Hi All,
I want to implement SOAP authentication and Security. Please let me know what are all the best ways to Implement it.
Advance thanks,
Security in IT is the protection of computer systems from the theft and damage to their hardware, software or information, as well as from disruption or misdirection of the services they provide.
Presenter: Dan Kutac
Task: Use a common login identity and a central mechanism of authentication across environments from multiple entities
Approach: Provide examples and code samples of an application environment using OpenID Connect and OAuth 2.0
Description: In this session we will demonstrate an application environment using OpenID Connect and OAuth 2.0. Hear how this is done and what options you have; and yes, you get to keep the code.
Problem: How to use a common login identity (e.g. Facebook credentials) and a central mechanism of authorization across environments from multiple entities.
Solution: Create awareness and interest in using OAuth 2.0
Content related to this session, including slides, video and additional learning content can be found here.
Hello,
I have a very simple web service that I'd like to secure via SAML Authorization with X.509 Certificates. I am, however, struggling with documentation and my lack of cryptographic skills. (I do this just for educational purposes now, but will need to use it in the future.)
Does anyone have an example that shows how to construct a SOAP Client with adding all necessary security headers manually or point me to a decent learning resource?
Thank you very much!
Hello experts,
I'm new to InterSystems software and still not so familiar with it. Therefore I apologize in advance if this question is irrelevant, doesn't make sense, or the answer is commonly known.
I did my best in searching for an answer, but unfortunately I haven't found anything helpful. So I decided to ask for help here.
My problem is a repetitive error which occurs in the CSP Gateway event log:
Error Condition: Failed to read posted content from the client (Content-Length: 1404; Data Actually Read: 0; Read Error: 70007)
It occurs approximately 40 times a day.
Hello everyone
I have a server configuration in a CSP Gateway installed on a PC (let's call it S2) different from the main one (let's call it S1). This configuration allows me to access a web application that is installed on S1, from a client C asking S2 for this webapp. But for now it works only in HTTP between C and S2, and we would like to use HTTPS (as it already works between S2 and S1).
First, here are the tutorials found in the docs:
https://docs.intersystems.com/latest/csp/docbook/DocBook.UI.Page.cls?KE…
https://docs.intersystems.com/latest/csp/docbook/DocBook.UI.Page.cls?
Hi,
I am trying to create a user role which shall allow users access to only one specific namespace in an Ensemble system. I've started by creating the namespace with a database (with its own resource and no public access). In the second step I've created a role by copying it from the predefined role %Developer and assigned the resource of the created database. After that I've created a user and assigned him to the created role.
When trying to log in to Ensemble, the management portal comes up but the Ensemble tab is shown deactivated.
I have a few cubes and numerous dashboards and I am ready to deploy them to our end users and administrators. How to configure DeepSee so that users don’t disrupt each other’s areas and are restricted from using functionalities specific to developers?

Hello everyone,
I'm using Atelier 1.3. When we configure a server and use HTTP to connect, it works fine. But when we activate the Secure connection option I get the "Unrecognized SSL message, plaintext connection?" error.
Do I need to perform any configuration on my server so that Atelier can access a secure connection?
Hi All,
Can someone help me with getting the security features & standards by which InterSystems Caché adheres to ISO 27001 & other security & privacy standards?
Also if you can tell me the algorithm used for database encryption & key strength by default.
This is required for a security audit.
Thanks in advance. Ashish
Hi Community!
New video is already on InterSystems Developers YouTube Channel:
Hi Community!
Please welcome a new video on InterSystems Developers YouTube Channel:
Building Powerful LDAP Configurations
I need to automate the handling of usernames, passwords, server names, etc. for use in the sending and receiving of emails, logging into SFTP servers, etc., for use within COS code.
To manage external passwords we could use LastPass or any other proprietary password loggers, but I need to be able to call them as part of the automation (COS code) and occasionally visually look them up to "remind" the staff of their passwords.
Any suggestions as to the best class data constructs to handle this scenario? Should the whole table be encrypted, or only the passwords, etc.?
This article was written as an attempt to share the experience of installing the InterSystems Caché DBMS for production environment. We all know that the development configuration of a DBMS is very different from real-life conditions. As a rule, development is carried out in “hothouse conditions” with a bare minimum of security measures, but when we publish our project online, we must ensure its reliable and uninterrupted operation in a very aggressive environment.
I am currently using InterSystems for patient data management related to intake, treatment planning and delivery of dose.
Should I create a new attribute to track Patient ID or use an existing attribute within the Audit log? What are the good practice guidelines?
If I use Event Data field to record Patient_ID is it possible out of the box to search entries for a specific Patient_ID ?
My administrator was wondering where %SYS/ZAUTHENTICATE.mac is stored.
He performs a nightly backup, and would like to include the custom ZAUTHENTICATE.mac that was written for our Delegated/LDAP configuration.
Thanks
Scott Roth
The Ohio State University Wexner Medical Center
I have created some roles, and would like to know if there is a way to export the Roles and save them off to a file? I want to create a backup file of these roles for DR purposes, and in case I ever get hit by the proverbial bus.
Thanks
Scott Roth
The Ohio State University Wexner Medical Center
I have a class (to be deployed) and I want to forbid anyone from extending it.
Is there any way to do that?
We have a new requirement being pushed down by our Data Security to no longer use Local SQL Accounts to access our Databases. So they asked me to create a Service Account that is on the Domain for our connections to each database.
I tried just changing my JDBC connection to using this Service Account and Password but I am not having any luck trying to connect to the database.
" Connection failed.
Login failed for user 'osumc\CPD.Intr.Service'.
I wrote a ZAUTHENTICATE.mac a couple of months back, and found recently that it is creating core dumps on almost a nightly basis. I think I have figured out that this problem is due to not clearing out my MsgSearch after I am doing 2 of them within the code.
1. Get User Attributes from AD
2. Get User Groups From AD
So while I am trying to clean up the code I thought it would be a good time to add a Certificate and TLS to the mix, since I should have been using that all along.
Hi,
When I log on to Linux as a non-root user and then call ccontrol start/stop cache, it shows no permission.
How do I grant start/stop/restore privileges to a user who is not root?
Thanks
In old Caché versions it was possible to create a new role based on the predefined %Developer by copying it and adding some resources as needed. That was true at least from 2010.1 to 2015.1.
After the upgrade from 2015.1.4 to 2017.2.1 it turned out that it's only partially true now. A user with a "New-Developer" role can enter Studio and open existing cls/mac/etc. for editing, and everything is OK unless he tries to create something new (Ctrl-N); then he gets a pop-up with %msg: <User xxx does not have enough privilege to execute stored procedure %CSP.
Hi,
I have a client who is considering encryption options in order to comply with a tendering requirement.
Were they to encrypt the production database, then what would be a reasonable expectation for the impact on message throughput? Or, possibly more easily answered: what would the expected impact be on I/O rate and CPU utilization? Are there any benchmarks which could support an estimate?
How would this compare with plan B: using disk encryption?
Thanks
Is there a way to make the system users like _SYSTEM and ensadm bypass the Delegated sign-on and not cause it to fill up the Audit trail with "Programmer mode login failure"? I figured I still had to leave password login enabled for the background users to run. How would I script it so that if username = "_SYSTEM" then it doesn't do the Delegated sign-on?
Here is my ZAUTHENTICATE
#include %occErrors
#include %syLDAP
 ; Site-specific macros ($$$LDAPServer, $$$WindowsLDAPServer, $$$WindowsFilter, $$$WindowsAttributeList,
 ; $$$WindowsBaseDN) are defined in a local include file that is not shown here; include it above this line.
 ; Entry point with the standard delegated-authentication signature (added here; the post shows only the body).
ZAUTHENTICATE(ServiceName,Namespace,Username,Password,Credentials,Properties) PUBLIC {
 s $zt="Error"
 s Status=0
 ; Refuse an empty password before any directory traffic
 i Password="" {
  s Status=$SYSTEM.Status.Error($$$InvalidUsernameOrPassword)
  g Error
 }
 ; Username is inserted into the LDAP search filter as-is, so reject filter metacharacters first
 i $tr(Username,"*()\"_$c(0))'=Username {
  s Status="1,Invalid characters in username"
  g Error
 }
 ; Service account used for the initial (lookup) bind
 i $$$WindowsLDAPServer {
  s AdminDN=$Get(^OSUMCLDAP("User"))
  s AdminPW=$Get(^OSUMCLDAP("Pass"))
 }
 ; Connect to the LDAP server
 s LD=##Class(%SYS.LDAP).Init($$$LDAPServer)
 i LD=0 {
  s Status=##Class(%SYS.LDAP).GetLastError()
  s Status="Init error: "_Status_" - "_##Class(%SYS.LDAP).Err2String(Status)
  g Error
 }
 ; Bind as the service account so the user's entry can be looked up
 #;s Domain="OSUMC.EDU"
 #; Begin binding process
 s Status=##Class(%SYS.LDAP).SimpleBinds(LD,AdminDN,AdminPW)
 i Status'=$$$LDAPSUCCESS {
  s Status=Status_", ldap_Simple_Bind(AdminDN) - "_##Class(%SYS.LDAP).Err2String(Status)
  #;w !,Status
  g Error
 }
 ; Search parameters for locating the user's entry
 i $$$WindowsLDAPServer {
  s Filter=$$$WindowsFilter_"="_Username
  s AttributeList=$$$WindowsAttributeList
  s BaseDN=$$$WindowsBaseDN
 }
 s SearchScope=$$$LDAPSCOPESUBTREE
 s Timeout=30
 s SizeLimit=1
 s Status=##Class(%SYS.LDAP).SearchExts(LD,BaseDN,SearchScope,Filter,AttributeList,0,"","",Timeout,"",.SearchResult)
 i Status'=$$$LDAPSUCCESS {
  i Status=$$$XLDAPFILTERERROR {
   s Status="1,User "_Username_" does not exist"
   w !,Status
  } else {
   s Status=Status_",ldap_Search_Ext - "_##Class(%SYS.LDAP).Err2String(Status)
  }
  g Error
 }
 s NumEntries=##Class(%SYS.LDAP).CountEntries(LD,SearchResult)
 i NumEntries=-1 {
  s Status=##Class(%SYS.LDAP).GetError(LD)
  s Status=Status_",ldap_Count_Entries - "_##Class(%SYS.LDAP).Err2String(Status)
  g Error
 }
 i NumEntries=0 {
  s Status="1,User "_Username_" does not exist"
  g Error
 }
 ; Exactly one entry must match, otherwise the second bind could be attempted against the wrong account
 i NumEntries>1 {
  s Status="1,LDAP Filter is not unique"
  g Error
 }
 s CurrentEntry=##Class(%SYS.LDAP).FirstEntry(LD,SearchResult)
 i CurrentEntry=0 {
  s Status=##Class(%SYS.LDAP).GetError(LD)
  s Status=Status_",ldap_FirstEntry - "_##Class(%SYS.LDAP).Err2String(Status)
  g Error
 }
 s DN=##Class(%SYS.LDAP).GetDN(LD,CurrentEntry)
 ; Second bind as the user's own DN: this is the actual credential check.
 ; The empty-password guard is kept here so that an anonymous bind can never count as success.
 i Password="" {
  s Status="1,ldap_Simple_Bind("_DN_") - password cannot be null"
  g Error
 }
 s Status=##Class(%SYS.LDAP).SimpleBinds(LD,DN,Password)
 i Status'=$$$LDAPSUCCESS {
  s Status=Status_",ldap_Simple_Bind("_DN_") - "_##Class(%SYS.LDAP).Err2String(Status)
  g Error
 }
 ; Copy the returned attributes (each a $LIST of values) into Properties("Attributes",...)
 s Attribute=##Class(%SYS.LDAP).FirstAttribute(LD,CurrentEntry,.Ptr)
 while (Attribute'="") {
  s Values=##Class(%SYS.LDAP).GetValuesLen(LD,CurrentEntry,Attribute)
  #;w !,"Values:"_Values
  s Properties("Attributes",Attribute)=Values
  s Attribute=##Class(%SYS.LDAP).NextAttribute(LD,CurrentEntry,.Ptr)
 }
 ; $LISTGET on $GET tolerates an attribute that the directory did not return
 s Properties("Username")=Username
 s Properties("FullName")=$lg($g(Properties("Attributes","displayName")))
 k Properties("Attributes","displayName")
 s Properties("Comment")=$lg($g(Properties("Attributes","department")))
 k Properties("Attributes","department")
 s Properties("EmailAddress")=$lg($g(Properties("Attributes","mail")))
 k Properties("Attributes","mail")
 ; Nested group membership via the AD matching rule LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941)
 s GroupFilter="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:="_DN_"))"
 s GroupAttributes=""
 s Status=##Class(%SYS.LDAP).SearchExts(LD,BaseDN,$$$LDAPSCOPESUBTREE,GroupFilter,GroupAttributes,0,"","",10,0,.GroupSearchResult)
 #;w !,"GroupSearch Status: "_Status
 i Status'=$$$LDAPSUCCESS {
  w !,"SearchExts error: "_Status_" - "_##Class(%SYS.LDAP).Err2String(Status)
  g Error
 }
 s GroupNumEntries=##Class(%SYS.LDAP).CountEntries(LD,GroupSearchResult)
 i GroupNumEntries=-1 {
  s Status=##Class(%SYS.LDAP).GetError(LD)
  s Status=##Class(%SYS.LDAP).Err2String(Status)
  g Error
 }
 w !
 i GroupNumEntries=0 {
  w !,"No nested groups for "_Username_" found"
  g Done
 }
 s GroupCurrentEntry=##Class(%SYS.LDAP).FirstEntry(LD,GroupSearchResult)
 i GroupCurrentEntry=0 {
  s Status=##Class(%SYS.LDAP).GetError(LD)
  w !,"FirstEntry error: "_Status_" - "_##Class(%SYS.LDAP).Err2String(Status)
  g Error
 }
 ; Map each AD group whose CN matches an existing Caché role onto that role.
 ; Properties("Roles") is a comma-separated list, so roles are accumulated rather than overwritten.
 s Properties("Roles")=""
 While (GroupCurrentEntry'=0) {
  s GroupDN=##Class(%SYS.LDAP).GetDN(LD,GroupCurrentEntry)
  i GroupDN="" {
   s Status=##Class(%SYS.LDAP).GetError(LD)
   w !,"GetDN Group error: "_Status_" - "_##Class(%SYS.LDAP).Err2String(Status)
   g Error
  }
  s CN=$p(GroupDN,",",1)
  s AD=$p(CN,"=",2)
  s AD=$zcvt(AD,"L")
  s exists=''$d(^|"%SYS"|SYS("Security","RolesD",AD))
  i exists {
   s Properties("Roles")=Properties("Roles")_$s(Properties("Roles")="":"",1:",")_AD
   #;w !,Properties("Roles")
  }
  s GroupCurrentEntry=##Class(%SYS.LDAP).NextEntry(LD,GroupCurrentEntry)
 }
Done
 ; Release both search results and the connection on every exit path
 i $d(SearchResult) d ##Class(%SYS.LDAP).MsgFree(SearchResult)
 i $d(GroupSearchResult) d ##Class(%SYS.LDAP).MsgFree(GroupSearchResult)
 i $d(LD) d ##Class(%SYS.LDAP).UnBinds(LD)
 q $SYSTEM.Status.OK()
Error s $zt=""
 i $d(SearchResult) d ##Class(%SYS.LDAP).MsgFree(SearchResult)
 i $d(GroupSearchResult) d ##Class(%SYS.LDAP).MsgFree(GroupSearchResult)
 ; Use "do" here: assigning the UnBinds() result to Status would overwrite the error about to be reported
 i $d(LD) d ##Class(%SYS.LDAP).UnBinds(LD)
 i $ze'="" {
  q $SYSTEM.Status.Error($$$CacheError,$ze)
 } else {
  q $SYSTEM.Status.Error($$$GeneralError,"LDAP error: "_Status_" - "_##Class(%SYS.LDAP).Err2String(Status))
 }
}
I need to offer new users on our system a temporary password that is valid for only 48 hours. This is different from the 60-day password expiration window for existing users' passwords (where a password needs to be changed every 60 days), different from a "user expiration date", where you can set a date on which the user's account expires and is disabled, and different from the inactivity expiration date where a user becomes active if his account is not used within, say, 30 days.
Is there a way to pull a user name and password from the Credentials list that is kept in Ensemble? Right now I have an LDAP user that I have hard coded into my ZAUTHENTICATE, which I would like to get away from. I am not too familiar with setting globals, or calling them at least.
Thanks
Scott
I was running the %File:FileSet class query, with my development user, but I am unable to run this query for an application user. Does anyone know what resource or service is needed to run this query? Assume the user has access to a certain directory on the file system needed for the query.
On second thought, having tried almost all the available resources and services, perhaps the user doesn't have access to the directory. How can I tell when the error is this:
set ok=st.%PrepareClassQuery("%File","FileSet")
d $system.Status.DisplayError(ok)
ERROR #5540: SQLCODE: -99 Message: User Laura_Test_DEV is not privileged for the operation
Hi,
I need to list all available Windows AD groups.
How do I do it?
I need to change the attributes of Windows AD users, adding and removing groups.
Note: I was able to make the connection to LDAP, and I listed the groups that a user belongs to.
I am working through trying to use ZAUTHENTICATE.mac and LDAP.mac to do Delegated sign on into Ensemble. In reading over the samples and the documentation, I am not clearly finding on how to set the Appropriate Role from the LDAP group I return. Can someone help explain this part to me? If I have a user sign on, and I return a "Group" from the Authentication, how do I get that to transform into the Role I need for Ensemble.
Thanks
Scott Roth
Cache for Windows (x86-64) 2015.1 (Build 429U) Fri Feb 13 2015 14:37:23 EST [HealthShare Modules:Core:12.07.3703 + Linkage Engine:13.04.3703]
Use case: Search an LDAP database from Caché over TLS using Mutual Authentication.
Extract from the %SYS.LDAP documentation:
Hi community,
I am currently working on the access token generation method; I want to know where the generated access tokens are saved.
My [OAuth2.AccessToken] table is empty; is that logical?
Thanks for helping.
Best regards