Security

Syndicate content 15 

When using Studio, ODBC or a terminal connection to Caché or Ensemble, you may have wondered how to secure the connection. One option is to add TLS (aka SSL) to your connection. The Caché client applications - TELNET, ODBC and Studio - all understand how to add TLS to the connection. They just need to be configured to do it.

Configuring these clients is easier in 2015.1 and later. I'm going to be discussing this new method. If you're already using the old method, it will continue to work, but I would recommend you consider switching to the new one.

+ 15   0 5
0

comments

2199

views

+ 15

rating

This article, and following two articles of the series, is intended as a user guide for developers or system administrators, who need to work with OAuth 2.0 framework (further referred to as OAUTH for simplicity) in their InterSystems product based applications.

Last comment 26 May 2019
+ 12   2 5
4286

views

+ 12

rating

Created by Daniel Kutac, Sales Engineer, InterSystems

Warning: if you get confused by URLs used: the original series used screens from machine called dk-gs2016. The new screenshots are taken from a different machine. You can safely treat url WIN-U9J96QBJSAG as if it was dk-gs2016.

Part 2. Authorization server, OpenID Connect server

Last comment 10 August 2018
+ 8   0 6
2353

views

+ 8

rating

InterSystems continuously monitors our systems for any evidence of attempts to exploit vulnerabilities such as the newly announced Meltdown and Spectre attack vectors.
 
At this time we have seen no indications of attempts to target InterSystems systems or technology using these vulnerabilities.
 
·         InterSystems is aware of recently reported cybersecurity vulnerabilities known as Meltdown and Spectre that affect a wide range of computer processors (See US-CERT Alert TA 18-004A, Meltdown and Spectre Side-Channel Vulnerability Guidance,
+ 7   0 3
0

comments

848

views

+ 7

rating

If you are developing applications that use CSP or Zen, or potentially any of the other InterSystems web-related stuff that's built on top of CSP, then it's important to know how to keep one particular secret.

A central part of the CSP security architecture is a server-side session key. "Server-side" because its value should never be revealed to the client that is issuing the web requests. If it is revealed, a malicious client might be able to use it to bypass your security and make your server do things you don't want it to.

Last comment 20 April 2017
+ 7   0 1
506

views

+ 7

rating

This post is meant to provide a quick possible explanation for a very perplexing problem.

 

Scenario:  You’ve just created your own administrative user in your 2014.1 (or later) instance of Caché.  You gave it every possible security role (including %All), so it should in theory be able to do anything within the instance.

You’ve written a very advanced routine with a break command in it for debugging:

 

Last comment 1 November 2016
+ 7   0 2
268

views

+ 7

rating

This article was written as an attempt to share the experience of installing the InterSystems Caché DBMS for production environment.
We all know that the development configuration of a DBMS is very different from real-life conditions.
As a rule, development is carried out in “hothouse conditions” with a bare minimum of security measures, but when we publish our project online, we must ensure its reliable and uninterrupted operation in a very aggressive environment.

Last comment 19 December 2018
+ 6   4 6
727

views

+ 6

rating

Created by Daniel Kutac, Sales Engineer, InterSystems

 

Part 3. Appendix

InterSystems IRIS OAUTH classes explained

In the previous part of our series we have learned about configuring InterSystems IRIS to act as an OAUTH client as well as authorization and authentication server (by means of OpenID Connect). In this final part of our series we are going to describe classes implementing InterSystems IRIS OAuth 2.0 framework. We will also discuss use cases for selected methods of API classes.

The API classes implementing OAuth 2.0 can be separated into three different groups according to their purpose. All classes are implemented in %SYS namespace. Some of them are public (via % package), some not and should not be called by developers directly.

+ 6   0 2
0

comments

1299

views

+ 6

rating

I was recently asked whether we have a function to convert LDAP date time stamps into $HOROLOG format or other formats and the answer is not at the moment, but there is a simple method to do the conversion.

Let us look at the facts and figures involved...

1) Active Directory's (AD) date 0 (zero) is 1601-01-01 00:00:00.000 or January 1st, 1601 at midnight (00:00:00)

2) AD timestamps are calculated as the number of 100 nanosecond intervals from date 0

3) 864000000000 is the number of 100 nanosecond intervals per day

+ 5   0 2
0

comments

434

views

+ 5

rating

Question:

What version of Caché supports TLS v1.2? 

Answer:

Caché 2015.2 announced support for TLS v1.1 and v1.2.  In this version, the SSL/TLS configuration page provides checkboxes for TLS v1.1 and v1.2, which allows the versions to be configured individually.  This allows sites to, for example, require TLS v1.2 only.

Additionally, some earlier versions of Caché provide undocumented support for TLS v1.1 and v1.2, specifically Caché 2014.1.3 and above and 2015.1, on Windows, Linux and Unix.

+ 5   0 0
0

comments

1030

views

+ 5

rating

It's almost a year since I have published a series of articles explaining how to configure Cache instance as a client / resource server / authorization server. By that time, the implementation of OAuth 2.0 was still a pre-release software.

Last comment 7 May 2017
+ 4   0 5
269

views

+ 4

rating

There's an easy new way to add certificate authority (CA) certificates to your SSL/TLS configurations on InterSystems IRIS 2019.1 (and 2018.1.2) on Windows and Mac.  You can ask IRIS to use the operating system's certificate store by entering:

%OSCertificateStore

in the field for "File containing Trusted Certificate Authority X.509 certificate(s)".   Here's an image of how to do this in the portal:

+ 3   0 1
0

comments

14

views

+ 3

rating

Hi guys,

 

Couple days ago, a customer approached me with the wish to enhance their existing legacy application, that uses SOAP (Web)Services so it shares the same authorization with their new application API based on REST. As their new application uses OAuth2, the challenge was clear; how to pass access token with SOAP request to the server.

After spending some time on Google, it turned out, that one of possible ways of doing so was adding an extra header element to the SOAP envelope and then making sure the WebService implementation does what is needed to validate the access token.

+ 3   0 1
0

comments

619

views

+ 3

rating

I am trying to find documentation on how Cache Studio locks a Routine/Class a developer is editing.

On the flip side, I am looking for documentation on how Atelier does the same.

Ultimately I am looking for the differences and what happens if both Studio and Atelier through different developers go after the same Routine/Class.

I am not asking for an answer (however that would be nice), I am looking for pointers to documentation.

Last answer 6 November 2017 Last comment 29 November 2017
+ 3   0 2
299

views

+ 3

rating

This is a translation of the following article. Thanks [@Evgeny Shvarov] for the help in translation.

Someone posted a question on DC asking whether it was possible to determine access rights for a particular table row always at runtime, and if it was, how could one do that?
Answer: it is possible and it’s not hard at all.

Last comment 14 June 2017
+ 3   0 3
276

views

+ 3

rating

Wanna Cry

Most of you should be aware that the Wanna Cry virus is massively infecting un-patched windows machines all around the world. It's particularly affecting the NHS, one of my main clients. 

Wanna Cry is one of a line of Viruses that exploit SMBv1 over ports 135 and 445.

A kill switch has been enabled, but this won't protect machines sitting behind http proxies, and there are already reports of new versions without a kill switch.

All windows machines should be isolated and updated a.s.a.p. 

Last comment 15 May 2017
+ 3   0 5
461

views

+ 3

rating

In part 1 we started working on a security model for DeepSee and create a user type having privileges typical of end users. In this part we are going to create a second user type with ability to edit and create DeepSee pivot tables and dashboards. 

+ 2   0 3
0

comments

179

views

+ 2

rating

When defining a server connection in Atelier we are required to enter a username and password because these are mandatory fields in the dialog. However, if the /api/atelier web application definition on that server has only the "Unauthenticated" checkbox set in the section titled "Allowed Authentication Methods", then our Atelier connection will succeed even if we supply an invalid username and/or password.

Last comment 29 May 2018
+ 2   0 3
347

views

+ 2

rating

With the recent release of Caché and Ensemble 2017.1, InterSystems customers can now create configurations where the data-at-rest cryptographic library used is compliant with FIPS 140-2.

Caché and Ensemble now provides you with the option to enable FIPS mode on RedHat 6.6, 7.1 on x86-64. This means is, that InterSystems products will no longer use the supplied crypto libraries that come with the kit, but will use the FIPS validated libraries provided by the Operating Systems vendor.

+ 2   0 1
0

comments

150

views

+ 2

rating

The recent announcement of a collision for the SHA-1 hash algorithm has caused some consternation:

https://shattered.io/

Here is some background to help put this in perspective.

Cryptographic hash functions can have a variety of properties.  The property at issue here is:

"Collision resistance - it is computationally infeasible to find any two distinct inputs x, x' which hash to the same output, i.e., such that h(x) = h(x')."

(Menezes, van Oorchot, and Vanstone, "Handbook of Applied Cryptography", section 9.2.2)

+ 2   0 4
0

comments

214

views

+ 2

rating

Hello,

I have a very simple web service that I'd like to secure via SAML Authorization with X.509 Certificates. I am, however struggling with documentation and my lack of cryptographic skills. (I do this just for educational purposes now, but need to use it in the future)

Does anyone have an example that shows how to construct a SOAP Client with adding all necessary security headers manually or point me to a decent learning resource?

 

Thank you very much!

Last answer 9 May 2019
+ 1   1 2
0

comments

86

views

+ 1

rating

I have a few cubes and numerous dashboards and I am ready to deploy them to our end users and administrators. How to configure DeepSee so that users don’t disrupt each other’s areas and are restricted from using functionalities specific to developers?


Last comment 22 February 2019
+ 1   0 2
325

views

+ 1

rating

I wrote a ZAUTHENTICATE.mac a couple of months back, and found recently that it is creating coredumps on almost a nightly basis. I think I have figured out this problem to be not clearing out my MsgSearch after I am doing 2 of them within the code.

1. Get User Attibutes from AD

2. Get User Groups From AD

So while I am trying to cleanup the code I thought it would be a good time to add a Certificate and TLS to the mix since I should of been using that all along. However I keep running into issues

Last answer 30 June 2018 Last comment 24 July 2018
+ 1   0 3
217

views

+ 1

rating

In old Caché versions it was possible to create a new role based on predefined %Developer by copying it and adding some resources as needed. It was true at least from 2010.1 to 2015.1.

After upgrade from 2015.1.4 to 2017.2.1 it turned that it's only partially true now. User with a "New-Developer" role can enter Studio and open existing cls/mac/etc for editing and everything is OK unless he tries to create something new (Ctrl-N), than he gets a pop-up with %msg: <User xxx does not have enough privilege to execute stored procedure %CSP.StudioTemplateMgr_Templates>

Last comment 31 May 2018
+ 1   0 3
185

views

+ 1

rating

Is there a way to pull a user name and password from the Credentials list that is kept in Ensemble? Right now I have a LDAP user that I have hard coded into my ZAUTHENTICATE, which I would like to get away from. I am not to familiar with settings Global, or calling them at least.

Thanks

Scott

Last answer 24 February 2018 Last comment 1 March 2018
+ 1   0 5
581

views

+ 1

rating

In part 1part 2, and part 3 parts of this series we set up three user types. In part 4 we saw how to secure model elements and DeepSee items. In this last part of the tutorial we conclude with some remarks on DeepSee security and troubleshooting tips. In particular, we see how pivot tables in User Portal can be "hidden".

+ 1   0 1
0

comments

172

views

+ 1

rating