#Security

6

Security in IT is the protection of computer systems from the theft and damage to their hardware, software or information, as well as from disruption or misdirection of the services they provide.

See the InterSystems Documentation on Security.

Article
· Nov 28, 2021 3m read
Leveraging the Audit database

The InterSystems IRIS has a great audit system. It is responsible for auditing system events, but you can use it to audit your applications (great feature).

The audit system is based into event concept. The events can occur with IRIS or in an application. So, we have two type of events to the audit system:

1. System events: events occured into the InterSystems IRIS components (database, interoperability, analytics and core);

Open Exchange app
2 4
1 877

Recently i've been using Restforms2 to create a CRUD API for a project. But it lacks some advanced functionality that we need, so we have created a production with a REST WS which handles those advanced methods. That works great but there's a drawback, it does not have authentication.

I would want to use the same authentication method as Restforms2 which is a basic auth using IRIS users and passwords.

0 4
0 875
Question
· Jan 15, 2018
Access token storage

Hi community ,

i work actually on the access token generation method , i want know where the generated access token are saved ?

My [OAuth2.AccessToken] tabe is empty , it's logical?

thank's for helping .

Best regards

0 5
0 848

About this article:

In InterSystems IRIS, the default form of access to the management portal is HTTP, which means that if the client is in the office and the server is in the cloud, many clients probably desire to encrypt their traffic in some way.

Thus, we would like to show you some ways to encrypt your traffic to and from the IRIS management portal (or various REST services) running on AWS.

2 0
2 807

We are using Cache in our application. We are using default username/password for connecting to the Cache Database through Cache Manege Provider. Can we limit the permission of the user _SYSTEM to access only limited database/namespace.

Can we create new user for ODBC connection? Is there any API provided for creating user with limited access so that the user creation process can be automated.

0 1
0 803
Article
· May 15, 2017 2m read
Security Alerts

Wanna Cry

Most of you should be aware that the Wanna Cry virus is massively infecting un-patched windows machines all around the world. It's particularly affecting the NHS, one of my main clients.

Wanna Cry is one of a line of Viruses that exploit SMBv1 over ports 135 and 445.

A kill switch has been enabled, but this won't protect machines sitting behind http proxies, and there are already reports of new versions without a kill switch.

All windows machines should be isolated and updated a.s.a.p.

3 1
0 801
Question
· Nov 14, 2022
SSL Configuration for Gmail

Hi Community,

I am configuring new SSL Configuration for Gmail (For sending errors to gmail in ensemble production) by following the below steps.

Step1:

Step2:Giving the server address smtp.gmail.com

Step3:Giving the port number , I have tried giving 465,587,25 as port number still is not connecting

Can anyone please tell me where i am doing wrong on configuration?

Thanks,

Saroja.A

0 7
0 787

Hi,

we´re looking for a way to determine, if the System Management Portal (SMP) is only accessible through ssl/tls -> https. One of our applications send daily reports via email and places some dynamically created links within it. The application runs on the instance being monitorred (Ensemble-Productions).

Since we migrate some of our customers systems to use https for the SMP connection, we need to generate those links with https:// instead of http://. Our application is characterized as kind of a lib so we use it for many of our clients systems.

0 4
0 777

Hi, Community!

Suppose I have class A with properties P1 and P2.

I want to introduce class B, which would have same records as Class A, but only one property - P2.

What is the easiest way to manage it assuming that I would like to use Class A to add records and be available for any operations to Users with Role A.

And I would like to introduce class B for Users with role B for read-only access. Preferably they shouldn't even be aware of Class A and P1 existence .

What is the easiest way to introduce it and manage it?

0 10
0 760

I was running the %File:FileSet class query, with my development user, but I am unable to run this query for an application user. Does anyone know what resource or service is needed to run this query? Assume the user has access to a certain directory on the file system needed for the query.

On second though, having tried almost all the available resources and services, perhaps the user doesn't have access to the directory. How to tell when the error is this:

0 13
0 757
Article
· Jul 31, 2019 2m read
Anti CSRF Methods

IRIS provides us with anti login CSRF attack mitigation, however this is not the same as a CSRF attack, as login attacks only occur on the login form. There are currently no built-in tools to mitigate CSRF attacks on api calls and other forms, so this is a step in mitigating these attacks.

See the following link from OWASP for the definition of a CSRF attack:

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

Open Exchange app
4 5
1 748

Presenter: Dan Kutac
Task: Use a common login identity and a central mechanism of authentication across environments from multiple entities
Approach: Provide examples and code samples of an application environment using OpenID Connect and OAuth 2.0

Description: In this session we will demonstrate an application environment using OpenID Connect and OAuth 2.0. Hear how this is done and what options you have; and yes, you get to keep the code.

Problem: How to use a a common login identity (e.g. Facebook credentials) and a central mechanism of authorization cross environments from multiple entities.

Solution: Create awareness and interest in using OAuth 2.0

Content related to this session, including slides, video and additional learning content can be found here.

0 2
0 741
Article
· Jan 29, 2024 12m read
Creating custom login pages with %CSP.Login

The %CSP.Login class is the utility class provided by InterSystems IRIS to do custom login pages. If you want to control your IRIS application authentication UI, you must extend %CSP.Login and override some methods according to your needs. This article is going to detail those methods and what you can do with them. In addition to that, you will get an explanation of the delegated authentication mechanism provided by ZAUTHENTICATE.mac routine.

Open Exchange app
6 2
4 734
Article
· Jan 4, 2018 5m read
Caché audit & DeepSee

Apart from the database server itself, the standard bundle of the Caché DBMS includes DeepSee, a real-time business intelligence tool. DeepSee is the quickest and the simplest way of adding OLAP functionality to your Caché application.

Another standard component is an Audit subsystem with a web interface, which has the options for expanding with your own event types and an API for using in an application code.

Below is a small example of the joint use of these subsystems that answers the following questions: who did what and when in an information system?

1 2
1 718
Article
· Feb 8, 2018 1m read
Atelier security quirk

When defining a server connection in Atelier we are required to enter a username and password because these are mandatory fields in the dialog. However, if the /api/atelier web application definition on that server has only the "Unauthenticated" checkbox set in the section titled "Allowed Authentication Methods", then our Atelier connection will succeed even if we supply an invalid username and/or password.

2 6
0 715

I am trying to find documentation on how Cache Studio locks a Routine/Class a developer is editing.

On the flip side, I am looking for documentation on how Atelier does the same.

Ultimately I am looking for the differences and what happens if both Studio and Atelier through different developers go after the same Routine/Class.

I am not asking for an answer (however that would be nice), I am looking for pointers to documentation.

4 7
0 709

Hi -

I know that when specifying Caché password rules (i.e. what constitutes a valid password definition) that the "Pattern Matching" logic is what is getting leveraged under the covers to enforce the "A Password Must conform to X" rule. I was hoping that people could share some more sophisticated pattern matching rules. (in particular, I was wondering what a rule that would require non-repeating mixture of letter, numbers, & punctuation of an overall minimal size)

1 3
0 703
Article
· Feb 14, 2017 1m read
Can you keep a secret?

If you are developing applications that use CSP or Zen, or potentially any of the other InterSystems web-related stuff that's built on top of CSP, then it's important to know how to keep one particular secret.

A central part of the CSP security architecture is a server-side session key. "Server-side" because its value should never be revealed to the client that is issuing the web requests. If it is revealed, a malicious client might be able to use it to bypass your security and make your server do things you don't want it to.

7 1
0 701
Question
· Jun 15, 2016
Oauth 1.0 library

I am in need of a routine or class method to generate an Oauth 1.0 signature. I was about to code this myself, but thought to check first to see if anyone has already done this and is willing to share.

Thanks in advance for any help.

[UPDATE 06/28/2016]

1 3
0 655

Have you ever thought about leveraging IIS (Internet Information Services for Windows) to improve performance and security for your Caché web applications?
Are you worried about the complexity of properly setting up IIS?

See the webinar Configuring a Web Server presented by @Kyle.Baxter, InterSystems Senior Support Specialist. Learn how to install IIS, set up it up to work with the CSP Gateway, and configure the CSP Gateway to talk to Caché.

4 0
0 653
Article
· Nov 29, 2021 3m read
Previewing Server Manager 3.0 for VS Code

The InterSystems Server Manager extension for Visual Studio Code lets you define connections to your servers, list their namespaces and edit or view code there. You can also launch Portal for a server.

Server Manager 3.0 improves security by becoming a VS Code Authentication Provider. It is my entry for the November 2021 InterSystems Security Contest. Click here to visit the contest page where you may decide to vote for this entry. Please ignore the clickable "Contestant" label on this article header above, as it relates to a different contest for new DC articles. If you want to support me in that contest, simply "like" this post.

Open Exchange app
7 0
1 647
Article
· Mar 7, 2023 10m read
Reference for the JSON Web Classes

Foreword

InterSystems IRIS versions 2022.2 and newer feature a redesigned functionality for JSON web tokens (JWTs). Once housed under the %OAuth2 class package, the JWT class, along with other JSON web classes (JWCs), now live under %Net.JSON. This migration occured in order to modularize the JWCs. Before, they were closely intertwined with the implementation for the OAuth 2.0 framework. Now, they can be maintained and used separately from OAuth2.

2 0
0 637