Hi,

Assume an architecture where an ECP Database Server is connected to by one or more ECP Application Servers inside a firewall.The application server hosts the web application that web users connect to.

The Web servers are outside the firewall, and, (using the CSP gateway/server mechanism) issue requests over the SuperServer port and into the application server.

I know that the traffic between the Web Server and the ECP application server can be encrypted using HTTPS, and access to the CSPServer on the Application server is username/password secured.

1 2
0 4.5K

We have a new requirement being push down by our Data Security to no longer use Local SQL Accounts to access our Databases. So they asked me to create a Service Account that is on the Domain for our connections to each database.

I tried just changing my JDBC connection to using this Service Account and Password but I am not having any luck trying to connect to the database.

" Connection failed.
Login failed for user 'osumc\CPD.Intr.Service'. ClientConnectionId:ade97239-c1c8-4ed1-8230-d274edb2e731 "

1 4
0 3.6K

Hi all, This is a bit embarrassing, and not that critical. I have a local instance of Caché 2016 on my computer, for playing around with. I was attempting to set up two-factor authentication on this instance, and I thought I simply disabled all users except for my own user and enabled two-factor for this user. The next time I tried to login to the Management portal, I received a Server Availability Error:

http://localhost:57772/csp/sys/UtilHome.csp

0 9
0 2.4K

The .NET Core Identity model has an IPasswordHasher<> interface for for

  • Hashing a password so that it can be stored in a database
  • Verifying a provided plain-text password matches a previously stored hash.

I am getting invalid password errors during the login process when the .NET Core Identity model computes a hash from a plain text input and compares it to a password hash value I've returned from Caché. The default hashing algorithm is PBKDF2 with HMAC-SHA256, 128-bit salt, 256-bit subkey, and 10,000 iterations (detailed article on .NET Core Identity PasswordHasher). The algorithm Caché uses is probably different which may be why I am getting errors.

0 6
1 2.2K

We are planning to use Caché users on a SOAP web-service, so the WS-security tokens will be used.
It will be username and password only for now.
The passwords should expire on a regular basis and this will be configured in the system-wide security settings.
The consumer of the web-service should be able to change their password on-demand or when it has expired, via a web-service call.

For the on-demand change, I can create a service method which can be called by the consumer to change the password.

0 5
0 2.1K

Hi,

I'm unable to locate a set of instructions that would allow me to encrypt the traffic to/from the Cache' Management Portal (that is - run it over HTTPS)

I am referring to the Management portal as hosted by the private Apache Web server instance installed with Cache. (I know how to do this for regular web sites hosted on, for example, IIS).

I would imagine the steps would involve, (a) enable SSL on that apache instance and (b) deploy certificates into the Apache web server.

Does anyone have a step-by-step guide on how this is accomplished ?

0 6
0 2K

Hello everyone smiley

I have a server configuration in a CSP Gateway installed on a PC (let's call it S2) different from the main one (let's call it S1). This configuration allows me to access a web application that is installed on S1, from a client C asking S2 for this webapp. But for now it works only in HTTP between C and S2, and we would like to use HTTPS (as it already works between S2 and S1).

1 8
0 1.7K

I have built an Ensemble SOAP service (EnsLib.SoapService.Service) as a business service which accepts soap requests from another application. To secure the traffic between the SOAP service and the application i'd like to enable SSL. I see that in the management portal I can upload the certificates, chains and keys and save them as an SSL / TLS configuration. However, it is not clear to me how I apply this SSL / TLS configurtion to the soap service I am running.

0 2
0 1.6K

Hi!

I am not system admin. But it used to be very simple to install CSP Gateway on an apache system on Linux with Apache installed. I used to run the CSP Gateway installation program and after it was done, all I had to do was fine tune some configurations on CSP Gateway portal on http://<ip>/csp/bin/Systems/Module.cxw and I was up and running.

0 5
0 1.3K

Hello,

I have a very simple web service that I'd like to secure via SAML Authorization with X.509 Certificates. I am, however struggling with documentation and my lack of cryptographic skills. (I do this just for educational purposes now, but need to use it in the future)

Does anyone have an example that shows how to construct a SOAP Client with adding all necessary security headers manually or point me to a decent learning resource?

Thank you very much!

2 1
2 1.2K
Question
· Jan 23, 2019
Single Sign On (SSO)

Does Intersystems specifically Ensemble support a Single Sign On architecture? Currently we are using Delegated sign on using LDAP and TLS, however our CIO would like us to move toward a single sign on, so when you sign into your PC it would automatically pass the credentials to Ensemble.

Thanks

Scott

0 3
0 1.1K

I know %CSP.Daemon is supposed to clean up old CSP sessions (?). In my management portal, under System/ License Usage, I see 33 "Units" used (and there are 33 licenses in use), but usernames from old IP address and that are not being used. Their active times are often in the millions of seconds. They are not "on" the system right now.

At most, only 3 users are on the system right now.

Are these supposed to be cleaned up? Can I clean them up programmactially, and how would I know if they're not active?

Thanks,

Laura

0 8
0 944

I was wondering if there was a certain procedure or documentation on securing (Https://) the Web Portal into IRIS/Ensemble?

Currently we are using LDAP Delegated Authentication to access the Web Portal using LDAP. However as more and more emphasis is put on securing applications within networks, I can see Management/Security asking us to make sure that the web portal is more secure.

1 6
1 818
Question
· Jan 15, 2018
Access token storage

Hi community ,

i work actually on the access token generation method , i want know where the generated access token are saved ?

My [OAuth2.AccessToken] tabe is empty , it's logical?

thank's for helping .

Best regards

0 5
0 765

OAuth server to be deployed on the IRIS learning cloud platform. Clients - one on the other instance of the learning IRIS server, the other client locally on my computer in the container docker.

Both clients get a seemingly correct link (through ##class(%SYS.OAuth2.Authorization).GetAuthorizationCodeEndpoint()) to the login request form:

1 3
1 754

We are using Cache in our application. We are using default username/password for connecting to the Cache Database through Cache Manege Provider. Can we limit the permission of the user _SYSTEM to access only limited database/namespace.

Can we create new user for ODBC connection? Is there any API provided for creating user with limited access so that the user creation process can be automated.

0 1
0 728
Question
· Jul 16, 2020
Ensemble namespace permission

Hi,

I am attempting to set up a security role for our support team so they can have read access to the production and messages.

I have given the role RW rights on the resource associated with the database. However, when I log into Management Portal and select "Ensemble", the "Available Ensemble namespaces" list is empty.

What permissions do i need to set to be able to navigate to the production?

Thanks in advance,

Carl

Edit:

0 8
0 712

Hi, Community!

Suppose I have class A with properties P1 and P2.

I want to introduce class B, which would have same records as Class A, but only one property - P2.

What is the easiest way to manage it assuming that I would like to use Class A to add records and be available for any operations to Users with Role A.

And I would like to introduce class B for Users with role B for read-only access. Preferably they shouldn't even be aware of Class A and P1 existence .

What is the easiest way to introduce it and manage it?

0 10
0 662