Security in IT is the protection of computer systems from the theft and damage to their hardware, software or information, as well as from disruption or misdirection of the services they provide.
I'm trying to create a user with access to the HS namespaces management portal. I'm having trouble identifying the correct resource to assign to the user. I'm testing various resources, but every time I go to the HS management section, a blank page appears, and the Home button disappears.
In a customer project we started enforcing the "Inactivity Limit" as defined in System-Wide Security Parameters. The customer would expect accounts to become Disabled after they have been inactive for the specified amount of days. However, that doesn't happen; it seems the Inactivity Limit is only established after logging in.
Furthermore, the account inactivity only starts being applied after the first login. Can you confirm that?
Lastly, for accounts that have been manually Disabled, and have an expired password, we see the following weird behavior:
Is there any mechanism already implemented in IRIS to prevent XSS exploits ?
This case happen when user input html/javascript content into fields and submit the page. If saved content is rendered as is, it's going to be executed by anyone visiting the page.
I'm performing a migration of some services from one instance to another, and I noticed that the technique defined within the InterSystems Server Migration Guide does not include OAuth client configurations. The recommended technique is to use the ##class(Security.System).ExportAll() and ##class(Security.System).ImportAll() methods.
Is there a way to migrate OAuth client configurations, or do those have to be re-created manually?
I have an API set up in IRIS which is secured using an IRIS authentication service, so there is a bearer token being passed down in the request header.
I try to generate JWT tokens in Cache (not in IRIS).
In IRIS I managed to generate tokens using ##class(%OAuth2.JWKS).AddOct("HS256",secret,.jwks).
But In Cache there is no such routine.
Could you provide me a place to find an example how to use JWT, please ? I am interested to generate a token in Cache, send it to javascript client, and read a token provided by the client and check it is valid.
I want to try out iris-DataViz app to visualize my own data. I cloned the repo and docker-compose up -d in AWS. IRIS portal works, but on port 8051 I get nothing. I checked my AWS security groups. I reversed IRIS webserver port and 8051 and I can connect to Management portal using port 8051. I don't understand what is refusing connection on port 8051 running in iris-DataViz container.
We have a CSP pages script, which gets and sets a cookie for email tracking purposes, we had problems with cookies not being passed to this script when the URL was opened from an email client due to being cross-site, so I set Session Cookie Scope & User Cookie Scope to None instead of Strict.
This solved the issue with cookies not being passed, however the script entirely does not work anymore due to the error:
"Invalid CSP response cookie. SameSite cannot be set to None without Secure. : CSP Error"
We recently moved from using the Private Web Server, to using an Apache/Web Gateway setup and moved towards using the built in LDAP functionality within IRIS. Since then, we have 1 user that uses VSCode (/api/atelier) heavily that continues to have issues signing into IRIS through VS Code and the /api/atelier extension.
How do you authenticate with a rest api? The rest api implemention allows us to add in the header Authentication: 'Basic ' + btoa(user + ':' + password) but it is not really secure as a user can inspect and with the right decoding tool see a user password
Up until recently, I have been toying around with REST/FHIR capabilities but only internally. Now I have a request to make REST API calls outside of our Network.
I am using an RSA 4096 key, because Microsoft Active Directory Services which generates the signed certificate could not handle the Elliptical Key (ECC) when I put the request in.
I need a way to securely store credentials in IRIS that are used to access third-party APIs. These credentials include different clientId/secret pairs that I don't want to expose. While I know that it's possible to define Production Credentials in Ens.Config.Credentials, I understand that they are stored in plain text.
I created a Dotnet api to connect with IRIS database to do some task. "InterSystems.Data.IRISClient.dll" (NativeAPI) is used in dotnet api to connect IRIS. I used following code in dotnet to open and close the IRIS connection.
in addition to HL7 V2 interfaces mediated via TCP/IP, we have been implementing more and more HS.FHIRServer.Interop.Service based services that are addressed via port 57772. We would like to secure access to the Management Portal now and have come up with a procedure that I would like to discuss.
I have my server setup a resource server. When a user calls our API they submit a bearer token as authorization and in our dispatch class AccessCheck() we validate the JWT using ##class(%SYS.OAuth2.Validation).ValidateJWT().
If I include a scope to check in that method I get the error Scope check may only be done on requesting client and I'm not sure what this means. The method works without include the scope and will let me know if I have an unsigned token or an expired token.
I am looking for the syntax or the way to use a class created in the "BNA" Namespace (my application) from the %SYS Namespace.
Here is the context:
I have a "BNA" application contained in the "BNA" NS, this application provides a user creation functionality. This feature creates both the user in a table in the application and in the Iris system.
I saw that IRIS has some built-in%SYSTEM.Encryption Encryption functions, but what should we do when we see encryption AES/ECB/PKCS5Padding ? I wonder if there is a good solution?
Is it possible to authenticate an xDBC (ODBC/JDBC) connection to InterSystems IRIS via (a 3rd party) OAuth server?
For REST APIs this is possible, but could this be achieved with OAuth?
Out-of-the-box the ODBC/JDBC Drivers don't seem to have this option, but maybe some custom code could enable this? perhaps via Delegated Authentication and some OAuth classes customization, or some other way?
Has anyone done this already and can share how it was implemented, or someone with some guideline suggestions?
Lately my group has been seeing issues when signing in through the Management Portal or VS Code we are getting "Service Unavailable" errors returned to us. We recently migrated away from using the PWS to using Apache/InterSystems Web Gateway and using LDAP instead of Delegated Authentication.
Our application needs to create system users from a request form.
To use Security classes, it is necessary to have rights to use the %SYS namespace, which is not the case for users who validate requests.
It is not desirable for these users to have this role permanently, so I proceeded as follows:
I created a facade class for the Security.Users, Security.Roles, Security.Resources classes which allows me to log in with an authorized user on the NS %SYS
I´ve setup a local FHIR server via the framework functionality und set a service config name for the created endpoint since I plan to use a production based FHIR server. I´ve created an additional ressource "FhirClientRessource" and role "FhirClientRole" as well as a user named "FhirClient". The Role resource "FhirClientRessource" ist set as "required resource" in the FHIR server configuration page. The user "FhirClient" is member of the Role "FhirClientRole" which in turn holds RWU priveliges on the "FhirClientRessources".
I have a case where the Active Directory Service Account passwords will be changed periodically every 3 months and the changes are shared via the LastPass application which requires logging into the app to retrieve the new password and manually entering it into the Interoperability Credentials configuratrion, or the Service Registry.
Will it hurt anything if I disable the user that installed IRIS, within IRIS? Does this cause a problem with background processes running or with the restart? I know the _Ensemble user is used to start/stop/restart objects within IRIS, just didn't see anything in the documentation about the user that installed IRIS.
By update
.png)
.png)