This command can only be invoked either from a routine that is part of the CACHESYS database or if the current privileges held include Write permission for the CACHESYS database (%DB_CACHESYS:W).
Note that setting $ROLES only alters a process’s added roles, not its login roles.
There is a third way, but I specifically did not publish it.
You can try to write to a TCP device with SSL. Doesn't require additional permissions:
ClassMethod Exists(ssl As %String) As %Boolean
{
    #dim exists As %Boolean = $$$YES
    set host = "google.com"
    set port = 443
    set timeout = 1

    set io = $io
    set device = "|TCP|" _ ##class(%PopulateUtils).Integer(5000, 10000)
    try {
        open device:(host:port:/SSL=ssl):timeout
        use device
        // real check
        write "GET /" _ $c(10),*-3
        // real check - end
        // should be HTTP/1.0 200 OK but we don't really care
        //read response:timeout
        //write response
    } catch ex {
        set exists = $$$NO
    }

    use io
    close device
    quit exists
}
It's slower than direct global check but if you want to do it rarely, I think it could be okay. Doesn't require additional permissions.
Code to compare times:
ClassMethod ExistGlobal(ssl) [ CodeMode = expression ]
{
$d(^|"%SYS"|SYS("Security","SSLConfigsD",ssl))#10
}

/// do ##class().Compare()
ClassMethod Compare(count = 1, ssl = "GitHub")
{
    Write "Iterations: ", count,!
    Write "Config exists: ", ..Exists(ssl),!

    set start = $zh
    for i=1:1:count {
        set exists = ..Exists(ssl)
    }
    set end = $zh
    set time = end - start
    Write "Device check: ", time,!

    set start = $zh
    for i=1:1:count {
        set exists = ..ExistGlobal(ssl)
    }
    set end = $zh
    set time2 = end - start
    write "Global check: ", time2,!
}
Below are two ways without additional permissions on %DB_CACHESYS:
#include %systemInclude
    n
    try{
        s sslName="Test"
        w "1) GetSSLConfigList^%SYS.SECURITY1(.SSLConfigs)",!!
        w $$Test1(sslName)
        w !!,"2) $$ListSSLConfigs^%SYS.SECURITY(Client/Server)",!!
        w $$Test2(sslName)
    }catch(ex){
        w "Error ", ex.DisplayString(),!
    }

Test1(ssl) {
    d GetSSLConfigList^%SYS.SECURITY1(.SSLConfigs)
    f i=1:1:SSLConfigs return:SSLConfigs(i)=ssl $$$YES
    q $$$NO
}

Test2(ssl) {
    q ''$lf($lfs($$ListSSLConfigs^%SYS.SECURITY("Client")_","_$$ListSSLConfigs^%SYS.SECURITY("Server")),ssl)
}
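An added example, not code from any poster in this thread: it combines the global lookup and the TCP probe shown above, using the global when the process can read it and falling back to the probe on <PROTECT>. The class name Demo.SSLConfigCheck, the three-valued return (1, 0, or "" for unknown) and the use of $TEST to separate an unreachable host from a failed write are assumptions of this example.

```objectscript
/// Added example, not code from the thread. Demo.SSLConfigCheck and the
/// return convention (1, 0 or "" for unknown) are assumptions.
Class Demo.SSLConfigCheck
{

ClassMethod Exists(ssl As %String, host As %String = "google.com", port As %Integer = 443, timeout As %Integer = 1) As %String
{
    // Fast path: direct global lookup, as in ExistGlobal from the thread.
    // Without read permission on the system database this raises <PROTECT>.
    try {
        return $data(^|"%SYS"|SYS("Security","SSLConfigsD",ssl))#10
    } catch ex {
        // Fall through only on the permission error; rethrow anything else
        if ex.Name '= "<PROTECT>" { throw ex }
    }

    // Slow path: TCP probe, which needs no extra permissions
    set io = $io
    set device = "|TCP|" _ ##class(%PopulateUtils).Integer(5000, 10000)
    set result = 1
    try {
        open device:(host:port:/SSL=ssl):timeout
        if '$test {
            // Host not reached in time: says nothing about the configuration
            set result = ""
        } else {
            use device
            // As in the thread's check, an error on this write is read as
            // "configuration missing"; other TLS failures look the same
            write "GET /" _ $char(10),*-3
        }
    } catch ex {
        set result = 0
    }
    use io
    close device
    return result
}

}
```

A caller that needs a strict yes/no should treat "" as a failed probe and retry against a host it controls rather than as a missing configuration.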
Hi Tim
write $d(^|"%SYS"|SYS("Security","SSLConfigsD",<my config> ),settings)
provided you have access rights
Cheers, Robert
Hi Robert,
Access rights are part of my concern. You can connect using an SSL/TLS configuration without having read permission on %DB_CACHESYS (or the IRIS equivalent).
OK Vitaly !
It happens under cover (from: ^%SYS.SECURITY1.int)
i '($e($roles,1,$l("%All"))="%All") { n $ET,$roles s $ET="",$roles=$roles_","_"%All"}
n $namespace
Do $zu(5,"%SYS")
In this case, you may create a Privileged Routine Application with the rights you need and the required code. Calling it raises access rights just for this routine.
Hi Robert.
Exactly.
Programmatically Managing Roles: