#Security

Security in IT is the protection of computer systems from the theft and damage to their hardware, software or information, as well as from disruption or misdirection of the services they provide.

See the InterSystems Documentation on Security.

Discussion Fabiano Sanches · May 17, 2023

We are very eager to learn what kind of feedback you might have for InterSystems.

We hope you had a chance to download and install one of the kits that show how the new process works. If not, you still can do it, following the instructions on these posts:

Our target release is InterSystems IRIS 2023.2 (and InterSystems IRIS for Health 2023.2) and will be available in a few months.

Article Mauro Aguirre · May 11, 2023 13m read

Several steps should be done in order to secure the connection through xDBC clients to an IRIS Server instance using TLS. Most of the information can be obtained from the documentation about TLS on IRIS here, about configuring the security layer for encrypted connections. In the next paragraphs we will cover a step-by-step guide on how to configure and test the connection using SQL client apps using ODBC and JDBC.

Article Yuri Marx · Apr 13, 2023 10m read

It is a recommended security practice to log in to sensitive Administrator Portals without any input passwords. Thus, it is necessary to identify and authenticate the users correctly. A common technique employed by web portals and mobile applications is to use Google social login. Today, Google Gmail has 2 billion users (source: https://www.usesignhouse.com/blog/gmail-stats). Therefore, it is a perfect shared login service to utilize to log in InterSystems IRIS users when they need to manage their instances. This article will detail all the steps to embed Google Login into your InterSystems Management Portal.


Register your InterSystems instance in the Google Console

1. Go to https://console.cloud.google.com and log in with your Google user account.
2. On the header click Select a project:

Article Ward De Backer · Apr 21, 2023 5m read

When you install an IRIS or Caché instance on Windows Server, you'll usually need to install it under a specific user account that has network access permissions. This is very handy when you need to access network resources for creating files or directly accessing printers.

TL;DR: see key takeaways at the bottom!

When you need to change the Windows user account the IRIS/Caché service is running as, you can configure (after installation):

  • for IRIS (also see the docs): 
    <install-dir>\bin\IRISinstall.
Article Yuri Marx · Apr 18, 2023 4m read

According to the Cambridge dictionary, to tokenize data is "to replace a private piece of data with a token (= a different piece of data that represents the first one), in order to prevent private information being seen by someone who is not allowed to do so" (https://dictionary.cambridge.org/pt/dicionario/ingles/tokenize). Today, several companies, especially in the financial and healthcare sectors, are tokenizing their data as an important strategy to meet cybersecurity and data privacy (GDPR, CCPA, HIPAA and LGPD) requirements. But why not use encryption?

Question Evgeny Shvarov · Apr 9, 2023

Hi folks!

When I launch IRIS as a docker container instance, e.g. like this one:

docker run --name iris-sql -d --publish 9091:1972 --publish 9092:52773 intersystemsdc/iris-community

And then try to connect to it e.g. via irissqlcli it says I need to change the password:

irissqlcli iris://_SYSTEM:SYS@localhost:9091/USER

Password change required

I know that I can open Management portal http://localhost:9092/csp/sys/UtilHome.csp and change password manually, but is there a programmatic way?

Say if I have a password in a file and I can just provide it to docker instance for the change?

Question Evgeny Shvarov · Feb 19, 2023

Hi folks!

Lately (maybe the last 2-3 years) I develop with IRIS exclusively in docker, so the IRIS instance I use for compiling and running IRIS apps is local.

And almost every time I enter a password for the management portal and web apps. The same password every time. Sounds familiar?

Is there an easy way to have a parameter in docker build for a "dev-mode" that will not ask me a password?

Article Elliott Grey · Mar 7, 2023 10m read

Foreword

InterSystems IRIS versions 2022.2 and newer feature a redesigned functionality for JSON web tokens (JWTs). Once housed under the %OAuth2 class package, the JWT class, along with other JSON web classes (JWCs), now lives under %Net.JSON. This migration occurred in order to modularize the JWCs. Before, they were closely intertwined with the implementation for the OAuth 2.0 framework. Now, they can be maintained and used separately from OAuth2.

Note: For backwards compatibility, the classes still exist under %OAuth2 package, but the codebase now uses %Net.JSON.

Article Daniel Aguilar · Feb 12, 2023 6m read

Hi! Recently I had to apply api-key validation to a web app with a lot of endpoints, and I'm going to tell you how I did it in a centralized way.

I'm going to explain to you how we can apply, in a generic way (or not), api-key validation to all the endpoints of our web app.

For this feature I took as a template the class Base.cls of this repository: iris-rest-api-template

I modified this class a bit to be able to check api-key security. The idea is that in your features you copy this class into your projects and extend it for your own implementations.

Question Jeffrey Drumm · Feb 10, 2023

I've been trying for a while now to get OS authentication working on IRIS running on Ubuntu 20.04 and subsequently 22.04. I have the following authentication methods enabled for %Service_Terminal:

  • Operating System
  • Password
  • Operating System Delegated Authorization

And I have these options selected in Authentication/Web Session Options:

But when logging in via iris session <instancename> I am always prompted for a username and password. I am logged into the operating system with a username that matches my IRIS username, and the same configuration and login method works fine on Red Hat 8.5.

Question Jaime Lerga · Feb 8, 2023

Recently I've been using Restforms2 to create a CRUD API for a project. But it lacks some advanced functionality that we need, so we have created a production with a REST WS which handles those advanced methods. That works great, but there's a drawback: it does not have authentication.
I would want to use the same authentication method as Restforms2, which is basic auth using IRIS users and passwords.
Searching for this, I have found a similar topic. It uses $SYSTEM.Security.Login(user, pass) in a similar manner to create a token.

Question Smythe Smythee · Nov 14, 2022

Hi Community,

I am configuring a new SSL configuration for Gmail (for sending errors to Gmail in an Ensemble production) by following the steps below.

Step 1:

Step 2: Giving the server address smtp.gmail.com

Step 3: Giving the port number. I have tried giving 465, 587 and 25 as the port number; it is still not connecting.

Can anyone please tell me where I am going wrong in the configuration?

Thanks,

Saroja.A

InterSystems Official Mark-David McLaughlin · Jan 30, 2023

At InterSystems, we believe in the responsible disclosure of recently discovered security vulnerabilities. We provide timely information to our customers, while keeping it out of the hands of people that may misuse it. We also understand each customer has different requirements related to the resolution of security issues.

Article Tani Frankel · Dec 8, 2022 1m read

When creating a PRA (Privileged Routine Application; which by the way is not relevant just for Routines but also for Classes/Methods), it is important to make sure you include a new $ROLES, before calling AddRoles(). For example:

 new $ROLES
 set status=$System.Security.AddRoles("MyPrivilegedRoutineApplication")

This way you ensure that indeed the added (elevated) roles "evaporate" for the User running this code, once the User is out of the scope of that routine/method.

[Thank you @Andreas Dieckow for validating this]

Question Rob Schoenmakers · Nov 30, 2022

In our current UCR architecture, we use two installations. We have one machine with Access, Registry and Edges and one machine with the ODS. On the machine with the Registry, I can create a user/clinician. When I log into the management portal with this user, a so-called delegated user is created in the cached users table. So far everything is going well.

When I try the same on the machine with the ODS I get the message 'ERROR #822: Access Denied', so no delegated user is created. Does anyone have any idea where I can find the solution?

Question David Hockenbroch · Nov 2, 2022

Is there a way to add specific table permissions to a security role programmatically? I'm working on scripting some of the initial setup work when we sell certain add-ons to our software, and I see how I can assign resources to a role and give it a description, but I don't see how I tell it that this role gives the user, for example, SELECT privileges only on the invoices table, or SELECT, INSERT, UPDATE, and DELETE.

Article Steve Wilson · Oct 13, 2022 3m read

I have recently come across a problem saving TrakCare reports as PDF files while using the MS Edge browser on a Windows 10 PC. Whenever a user selected the Save to PDF option the window Tab would crash and reset. The event was trapped and viewable in the Windows Events Viewer and showed a Fault in the AcroPDFImpl64.dll. Even a little research on the Internet showed me that this has been an issue for many and for quite some time – not just in TrakCare, but many other non-InterSystems applications.

Announcement Raj Singh · Oct 7, 2022

Hurray for security!

If you're connecting to a local server and doing isolated development with a throwaway account, just store your password in plain text in the settings.json configuration file. But if you're working with a shared server using a "real" user account, it's a good idea to protect that information.

That's why this is a great day for security-conscious ObjectScript developers. Version 3 of Server Manager comes out of pre-release state with the first public release of version 3.2.1.

Question David Underhill · Aug 23, 2022

Credentials for a Productions are stored as plain text in ^Ens.SecondaryData.Password and exposed as plain text via SQL table Ens_Config.Credentials which is not ideal as only admins should know the credentials.

I can create my own adapter etc... to store and use encrypted passwords but does anyone know if there is a standard way to do this in a Production?

Alternatively, am I missing how to secure this so the production can run and someone can monitor and operate a production without access to the SQL table or global?

Question Michael McGrann · Aug 15, 2022

We are looking for a 3rd party application that can scan our IRIS based Cache Object Script code for vulnerabilities or coding weaknesses. There are many, many applications/vendors out there that do code scanning but none seem to support Cache Object Script or scanning the IRIS environment. If anyone is aware of a company/product that can scan our code / IRIS environment, I would love to hear about it.

Thanks in advance for the help.

Mike

Article Katherine Reid · Aug 26, 2016 2m read

Question:

What version of Caché supports TLS v1.2?

Answer:

Caché 2015.2 announced support for TLS v1.1 and v1.2. In this version, the SSL/TLS configuration page provides checkboxes for TLS v1.1 and v1.2, which allows the versions to be configured individually. This allows sites to, for example, require TLS v1.2 only.

Additionally, some earlier versions of Caché provide undocumented support for TLS v1.1 and v1.2, specifically Caché 2014.1.3 and above and 2015.1, on Windows, Linux and Unix.

Here’s why: Caché uses the openssl library for SSL/TLS. TLS v1.1 and v1.

Article Yuri Marx · May 13, 2022 8m read

The InterSystems IRIS has excellent support for encryption, decryption and hashing operations. Inside the class %SYSTEM.Encryption (https://docs.intersystems.com/iris20212/csp/documatic/%25CSP.Documatic…) there are class methods for the main algorithms on the market.


IRIS Algorithms and Encrypt/Decrypt types

As you can see, the operations are based on keys and include 3 options:

  • Symmetric Keys: the parts running encrypt and decrypt operations share the same secret key.
Question David Hockenbroch · Jun 8, 2022

Is there a way for us to restrict users' ODBC permissions based on what program they're running on a client?

For example, we have some older Windows apps (.exe) that are a regular part of our software package which require the user to be able to select, insert, update, and delete. Some of our users are also using other third-party apps to connect (mostly reporting tools) but we only want them to be able to select unless we've approved the exe. Is there a way to do that?

These are not applications that were developed using CacheDirect.
