Security in IT is the protection of computer systems from the theft and damage to their hardware, software or information, as well as from disruption or misdirection of the services they provide.
Hi,
I have a client who is considering encryption options in order to comply with a tendering requirement.
Were they to encrypt the production database then what would be a reasonable expectation forthe impact on message throughput. Or possibly more easily answered: what would be the expected impact be on I/O rate and CPU utilization. Are there any benchmarks to which could support an estimate ?
How would this compare with plan B: to use disk encryption ?
Thanks
Is there a way to make the system users like _SYSTEM and ensadm bypass the Delegated sign-on and not cause it to fill up the Audit trail with "Programmer mode login failure"?? I figured I still had to leave password login enabled for the background users to run. How would I script if username = "_SYSTEM" then don't do the Delegated sign on?
Here is my ZAUTHENTICATE
s $zt="Error"
s Status = 0
i Password="" {
s Status= $SYSTEM.Status.Error($$$InvalidUsernameOrPassword)
g Error
}
i $$$WindowsLDAPServer {
s AdminDN=$Get(^OSUMCLDAP("User"))
s AdminPW=$Get(^OSUMCLDAP("Pass"))
}
//Connect to the LDAP server
s LD=##Class(%SYS.LDAP).Init($$$LDAPServer)
i LD=0 {
s Status=##Class(%SYS.LDAP).GetLastError()
s Status="Init error: "_Status_" - "_##Class(%SYS.LDAP).Err2String(Status)
g Error
}
//Authenticate the passed in user by using the Binds command
//s Domain="OSUMC.EDU"
#; Begin Binding Process"
s Status=##Class(%SYS.LDAP).SimpleBinds(LD,AdminDN,AdminPW)
i Status'=$$$LDAPSUCCESS {
s Status = Status_", ldap_Simple_Bind(AdminDN) - "_##Class(%SYS.LDAP).Err2String(Status)
#;w !,Status
g Error
}
i $$$WindowsLDAPServer {
s Filter=$$$WindowsFilter_"="_Username
}
i $$$WindowsLDAPServer {
s AttributeList=$$$WindowsAttributeList
}
i $$$WindowsLDAPServer {
s BaseDN=$$$WindowsBaseDN
}
s SearchScope=$$$LDAPSCOPESUBTREE
s Timeout=30
s SizeLimit=1
s Status=##Class(%SYS.LDAP).SearchExts(LD,BaseDN,SearchScope,Filter,AttributeList,0,"","",Timeout,"",.SearchResult)
i Status'=$$$LDAPSUCCESS {
i Status=$$$XLDAPFILTERERROR {
s Status="1,User "_Username_" does not exist"
w !,Status
} else {
s Status=Status_",ldap_Search_Ext - "_##Class(%SYS.LDAP).Err2String(Status)
}
g Error
}
s NumEntries=##Class(%SYS.LDAP).CountEntries(LD,SearchResult)
i NumEntries=-1 {
s Status=##Class(%SYS.LDAP).GetError(LD)
s Status=Status_",ldap_Count_Entries - "_##Class(%SYS.LDAP).Err2String(Status)
g Error
}
i NumEntries=0 {
s Status="1,User "_Username_" does not exist"
g Error
}
i NumEntries>1 {
s Status="1,LDAP Filter is not unique"
g Error
}
s CurrentEntry=##Class(%SYS.LDAP).FirstEntry(LD,SearchResult)
i CurrentEntry=0 {
s Status=##Class(%SYS.LDAP).GetError(LD)
s Status=Status_",ldap_FirstEntry - "_##Class(%SYS.LDAP).Err2String(Status)
g Error
}
s DN=##Class(%SYS.LDAP).GetDN(LD,CurrentEntry)
i Password="" {
s Status="1,ldap_Simple_Bind("_DN_") - password cannot be null"
g Error
}
s Status=##Class(%SYS.LDAP).SimpleBinds(LD,DN,Password)
i Status'=$$$LDAPSUCCESS {
s Status=Status_",ldap_Simple_Bind("_DN_") - "_##Class(%SYS.LDAP).Err2String(Status)
g Error
}
s Attribute=##Class(%SYS.LDAP).FirstAttribute(LD,CurrentEntry,.Ptr)
while (Attribute'="") {
s Values=##Class(%SYS.LDAP).GetValuesLen(LD,CurrentEntry,Attribute)
#;Values:"_Values
s Properties("Attributes",Attribute)=Values
s Attribute=##Class(%SYS.LDAP).NextAttribute(LD,CurrentEntry,.Ptr)
}
s Properties("Username")=Username
s Properties("FullName")=$li(Properties("Attributes","displayName"))
k Properties("Attributes","displayName")
s Properties("Comment")=$li(Properties("Attributes","department"))
k Properties("Attributes","department")
s Properties("EmailAddress")=$li(Properties("Attributes","mail"))
k Properties("Attributes","mail")
s GroupFilter="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:="_DN_"))"
s GroupAttributes=""
s Status=##Class(%SYS.LDAP).SearchExts(LD,BaseDN,$$$LDAPSCOPESUBTREE,GroupFilter,GroupAttributes,0,"","",10,0,.GroupSearchResult)
#;GroupSearch Status: "_Status
i Status'=$$$LDAPSUCCESS {
w !,"SearchExts error: "_Status_" - "_##Class(%SYS.LDAP).Err2String(Status)
g Error
}
s GroupNumEntries=##Class(%SYS.LDAP).CountEntries(LD,GroupSearchResult)
i GroupNumEntries=-1 {
s Status=##Class(%SYS.LDAP).GetError(LD)
s Status=##Class(%SYS.LDAP).Err2String(Status)
g Error
}
w !
i GroupNumEntries=0 {
w !,"No nested groups for "_Username_" found"
g Done
}
i GroupNumEntries>0 {
}
s GroupCurrentEntry=##Class(%SYS.LDAP).FirstEntry(LD,GroupSearchResult)
i GroupCurrentEntry=0 {
s Status=##Class(%SYS.LDAP).GetError(LD)
w !,"FirstEntry error: "_Status_" - "_##Class(%SYS.LDAP).Err2String(Status)
g Error
}
s Groups=""
While (GroupCurrentEntry'=0) {
s GroupDN=##Class(%SYS.LDAP).GetDN(LD,GroupCurrentEntry)
i GroupDN="" {
s Status=##Class(%SYS.LDAP).GetError(LD)
w !,"GetDN Group error: "_Status_" - "_##Class(%SYS.LDAP).Err2String(Status)
g Error
}
s CN=$p(GroupDN,",",1)
s AD=$p(CN,"=",2)
s AD=$zcvt(AD,"L")
s exists=''$d(^|"%SYS"|SYS("Security","RolesD",AD))
i exists{
s Properties("Roles") = AD
#;w !,Properties("Roles")
}
s GroupCurrentEntry=##Class(%SYS.LDAP).NextEntry(LD,GroupCurrentEntry)
}
Done
i $d(SearchResult) d ##Class(%SYS.LDAP).MsgFree(SearchResult)
i +$d(LD) d ##Class(%SYS.LDAP).UnBinds(LD)
q $SYSTEM.Status.OK()
Error s $zt=""
i $d(SearchResult) d ##Class(%SYS.LDAP).MsgFree(SearchResult)
i +$d(LD) s Status=##class(%SYS.LDAP).UnBinds(LD)
i $ze'=""{
q $SYSTEM.Status.Error($$$CacheError,$ze)
} else {
q $SYSTEM.Status.Error($$$GeneralError,"LDAP error: "_Status_" - "_##Class(%SYS.LDAP).Err2String(Status))
}I need to offer new users on our system a temporary password that is valid for only 48 hours. This is different than a 60-day password expiration window for existing users' passwords (where a password needs to be changed every 60 days), and is different than a "user expiration date", where you can set a date where the user's account expires and is disabled on that date, and different than the inactivity expiration date where a user becomes active if his account is not used within, say, 30 days.
Is there a way to pull a user name and password from the Credentials list that is kept in Ensemble? Right now I have a LDAP user that I have hard coded into my ZAUTHENTICATE, which I would like to get away from. I am not to familiar with settings Global, or calling them at least.
Thanks
Scott
I was running the %File:FileSet class query, with my development user, but I am unable to run this query for an application user. Does anyone know what resource or service is needed to run this query? Assume the user has access to a certain directory on the file system needed for the query.
On second though, having tried almost all the available resources and services, perhaps the user doesn't have access to the directory. How to tell when the error is this:
set ok=st.%PrepareClassQuery("%File","FileSet")
d $system.Status.DisplayError(ok)
ERROR #5540: SQLCODE: -99 Message: User Laura_Test_DEV is not privileged for the operationHi,
I need list all available Windows AD groups .
How I do it?
I need to change the attributes of Windows Users of AD, adding and remove groups.
Note: I was able to make the connection to LDAP, and I listed the groups that a user.
I am working through trying to use ZAUTHENTICATE.mac and LDAP.mac to do Delegated sign on into Ensemble. In reading over the samples and the documentation, I am not clearly finding on how to set the Appropriate Role from the LDAP group I return. Can someone help explain this part to me? If I have a user sign on, and I return a "Group" from the Authentication, how do I get that to transform into the Role I need for Ensemble.
Thanks
Scott Roth
Cache for Windows (x86-64) 2015.1 (Build 429U) Fri Feb 13 2015 14:37:23 EST [HealthShare Modules:Core:12.07.3703 + Linkage Engine:13.04.3703]
Use case: Search an LDAP database from Caché over TLS using Mutual Authentication.
Extract from the %SYS.LDAP documentation:
Hi community ,
i work actually on the access token generation method , i want know where the generated access token are saved ?
My [OAuth2.AccessToken] tabe is empty , it's logical?
thank's for helping .
Best regards
Hi, Community!
Please welcome a new session recording from Global Summit 2017:
Migrating Apps to the Cloud : The Basics
Hi community ,
i use postman for testing my request , i need to extract access token from it (i put it inside the "Get url" using post man before sending my request).
i use the GetAccessTokenFromRequest of (%SYS.OAuth2.AccessToken) class , but in my rest code party , when i send request from post man , i can't extract my access token, it's empty.
can please give me help?
thank you
InterSystems has performed various system and application benchmarks to determine the potential performance impact after the corrections for Meltdown have been applied.
Overall our tests have shown at worst a performance degradation of less than 2% and in some cases slightly better performance, but within the margin of error of testing. All tests confirm that the specific performance impact to a deployed application is directly related to how this application is using system resources. Specifically, this means that in certain cases (e.g. a query) a larger performance impact is possible.
In part 1, part 2, and part 3 parts of this series we set up three user types. In part 4 we saw how to secure model elements and DeepSee items. In this last part of the tutorial we conclude with some remarks on DeepSee security and troubleshooting tips. In particular, we see how pivot tables in User Portal can be "hidden".
In part 1 we started working on a security model for DeepSee and create a user type having privileges typical of end users. In this part we are going to create a second user type with ability to edit and create DeepSee pivot tables and dashboards.
Apart from the database server itself, the standard bundle of the Caché DBMS includes DeepSee, a real-time business intelligence tool. DeepSee is the quickest and the simplest way of adding OLAP functionality to your Caché application.
Another standard component is an Audit subsystem with a web interface, which has the options for expanding with your own event types and an API for using in an application code.
Below is a small example of the joint use of these subsystems that answers the following questions: who did what and when in an information system?
Hi community ,
i worked this last time on the access token generate method , now it's ok, i want use the received access token to have access for asking the resources server.
i found the [%SYS.OAuth2.AccessToken] class which describes how add access token in the http request header , but i don't know how use it in my project.
Do me take only this class or the full package %SYS.OAuth2.
Thank you for helping .
I am trying to find documentation on how Cache Studio locks a Routine/Class a developer is editing.
On the flip side, I am looking for documentation on how Atelier does the same.
Ultimately I am looking for the differences and what happens if both Studio and Atelier through different developers go after the same Routine/Class.
I am not asking for an answer (however that would be nice), I am looking for pointers to documentation.
Hi all, This is a bit embarrassing, and not that critical. I have a local instance of Caché 2016 on my computer, for playing around with. I was attempting to set up two-factor authentication on this instance, and I thought I simply disabled all users except for my own user and enabled two-factor for this user. The next time I tried to login to the Management portal, I received a Server Availability Error:
http://localhost:57772/csp/sys/UtilHome.csp
Caché Server Pages Version 2016.1.1.107.
I tried to implement the Oauth2 in google,
I got authentication, But I unable to read response class.
I got an error as:
I unable to change response Class.
Anyone help me to Change response Class in Client Configuration
or
Is there any option to define response URL manually?
Thanks
I'm trying to write an installer manifest that can create a namespace, resources (%DB_namespace) and a role (with the resource, above), based on the namespace. So you could pass in "ABC", or "XYZ", and it would create the %DB_ABC resource and the ABC role with %DB_ABC:RW permissions; or it will create the %DB_XYZ resource and the XYZ role with %DB_XYZ:RW permissions, accordingly.
I've seen a few reports of issues for Mac users where every relaunch of Atelier throws errors related to Secure Storage . Trying to save a server connection displays the error:
Secure storage may be corrupted: see Help section on troubleshooting.
The server connection also has a red X with a corresponding message in the Error Log:
Secure storage was unable to retrieve the master password from the OS keyring. Make sure that this application has access to the OS keyring. If the error persists, the password recovery feature could be used, or secure storage can be deleted and re-created.
Hi, folks!
When you deploy DeepSee solutions you often do not want grant a User %All Role to work with a particular Dashboard.
Consider a Dashboard 'Dash' with a few widgets where listings are being used.
If you manage a Role to get access to the Dash you need to grant access to %DB_DBNAME resource to have a database access, grant access to a Dashboard resource (if any) and ... grant SELECT accesses to all the tables involved in SQL queries being used in all the listings of widgets.
Hi, Community!
Consider I have ResourceA which is used by role RoleA in dev environment and want to deploy it with the solution on a target system.
Would you please share the best practices to make it?
Thank you in advance!
Hi!
I am not system admin. But it used to be very simple to install CSP Gateway on an apache system on Linux with Apache installed. I used to run the CSP Gateway installation program and after it was done, all I had to do was fine tune some configurations on CSP Gateway portal on http://<ip>/csp/bin/Systems/Module.cxw and I was up and running.
Hi Everybody
Question , I need to define a user that will be limited to only to one namespace.
I defined the start up namespace in the user's definition , but it doesn't limit the user.
Any advice would be appreciated.
Thank you Simcha
Hi,
we´re looking for a way to determine, if the System Management Portal (SMP) is only accessible through ssl/tls -> https. One of our applications send daily reports via email and places some dynamically created links within it. The application runs on the instance being monitorred (Ensemble-Productions).
Since we migrate some of our customers systems to use https for the SMP connection, we need to generate those links with https:// instead of http://. Our application is characterized as kind of a lib so we use it for many of our clients systems.
Hi, Community!
Check the new video of the week on the InterSystems Developers YouTube Channel:
LDAP - Beyond the Simple Schema
