Security in IT is the protection of computer systems from the theft and damage to their hardware, software or information, as well as from disruption or misdirection of the services they provide.
In part 1 we started working on a security model for DeepSee and create a user type having privileges typical of end users. In this part we are going to create a second user type with ability to edit and create DeepSee pivot tables and dashboards.
InterSystems continuously monitors our systems for any evidence of attempts to exploit vulnerabilities such as the newly announced Meltdown and Spectre attack vectors.
At this time we have seen no indications of attempts to target InterSystems systems or technology using these vulnerabilities.
· InterSystems is aware of recently reported cybersecurity vulnerabilities known as Meltdown and Spectre that affect a wide range of computer processors (See US-CERT Alert TA 18-004A, Meltdown and Spectre Side-Channel Vulnerability Guidance, https://www.us-cert.gov/ncas/alerts/TA18-004A).
Apart from the database server itself, the standard bundle of the Caché DBMS includes DeepSee, a real-time business intelligence tool. DeepSee is the quickest and the simplest way of adding OLAP functionality to your Caché application.
Another standard component is an Audit subsystem with a web interface, which has the options for expanding with your own event types and an API for using in an application code.
Below is a small example of the joint use of these subsystems that answers the following questions: who did what and when in an information system?
Hi community ,
i worked this last time on the access token generate method , now it's ok, i want use the received access token to have access for asking the resources server.
i found the [%SYS.OAuth2.AccessToken] class which describes how add access token in the http request header , but i don't know how use it in my project.
Do me take only this class or the full package %SYS.OAuth2.
Thank you for helping .
I am trying to find documentation on how Cache Studio locks a Routine/Class a developer is editing.
On the flip side, I am looking for documentation on how Atelier does the same.
Ultimately I am looking for the differences and what happens if both Studio and Atelier through different developers go after the same Routine/Class.
I am not asking for an answer (however that would be nice), I am looking for pointers to documentation.
Hi all, This is a bit embarrassing, and not that critical. I have a local instance of Caché 2016 on my computer, for playing around with. I was attempting to set up two-factor authentication on this instance, and I thought I simply disabled all users except for my own user and enabled two-factor for this user. The next time I tried to login to the Management portal, I received a Server Availability Error:
http://localhost:57772/csp/sys/UtilHome.csp
Caché Server Pages Version 2016.1.1.107.
I tried to implement the Oauth2 in google,
I got authentication, But I unable to read response class.
I got an error as:
I unable to change response Class.
Anyone help me to Change response Class in Client Configuration
or
Is there any option to define response URL manually?
Thanks
I've seen a few reports of issues for Mac users where every relaunch of Atelier throws errors related to Secure Storage . Trying to save a server connection displays the error:
Secure storage may be corrupted: see Help section on troubleshooting.
The server connection also has a red X with a corresponding message in the Error Log:
Secure storage was unable to retrieve the master password from the OS keyring. Make sure that this application has access to the OS keyring. If the error persists, the password recovery feature could be used, or secure storage can be deleted and re-created.
Hi, folks!
When you deploy DeepSee solutions you often do not want grant a User %All Role to work with a particular Dashboard.
Consider a Dashboard 'Dash' with a few widgets where listings are being used.
If you manage a Role to get access to the Dash you need to grant access to %DB_DBNAME resource to have a database access, grant access to a Dashboard resource (if any) and ... grant SELECT accesses to all the tables involved in SQL queries being used in all the listings of widgets.
Hi, Community!
Consider I have ResourceA which is used by role RoleA in dev environment and want to deploy it with the solution on a target system.
Would you please share the best practices to make it?
Thank you in advance!
Hi!
I am not system admin. But it used to be very simple to install CSP Gateway on an apache system on Linux with Apache installed. I used to run the CSP Gateway installation program and after it was done, all I had to do was fine tune some configurations on CSP Gateway portal on http://<ip>/csp/bin/Systems/Module.cxw and I was up and running.
Hi Everybody
Question , I need to define a user that will be limited to only to one namespace.
I defined the start up namespace in the user's definition , but it doesn't limit the user.
Any advice would be appreciated.
Thank you Simcha
Hi,
we´re looking for a way to determine, if the System Management Portal (SMP) is only accessible through ssl/tls -> https. One of our applications send daily reports via email and places some dynamically created links within it. The application runs on the instance being monitorred (Ensemble-Productions).
Since we migrate some of our customers systems to use https for the SMP connection, we need to generate those links with https:// instead of http://. Our application is characterized as kind of a lib so we use it for many of our clients systems.
Hi, Community!
Check the new video of the week on the InterSystems Developers YouTube Channel:
LDAP - Beyond the Simple Schema
This is a translation of the following article. Thanks [@Evgeny Shvarov] for the help in translation.
Someone posted a question on DC asking whether it was possible to determine access rights for a particular table row always at runtime, and if it was, how could one do that?
Answer: it is possible and it’s not hard at all.
Hi, Community!
Suppose I have class A with properties P1 and P2.
I want to introduce class B, which would have same records as Class A, but only one property - P2.
What is the easiest way to manage it assuming that I would like to use Class A to add records and be available for any operations to Users with Role A.
And I would like to introduce class B for Users with role B for read-only access. Preferably they shouldn't even be aware of Class A and P1 existence .
What is the easiest way to introduce it and manage it?
Use some proxy-classes? Property-level security?
Hi Community!
If you need to help maintain and monitor your system, you could give additional users access to the Management Portal.
Are you interested? So, check the new Developer Video of the week:
Webinar: Securing the Management Portal
Hi,
I'm unable to locate a set of instructions that would allow me to encrypt the traffic to/from the Cache' Management Portal (that is - run it over HTTPS)
I am referring to the Management portal as hosted by the private Apache Web server instance installed with Cache. (I know how to do this for regular web sites hosted on, for example, IIS).
I would imagine the steps would involve, (a) enable SSL on that apache instance and (b) deploy certificates into the Apache web server.
Does anyone have a step-by-step guide on how this is accomplished ?
Thanks in advance -
Steve
Do you need to give additional users access to the Management Portal to help maintain and monitor your system? You may be wondering what’s the best way to:
- Ensure all users have access to the information they need, when they need it.
- Prevent certain users from seeing sensitive information.
- Prevent users from editing something they shouldn’t.
Watch the webinar titled Securing the Management Portal delivered by Shane Rose, a technical trainer with InterSystems.
Today I helped someone solve a mystery. He had been trying to use the -U namespace argument of a csession command to specify the namespace in which to run a particular routine, and was puzzled when the routine could not be found.
Wanna Cry
Most of you should be aware that the Wanna Cry virus is massively infecting un-patched windows machines all around the world. It's particularly affecting the NHS, one of my main clients.
Wanna Cry is one of a line of Viruses that exploit SMBv1 over ports 135 and 445.
A kill switch has been enabled, but this won't protect machines sitting behind http proxies, and there are already reports of new versions without a kill switch.
All windows machines should be isolated and updated a.s.a.p.
If automatic updates is not on, a patch can be dowloaded from here...
How is the security handled in intersystems for GUI and web services testing part ? Does it have inbuilt security handling packages ? what are the limitations ? Please enlighten.
It's almost a year since I have published a series of articles explaining how to configure Cache instance as a client / resource server / authorization server. By that time, the implementation of OAuth 2.0 was still a pre-release software.
With the advent of Cache version 2017.1 a lot has changed. OAuth 2.0 implementation is fully completed and supported. Numerous new features were added (e.g. dynamic client registration) - see release notes here for full details - and configuration pages have been redesigned to a great extent as well.
Take this online course to learn the basics of SAML (Security Assertion Markup Language), the ways in which it can be used within Caché security features, and some use cases that can be applied to HealthShare productions.
Created by Daniel Kutac, Sales Engineer, InterSystems
Part 3. Appendix
InterSystems IRIS OAUTH classes explained
In the previous part of our series we have learned about configuring InterSystems IRIS to act as an OAUTH client as well as authorization and authentication server (by means of OpenID Connect). In this final part of our series we are going to describe classes implementing InterSystems IRIS OAuth 2.0 framework. We will also discuss use cases for selected methods of API classes.
The API classes implementing OAuth 2.0 can be separated into three different groups according to their purpose. All classes are implemented in %SYS namespace. Some of them are public (via % package), some not and should not be called by developers directly.
Have you ever thought about leveraging IIS (Internet Information Services for Windows) to improve performance and security for your Caché web applications?
Are you worried about the complexity of properly setting up IIS?
See the webinar Configuring a Web Server presented by @Kyle Baxter, InterSystems Senior Support Specialist. Learn how to install IIS, set up it up to work with the CSP Gateway, and configure the CSP Gateway to talk to Caché.
If you have not subscribed to our Developer Community YouTube Channel yet, let's get started right now.
Enjoy!
With the recent release of Caché and Ensemble 2017.1, InterSystems customers can now create configurations where the data-at-rest cryptographic library used is compliant with FIPS 140-2.
Caché and Ensemble now provides you with the option to enable FIPS mode on RedHat 6.6, 7.1 on x86-64. This means is, that InterSystems products will no longer use the supplied crypto libraries that come with the kit, but will use the FIPS validated libraries provided by the Operating Systems vendor.
To configure your system, RedHat must operating in FIPS mode.
Has anyone created Delegated Authentication using the Windows Certificate Store? Thank you for any feedback.