Security

Syndicate content 14 

When using Studio, ODBC or a terminal connection to Caché or Ensemble, you may have wondered how to secure the connection. One option is to add TLS (aka SSL) to your connection. The Caché client applications - TELNET, ODBC and Studio - all understand how to add TLS to the connection. They just need to be configured to do it.

Configuring these clients is easier in 2015.1 and later. I'm going to be discussing this new method. If you're already using the old method, it will continue to work, but I would recommend you consider switching to the new one.

Last reply 1 days ago
+ 17   0 8
2,679

views

+ 17

rating

Hello,

I am working on Ensemble 2017.2.1 .
I need to export my security settings into an extern database, in order to make a report.

I've created a Business Operation with an SQL Adapter into a Namespace, but I don't know how to get every security data from "%SYS" Namespace  ( SQLPrivileges , Resources , Roles , Services , Users ... ).

I dont't want to use the terminal and the ^SECURITY routine, because i don't want to store a XML file on the server.

Last reply 30 January 2020
0   0 2
69

views

0

rating

Cache / Ensemble version 2016.2.2.853.0

I have a need to restrict ODBC access to certain users to prevent unwanted access to our cache database.

We have a limited number of legacy applications that use ODBC to connect to read data and are currently not in a position to have these amended any time soon so in the interim, I am hoping someone will be able to provide me with some assistance.

Any suggestions on where to start?

0   0 0
113

views

0

rating

InterSystems Data Platforms products allow you to export and import security settings in two different ways.

This article talks about those options:
- On the command line, using ^SECURITY
- Programmatically, using the Export and Import methods of classes in the Security package

Exporting settings on the command line (^SECURITY)

You can export everything or individual sections of the security settings.

Last reply 22 November 2019
+ 3   0 2
309

views

+ 3

rating

There's an easy new way to add certificate authority (CA) certificates to your SSL/TLS configurations on InterSystems IRIS 2019.1 (and 2018.1.2) on Windows and Mac.  You can ask IRIS to use the operating system's certificate store by entering:

%OSCertificateStore

in the field for "File containing Trusted Certificate Authority X.509 certificate(s)".   Here's an image of how to do this in the portal:

Last reply 13 November 2019
+ 12   4 5
372

views

+ 12

rating

When deploying IRIS in a container, what are recommendations for permitting users terminal access? There is docker exec -it, but that does not work from a user's workstation where - in the old deployment model - they would connect to the server over ssh using Putty and open a terminal session from there.

Last reply 29 October 2019
0   1 4
159

views

0

rating

How can you allow computers to trust one another in your absence while maintaining security and privacy?

“A Dry Martini”, he said. “One. In a deep champagne goblet.”
“Oui, monsieur.”
“Just a moment. Three measures of Gordons, one of vodka, half a measure of Kina Lillet. Shake it very well until it’s ice-cold, then add a large thin slice of lemon peel. Got it?”
"Certainly, monsieur." The barman seemed pleased with the idea.
Casino Royale, Ian Fleming, 1953


OAuth helps to separate services with user credentials from “working” databases, both physically and geographically. It thereby strengthens the protection of identification data and, if necessary, helps you comply with the requirements of countries' data protection laws.

With OAuth, you can provide the user with the ability to work safely from multiple devices at once, while "exposing" personal data to various services and applications as little as possible. You can also avoid taking on "excess" data about users of your services (i.e. you can process data in a depersonalized form).

+ 6   5 1
0

replies

229

views

+ 6

rating

This article, and following two articles of the series, is intended as a user guide for developers or system administrators, who need to work with OAuth 2.0 framework (further referred to as OAUTH for simplicity) in their InterSystems product based applications.

Last reply 27 September 2019
+ 12   6 6
4,982

views

+ 12

rating

OAuth server to be deployed on the IRIS learning cloud platform. Clients - one on the other instance of the learning IRIS server, the other client locally on my computer in the container docker.

Both clients get a seemingly correct link (through ##class(%SYS.OAuth2.Authorization).GetAuthorizationCodeEndpoint()) to the login request form:  

Last reply 2 September 2019
+ 1   1 2
143

views

+ 1

rating

The .NET Core Identity model has an IPasswordHasher<> interface for  for 

  • Hashing a password so that it can be stored in a database
  • Verifying a provided plain-text password matches a previously stored hash. 

I am getting invalid password errors during the login process when the .NET Core Identity model computes a hash from a plain text input and compares it to a password hash value I've returned from Caché. The default hashing algorithm is PBKDF2 with HMAC-SHA256, 128-bit salt, 256-bit subkey, and 10,000 iterations (detailed article on .NET Core Identity PasswordHasher). The algorithm Caché uses is probably different which may be why I am getting errors.

Last reply 23 August 2019
0   1 1
355

views

0

rating

I would like to allow some departmental user to view the  ensemble portal.  I want to make sure they are not allowed to  do any changes (like stop and start interfaces from portal)

I have created  one userbut limited with SQL privilages.  But  using this account,  the portal view is not accessible.

It would be appreciated if anyone can adice me on this. I know this may be a silly question.

 

Regards,

Bava

0   0 2
94

views

0

rating

Just wondering if anyone knows if there is a way to get daily emails or alerts about changes to a cache database.  I know that all of that information is contained within the journal files, just wondering if there is a way to bundle it up each day and send it off for auditing, etc.

Any solution where a plain-text/readable format of changes to the cache database could be sent or stored for review would solve the issue.

 

Thanks!

0   0 3
174

views

0

rating

IRIS provides us with anti login CSRF attack mitigation, however this is not the same as a CSRF attack, as login attacks only occur on the login form. There are currently no built-in tools to mitigate CSRF attacks on api calls and other forms, so this is a step in mitigating these attacks.

See the following link from OWASP for the definition of a CSRF attack:

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

Last reply 7 August 2019
+ 4   1 2
183

views

+ 4

rating

Presenter: Dan Kutac
Task: Use a common login identity and a central mechanism of authentication across environments from multiple entities
Approach: Provide examples and code samples of an application environment using OpenID Connect and OAuth 2.0
 

Description: In this session we will demonstrate an application environment using OpenID Connect and OAuth 2.0. Hear how this is done and what options you have; and yes, you get to keep the code.

Problem: How to use a a common login identity (e.g. Facebook credentials) and a central mechanism of authorization cross environments from multiple entities.

Solution: Create awareness and interest in using OAuth 2.0

 

Content related to this session, including slides, video and additional learning content can be found here.

Last reply 4 July 2019
0   1 2
438

views

0

rating

Hello,

I have a very simple web service that I'd like to secure via SAML Authorization with X.509 Certificates. I am, however struggling with documentation and my lack of cryptographic skills. (I do this just for educational purposes now, but need to use it in the future)

Does anyone have an example that shows how to construct a SOAP Client with adding all necessary security headers manually or point me to a decent learning resource?

 

Thank you very much!

+ 2   2 2
297

views

+ 2

rating

Hello experts,

I'm new to InterSystems software and still not so familiar with it. Therefore I do apologize in front if this question is irrelevant, not making sense or answer is commonly known.
 

I've did my best in search for answer, but unfortunately i haven't found anything helpfull. So I decided to ask for help here.

 

My problem is repetitive error which occure in CSP Gateway event log : 

Error Condition: Failed to read posted content from the client (Content-Length: 1404; Data Actually Read: 0; Read Error: 70007)

0   0 3
109

views

0

rating

Hello everyone smiley

I have a server configuration in a CSP Gateway installed on a PC (let's call it S2) different from the main one (let's call it S1). This configuration allows me to access a web application that is installed on S1, from a client C asking S2 for this webapp. But for now it works only in HTTP between C and S2, and we would like to use HTTPS (as it already works between S2 and S1).

Last reply 16 April 2019
+ 1   0 3
426

views

+ 1

rating

Hi,

I am trying to create a user role which shall allow users the access to only one specific namespace in an Ensemble system. I´ve startet creating the namespace with a database (with own ressource and no public access). In the second step I´ve created a role by copying it from the predefined role %Developer and assigned the ressource of the created database. After that i´ve created a user and assign him to the created role.

Last reply 7 March 2019
0   0 2
153

views

0

rating

Hi guys,

 

Couple days ago, a customer approached me with the wish to enhance their existing legacy application, that uses SOAP (Web)Services so it shares the same authorization with their new application API based on REST. As their new application uses OAuth2, the challenge was clear; how to pass access token with SOAP request to the server.

After spending some time on Google, it turned out, that one of possible ways of doing so was adding an extra header element to the SOAP envelope and then making sure the WebService implementation does what is needed to validate the access token.

+ 4   1 1
0

replies

1,854

views

+ 4

rating

Hi Community!

New video is already on InterSystems Developers YouTube Channel:

Certificate Revocation, OCSP Stapling and KMIP

+ 1   0 1
0

replies

112

views

+ 1

rating

Hi Community!

Please welcome a new video onInterSystems Developers YouTube Channel:

Building Powerful LDAP Configurations

 

0   0 1
0

replies

92

views

0

rating