We are planning to use Caché users on a SOAP web-service, so the WS-security tokens will be used.
It will be username and password only for now.
The passwords should expire on a regular basis and this will be configured in the system-wide security settings.
The consumer of the web-service should be able to change their password on-demand or when it has expired, via a web-service call.

For the on-demand change, I can create a service method which can be called by the consumer to change the password.

0 5
0 1,844

I have multiple namespaces in a Cache environment say NS1 & NS2. I want to add some restriction so that a routine running in the NS1 should not access any resource(global/routine) belongs to namespace NS2.

The above restriction need for few of the clients only, so we do not want to write any custom logic in code.

We are looking for some solution provided by Cache where we can restrict the namespace access.

Can somebody please help me on this.

0 1
0 281

We are using Cache in our application. We are using default username/password for connecting to the Cache Database through Cache Manege Provider. Can we limit the permission of the user _SYSTEM to access only limited database/namespace.

Can we create new user for ODBC connection? Is there any API provided for creating user with limited access so that the user creation process can be automated.

0 1
0 611
David Shambroom · Feb 24, 2017 1m read
Collision for SHA-1 hash algorithm

The recent announcement of a collision for the SHA-1 hash algorithm has caused some consternation:


Here is some background to help put this in perspective.

Cryptographic hash functions can have a variety of properties. The property at issue here is:

"Collision resistance - it is computationally infeasible to find any two distinct inputs x, x' which hash to the same output, i.e., such that h(x) = h(x')."

(Menezes, van Oorchot, and Vanstone, "Handbook of Applied Cryptography", section 9.2.2)

2 0
0 457

I'm currently re-engineering an application from CSP pages directly accessing COS Methods, to an Angular/Material front end accessing a REST DAL. Both the Angular front end and REST services are hosted from the same Caché instance and the same namespace, but the REST services have their own CSP application, with all calls being routed through a Dispatch class.

0 5
0 446

Hi -

I know that when specifying Caché password rules (i.e. what constitutes a valid password definition) that the "Pattern Matching" logic is what is getting leveraged under the covers to enforce the "A Password Must conform to X" rule. I was hoping that people could share some more sophisticated pattern matching rules. (in particular, I was wondering what a rule that would require non-repeating mixture of letter, numbers, & punctuation of an overall minimal size)

1 3
0 500

I was recently asked whether we have a function to convert LDAP date time stamps into $HOROLOG format or other formats and the answer is not at the moment, but there is a simple method to do the conversion.

Let us look at the facts and figures involved...

1) Active Directory's (AD) date 0 (zero) is 1601-01-01 00:00:00.000 or January 1st, 1601 at midnight (00:00:00)

2) AD timestamps are calculated as the number of 100 nanosecond intervals from date 0

3) 864000000000 is the number of 100 nanosecond intervals per day

5 0
0 855

This post is meant to provide a quick possible explanation for a very perplexing problem.

Scenario: You’ve just created your own administrative user in your 2014.1 (or later) instance of Caché. You gave it every possible security role (including %All), so it should in theory be able to do anything within the instance.

You’ve written a very advanced routine with a break command in it for debugging:

7 1
0 401

I have a list of about 100 MPI IDs that I would like to run a report on. I want to list times that any data for these patients were accessed. Currently in "Managed Reports" we have a "Disclosure Report" which I think was a custom development effort, but it is per-patient.

I have a SQL query for the ATNA log but I'm not confident in its accuracy, so I thought I'd reach out and see how other Information Exchange's might get this data.

0 7
0 404

I know %CSP.Daemon is supposed to clean up old CSP sessions (?). In my management portal, under System/ License Usage, I see 33 "Units" used (and there are 33 licenses in use), but usernames from old IP address and that are not being used. Their active times are often in the millions of seconds. They are not "on" the system right now.

At most, only 3 users are on the system right now.

Are these supposed to be cleaned up? Can I clean them up programmactially, and how would I know if they're not active?



0 8
0 710

We had a major problem recently where a participant was sending unexpected data. It was not enough to throw an error or warning in the actual trace, but when examining the message in the viewer it did show the following:

Build Map Status = 'ERROR <EnsEDI>ErrMapSegUnrecog: Unrecognized Segment 4:'CON' found after segment 3 (CON)'

How can I query for these or be notified of them? This caused major ramifications but we did not notice it. I have Managed Services investigating but I want to cover all my bases.

0 4
0 373


Assume an architecture where an ECP Database Server is connected to by one or more ECP Application Servers inside a firewall.The application server hosts the web application that web users connect to.

The Web servers are outside the firewall, and, (using the CSP gateway/server mechanism) issue requests over the SuperServer port and into the application server.

I know that the traffic between the Web Server and the ECP application server can be encrypted using HTTPS, and access to the CSPServer on the Application server is username/password secured.

1 2
0 4,255


I am trying to create a %Installer script and I noticed from our documentation that %Installer's <CSPAuthentication> will only accept:

Optional; within <Namespace>. Defines one or more CSP applications; the supported authentication flags are 4 (Kerberos), 32 (Password), and 64 (Unauthenticated).

Is "Delegated" authentication supported? What is it's code?

Kind regards,

Amir Samary

0 2
0 353

Presenter: Rich Taylor
Task: Use an LDAP schema that differs from the provided default
Approach: Give examples of customized LDAP schema development, using LDAP APIs and ZAUTHORIZE

In this session we explore the various options of for working with LDAP as an authentication and authorization framework. We will look beyond the simple LDAP schemas into working with more complex LDAP configurations that incorporate application level security information.

Content related to this session, including slides, video and additional learning content can be found here.

0 1
0 377

Presenter: Andreas Dieckow
Task: Securely store sensitive information
Approach: Give examples of data-at-rest encryption and data element encryption

Description: In this session, InterSystems will showcase how to use API calls to programmatically do everything using your own scripts. This approach is highly effective if you have recipe based settings and configurations that you would like to roll out in a controlled and fast fashion.

Problem: Implement Security relevant information correctly and how. Examples are Credit Card information, Sensitive information (e.g. SSN, Classified Information)

Solution: Data-at-rest encryption and data element encryption

Content related to this session, including slides, video and additional learning content can be found here.

0 1
0 213

Presenter: Andreas Dieckow
Task: Apply SQL security to multiple servers in a distributed system
Approach: Provide code samples for using new API calls to apply SQL security statements to multiple instances of our products

Description: The requirement that started at all. See examples on how to use this new feature and integrate it into your application by discuss code examples.

Problem: SQL Security is local to the instance and most of time driven by customer application code. That it is only local to the instance and is not automatically going to other instances requires a solution.

Solution: With application code use new API calls to issue SQL security statements that is applied to multiple instances.

Content related to this session, including slides, video and additional learning content can be found here.

0 1
0 193

Presenter: Saurav Gupta
Task: Provide customized authentication support for biometrics, smart cards, etc.
Approach: Provide code samples and concept examples to illustrate various custom authentication mechanisms

Description: In this session we will discuss customized way to solve various authentication mechanism and show case some sample code.

Problem: Using custom Authentication mechanism to support devices like biometrics, smart cards, or create an authentication front end for existing applications.

Solution: Code samples and concept examples.

Content related to this session, including slides, video and additional learning content can be found here.

0 0
0 254
InterSystems Official
Andreas Dieckow · Jan 27, 2016 1m read
OpenSSL 1.0.2

At the end of this year support for OpenSSL 1.0.1 will end. InterSystems has started the process to move to OpenSSL 1.0.2 and use the 1/28/2016 release (1.0.2f) for verification and product inclusion. I will update this post once InterSystems decided which versions will receive support for OpenSSL 1.0.2.

0 1
0 402

In preparation for a presentation I need a real-world LDAP schema that has been customized a bit beyond the basics. Perferably this would be based on an OpenLDAP system which would make it easier to merge into this presentation.

If you have such a schema you would be willing to share please respond or contact my directly at Rich.Taylor@InterSystems.com

Thanks in advance.

Rich Taylor

0 1
0 274