Security

Created by Daniel Kutac, Sales Engineer, InterSystems

Warning: if you get confused by URLs used: the original series used screens from machine called dk-gs2016. The new screenshots are taken from a different machine. You can safely treat url WIN-U9J96QBJSAG as if it was dk-gs2016.

Part 2. Authorization server, OpenID Connect server

This post is meant to provide a quick possible explanation for a very perplexing problem.

Scenario:  You’ve just created your own administrative user in your 2014.1 (or later) instance of Caché.  You gave it every possible security role (including %All), so it should in theory be able to do anything within the instance.

You’ve written a very advanced routine with a break command in it for debugging:

Created by Daniel Kutac, Sales Engineer, InterSystems

Part 3. Appendix

InterSystems IRIS OAUTH classes explained

In the previous part of our series we have learned about configuring InterSystems IRIS to act as an OAUTH client as well as authorization and authentication server (by means of OpenID Connect). In this final part of our series we are going to describe classes implementing InterSystems IRIS OAuth 2.0 framework. We will also discuss use cases for selected methods of API classes.

The API classes implementing OAuth 2.0 can be separated into three different groups according to their purpose. All classes are implemented in %SYS namespace. Some of them are public (via % package), some not and should not be called by developers directly.

Question:

What version of Caché supports TLS v1.2? 

Answer:

Caché 2015.2 announced support for TLS v1.1 and v1.2.  In this version, the SSL/TLS configuration page provides checkboxes for TLS v1.1 and v1.2, which allows the versions to be configured individually.  This allows sites to, for example, require TLS v1.2 only.

Additionally, some earlier versions of Caché provide undocumented support for TLS v1.1 and v1.2, specifically Caché 2014.1.3 and above and 2015.1, on Windows, Linux and Unix.

It's almost a year since I have published a series of articles explaining how to configure Cache instance as a client / resource server / authorization server. By that time, the implementation of OAuth 2.0 was still a pre-release software.

Hi guys,

Couple days ago, a customer approached me with the wish to enhance their existing legacy application, that uses SOAP (Web)Services so it shares the same authorization with their new application API based on REST. As their new application uses OAuth2, the challenge was clear; how to pass access token with SOAP request to the server.

After spending some time on Google, it turned out, that one of possible ways of doing so was adding an extra header element to the SOAP envelope and then making sure the WebService implementation does what is needed to validate the access token.

This is a translation of the following article. Thanks [@Evgeny Shvarov] for the help in translation.

Someone posted a question on DC asking whether it was possible to determine access rights for a particular table row always at runtime, and if it was, how could one do that?
Answer: it is possible and it’s not hard at all.

Have you ever thought about leveraging IIS (Internet Information Services for Windows) to improve performance and security for your Caché web applications?  
Are you worried about the complexity of properly setting up IIS?

In part 1 we started working on a security model for DeepSee and create a user type having privileges typical of end users. In this part we are going to create a second user type with ability to edit and create DeepSee pivot tables and dashboards. 

With the recent release of Caché and Ensemble 2017.1, InterSystems customers can now create configurations where the data-at-rest cryptographic library used is compliant with FIPS 140-2.

Caché and Ensemble now provides you with the option to enable FIPS mode on RedHat 6.6, 7.1 on x86-64. This means is, that InterSystems products will no longer use the supplied crypto libraries that come with the kit, but will use the FIPS validated libraries provided by the Operating Systems vendor.

Hello,

I have a very simple web service that I'd like to secure via SAML Authorization with X.509 Certificates. I am, however struggling with documentation and my lack of cryptographic skills. (I do this just for educational purposes now, but need to use it in the future)

Does anyone have an example that shows how to construct a SOAP Client with adding all necessary security headers manually or point me to a decent learning resource?

Thank you very much!

I wrote a ZAUTHENTICATE.mac a couple of months back, and found recently that it is creating coredumps on almost a nightly basis. I think I have figured out this problem to be not clearing out my MsgSearch after I am doing 2 of them within the code.

1. Get User Attibutes from AD

2. Get User Groups From AD

So while I am trying to cleanup the code I thought it would be a good time to add a Certificate and TLS to the mix since I should of been using that all along. However I keep running into issues

Is there a way to pull a user name and password from the Credentials list that is kept in Ensemble? Right now I have a LDAP user that I have hard coded into my ZAUTHENTICATE, which I would like to get away from. I am not to familiar with settings Global, or calling them at least.

Thanks

Scott