Security


Hello everyone,

I have a server configuration in a CSP Gateway installed on a PC (let's call it S2) different from the main one (let's call it S1). This configuration allows me to access a web application that is installed on S1, from a client C asking S2 for this webapp. But for now it works only in HTTP between C and S2, and we would like to use HTTPS (as it already works between S2 and S1).

First, here are the tutorials found in the documentation:

https://docs.intersystems.com/latest/csp/docbook/DocBook.UI.Page.cls?KEY...

Last answer 5 April 2019 Last comment 6 days ago

Hello experts,

I'm new to InterSystems software and still not so familiar with it. Therefore I do apologize in advance if this question is irrelevant, does not make sense, or the answer is commonly known.

I've done my best searching for an answer, but unfortunately I haven't found anything helpful. So I decided to ask for help here.

My problem is a repetitive error which occurs in the CSP Gateway event log:

Error Condition: Failed to read posted content from the client (Content-Length: 1404; Data Actually Read: 0; Read Error: 70007)

It occurs approximately 40 times a day. Customers do not report any specific problems, but it's still my concern to solve errors.

I was looking for an explanation of the error in various documentation:
https://docs.intersystems.com/latest/csp/docbook/DocBook.UI.Page.cls?KEY=GCGI_oper_config


In part 1 we started working on a security model for DeepSee and created a user type having privileges typical of end users. In this part we are going to create a second user type with the ability to edit and create DeepSee pivot tables and dashboards.


Hi,

I am trying to create a user role which shall allow users access to only one specific namespace in an Ensemble system. I've started by creating the namespace with a database (with its own resource and no public access). In the second step I've created a role by copying it from the predefined role %Developer and assigned the resource of the created database. After that I've created a user and assigned him to the created role.

When trying to log in to Ensemble, the Management Portal comes up but the Ensemble tab is shown deactivated. Looking in the audit log I am getting the typical PROTECT notifications telling that the user is not permitted to access a protected global in the cachelib database.

Last answer 7 March 2019 Last comment 7 March 2019

I have a few cubes and numerous dashboards and I am ready to deploy them to our end users and administrators. How to configure DeepSee so that users don’t disrupt each other’s areas and are restricted from using functionalities specific to developers?


Last comment 22 February 2019

This article, and the following two articles of the series, are intended as a user guide for developers or system administrators who need to work with the OAuth 2.0 framework (further referred to as OAUTH for simplicity) in their InterSystems product-based applications.

Last comment 13 February 2019

Hi guys,

A couple of days ago, a customer approached me with the wish to enhance their existing legacy application, which uses SOAP (Web)Services, so that it shares the same authorization with their new REST-based application API. As their new application uses OAuth2, the challenge was clear: how to pass an access token with a SOAP request to the server.

After spending some time on Google, it turned out that one of the possible ways of doing so was adding an extra header element to the SOAP envelope and then making sure the WebService implementation does what is needed to validate the access token.


Hello everyone,

I'm using Atelier 1.3. When we configure a server and use HTTP to connect, it works fine. But when we activate the Secure connection option I get the "Unrecognized SSL message, plaintext connection?" error.

Do I need to perform any configuration on my server so that Atelier can access a secure connection?

Last answer 2 January 2019 Last comment 7 February 2019

Hi All,

Can someone help me get the security features & standards which InterSystems Caché adheres to, such as ISO 27001 & other security & privacy standards?

Also, can you tell me the algorithm used for database encryption & the key strength by default?

This is required for a security audit.

Thanks in advance.
Ashish

Last answer 1 February 2019

Hi Community!

A new video is already on the DC YouTube Channel:

Certificate Revocation, OCSP Stapling and KMIP


Hi Community!

Please welcome a new video on the Developer Community YouTube Channel:

Building Powerful LDAP Configurations


Does InterSystems, specifically Ensemble, support a Single Sign-On architecture? Currently we are using delegated sign-on using LDAP and TLS; however, our CIO would like us to move toward single sign-on, so that when you sign into your PC it would automatically pass the credentials to Ensemble.

Thanks

Scott

Last answer 23 January 2019 Last comment 23 January 2019

I need to automate the handling of usernames, passwords, server names, etc. for use in the sending and receiving of emails, logging into SFTP servers, etc. within COS code.
To manage external passwords we could use LastPass or any other proprietary password loggers, but I need to be able to call them as part of the automation (COS code) and occasionally visually look them up to "remind" the staff of their passwords.

Any suggestions as to the best class data constructs to handle this scenario? Should the whole table be encrypted, or only the passwords, etc.?

Each employee has their own login details; past password storage (non-reuse) could be useful.

We're talking of 200-300+ passwords here.

Kevin

Last answer 18 January 2019 Last comment 22 January 2019

This article was written as an attempt to share the experience of installing the InterSystems Caché DBMS for production environment.
We all know that the development configuration of a DBMS is very different from real-life conditions.
As a rule, development is carried out in “hothouse conditions” with a bare minimum of security measures, but when we publish our project online, we must ensure its reliable and uninterrupted operation in a very aggressive environment.

The process of installing the InterSystems Caché DBMS with maximum security settings

OS security settings

The first step is the operating system. You need to do the following:

Last comment 19 December 2018

Hi All,

Actually, I'm developing a few RESTful APIs. I want to create authentication tokens and display them in my login RESTful API. If I'm using the CSP sessionId, how can I validate the session IDs in another or subsequent RESTful API? Otherwise, is there any other approach to handle this task?

My primary goal is that I have to integrate 2 different front-end applications. One is the Zen framework, the other one is web pages from Python.

Any lead would be appreciated.

Thanks,

Arun Kumar Durairaj. 


My administrator was wondering where %SYS/ZAUTHENTICATE.mac is stored.

He performs a nightly backup, and would like to include the custom ZAUTHENTICATE.mac that was written for our Delegated/LDAP configuration.

Thanks

Scott Roth

The Ohio State University Wexner Medical Center

Last answer 14 October 2018

I have created some roles, and would like to know if there is a way to export the roles and save them off to a file. I want to create a backup file of these roles for DR purposes, and in case I ever get hit by the proverbial bus.

Thanks

Scott Roth

The Ohio State University Wexner Medical Center

Last answer 8 October 2018 Last comment 8 October 2018

We have a new requirement being pushed down by our Data Security team to no longer use local SQL accounts to access our databases. So they asked me to create a service account on the domain for our connections to each database.

I tried just changing my JDBC connection to using this Service Account and Password but I am not having any luck trying to connect to the database.

" Connection failed.
Login failed for user 'osumc\CPD.Intr.Service'. ClientConnectionId:ade97239-c1c8-4ed1-8230-d274edb2e731 "

In reading some of the material about using a domain service account, it mentions having Kerberos installed. Is this needed for an Ensemble JDBC connection to a Microsoft SQL database to work using a domain service account?

Does anyone use JDBC connections to connect to non-Caché databases using a domain service account? If so, how was this accomplished?

Thanks

Scott

Last answer 16 August 2018 Last comment 16 August 2018

Created by Daniel Kutac, Sales Engineer, InterSystems

Warning: if you get confused by the URLs used: the original series used screens from a machine called dk-gs2016. The new screenshots are taken from a different machine. You can safely treat the URL WIN-U9J96QBJSAG as if it were dk-gs2016.

Part 2. Authorization server, OpenID Connect server

In the previous part of this short series, we learned about a simple use case: acting as an OAUTH[1] client. Now, it's time to bring our experience to a whole new level. We are going to build a much more complex environment, where InterSystems IRIS is going to play all OAUTH roles

Last comment 10 August 2018

I wrote a ZAUTHENTICATE.mac a couple of months back, and found recently that it is creating core dumps on almost a nightly basis. I think I have figured out this problem to be not clearing out my MsgSearch after I am doing 2 of them within the code:

1. Get User Attributes from AD

2. Get User Groups from AD

So while I am trying to clean up the code I thought it would be a good time to add a Certificate and TLS to the mix, since I should have been using that all along. However, I keep running into issues.

Error message: Cache error: <UNDEFINED>ZAUTHENTICATE+104^ZAUTHENTICATE *LD

It's not displaying the error code it should be from the ZAUTHENTICATE in the audit database. How do I get it to tell me where it is actually stopping in the ZAUTHENTICATE code? Or can someone look at the code below and see what I might be doing wrong?

Last answer 30 June 2018 Last comment 24 July 2018

In old Caché versions it was possible to create a new role based on predefined %Developer by copying it and adding some resources as needed. It was true at least from 2010.1 to 2015.1.

After upgrading from 2015.1.4 to 2017.2.1 it turned out that it's only partially true now. A user with a "New-Developer" role can enter Studio and open existing cls/mac/etc. for editing and everything is OK unless he tries to create something new (Ctrl-N); then he gets a pop-up with %msg: <User xxx does not have enough privilege to execute stored procedure %CSP.StudioTemplateMgr_Templates>

The solution found was simple: user-defined roles based on %Developer should be assigned to %Developer rather than contain all its resources inside. The simplest way to achieve it is to make a "New-Developer" role a member of %Developer. To be fair, InterSystems docs always contained a note

Last comment 31 May 2018

When defining a server connection in Atelier we are required to enter a username and password because these are mandatory fields in the dialog. However, if the /api/atelier web application definition on that server has only the "Unauthenticated" checkbox set in the section titled "Allowed Authentication Methods", then our Atelier connection will succeed even if we supply an invalid username and/or password.

Last comment 29 May 2018

Hi,

I have a client who is considering encryption options in order to comply with a tendering requirement.

Were they to encrypt the production database, what would be a reasonable expectation for the impact on message throughput? Or, possibly more easily answered: what would the expected impact be on I/O rate and CPU utilization? Are there any benchmarks which could support an estimate?

How would this compare with plan B: to use disk encryption?

Thanks

Last comment 9 May 2018

Is there a way to make the system users like _SYSTEM and ensadm bypass the delegated sign-on and not cause it to fill up the audit trail with "Programmer mode login failure"? I figured I still had to leave password login enabled for the background users to run. How would I script: if username = "_SYSTEM" then don't do the delegated sign-on?

Here is my ZAUTHENTICATE

Last answer 11 April 2018 Last comment 11 April 2018

I need to offer new users on our system a temporary password that is valid for only 48 hours. This is different from a 60-day password expiration window for existing users' passwords (where a password needs to be changed every 60 days), different from a "user expiration date", where you can set a date on which the user's account expires and is disabled, and different from the inactivity expiration date where a user becomes active if his account is not used within, say, 30 days.

What I need is a password-inactivity expiration date such that if the user does not log in for the first time within the time limit (48 hours), then the user account is disabled (but not expired!) and must then be "reset" to a new password (whereupon the cycle begins again, and the user is disabled within 48 hours if he doesn't log in and change his password!).

Last answer 21 March 2018 Last comment 21 March 2018

Is there a way to pull a user name and password from the Credentials list that is kept in Ensemble? Right now I have an LDAP user that I have hard-coded into my ZAUTHENTICATE, which I would like to get away from. I am not too familiar with setting globals, or calling them at least.

Thanks

Scott

Last answer 24 February 2018 Last comment 1 March 2018

I was running the %File:FileSet class query with my development user, but I am unable to run this query for an application user. Does anyone know what resource or service is needed to run this query? Assume the user has access to a certain directory on the file system needed for the query.

On second thought, having tried almost all the available resources and services, perhaps the user doesn't have access to the directory. How to tell when the error is this:

set st=##class(%SQL.Statement).%New()   ; the statement object the class query is prepared on
set ok=st.%PrepareClassQuery("%File","FileSet")
do $system.Status.DisplayError(ok)
 
ERROR #5540: SQLCODE: -99 Message: User Laura_Test_DEV is not privileged for the operation

Thanks,

Laura

Last answer 23 February 2018 Last comment 23 February 2018

Hi,

I need to list all available Windows AD groups.

How do I do it?

I need to change the attributes of Windows Users of AD, adding and remove groups.

Note: I was able to make the connection to LDAP, and I listed the groups that a user.

Last answer 15 February 2018 Last comment 15 February 2018