Security in IT is the protection of computer systems from the theft and damage to their hardware, software or information, as well as from disruption or misdirection of the services they provide.
In the previous article, I had just started working with Arduino, and got a meteorological station to show as a result. In this article, let's go further: we will set up authentication via RFID cards and Arduino against the InterSystems Caché application.
We are using Cache in our application. We are using default username/password for connecting to the Cache Database through Cache Manege Provider. Can we limit the permission of the user _SYSTEM to access only limited database/namespace.
Can we create new user for ODBC connection? Is there any API provided for creating user with limited access so that the user creation process can be automated.
I use Cache Instance. I'm trying to implement OAuth 2.0 in Cache instance.
Is it possible to use Cache instance as Client and Server?
And What is the Difference between CLIENT and AUTHSERVER instance?
Why is it used? I want to know which instance use which type of application?
The recent announcement of a collision for the SHA-1 hash algorithm has caused some consternation:
Here is some background to help put this in perspective.
Cryptographic hash functions can have a variety of properties. The property at issue here is:
"Collision resistance - it is computationally infeasible to find any two distinct inputs x, x' which hash to the same output, i.e., such that h(x) = h(x')."
(Menezes, van Oorchot, and Vanstone, "Handbook of Applied Cryptography", section 9.2.2)
I'm currently re-engineering an application from CSP pages directly accessing COS Methods, to an Angular/Material front end accessing a REST DAL. Both the Angular front end and REST services are hosted from the same Caché instance and the same namespace, but the REST services have their own CSP application, with all calls being routed through a Dispatch class.
Hi,
i have a csp application (namespace default) to which i like to login from remote. This is possible via
http://localhost:57772/csp/namespace/MyApp.MyPage.cls?CacheUserName=<us…;
So the credentials need to be in cleartext which is in fact a problem. The invocation is made within a lan so we don´t need to transport the credentials over the web. Anyway, a remote application likes to use that page (display and work with it) and is able to pass in different parameters. These parameters are encoded in a way I couldn´t figure out yet.
Hi -
I know that when specifying Caché password rules (i.e. what constitutes a valid password definition) that the "Pattern Matching" logic is what is getting leveraged under the covers to enforce the "A Password Must conform to X" rule. I was hoping that people could share some more sophisticated pattern matching rules. (in particular, I was wondering what a rule that would require non-repeating mixture of letter, numbers, & punctuation of an overall minimal size)
Has anyone ever used the LogoutAll method in the %CSP.Session class successfully? I'm wondering what I need to do to use it.
Thanks,
Laura
This post is meant to provide a quick possible explanation for a very perplexing problem.
Scenario: You’ve just created your own administrative user in your 2014.1 (or later) instance of Caché. You gave it every possible security role (including %All), so it should in theory be able to do anything within the instance.
You’ve written a very advanced routine with a break command in it for debugging:
MyTestRoutine
set ^MyInitGlobal = 1
write "Hello, my name is..."
break
write "Steve"
quit
How can we make sure that the Cache userid passwords are encrypted on storage? We want to make sure that the Cache passwords cannot be decrypted - how can we ensure that?
Is there any method or routine available to export and import the user roles and the sql table and sql procedures associated with each role?
Thanks for all replies in advance.
Is it possible to modify a users security from a batch script? If it is possible can someone point me to some examples or documentation?
I have a list of about 100 MPI IDs that I would like to run a report on. I want to list times that any data for these patients were accessed. Currently in "Managed Reports" we have a "Disclosure Report" which I think was a custom development effort, but it is per-patient.
I have a SQL query for the ATNA log but I'm not confident in its accuracy, so I thought I'd reach out and see how other Information Exchange's might get this data.
I know %CSP.Daemon is supposed to clean up old CSP sessions (?). In my management portal, under System/ License Usage, I see 33 "Units" used (and there are 33 licenses in use), but usernames from old IP address and that are not being used. Their active times are often in the millions of seconds. They are not "on" the system right now.
At most, only 3 users are on the system right now.
Are these supposed to be cleaned up? Can I clean them up programmactially, and how would I know if they're not active?
Thanks,
Laura
We are currently performing encryption at the OS level but it makes storage expansion complicated. Any feedback on OS encryption vs. Ensemble? Pros/Cons. We will have CentOS7 on our new server.
Thanks
We had a major problem recently where a participant was sending unexpected data. It was not enough to throw an error or warning in the actual trace, but when examining the message in the viewer it did show the following:
Build Map Status = 'ERROR <EnsEDI>ErrMapSegUnrecog: Unrecognized Segment 4:'CON' found after segment 3 (CON)'
How can I query for these or be notified of them? This caused major ramifications but we did not notice it. I have Managed Services investigating but I want to cover all my bases.
Hi,
Assume an architecture where an ECP Database Server is connected to by one or more ECP Application Servers inside a firewall.The application server hosts the web application that web users connect to.
The Web servers are outside the firewall, and, (using the CSP gateway/server mechanism) issue requests over the SuperServer port and into the application server.
I know that the traffic between the Web Server and the ECP application server can be encrypted using HTTPS, and access to the CSPServer on the Application server is username/password secured.
Hi!
I am trying to create a %Installer script and I noticed from our documentation that %Installer's <CSPAuthentication> will only accept:
<CSPApplication> Optional; within <Namespace>. Defines one or more CSP applications; the supported authentication flags are 4 (Kerberos), 32 (Password), and 64 (Unauthenticated).
Is "Delegated" authentication supported? What is it's code?
Kind regards,
Amir Samary
Presenter: Rich Taylor
Task: Use an LDAP schema that differs from the provided default
Approach: Give examples of customized LDAP schema development, using LDAP APIs and ZAUTHORIZE
In this session we explore the various options of for working with LDAP as an authentication and authorization framework. We will look beyond the simple LDAP schemas into working with more complex LDAP configurations that incorporate application level security information.
Content related to this session, including slides, video and additional learning content can be found here.
Presenter: Andreas Dieckow
Task: Securely store sensitive information
Approach: Give examples of data-at-rest encryption and data element encryption
Description: In this session, InterSystems will showcase how to use API calls to programmatically do everything using your own scripts. This approach is highly effective if you have recipe based settings and configurations that you would like to roll out in a controlled and fast fashion.
Problem: Implement Security relevant information correctly and how. Examples are Credit Card information, Sensitive information (e.g. SSN, Classified Information)
Solution: Data-at-rest encryption and data element encryption
Content related to this session, including slides, video and additional learning content can be found here.
Presenter: Andreas Dieckow
Task: Apply SQL security to multiple servers in a distributed system
Approach: Provide code samples for using new API calls to apply SQL security statements to multiple instances of our products
Description: The requirement that started at all. See examples on how to use this new feature and integrate it into your application by discuss code examples.
Problem: SQL Security is local to the instance and most of time driven by customer application code. That it is only local to the instance and is not automatically going to other instances requires a solution.
Solution: With application code use new API calls to issue SQL security statements that is applied to multiple instances.
Content related to this session, including slides, video and additional learning content can be found here.
Presenter: Saurav Gupta
Task: Provide customized authentication support for biometrics, smart cards, etc.
Approach: Provide code samples and concept examples to illustrate various custom authentication mechanisms
Description: In this session we will discuss customized way to solve various authentication mechanism and show case some sample code.
Problem: Using custom Authentication mechanism to support devices like biometrics, smart cards, or create an authentication front end for existing applications.
Solution: Code samples and concept examples.
Content related to this session, including slides, video and additional learning content can be found here.
At the end of this year support for OpenSSL 1.0.1 will end. InterSystems has started the process to move to OpenSSL 1.0.2 and use the 1/28/2016 release (1.0.2f) for verification and product inclusion. I will update this post once InterSystems decided which versions will receive support for OpenSSL 1.0.2.
I need to perform additional checks before Cache user logins (let's say in a terminal for simplicity) and allow access only to those, who passed them. How do I do it?
After reading about delegated authentication in docs I created this ZAUTHENTICATE routine:
ZAUTHENTICATE(ServiceName,Namespace,Username,Password,Credentials,Properties) PUBLIC { #include %occErrors #include %occStatus quit $$$ERROR($$$GeneralError,"No access") }and set Password and Delegated as Allowed Authentication Methods in %Service_Console (it's a windows install)
Expected result: no one can login via the terminal
In preparation for a presentation I need a real-world LDAP schema that has been customized a bit beyond the basics. Perferably this would be based on an OpenLDAP system which would make it easier to merge into this presentation.
If you have such a schema you would be willing to share please respond or contact my directly at Rich.Taylor@InterSystems.com
Thanks in advance.
Rich Taylor
I'm interested in different approaches on how to store user data in Caché. I'm assuming that application uses Caché security/Caché users and not a self-made authentication system.
Several approaches, I'm familiar with:
There seems to be little point to journal audit db updates; why rollback an audit entry for an attempted update?
I’m working on some auditing code and I have a few questions (feel free to respond regarding 2016.1 or later).
Introduction
If the administrators responsible for securing applications had their way, passwords would be long complex strings of random symbols, and users would memorize different passwords for every application they use. But in the real world, few people are capable of such prodigious feats of memory. The typical user can only remember a handful of relatively short passwords.
Using Intel® Advanced Encryption Standard New Instructions with InterSystems Caché Substantially Improves Encryption Performance and Reduces Computational Overhead
Executive Summary
Introduction