Hi,

Has anyone tried to call Security.Users class (in %SYS namespace) for creating or editing users from a shell script (or any programming language)?

If yes, can you please share your code?

We are trying to automate some stuff and would like to know how this worked for others.

Thanks,

Bharath Nunepalli.

1 7
0 231
Article
Daniel Kutac · Feb 11, 2019 4m read
Using Oauth2 with SOAP (Web)Services

Hi guys,

Couple days ago, a customer approached me with the wish to enhance their existing legacy application, that uses SOAP (Web)Services so it shares the same authorization with their new application API based on REST. As their new application uses OAuth2, the challenge was clear; how to pass access token with SOAP request to the server.

After spending some time on Google, it turned out, that one of possible ways of doing so was adding an extra header element to the SOAP envelope and then making sure the WebService implementation does what is needed to validate the access token.

6 1
1 8,136

In this 3-part series of articles, is shown how you can use IAM to simply add security, according to OAuth 2.0 standards, to a previously unauthenticated service deployed in IRIS.

In the first part, was provided some OAuth 2.0 background together with some IRIS and IAM initial definitions and configurations in order to facilitate the understanding of the whole process of securing your services.

4 0
0 749
Question
Daniel Lee · Mar 24, 2020
Cannot type password in Terminal

I just tried to log into our QA server and connect to Terminal (v 2013.1).

I can type in my username but when I attempt to type my password, no characters are typed. When I press ENTER the password is invalid.

I can connect to the management portal and the studio development environment without any problems. Also, I do not have this problem when connecting to the terminal in our production environment (2010).

Does anyone know what can cause this type of problem?

Thanks.

0 2
0 208

I am attempting to pragmatically create a bunch of roles and then assign the appropriate resources to that role.

Currently, the only ways to add resources to a role are to:

1. Do through Management Portal

2. Go through ^SECURITY (add resource one at a time)

My Intention would be to do the following: do ^SECURITY Role Setup Edit Role When prompted for resources to add, be able to use *

0 2
0 190
Question
Randall Hiser · Mar 13, 2020
List All Available Resources

Maybe I haven't seen anything about it in the documentation, but why isn't there a way to list all the Resources from the %SYS namespace from a class rather than through ^SECURITY

Thinking maybe something like this:
##Class(Security.Resources).ListAll(.result)

0 1
0 213
Article
Peter Steiwer · Mar 2, 2020 2m read
SQL -99 error while viewing a listing

This error is sometimes seen while viewing a listing in InterSystems IRIS Business Intelligence:
ERROR #5540: SQLCODE: -99 Message: User <USERNAME> is not privileged for the operation (4)

As the error suggests, this is due to a permission error. To figure out which permissions are missing/needed, we can take a look at the SQL query that is generated. We will use a query from SAMPLES as an example.

1 0
0 427
Question
Orlando Lagman · Jan 16, 2020
debugging web client

I used the soap wizard to create a web client based on the wsdl. I was able to get a valid response back, and now it looks like the error is in decrypting the soap message response "inbound"

ERROR #6284: Security header error: SecurityTokenUnavailable.

0 1
0 358

Hello,

I am working on Ensemble 2017.2.1 .
I need to export my security settings into an extern database, in order to make a report.

I've created a Business Operation with an SQL Adapter into a Namespace, but I don't know how to get every security data from "%SYS" Namespace ( SQLPrivileges , Resources , Roles , Services , Users ... ).

I dont't want to use the terminal and the ^SECURITY routine, because i don't want to store a XML file on the server.

0 2
0 196

Cache / Ensemble version 2016.2.2.853.0

I have a need to restrict ODBC access to certain users to prevent unwanted access to our cache database.

We have a limited number of legacy applications that use ODBC to connect to read data and are currently not in a position to have these amended any time soon so in the interim, I am hoping someone will be able to provide me with some assistance.

Any suggestions on where to start?

0 1
0 331

InterSystems Data Platforms products allow you to export and import security settings in two different ways.

This article talks about those options:
- On the command line, using ^SECURITY
- Programmatically, using the Export and Import methods of classes in the Security package

Exporting settings on the command line (^SECURITY)

You can export everything or individual sections of the security settings.

4 4
0 1,321

OAuth server to be deployed on the IRIS learning cloud platform. Clients - one on the other instance of the learning IRIS server, the other client locally on my computer in the container docker.

Both clients get a seemingly correct link (through ##class(%SYS.OAuth2.Authorization).GetAuthorizationCodeEndpoint()) to the login request form:

1 3
1 577

The .NET Core Identity model has an IPasswordHasher<> interface for for

  • Hashing a password so that it can be stored in a database
  • Verifying a provided plain-text password matches a previously stored hash.

I am getting invalid password errors during the login process when the .NET Core Identity model computes a hash from a plain text input and compares it to a password hash value I've returned from Caché. The default hashing algorithm is PBKDF2 with HMAC-SHA256, 128-bit salt, 256-bit subkey, and 10,000 iterations (detailed article on .NET Core Identity PasswordHasher). The algorithm Caché uses is probably different which may be why I am getting errors.

0 6
1 1,686

I would like to allow some departmental user to view the ensemble portal. I want to make sure they are not allowed to do any changes (like stop and start interfaces from portal)

I have created one userbut limited with SQL privilages. But using this account, the portal view is not accessible.

It would be appreciated if anyone can adice me on this. I know this may be a silly question.

Regards,

Bava

0 1
0 169

Just wondering if anyone knows if there is a way to get daily emails or alerts about changes to a cache database. I know that all of that information is contained within the journal files, just wondering if there is a way to bundle it up each day and send it off for auditing, etc.

Any solution where a plain-text/readable format of changes to the cache database could be sent or stored for review would solve the issue.

Thanks!

0 3
0 326
Article
David Crawford · Jul 31, 2019 2m read
Anti CSRF Methods

IRIS provides us with anti login CSRF attack mitigation, however this is not the same as a CSRF attack, as login attacks only occur on the login form. There are currently no built-in tools to mitigate CSRF attacks on api calls and other forms, so this is a step in mitigating these attacks.

See the following link from OWASP for the definition of a CSRF attack:

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

4 5
1 525

Presenter: Dan Kutac
Task: Use a common login identity and a central mechanism of authentication across environments from multiple entities
Approach: Provide examples and code samples of an application environment using OpenID Connect and OAuth 2.0

Description: In this session we will demonstrate an application environment using OpenID Connect and OAuth 2.0. Hear how this is done and what options you have; and yes, you get to keep the code.

Problem: How to use a a common login identity (e.g. Facebook credentials) and a central mechanism of authorization cross environments from multiple entities.

Solution: Create awareness and interest in using OAuth 2.0

Content related to this session, including slides, video and additional learning content can be found here.

0 2
0 631

Hello,

I have a very simple web service that I'd like to secure via SAML Authorization with X.509 Certificates. I am, however struggling with documentation and my lack of cryptographic skills. (I do this just for educational purposes now, but need to use it in the future)

Does anyone have an example that shows how to construct a SOAP Client with adding all necessary security headers manually or point me to a decent learning resource?

Thank you very much!

2 1
2 981

Hello experts,

I'm new to InterSystems software and still not so familiar with it. Therefore I do apologize in front if this question is irrelevant, not making sense or answer is commonly known.

I've did my best in search for answer, but unfortunately i haven't found anything helpfull. So I decided to ask for help here.

My problem is repetitive error which occure in CSP Gateway event log :

Error Condition: Failed to read posted content from the client (Content-Length: 1404; Data Actually Read: 0; Read Error: 70007)

0 1
0 328

Hello everyone smiley

I have a server configuration in a CSP Gateway installed on a PC (let's call it S2) different from the main one (let's call it S1). This configuration allows me to access a web application that is installed on S1, from a client C asking S2 for this webapp. But for now it works only in HTTP between C and S2, and we would like to use HTTPS (as it already works between S2 and S1).

1 8
0 1,345

Hi,

I am trying to create a user role which shall allow users the access to only one specific namespace in an Ensemble system. I´ve startet creating the namespace with a database (with own ressource and no public access). In the second step I´ve created a role by copying it from the predefined role %Developer and assigned the ressource of the created database. After that i´ve created a user and assign him to the created role.

0 2
0 395

Hello everyone,

I'm using Atelier 1.3. When we configure a server and use HTTP to connect, works fine. But when we activate the Secure connection option I get the Unregonized SSL message, plaintext connection?

Do I need to perform any configuration on my server so that Atelier can access a secure connection?

0 6
1 360