#Security

Hurray for security!

If you're connecting to a local server and doing isolated development with a throwaway account, just store your password in plain text in the settings.json configuration file. But if you're working with a shared server using a "real" user account, it's a good idea to protect that information.

That's why this is a great day for security-conscious ObjectScript developers. Version 3 of Server Manager comes out of pre-release state with the first public release of version 3.2.1.

Credentials for a Productions are stored as plain text in ^Ens.SecondaryData.Password and exposed as plain text via SQL table Ens_Config.Credentials which is not ideal as only admins should know the credentials.

I can create my own adapter etc... to store and use encrypted passwords but does anyone know if there is a standard way to do this in a Production?

Alternatively, am I missing how to secure this so the production can run and someone can monitor and operate a production without access to the SQL table or global?

We are looking for a 3rd party application that can scan our IRIS based Cache Object Script code for vulnerabilities or coding weaknesses.  There are many, many applications/vendors out there that do code scanning but none seem to support Cache Object Script or scanning the IRIS environment.   If anyone is aware of a company/product that can scan our code / IRIS environment, I would love to hear about it.

Thanks in advance for the help.

Mike

Question:

What version of Caché supports TLS v1.2? 

Answer:

Caché 2015.2 announced support for TLS v1.1 and v1.2.  In this version, the SSL/TLS configuration page provides checkboxes for TLS v1.1 and v1.2, which allows the versions to be configured individually.  This allows sites to, for example, require TLS v1.2 only.

Additionally, some earlier versions of Caché provide undocumented support for TLS v1.1 and v1.2, specifically Caché 2014.1.3 and above and 2015.1, on Windows, Linux and Unix.

Here’s why:  Caché uses the openssl library for SSL/TLS.  TLS v1.1 and v1.

The InterSystems IRIS has excellent support for encryption, decryption and hashing operations. Inside the class %SYSTEM.Encryption (https://docs.intersystems.com/iris20212/csp/documatic/%25CSP.Documatic…) there are class methods for the main algorithms on the market.

IRIS Algorithms and Encrypt/Decrypt types

As you can see, the operations are based on keys and include 3 options:

• Symmetric Keys: the parts running encrypt and decrypt operations share the same secret key.

Is there a way for us to restrict user's ODBC permissions based on what program they're running on a client?

For example, we have some older Windows apps (.exe) that are a regular part of our software package which require the user to be able to select, insert, update, and delete. Some of our users are also using other third-party apps to connect (mostly reporting tools) but we only want them to be able to select unless we've approved the exe. Is there a way to do that?

These are not applications that were developed using CacheDirect.

Hey Developers, 

Learn about the changes we've made to InterSystems IRIS Containers, including security updates and the new web gateway container:

⏯ InterSystems IRIS Container Updates

You have read about OAuth2 / OpenID Connect but you don't know how to use it? Have you ever needed to implement Single Sign-On (SSO) or secure web services based on tokens? Did you have to add authentication / authorization to your web applications or services and you didn't know how to start?

What about a step by step example where you can set up an authorization server, a client and a resource server? Here you can find an example where you will configure InterSystems IRIS instances to act as each one of these OAuth2 roles.

Hello IRIS Community,

InterSystems Certification is developing a certification exam for IRIS system administrators and, if you match the exam candidate description given below, we would like you to beta test the exam. The exam will be available for beta testing on June 20-23, 2022 at InterSystems Global Summit 2022, but only for Summit registrants (visit this page to learn more about Certification at GS22) . Beta testing will open for all other interested beta testers on July 18, 2022. However, interested beta testers should sign up now by emailing certification@intersystems.com

Hey Developers,

In the second part, you will learn how to build a FHIR Application with OAuth 2.0 and OKTA:

⏯ Securing FHIR Applications with OAuth 2.0 (Part 2)

I am sure I came across this in the past with Cache and just saw this again in IRIS.

When rebuilding or swapping a DAT file for a database it retains the Resource of the DAT file, not the Resource of the Database it is being used for.

For instance, if I have a local Database called APP with a resource %DB_APP and I want to refresh the data from another Database called TEST that has a Resource %DB_TEST I can just copy the DAT file from the TEST folder to the APP folder.

No Database settings are changed and it is all done with either IRIS down or the databases dismounted.

Hi Community, 

Join us for this introduction to the terminology and workflow of using OAuth 2.0 with an HL7 FHIR server:

⏯ Securing FHIR Applications with OAuth 2.0 (Part 1)

How to Configure and implement X509 users to allow login into cache without password.

Hi,

Working on integrating with O365 Sharepoint REST API. I would want to know if anyone can share their experience with integration with Sharepoint REST API and how they implemented security?

Thanks
Kiran Kumar

I'm VERY novice on all things "OpenAM", and beyond knowing that Caché supports working with OpenAM, I have nothing else to go on.

The documentation doesn't seem to be very deep on the nature of how this works beyond a single paragraph saying it's supported for Single Sign On (SSO).

For Caché to use this, I get that there is an environment variable (REMOTE_USER) which is set to "something", but it's not clear to me how this ends up mapping to a provisioned caché user (or LDAP provisioned user for that matter) and ultimately to the %Roles in effect and subsequent system access.

How to check if the password is strong enough, so it will not be cracked very fast? And how to make a strong password?

I've developed a tool that may help with this. You can find it on OpenExchange. Install it with zpm

zpm "install passwords-tool"

This module will install just one class caretdev.Passwords, which contains a few helpful methods in it

Secure Password

To get a secure password it's usually enough to use letters in upper and lower case, digits, and special symbols, and it should be at least 8 symbols long.

I was wondering if there was a certain procedure or documentation on securing (Https://) the Web Portal into IRIS/Ensemble?

Currently we are using LDAP Delegated Authentication to access the Web Portal using LDAP. However as more and more emphasis is put on securing applications within networks, I can see Management/Security asking us to make sure that the web portal is more secure.

Maybe I am not looking at the right place for documentation, but is there a Best Practice guide, set of instructions, or Online learning that can help guide me in trying to make our environment more secure?

Hey Community, 

Learn about the changes we've made to InterSystems IRIS Containers, including security updates and the new web gateway container:

⏯ InterSystems IRIS Container Updates

The XData (https://docs.intersystems.com/irislatest/csp/docbook/DocBook.UI.Page.cls?KEY=GOBJ_XDATA) is a powerful feature to set documentation and metadata information for classes and methods. The %CSP.REST class uses XDATA to mapping REST calls (https://docs.intersystems.com/irislatest/csp/docbook/DocBook.UI.Page.cls?KEY=GREST_csprest), so in this article you will see how to use XData into your apps as code, not only as documentation.

When you write XData comments/definitions, the IRIS store it into %Dictionary.ClassDefinition (for classes) %Dictionary.MethodDefinition (for methods).

Hi Community, 

New video is already on InterSystems Developers YouTube:

⏯ Updates on Security: OpenSSL and a New "Security" Database

What about having your IRIS REST APIs scanned every push you did and being reported on possible vulnerabilities? This is what I am going to show you in this article.

Recently, we had the Security Contest with amazing applications and examples showing how to improve security on your IRIS solutions. One of such examples was the zap-api-scan-sample, made by me and my colleague Henrique Dias. Our application shows how to use the OWASP ZAP API scanner to perform security tests on your REST APIs OpenAPI definitions generated by IRIS.

In my previous post I described how to install the pre-release of the Server Manager 3 extension and benefit from enhanced security for your stored credentials.

Now by upgrading to the latest release (1.2.7) of the InterSystems Language Server and opting in to the 1.3 pre-release of the ObjectScript extension you get the additional reassurance of being notified whenever either of those extensions try to access stored credentials for the first time.

Hi Community,

We're pleased to invite you to the online meetup with the winners of the InterSystems Security contest!

Date & Time: Friday, December 10, 2021 – 11:00 EDT

What awaits you at this virtual meetup? 

• Our winners' bios.
• Short demos on their applications.
• An open discussion about technologies being used. Q&A. Plans for the next contests.

Hey Developers,

The InterSystems Security contest is over. Thank you all for participating in our coding competition!

So it's time to announce the winners! 

A storm of applause goes to these developers and their applications:

Hey Community,

We want to hear from you! Give us your feedback on the past InterSystems Security programming contest! Please answer some questions to help us improve our contests.

👉 Quick survey: InterSystems Security Programming Contest Survey

I need to store an equivalent of the SNN (Social Security number). I need it to be encrypted and I'll have to be able to search for it once stored.

For what I've seen my options are: 

- SHAHash from the %system.encryption library. Simple and easy to implement. My question is, might collisions be a problem? We are talking about a 10 millions entry.

- AES encryption. In this case I'd like to know if there is a standard way for key management in the InterSystems environment.

I can eventually get a certificate for this project to use other encryption function as well.

Open to suggestions.

Hey Developers,

This week is a voting week for the InterSystems Security contest! So, it's time to give your vote to the best solutions built with InterSystems IRIS.

🔥 You decide: VOTING IS HERE 🔥

How to vote? Details below.

Hi contestants!

We've introduced a set of bonuses for the projects for the Interoperability Contest 2021!

Here are projects that scored it:

Please apply with your comments here in the posts or in Discord.

The InterSystems IRIS has a great audit system. It is responsible for auditing system events, but you can use it to audit your applications (great feature).

The audit system is based into event concept. The events can occur with IRIS or in an application. So, we have two type of events to the audit system:

1. System events: events occured into the InterSystems IRIS components (database, interoperability, analytics and core);

2.