#Security


Security in IT is the protection of computer systems from the theft and damage to their hardware, software or information, as well as from disruption or misdirection of the services they provide.

See the InterSystems Documentation on Security.

Question Susobhan Pandit · Mar 22, 2017

We are using Caché in our application. We are using the default username/password for connecting to the Caché database through the Caché Managed Provider. Can we limit the permissions of the user _SYSTEM to access only limited databases/namespaces?

Can we create a new user for the ODBC connection? Is there any API provided for creating a user with limited access, so that the user creation process can be automated?

Article David Shambroom · Feb 24, 2017 1m read

The recent announcement of a collision for the SHA-1 hash algorithm has caused some consternation:

https://shattered.io/

Here is some background to help put this in perspective.

Cryptographic hash functions can have a variety of properties.  The property at issue here is:

"Collision resistance - it is computationally infeasible to find any two distinct inputs x, x' which hash to the same output, i.e., such that h(x) = h(x')."

(Menezes, van Oorschot, and Vanstone, "Handbook of Applied Cryptography", section 9.2.2)

Question Chris Stewart · Jan 5, 2017

I'm currently re-engineering an application from CSP pages directly accessing COS methods to an Angular/Material front end accessing a REST DAL. Both the Angular front end and the REST services are hosted from the same Caché instance and the same namespace, but the REST services have their own CSP application, with all calls being routed through a Dispatch class.

Question Sebastian Thiele · Dec 14, 2016

Hi,

I have a CSP application (namespace default) to which I would like to log in remotely. This is possible via

http://localhost:57772/csp/namespace/MyApp.MyPage.cls?CacheUserName=<us…;

So the credentials need to be in cleartext, which is in fact a problem. The invocation is made within a LAN, so we don't need to transport the credentials over the web. Anyway, a remote application would like to use that page (display and work with it) and is able to pass in different parameters. These parameters are encoded in a way I couldn't figure out yet.

Question Chip Gore · Nov 23, 2016

Hi -

I know that when specifying Caché password rules (i.e. what constitutes a valid password definition), the "Pattern Matching" logic is what gets leveraged under the covers to enforce the "A password must conform to X" rule. I was hoping that people could share some more sophisticated pattern matching rules (in particular, I was wondering what a rule would look like that requires a non-repeating mixture of letters, numbers, & punctuation of an overall minimal size).

Article Stephen Walasavage · Nov 1, 2016 2m read

This post is meant to provide a quick possible explanation for a very perplexing problem.

Scenario: You've just created your own administrative user in your 2014.1 (or later) instance of Caché. You gave it every possible security role (including %All), so it should in theory be able to do anything within the instance.

You’ve written a very advanced routine with a break command in it for debugging:

MyTestRoutine
            set ^MyInitGlobal = 1
            write "Hello, my name is..."
            break
            write "Steve"
            quit

Question Scott Beeson · Oct 11, 2016

I have a list of about 100 MPI IDs that I would like to run a report on. I want to list the times that any data for these patients was accessed. Currently in "Managed Reports" we have a "Disclosure Report", which I think was a custom development effort, but it is per-patient.

I have a SQL query for the ATNA log, but I'm not confident in its accuracy, so I thought I'd reach out and see how other Information Exchanges might get this data.

Question Laura Cavanaugh · Sep 9, 2016

I know %CSP.Daemon is supposed to clean up old CSP sessions (?). In my management portal, under System / License Usage, I see 33 "Units" used (and there are 33 licenses in use), but usernames from old IP addresses that are not being used. Their active times are often in the millions of seconds. They are not "on" the system right now.

At most, only 3 users are on the system right now.

Are these supposed to be cleaned up? Can I clean them up programmatically, and how would I know if they're not active?

Thanks,

Laura

Question Scott Beeson · Jul 11, 2016

We had a major problem recently where a participant was sending unexpected data. It was not enough to throw an error or warning in the actual trace, but when examining the message in the viewer it did show the following:

Build Map Status = 'ERROR <EnsEDI>ErrMapSegUnrecog: Unrecognized Segment 4:'CON' found after segment 3 (CON)'

How can I query for these or be notified of them? This caused major ramifications, but we did not notice it. I have Managed Services investigating, but I want to cover all my bases.

Question Steve Pisani · May 25, 2016

Hi,

Assume an architecture where an ECP Database Server is connected to by one or more ECP Application Servers inside a firewall. The application server hosts the web application that web users connect to.

The Web servers are outside the firewall and (using the CSP gateway/server mechanism) issue requests over the SuperServer port into the application server.

I know that the traffic between the Web Server and the ECP application server can be encrypted using HTTPS, and access to the CSPServer on the Application server is username/password secured.

Question Amir Samary · May 24, 2016

Hi!

I am trying to create a %Installer script and I noticed from our documentation that %Installer's <CSPAuthentication> will only accept:

<CSPApplication>
Optional; within <Namespace>. Defines one or more CSP applications; the supported authentication flags are 4 (Kerberos), 32 (Password), and 64 (Unauthenticated).

Is "Delegated" authentication supported? What is its code?

Kind regards,

Amir Samary

Article Rich Taylor · Apr 7, 2016 1m read

Presenter: Rich Taylor
Task: Use an LDAP schema that differs from the provided default
Approach: Give examples of customized LDAP schema development, using LDAP APIs and ZAUTHORIZE

In this session we explore the various options for working with LDAP as an authentication and authorization framework. We will look beyond simple LDAP schemas into working with more complex LDAP configurations that incorporate application-level security information.

Content related to this session, including slides, video and additional learning content can be found here.

Article Andreas Dieckow · Apr 7, 2016 1m read

Presenter: Andreas Dieckow
Task: Securely store sensitive information
Approach: Give examples of data-at-rest encryption and data element encryption

Description: In this session, InterSystems will showcase how to use API calls to do everything programmatically with your own scripts. This approach is highly effective if you have recipe-based settings and configurations that you would like to roll out in a controlled and fast fashion.

Problem: Store security-relevant information correctly, and how to do so. Examples are credit card information and other sensitive information (e.g. SSNs, classified information).

Solution: Data-at-rest encryption and data element encryption

Content related to this session, including slides, video and additional learning content can be found here.

Article Andreas Dieckow · Apr 7, 2016 1m read

Presenter: Andreas Dieckow
Task: Apply SQL security to multiple servers in a distributed system
Approach: Provide code samples for using new API calls to apply SQL security statements to multiple instances of our products

Description: The requirement that started it all. See examples of how to use this new feature and integrate it into your application, discussed through code examples.

Problem: SQL security is local to the instance and most of the time driven by customer application code. Because it is local to the instance and is not automatically propagated to other instances, a solution is required.

Solution: From application code, use new API calls to issue SQL security statements that are applied to multiple instances.

Content related to this session, including slides, video and additional learning content can be found here.

Article Saurav Gupta · Apr 8, 2016 1m read

Presenter: Saurav Gupta
Task: Provide customized authentication support for biometrics, smart cards, etc.
Approach: Provide code samples and concept examples to illustrate various custom authentication mechanisms

Description: In this session we will discuss customized ways to implement various authentication mechanisms and showcase some sample code.

Problem: Using custom authentication mechanisms to support devices like biometrics and smart cards, or to create an authentication front end for existing applications.

Solution: Code samples and concept examples.

Content related to this session, including slides, video and additional learning content can be found here.

InterSystems Official Andreas Dieckow · Jan 27, 2016 1m read

At the end of this year, support for OpenSSL 1.0.1 will end. InterSystems has started the process to move to OpenSSL 1.0.2 and use the 1/28/2016 release (1.0.2f) for verification and product inclusion. I will update this post once InterSystems has decided which versions will receive support for OpenSSL 1.0.2.

Question Eduard Lebedyuk · Feb 24, 2016

I need to perform additional checks before Caché user logins (let's say in a terminal, for simplicity) and allow access only to those who pass them. How do I do it?

After reading about delegated authentication in docs I created this ZAUTHENTICATE routine:

ZAUTHENTICATE(ServiceName,Namespace,Username,Password,Credentials,Properties) PUBLIC {
    #include %occErrors
    #include %occStatus
    ; reject every login attempt unconditionally
    quit $$$ERROR($$$GeneralError,"No access")
}

and set Password and Delegated as Allowed Authentication Methods in %Service_Console (it's a Windows install).

Expected result: no one can login via the terminal

Question Rich Taylor · Feb 8, 2016

In preparation for a presentation I need a real-world LDAP schema that has been customized a bit beyond the basics. Preferably this would be based on an OpenLDAP system, which would make it easier to merge into this presentation.

If you have such a schema you would be willing to share, please respond or contact me directly at Rich.Taylor@InterSystems.com

Thanks in advance.

Rich Taylor

Article Developer Community Admin · Oct 21, 2015 1m read

Introduction

If the administrators responsible for securing applications had their way, passwords would be long complex strings of random symbols, and users would memorize different passwords for every application they use. But in the real world, few people are capable of such prodigious feats of memory. The typical user can only remember a handful of relatively short passwords.
