1: ..\bin\cache -s. -u%%sys ##class(backup.General).externalfreeze() <c:\temp\login.scr

sample 2: ..\bin\cache -s. -u%%sys ##class(backup.General).externalfreeze(username="?????",password="???????")

..\bin

Discussion (17)0

Log in or sign up to continue

Stefano Cairoli · Sep 28, 2016

Hi William,

I write this as a new answer, and not as a comment on the existing threads, as I think I could spot what your actual issue is, and hopefully also how to get your command working..

You indicated your Powershell command as follow:

sample 1: ..\bin\cache -s. -u%%sys ##class(backup.General).externalfreeze() <c:\temp\login.scr

We can see that you took the syntax directly from the Backup.General class documentation, where the example is part of a batch file example, and as part of being a batch file, in Windows you will need to escape special characters like "%", typing them twice, so that the parameter -U%SYS becomes -U%%SYS when scripted.

The problem is that you are not scripting it as a batch file..

Look what happens when I use your syntax in my test environment:

PS C:\InterSystems\E20161\mgr> ../bin/cache -s. -U%%sys

Knoten: VM-WIN8, Instanz: E20161

Zugriff verweigert

That error translates to access denied, only in German..

Look now if I remove the double %% to the -U parameter:

PS C:\InterSystems\E20161\mgr> ../bin/cache -s. -U%sys

Knoten: VM-WIN8, Instanz: E20161

%SYS>

Success, I actually logged in %SYS!

And now I can even complete your original call to ExternalFreeze(), PowerShell-style:

PS C:\InterSystems\E20161\mgr> ../bin/cache -s. -U%SYS "##Class(Backup.General).ExternalFreeze()"
PS C:\InterSystems\E20161\mgr> ../bin/cache -s. -U%SYS "##Class(Backup.General).ExternalThaw()"

All of the above assumes that you have "Unauthenticated" allowed for your %Service_Console service, option that I understand you have?

I am not that great in PowerShell scripting at all, so my final examples are very, very basic, but the two following PowerShell do work for me and call ExternalFreeze() and ExternalThaw():

Freeze.ps1:

C:\InterSystems\E20161\bin\cache -sC:\InterSystems\E20161\mgr -U%SYS "##Class(Backup.General).ExternalFreeze()"

Thaw.ps1:

C:\InterSystems\E20161\bin\cache -sC:\InterSystems\E20161\mgr -U%SYS "##Class(Backup.General).ExternalThaw()"

Hopefully these examples will A) work for you too, and B) allow you to further continue your scripting work..

Keep us updated on your progress

1 0

score 0 · Answer 1 · 2016-09-27T12:42:23-04:00

first sample is correct, but depends on what is login.scr contains. This file should only contains 'answers' for login.

so, it is a plain file, with login and password, in each line, and last empty file.

login<\n>
password<\n>

<\n> - it is just a line break, which is required

score 0 · Answer 2 · 2016-09-27T13:49:59-04:00

William Proctor · Sep 27, 2016

I'm still getting the same error.

login.scr file has

????? <\n>

???????? <\n>

0 0

score 0 · Answer 3 · 2016-09-27T13:54:23-04:00

Ok, looks like, it does not matter who tried to connect to cache, any terminal access is forbidden.

You should allow Password or Unauthenticated method for %Service_Terminal.

score 0 · Answer 4 · 2016-09-27T14:16:41-04:00

The description under system>security Management > resources in the portal indicates that %service_Terminal is for Unix. %service_telnet is for windows and that is set to unauthenticated and is enabled. I am currently running this command from powershell, that shouldn't be a problem right?

score 0 · Answer 5 · 2016-09-27T14:24:24-04:00

Sorry my mistake, I don't have widows system currently, for windows you should change %Service_Console

to check access, you may use this command

..\bin\cache -s.

Powershell or cmd does not matter.

score 0 · Answer 6 · 2016-09-27T16:47:56-04:00

Any other suggestions. I've made all of the suggested changes but I'm still getting access denied and nothing is showing up in the console log

score 0 · Answer 7 · 2016-09-28T00:44:52-04:00

It is hard to guess what a kind of problem you have without looking at Cache Security audit records of your logon attempts.

score 0 · Answer 8 · 2016-09-28T09:37:15-04:00

Good Morning, I have turned on Auditing and here is a screen shot of the record produced when I execute the freeze command. It looks like even though I'm passing the password file that the process is using the unknownuser id.

Command is:

I put the logfile parameter in but it doesn't create anything.

password file is:

?????<\n> (userid)

???????<\n> (password)

score 0 · Answer 9 · 2016-09-28T09:42:33-04:00

Dmitry Maslennikov · Sep 28, 2016

Ok, Is terminal working well ?

and command

..\bin\cache -s.

0 0

score 0 · Answer 10 · 2016-09-28T10:23:31-04:00

I just looked at the profile for the unknownuser and noticed that it failed due to the namespace %%SYS doesn't exist. I removed one of the % signs and now the access denied message has quit coming up but the system is just sitting there and I'm not getting any response back to powershell nor to the console log. When I enter the command ..\bin\cache -s. I get the same response and I have to hit ctrl-c to break in. Screen below is what I'm getting now with the freeze or the -s. command.

score 0 · Answer 11 · 2016-09-28T10:12:47-04:00

Alexey Maslov · Sep 28, 2016

Good Morning, William!

To trace logon errors you should be interested in events with Name = LoginFailure

0 0

score 0 · Answer 12 · 2016-09-29T02:24:50-04:00

William, following up on Stefano's last answer (and previous comments), I just wanted to add that you can consider using OS Authentication instead of leaving this open for unauthenticated access. This way you can allow only for the appropriate Windows User to run this command from the Windows command prompt.

score 0 · Answer 13 · 2016-09-29T14:10:59-04:00

Hello, I want to thank everyone for there input it was a great help. I have the powershell script working on my sandbox server. two things were really important in getting it to work. that was different than what I had found in the documentation. The first was using -U%SYS rather than _U%%SYS. the second was putting the freeze command in double quotes like this "##Class(Backup.General).ExternalFreeze()".

Today I migrated it over to my production server and I'm having one final issue. Our production server is in lock down security mode and using the example of passing a file with the userid/password I still get access denied. Tani do you have an example of using windows authentication and will it work with the powershell script? The < in the command <c:\login.scr causes errors in powershell indicating it's a reserved symbol.

score 0 · Answer 14 · 2016-10-05T06:11:50-04:00

William, for more info about using OS authentication see here from the docs. Specifically see also there a note regarding Kerberos on Windows and using Domain users. This might play better for you with your locked-down installation as OS authentication is not on by default (system-wide).

Assuming you want to use OS Authentication - you need to first make sure this on system-wide:

Then make sure it is on for the service (%Service_Console is this case):

And that you have a Caché User with the same name as the OS User (and that of course has the relevant authorization):

Then you should be able to run without having to authenticate separately to Caché.

For example opening the Terminal without getting prompted for login:

[ As opposed to the behavior without OS authentication enabled:

]

Hope this helps.

score 0 · Answer 15 · 2018-09-26T07:07:51-04:00

Thanks for providing useful information. Above mentioned approach works in windows command prompt. But through Cache Object script,

##Class(Backup.General).ExternalFreeze() method response is incorrect. In case of ##Class(Backup.General).ExternalThaw() response works as expected because this method could not expects credentials. Only issue with externalFreeze() method. Any help on this issue?

score 0 · Answer 16 · 2018-10-17T14:56:51-04:00

Do you have an example of the calls you're making and the errors you're seeing? I don't understand whats wrong from your description and think an example would help.