According to the Cambridge dictionary, tokenize data is "to replace a private piece of data with a token (= a different piece of data that represents the first one), in order to prevent private information being seen by someone who is not allowed to do so" (https://dictionary.cambridge.org/pt/dicionario/ingles/tokenize). Today, several companies, especially in the financial and healthcare sectors, are tokenizing their data as an important strategy to meet cybersecurity and data privacy (GDPR, CCPA, HIPAA and LGPD) requirements. But, why not use encryptation? The tokenization process to protect

Hi folks!

When I launch IRIS as a docker container instance, e.g. like this one:

docker run --name iris-sql -d --publish 9091:1972 --publish 9092:52773 intersystemsdc/iris-community

And then try to connect to it e.g. via irissqlcli it says I need to change the password:

irissqlcli iris://_SYSTEM:SYS@localhost:9091/USER

Password change required

I know that I can open Management portal http://localhost:9092/csp/sys/UtilHome.csp and change password manually, but is there a programmatic way?

Say if I have a password in a file and I can just provide it to docker instance for the change?

I know it is possible get the user using ##class(Security.Users).Get("username"), but I need to get a user by your email. How Can I get a user by email?

Hi guys, I defined a subclass to %CSP.Login and assigned csp/sys login page to this subclass:

But did not work, I get this error:

And more, the default %CSP.Login continues to be called to login when the user not logged yet
So, how can I do to replace the default %CSP.Login by my subclass?

Hi folks!

Lately (maybe last 2-3 years) I develop with IRIS exclusively in docker - so iris instance I use for compiling and running IRIS apps is local.

And most every time I enter password for management portal and web-apps. The same password every time. Sounds familiar?

Is there an easy way to have a parameter in docker build  for a "dev-mode" that will not ask me a password?

Foreword

InterSystems IRIS versions 2022.2 and newer feature a redesigned functionality for JSON web tokens (JWTs). Once housed under the %OAuth2 class package, the JWT class, along with other JSON web classes (JWCs), now live under %Net.JSON. This migration occured in order to modularize the JWCs. Before, they were closely intertwined with the implementation for the OAuth 2.0 framework. Now, they can be maintained and used separately from OAuth2.

Note: For backwards compatibility, the classes still exist under %OAuth2 package, but the codebase now uses %Net.JSON.

Hey Developers,

Enjoy watching the new video on InterSystems Developers YouTube:

⏯ InterSystems Security Development Lifecycle @ Global Summit 2022

Hi! recently I have to apply api-key validation to a web app with a lot of endpoints and I'm going to tell you how I did it in a centralized way.

I'm going to explain you how we can apply in a generic way (or not) api-key validation to all the endpoints of our web app.

For this feature I take as a template the class Base.cls of this repository iris-rest-api-template

I modified a bit this class to be able to check api-key security. The idea is that in your features you copy this class in your projects and you extend it for your own implementations.

I've been trying for a while now to get OS authentication working on IRIS running on Ubuntu 20.04 and subsequently 22.04. I have the following authentication methods enabled for %Service_Terminal:

• Operating System
• Password
• Operating System Delegated Authorization

And i have these options selected in Authentication/Web Session Options:

But when logging in via iris session <instancename> I am always prompted for a username and password. I am logged into the operating system with a username that matches my IRIS username, and the same configuration and login method works fine on Red Hat 8.5.

Recently i've been using Restforms2 to create a CRUD API for a project. But it lacks some advanced functionality that we need, so we have created a production with a REST WS which handles those advanced methods. That works great but there's a drawback, it does not have authentication. I would want to use the same authentication method as Restforms2 which is a basic auth using IRIS users and passwords. Searching for this, i have found a similar topic. It uses $SYSTEM.Security.Login(user, pass) in a similar manner to create a token. This works flawlessly if you use an account with all

Hi Community,

I am configuring new SSL Configuration for Gmail (For sending errors to gmail in ensemble production) by following the below steps.

Step1:

Step2:Giving the server address smtp.gmail.com

Step3:Giving the port number , I have tried giving 465,587,25 as port number still is not connecting 

Can anyone please tell me where i am doing wrong on configuration?

Thanks,

Saroja.A

At InterSystems, we believe in the responsible disclosure of recently discovered security vulnerabilities.  We provide timely information to our customers, while keeping it out of the hands of people that may misuse it. We also understand each customer has different requirements related to the resolution of security issues.

As we start 2023, we have made two significant changes to our approach to security vulnerability corrections that I’d like to highlight:

1. Security vulnerability patches will be included in every release
2. Improved customer notification

Hey Community,

Join this session to learn more about security-related topics, starting with the change to the OpenSSL libraries and the general distribution of third-party libraries with InterSystems products (e.g., Web Server):

⏯ Updates in Security @ Global Summit 2022

When creating a PRA (Privileged Routine Application; which by the way is not relevant just for Routines but also for Classes/Methods), it is important to make sure you include a new $ROLES, before calling AddRoles(). For example:

new$ROLESset status=$System.Security.AddRoles("MyPrivilegedRoutineApplication")

This way you ensure that indeed the added (elevated) roles "evaporate" for the User running this code, once the User is out of the scope of that routine/method.

[Thank you @Andreas Dieckow for validating this]

In our current UCR arhcitecture, we use two installations. We have one machine with Access, Registry and Edges and one machine with the ODS. On the machine with the Registry, I can create a user/clinician. When I log into the management portal with this user, a so-called delegated user is created in the cached users table. So far everything is going well. 

When I try the same on the machine with the ODS I get the message : 'ERROR #822: Access Denied' . so no delegated user is created.... Does anyone have any idea where I can find the solution?

Good morning,

We have been investigating how to activate a Server to Generate Tokens and an associated Resource Server to Validate the Token. This step, actually we have found out with the invaluable support of @Alberto Fuentes from Intersystems.

Is there a way to add specific table permissions to a security role programmatically? I'm working on scripting some of the initial setup work when we sell certain add-ons to our software, and I see how I can assign resources to a role and give it a description, but I don't see how I tell it that this role gives the user, for example, SELECT privileges only on the invoices table, or SELECT, INSERT, UPDATE, and DELETE.

I have recently come across a problem saving TrakCare reports as PDF files while using the MS Edge browser on a Windows 10 PC. Whenever a user selected the Save to PDF option the window Tab would crash and reset. The event was trapped and viewable in the Windows Events Viewer and showed a Fault in the AcroPDFImpl64.dll. Even a little research on the Internet showed me that this has been an issue for many and for quite some time – not just in TrakCare, but many other non-InterSystems applications.

Hurray for security!

If you're connecting to a local server and doing isolated development with a throwaway account, just store your password in plain text in the settings.json configuration file. But if you're working with a shared server using a "real" user account, it's a good idea to protect that information.

Credentials for a Productions are stored as plain text in ^Ens.SecondaryData.Password and exposed as plain text via SQL table Ens_Config.Credentials which is not ideal as only admins should know the credentials.

I can create my own adapter etc... to store and use encrypted passwords but does anyone know if there is a standard way to do this in a Production?

Alternatively, am I missing how to secure this so the production can run and someone can monitor and operate a production without access to the SQL table or global?

We are looking for a 3rd party application that can scan our IRIS based Cache Object Script code for vulnerabilities or coding weaknesses.  There are many, many applications/vendors out there that do code scanning but none seem to support Cache Object Script or scanning the IRIS environment.   If anyone is aware of a company/product that can scan our code / IRIS environment, I would love to hear about it.

Thanks in advance for the help.

Mike

Question:

What version of Caché supports TLS v1.2? 

Answer:

Caché 2015.2 announced support for TLS v1.1 and v1.2.  In this version, the SSL/TLS configuration page provides checkboxes for TLS v1.1 and v1.2, which allows the versions to be configured individually.  This allows sites to, for example, require TLS v1.2 only.

Additionally, some earlier versions of Caché provide undocumented support for TLS v1.1 and v1.2, specifically Caché 2014.1.3 and above and 2015.1, on Windows, Linux and Unix.

The InterSystems IRIS has excellent support for encryption, decryption and hashing operations. Inside the class %SYSTEM.Encryption (https://docs.intersystems.com/iris20212/csp/documatic/%25CSP.Documatic…) there are class methods for the main algorithms on the market.

IRIS Algorithms and Encrypt/Decrypt types

As you can see, the operations are based on keys and include 3 options:

Is there a way for us to restrict user's ODBC permissions based on what program they're running on a client?

For example, we have some older Windows apps (.exe) that are a regular part of our software package which require the user to be able to select, insert, update, and delete. Some of our users are also using other third-party apps to connect (mostly reporting tools) but we only want them to be able to select unless we've approved the exe. Is there a way to do that?

These are not applications that were developed using CacheDirect.

Hey Developers, 

Learn about the changes we've made to InterSystems IRIS Containers, including security updates and the new web gateway container:

⏯ InterSystems IRIS Container Updates

You have read about OAuth2 / OpenID Connect but you don't know how to use it? Have you ever needed to implement Single Sign-On (SSO) or secure web services based on tokens? Did you have to add authentication / authorization to your web applications or services and you didn't know how to start?

What about a step by step example where you can set up an authorization server, a client and a resource server? Here you can find an example where you will configure InterSystems IRIS instances to act as each one of these OAuth2 roles.

A brief introduction

Hello IRIS Community,

Hey Developers,

In the second part, you will learn how to build a FHIR Application with OAuth 2.0 and OKTA:

⏯ Securing FHIR Applications with OAuth 2.0 (Part 2)

I am sure I came across this in the past with Cache and just saw this again in IRIS.

When rebuilding or swapping a DAT file for a database it retains the Resource of the DAT file, not the Resource of the Database it is being used for.

For instance, if I have a local Database called APP with a resource %DB_APP and I want to refresh the data from another Database called TEST that has a Resource %DB_TEST I can just copy the DAT file from the TEST folder to the APP folder.

No Database settings are changed and it is all done with either IRIS down or the databases dismounted.