For the last few versions, I have noticed that Web Applications have had some support for JWT Authentication.
Hello,
I need a way to securely store credentials in IRIS that are used to access third-party APIs. These credentials include different clientId/secret pairs that I don't want to expose. While I know that it's possible to define Production Credentials in Ens.Config.Credentials, I understand that they are stored in plain text.
Does anyone have an idea of how to securely store credentials in IRIS? For your information, I am using IRIS with docker-compose and I am wondering if using HashiCorp Vault together with IRIS could be the solution. Has anyone used Vault before with their IRIS installations?
I created a .NET API to connect to an IRIS database to do some tasks.
"InterSystems.Data.IRISClient.dll" (Native API) is used in the .NET API to connect to IRIS.
I used the following code in .NET to open and close the IRIS connection.
Open Connection
---------------------------
IRISConnection iRISConnect = new IRISConnection();
IRISCommand command = new IRISCommand();
iRISConnect.ConnectionString = "Server=xxxx.com; Port=1972; Namespace=aaa; Password=yyyy; User ID=xxxxxx;";
IRIS NativeAPI = IRIS.CreateIRIS(iRISConnect);
iRISConnect.Open();
Connection Close
--------------------------
command.
I'm currently fighting with SoapUI to get the HS WSDLs imported.
My first issue is, the IRISUsername and IRISPassword parameters don't seem to work.
I've tried the following URL:
https://ifwap0661.ad.klinik.xxxyyy.de/ucrdev/csp/healthshare/hsreposito…
result:
Error loading: org.apache.xmlbeans.XmlException: org.apache.xmlbeans.XmlException: error: The entity name must immediately follow the '&' in the entity reference.
Not entirely sure what is happening here.
Hello community,
In addition to HL7 V2 interfaces mediated via TCP/IP, we have been implementing more and more HS.FHIRServer.Interop.Service based services that are addressed via port 57772.
We would like to secure access to the Management Portal now and have come up with a procedure that I would like to discuss.
1. The local server firewall only allows access to port 57772 for the IPs of the administration PCs (and some few other exceptions).
2. A REST service is introduced for access to FHIR endpoints, which listens on a different (accessible) port.
Hello,
I have my server set up as a resource server. When a user calls our API they submit a bearer token as authorization, and in our dispatch class AccessCheck() we validate the JWT using ##class(%SYS.OAuth2.Validation).ValidateJWT().
If I include a scope to check in that method I get the error "Scope check may only be done on requesting client" and I'm not sure what this means. The method works without including the scope and will let me know if I have an unsigned token or an expired token.
I noticed that the implementation of the method calls Set token=##class(OAuth2.AccessToken).Open(accessToken,.sc)
Hi,
I am trying to connect to another server using %Net.HttpRequest.
I keep getting this error: SSL23_GET_SERVER_HELLO:unsupported protocol.
My guess is that the site I am reaching for uses TLS 1.3, which is not supported in 2016, but I can't ask my client to upgrade right now.
Is it possible to override this? Install some kind of patch or a more recent version of OpenSSL on the server?
Thanks
Amiram
The InterSystems PKI is for testing purposes only. Do not use it in a production setting.
As of today March 26, 2024, the InterSystems PKI is now deprecated.
Hello everyone,
I am looking for the syntax or the way to use a class created in the "BNA" Namespace (my application) from the %SYS Namespace.
Here is the context:
I have a "BNA" application contained in the "BNA" namespace; this application provides a user-creation feature. This feature creates the user both in a table in the application and in the IRIS system.
I created an initialization script for my database to be able to reset it at will; this script starts by emptying the database of this data, then initializes the basic data.
In the WRC, we often see customers contact us because they have been provided with a .PPK file for use with SFTP connections, but they don't know how to use that key within InterSystems IRIS. This article will explain why this represents such a problem, and explain how to use the .PPK key to generate a private/public key pair in a format recognized by InterSystems IRIS.
The Problem:
You are trying to use InterSystems IRIS to connect to a remote SFTP server. The SFTP Server admins have provided you with a key file saved in .
I saw that IRIS has some built-in %SYSTEM.Encryption functions, but what should we do when we encounter AES/ECB/PKCS5Padding encryption? I wonder if there is a good solution?
I have recently been applying encryption and saw that the platform has the built-in %SYSTEM.Encryption with some built-in functions, but in the course of applying it I ran into AES/ECB/PKCS5Padding encryption. How should we handle this? Is there a good solution?
The %CSP.Login class is the utility class provided by InterSystems IRIS to do custom login pages. If you want to control your IRIS application authentication UI, you must extend %CSP.Login and override some methods according to your needs. This article is going to detail those methods and what you can do with them. In addition to that, you will get an explanation of the delegated authentication mechanism provided by ZAUTHENTICATE.mac routine.
“I have been waiting for thirty seconds for service. This is outrageous! I am leaving!”
“I am very sorry to hear that, sir. Perhaps, next time, you should make a reservation.”
If you heard that comment at your favorite restaurant, you would think the person saying it was being ridiculous. However, in the context of your API, it makes perfect sense. Just like your favorite eatery, your API has some regular patrons who, as you know, will be visiting one day or another. It would be great to be able to make a standing reservation for them as well.
It will involve a couple of IRIS fundamentals.
Hi Developers,
Watch this video to learn the different roles in OAuth 2.0, scopes, tokens, important authentication flows/grant types, and more:
Is it possible to authenticate an xDBC (ODBC/JDBC) connection to InterSystems IRIS via (a 3rd party) OAuth server?
For REST APIs this is possible, but could this be achieved with OAuth?
Out of the box, the ODBC/JDBC drivers don't seem to have this option, but maybe some custom code could enable this? Perhaps via Delegated Authentication and some customization of the OAuth classes, or some other way?
Has anyone done this already and can share how it was implemented, or someone with some guideline suggestions?
Lately my group has been seeing issues when signing in through the Management Portal or VS Code: we are getting "Service Unavailable" errors returned to us. We recently migrated away from using the PWS to using Apache/InterSystems Web Gateway, and from Delegated Authentication to LDAP.
I have been on the hunt to find out where the problem might lie. When I run the "Test LDAP Authentication" from within the Management Portal, eventually I receive a response after getting a couple of timeouts while waiting for the response.
Authenticated user roth16 10 times in 26.177111 seconds - 0.
When defining a server connection in Atelier we are required to enter a username and password because these are mandatory fields in the dialog. However, if the /api/atelier web application definition on that server has only the "Unauthenticated" checkbox set in the section titled "Allowed Authentication Methods", then our Atelier connection will succeed even if we supply an invalid username and/or password.
The ideal number of table permissions to assign for your users is zero. Permissions should be granted upon sign-in based on the application used for access. For web applications, we have a simple way of doing this by appointing application roles, matching roles, and required resources in the System Management Portal.
ODBC and JDBC connections present a different problem, however, especially when third-party applications are involved. As providers of an ERP system, our customers often wish to be able to employ various software packages to integrate with or report on their data. Many of these programs are capable of running any kind of query. Yet, letting them do that can be devastating to a customer’s data.
So far, we have covered how to use ObjectScript to manage users, roles, resources, and applications. There are a few other classes in this package that work similarly to the ones mentioned above. However, these four classes are the ones everyone will have to use to manage their application security. Suppose you wanted to create your own Security management portal for this package. There would be some specific issues to think about for an API. Since the classes use similar methods, we can create fewer API endpoints using indirection.
All FHIR resources have a Meta element containing metadata about the resource. Some attributes are updated by the server, others are populated by the app constructing the resource.
1. versionId
This is an ID that identifies a saved version of the resource on the FHIR server. Many servers use a GUID here, others use an integer. But it’s a string value, so don’t write code against this assuming a sequential integer, regardless of what the server does.
2. lastUpdated
The date and time that the resource was last updated, populated by the server.
When it comes to the data platform (not the user-facing application), most of the events of interest or required events are available out of the box as predefined system audit events in the audit log. They just need to be enabled.
Hi,
Our application needs to create system users from a request form.
To use Security classes, it is necessary to have rights to use the %SYS namespace, which is not the case for users who validate requests.
It is not desirable for these users to have this role permanently, so I proceeded as follows:
I created a facade class for the Security.Users, Security.Roles, Security.
Hi community,
I've set up a local FHIR server via the framework functionality and set a service config name for the created endpoint, since I plan to use a production-based FHIR server. I've created an additional resource "FhirClientRessource" and role "FhirClientRole" as well as a user named "FhirClient". The Role resource "FhirClientRessource" is set as "required resource" in the FHIR server configuration page. The user "FhirClient" is a member of the Role "FhirClientRole", which in turn holds RWU privileges on the "FhirClientRessources".
The user itself does not have the %All Permission.
I have a case where the Active Directory Service Account passwords will be changed periodically every 3 months, and the changes are shared via the LastPass application, which requires logging into the app to retrieve the new password and manually entering it into the Interoperability Credentials configuration or the Service Registry.
> Is there a way to retrieve the password automatically?
In this case the organization plans to use gMSA (Group Managed Service Account) and BeyondTrust for setting up new password in the future.
How have people dealt with this?
I was recently asked whether we have a function to convert LDAP date time stamps into $HOROLOG format or other formats and the answer is not at the moment, but there is a simple method to do the conversion.
Let us look at the facts and figures involved...
Will it hurt anything if I disable the user that installed IRIS, within IRIS? Does this cause a problem with background processes running or with the restart? I know the _Ensemble user is used to start/stop/restart objects within IRIS, just didn't see anything in the documentation about the user that installed IRIS.
Thanks
Scott
We are back to %SYS once again! Since we covered managing users and resources in the last two articles, we can finally move on to roles. As you may have guessed, there are a lot of methods of managing them that you have already seen in our previous writings. However, we can still encounter key differences in this particular class.
Before we begin, bear in mind that this is another class that should not be manipulated through direct SQL access. In newer versions of IRIS, you will find a NoSQL trigger that will prevent you from doing that anyway.
I recently started work on trying to tighten security in our Development Instance of IRIS based on recommendations from our Audit, as you might have seen from my other posts. I am currently trying to get into the Private Web Gateway Manager within IRIS as CSPSystem, but when I attempt to sign in nothing happens.
I went through and reset the password in the CSP.ini and within IRIS for CSPSystem. I made sure it had the new GatewayRole per suggested
I am trying to lock down security within our Development environment per requirements from a Security Audit that was done earlier this year. I need to try to limit access at a public level, access to cache users, and exposure.
I installed IRIS with the Lockdown method, and have configured my web applications, services, resources, etc.
When I go into my namespace, I am constantly presented with the following error when I try to start or stop an Object...
Cannot login as IRIS manager. Please confirm the '_Ensemble' user is enabled and is assigned the '%All' role.
My original ZAUTHENTICATE.mac for Delegated sign-on did not include GetCredentials(); however, I am being told it probably should have it, so I can eliminate an error I am seeing when trying to troubleshoot ZAUTHENTICATE. I am trying to add the GetCredentials() from the documentation to the existing ZAUTHENTICATE.mac, but I am getting an error:
GetCredentials(ServiceName,Namespace,Username,Password,Credentials) Public {
// For console sessions, authenticate as _SYSTEM.If
ERROR: ZAUTHENTICATE.int(74) #1044: PUBLIC label not allowed : 'Public' : Offset:74 [GetCredentials^ZAUTHENTICATE]