Hi, Community!
Check the new video of the week on the InterSystems Developers YouTube Channel:
LDAP - Beyond the Simple Schema
Security in IT is the protection of computer systems from the theft and damage to their hardware, software or information, as well as from disruption or misdirection of the services they provide.
This is a translation of the following article. Thanks [@Evgeny Shvarov] for the help in translation.
Someone posted a question on DC asking whether it was possible to determine access rights for a particular table row always at runtime, and if it was, how could one do that?
Answer: it is possible and it’s not hard at all.
Hi, Community!
Suppose I have class A with properties P1 and P2.
I want to introduce class B, which would have the same records as class A, but only one property - P2.
What is the easiest way to manage it, assuming that I would like to use class A to add records and make it available for any operations to users with role A?
And I would like to introduce class B for users with role B for read-only access. Preferably they shouldn't even be aware of the existence of class A and P1.
What is the easiest way to introduce it and manage it?
Use some proxy-classes? Property-level security?
Hi Community!
If you need to help maintain and monitor your system, you could give additional users access to the Management Portal.
Are you interested? So, check the new Developer Video of the week:
Webinar: Securing the Management Portal
Hi,
I'm unable to locate a set of instructions that would allow me to encrypt the traffic to/from the Cache' Management Portal (that is - run it over HTTPS)
I am referring to the Management portal as hosted by the private Apache Web server instance installed with Cache. (I know how to do this for regular web sites hosted on, for example, IIS).
I would imagine the steps would involve, (a) enable SSL on that apache instance and (b) deploy certificates into the Apache web server.
Does anyone have a step-by-step guide on how this is accomplished?
Thanks in advance -
Steve
Today I helped someone solve a mystery. He had been trying to use the -U namespace argument of a csession command to specify the namespace in which to run a particular routine, and was puzzled when the routine could not be found.
Wanna Cry
Most of you should be aware that the Wanna Cry virus is massively infecting unpatched Windows machines all around the world. It's particularly affecting the NHS, one of my main clients.
Wanna Cry is one of a line of viruses that exploit SMBv1 over ports 135 and 445.
A kill switch has been enabled, but this won't protect machines sitting behind http proxies, and there are already reports of new versions without a kill switch.
All Windows machines should be isolated and updated a.s.a.p.
If automatic updates are not on, a patch can be downloaded from here...
How is security handled in InterSystems for the GUI and web services testing part? Does it have inbuilt security handling packages? What are the limitations? Please enlighten.
It's almost a year since I published a series of articles explaining how to configure a Cache instance as a client / resource server / authorization server. At that time, the implementation of OAuth 2.0 was still pre-release software.
With the advent of Cache version 2017.1 a lot has changed. OAuth 2.0 implementation is fully completed and supported. Numerous new features were added (e.g. dynamic client registration) - see release notes here for full details - and configuration pages have been redesigned to a great extent as well.
Created by Daniel Kutac, Sales Engineer, InterSystems
Part 3. Appendix
In the previous part of our series we learned about configuring InterSystems IRIS to act as an OAuth client as well as an authorization and authentication server (by means of OpenID Connect). In this final part of our series we are going to describe the classes implementing the InterSystems IRIS OAuth 2.0 framework. We will also discuss use cases for selected methods of the API classes.
The API classes implementing OAuth 2.0 can be separated into three different groups according to their purpose. All classes are implemented in the %SYS namespace. Some of them are public (via the % package), some are not and should not be called by developers directly.
Have you ever thought about leveraging IIS (Internet Information Services for Windows) to improve performance and security for your Caché web applications?
Are you worried about the complexity of properly setting up IIS?
See the webinar Configuring a Web Server presented by @Kyle Baxter, InterSystems Senior Support Specialist. Learn how to install IIS, set it up to work with the CSP Gateway, and configure the CSP Gateway to talk to Caché.
If you have not subscribed to our Developer Community YouTube Channel yet, let's get started right now.
Enjoy!
With the recent release of Caché and Ensemble 2017.1, InterSystems customers can now create configurations where the data-at-rest cryptographic library used is compliant with FIPS 140-2.
Caché and Ensemble now provide you with the option to enable FIPS mode on RedHat 6.6 and 7.1 on x86-64. This means that InterSystems products will no longer use the crypto libraries supplied with the kit, but will instead use the FIPS-validated libraries provided by the operating system vendor.
To configure your system, RedHat must be operating in FIPS mode.
Has anyone created Delegated Authentication using the Windows Certificate Store? Thank you for any feedback.
I have built an Ensemble SOAP service (EnsLib.SoapService.Service) as a business service which accepts SOAP requests from another application. To secure the traffic between the SOAP service and the application I'd like to enable SSL. I see that in the management portal I can upload the certificates, chains and keys and save them as an SSL / TLS configuration. However, it is not clear to me how I apply this SSL / TLS configuration to the SOAP service I am running.
If you are developing applications that use CSP or Zen, or potentially any of the other InterSystems web-related stuff that's built on top of CSP, then it's important to know how to keep one particular secret.
A central part of the CSP security architecture is a server-side session key. "Server-side" because its value should never be revealed to the client that is issuing the web requests. If it is revealed, a malicious client might be able to use it to bypass your security and make your server do things you don't want it to.
Your session key is available as a property named Key of your %CSP.
In this recent post I highlighted the importance of a CSP session's Key property in enforcing the level of security your web application may be relying on, and in particular the need to keep the property value secret.
We are planning to use Caché users on a SOAP web-service, so the WS-security tokens will be used.
It will be username and password only for now.
The passwords should expire on a regular basis and this will be configured in the system-wide security settings.
The consumer of the web-service should be able to change their password on-demand or when it has expired, via a web-service call.
For the on-demand change, I can create a service method which can be called by the consumer to change the password.
I have multiple namespaces in a Cache environment, say NS1 & NS2. I want to add some restriction so that a routine running in NS1 cannot access any resource (global/routine) belonging to namespace NS2.
The above restriction is needed for only a few of the clients, so we do not want to write any custom logic in code.
We are looking for some solution provided by Cache where we can restrict namespace access.
Can somebody please help me with this?
In the previous article, I had just started working with Arduino, and got a meteorological station to show as a result. In this article, let's go further: we will set up authentication via RFID cards and Arduino against the InterSystems Caché application.
We are using Cache in our application. We are using the default username/password for connecting to the Cache database through the Cache Managed Provider. Can we limit the permissions of the user _SYSTEM to access only a limited set of databases/namespaces?
Can we create a new user for the ODBC connection? Is there any API provided for creating a user with limited access, so that the user creation process can be automated?
I use a Cache instance. I'm trying to implement OAuth 2.0 in the Cache instance.
Is it possible to use a Cache instance as both client and server?
And what is the difference between the CLIENT and AUTHSERVER instances?
Why is it used? I want to know which instance is used with which type of application.
The recent announcement of a collision for the SHA-1 hash algorithm has caused some consternation:
Here is some background to help put this in perspective.
Cryptographic hash functions can have a variety of properties. The property at issue here is:
"Collision resistance - it is computationally infeasible to find any two distinct inputs x, x' which hash to the same output, i.e., such that h(x) = h(x')."
(Menezes, van Oorschot, and Vanstone, "Handbook of Applied Cryptography", section 9.2.)
I'm currently re-engineering an application from CSP pages directly accessing COS Methods, to an Angular/Material front end accessing a REST DAL. Both the Angular front end and REST services are hosted from the same Caché instance and the same namespace, but the REST services have their own CSP application, with all calls being routed through a Dispatch class.
I've come across an architecture issue recently, and am trying to assess the options I have. At present, we encode a call to a class which takes in an OID and returns the Stream to the browser.
Hi,
I have a CSP application (namespace default) to which I would like to log in from remote. This is possible via
http://localhost:57772/csp/namespace/MyApp.MyPage.cls?CacheUserName=<us…;
So the credentials need to be in cleartext, which is in fact a problem. The invocation is made within a LAN, so we don't need to transport the credentials over the web. Anyway, a remote application would like to use that page (display and work with it) and is able to pass in different parameters. These parameters are encoded in a way I couldn't figure out yet.
Hi -
I know that when specifying Caché password rules (i.e. what constitutes a valid password definition), the "Pattern Matching" logic is what is getting leveraged under the covers to enforce the "A password must conform to X" rule. I was hoping that people could share some more sophisticated pattern matching rules (in particular, I was wondering about a rule that would require a non-repeating mixture of letters, numbers, & punctuation of an overall minimal size).
Has anyone ever used the LogoutAll method in the %CSP.Session class successfully? I'm wondering what I need to do to use it.
Thanks,
Laura
This post is meant to provide a quick possible explanation for a very perplexing problem.
Scenario: You’ve just created your own administrative user in your 2014.1 (or later) instance of Caché. You gave it every possible security role (including %All), so it should in theory be able to do anything within the instance.
You’ve written a very advanced routine with a break command in it for debugging:
MyTestRoutine
set ^MyInitGlobal = 1
write "Hello, my name is.
How can we make sure that the Cache userid passwords are encrypted on storage? We want to make sure that the Cache passwords cannot be decrypted - how can we ensure that?
Is there any method or routine available to export and import the user roles and the sql table and sql procedures associated with each role?
Thanks for all replies in advance.
Is it possible to modify a user's security from a batch script? If it is possible, can someone point me to some examples or documentation?