Security

I'm currently re-engineering an application from CSP pages directly accessing COS Methods, to an Angular/Material front end accessing a REST DAL.  Both the Angular front end and REST services are hosted from the same Caché instance and the same namespace, but the REST services have their own CSP application, with all calls being routed through a Dispatch class.  

Last answer 5 January 2017 Last comment 5 January 2017

When using Studio, ODBC or a terminal connection to Caché or Ensemble, you may have wondered how to secure the connection. One option is to add TLS (aka SSL) to your connection. The Caché client applications - TELNET, ODBC and Studio - all understand how to add TLS to the connection. They just need to be configured to do it.

Configuring these clients is easier in 2015.1 and later. I'm going to be discussing this new method. If you're already using the old method, it will continue to work, but I would recommend you consider switching to the new one.


Hi -

I know that when specifying Caché password rules (i.e. what constitutes a valid password definition), the "Pattern Matching" logic is what is being leveraged under the covers to enforce the "A Password Must conform to X" rule. I was hoping that people could share some more sophisticated pattern matching rules (in particular, I was wondering what a rule would look like that requires a non-repeating mixture of letters, numbers, and punctuation of an overall minimum size).

Last answer 24 November 2016 Last comment 28 November 2016

I was recently asked whether we have a function to convert LDAP date time stamps into $HOROLOG format or other formats and the answer is not at the moment, but there is a simple method to do the conversion.

Let us look at the facts and figures involved...

1) Active Directory's (AD) date 0 (zero) is 1601-01-01 00:00:00.000 or January 1st, 1601 at midnight (00:00:00)

2) AD timestamps are calculated as the number of 100 nanosecond intervals from date 0

3) 864000000000 is the number of 100 nanosecond intervals per day

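The three facts in the post above are enough to write the conversion. The following is an added example in Python (not an ObjectScript routine and not code from the post): it derives the day offset between the AD epoch (1601-01-01) and the $HOROLOG epoch (1840-12-31) instead of hard-coding it, and treats the two Active Directory sentinel values for attributes such as accountExpires (0 and 0x7FFFFFFFFFFFFFFF, both of which mean "never") as a special case rather than turning them into nonsense dates. The sample timestamps are constructed; 116444736000000000 is the AD value for 1970-01-01T00:00:00Z.

```python
"""Convert Active Directory / LDAP 100-nanosecond timestamps to Caché $HOROLOG.

Added example (Python, not ObjectScript). It applies the three facts from the
post: AD date 0 is 1601-01-01 00:00:00, a timestamp counts 100 ns intervals
since then, and there are 864000000000 such intervals per day. $HOROLOG is
"days,seconds" with day 0 = 1840-12-31.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

AD_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)         # AD date 0
HOROLOG_EPOCH = datetime(1840, 12, 31, tzinfo=timezone.utc)  # $HOROLOG date 0
INTERVALS_PER_SECOND = 10_000_000        # 100 ns intervals in one second
INTERVALS_PER_DAY = 864_000_000_000      # 100 ns intervals in one day (fact 3)

# Days between the two epochs, derived rather than typed in: 87657.
EPOCH_OFFSET_DAYS = (HOROLOG_EPOCH - AD_EPOCH).days

# Documented AD conventions for accountExpires and friends: both mean "never".
AD_UNSET = 0
AD_NEVER = 0x7FFF_FFFF_FFFF_FFFF


def ad_to_horolog(ad_timestamp: int) -> Optional[str]:
    """Return the timestamp in $HOROLOG form "days,seconds", or None for the
    'never' sentinels. Sub-second precision is dropped, as $HOROLOG has none."""
    if ad_timestamp in (AD_UNSET, AD_NEVER):
        return None
    if ad_timestamp < 0:
        raise ValueError("AD timestamps are non-negative 64-bit integers")
    days = ad_timestamp // INTERVALS_PER_DAY - EPOCH_OFFSET_DAYS
    seconds = (ad_timestamp % INTERVALS_PER_DAY) // INTERVALS_PER_SECOND
    return f"{days},{seconds}"


def ad_to_datetime(ad_timestamp: int) -> Optional[datetime]:
    """Same conversion, but to a timezone-aware UTC datetime (keeps microseconds)."""
    if ad_timestamp in (AD_UNSET, AD_NEVER):
        return None
    return AD_EPOCH + timedelta(microseconds=ad_timestamp // 10)


def horolog_to_ad(horolog: str) -> int:
    """Inverse conversion: "days,seconds" -> AD 100 ns timestamp."""
    days_s, _, secs_s = horolog.partition(",")
    days = int(days_s) + EPOCH_OFFSET_DAYS
    seconds = int(secs_s or 0)
    return days * INTERVALS_PER_DAY + seconds * INTERVALS_PER_SECOND


if __name__ == "__main__":
    # Constructed sample values: the Unix epoch, an arbitrary 2016 timestamp,
    # and the "never expires" sentinel.
    for value in (116444736000000000, 131245776000000000, AD_NEVER):
        print(value, ad_to_horolog(value), ad_to_datetime(value))
```

When reading pwdLastSet, lastLogonTimestamp or accountExpires from AD, check for the sentinels first; a naive division turns 0x7FFFFFFFFFFFFFFF into a date roughly 29,000 years in the future and 0 into the year 1601, and either will quietly pass an "is the account expired?" comparison.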

This post is meant to provide a quick possible explanation for a very perplexing problem.

Scenario:  You’ve just created your own administrative user in your 2014.1 (or later) instance of Caché.  You gave it every possible security role (including %All), so it should in theory be able to do anything within the instance.

You’ve written a very advanced routine with a break command in it for debugging:

Last comment 1 November 2016

I have a list of about 100 MPI IDs that I would like to run a report on.  I want to list times that any data for these patients were accessed.  Currently in "Managed Reports" we have a "Disclosure Report" which I think was a custom development effort, but it is per-patient.

I have a SQL query for the ATNA log but I'm not confident in its accuracy, so I thought I'd reach out and see how other Information Exchanges might get this data.

Last answer 11 October 2016 Last comment 12 October 2016

I know %CSP.Daemon is supposed to clean up old CSP sessions (?).  In my management portal, under System/License Usage, I see 33 "Units" used (and there are 33 licenses in use), but the usernames are from old IP addresses and are not being used.  Their active times are often in the millions of seconds.  They are not "on" the system right now.

At most, only 3 users are on the system right now.

Are these supposed to be cleaned up?  Can I clean them up programmatically, and how would I know if they're not active?

Thanks,

Laura

Last answer 9 September 2016 Last comment 9 September 2016

Question:

What version of Caché supports TLS v1.2? 

Answer:

Caché 2015.2 announced support for TLS v1.1 and v1.2.  In this version, the SSL/TLS configuration page provides checkboxes for TLS v1.1 and v1.2, which allows the versions to be configured individually.  This allows sites to, for example, require TLS v1.2 only.

Additionally, some earlier versions of Caché provide undocumented support for TLS v1.1 and v1.2, specifically Caché 2014.1.3 and above and 2015.1, on Windows, Linux and Unix.

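Whether you have just enabled TLS on a client connection (the TLS for Telnet/ODBC/Studio post earlier on this page) or ticked only the TLS v1.2 box on the SSL/TLS configuration page as the answer above describes, the check a practitioner wants is an external one: does the listener actually refuse the older versions? The following is an added example in Python, not InterSystems code. It pins one handshake per protocol version against a host and port (the hostname and the SuperServer port 1972 are assumed placeholders; point it at whichever port you put TLS on) and reports what the server negotiated; assess() is a pure function that flags any accepted version below the floor you intended, so the policy logic can be checked without a network.

```python
"""Probe which TLS protocol versions a Caché/Ensemble TLS endpoint accepts.

Added example, not InterSystems code. Certificate trust is deliberately not
checked here: the question is protocol policy, not identity.
"""
import socket
import ssl
from typing import Dict, List

HOST = "cache.example.internal"   # assumed hostname
PORT = 1972                        # assumed: default Caché SuperServer port

# Ordered oldest to newest; assess() relies on this order.
VERSIONS = {
    "TLSv1":   ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def offers_version(host: str, port: int, version: ssl.TLSVersion,
                   timeout: float = 5.0) -> bool:
    """True if the server completes a handshake pinned to exactly `version`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE      # protocol test only, not a trust test
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        if version < ssl.TLSVersion.TLSv1_2:
            # Modern OpenSSL builds refuse legacy versions at the default
            # security level; lower it so the *server's* policy is what decides.
            ctx.set_ciphers("ALL:@SECLEVEL=0")
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError, ValueError):
        # Handshake failure, refused connection, or a version this client
        # build cannot even offer: all count as "not accepted".
        return False


def probe(host: str = HOST, port: int = PORT) -> Dict[str, bool]:
    """One pinned handshake per version; returns {name: accepted}."""
    return {name: offers_version(host, port, v) for name, v in VERSIONS.items()}


def assess(results: Dict[str, bool], minimum: str = "TLSv1.2") -> List[str]:
    """Names of accepted versions older than `minimum`. Empty list = policy holds."""
    order = list(VERSIONS)
    floor = order.index(minimum)
    return [name for name in order[:floor] if results.get(name)]


if __name__ == "__main__":
    found = probe()
    for name, ok in found.items():
        print(f"{name:8} {'accepted' if ok else 'refused'}")
    weak = assess(found)
    print("policy OK" if not weak else f"downgrade possible: {', '.join(weak)}")
```

Run it from a machine that is allowed to reach the port; a "refused" for TLSv1 or TLSv1.1 is the result you want after restricting the configuration to v1.2. If every version is refused, check first that TLS is enabled on that listener at all, since a plaintext listener fails every pinned handshake identically.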

We had a major problem recently where a participant was sending unexpected data. It was not enough to throw an error or warning in the actual trace, but when examining the message in the viewer it did show the following:

Build Map Status = 'ERROR <EnsEDI>ErrMapSegUnrecog: Unrecognized Segment 4:'CON' found after segment 3 (CON)'

How can I query for these or be notified of them?  This caused major ramifications but we did not notice it.  I have Managed Services investigating but I want to cover all my bases.

Last answer 14 July 2016 Last comment 13 July 2016

I am in need of a routine or class method to generate an Oauth 1.0 signature.  I was about to code this myself, but thought to check first to see if anyone has already done this and is willing to share.

Thanks in advance for any help.

[UPDATE  06/28/2016]

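For anyone in the same position as the poster, the algorithm itself (RFC 5849, HMAC-SHA1 method) is short enough to show in full. The following is an added example in Python, not a Caché routine and not code from the post: it builds the signature base string (method, normalized URI, and the sorted, percent-encoded parameters from the query, the body and the oauth_* set), signs it with `consumer_secret&token_secret`, emits the Authorization header, and includes the server-side verification with a constant-time comparison, which is the half people usually leave out. Consumer key, secrets, token, nonce and timestamp in the usage block are constructed values.

```python
"""OAuth 1.0 (RFC 5849) HMAC-SHA1 request signing and verification.

Added example in Python; not InterSystems code and not the poster's routine.
"""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Dict, Iterable, Optional, Tuple
from urllib.parse import parse_qsl, quote, urlsplit

Pairs = Iterable[Tuple[str, str]]


def pct(s: str) -> str:
    """RFC 5849 section 3.6 encoding: only ALPHA, DIGIT, '-', '.', '_', '~' stay bare."""
    return quote(str(s), safe="-._~")


def base_string_uri(url: str) -> str:
    """Lowercase scheme and host, drop default ports, strip query and fragment (3.4.1.2)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    if port and not ((scheme == "http" and port == 80) or (scheme == "https" and port == 443)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def normalize_params(pairs: Pairs) -> str:
    """Encode key and value, sort by key then value, join with '&' (3.4.1.3.2)."""
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method: str, url: str, params: Pairs) -> str:
    """method & enc(uri) & enc(normalized params); oauth_signature itself is excluded."""
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    all_params = [p for p in params if p[0] != "oauth_signature"] + list(query)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalize_params(all_params))])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    """Key is enc(consumer_secret) '&' enc(token_secret); token secret may be empty."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method: str, url: str, consumer_key: str, consumer_secret: str,
                 token: Optional[str] = None, token_secret: str = "",
                 body_params: Pairs = (), nonce: Optional[str] = None,
                 timestamp: Optional[int] = None) -> Dict[str, str]:
    """Client side: build the oauth_* parameter set including the signature."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }
    if token:
        oauth["oauth_token"] = token
    base = signature_base_string(method, url, list(oauth.items()) + list(body_params))
    oauth["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return oauth


def authorization_header(oauth: Dict[str, str], realm: str = "") -> str:
    """Serialize the oauth_* set as an 'Authorization: OAuth ...' header value (3.5.1)."""
    parts = ([f'realm="{realm}"'] if realm else []) + \
            [f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items())]
    return "OAuth " + ", ".join(parts)


def verify_signature(method: str, url: str, received: Dict[str, str], consumer_secret: str,
                     token_secret: str = "", body_params: Pairs = ()) -> bool:
    """Server side: recompute from the received parameters and compare in constant time.
    Nonce/timestamp replay checks are the caller's job and are not shown here."""
    params = [(k, v) for k, v in received.items() if k != "oauth_signature"] + list(body_params)
    expected = hmac_sha1_signature(signature_base_string(method, url, params),
                                   consumer_secret, token_secret)
    return hmac.compare_digest(expected, received.get("oauth_signature", ""))


if __name__ == "__main__":
    # Constructed sample request; none of these credentials are real.
    url = "https://api.example.com/1/statuses/update.json?include_entities=true"
    body = [("status", "Hello Ladies + Gentlemen, a signed OAuth request!")]
    oauth = sign_request("POST", url, "consumer-key", "consumer-secret",
                         token="access-token", token_secret="token-secret", body_params=body)
    print(authorization_header(oauth))
    print("verifies:", verify_signature("POST", url, oauth, "consumer-secret", "token-secret", body))
```

Two details that account for most interoperability failures: form-encoded body parameters must be included in the base string exactly as the query parameters are, and the percent-encoding is applied twice (once to each parameter, once to the whole normalized string), so "x y" ends up as `x%2520y` in the base string.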

Hi,

Assume an architecture where an ECP Database Server is connected to by one or more ECP Application Servers inside a firewall. The application server hosts the web application that web users connect to.

The Web servers are outside the firewall, and, (using the CSP gateway/server mechanism) issue requests over the SuperServer port and into the application server.

I know that the traffic between the Web Server and the ECP application server can be encrypted using HTTPS, and access to the CSPServer on the Application server is username/password secured.

Last answer 31 May 2016

Hi!

I am trying to create a %Installer script and I noticed from our documentation that %Installer's <CSPAuthentication> will only accept:

<CSPApplication>
Optional; within <Namespace>. Defines one or more CSP applications; the supported authentication flags are 4 (Kerberos), 32 (Password), and 64 (Unauthenticated).


Is "Delegated" authentication supported? What is its code?


Kind regards,

Amir Samary

Last answer 24 May 2016 Last comment 24 May 2016

Presenter: Rich Taylor
Task: Use an LDAP schema that differs from the provided default
Approach: Give examples of customized LDAP schema development, using LDAP APIs and ZAUTHORIZE

In this session we explore the various options for working with LDAP as an authentication and authorization framework. We will look beyond the simple LDAP schemas into working with more complex LDAP configurations that incorporate application-level security information.

 

Content related to this session, including slides, video and additional learning content can be found here.

Last comment 14 April 2016

Presenter: Andreas Dieckow
Task: Securely store sensitive information
Approach: Give examples of data-at-rest encryption and data element encryption

Description: In this session, InterSystems will showcase how to use API calls to programmatically do everything using your own scripts. This approach is highly effective if you have recipe-based settings and configurations that you would like to roll out in a controlled and fast fashion.

Problem: Implement security-relevant information correctly, and how. Examples are credit card information and sensitive information (e.g. SSN, classified information).

Solution: Data-at-rest encryption and data element encryption


Content related to this session, including slides, video and additional learning content can be found here.

Last comment 14 April 2016

Presenter: Andreas Dieckow
Task: Apply SQL security to multiple servers in a distributed system
Approach: Provide code samples for using new API calls to apply SQL security statements to multiple instances of our products

Description: The requirement that started it all. See examples of how to use this new feature and integrate it into your application by discussing code examples.

Problem: SQL security is local to the instance and most of the time driven by customer application code. That it is only local to the instance and is not automatically propagated to other instances requires a solution.

Solution: With application code, use new API calls to issue SQL security statements that are applied to multiple instances.


Content related to this session, including slides, video and additional learning content can be found here.

Last comment 14 April 2016

Presenter: Saurav Gupta
Task: Provide customized authentication support for biometrics, smart cards, etc.
Approach: Provide code samples and concept examples to illustrate various custom authentication mechanisms

Description: In this session we will discuss customized ways to solve various authentication mechanisms and showcase some sample code.

Problem: Using a custom authentication mechanism to support devices like biometrics or smart cards, or to create an authentication front end for existing applications.

Solution: Code samples and concept examples.

Content related to this session, including slides, video and additional learning content can be found here.


In preparation for a presentation I need a real-world LDAP schema that has been customized a bit beyond the basics.  Preferably this would be based on an OpenLDAP system, which would make it easier to merge into this presentation.

If you have such a schema you would be willing to share please respond or contact me directly at Rich.Taylor@InterSystems.com

Thanks in advance.

Rich Taylor

Last comment 17 February 2016