Cach Security Administration Guide

Version 2012.1 01 February 2012

InterSystems Corporation 1 Memorial Drive Cambridge MA 02142 www.intersystems.com

Cach Security Administration Guide Cach Version 2012.1 01 February 2012 Copyright 2011 InterSystems Corporation All rights reserved. This book was assembled and formatted in Adobe Page Description Format (PDF) using tools and information from the following sources: Sun Microsystems, RenderX, Inc., Adobe Systems, and the World Wide Web Consortium at www.w3c.org.The primary document development tools were special-purpose XML-processing applications built by InterSystems using Cach and Java.

Cach WEBLINK, Distributed Cache Protocol, M/SQL, M/NET, and M/PACT are registered trademarks of InterSystems Corporation.

InterSystems Jalapeo Technology, Enterprise Cache Protocol, ECP, and InterSystems Zen are trademarks of InterSystems Corporation. All other brand or product names used herein are trademarks or registered trademarks of their respective companies or organizations. This document contains trade secret and confidential information which is the property of InterSystems Corporation, One Memorial Drive, Cambridge, MA 02142, or its affiliates, and is furnished for the sole purpose of the operation and maintenance of the products of InterSystems Corporation. No part of this publication is to be used for any other purpose, and this publication is not to be reproduced, copied, disclosed, transmitted, stored in a retrieval system or translated into any human or computer language, in any form, by any means, in whole or in part, without the express prior written consent of InterSystems Corporation. The copying, use and disposition of this document and the software programs described herein is prohibited except to the limited extent set forth in the standard software license agreement(s) of InterSystems Corporation covering such programs and related documentation. InterSystems Corporation makes no representations and warranties concerning such software programs other than those set forth in such standard software license agreement(s). In addition, the liability of InterSystems Corporation for any losses or damages relating to or arising out of the use of such software programs is limited in the manner set forth in such standard software license agreement(s). THE FOREGOING IS A GENERAL SUMMARY OF THE RESTRICTIONS AND LIMITATIONS IMPOSED BY INTERSYSTEMS CORPORATION ON THE USE OF, AND LIABILITY ARISING FROM, ITS COMPUTER SOFTWARE. FOR COMPLETE INFORMATION REFERENCE SHOULD BE MADE TO THE STANDARD SOFTWARE LICENSE AGREEMENT(S) OF INTERSYSTEMS CORPORATION, COPIES OF WHICH WILL BE MADE AVAILABLE UPON REQUEST. InterSystems Corporation disclaims responsibility for errors which may appear in this document, and it reserves the right, in its sole discretion and without notice, to make substitutions and modifications in the products and practices described in this document. For Support questions about any InterSystems products, contact: InterSystems Worldwide Customer Support Tel: +1 617 621-0700 Fax: +1 617 374-9391 Email: [email protected]

Table of Contents
About This Book .................................................................................................................................... 1 1 About Cach Security ......................................................................................................................... 3 1.1 Authentication: Establishing Identity ......................................................................................... 4 1.1.1 About Kerberos ................................................................................................................ 4 1.1.2 About Operating-SystemBased Authentication ............................................................. 5 1.1.3 About LDAP Authentication ............................................................................................ 5 1.1.4 About Cach Login .......................................................................................................... 5 1.1.5 About Delegated Authentication ...................................................................................... 5 1.2 Authorization: Controlling User Access ..................................................................................... 6 1.2.1 Authorization Basics ........................................................................................................ 6 1.2.2 Resources and What They Protect .................................................................................... 7 1.2.3 For More Information on Authorization ........................................................................ 10 1.3 Auditing: Knowing What Happened ........................................................................................ 10 1.4 Managed Key Encryption: Protecting Data on Disk ................................................................ 11 1.5 Managing Security with the Management Portal ..................................................................... 11 1.6 Notes on Technology, Policy, and Action ................................................................................. 12 1.7 A Note on Certification ............................................................................................................ 12 2 Authentication ................................................................................................................................... 13 2.1 Authentication Basics ............................................................................................................... 13 2.2 About the Different Authentication Mechanisms ..................................................................... 14 2.2.1 Kerberos Authentication ................................................................................................. 15 2.2.2 Operating-SystemBased Authentication ...................................................................... 15 2.2.3 Cach Login ................................................................................................................... 15 2.2.4 LDAP Authentication ..................................................................................................... 16 2.2.5 Delegated Authentication ............................................................................................... 16 2.2.6 Unauthenticated Access ................................................................................................. 16 2.3 About the Different Access Modes ........................................................................................... 16 2.3.1 About Local Access ........................................................................................................ 16 2.3.2 About Client/Server Access ............................................................................................ 17 2.3.3 About Web Access .......................................................................................................... 17 2.4 Configuring for Kerberos Authentication ................................................................................. 18 2.4.1 About Kerberos and the Access Modes .......................................................................... 18 2.4.2 Specifying Connection Security Levels ......................................................................... 20 2.4.3 Setting Up a Client ......................................................................................................... 21 2.4.4 Obtaining User Credentials ............................................................................................ 23 2.4.5 Setting Up a Secure Channel for a Web Connection ..................................................... 26 2.5 Configuring for Operating-Systembased Authentication ....................................................... 27 2.5.1 A Note on %Service_Console ........................................................................................ 28 2.5.2 A Note on %Service_Callin ........................................................................................... 28 2.6 Configuring for Authentication with Cach Login .................................................................. 28 2.6.1 Web ................................................................................................................................. 29 2.6.2 ODBC ............................................................................................................................. 30 2.6.3 Telnet and Cach Direct ................................................................................................. 30 2.7 Configuring for Two-factor Authentication .............................................................................. 31 2.7.1 Configuring the Server for Two-factor Authentication .................................................. 31 2.7.2 Configuring Web Applications for Two-factor Authentication ...................................... 34

Cach Security Administration Guide iii

2.7.3 Configuring Bindings Clients for Two-factor Authentication ........................................ 34 2.8 Other Topics ............................................................................................................................. 39 2.8.1 System Variables and Authentication ............................................................................. 39 2.8.2 Using Multiple Authentication Mechanisms .................................................................. 39 2.8.3 Cascading Authentication .............................................................................................. 40 2.8.4 Establishing Connections with the UnknownUser Account .......................................... 40 2.8.5 Programmatic Logins ..................................................................................................... 41 2.8.6 The JOB Command and Establishing a New User Identity ........................................... 41 3 Assets and Resources ........................................................................................................................ 43 3.1 About Resources ....................................................................................................................... 43 3.2 System Resources ..................................................................................................................... 44 3.2.1 Administrative Resources ............................................................................................... 44 3.2.2 The %Development Resource ........................................................................................ 46 3.3 Database Resources .................................................................................................................. 46 3.3.1 Database Resource Privileges ........................................................................................ 46 3.3.2 Shared Database Resources ........................................................................................... 47 3.3.3 Default Database Resource ............................................................................................ 47 3.3.4 Unknown or Non-Valid Resource Names ...................................................................... 47 3.3.5 Namespaces .................................................................................................................... 48 3.3.6 Databases that Ship with Cach ..................................................................................... 48 3.4 Application Resources .............................................................................................................. 49 3.5 Creating or Editing a Resource ................................................................................................ 50 3.5.1 Resource Naming Conventions ...................................................................................... 50 3.6 Using Custom Resources with the Management Portal ........................................................... 51 3.6.1 Defining and Applying a Custom Resource to a Page ................................................... 51 3.6.2 Removing a Custom Resource from a Page ................................................................... 51 4 Privileges and Permissions ............................................................................................................... 53 4.1 How Privileges Work ................................................................................................................ 53 4.2 Public Permissions ................................................................................................................... 53 4.3 Checking Privileges .................................................................................................................. 54 4.4 When Changes in Privileges Take Effect .................................................................................. 54 5 Roles ................................................................................................................................................... 55 5.1 About Roles .............................................................................................................................. 55 5.2 Roles, Users, Members, and Assignments ............................................................................... 56 5.2.1 An Example of Multiple Role Assignment .................................................................... 57 5.3 Creating a Role ......................................................................................................................... 58 5.3.1 Naming Conventions ...................................................................................................... 59 5.4 Managing Roles ........................................................................................................................ 59 5.4.1 Viewing Existing Roles .................................................................................................. 59 5.4.2 Deleting a Role ............................................................................................................... 60 5.4.3 Giving New Privileges to a Role .................................................................................... 60 5.4.4 Modifying Privileges for a Role ..................................................................................... 60 5.4.5 Removing Privileges from a Role .................................................................................. 60 5.4.6 Assigning Users or Roles to the Current Role ............................................................... 61 5.4.7 Removing Users or Roles from the Current Role .......................................................... 61 5.4.8 Assigning the Current Role to Another Role ................................................................. 61 5.4.9 Removing the Current Role from Another Role ............................................................ 62 5.4.10 Modifying a Roles SQL-Related Options ................................................................... 62 5.5 Predefined Roles ...................................................................................................................... 65

iv Cach Security Administration Guide

5.5.1 %All ............................................................................................................................... 66 5.5.2 Default Database Resource Roles .................................................................................. 66 5.6 Login Roles and Added Roles .................................................................................................. 66 5.7 Programmatically Managing Roles .......................................................................................... 67 6 Users ................................................................................................................................................... 69 6.1 Properties of Users ................................................................................................................... 69 6.1.1 About User Types ........................................................................................................... 70 6.2 Creating and Editing Users ...................................................................................................... 71 6.2.1 Creating a New User ...................................................................................................... 71 6.2.2 Editing an Existing User ................................................................................................ 72 6.3 Viewing and Managing Existing Users .................................................................................... 75 6.3.1 Deleting a User ............................................................................................................... 76 6.3.2 Viewing a User Profile ................................................................................................... 76 6.4 Predefined User Accounts ........................................................................................................ 76 6.4.1 Default Predefined Account Behavior ............................................................................ 77 6.4.2 Notes on Various Accounts ............................................................................................ 78 6.5 Validating User Accounts ......................................................................................................... 78 7 Services .............................................................................................................................................. 81 7.1 Available Services .................................................................................................................... 81 7.1.1 Notes on Individual Services ......................................................................................... 82 7.2 Service Properties ..................................................................................................................... 84 7.3 Services and Authentication ..................................................................................................... 85 7.4 Services and Their Resources ................................................................................................... 86 8 Applications ....................................................................................................................................... 87 8.1 Applications, Their Properties, and Their Privileges ................................................................ 87 8.1.1 Applications and Their Properties .................................................................................. 88 8.1.2 Associating Applications with Resources ...................................................................... 89 8.1.3 Applications and Privilege Escalation ............................................................................ 89 8.1.4 Checking for Privileges Programmatically .................................................................... 91 8.2 Application Types ..................................................................................................................... 92 8.2.1 Web Applications ........................................................................................................... 92 8.2.2 Privileged Routine Applications ..................................................................................... 93 8.2.3 Client Applications ......................................................................................................... 95 8.3 Creating and Editing Applications ........................................................................................... 95 8.3.1 Creating and Editing an Application: The General Tab ................................................. 96 8.3.2 Editing an Application: The Application Roles Tab ....................................................... 96 8.3.3 Editing an Application: The Matching Roles Tab .......................................................... 97 8.3.4 Editing an Application: The Routines Tab ..................................................................... 97 8.4 System Applications ................................................................................................................. 98 9 Auditing ............................................................................................................................................. 99 9.1 Basic Auditing Concepts .......................................................................................................... 99 9.1.1 Enabling or Disabling Auditing ..................................................................................... 99 9.2 About Audit Events ................................................................................................................ 100 9.2.1 Elements of an Audit Event .......................................................................................... 100 9.2.2 About System Audit Events ......................................................................................... 102 9.2.3 Enabling and Disabling System Events ....................................................................... 105 9.2.4 About User Events ........................................................................................................ 105 9.3 Managing Auditing and the Audit Database .......................................................................... 107 9.3.1 Viewing the Audit Database ......................................................................................... 107

Cach Security Administration Guide v

9.3.2 Copying, Exporting, and Purging the Audit Database ................................................. 108 9.3.3 Encrypting the Audit Database .................................................................................... 110 9.3.4 General Management Functions .................................................................................. 110 9.4 Other Auditing Issues ............................................................................................................. 110 9.4.1 Freezing Cach If There Can Be No Audit Log Writes ............................................... 110 9.4.2 About Counters ............................................................................................................ 111 10 Managed Key Encryption ............................................................................................................ 113 10.1 Managing Keys and Key Files .............................................................................................. 114 10.1.1 Managing Keys .......................................................................................................... 114 10.1.2 Managing Key Files ................................................................................................... 118 10.1.3 Recommended Policies for Managing Keys and Key Files ....................................... 121 10.2 Using Encrypted Databases .................................................................................................. 122 10.2.1 Creating an Encrypted Database ................................................................................ 122 10.2.2 Establishing Access to an Encrypted Database .......................................................... 123 10.2.3 Closing the Connection to an Encrypted Database .................................................... 123 10.2.4 Moving an Encrypted Database Between Instances .................................................. 123 10.2.5 Configuring Cach Database Encryption Startup Settings ........................................ 123 10.2.6 Using Encrypted Databases with Mirroring ............................................................... 127 10.2.7 About Encrypting the Databases that Ship with Cach .............................................. 128 10.3 Using Data Element Encryption ........................................................................................... 128 10.3.1 Programmatically Managing Keys ............................................................................. 128 10.3.2 Data Element Encryption Calls .................................................................................. 129 10.3.3 Support for Re-Keying Data in Real Time ................................................................. 130 10.4 Emergency Situations ........................................................................................................... 131 10.4.1 If the File Containing an Activated Key is Damaged or Missing ............................... 131 10.4.2 If the Database-Encryption Key File Is Required at Startup and Is Not Present ....... 135 10.5 Other Information ................................................................................................................. 136 10.5.1 Performance Information ........................................................................................... 136 10.5.2 Key File Encryption Information ............................................................................... 137 10.5.3 Encryption and Database-Related Cach Facilities ................................................... 137 11 SQL Security ................................................................................................................................. 139 11.1 SQL Privileges and System Privileges ................................................................................. 139 11.2 The SQL Service .................................................................................................................. 140 11.2.1 CREATE USER ......................................................................................................... 140 11.2.2 Effect of Changes ....................................................................................................... 140 11.2.3 Required Privileges for Working with Tables ............................................................ 140 12 System Management and Security .............................................................................................. 143 12.1 System Security Settings Page ............................................................................................. 143 12.2 System-wide Security Parameters ........................................................................................ 143 12.2.1 Protecting Sensitive Data in Memory Images ............................................................ 145 12.3 Authentication Options ......................................................................................................... 145 12.4 Password Strength and Password Policies ........................................................................... 146 12.4.1 Suggested Administrator Password Strength ............................................................. 146 12.5 Protecting Cach Configuration Information ....................................................................... 147 12.6 Managing Cach Security Domains ..................................................................................... 147 12.6.1 Single and Multiple Domains .................................................................................... 147 12.6.2 The Default Security Domain .................................................................................... 148 12.6.3 Listing, Editing, and Creating Domains ..................................................................... 148 12.7 Security Advisor ................................................................................................................... 148

vi Cach Security Administration Guide

12.7.1 Auditing ...................................................................................................................... 149 12.7.2 Services ...................................................................................................................... 149 12.7.3 Roles ........................................................................................................................... 149 12.7.4 Users ........................................................................................................................... 150 12.7.5 CSP, Privileged Routine, and Client Applications ..................................................... 150 12.8 Effect of Changes ................................................................................................................. 150 12.9 Emergency Access ................................................................................................................ 151 12.9.1 Invoking Emergency Access Mode ............................................................................ 151 12.9.2 Emergency Access Mode Behavior ............................................................................ 153 13 Using SSL/TLS with Cach ......................................................................................................... 155 13.1 About SSL/TLS .................................................................................................................... 156 13.2 About Configurations ........................................................................................................... 156 13.2.1 Creating or Editing an SSL/TLS Configuration ........................................................ 157 13.2.2 Deleting a Configuration ............................................................................................ 159 13.2.3 Reserved Configuration Names ................................................................................. 160 13.3 Configuring the Cach Superserver to Use SSL/TLS .......................................................... 160 13.4 Configuring the Cach Telnet Service to Use SSL/TLS ...................................................... 160 13.4.1 Configuring the Cach Telnet Server for SSL/TLS ................................................... 161 13.4.2 Configuring Telnet Clients for SSL/TLS ................................................................... 161 13.5 Configuring .NET Clients to Use SSL/TLS with Cach ...................................................... 162 13.6 Configuring Java Clients to Use SSL/TLS with Cach ........................................................ 162 13.6.1 Determining the Need for a Keystore and a Truststore .............................................. 163 13.6.2 Creating a Client Configuration ................................................................................. 163 13.6.3 Specifying the Use of the Client Configuration ......................................................... 165 13.7 Configuring Cach to Use SSL/TLS with Mirroring ........................................................... 167 13.7.1 About Mirroring and SSL/TLS .................................................................................. 167 13.7.2 Creating and Editing SSL/TLS Configurations for a Mirror ..................................... 168 13.8 Configuring Cach to Use SSL/TLS with TCP Devices ...................................................... 170 13.8.1 Configuring a Client to Use SSL/TLS with a TCP Connection ................................. 170 13.8.2 Configuring a Server to Use SSL/TLS with a TCP Socket ........................................ 172 13.9 Configuring the CSP Gateway to Connect to Cach Using SSL/TLS ................................. 173 13.10 Establishing the Required Certificate Chain ...................................................................... 174 14 Using Delegated Authentication .................................................................................................. 177 14.1 Overview of Delegated Authentication ................................................................................ 177 14.1.1 How Delegated Authentication Works ....................................................................... 177 14.2 Creating Delegated (User-Defined) Authentication Code .................................................... 178 14.2.1 Authentication Code Fundamentals ........................................................................... 178 14.2.2 Signature .................................................................................................................... 179 14.2.3 Authentication Code ................................................................................................... 179 14.2.4 Setting Values for Roles and Other User Characteristics ........................................... 180 14.2.5 Return Value and Error Messages .............................................................................. 183 14.3 Setting Up Delegated Authentication ................................................................................... 184 14.4 After Delegated Authentication Succeeds ............................................................................ 184 14.4.1 The State of the System .............................................................................................. 185 14.4.2 Changing Passwords .................................................................................................. 185 15 Using LDAP Authentication ........................................................................................................ 187 15.1 Configuring Cach to Use an LDAP Server ......................................................................... 188 15.1.1 Specifying a Certificate File on Windows .................................................................. 189 15.1.2 Searching the LDAP Database ................................................................................... 189

Cach Security Administration Guide vii

15.2 Configuring the LDAP Server to Use Registered LDAP Properties .................................... 190 15.3 Setting Up LDAP-based Authentication .............................................................................. 191 15.4 After Authentication The State of the System ................................................................. 192 16 Using Delegated Authorization .................................................................................................... 193 16.1 Overview of Delegated Authorization .................................................................................. 193 16.2 Creating Delegated (User-defined) Authorization Code ...................................................... 193 16.2.1 Working from the ZAUTHORIZE.int Template ........................................................ 194 16.2.2 ZAUTHORIZE Signature .......................................................................................... 194 16.2.3 Authorization Code with ZAUTHORIZE .................................................................. 195 16.2.4 ZAUTHORIZE Return Value and Error Messages .................................................... 197 16.3 Configuring an Instance to Use Delegated Authorization .................................................... 198 16.3.1 Delegated Authorization and User Types ................................................................... 199 16.4 After Authorization The State of the System ................................................................... 199 Appendix A:Tightening Security for a Cach Instance .................................................................. 201 A.1 Enabling Auditing .................................................................................................................. 201 A.2 Changing the Authentication Mechanism for an Application ............................................... 202 A.2.1 Giving the %Service_CSP:Use Privilege to the CSPSystem User ............................. 203 A.2.2 Changing the Password of the CSPSystem User ........................................................ 204 A.2.3 Configuring the CSP Gateway to Provide a Username and Password ........................ 204 A.2.4 Configuring %Service_CSP to Require Password Authentication ............................. 205 A.2.5 Removing the Public Status of the %Service_CSP:Use Privilege .............................. 205 A.2.6 Configuring the Management Portal to Accept Password Authentication Only ......... 205 A.2.7 Specifying the Appropriate Privilege Level for the Instances Users .......................... 206 A.2.8 Making the Documentation or Samples Available ...................................................... 207 A.2.9 Beginning Enforcement of New Policies .................................................................... 208 A.3 Limiting the Number of Public Resources ............................................................................ 208 A.4 Restricting Access to Services ............................................................................................... 209 A.4.1 Limiting the Number of Enabled Services .................................................................. 209 A.4.2 Limiting the Number of Public Services ..................................................................... 210 A.4.3 Restricting Access to Services by IP Address or Machine Name ............................... 210 A.5 Restricting Public Privileges ................................................................................................. 211 A.6 Limiting the Number of Privileged Users ............................................................................. 211 A.7 Disabling the _SYSTEM User .............................................................................................. 212 A.8 Restricting Access for UnknownUser ................................................................................... 212 A.8.1 Potential Lockout Issue with the UnknownUser Account When Increasing Security . 213 Appendix B:Using the cvencrypt Utility .......................................................................................... 215 B.1 Converting an Unencrypted Database to be Encrypted ......................................................... 215 B.2 Converting an Encrypted Database to be Unencrypted ......................................................... 217 B.3 Converting an Encrypted Database to Use a New Key .......................................................... 218 B.4 Using Command-line Options with cvencrypt ...................................................................... 220 B.5 Using cvencrypt in Batch Mode on OpenVMS ..................................................................... 221 Appendix C:Frequently Asked Questions about Cach Security .................................................. 223 Appendix D:Relevant Cryptographic Standards and RFCs ......................................................... 225 Appendix E:Using Character-based Security Management Routines ......................................... 227 E.1 ^SECURITY .......................................................................................................................... 228 E.2 ^EncryptionKey ..................................................................................................................... 229 E.3 ^DATABASE ......................................................................................................................... 230 E.4 ^%AUDIT .............................................................................................................................. 231

viii Cach Security Administration Guide

List of Figures
Figure 11: Cach Security and Different Levels of the Computing Environment ................................ 3 Figure 12: Cach Auditing System ...................................................................................................... 10 Figure 21: Architecture of a Web Connection ..................................................................................... 17 Figure 22: Architecture of a Kerberos-Protected Web Connection ..................................................... 20

Cach Security Administration Guide ix

List of Tables
Table 21: Connection Tools, Their Access Modes, and Their Services ............................................... 19 Table 31: Database Privileges .............................................................................................................. 47 Table 32: %DB_%DEFAULT Privileges ............................................................................................. 47 Table 41: Default Public Privileges ..................................................................................................... 53 Table 51: Role Properties .................................................................................................................... 56 Table 52: Predefined Roles and Their Privileges ................................................................................. 65 Table 61: User Account Properties ...................................................................................................... 69 Table 62: User Profile Properties ......................................................................................................... 76 Table 63: Predefined Users .................................................................................................................. 77 Table 71: Services with Authentication Mechanisms .......................................................................... 85 Table 81: Protection/Escalation Matrix for Secured Applications ...................................................... 90 Table 82: Cach System Web Applications ......................................................................................... 98 Table 91: System Audit Events .......................................................................................................... 103 Table 131: Valid Certificate Distribution Schemes ............................................................................ 175 Table I1: Required Public Resources and Their Permissions ............................................................ 209

x Cach Security Administration Guide

About This Book

This book describes the functionality for securing Cach applications and deployed instances. This book covers the following fundamental topics: About Cach Security provides an overview of the available security features. Authentication explains of the theory and practice of configuring Cach to authenticate its users. Assets and Resources begins the authorization chapters by describing the data and activities Cach protects called assets and how they are represented within Cach as what are called resources. Privileges and Permissions continues the authorization chapters by describing the mechanism for granting access to those resources. Roles continues the authorization chapters by describing how privileges are aggregated into the logical form called roles and how users can be associated with roles. Users continues the authorization chapters by describing the representation of those entities called users within Cach. Services continues the authorization chapters by describing how Cach protects the various means by which users and programs can connect to it, which are called services. Applications concludes the authorization chapters by describing how to create and use application-based security with Cach Auditing describes how to configure Cach to log various activities. Managed Key Encryption explains how to encrypt data on disk.

This books advanced topics are: SQL Security System Management and Security Using SSL/TLS with Cach Using Delegated Authentication Using LDAP Authentication Using Delegated Authorization

The books appendices are: Tightening Security for a Cach Instance Using the cvencrypt Utility Frequently Asked Questions about Cach Security Relevant Cryptographic Standards and RFCs Using Character-based Security Management Routines

For a detailed outline, see the Table of Contents. Other related topics in the Cach documentation set are:

Cach Security Administration Guide 1

About This Book

The Cach Installation Guide, the Preparing for Cach Security appendix provides preliminary setup information for an instance that will use security. Using Cach Server Pages (CSP), the CSP Architecture chapter describes how to configure CSP applications, including security-related properties. Using Cach SQL, the Users, Roles, and Privileges chapter provides the SQL perspective on Cach security.

For general information, see Using InterSystems Documentation.

2 Cach Security Administration Guide

1
About Cach Security
Cach provides a simple, unified security architecture with the following features: It offers a strong, consistent, and high-performance security infrastructure for applications. It meets certification standards. It makes it easy for developers to build security features into applications. It places a minimal burden on performance and operations. It ensures that Cach can operate effectively as part of a secure environment and that other applications and Cach can work together well. It provides infrastructure for policy management and enforcement.

Figure 11: Cach Security and Different Levels of the Computing Environment

Cach security is based on authentication, authorization, auditing, and database encryption: Authentication verifies the identity of all users. It is described in the section Authentication: Establishing Identity. Authorization ensures that users can access the resources that they need, and no others. It is described in the section Authorization: Controlling User Access. Auditing keeps a log of pre-defined system and application-specific events. It is described in the section Auditing: Knowing What Happened. Managed key encryption protects information against unauthorized viewing. It is described in the section Managed Key Encryption: Protecting Data on Disk.

Cach Security Administration Guide 3

About Cach Security

Note:

Cach SQL security uses the Cach authentication infrastructure. The tools for Cach security authorization are described in this book, while the Cach SQL security authorization system is described in the Users, Roles, and Privileges chapter of the Using Cach SQL book.

1.1 Authentication: Establishing Identity

Authentication is how you prove to Cach that you are who you say you are. Without trustworthy authentication, authorization mechanisms are moot one user can impersonate another and then take advantage of the fraudulently-obtained privileges. The authentication mechanisms available depend on how you are accessing Cach. Cach has a number of available authentication mechanisms: Kerberos The most secure means of authentication. The Kerberos Authentication System provides mathematically proven strong authentication over a network. Operating-systembased OS-based authentication uses the operating systems identity for each user to identify that user for Cach purposes. LDAP With the Lightweight Directory Access Protocol (LDAP), Cach authenticates the user based on information in a central repository, known as the LDAP server. Cach login With Cach login, Cach prompts the user for a password and compares a hash of the provided password against a value it has stored. Delegated authentication Delegated authentication provides a means for creating customized authentication mechanisms. The application developer entirely controls the content of delegated authentication code.

You can also allow all users to connect to Cach without performing any authentication. This option is appropriate for organizations with strongly protected perimeters or in which neither the application nor its data are an attractive target for attackers.

1.1.1 About Kerberos

For maximally secure connections, Cach supports the Kerberos authentication system, which provides a highly secure and effective means of verifying user identities. Kerberos was developed at the Massachusetts Institute of Technology (MIT) to provide authentication over an unsecured network, and protects communications using it against sophisticated attacks. The most evident aspect of this protection is that a users password is never transmitted over the network even encrypted. Kerberos is what is called a trusted-third-party system: the Kerberos server holds all sensitive authentication information (such as passwords) and is itself kept in a physically secure location. Kerberos is also: Time-tested Kerberos was originally developed in the late nineteen-eighties. Its principal architecture and design have been used for over a decade at many sites; subsequent revisions have addressed issues that have been discovered over the years. Available on all supported Cach platforms Originally developed for UNIX, Kerberos is available on OpenVMS and all Cach-supported variants of UNIX; Microsoft has integrated Kerberos into Windows 2000 and subsequent versions of Windows. (Note that because the Microsoft .NET framework does not include direct Kerberos support, Cach does not support Kerberos for the Cach Managed Provider for .NET.) Flexibly configurable It accommodates heterogeneous networks.

4 Cach Security Administration Guide

Authentication: Establishing Identity

Scalable The Kerberos protocol minimizes the number of interactions with its Key Distribution Center (KDC); this prevents such interactions from becoming a bottleneck on larger systems. Fast As an open-source product, the Kerberos code has been scrutinized and optimized extensively over the years.

Underlying Kerberos authentication is the AES encryption algorithm. AES the Advanced Encryption Standard is a royalty-free, publicly-defined symmetric block cipher that supports key sizes of 128, 192, and 256 bits. It is part of the US Federal Information Processing Standard (FIPS), as chosen by United States National Institute of Standards and Technology (NIST). For detailed content, see Configuring for Kerberos Authentication in the Authentication chapter.

1.1.2 About Operating-SystemBased Authentication

Cach supports what is called operating-systembased (or OS-based) authentication. With operating system authentication, Cach uses the operating systems user identity to identify the user for Cach. When operating system authentication is enabled, the user authenticates to the operating system using whatever the native mechanism is. For example, on UNIX, this is traditionally a login prompt where the operating system compares a hash of the password to the value stored in the /etc/passwd file. When the user first attempts to connect to Cach, Cach obtains the process operating system level user identity. If this identity matches a Cach username, then that user is authenticated. This capability only applies to server-side processes, such as terminal-based applications (for example, connecting through the Cach terminal) or batch processes started from the operating system. It is not available for an application that is connecting to Cach from another machine, such as when a copy of Cach Studio on one machine is connecting to a Cach server on another. This mechanism is typically used for UNIX and OpenVMS systems, in addition to the Windows console. For detailed content, see Configuring for Operating-SystemBased Authentication in the Authentication chapter.

1.1.3 About LDAP Authentication

Cach supports authentication through the Lightweight Directory Access Protocol (LDAP). In this case, Cach contacts an LDAP server to authenticate users, relying on its database of users and their associated information to perform authentication. The LDAP server also controls all aspects of password management, password policies, and so on. For detailed content, see the Using LDAP Authentication chapter.

1.1.4 About Cach Login

Cach itself can provide a login mechanism. Specifically, Cach maintains a password value for each user account and compares that value to the one provided by the user at each login. (As with traditional OS-based authentication, Cach stores a hashed version of the password. When the user logs in, the password value entered is hashed and the two hashed versions are compared.) The system manager can configure certain password criteria, such as minimum length, to ensure a desired degree of robustness in the passwords selected by users. For detailed content, see Configuring for Authentication with Cach Login in the Authentication chapter.

1.1.5 About Delegated Authentication

Cach supports delegated authentication, so that there is a means for creating customized authentication mechanisms. In this case, the application developer entirely controls the content of delegated authentication code. Cach includes a routine, ZAUTHENTICATE.int, that serves as a template for creating custom authentication code. For detailed content, see the Using Delegated Authentication chapter.

Cach Security Administration Guide 5

About Cach Security

1.2 Authorization: Controlling User Access

Once a user is authenticated, the next security-related question to answer is what that person is allowed to use, view, or alter. This determination and control of access is known as authorization. Authorization manages the relationships of users and resources entities being protected. Resources are as diverse as databases, Cach services (such as for controlling web access), and user-created applications. Note: Cach provides authorization functionality independent of authentication functionality. This means that any authenticated user regardless of the means of authentication can then be authorized to use various resources.

1.2.1 Authorization Basics

The fundamental purpose of Cach security is to establish the relationships between users and the resources that they attempt to use.

1.2.1.1 Resources, Permissions, and Privileges

The primary goal of security is the protection of resources information or capabilities in one form or another. With Cach, resources can be databases, services, applications, tools, and even administrative actions. The system administrator grants access to these by assigning permissions. Together, a resource and an associated, assigned permission are known as a privilege. This is often described using the following shorthand:
Resource-Name:Permission

where Resource-Name is the specific resource for which permissions are being granted and Permission is one or more permissions being associated with the resource. For example, the granting of read and write permissions on the EmployeeInfo database is represented as:
%DB_EmployeeInfo:Read,Write

or
%DB_EmployeeInfo:RW

For most resource types, the relevant permission is Use; for databases, the permissions are Read and Write. Granting or revoking this permission enables or disables access to the resources action(s). For most resources, the name of a resource is <resource-type>_<specific-resource>, such as %Admin_Operate, %Service_SQL, or the %DB_SAMPLES database.

Differences between Resources and Assets

Resources differ from assets as follows: Assets are the items being protected while resources are their logical representation within the Cach security system. A single resource can protect multiple assets.

1.2.1.2 Users and Roles

Cach uses Role-Based Access Control (RBAC) for its authorization model. With this type of model, a user gains the ability to manipulate resources as follows: 1. 2. Resources are associated with permissions to establish privileges. Privileges are assigned to roles.

6 Cach Security Administration Guide

Authorization: Controlling User Access

3.

Roles have members, such as users.

A user connects to Cach to perform some set of tasks. A role describes a set of privileges that a user holds. Roles provide an intermediary between users and privileges. Instead of creating as many sets of privileges as there are users, roles allow you to create sets of task-specific privileges. You can grant, alter, or remove the privileges held by a role; this automatically propagates to all the users associated with that role. Instead of managing a separate set of privileges for each and every user, you instead manage a far smaller number of roles. For example, an application for a hospital might have roles for both a doctor making rounds (RoundsDoctor) and a doctor in the emergency room (ERDoctor), where each role would have the appropriate privileges. An individual user could be a member of just one of the two roles, or of both of them. Cach comes with a set of pre-defined roles: %Manager, %Operator, %Developer, %SQL, and a role for each of the initially-installed databases; the database-related roles have names of the form %DB_<database-name>. Cach also comes with a role called %All, which holds all privileges that is, all permissions on all resources. There is no way to reduce this roles privileges, and at least one user must always belong to this role. Each user has an associated $Roles variable, which contains the list of roles held. Once Cach authenticates a user (using one of the mechanisms described in the section Authentication: Establishing Identity ), it grants that user all associated roles. This set of initially granted roles is known as login roles. A users login roles establishes a default value for the $Roles variable. Once logged in, a user may temporarily be a member of additional roles either from a Cach application or from some part of the Cach system itself; these are reflected in the value of the $Roles variable. The set of roles that a user has at any particular moment is called that users active roles. If, at any point, a call sets the value of $Roles to NULL (""), then the value of $Roles reverts to the login roles. When Cach adds new items to the list of roles in the $Roles variable, this is known as escalating roles. The removal of roles from the list is known as role de-escalation.

About Role Assignment

How users are assigned to roles depends on the authentication mechanism: For Kerberos and OS-based authentication, role assignment occurs within Cach unless there is delegated that is, custom authorization code (see the chapter Using Delegated Authorization for details). For Cach login, role assignment occurs within Cach. For LDAP, role assignment uses the roles specified in the LDAP database. For delegated authentication, role assignment depends on the code in ZAUTHENTICATE. For an instance that supports unauthenticated access, all users hold the privileges associated with the UnknownUser and _PUBLIC accounts; these accounts are described in the sections The UnknownUser Account and The _PUBLIC Account, both of which are in the Users chapter. Regardless of how role assignment occurs, role management that is, associating particular privileges with particular roles occurs within Cach.

Note:

1.2.2 Resources and What They Protect

At the foundation of any security system is that which it protects. With Cach, resources are being protected. There are a number of kinds of resources and each governs a different key aspect of Cach: System resources The ability to perform various tasks for system management, security administration, or application development. See the section System Resources for more information. Database resources Cach databases, which can be altered or read, and which have executable code that can also be altered or run. See Database Resources for more information.

Cach Security Administration Guide 7

About Cach Security

Service resources Tools for connecting to or among Cach servers. See the section Service Resources for more information. Application resources User-defined applications, applications that come with Cach, an action in code, or a page in the Management Portal. See the section Application Resources for more information.

1.2.2.1 System Resources

There are several predefined administrative resources:
%Admin_Operate Controls a set of tasks for system operators. These include:

Starting and stopping (but not configuring) Cach Performing backups

%Admin_Secure Controls a set of tasks for security administrators. These include:

User account management Role management Resource management Starting and stopping services Database encryption tasks

%Admin_Manage Controls a set of tasks related to managing a Cach instance. In addition to those listed for %Admin_Operate and %Admin_Secure, these include

Configuration management Adding, modifying, and deleting databases Modifying namespace mappings Managing backup definition Performing database restores Performing journal restores

%Development Controls development tasks and tools, including:

Using direct mode (the programmer prompt) Establishing Studio connections to a server Using the global, routine, class, table, or SQL capabilities of the Cach Management Portal. Access to global, routine, class, table, or SQL capabilities programmatically Cach debugging facilities

For each system resource, the Use permission enables access.

1.2.2.2 Service Resources

A service controls a users ability to connect to Cach. For example, Telnet and ECP each have associated services. Each service can be enabled or disabled. If disabled, no one, regardless of privilege level, can use the service. If enabled, the services specified authentication mechanism is used to authenticate the user; once authenticated, the service grants access

8 Cach Security Administration Guide

Authorization: Controlling User Access

according to the privilege level specified by the users roles. (For services that support multiple authentication mechanisms, these are used in a pre-determined order.) There are a large number of services available as part of Cach. These include: Client/server services, such as for SQL Console, Telnet, and Terminal (for various kinds of terminal connections) A CSP connection service (for CSP and Zen web applications) Networking services, such as ECP

To use a service, you must hold the Use permission on the services resource.

1.2.2.3 Database Resources

A database refers to a physical file that resides in a particular location. A database resource governs one or more Cach databases. Note: Cach security does not directly control access to namespaces. Since a namespace can be mapped to multiple databases, there can be different security settings for its different underlying parts.

For database resources, there are two permissions available: Read Allows viewing but not modification of content, and also running of routines Write Allows view and modification of content

In each database, all routines that begin with the % character are visible to all users of the entire Cach instance, regardless of their roles. Further, all these routines have read-write privileges on all globals in the database.

The Managers Database

For each Cach instance (that is, each separately installed copy of Cach), there is a database called CACHESYS, which contains routines and globals required to administer the instance. This database is also known as the managers database. Because of the powerful tools available in the managers database, it is necessary to carefully control access to it. Data and routines in it can affect the operation of Cach itself; therefore, to protect the instance as a whole, access to it should be carefully restricted.

1.2.2.4 Application Resources

Application resources can protect a number of different kinds of assets, all of which are associated with either user-defined applications or applications that come with Cach, and can include entire applications, individual actions in code, or pages in the Management Portal. For the purposes of Cach security, an application is a software program or group of Cach routines. To protect applications, Cach supports what is called an application definition. You can associate an application definition with an Application resource (that is, a resource of type Application); this allows you to establish a privilege that regulates its use. Any role that holds the privilege is entitled to run the application. There are three types of application definitions: A privileged routine application definition is associated with one or more Cach routines. A web application definition is associated with a specific Cach Server Pages (CSP) or Zen application. A client application definition is associated with one or more specific executable programs, which have been created as clients for a Cach server.

Cach Security Administration Guide 9

About Cach Security

For example, Cach comes with the DocBook web application for displaying documentation; if you are reading this in a browser, then you are using the DocBook application right now. For more information on applications, see the Applications chapter. In addition to using Application resources to protect the application as a whole, you can also use these resources to perform authorization for a particular piece of code or with a particular Portal page. For more information on adding authorization code into an application, see the section Checking Privileges in the Privileges and Permissions chapter; for more information on authorization checks for a particular Portal page, see the section Using Custom Resources with the Management Portal in the Resources chapter.

1.2.3 For More Information on Authorization

For more information on authorization, see the following chapters in this book: Assets and Resources, Privileges and Permissions, Roles, and Users.

1.3 Auditing: Knowing What Happened

Auditing provides a verifiable and trustworthy trail of actions related to the system. Auditing serves multiple security functions: It provides proof the proverbial paper trail recording the actions of the authentication and authorization systems in Cach and its applications. It provides the basis for reconstructing the sequence of events after any security-related incident. Knowledge of its existence can serve as a deterrent for attackers (since they know they will reveal information about themselves during their attack).

The auditing facility allows you to enable logging for various system events, as well as user-defined events. Authorized users can then create reports based on this audit log, using tools that are part of Cach. Because the audit log can contain sensitive information, running an audit report itself generates an entry for the audit log. The included Cach tools support archiving the audit log and other tasks.

Figure 12: Cach Auditing System

Different environments require different actions if the audit log becomes full. This is why Cach makes this behavior fully configurable. If it becomes impossible to write to the audit database, you can choose to either: Halt Cach

10 Cach Security Administration Guide

Managed Key Encryption: Protecting Data on Disk

Overwrite the oldest existing records

For example, in a critical-care medical environment, a doctor may need to get a medical history in a life-threatening situation. Here, it may be necessary to overwrite the oldest existing records. Otherwise, if this action is supposed to generate an audit entry and the audit database is full, the action will fail. No medical history will be available, with potentially disastrous results. (It is crucial to establish a protocol for unaudited operation, to ensure that an attacker does not intentionally generate a full audit database in order to penetrate a system without being noticed.) Alternatively, a system at a bank may consider auditing itself critical. Here, when the audit log becomes full and it becomes impossible to write to the audit database, then Cach halts. In this case, there can be no further transactions until logging is restored. In either case, it is incumbent on the local system administrator to make a reasonable estimation of how long it will take to fill the audit databases available space and perform maintenance operations in a timely manner.

1.4 Managed Key Encryption: Protecting Data on Disk

The purpose of authentication is to ensure that Cach users are who they say they are. The purpose of authorization is to control access to data through Cach. The purpose of auditing is to keep a record of what has happened during interactions with Cach and its data. In addition to this, there is the need to prevent unauthorized access to data on disk. To protect against such access, Cach provides managed key encryption, a suite of technologies that protects data at rest. This suite includes block-level database encryption, data element encryption for applications, and encryption key management. The tools protect data at rest that is, they secure information stored on disk by preventing unauthorized users from viewing this information. Cach implements encryption using the AES (Advanced Encryption Standard) algorithm. Database encryption and decryption occur when Cach writes to or reads from disk, and the information handled includes the data itself, indices, bitmaps, pointers, allocation maps, and incremental backup maps. Data element encryption is supported by a set of methods that allow an application to encrypt and decrypt content as desired. And, underlying the encryption tools are key management tools that allow for simple creation and management of data encryption keys and the key files that contain them. Those experienced with encryption systems for databases may have concerns about encryption having dire effects on performance, but, with Cach, these concerns are unfounded. Encryption and decryption have been optimized, and their effects are both deterministic and small for any Cach platform; in fact, there is no added time at all for writing to the database. For those requiring more specific information about time for reading the database, an algorithm is available to calculate the overhead. For more information on these tools, see the chapter Managed Key Encryption.

1.5 Managing Security with the Management Portal

To manage security for a Cach instance, use the Management Portal. From the Management Portal home page, the System Administration menu includes submenus for Security and Encryption. The Security submenu contains choices for managing the Cach instance as a whole, including users, roles, services, resources, auditing, and the security properties of any applications defined for the Cach instance. The Encryption submenu contains choices related to the technologies of managed key encryption: database encryption, data element encryption, and encryption key management.

Cach Security Administration Guide 11

About Cach Security

1.6 Notes on Technology, Policy, and Action

Cach can play a significant role in providing security. However, it constitutes only part of a computing environment. To properly and fully secure that environment, Cach must be part of a solution that employs other security products and tools (such as firewalls and the security features of operating systems). This is why the security features in Cach are designed to successfully interoperate with those of other products. Also, although Cach can do much to prevent attacks and misuse of data, it cannot do the entire job. If a user goes to lunch with a Terminal window open, your organizations data is vulnerable to attack. And while technology can solve many security problems, it cannot teach users to behave responsibly. An organization must define clear policies that specify what can, cannot, and must be done. Further, it must educate its members in how to follow these policies and why. Without such an action, all the security in Cach and other products will do no good; with such an action, Cach can be part of a secure and productive environment.

1.7 A Note on Certification

Security certifications are a frequent requirement for government purchases, and are increasingly requested for private sector purchases. Effective February 15, 2007, Cach received certification according to the Common Criteria standard (EAL 3). Common Criteria standard provides a set of common security standards for a wide and growing number of nations around the globe. It provides an evaluation assurance scale with levels from 1 to 4 (EAL), where a products rating indicates the rigor of evaluation to which it has been subjected; commercially available products are rated from one (least rigorous) to four (most rigorous). Cach is certified at EAL 3. Such a level indicates that Cach can effectively serve as part of a highly secure operational environment.

12 Cach Security Administration Guide

2
Authentication
Authentication Basics About the Different Authentication Mechanisms About the Different Access Modes Configuring for Kerberos Authentication Configuring for Operating-Systembased Authentication Configuring for Authentication with Cach Login Configuring for Two-factor Authentication Other Topics

2.1 Authentication Basics

Authentication verifies the identity of any user attempting to connect to Cach. Once authenticated, a user has established communications with Cach, so that its data and tools are available. There are a number of different ways that a user can be authenticated; each is known as an authentication mechanism. Cach is typically configured to use only one of them. The supported authentication mechanisms are: Kerberos Operating-systembased Cach login LDAP authentication Delegated authentication

Cach supports authentication using user-defined code, which is known as delegated authentication. It also supports authentication using LDAP, the Lightweight Directory Access Protocol. Finally, for those sites that prefer no authentication at all, Cach supports unauthenticated access. The authentication mechanism is used by what are called connection tools. These specify the means by which users establish their connection with Cach. Each connection tool (such as the Cach Terminal, Java, or CSP) uses a Cach service that allows the administrator to specify the supported authentication mechanism(s). (A Cach service is a gatekeeper for connecting to Cach; for more information on services, see the chapter Services.)

Cach Security Administration Guide 13

Authentication

There are three categories of connection tools, each of which is known as an access mode. Each access mode has its own characteristics and has its own supported services. The access modes are: Local The user interacts directly with the Cach executable on the machine where that executable is running. Client/Server The user is operating a separate executable that connects to Cach. Web The user has a Web browser and is interacting with Cach through a Web-based application.

An end-user uses a connection tool to interact with Cach in a particular access mode using a particular authentication mechanism. Remember that the processes described in this chapter do not themselves establish authenticated access. Rather, they establish the infrastructure that an application uses when authenticating users via a particular mechanism in a particular access mode. It is recommended that each instance of Cach use only one authentication mechanism and that you choose the instances authentication mechanism prior to installing Cach. Once installation has occurred, you can then begin configuring Cach to use the selected mechanism. This involves several steps: With Kerberos, ensure that all Cach users are listed in the Kerberos KDC (Key Distribution Center) or Windows Domain Controller. With operating-systembased authentication, ensure that all Cach users appear in the operating system list. For all authentication mechanisms, configure all supported services to use only the selected authentication mechanism. For all authentication mechanisms, disable all unsupported services. For all authentication mechanisms, configure all applications to use only the selected authentication mechanism. Regardless of the selected authentication mechanism, during start-up and shut-down, operating system authentication is always used.

Note:

Heres how to use this chapter: 1. If you have already chosen an authentication mechanism, read about it; if you have not chosen an authentication mechanism, read about them all and choose one. The relevant section for this is About the Different Authentication Mechanisms. Read about those access modes that are relevant for your situation in the section About the Different Access Modes. Configure your environment according to the instructions in Configuring for Kerberos Authentication, Configuring for Operating-SystemBased Authentication, or Configuring for Authentication with Cach Login. To use an external mechanism for authentication, Cach includes support for LDAP authentication and delegated (user-defined) authentication. For all authentication mechanisms, Cach supports two-factor authentication. If you want to implement two-factor authentication, configure the instance according to the instructions in the section Configuring Two-factor Authentication.

2. 3.

4.

2.2 About the Different Authentication Mechanisms

Cach has several ways in which it can authenticate a user, that is, verify the identity of a user. These are: Kerberos Authentication Operating-SystemBased Authentication Cach Login

14 Cach Security Administration Guide

About the Different Authentication Mechanisms

LDAP Authentication Delegated Authentication

A site may also be configured for unauthenticated access.

2.2.1 Kerberos Authentication

Where strong authentication is required, Cach can use the Kerberos protocol to enable users and Cach itself to identify each other and to ensure the validity of communications within a session. For a brief overview of Kerberos, see the About Kerberos section in the Introduction chapter of this book; for more detailed information, see the MIT Kerberos Web site and its list of available documentation. In the Kerberos model, there are several different actors. All the different programs and people being authenticated by Kerberos are known as principals. The Kerberos system is administered by a Kerberos Key Distribution Center (KDC); on Windows, the Windows Domain Controller performs the tasks of a KDC. The KDC issues tickets to users so that they can interact with programs, which are themselves represented by service principals. Once a user has authenticated and has a service ticket, it can then use a program. Specifically, Kerberos authentication involves two separate transactions. In the first, the user is authenticated to the Kerberos server and receives what is called a ticket-granting ticket or TGT. In the second, the TGT is used to authenticate the user to Cach, which also leads to authenticating Cach to the user. (Aside from a possible initial password prompt, this is designed to be invisible to the user.) In order for strong authentication to be meaningful, all Cach services that support it must have Kerberos enabled and those that dont support it must be disabled. The exception to this is that services intended to operate within the Cach security perimeter, such as ECP, do not support Kerberos; you can simply enable or disable these services, since they are designed for use in an externally secured environment.

2.2.2 Operating-SystemBased Authentication

With operating-systembased authentication, Cach uses the operating systems user identity to identify the user for Cach purposes. Specifically, the process is: 1. 2. Cach obtains the process operating-system user identity. Cach checks if the operating system identity matches a Cach username. If so, then the user is automatically authenticated for Cach as well.

2.2.3 Cach Login

Cach has its own algorithms for providing password-based authentication. This mechanism is listed in the Management Portal as Password authentication. Since Kerberos and OS-based authentication both typically use passwords, this documentation refers to the native Cach mechanism as Cach login. For password authentication, Cach maintains a password value for each user account and compares that value to the one provided by the user at each log in. (In actuality, Cach does not store the password value itself but a hashed version of it. When the user logs in, that entered password value is hashed and the two hashed versions are compared.) The system manager can establish certain password criteria, such as minimum length, to ensure a certain degree of robustness in the passwords selected by users; the criteria are described in the section Password Strength and Password Policies in the chapter System Management and Security. Note: The password hash function used in Cach security starting with version 5.1 is more robust than those used in prior versions. To take advantage of this, users need to enter new passwords.

Cach Security Administration Guide 15

Authentication

2.2.4 LDAP Authentication

Cach supports authentication based on LDAP (the Lightweight Directory Access Protocol). With LDAP authentication, Cach retrieves user information from a central LDAP repository. Because an environment may already support LDAP authentication, such as with Windows Active Directory, an instance of Cach may be able to use LDAP for its authentication and simply fit into this larger infrastructure. For more details about LDAP authentication, see the chapter Using LDAP Authentication.

2.2.5 Delegated Authentication

Cach supports the use of custom authentication mechanisms through what is known as delegated authentication. Delegated authentication occurs if an instance of Cach has a ZAUTHENTICATE routine in its %SYS namespace. If such a routine exists, Cach uses it to authenticate users, either with calls to new or existing code. For more details about delegated authentication, see the chapter Using Delegated Authentication.

2.2.6 Unauthenticated Access

You can configure any Cach service to operate without any authentication mechanism. This is known as unauthenticated access. Generally, if you configure Cach services to allow unauthenticated access, it is recommended there be unauthenticated access exclusively. If there is support for an authentication mechanism and then unauthenticated access if authentication fails, this is what is called cascading authentication, which is described in the section Cascading Authentication ; the circumstances for using more than one authentication mechanism are described in the section Using Multiple Authentication Mechanisms.

2.3 About the Different Access Modes

Cach supports three access modes: Local Client/Server Web

2.3.1 About Local Access

With local access, the end-user is on the same machine as the Cach server. To gain access to the data, the user runs a private image of Cach that is reading from and writing to shared memory. If there are multiple local users, each has an individual copy of the Cach executable and all the executables point to the same shared memory. Because the user and the executable are on the same machine, there is no need to protect or encrypt communications between the two, since nothing is being passed from one executable to another. Because communications between the user and Cach go on within a single process, this is also known as in-process authentication. Local access is available for: The terminal The Cach terminal uses the %Service_Console service on Windows and the %Service_Terminal service on other operating systems. Callin Callin uses the %Service_CallIn service.

16 Cach Security Administration Guide

About the Different Access Modes

2.3.2 About Client/Server Access

With client/server access, the Cach executable is the server and there is a client executable that can reside on a separate machine. Cach accepts a connection, possibly over a wire, from the client. This connection can use any language or protocol that Cach supports. These include: ActiveX Uses %Service_Bindings C++ Uses %Service_Bindings Cach Direct Uses %Service_CacheDirect ComPort Uses %Service_ComPort Java Uses %Service_Bindings JDBC Uses %Service_Bindings ODBC Uses %Service_Bindings Perl Uses %Service_Bindings Python Uses %Service_Bindings Telnet Uses %Service_Telnet

All connection tools support authentication through Kerberos or Cach login except %Service_ComPort, which only supports authentication through Cach login. In each case, the server specifies the supported authentication type(s). When the client initiates contact with the server, it must attempt to use one of these supported types; otherwise, the connection attempt is rejected. Not all authentication types are available for all connection tools.

2.3.3 About Web Access

The web access mode supports connections of the following form:

Figure 21: Architecture of a Web Connection

1. 2. 3. 4.

A user requests content or an action in a Web browser. The Web browser passes along the request to the Web server. The Web server is co-located with the CSP Gateway and passes the request to the Gateway. The Gateway passes the request to the Cach server.

When the Cach server provides content for or performs an action relating to the user, the entire process happens in the other direction.

Cach Security Administration Guide 17

Authentication

For the user to authenticate to Cach, a username and password must be passed down the line. Hence, this access mode is also known as a proxy mode or proxy connection. Once the information reaches the Cach machine, the arrangement between user and server is similar to that in the local access mode. In fact, the web access mode also uses in-process authentication.

2.4 Configuring for Kerberos Authentication

To configure a Cach instance for Kerberos authentication, the process is: 1. Ensure that Cach is set up to run as a Kerberos service. The procedure varies, depending on the operating system of the Cach server and the type of environment; see the Preparing the Security Environment for Kerberos section of the Preparing for Cach Security appendix of the Cach Installation Guide for more information. 2. 3. 4. Enable the relevant Kerberos mechanisms on the Authentication Options page ([System] > [Security Management] > [Authentication Options]). Determine which services will be used to connect to Cach and disable all other services. For a list of which services are used by what connection tools, see the table Connection Tools, Their Access Modes, and Their Services. For client/server connections, specify what Kerberos connection security level the server requires. This is how you determine which Kerberos features are to be part of connections that use the service. See the section Specifying Connection Security Levels for more information. For client/server connections, perform client-side setup. This ensures that the application has access to the information it needs at runtime. This information includes: The name of the service principal representing Cach. The allowed connection security levels.

5.

Setting up this information may involve configuring a Windows preferred server or some other configuration mechanism. See the section Setting Up a Client for more information. 6. Specify how the authentication process obtains user credentials. This is either by checking the users Kerberos credentials cache or by providing a Kerberos password prompt for the user. See the section Obtaining User Credentials for more information. To maximally secure web connections, set up secure channels for the following connections: Web browser to Web server CSP Gateway to Cach server On Windows, when logged in using a domain account, OS-based and Kerberos authentication are the same. When logged on locally, Kerberos is subject to a KDC spoofing attack and is therefore neither secure nor recommended.

7.

Important:

2.4.1 About Kerberos and the Access Modes

Each connection tool uses a service to establish communications with Cach. It also uses a particular access mode. To ensure maximum protection, determine which services you need, based on which connection tools you are using. If you are not using a service, disable it.

18 Cach Security Administration Guide

Configuring for Kerberos Authentication

The following is a list of connection tools, their access modes, and their services:

Table 21: Connection Tools,Their Access Modes, and Their Services

Connection Tool ActiveX C++ Cach Telnet CallIn Console CSP Java JDBC ODBC Terminal Zen Access Mode Client/Server Client/Server Client/Server Local Local Web Client/Server Client/Server Client/Server Local Web Service
%Service_Bindings %Service_Bindings %Service_Telnet %Service_CallIn %Service_Console %Service_CSP %Service_Bindings %Service_Bindings %Service_Bindings %Service_Terminal %Service_CSP

2.4.1.1 Local
Kerberos authentication for a local service establishes that the user and Cach are both valid Kerberos principals. There is only one machine in use and only one process on that machine; hence, the configuration pages for these services in the Portal allow you to specify whether to use Kerberos prompting (labeled simply as Kerberos in the Management Portal) or Kerberos credentials cache. In this scenario, there is no connection between the user and Cach, since both are using the same process on the same machine. Because the two are sharing a process, there is no information being passed through an insecure medium and therefore no need to offer special protections for this data. (This situation is known as in-process authentication.)

2.4.1.2 Client/Server
Client/server applications include connections from ActiveX, C++, Java, JDBC, ODBC, Perl, Python, and through Cach Direct and Telnet. For a client/server application using Kerberos authentication, the user needs credentials to interact with Cach via the application. The server and client each require configuration. Server configuration specifies which type of connections are accepted; client configuration specifies what type of connection is attempted and may also specify how to obtain the users credentials. With client/server connections, Kerberos supports various connection security levels, which are configured on the Cach server machine: Kerberos Kerberos manages the initial authentication between the user and Cach. Subsequent communications are not protected. Kerberos with Packet Integrity Kerberos manages the initial authentication between the user and Cach; each subsequent message has a hash that provides source and content validation. This provides verification that each message in each direction is actually from its purported sender; it also provides verification that the message has not been altered in transit from sender to receiver. Kerberos with Encryption Kerberos manages initial authentication, ensures the integrity of all communications, and also encrypts all communications. This involves end-to-end encryption for all messages in each direction between the user and Cach.

Cach Security Administration Guide 19

Authentication

2.4.1.3 Web
When running a web application (using either CSP or Zen), the user does not interact directly with the Cach server. To protect all information from monitoring, you need to encrypt the connections between the user and Cach as follows: Configure the Web server so that it uses SSL to secure browser connections to it. Co-locate the Web server and the CSP Gateway, so there is no need to secure the connection between them. Configure the CSP Gateway to use Kerberos authentication and encryption. Use the Gateways Kerberos principal to establish such a connection.

This applies to both CSP and Zen, since Zen uses CSP for its underlying connection. The architecture is:

Figure 22: Architecture of a Kerberos-Protected Web Connection

Any communications between the end-user and Cach occurs through SSL-encrypted or Kerberos-encrypted pipes. For Kerberos-secured connections, this includes the end-users Kerberos authentication. Because the Cach server cannot prompt the end-user for a password, it invokes an API that sends HTML content to the browser to prompt. The user completes this form that has been sent; it travels back to the Web server, which hands it to the CSP Gateway, which then hands it to the CSP server (which is part of Cach itself). The CSP server acts as a proxy on behalf of the user at the browser; this is why this kind of a connection is known as a proxy connection. At the same time, all information related to the user resides on the server machine (as with the local access mode); hence a web connection is also a form of in-process authentication.

2.4.2 Specifying Connection Security Levels

Client/server connections to Cach use one of the following services:
%Service_Bindings ActiveX, C++, Java, JDBC, ODBC, Perl, Python %Service_CacheDirect Cach Direct %Service_Telnet Telnet

For any Kerberos connection using one of these services, you must specify the connection security levels which the server accepts. To configure the services supported connection security levels, the procedure is: 1. On the Authentication Options page ([System] > [Security Management] > [System Security Settings] > [Authentication Options]), specify which connection security levels to enable for the entire Cach instance, where these can be:
Kerberos

Initial authentication only Initial authentication and packet integrity

Kerberos with Packet Integrity

20 Cach Security Administration Guide

Configuring for Kerberos Authentication

Kerberos with Encryption

Initial authentication, packet integrity, and encrypting all messages

For more information on the Authentication Options page, see the section Authentication Options in the chapter System Management and Security. 2. 3. On the Services page ([System] > [Security Management] > [Services]), click the service name (in the Name column); this displays the Edit Service page for the service. On the Edit Service page, specify which connection security levels to require as part of a Kerberos connection. After making this selection, click Save.

If a client attempts to connect to the server using a lower level of security than that which is specified for the server, then the connection is not accepted. If a client attempts to connect to the server using a higher level of security than that which is specified for the server, then the server connection attempts to perform authentication using the level of security that it specified.

2.4.3 Setting Up a Client

When using the client/server access mode, you need to configure the client. The particulars of this process depend on the connection technology being used.

2.4.3.1 Telnet and Cach Direct: Setting Up the Preferred Server for Use with Kerberos
With a Windows client, when establishing a connection using Cach Direct or Cach telnet for Windows, the client uses configuration information that has been stored as part of a remote server. Important: Cach has its own telnet server for Windows. When connecting to a non-Windows machine, there is no Cach telnet server available you simply use the telnet server that comes with the operating system. Once you have established the connection to the server machine, you can then start Cach using the %Service_Terminal service.

To configure a client connection coming in through telnet or Cach Direct, go to the client machine. On that machine, the procedure is: 1. 2. 3. 4. 5. Click on the Cach cube and select Preferred Server from the menu (the Preferred Server choice also displays the name of the current preferred server). From the submenu that appears, choose Add/Edit. To create a new remote server, click the Add button; to configure an already-existing server, choose the Cach server to which you are connecting and click the Edit button. This displays the Add Connection dialog. In the Authentication Method area on that dialog, click Kerberos. This expands the dialog to display a number of additional fields. If you are editing the values for an already-existing server, there should be no need to change or add values for the more general fields in this dialog, as they are determined by the server that you chose to edit. If you are adding a new server, the fields to complete are described in the section Define a Remote Server Connection of the Connecting to Remote Servers chapter of the Cach System Administration Guide. 6. In the dialogs Kerberos-related fields, specify values for the following fields: The connection security level, where the choices are Kerberos authentication only; Kerberos authentication with packet integrity; or Kerberos authentication, packet integrity, and encryption The service principal name. For information on setting up service principal names, see the section Names and Naming Conventions in the appendix Preparing for Cach Security of the Cach Installation Guide.

Cach Security Administration Guide 21

Authentication

If you are configuring a telnet connection to a Windows machine, check the box specifying that the connection use the Windows Cach Telnet server.

7.

Click OK to save the specified values and dismiss the dialog.

2.4.3.2 Setting Up an ODBC DSN for Use with Kerberos

Cach supports Kerberized ODBC connections from clients on Windows, UNIX, and Mac to DSNs (Data Source Nodes) on all platforms. The ways of configuring client behavior vary by platform: On non-Windows platforms, use the Cach ODBC initialization file to specify name-value pairs that provide connection information. This file is described generally in Using Cach ODBC. The file has the following Kerberos-related variables: Authentication Method Specifies how the ODBC client authenticates to the DSN. 0 specifies Cach login; 1 specifies Kerberos. Security Level For Kerberos connections, specifies which functionality is used to protect the connection. 1 specifies that Kerberos is used for authentication only; 2 specifies that Kerberos is used for authentication and to ensure the integrity of all packets passed between client and server; and 3 specifies that Kerberos is used for authentication, packet integrity, and to encrypt all messages. Service Principal Name Specifies the name of Cach service that is serving as the DSN. For example, the service principal might have cache/localhost.domain.com as its name.

The names of these variables must have spaces between the words. They are not case-sensitive. On a Windows client, you can specify connection information either through a GUI or programmatically: Through a GUI, there is an ODBC DSN configuration dialog. Cach provides options on the System DSN tab. This screen has associated help that describes its fields. The path on the Windows Start menu to display this screen varies by version of Windows; it may be listed under Administrative Tools. Important: On 64-bit Windows, there are two versions of odbcad32.exe: one is located in the C:\Windows\System32\ directory and the other is located in the C:\Windows\SysWOW64\ directory. If you are running 64-bit Windows, configure DSNs through the one in C:\Windows\SysWOW64\.

Programmatically, the SQLDriverConnect function is available, which accepts a set of name-value pairs. SQLDriverConnect is a C call that is part of the ODBC API and is documented at the Microsoft Web site. Its name-value pairs are the same as those for the initialization file available on non-Windows platforms.

2.4.3.3 Setting Up a Java or JDBC Client for Use with Kerberos

Cach provides a Java class that serves as a utility to assist with Java client configuration. Run it when you are ready to configure the client. The procedure is: 1. Make sure that the path to CacheJDBC.jar and CacheDB.jar is available to the CLASSPATH variable on the client. By default, this file is in the <cache-install-dir>/dev/java/lib/JDK16 directory. (For general information on setting up Java clients, see the Installation and Configuration section of The Cach Java Binding chapter of Using Java with Cach; for a description of the jar files, see The Cach Java Class Packages in the same chapter.) To configure the client, issue the Java Configure command:
> java com.intersys.jgss.Configure

2.

Note:

This command is case-sensitive.

This program uses Java Generic Security Services (JGSS) to perform the following actions:

22 Cach Security Administration Guide

Configuring for Kerberos Authentication

If necessary, modifies the java.security file. Creates or modifies the isclogin.conf file. Note: The parameters to the login module that appear in the isclogin.conf file depend on whether the server is using the Sun Java implementation or the IBM Java implementation. AIX and SUSE Linux use the IBM implementation; all other supported Cach platforms use the Sun implementation.

3.

The program then prompts you to create and configure the krb5.conf file. If the file exists, the command prompts if you wish to use the existing krb5.conf or replace it; if you choose to replace it, it prompts for the following information: a. b. c. Kerberos realm It offers the local domain in lowercase as a default value for the domain. Primary KDC You only need include the local machine name, as the program appends the Kerberos realm name to the machine name for you. Secondary KDC(s) You can specify the names of zero or more KDCs to replicate the content of the primary KDC.

4. 5.

After receiving this information, run the command a second time. (It instructs you to do this.) When prompted to replace krb5.conf, choose to leave the existing file. The command then tests the connection by prompting for the username and password of a principal in the specified Kerberos realm.

If this succeeds, then client configuration is complete.

2.4.3.4 Setting Up a Client on C++, Perl, Python, and ActiveX for Use with Kerberos
To be able to establish a Kerberized connections through these bindings, you need only configure the Cach server to accept Kerberos connections. Once the server is properly configured, the application then can establish the connection by using the appropriate calls. For information on the appropriate language-specific calls, see the Cach Language Bindings books.

2.4.4 Obtaining User Credentials

For all access modes, you need to specify whether the application obtains the users credentials from an existing credentials cache or by prompting for a username and password.

2.4.4.1 Obtaining Credentials for Local Access Mode

For the local access mode, the users credentials reside on the same machine as Cach. In this situation, the application is using a service to connect to Cach. This includes the following services:
%Service_CallIn %Service_Console %Service_Terminal

To specify how to get credentials, the procedure is: 1. 2. On to the Services page ([System] > [Security Management] > [Services]) and select the service from the Name column. This displays the Edit Service page for the service. On the Edit Service page, specify how to get credentials. Either select prompting (the Kerberos check box) or by using a credentials cache (the Kerberos Credentials Cache check box). Do not mark both. Click Save to use the settings.

Cach Security Administration Guide 23

Authentication

Note:

If you enable both Kerberos (prompting) and Kerberos credentials cache authentication for the service, then the credentials cache authentication takes precedence. This is behavior specified by Kerberos, not Cach.

On Windows with a Domain Controller (the likely configuration for Windows), logging in establishes a Kerberos credentials cache. On UNIX, OpenVMS, and Mac, the typical default condition is to have no Kerberos credentials, so that Cach is then configured to use Kerberos prompting; on these systems, the user can obtain credentials in either of the following ways: Running kinit before invoking the Cach Terminal Logging in to a system where the login process performs Kerberos authentication for the user

In these situations, Cach can be configured to use the credentials cache.

2.4.4.2 Obtaining Credentials for Client/Server Access Mode

For client/server access mode, the users credentials reside on the machine that hosts the client application. In this case, the manner in which you specify how to obtain credentials varies according to how the client is connecting: ActiveX, Cach Direct, C++, ODBC, Perl, Python, and Telnet Java and JDBC

ActiveX, Cach Direct, C++, ODBC, Perl, Python, and Telnet

The underlying Cach code used by these connection tools assumes that end-users already have their credentials; no prompting is necessary. On Windows, every user logged on in the domain has a credentials cache. On other operating systems, a user has a credentials cache if the operating system has performed Kerberos authentication for the user, or if the user has explicitly run kinit. Otherwise, the user has no credentials in the cache and the connection tool fails authentication. Note: Not all connection tools are available on all operating systems.

Java and JDBC

When using Java and JDBC, there are two different implementations of Java available either Sun or IBM. These have several common behaviors and several differing behaviors. Both implementations store information about a connection in properties of an instance of the java.util.Properties class. These properties are: user The name of the user who is connecting to the Cach server. This value is only set for certain connection behaviors. password That users password. This value is only set for certain connection behaviors. service principal name The Kerberos principal name for the Cach server. This value is set for all connection behaviors. connection security level The type of protection that Kerberos provides for this connection. 1 specifies that Kerberos is used for authentication only; 2 specifies that Kerberos is used for authentication and to ensure the integrity of all packets passed between client and server; and 3 specifies that Kerberos is used for authentication, packet integrity, and to encrypt all messages. This value is set for all connection behaviors.

In the following discussions, the instance of the java.util.Properties class is referred to as the connection_properties object, where the value of each of its properties is set with a call to the connection_properties.put method, such as

24 Cach Security Administration Guide

Configuring for Kerberos Authentication

String principalName = "MyCacheServer"; connection_properties.put("service principal name",principalName);

For both implementations, credentials-related behavior is determined by the value of a parameter in the isclogin.conf file (see Setting Up a Java or JDBC Client for Use with Kerberos for more information on this file). There are two differences between the behavior of the two Java implementations: To specify credentials-related behavior, the parameter name to set in the isclogin.conf file differs for each implementation: For IBM, it is useDefaultCcache. For Sun, it is useTicketCache.

There are different behaviors available on each implementation. These are described in the following sections.

Specifying Behavior on a Client Using the IBM Implementation The options are: To use a credentials cache, set the value of the useDefaultCcache parameter to TRUE and do not set the values of the user or password properties. Note that if no credentials cache is available, then an exception is thrown. To use a username and password that are passed in programmatically, set the value of the useDefaultCcache parameter to FALSE and set the values of the user and password properties. To prompt for a username and password, set the value of the useDefaultCcache parameter to FALSE and do not set the values of the user or password properties. Because these properties do not have values set, classes from libraries supplied with Cach can be used to generate prompts for them.

Specifying Behavior on a Client Using the Sun Implementation The options are: To exclusively use a username and password that are passed in programmatically, set the value of the useTicketCache parameter to FALSE and set the values of the user and password properties. To exclusively prompt for a username and password, set the value of the useTicketCache parameter to FALSE and do not set the values of the user or password properties. Because these properties do not have values set, classes from libraries supplied with Cach can be used to generate prompts for them. To exclusively use a credentials cache, set the value of the useTicketCache parameter to TRUE. To prevent any further action, set the values of the user and password properties to bogus values; this prevents prompting from occurring and ensures the failure of any authentication attempt based on the properties values. To attempt to use a credentials cache and then fall through to using a username and password that are passed in programmatically, set the value of the useTicketCache parameter to TRUE and set the values of the user and password properties. If there is no credentials cache, then the properties values are used. To attempt to use a credentials cache and then fall through to prompting for a username and password, set the value of the useTicketCache parameter to TRUE and do not set the values of the user or password properties. If there is no credentials cache, then classes from libraries supplied with Cach can be used to generate prompts for them.

2.4.4.3 Obtaining Credentials for Web Access Mode

With a Web-based connection that uses Kerberos, there is always a username and password prompt. If these result in authentication, the users credentials are placed in memory and then discarded when no longer needed.

Cach Security Administration Guide 25

Authentication

2.4.5 Setting Up a Secure Channel for a Web Connection

To maximally secure a web connection, it is recommended that the two legs of communication both between the browser and the Web server and then between the CSP Gateway and Cach use secure channels. This ensures that any information, such as Kerberos usernames and passwords, be protected in transmission from one point to another. To secure each communications channel, the procedure is: Between the Web browser and Web server Between the CSP Gateway and Cach

2.4.5.1 Securing the Connection between a Web Browser and Web Server
The typical means of securing a connection between a Web browser and a Web server is to use SSL (Secure Sockets Layer) or TLS (Transport Layer Security), its successor. While Cach does not provide implementations of these technologies to accomplish this, various third-party products provide this capability.

2.4.5.2 Setting Up a Kerberized Connection from the CSP Gateway to Cach

To set up a secure, encrypted channel between the CSP Gateway and the Cach server, you need a Kerberos principal that represents the Gateway. This principal establishes an encrypted connection to Cach, and all information is transmitted through the connection. This allows an end-user to authenticate to Cach and prevents any snooping during that process. Note: For information on setting up a connection between the CSP Gateway and the Cach server that is protected by SSL/TLS, see the Configuring the CSP Gateway to Connect to Cach Using SSL/TLS section of the Using SSL/TLS with Cach chapter.

The procedure is: 1. Determine or choose the name of the Kerberos principal that represents the Gateway. For Windows, this is the principal name representing the Gateway hosts network service session (that is, the name of the machine hosting the Gateway with the $ appended to it machine_name$, , such as Athens$). For other platforms, this is any valid principal name entered as the username in the Gateway configuration screen; this identifies the appropriate key in the key table file. 2. 3. 4. 5. Create a user in Cach with the same name as the Gateways Kerberos principal. To do this, follow the instructions in the section Creating a New User in the Users chapter. Give that user permissions to use, read, or write any required resources (these are also known as privileges). This is done by associating those privileges with a role and then associating the user with the role. Configure the %Service_CSP service. To do this, complete the fields described in the section Service Properties in the Services chapter. Configure the Gateway so that it can contact the server. The procedure is: a. b. c. From the Management Portal home page, select Configuration >> CSP Gateway Management. This displays the Web Gateway management page. On the Web Gateway management page, there are a set of choices on the left. Under Configuration, click Server Access. This displays the Server Access page. On the Server Access page, you can add a new configuration or edit an existing one. To add a new configuration, click the Add Server button; to edit an existing one, select it from the list on the left, select the Edit Server radio button, and click Submit. This displays the page for editing or configuring server access parameters. In addition to the general parameters on this page (described on its help screen), this page allows you to specify securityrelated parameters for the Gateway. For Kerberos connections, these are:

26 Cach Security Administration Guide

Configuring for Operating-Systembased Authentication

Connection Security Level Choose the kind of protection that you would like Kerberos to attempt to provide

this connection. (Note that this must match or exceed the type of security specified for the CSP service in the previous step.) The name of the Kerberos principal that represents the Gateway. (This must be the same principal as was used in the first step of this process.)
User Name

Do not specify a value for this. (This field is used when configuring the Gateway for use with Cach login.)
Password Product

Cach or Ensemble, depending on which product you are using.

The name of the principal that represents the Cach server. This is typically a standard Kerberos principal name, of the form cache/machine.domain , where cache is a fixed string indicating that the service is for Cach, machine is the machine name, and domain is the domain name, such as intersystems.com .
Service Principal Name Key Table When connecting to an instance of Cach on Windows, leave this field blank; for other operating

systems, provide the name of the keytab file containing the permanent key belonging to the CSP Gateway, including the full path. After entering all these values, click the Save Configuration button to save them. The CSP service is now ready to configured. This means that it can now provide the necessary underlying infrastructure to support a web application. When creating a secured web application, the application developer needs to: 1. 2. 3. Choose an authentication method. Configure the roles for the application. If required, make sure the browser-to-Web server connection uses SSL.

2.5 Configuring for Operating-Systembased Authentication

Operating-systembased authentication (sometimes called OS-based authentication) is only available for local processes, namely: Callin (%Service_Callin) Console (%Service_Console) Terminal (%Service_Terminal)

To set up the use of this type of authentication, the procedure is: 1. 2. 3. On the Authentication Options page ([System] > [Security Management] > [Authentication Options]), select Allow Operating System authentication. On to the Services page ([System] > [Security Management] > [Services]) and select the service from the Name column. This displays the Edit Service page for the service. On the Edit Service page, choose operating-systembased (the Operating System check box).

Cach Security Administration Guide 27

Authentication

Click Save to use the settings. This type of authentication requires no other configuration actions. Note: On Windows, when logged in using a domain account, OS-based and Kerberos authentication are the same.

2.5.1 A Note on %Service_Console

Since the console (%Service_Console) is a Windows-based service and Windows domain logins typically use Kerberos, consoles OS-based authentication provides authentication for local logins.

2.5.2 A Note on %Service_Callin

With callin (%Service_Callin), OS-based authentication is only available from an OS-level prompt. When using callin programmatically, OS-based authentication is not supported only unauthenticated access is available.

2.6 Configuring for Authentication with Cach Login

The services available for authentication with Cach login are:
%Service_Binding %Service_CSP %Service_CacheDirect %Service_CallIn %Service_ComPort %Service_Console %Service_Telnet %Service_Terminal

For a service to use Cach login, you must configure it as follows: 1. 2. 3. 4. 5. On the Authentication Options page ([System] > [Security Management] > [Authentication Options]), enable authentication with Cach login by selecting Allow Password authentication). For the particular service, go to the Services page ([System] > [Security Management] > [Services]) and select that service, such as %Service_Bindings, in the Name column; this displays the Edit Service page for the service. On this page, choose Cach login, listed simply as Password from the list of authentication types. Click Save to save this setting. In addition to this basic procedure, certain services require further configuration. This is described in the following sections: Web ODBC Telnet and Cach Direct

28 Cach Security Administration Guide

Configuring for Authentication with Cach Login

2.6.1 Web
For web access, you can optionally require that the CSP Gateway authenticate itself to the Cach server through Cach login. To perform this configuration, the procedure is: 1. 2. 3. From the Management Portal home page, select System Administration >> Configuration >> CSP Gateway Management. This displays the Web Gateway management page. On the Web Gateway management page, there are a set of choices on the left. Under Configuration, click Server Access. This displays the Server Access page. On the Server Access page, you can add a new configuration or edit an existing one. To add a new configuration, click the Add Server button; to edit an existing one, select it from the list on the left, select the Edit Server radio button, and click Submit. This displays the page for editing or configuring server access parameters. In addition to the general parameters on this page (described on its help screen), this page allows you to specify security-related parameters for the Gateway. For Cach login connections, these are:
Connection Security Level

Choose Password from the drop-down list to use Cach login.

User Name The user name under which the Gateway service runs (the installation process creates the CSPSystem

user for this purpose). This user (CSPSystem or any other) should have no expiration date; that is, its Expiration Date property should have a value of 0.
Password Product

The password associated with the user account just entered.

Cach or Ensemble, depending on which product you are using. Do not specify a value for this. (This field is used when configuring the Gateway for

Service Principal Name

use with Kerberos.)

Key Table

Do not specify a value for this. (This field is used when configuring the Gateway for use with Ker-

beros.) After entering all these values, click the Save Configuration button to save them. It is important to remember that the authentication requirements for the Gateway are not directly related to those for an application that uses the Gateway. For example, you can require Cach login as the authentication mechanism for a web application, while configuring the Gateway to use Kerberos authentication or no authentication at all. In fact, choosing a particular authentication mechanism for the Gateway itself makes no technical requirement for the web application, and vice versa. At the same time, some pairings are more likely to occur than others. If a web application uses Kerberos authentication, then using any other form of authentication for the Gateway means that Kerberos authentication information will be flowing through an unencrypted channel, thereby potentially reducing its effectiveness. With a web application that uses Cach login, the username and password of the end-user are passed from the browser to the Web server, which then hands them to the co-located CSP Gateway. Since the Gateway has its own connection to the Cach server, it then passes the username and password to the Cach server. To establish its connection to the Cach server, the Gateway uses the CSPSystem account, which is one of the Cach pre-defined accounts. By default, all these transactions are unencrypted. You can use SSL to encrypt messages from the browser to the Web server. You can use Kerberos to encrypt messages from the Gateway to the the Cach server as described in the section Setting Up a Secure Channel for a CSP Connection; if you are not using Kerberos, you may prefer to physically secure the connection between the host machines, such as by co-locating the Gateway and Cach server machines in a locked area with a direct physical connection between them.

Cach Security Administration Guide 29

Authentication

2.6.2 ODBC
Cach supports Cach login for ODBC connections among all its supported platforms. This requires client-side configuration. The ways of configuring client behavior vary by platform: On non-Windows platforms, use the Cach ODBC initialization file to specify name-value pairs that provide connection information . This file is described generally in Using Cach ODBC. The file has the following variables relevant to Cach login: Authentication Method Specifies how the ODBC client authenticates to the DSN. 0 specifies Cach login; 1 specifies Kerberos. UID Specifies the name for the default user account for connecting to the DSN. At runtime, depending on application behavior, the end-user may be permitted to override this value with a different user account. Password Specifies the password associated with the default user account. If the end-user has been permitted to override the UID value, the application will accept a value for the newly specified users password.

On a Windows client, you can specify connection information either through a GUI or programmatically: Through a GUI, there is an ODBC DSN configuration dialog. Cach provides options on the System DSN tab. This screen has associated help that describes its fields. The path from the Windows Start menu to display this screen varies by version of Windows; it may be listed in the Windows Control Panel, under Administrative Tools, on the screen for Data Sources (ODBC). Programmatically, the SQLDriverConnect function is available, which accepts a set of name-value pairs. SQLDriverConnect is a C call that is part of the ODBC API and is documented at the Microsoft Web site. Its name-value pairs are the same as those for the initialization file available on non-Windows platforms, except that the password is identified with the PWD keyword.

2.6.3 Telnet and Cach Direct

When establishing a connection using Cach Direct and the Cach Telnet server for Windows, the client uses configuration information that has been stored as part of a Cach remote server. To configure a remote server, go to the client machine. On that machine, the procedure is: 1. 2. 3. 4. 5. Click on the Cach cube and select Preferred Server from the menu (the Preferred Server choice also displays the name of the current preferred server). From the submenu that appears, choose Add/Edit. To create a new remote server, click the Add button; to configure an already-existing server, choose the Cach server to which you are connecting and click the Edit button. This displays the Add Connection dialog. In the Authentication Method area on that dialog, click Password for Cach login. If you are editing the values for an already-existing server, there should be no need to change or add values for the more general fields in this dialog, as they are determined by the server that you chose to edit. If you are adding a new server, the fields to complete are described in the section Define a Remote Server Connection of the Connecting to Remote Servers chapter of the Cach System Administration Guide. 6. Click OK to save the specified values and dismiss the dialog.

30 Cach Security Administration Guide

Configuring for Two-factor Authentication

Important:

When connecting to a non-Windows machine using telnet, there is no Cach telnet server available you simply use the telnet server that comes with the operating system. Once you have established the connection to the server machine, you can then connect to Cach using the %Service_Terminal service.

2.7 Configuring for Two-factor Authentication

In addition to the authentication mechanism in use, Cach supports the use of two-factor authentication. This means that Cach authentication can require that the user possess two separate elements or factors. The first is an authentication token (usually a password, as is typically required for most authentication mechanisms). The second factor is the users mobile phone; Cach challenges the user to demonstrate possession of the mobile phone by sending a randomly generated eight-digit one-time security token to the phone and challenging the user to enter that code via the computer within a specified amount of time. Two-factor authentication is enabled on a per-service basis and, if enabled, is required for all of a services users. Twofactor authentication is available for the %Service_Bindings, %Service_Console, %Service_CSP, and %Service_Terminal services; for more information about services, see the Services chapter. The major steps to using two-factor authentication are: 1. 2. For an instance to support two-factor authentication, you must configure the server to use it; this is an administrative task that uses the Management Portal. For web applications and client/server applications, there is an additional step, which depends on the service in use: a. For web applications (those that use %Service_CSP), there is a separate step of configuring each application to support it. (Web applications are either CSP applications or Zen applications, which themselves use CSP for their underlying technology.) For client/server applications (those that use %Service_Bindings), there is a separate step of adding the appropriate calls into the client application to support it; this is a programming task that varies according to the client-side component in use (for example, ODBC, JDBC, C++, Java, .NET, Python, or Perl).. For the Cach Terminal, which uses the %Service_Console service on Windows and the %Service_Terminal service on other operating systems, there is no configuration required other than server-side setup; since Cach controls the prompting in these, it simply follows the standard prompt (regardless of the authentication mechanism) with the two-factor authentication prompt and processes user input accordingly.

b.

Note:

2.7.1 Configuring the Server for Two-factor Authentication

The steps in configuring the Cach server for two-factor authentication are: 1. 2. Enabling and configuring two-factor authentication for the instance as a whole. Configuring the mobile phone service provider(s), if necessary. This includes: 3. Adding any mobile phone service providers if any are required and are not included in the list of default providers. Changing configuration information as necessary for any existing providers (default or added).

Configuring each user to include a mobile phone number and mobile phone service provider. This is the phone number at which the user receives a text message containing the one-time security token.

Cach Security Administration Guide 31

Authentication

Important:

Configure users prior to configuring services. If a service uses two-factor authentication and a user does not have a mobile phone or cannot receive text messages on that phone, then it is impossible for that user to authenticate.

4.

Enabling two-factor authentication for each service that is going to use it. Services that support two-factor authentication are:
%Service_Bindings Connections that use language bindings, such as Java, C++, .NET, and xDBC. All

bindings connections require client-side configuration as described in the section Configuring Bindings Clients for Two-factor Authentication.
%Service_Console and %Service_Terminal Terminal connections (though the console or terminal,

depending on the operating system). For the Cach terminal or console,all that is required is server configuration.
%Service_CSP Web (CSP or Zen) connections. Web applications must be configured to support two-factor

authentication; this is described in the section Configuring Web Applications for Two-factor Authentcation.

2.7.1.1 Enabling and Configuring Two-factor Authentication for an Instance

To enable two-factor authentication for an instance, the procedure is: 1. 2. 3. From the Management Portal home page, go to the Authentication Options page ([System] > [Security Management] > [Authentication Options]). On that page, select the Enable two-factor authentication check box. This displays the Two-factor Authentication area of the page. In the Two-factor Authentication area, complete the following fields:
DNS name of SMTP server The DNS (Domain Name Service) name of the SMTP (Simple Mail Transfer Protocol)

server that is in use for the instance of Cach, such as smtp.example.com (required).
From (address)

Address to appear in the From field of message (required).

Optional timeout in seconds for entering the one-time security token. A negative value for this property is equivalent to having a value of zero.
Timeout (in seconds) SMTP username Password

Optional username for SMTP authentication (if the SMTP server requires it).

Password options of: Allows for entering and confirming a new password

4.

Enter new password Clear password Leave as is

Removes any entry for the password

Leaves in password entry with its current value

Click Save.

2.7.1.2 Configuring Mobile Phone Service Providers

The topics related to configuring mobile phone service providers are: Creating or Editing a Mobile Phone Service Provider Deleting a Mobile Phone Service Provider Predefined Mobile Phone Service Providers

32 Cach Security Administration Guide

Configuring for Two-factor Authentication

Creating or Editing a Mobile Phone Service Provider

To create or edit a mobile phone service provider, the procedure is: 1. From the Management Portal home page, go to the Mobile Phone Service Providers page ([System] > [Security Management] > [Mobile Phone Service Providers]): To create a new provider, click Create New Provider. To edit an existing provider, click Edit on the providers row in the table of providers.

This displays the Edit Phone Provider page for the selected mobile phone service provider. 2. On the Edit Phone Provider page, enter or change the value for each of the following fields:
Service Provider SMS Gateway

The name of the mobile phone service provider (typically, its company name).

The address of the server that the mobile phone service provider uses to dispatch SMS (short message service) messages.

You can also create a mobile phone service provider when editing a user, as described in the section Configuring a User for Two-factor Authentication.

Deleting a Mobile Phone Service Provider

To delete a mobile phone service provider, the procedure is: 1. 2. 3. From the Management Portal home page, go to the Mobile Phone Service Providers page ([System] > [Security Management] > [Mobile Phone Service Providers]). On the Mobile Phone Service Providers page, in the row of the provider, click Delete. When prompted to confirm the deletion, click OK.

Predefined Mobile Phone Service Providers

Cach ships with a predefined list of mobile phone service providers, each with its SMS (short message service) gateway preset. These are: AT&T Wireless txt.att.net Alltel message.alltel.com Cellular One mobile.celloneusa.com Nextel messaging.nextel.com Sprint PCS messaging.sprintpcs.com T-Mobile tmomail.net Verizon vtext.com

2.7.1.3 Configuring a User for Two-factor Authentication

To configure a user to receive a one-time security token for two-factor authentication, the procedure is: 1. 2. From the Management Portal home page, go to the Users page ([System] > [Security Management] > [Users]): For an existing user, click Edit in the row of the user to edit; for a new user, begin creating the user by clicking Create New User (for details about creating a new user, see the Creating a New User section of the Users chapter). Either of these actions displays the Edit User page. On the Edit User page, provide values for the following fields:

3.

Cach Security Administration Guide 33

Authentication

The company that provides mobile phone service for the user. Either select a provider from those listed or, if the provider does not appear in the list, click Create new provider to add a new provider for the Cach instance. (Clicking Create new provider displays the Add Phone Provider window, which has fields for the Service Provider and the SMS Gateway, the purpose of which are identical to those described in the section Creating or Editing a Mobile Phone Service Provider.)
Mobile phone service provider Mobile phone number The users mobile phone number. This is the second factor, and is where the user receives

the text message containing the one-time security token. 4. Click Save to save these values for the user. Before enabling two-factor authentication for a service, you must configure the services users to be able to receive the one-time security tokens. Enabling it for the service requires that the instance have the mobile phone numbers and service providers for all authenticating users, so that the instance can send the onetime security tokens during the second phase of authentication.

Important:

2.7.1.4 Enabling or Disabling Two-factor Authentication for a Service

To enable or disable two-factor authentication for a service, the procedure is: 1. 2. 3. 4. From the Management Portal home page, go to the Services page ([System] > [Security Management] > [Services]). On the Services page, click the name of the service for which you wish to enable two-factor authentication. This displays the Edit Service page for the service. On the services Edit Service page, select or clear the Two-Factor Authentication Enabled check box. (Note that this check box only appears if two-factor authentication is enabled for the instance.) Click Save.

2.7.2 Configuring Web Applications for Two-factor Authentication

Once you have enabled two-factor authentication for an instance and for the CSP service, you must enable it for all web applications that will use it. The procedure to enable it for an application is: 1. 2. 3. From the Management Portal home page, go to the Web Applications page ([System] > [Security Management] > [Web Applications]). On the Web Applications page, for the application you wish to enable two-factor authentication, click Edit in its row, which displays the Edit Web Application page for it. On the Edit Web Application page, select the Two Factor Enabled check box and click Save.

For general information about the Edit Web Application page, see the CSP Application Options section of the CSP Architecture chapter of the Using Cach Server Pages (CSP) book.

2.7.3 Configuring Bindings Clients for Two-factor Authentication

Client/server connections use %Service_Bindings. For these connections, the code required to use two-factor authentication varies by programming language. (Note that Console, Terminal, and web applications do not require any client-side configuration.) Supported languages include: C++ Java and JDBC .NET

34 Cach Security Administration Guide

Configuring for Two-factor Authentication

ODBC Perl Python

Client-side code performs three operations: 1. 2. 3. After establishing a connection to the Cach server, it checks if two-factor authentication is enabled on the server. Typically, this uses a method of the clients connection object. It gets the one-time security token from the user. This generally involves user-interface code that is not specifically related to Cach. It provides the one-time security token to the Cach server. This also typically uses a connection object method. Studio, which connects to the Cach server using %Service_Bindings, does not support two-factor authentication.

Important:

2.7.3.1 C++
With C++, support for two-factor authentication uses two methods of the tcp_conn class:
bool tcp_conn::is_two_factor_enabled()

This method checks if two-factor authentication is enabled on the server. It returns a boolean; true means that twofactor authentication is enabled.
bool tcp_conn::send_two_factor_token(const wchar_t* token, Conn_err* err)

This method provides the two-factor authentication token to the server. It returns a boolean; true means that the user has been authenticated. It takes two arguments: token, the two-factor authentication token that the user has received. Note that the client application is responsible for obtaining the value of the token from the user. err, an error that the method throws if the user does not successfully authenticate. If two-factor authentication is enabled on the server and the client code does not implement two-factor authentication calls, then the server will drop the connection with the client.

Important:

The following example uses an instance of a connection called conn: 1. 2. It uses that instances methods to check if two-factor authentication is enabled. It attempts to provide the token to the server and performs error processing if this fails. Note that the sample code here assumes that the application code has stored the one-time security token in a variable of type std::string; it then uses the c_str method of the string class to extract the one-time security token as a null-terminated string to pass to the server.

// Given a connection called "conn" if (conn->is_two_factor_enabled()) { // Prompt the user for the one-time security token. // Store the token in the "token" variable of type std::string. Conn_err err; if (!conn->send_two_factor_token(token.c_str(), &err;)) // Process the error from a invalid authentication token here. }

Note:

The light C++ binding does not support two-factor authentication.

Cach Security Administration Guide 35

Authentication

2.7.3.2 Java and JDBC

With Java, support for two-factor authentication uses two methods of the CacheConnection class:
public boolean isTwoFactorEnabled() throws Exception

This method checks if two-factor authentication is enabled on the server. It returns a boolean; true means that twofactor authentication is enabled.
public void sendTwoFactorToken(String token) throws Exception

This method provides the one-time security token to the server. It takes one argument, token, the one-time security token that the user has received. The following example uses an instance of a connection called conn: 1. 2. It uses that instances methods to check if two-factor authentication is enabled. It attempts to provide the token to the server and performs error processing if this fails. If two-factor authentication is enabled on the server and the client code does not implement two-factor authentication calls, then the server will drop the connection with the client.

Important:

// Given a connection called "conn" if (conn.isTwoFactorEnabled()) { // Prompt the user for the two-factor authentication token. // Store the token in the "token" variable. try { conn.sendTwoFactorToken(token); } catch (Exception ex) { // Process the error from a invalid authentication token here. } }

2.7.3.3 .NET
For .NET, Cach supports connections with two-factor authentication with the managed provider and with ADO.NET. Support for two-factor authentication uses two methods of the tcp_conn class:
bool CacheConnection.isTwoFactorEnabledOpen()

This method opens a connection to the Cach server and checks if two-factor authentication is enabled there. It returns a boolean; true means that two-factor authentication is enabled.
void CacheConnection.sendTwoFactorToken(token)

This method provides the one-time security token to the server. It has no return value. It takes one argument, token, the one-time security token that the user has received. If there is a problem with either the token (such as if it is not valid) or the connection, then the method throws an exception. Important: A client application makes a call to isTwoFactorEnabledOpen instead of a call to CacheConnection.Open. The isTwoFactorEnabledOpen method requires a subsequent call to sendTwoFactorToken. Also, if two-factor authentication is enabled on the server and the client code does not implement twofactor authentication calls, then the server will drop the connection with the client. The following example uses an instance of a connection called conn: 1. 2. It uses that instances methods to check if two-factor authentication is enabled. It attempts to provide the token to the server and performs error processing if this fails.

36 Cach Security Administration Guide

Configuring for Two-factor Authentication

// Given a connection called "conn" try { if (conn.isTwoFactorEnabledOpen()) { // Prompt the user for the two-factor authentication token. // Store the token in the "token" variable. conn.sendTwoFactorToken(token); } } catch (Exception ex) { // Process exception }

2.7.3.4 ODBC
With ODBC, support for two-factor authentication uses two standard ODBC function calls (which are documented in the Microsoft ODBC API Reference):
SQLRETURN rc = SQLGetConnectAttr(conn, 1002, &attr, sizeof(attr), &stringLengthPtr);

The SQLGetConnectAttr function, part of the Microsoft ODBC API, returns the current value of a specified connection attribute. The Cach ODBC client uses this function to determine if the server supports two-factor authentication. The value of the first argument is a handle to the connection from the client to the server; the value of the second argument is 1002, the ODBC attribute that specifies whether or not two-factor authentication is supported; the values of the subsequent arguments are for the string containing the value of attribute 1002, as well as relevant variable sizes.
SQLRETURN rc = SQLSetConnectAttr(conn, 1002, unicodeToken, SQL_NTS);

The SQLSetConnectAttr function, also part of the Microsoft ODBC API, sets the value of a specified connection attribute. The Cach ODBC client uses this function to send the value of the two-factor authentication token to the server. The values of the four arguments are, respectively: The connection from the client to the server.
1002, the ODBC attribute that specifies whether or not two-factor authentication is supported.

The value of the one-time security token.

SQLNTS, which indicates that the one-time security token is stored in a string.

Important:

If two-factor authentication is enabled on the server and the client code does not implement two-factor authentication calls, then the server will drop the connection with the client.

The following example uses an instance of a connection called conn: 1. 2. It uses SQLGetConnectAttr to check if two-factor authentication is enabled. It attempts to provide the token to the server with the SQLSetConnectAttr call and performs error processing if this fails. If SQLSetConnectAttr fails, the server drops the connection, so you need to reestablish the connection before you can attempt authentication again.

// Given a connection called "conn" SQLINTEGER stringLengthPtr; SQLINTEGER attr; SQLRETURN rc = SQLGetConnectAttr(conn, 1002, &attr, sizeof(attr), &stringLengthPtr); if attr { // Prompt the user for the two-factor authentication token. wstring token; SQLRETURN rc = SQLSetConnectAttr(conn, 1002, token, SQL_NTS); if !rc { // Process the error from a invalid authentication token. } }

2.7.3.5 Perl
With Perl, support for two-factor authentication uses two methods of the Intersys::PERLBIND::Connection class:

Cach Security Administration Guide 37

Authentication

is_two_factor_enabled()

This method checks if two-factor authentication is enabled on the server. It returns a integer; 1 means that two-factor authentication is enabled and 0 means that it is disabled.
send_two_factor_token($token)

This method provides the two-factor authentication token to the server. It returns a integer; 1 indicates success and 0 indicates failure. Its argument, $token, is the two-factor authentication token that the user has received and then entered at the client prompt. Note that the client application is responsible for obtaining the value of the token from the user. Important: If two-factor authentication is enabled on the server and the client code does not implement two-factor authentication calls, then the server will drop the connection with the client.

The following example uses an instance of a connection called conn: 1. 2. It uses that instances methods to check if two-factor authentication is enabled. It attempts to provide the token to the server and performs error processing if this fails.

// Given a connection called "conn" if ($conn->is_two_factor_enabled()) { # Prompt the user for the one-time security token. # Store the token in the "token" variable of type std::string. if (!$conn->send_two_factor_token($token)) { # Process the error from a invalid authentication token here. } else { # two-factor authentication succeeded } else { # Handle if two-factor authentication is not enabled on the server. }

Cach comes with sample programs that demonstrate two-factor authentication with Perl. These programs are in the install-dir\dev\perl\ directory, and are samples\two_factor.pl. For more information on Perl sample programs for use with Cach, see the Sample Programs section of the Cach Perl Binding chapter of Using Perl with Cach.

2.7.3.6 Python
With Python, support for two-factor authentication uses two methods of the intersys.pythonbind.connection class:
is_two_factor_enabled()

This method checks if two-factor authentication is enabled on the server. It returns a boolean; true means that twofactor authentication is enabled.
send_two_factor_token(token)

This method provides the two-factor authentication token to the server. It returns a boolean; true means that the user has been authenticated. It takes one argument, token, the two-factor authentication token that the user has received. Note that the client application is responsible for obtaining the value of the token from the user. Note: Python leaves carriage returns in input. This means that, when processing the one-time security token, it is necessary to strip any carriage returns out of it. If two-factor authentication is enabled on the server and the client code does not implement two-factor authentication calls, then the server will drop the connection with the client.

Important:

The following example uses an instance of a connection called conn: 1. It uses that instances methods to check if two-factor authentication is enabled.

38 Cach Security Administration Guide

Other Topics

2.

It attempts to provide the token to the server and performs error processing if this fails.

// Given a connection called "conn" if conn.is_two_factor_enabled(): # Prompt the user for the one-time security token. # Store the token in the "token" variable of type std::string. # Make sure that the carriage returns are stripped from the string. if !conn.send_two_factor_token(token): # Process the error from a invalid authentication token here. else: # two-factor authentication succeeded else: # Handle if two-factor authentication is not enabled on the server.

Cach comes with sample programs that demonstrate two-factor authentication with Python. These programs are in the install-dir\dev\Python\ directory; they are samples\two_factor.py for Python 2.6 and samples3\two_factor.py for Python 3.0. For more information on Python sample programs for use with Cach, see the Sample Programs section of the Cach Python Binding chapter of Using Python with Cach.

2.8 Other Topics

Areas covered in this section are: System Variables and Authentication Using Multiple Authentication Mechanisms Cascading Authentication Establishing Connections with the UnknownUser Account Programmatic Logins The JOB Command and Establishing a New User Identity

2.8.1 System Variables and Authentication

After authentication, two variables have values: $USERNAME contains the username $ROLES contains a comma-delimited list of the roles held by the user

The $ROLES variable allows you to manage roles programmatically. For more information on this, see the section Programmatically Managing Roles in the Roles chapter.

2.8.2 Using Multiple Authentication Mechanisms

The one situation in which InterSystems recommends the use of multiple authentication mechanisms is when moving from a less rigorous mechanism to a more rigorous one. For example, if an instance has been using no authentication and plans to make a transition to Kerberos, the following scenario might occur: 1. 2. 3. For the transition period, configure all supported services to allow both unauthenticated and Kerberos-authenticated access. Users can then connect using either mechanism. If appropriate, install new client software (which uses Kerberos for authentication). Once the list of Cach users has been synchronized with that in the Kerberos database, shut off unauthenticated access for all services.

Cach Security Administration Guide 39

Authentication

The use of multiple authentication mechanisms is often in conjunction with cascading authentication, described in the next section.

2.8.3 Cascading Authentication

While Cach supports for a number of different authentication mechanisms, InterSystems recommends that you do not use any other password-based authentication mechanism along with Kerberos. Also, there are limited sets of circumstances when it is advisable for an instance to have multiple authentication mechanisms in use. If a service supports multiple authentication mechanisms, Cach uses what is called cascading authentication to manage user access. With cascading authentication, Cach attempts to authenticate users via the specified mechanisms in the following order: Kerberos cache (includes Kerberos with or without integrity-checking or encryption) OS-based LDAP (with checking the LDAP credentials cache second) Delegated Cach login Unauthenticated If a service specifies Kerberos prompting and this fails, there is no cascading authentication. If a service specifies both Kerberos prompting and Kerberos cache, then Cach uses Kerberos cache only.

Note:

For example, if a service supports authentication through: 1. 2. 3. Kerberos cache OS-based Unauthenticated

If a user attempts to connect to Cach, then there is a check if the user has a Kerberos ticket-granting ticket; if there is such a ticket, there is an attempt to obtain a service ticket for Cach. If this succeeds, the user gets in. If either there is no initial TGT or a Cach service cannot be obtained, authentication fails and, so, cascades downward. If the user has an OS-based identity that is in the Cach list of users, then the user gets in. If the users OS-based identity is not in the Cach list of users, then authentication fails and cascades downward again. When the final option in cascading authentication is unauthenticated access, then all users who reach this level gain access to Cach. Note: If an instance supports cascading authentication and a user is authenticated with the second or subsequent authentication mechanism, then there have been login failures with any mechanisms attempted prior to the successful one. If the %System/%Login/LoginFailure audit event is enabled, these login failures will appear in the instances audit log.

2.8.4 Establishing Connections with the UnknownUser Account

If Cach login and unauthenticated mode are both enabled, then a user can simply press Enter at the Username and Password prompts to connect to the service in unauthenticated mode, using the UnknownUser account. If only Cach login is enabled, then pressing Enter at the Username and Password prompts denies access to the service; Cach treats this as a user attempting to log in as the UnknownUser account and providing the wrong password.

40 Cach Security Administration Guide

Other Topics

2.8.5 Programmatic Logins

In some situations, it may be necessary for a user to log in after execution of an application has begun. For example, an application may offer some functionality for unauthenticated users and later request the user to log in before some protected functionality is provided. An application can call the Cach log in functionality through the Login method of the $SYSTEM.Security class with the following syntax:
set success = $SYSTEM.Security.Login(username,password)

where success is a boolean where 1 indicates success and 0 indicates failure username is a string holding the name of the account logging in password is a string holding the password for the username account

If the username and password are valid and the user account is enabled and its expiration date has not been reached, then the user is logged in, $USERNAME and $ROLES are updated accordingly, and the function returns 1. Otherwise, $USERNAME and $ROLES are unchanged and the function returns 0. No checking of privileges occurs as a result of executing $SYSTEM.Security.Login. As a result, it is possible that the process has lost privileges that were previously held. There is also a one-argument form of $SYSTEM.Security.Login:
set success = $SYSTEM.Security.Login(username)

It behaves exactly the same as the two-argument form except that no password checking is performed. The single-argument form of $SYSTEM.Security.Login is useful when applications have performed their own authentication and want to set the Cach user identity accordingly. It can also be used in situations where a process is executing on behalf of a specific user but is not started by that user. Note: The single-argument Login method is a restricted system capability as described in the section Special Capabilities in the Resources chapter.

2.8.6 The JOB Command and Establishing a New User Identity

When a process is created using the JOB command, it inherits the security characteristics (that is, the values of $USERNAME and $ROLES) of the process that created it. Note that all roles held by the parent process, User as well as Added, are inherited. In some cases, it is desirable for the newly created process to have $USERNAME and $ROLES values that are different from its parents values. For example, a task manager might be created to start certain tasks at certain times on behalf of certain users. While the task manager itself would likely have significant privileges, the tasks should run with the privileges of the users on whose behalf they are executing, not with the task managers privileges. The following pseudocode illustrates how this can be done:

Cach Security Administration Guide 41

Authentication
WHILE ConditionToTest { IF SomeThingToStart { DO Start(Routine, User) } } Start(Routine, User) { NEW $ROLES // Preserve $USERNAME and $ROLES // Try to change username and roles IF $SYSTEM.Security.Login(User) { JOB ... QUIT $TEST } QUIT 0 // Login call failed }

42 Cach Security Administration Guide

3
Assets and Resources
Once a user has authenticated, the available resources are determined by the authorization facilities in Cach security. Authorization protects Cach components from inappropriate use, and involves the following concepts: 1. 2. An asset is something that is protected. For instance, a Cach database is an asset, the ability to connect to Cach using SQL is an asset, and the ability to perform a backup is an asset. Assets are protected via resources. Sometimes there is a one-to-one correspondence between assets and resources, that is a single asset (such as a database) is protected by one resource. In other cases, multiple assets are protected by a single resource, in order to simplify security management. For instance, a variety of system management functions are protected by a single resource. A privilege grants permission to do something with one or more assets protected by a resource, such as being able to read the orders database. A privilege is written as a resource name followed by a permission separated by a colon, such as:
%DB_Sales:Read

3.

For more information on privileges, see the chapter Privileges and Permissions. Cach includes a set of resources for assets that it protects that is, to which it provides access for users based on the rights that they hold. You can also define your own resources. This chapter addresses issues related to resources and the assets that they protect. Topics include: About Resources System Resources Database Resources Application Resources Creating or Editing a Resource Using Custom Resources with the Management Portal

3.1 About Resources

There are multiple resource types: System Resources For controlling the ability to perform various actions for a Cach instance. For more information on these resources, see the System Resources section of this chapter.

Cach Security Administration Guide 43

Assets and Resources

These resources are %Admin_Journal, %Admin_Manage, %Admin_Operate, %Admin_Secure, %Admin_Task, %Development, and %System_Callout. Database Resources For controlling read and write access to Cach databases. For more information on these resources, see the Database Resources section of this chapter. The database resources for a newly installed Cach instance are %DB_CACHE, %DB_CACHEAUDIT, %DB_CACHELIB, %DB_CACHESYS, %DB_CACHETEMP, %DB_DOCBOOK, %DB_SAMPLES, %DB_USER, and %DB_%DEFAULT. Service Resources For controlling the ability to connect to Cach using various Cach connection technologies. For more information on these resources and the functionality that they control, see the chapter Services. Not all services have associated privileges only those services for which Cach provides user-based access; other services, such as database shadowing, are not user-based and, as a result, do not have associated security resources. For more information on managing services, see the chapter Services. The service resources are %Service_CSP, %Service_CacheDirect, %Service_Callin, %Service_ComPort, %Service_Console, %Service_Login, %Service_Object, %Service_SQL, %Service_Telnet, and %Service_Terminal. DeepSee Resources For controlling the ability to use various aspects of DeepSee. For more information on these resources, see the Setting Up Security chapter in the DeepSee II Implementation Guide. Application Resources Either for controlling the whole of a user-defined application or for perform authorization checks anywhere in user code. For information on these resources generally, see the Application Resources section of this chapter. For information on creating these resources, see the Creating or Editing a Resource section of this chapter.

3.2 System Resources

Cach comes with a set of built-in resources that govern actions in relation to the installed Cach instance. (These were formerly known collectively as the administrative and development resources.) System resources include the %System_Callout resource, which is described in the Services. chapter.

3.2.1 Administrative Resources

If you receive privileges involving an administrative resource, then you can perform designated Cach systems administration tasks. Their associated permission is Use Read and Write are not relevant for them. %Admin_Journal Having the Use permission on this resource allows users to set and clear the no-journaling process flag via the ENABLE^%SYS.NOJRN and DISABLE^%SYS.NOJRN entry points, respectively, in programmer mode in the Cach Terminal. This resource allows you to establish users who can perform this action without having to give them the Use permission on the %Admin_Manage resource, which might give them more privileges than necessary or desired. %Admin_Manage Most visibly, this resource controls access to various pages in the Management Portal. Specifically, it controls the ability to: Create, modify, and delete Cach configurations. Create, modify, and delete backup definitions.

44 Cach Security Administration Guide

System Resources

Add databases, modify database characteristics, and delete databases. Modify namespace map. Perform database and journal restores. Set and clear the no-journaling process flag via the ENABLE^%SYS.NOJRN and DISABLE^%SYS.NOJRN entry points, respectively, in programmer mode in the Cach Terminal. Note that if you wish for a user to be able to perform this task without other managerial privileges, use the %Admin_Journal resource.

%Admin_Operate Most visibly, this resource controls access to various pages in the Management Portal. Specifically, it controls the ability to: Start and stop Cach. Examine and terminate processes. Mount and dismount databases. Perform integrity checks. Start, stop, and switch journals. Perform database backups. Examine and delete locks. Examine logs. Start and stop services.

The %Admin_Operate:Use privilege is required to mount a database, either explicitly (such as when using a Cach utility) or implicitly (such as when making a global reference to an un-mounted database). %Admin_Secure Most visibly, this resource controls access to various pages in the Management Portal. Specifically, it controls the ability to: Create, modify, delete users. Create, modify, delete roles. Create, modify, delete application definitions and application resources. Modify audit settings. Modify services.

%Admin_Tasks Most visibly, this resource controls the ability to create, modify, or run a task, such as through the Management Portals Task Manager ([Home] > [Task Manager]). Note that users holding privileges on %Admin_* resources can carry out administrative functions without having any database privileges (%DB_<database-name>:R/W). For example, a user (presumably a system operator) holding the %Admin_Operate:Use privilege can perform backups without holding privileges on any of the databases being backed up. This is as it should be, since there is no reason for an operator to have access to the contents of databases other than through applications such as the Cach database backup system.

Cach Security Administration Guide 45

Assets and Resources

3.2.2 The %Development Resource

The %Development resource controls access to Cach development facilities and various pages in the Management Portal. Specifically, it controls the ability to: Enter direct mode. Use Cach Studio. The %Development:Use privilege is checked whenever the Studio connects to a server. Use the global, routine, class, table, or SQL capabilities of the Cach system manager utility. (This privilege is also required to call any APIs that provide programmatic access to this functionality.) Use the debugging facilities of Cach, including the BREAK and ZBREAK commands and the debug option of the process display in the Cach system manager utility.

The %Development:Use privilege works in conjunction with database privileges to control developer access to Cach as follows: For Cach Studio, the %Development:Use privilege is checked whenever the Studio connects to a server. In order to connect, the user must have the %Development:Use privilege for the server and be able to read the default global database for the namespace (that is, have the %DB_<database-name>:R privilege for it). In order to open a routine, class or other definition, the user must have the Read privilege for the database in which it is stored (which may or may not be the default routine database). In order to compile or save a definition, the user must have the Write privilege for that database. For the global, routine, or class capabilities of the Cach system manager utility, the user must have the Read or Write privileges for the database to access or modify globals. For the SQL capabilities of the Cach system manager utility, the user must have the appropriate SQL privileges for the tables, views, stored procedures, or other SQL assets. If you have some form of SQL access to a table in a database, you are also granted Read or Write access to that database.

To debug a Cach application, you need no specific database privileges. If you hold the %Development:Use privilege for the system, you can set a breakpoint in any routine stored in any database on that system. However, you must have the Read privilege for a database to: View routine source via the debugger Execute a routine

3.3 Database Resources

Database resources control access to the contents of Cach databases. The name of the database resource that governs access to a database is stored in the label block of that database. All database resource names must start with the string %DB_ and, for custom resources, the first character after the underscore should not be the percent sign. The default database resource name is %DB_<database-name>. You can change the resource name assigned to a database by using the Management Portal.

3.3.1 Database Resource Privileges

The available database privileges are:

46 Cach Security Administration Guide

Database Resources

Table 31: Database Privileges

Permission Read Write Enables Data access and routine execution Modification and deletion of data (including executable code)

Read and Write permissions provide access to all contents of a database, including source and executable code as well as data. Cach security management utilities automatically grant the Read permission for any database resource where there is Write access. Database privileges do not enable protection of individual items, such as routines or globals, within a database. Rather, the same protection is applied to all items of a resource within a database. You can establish higher granularity of protection by storing globals and routines in separate databases. Cach namespace mapping allows you to do this without any application-level modifications. Note: SQL security grants table-level access, specifying which particular action can be performed, such as SELECT or UPDATE. For more information on SQL and security, see the chapter SQL Security.

3.3.2 Shared Database Resources

Often, there is a one-to-one correspondence between databases and the resources used to protect them. For instance, protection for the CACHESYS database is specified using the %DB_CACHESYS resource and protection for the SAMPLES database is specified using the %DB_SAMPLES resource. However, this is not a requirement and, when several databases share the same security definitions they can share the same security resource. Consider a sales application with three databases. Rather than define access for each of these individually, the system manager has the choice option to: 1. 2. 3. Create a new database resource, such as %DB_SALES. Assign this resource to the three databases. Specify suitable access to %DB_SALES which then governs access to all three databases.

3.3.3 Default Database Resource

When mounting an existing database that has no database resource name, Cach assigns the default resource, %DB_%DEFAULT, to the database. By default, %DB_%DEFAULT has the following permissions:

Table 32: %DB_%DEFAULT Privileges

Role
%Developer %Manager

Permissions Read, Write Read, Write

While you can change the privileges associated with %DB_%DEFAULT resource, you cannot delete the %DB_%DEFAULT resource itself, since it must be available if an unnamed database is mounted.

3.3.4 Unknown or Non-Valid Resource Names

If you attempt to mount a database that has an unknown or invalid database resource name, the attempt fails. (This might occur if a database were moved from one Cach instance to another.) An automatic mount attempt fails with an error and

Cach Security Administration Guide 47

Assets and Resources

an explicit mount attempt prompts you with the choice of creating the resource named in the database label or changing the database to use a valid resource.

3.3.5 Namespaces
Users and applications interact with Cach databases through namespaces. While there are no privileges associated with namespaces, access to a namespace is granted or denied based on the privileges associated with the underlying databases. More specifically, to access a namespace, you must hold the Read privilege on the default globals database associated with that namespace. This requirement is checked when: A process attempts to change to a different namespace, such as by using the $NAMESPACE special variable, the ZNSPACE command, or the %CD utility There is an attempt to connect to Cach using any service that connects to a namespace, such as an SQL connection or an object connection This requirement is not checked when a global or routine reference is made, implicitly or explicitly, to a namespace.

Note:

The fact that namespace privileges depend on privileges for the underlying databases can lead to unexpected behavior. For example, suppose that namespace NSCust refers to data in three databases: DBCust1, DBCust2, and DBCust3. Suppose also that the role AverageUser has the privileges %DB_DBCust1:R and %DB_DBCust3:R. Because the role has no privilege associated with DBCust2, any attempt to access data in that database fails (including if it is through the namespace).

3.3.6 Databases that Ship with Cach

A number of databases ship with Cach. Some of these have special characteristics, where described in the following sections. These include: CACHESYS SAMPLES

3.3.6.1 CACHESYS, the Managers Database

Cach ships with a database that provides a repository for administrative routines and globals. This is the CACHESYS database, and is sometimes known as the managers database. Within this database, there are groups of globals and routines whose names begin with the percent sign (these are often known as percent globals or percent routines ). These globals and routines have a special role in the management of a Cach site and have special rules that apply to them: All users have Read permission for percent routines and percent globals. All percent routines have Write permission for all globals located in the same database (percent as well as non-percent). For instance, percent routines in the CACHESYS database have Write access to globals stored in that database, but not to globals in any other database. Simultaneously, percent routines in any other database have implicit Write access to globals stored in that same database but not to percent globals in CACHESYS. This implicit Write permission is only available during normal routine execution. It is disabled if the routine has been modified and it is not available in XECUTE commands or through argument indirection. You can control Write access to percent globals from non-percent routines with the Enable writing to percent globals field on the System-wide Security Parameters page ([System] > [Security Management] > [System Security Settings] > [System-wide Security Parameters]); this page is described in the System-wide Security Parameters section of the System Management and Security chapter.

48 Cach Security Administration Guide

Application Resources

Special Capabilities
There are special capabilities available to code located in the CACHESYS database. These capabilities are sometimes called restricted system capabilities. They are: Invoking protected VIEW commands and $VIEW functions Using protected class methods Modifying the roles of a process with SET $ROLES = ... Invoking the single-argument form of the $SYSTEM.Security.Login function (which is the Login method of the %SYSTEM.Security class) Invoking the two-argument form of the $SYSTEM.Security.ChangePassword function (which is the ChangePassword method of the %SYSTEM.Security class) You need no database privileges to read or write database blocks with the VIEW command.

Note:

The only code that can perform these actions is: Routines stored in the CACHESYS database, but only during normal routine execution. They are disabled if a ZINSERT into the current routine has modified the routine, and they are also not available in XECUTE commands or through argument indirection. Processes with the Write permission on the %DB_CACHESYS resource.

3.3.6.2 The SAMPLES Database

Cach ships with a database of example data, called the SAMPLES database. By default, all users are granted SQL access to this database. Further, if a user has any SQL system privileges in the namespace (or if a user has any SQL privileges for any table, view, or procedure in a namespace), then the user is granted the %SQL role and the database role. For this reason, all users can connect to the SAMPLES database.

3.4 Application Resources

Cach supports several forms of custom authorization, all of which depend on user-defined resources, known as Application resources. These include: Supplementary authorization checking for a Portal page for more information, see the section Using Custom Resources with the Management Portal. Authorization checking at a particular point in an application for more information, see the next section, Creating or Editing a Resource. Authorization for the whole of an application

For the whole of an application, Cach allows you to create an application definition associated with a user-defined application (which itself is defined as a named entity composed of executable code). Application resources then allow you to perform authorization checking for the application. There are three types of applications: Web application definitions These are associated with a specific CSP or Zen application. Privileged Routine application definitions These are associated with one or more routines. Client application definitions These are associated with one or more Cach Direct executables.

Cach Security Administration Guide 49

Assets and Resources

Application resources provide a means of controlling access to applications. To use this feature, create a custom resource as described in the next section, Creating or Editing a Resource and use it in association with the application as described in the Creating and Editing an Application: The General Tab section of the Applications chapter. For example, if a Zen application has an associated resource, then users can only run the application if they have Use permission on the resource. If an application uses other resource-regulated entities, such as databases, then users must also have appropriate permissions on those resources in order to operate the application effectively. For more information on applications, consult the Applications chapter.

3.5 Creating or Editing a Resource

To create a new resource, on the Resources page ([System] > [Security Management] > [Resources]), click Create New Resource. To edit an existing resource, on the Resources page ([System] > [Security Management] > [Resources]), click the Edit button to the right of the resource you wish to edit. This displays the Edit Resource page. The Edit Resource page has fields for the following: Resource Name The string by which the resource is identified. For more information on resource names, see the section Resource Naming Conventions. When creating a resource, this is an editable field; when editing an existing resource, this is a non-editable, displayed string. Description Optional text related to the resource. Public Permission Read When selected, specifies that all users can view this resource. Write When selected, specifies that all users can view or change this resource. Use When selected, specifies that all users can run or otherwise employ this resource.

Once you have added a resource, it appears in the table of resources and is of type Application. You can then use it as part of application-specific authorization. See the section Checking Privileges in the Privileges and Permissions chapter for more information.

3.5.1 Resource Naming Conventions

The names of Cach resources begin with a percent sign character. The names of application-defined resources should not begin with a percent sign character. Resource names are not case-sensitive. This means that: Names are defined using mixed case and the name is preserved exactly as it is entered. Names that differ only by case are prohibited. When a name is looked up, Cach ignores differences in case.

For example, if there is a resource named Accounting . An attempt to create another resource named ACCOUNTING will fail. References to the resource using name values of Accounting , accounting , and ACCOUNTING will all succeed.

50 Cach Security Administration Guide

Using Custom Resources with the Management Portal

3.6 Using Custom Resources with the Management Portal

By default, the %Admin_Manage, %Admin_Operate, %Admin_Secure, and %Development system resources control access to the Management Portal. As a supplement to these that allows for more granular Portal security, you can associate an additional custom resource with each Portal page. If a Portal page has an associated custom resource, then the user must hold both the system and custom resource for the page in order to view that page. For example, access to the Lock Table page requires the %Operator role. You can also associate a custom resource (for example, called MyLockTable) with the Lock Table page; once you have created this association, a user must both be a member of the %Operator role and also have the MyLockTable:Use privilege in order to view the Lock Table page. With this arrangement, the %Operator role grants access to fewer pages than in an instance with default settings, and you can define a new role that can view the Lock Table page and all the other pages to which %Operator role grants access. You can also create multiple custom resources, so that various roles would have access to various subsets of what a predefined role would have available by default. This section describes: Defining and Applying a Custom Resource to a Page Removing a Custom Resource from a Page Because there can be complex interactions among the various pages, resources, and roles, system administrators should plan carefully before implementing custom resources for the Management Portal.

Important:

3.6.1 Defining and Applying a Custom Resource to a Page

To define and apply a custom resource, the procedure is: 1. 2. Log in as a user who holds the %Admin_Secure:Use privilege, holds the %Admin_Manage:Use privilege, or is a member of the %All role. Create the custom resource. To do this, on the Resources page ([System] > [Security Management] > [Resources]), click Create New Resource. When creating the resource, make sure that you properly set its public permissions according to the instances needs. Associate the privilege to use the custom resource with a role. For an existing role, on the Roles page ([System] > [Security Management] > [Roles], simply add the privilege to the role; alternately, (also on the Roles page), create a new role and then add the privilege to it immediately after creating it. Either way, the privilege consists of the custom resource and the Use permission. Assign the custom resource to the page. To do this: a. b. c. Use the finder feature of the Portal to select the page. Note that clicking on the name of the page takes you directly to that page; click inside the box (but not on the name itself) to display the pages action pane. At the very bottom of the pages action pane, click Assign. This displays the Assign Custom Resource dialog. In that dialog, select the desired resource from the Custom Resource Name list and click OK.

3.

4.

3.6.2 Removing a Custom Resource from a Page

To disassociate a custom resource from a page, the procedure is: 1. Log in as a user who holds the %Admin_Secure:Use privilege, holds the %Admin_Manage:Use privilege, or is a member of the %All role.

Cach Security Administration Guide 51

Assets and Resources

2. 3. 4.

Use the finder feature of the Portal to select the page. Note that clicking on the name of the page takes you directly to that page; click inside the box (but not on the name itself) to display the pages action pane. At the very bottom of the pages action pane, click Assign. This displays the Assign Custom Resource dialog. In that dialog, select the empty item from the Custom Resource Name list and click OK.

52 Cach Security Administration Guide

4
Privileges and Permissions
Permissions allow you to perform some action, such as reading or writing data, or using a tool. Permissions are associated with resources, forming privileges. This model allows a user to perform a particular action in relation to a particular resource.

4.1 How Privileges Work

A privilege associates a resource with a permission, so that a role that holds the privilege can perform a particular action, such as read or write to a database or use an application. The possible permissions are: Read View (but not change) the contents of a resource, such as in a database Write View or change the contents of a resource, such as in a database Use Run or otherwise employ an executable program or tool, such as an application or a Cach service

The meaning of each permission depends on the resource with which it is used. Permission names can appear as the full word or the first letter of the word; their names are not case-sensitive.

4.2 Public Permissions

For each resource, permissions can be designated as Public. Effectively, this is equivalent to all users holding that permission on the resource. For example, if the %Service_CacheDirect:Use privilege is Public, then any user can connect to Cach using the Cach Direct technology. Similarly, if the %DB_SALES:Read privilege is Public, then any user can read from any database protected by the %DB_SALES resource. This does not, however, enable all users to write those databases because (in this example) the %DB_SALES:Write privilege is not Public. The following database privileges are Public by default:

Table 41: Default Public Privileges

Resource %DB_CACHE %DB_CACHELIB %DB_CACHETEMP %DB_DOCBOOK Permission Read Read Read, Write Read

Cach Security Administration Guide 53

Privileges and Permissions

4.3 Checking Privileges

Cach provides a method, $SYSTEM.Security.Check, to check on privileges held by the current process. Its one-argument form lists what privileges the process holds on a particular resource; its two-argument form returns whether or not the process holds privileges for a particular resource. The one-argument form returns a comma-delimited list of the permissions held by the process on a resource. For example:
$SYSTEM.Security.Check("%DB_Samples")

returns READ,WRITE if the process holds Read and Write permissions for %DB_Samples. The permission names are always returned as full words in uppercase letters. The function returns an empty string if the process holds no permissions on the resource. The two-argument form returns True or False (1 or 0) to indicate whether the process holds a specific privilege. For example:
$SYSTEM.Security.Check("%DB_Samples", "WRITE")

returns 1 if the process holds the Write permission on the %DB_Samples resource. You can also call the function with a list of permissions, such as:
$SYSTEM.Security.Check("%DB_Samples", "WRITE,READ")

It returns 1 if the process holds all of the requested permissions and 0 otherwise. You can also simply use the first letter of the privileges to be checked:
$SYSTEM.Security.Check("%DB_Samples", "W,R")

The method has the following general behaviors: The method always returns 1 for a public resource privilege, whether or not the process explicitly holds that privilege. Permission names are not case-sensitive. Permission names can be fully spelled out, as in the example above, or abbreviated by their first character. Also, permission names are not case-sensitive. Thus, WRITE,READ, W,R, and R,Write are equivalent.

4.4 When Changes in Privileges Take Effect

Cach maintains a persistent database of the security settings. When Cach starts, it extracts this information and places it into a segment of shared memory that allows quick access to the consolidated settings. While a process is executing, it maintains its own per-process cache of the privileges it has been granted. This is updated as new privileges are needed (and authorized). Editing roles, privileges, and so on makes changes to the persistent copy of the information. This becomes visible to users or applications the next time they are subsequently authenticated.

54 Cach Security Administration Guide

5
Roles
A role is a named collection of privileges. Roles are useful because multiple users often need the same set of privileges. For example, all users of an application or all developers working on a particular project might need a common set of privileges. By using a role, such sets of privileges can be defined once (which makes future modification much easier) and shared by the relevant users. Privileges are assigned exclusively to roles; privileges are not assigned directly to users. To assign some privileges to a single user, create a role for that purpose. Major topics related to roles include: About roles Roles, users, members, and assignments Creating roles Managing roles Predefined roles Login roles and added roles Programmatically managing roles For SQL access to data in tables, Cach supports row-level security. For information on setting this up, see the section Using Row-level Security in the chapter Objects and SQL in the book Using Cach Objects.

Note:

5.1 About Roles

Every role has the following properties:

Cach Security Administration Guide 55

Roles

Table 51: Role Properties

Property Name Name Description Privileges Members Property Description Unique role identifier. See the section Naming Conventions for more information on valid names. Any text. Resource-permission pair(s) associated with the role. A role can hold zero or more privileges. Users or roles that have been assigned to the role (listed on the Members tab of the Edit Role page).

These are displayed on the General tab of the Edit Role page, which is accessible by selecting Edit in the row for any role in the table on the Roles page ([System] > [Security Management] > [Roles]). Each role also may have members that are assigned to it or other roles to which it is assigned. These relations are described in the next section.

5.2 Roles, Users, Members, and Assignments

A role is a container that holds one or more privileges. If a user is associated with a role, then that user is able to exercise the roles privileges. The terminology for the association of a user and role is: The user is assigned to the role. The user is a member of the role. The role includes the user.

These phrases are all equivalent in meaning to each other. Each user can be assigned to multiple roles and each role can have multiple users as its members. Similarly, each role can also be assigned to multiple roles and can also have multiple roles as its members. A role can have both users and roles as its members. Suppose one role is assigned to another role. In this case, if role A is assigned to role B, then role A is described as a member of role B; this is equivalent to saying that role A is assigned to role B or that role B includes role A. If one role is assigned to another, that first role holds the privileges associated with the second role. This is analogous to the relationship of assigning a user to role, whereby the user then holds the privileges associated with the role. Hence, if a user is a member of one role and that role is a member of another role, then the user holds privileges associated with both the roles. For example, suppose a university has three roles available for its students: UndergraduateStudent, GraduateStudent, and GeneralStudent. Each student is assigned to either UndergraduateStudent or GraduateStudent, and these two roles are both assigned to GeneralStudent. If Elizabeth is assigned to GraduateStudent, she holds the privileges associated with both GraduateStudent and GeneralStudent; if James is assigned to UndergraduateStudent, he holds the privileges associated with both UndergraduateStudent and GeneralStudent. A roles members are listed on the Edit Role pages Members tab; on this tab, you can also assign new members to a role. If a role has been assigned to other roles, these are listed on the Assigned To tab of the Edit Role page; you can also assign a role to additional roles on that tab.

56 Cach Security Administration Guide

Roles, Users, Members, and Assignments

5.2.1 An Example of Multiple Role Assignment

This section provides an example of how users and roles interact in Cach. Suppose there is a user named Lee, a role named FirstRole, and a role named SecondRole. FirstRole protects a resource called FirstResource and SecondRole protects a resource called SecondResource. When first created, Lee is not a member of any roles. This is reflected in Lees profile:

When Lee is assigned to the role FirstRole, this changes Lees profile:

When the role FirstRole is assigned to the role SecondRole, this also changes Lees profile:

Cach Security Administration Guide 57

Roles

The list of Lees privileges specifies which privileges originate with which roles:

5.3 Creating a Role

You can define roles for use by developers, operators, system managers and other classes of users, either by modifying the predefined roles or creating new ones. Once created, there are various features available to edit a role. To create a new role: 1. 2. 3. From the Management Portal home page, go to the Roles page ([System] > [Security Management] > [Roles]). On the Roles page, click Create New Role. This displays the Edit Role page. On the Edit Role page, the General tab is visible. Here, enter values for the following properties: (required) Specifies the name of the new role. See the following section, Naming Conventions, for naming rules.
Name Description

(optional) Specifies descriptive information about the role.

The roles resources are listed, but empty, as a role cannot receive resources until it has been created, except under the conditions described in the next step. 4. As a shortcut, if you wish to create multiple roles with similar characteristics, you can use the Copy from field on the Role page to begin the process of creating a new role. When you select an existing role from this fields drop-down menu, all its privileges appear in the list of resources; you can then add or delete privileges as desired, and modify its Description property. Click Save to create the role.

5.

Once a role exists, you can edit it as described in the section Managing Roles. For example, the Resources table allows you to add new privileges to the role; do this by clicking Add.

58 Cach Security Administration Guide

Managing Roles

5.3.1 Naming Conventions

The names of user-defined roles cannot begin with the percent-sign character, which is reserved for Cach predefined roles. Also, roles names are not case-sensitive. This means that: For names that are defined using mixed case, the name is preserved exactly as it is entered. Names that differ only by case are prohibited. When a name is looked up, Cach ignores differences in case.

For example, if there is a role named BasicUser, any attempt to create another resource named BASICUSER will fail. References to the resource using name values of BasicUser, basicuser, and BASICUSER will all succeed.

5.4 Managing Roles

Once you have created a role, you modify it in a number of different ways, each of which is described in one of the following sections. The actions fall into several categories: General tasks. This includes: Viewing Existing Roles Deleting a Role

Creating, modifying, and removing a roles privileges. This includes: Giving a Role New Privileges Modifying Privileges for a Role Removing Privileges from a Role

Creating and removing assignments among roles and users. This includes: Assigning Users or Roles to the Current Role Removing Users or Roles from the Current Role Assigning the Current Role to Another Role Removing the Current Role from Another Role

Modifying a Roles SQL-related Options

5.4.1 Viewing Existing Roles

To view a list of the currently existing roles, see the Roles page in the Portal ([System] > [Security Management] > [Roles]). This page displays information on the following fields: Name The roles name (cannot be edited) Description Any text that has been provided to describe the role Created By What user created the role

For each role, you can

Cach Security Administration Guide 59

Roles

Edit the roles properties, which includes all actions for privilege management, assignment management, and SQLrelated options. Delete the role

5.4.2 Deleting a Role

To delete a role: 1. 2. On the Roles page ([System] > [Security Management] > [Roles]), for the role you wish to delete, click Delete in that roles row. Cach displays a confirmation dialog. Click OK to delete the role and Cancel otherwise.

5.4.3 Giving New Privileges to a Role

To give a role new privileges: 1. 2. 3. On the Edit Role page ([System] > [Security Management] > [Roles] > [Edit Role]) for an existing role, click Add in the Privileges table. This displays a page listing all resources. To select a resource to assign to the role, click it. You can select multiple resources simultaneously using the Ctrl or Shift keys. To add the selected resources to the role, click Save. This gives the role all possible permissions on the resource; you can then modify the available permissions for the resource (such as changing permissions on a database from ReadWrite to just Read).

5.4.4 Modifying Privileges for a Role

To modify the privileges that a role holds: 1. 2. 3. 4. From the Management Portal home page, go to the Roles page ([System] > [Security Management] > [Roles]). On the Roles page, click Edit for the role you wish to modify. This displays the Edit Role page. On the Edit Role page, in the Resources table, click Edit for the resource whose privileges you wish to modify. This displays the page for editing the permissions on the selected resource. Check or clear the boxes for each permission as appropriate. Note: This page does not let you clear all permissions for an individual resource. This is because eliminating all a roles permissions for a resource is equivalent to deleting the roles privileges for the resource.

5.

Click Save to save the privileges in their new state.

These changes should be reflected in the Resources table on the Role page.

5.4.5 Removing Privileges from a Role

To remove privileges from a role: 1. 2. 3. From the Management Portal home page, go to the Roles page ([System] > [Security Management] > [Roles]). On the Roles page, click Edit for the role you wish to modify. This displays the Edit Role page. On the Edit Role page, in the Resources table, click Delete. This removes the privileges for the resource from the role.

60 Cach Security Administration Guide

Managing Roles

4.

Click Save to save the privileges in their new state.

5.4.6 Assigning Users or Roles to the Current Role

A role can have users or other roles as members that are assigned to it. If a user is assigned to a role, then that user holds the privileges associated with that role. If one role is assigned to another role, then a user assigned to the first role holds the privileges associated with both roles. The role being edited is known as the current role. The users and roles that are assigned to the current role are listed on the Members tab of the Edit Role page (these users and roles are known as its members). To assign a user or role to the current role, the procedure is: 1. 2. 3. 4. 5. 6. From the Management Portal home page, go to the Roles page ([System] > [Security Management] > [Roles]). On the Roles page, click Edit for the role you wish to modify. This displays the Edit Role page. On the Edit Role page, select the Members tab. On the Members tab, choose either the Users or Roles option to specify whether to assign users or roles to the role. (Users is the default.) The list of users or roles that can be assigned to the current role appears in the Available list. You can move them to and from the Selected list using the arrow buttons between the lists. When you have the final list of users or roles to add, click Assign or Assign with Grant Option. Clicking Assign simply assigns the new members (users or roles) to the role being edited. Clicking Assign with Grant Option also gives the new members the ability to assign other users or roles to the current role when using SQL commands.

5.4.7 Removing Users or Roles from the Current Role

If a user or role has been assigned to the current role, it is known as a member of that role. The procedure to remove a member from a role is: 1. 2. 3. 4. From the Management Portal home page, go to the Roles page ([System] > [Security Management] > [Roles]). On the Roles page, click Edit for the role you wish to modify. This displays the Edit Role page. On the Edit Role page, select the Members tab. On the Members tab, there is a table of users and roles assigned to the current role. For the specified members, click the 5. button in the right-most column of the members row.

A prompt appears to confirm the removal. Click OK.

The user or role has now been removed from the current role.

5.4.8 Assigning the Current Role to Another Role

One role can be assigned to another role. If one role is assigned to another role, then a user assigned to the first role holds the privileges associated with both roles. The role being edited is known as the current role. The roles to which the current is assigned are listed on the Assigned To tab of the Edit Role page. To assign the current role to another role, the procedure is: 1. From the Management Portal home page, go to the Roles page ([System] > [Security Management] > [Roles]).

Cach Security Administration Guide 61

Roles

2. 3. 4. 5.

On the Roles page, click Edit for the role you wish to modify. This displays the Edit Role page. On the Edit Role page, select the Assigned To tab. The list of roles that the current role can be assigned to appears in the Available list. You can move them to and from the Selected list using the arrow buttons between the lists. When you have the final list of roles, click Assign or Assign with Grant Option. Clicking Assign simply assigns the current role to the selected roles. Clicking Assign with Grant Option also gives the current role the ability to assign other users or roles to the selected role(s) when using SQL commands.

5.4.9 Removing the Current Role from Another Role

If the current role has been assigned to another role, it is known as a member of that role. The procedure to remove the current role from another role is: 1. 2. 3. 4. From the Management Portal home page, go to the Roles page ([System] > [Security Management] > [Roles]). On the Roles page, click Edit for the role you wish to modify. This displays the Edit Role page. On the Edit Role page, select the Assigned To tab. On the Assigned To tab, there is a table of roles to which the current role is assigned. To remove the current role from one of these roles, select the 5. button in the right-most column of that roles row.

A prompt appears to confirm the removal. Click OK.

The current role has now been removed from that role.

5.4.10 Modifying a Roles SQL-Related Options

For every role, you can grant or remove the following SQL-related characteristics: General SQL Privileges Privileges for Tables Privileges on Views Privileges for Stored Procedures

5.4.10.1 General SQL Privileges

On the SQL Privileges tab of the Edit Role page, you can add or remove SQL privileges for a role: To add a privilege to a role, first move the privilege from the Available list to the Selected list (either double-click it or select it and then click the single right-arrow); click Assign to give the privilege to the role. To also add the privilege of being able to grant the added privilege to other roles, select the relevant check box below the Available list. To add all privileges to a role, click the double-arrow pointing from the Available list to the Selected list; click Assign to give the privileges to the role. To also add the privileges of being able to grant the added privileges to other roles, select the relevant check box below the Available list. To remove a privilege from a role, click Remove to the right of privilege name. To remove all privileges from a role, click Remove All below the table listing the currently assigned privileges.

The following privileges are available: %ALTER_TABLE For a given namespace, allow the member of the role to run the ALTER TABLE command.

62 Cach Security Administration Guide

Managing Roles

%ALTER_VIEW For a given namespace, allow the member of the role to run the ALTER VIEW command. %CREATE_FUNCTION For a given namespace, allow the member of the role to run the CREATE FUNCTION command. %CREATE_METHOD For a given namespace, allow the member of the role to run the CREATE METHOD command. %CREATE_PROCEDURE For a given namespace, allow the member of the role to run the CREATE PROCEDURE command. %CREATE_QUERY For a given namespace, allow the member of the role to run the CREATE QUERY command. %CREATE_TABLE For a given namespace, allow the member of the role to run the CREATE TABLE command. %CREATE_TRIGGER For a given namespace, allow the member of the role to run the CREATE TRIGGER command. %CREATE_VIEW For a given namespace, allow the member of the role to run the CREATE VIEW command. %DROP_FUNCTION For a given namespace, allow the member of the role to run the DROP FUNCTION command. %DROP_METHOD For a given namespace, allow the member of the role to run the DROP METHOD command. %DROP_PROCEDURE For a given namespace, allow the member of the role to run the DROP PROCEDURE command. %DROP_QUERY For a given namespace, allow the member of the role to run the DROP QUERY command. %DROP_TABLE For a given namespace, allow the member of the role to run the DROP TABLE command. %DROP_TRIGGER For a given namespace, allow the member of the role to run the DROP TRIGGER command. %DROP_VIEW For a given namespace, allow the member of the role to run the DROP VIEWcommand.

5.4.10.2 Privileges for Tables

On the SQL Tables tab of the Edit Role page, you can add or remove table-related SQL privileges for a role: 1. 2. 3. Choose the relevant namespace from the drop-down near the top of the page. A list of the namespaces tables appears. To change privileges for a table, click Edit in that tables row. This displays a window for altering privileges. In this window, you can check or clear any of the following items: 4. ALTER DELETE INSERT REFERENCES SELECT UPDATE Give the GRANT option to the role

After making your selection(s), click Apply to establish the new privileges for the table.

If a role has privileges for a table, it is listed in a table on this page. To revoke the roles privileges for a table, click Revoke at the far right of the roles row. Clicking this displays a message containing the namespace and the full name of the table (including the schema), such as the SAMPLES Sample.Company namespace and table.

Cach Security Administration Guide 63

Roles

5.4.10.3 Privileges on Views

On the SQL Views tab of the Edit Role page, you can add or remove view-related SQL privileges for a role. To add privileges for the view: 1. 2. 3. Choose the relevant namespace from the drop-down near the top of the page. A list of the namespaces views will appear. To change privileges for a view, click Edit in that views row. This displays a window for altering privileges. In this window, you can check or clear any of the following items: 4. ALTER DELETE INSERT REFERENCES SELECT UPDATE Give the GRANT option to the role

After making your selection(s), click Apply to establish the new privileges for the table.

If a role has privileges for a view, it is listed in a table on this page. To revoke the roles privileges for a view, click Revoke at the far right of the roles row. Clicking this displays a message containing the namespace and the full name of the view (including the schema).

5.4.10.4 Privileges for Stored Procedures

On the SQL Procedures tab of the Edit Role page, you can add or remove a roles SQL privileges related to stored procedures. To add privileges for a stored procedure: 1. 2. 3. 4. 5. 6. Choose the relevant namespace from the drop-down near the top of the page. A list of the namespaces stored procedures then appears. Below this window, click Add, which displays the Grant procedure privilege... dialog. In this dialog, near the top, select the schema from the drop-down that contains the procedure that you wish to add. This displays a list of the schemas procedures in the Available window on the left part of the page. Move one or more procedures into the Selected window. Make sure the EXECUTE box is checked, so that the role has the privilege to execute the stored procedure. Optionally, you can grant the roles the ability to grant this privilege on other roles; to do this, click the Grant privilege box near the bottom of the page. Click Apply to grant the privilege(s) to the role.

If a role has privileges for a stored procedure, it is listed in a table on this page. To revoke the roles privileges for a stored procedure, click Revoke at the far right of the roles row. Clicking this displays a message containing the namespace and the full name of the stored procedure (including the schema).

64 Cach Security Administration Guide

Predefined Roles

5.5 Predefined Roles

Cach includes a number of predefined roles. These include:
%All The ability to perform all operations. %Developer The privileges typically associated with application development. These are roughly the privileges

associated with the Portals System Exploration menu.

%Manager The privileges typically associated with system management. These are roughly the privileges associated

with the Portals System Administration and System Operation menus.

%Operator The privileges typically associated with system operation. These are roughly the privileges associated

with the Portals System Operation menu.

%SQL The privileges typically associated with SQL-related tasks.

The following table has a column for each role. Each row of the table lists a system-defined resource and the privilege, if any, that the role holds on it.

Table 52: Predefined Roles and Their Privileges

Resource
%Admin_Manage %Admin_Operate %Admin_Secure %Admin_Task %DB_CACHE %DB_CACHEAUDIT %DB_CACHELIB %DB_CACHESYS %DB_CACHETEMP %DB_DOCBOOK %DB_SAMPLES %DB_USER %DB_%DEFAULT %Development %Service_Console %Service_CSP %Service_Object %Service_SQL %Service_Telnet %Service_Terminal

%Developer

%Manager Use Use Use Use

%Operator

%SQL

Use

Read

Read Read

Read

Read

Read, Write Read, Write Read, Write Read, Write Read

Read, Write Read Read, Write Read, Write Read, Write Use

Read, Write Read, Write Read, Write Read, Write Read, Write Use

Use Use Use Use Use

Use Use Use Use Use

Use

Use

Cach Security Administration Guide 65

Roles

The definitions of these predefined roles are set during a new Cach installation and are not modified during an upgrade installation. With the exception of %All, the use of predefined roles is optional. The %Admin_Secure resource is designed to make all the necessary security assets available or restricted as a single unit. This makes it easy to separate these resources for use by the security administrator. Note: The %Operator role does not hold the %Admin_Task:Use privilege by default; if you wish for members of that role to be able to manage tasks, include %Admin_Task:Use among the roles privileges. Further, any custom roles based on %Operator must add the %DB_CACHESYS:RW privilege in order to use the Portals Operator menu. They may also add the %Admin_Task:Use privilege so that they can manage tasks.

5.5.1 %All
The predefined role, %All, always holds all privileges for all resources on the system. This role cannot be deleted or modified, and there must always be at least one user account holding the %All role. If there is only one such account, it cannot be deleted or disabled. This is designed to protect a sole Cach system administrator from being inadvertently locked out of the system. Important: A user who is assigned to the %All role does not automatically have access to rows in a table that are protected with row-level security. The application must explicitly provide the %All role with access to such a row. For detailed information about how to do this, see the section Setting Up Row-level Security in the chapter Objects and SQL in the book Using Cach Objects.

5.5.2 Default Database Resource Roles

When you create a database resource, Cach automatically creates a role with the name %DB_<database-resource-name> that has Read and Write permissions for that resource.

5.6 Login Roles and Added Roles

Each Cach process has, at any point in time, a set of roles that determine the current privileges for that process. The set of roles includes both login roles, which come from the definition of the user (received at login time) and added roles, which come from the currently running application (received by application role escalation). From a security standpoint, the origin of a role is immaterial: a process either has a required privilege or it does not. When an application is started, each role currently held by the process is looked up in a table and any associated application roles are added. For example, suppose there is an order entry application with two classes of users: normal users, who are assigned the OrderEntryUser role, and managers, who are assigned the OrderEntryManager role. Both of these roles allow someone to run the order entry application (that is, both are assigned the %Application_OrderEntry:Use privilege.) But, when the application does role escalation, different roles are used (OrderEntryAppNormal versus OrderEntryAppSpecial and OrderEntryAppReporting) to enable the application to perform different functions on behalf of these user classes. Matching Role
OrderEntryUser OrderEntryManager

Added Roles
OrderEntryAppNormal OrderEntryAppSpecial, OrderEntryAppReporting

66 Cach Security Administration Guide

Programmatically Managing Roles

During the matching sequence, each role held by the process is considered, even if a match has already been found. In other words, multiple roles may match and multiple sets of new roles may be added. However, this process is not recursive: roles added as a result of the matching process are not considered for further matches. Note: There is no way to restrict a users roles to fewer than the login roles.

5.7 Programmatically Managing Roles

Certain routines can directly modify the application roles of a running process by setting the $ROLES system variable, such as
SET $ROLES = "Payroll"

$ROLES contains a comma-separated list of the role names assigned to the current process. The union of all the privileges granted to all roles in the list determines the privileges that the process possesses. $ROLES initially contains the roles assigned at authentication (that is, login roles). This command can only be invoked either from a routine that is part of the CACHESYS database or if the current privileges held include Write permission for the CACHESYS database (%DB_CACHESYS:W). Note that setting $ROLES only alters a processs added roles, not its login roles. Thus if a process currently has the login roles Employee and Manager and the added role Payroll, after the statement
SET $ROLES = "Accounting"

$ROLES has the value Employee,Manager,Payroll,Accounting. A role can be added to the processs current roles by concatenating it to the current roles, with a call such as:
SET $ROLES = $ROLES _ ",Payroll"

The statement
SET $ROLES = ""

removes all added roles. The NEW command can be used with $ROLES to stack the current set of roles (Login and Added) and the current value of $USERNAME. This allows code to modify the list and, whether control leaves the containing block normally or abnormally, the changes are undone upon exit. With the exception of a null string argument, SET $ROLES = <role_name> is a system capability. NEW $ROLES and SET $ROLES = "" can be executed by any code.

Cach Security Administration Guide 67

6
Users
This chapter includes the following sections: Properties of Users Creating and Editing Users Viewing and Managing Existing Users Predefined User Accounts Validating User Accounts

6.1 Properties of Users

Each Cach user account has a number of properties. The following are listed on the General tab for the user:

Table 61: User Account Properties

Property Name Name Full Name Comment Password Property Description Unique user identifier that is up to 128 characters long. This can include any character except @ or * . The users displayable name. Any text. New password value. This value is never visible, regardless of the privileges of user viewing this page; a user either with the %Admin_Secure:Use privilege or assigned to the %All role can change another users password, such as if that users password has been forgotten or lost. Confirmation of new password value. A check box specifying whether or not the user is required to change the password at the next login. A check box specifying whether or not the account is currently enabled. The last date on which the account can be used.

Confirm Password Change Password on Next Login User Enabled Expiration Date

Cach Security Administration Guide 69

Users

Property Name Startup Namespace

Property Description The namespace in which to begin execution following login from a terminal-type service. This property overrides any namespace value provided via the command invoking Cach. The routine to execute automatically following login from a terminal-type service. This property overrides any routine value provided via the command invoking Cach. For two-factor authentication, the users mobile phone service provider. For two-factor authentication, the mobile phone number at which the user receives a text message containing the second authentication token (factor). The kind of user, which is determined by the authentication and authorization mechanisms in use. Values can be Cach password user, Delegated user, Kerberos user, LDAP user, or OS user. For more information on user types, see the following section, About User Types.

Startup Tag^Routine

Mobile Phone Service Provider Mobile Phone Number

Type (only displayed on the Users page)

6.1.1 About User Types

Among a users properties is the users Type. There are multiple possible types: Cach password user This type is authenticated through Cach login, Kerberos (without delegated authorization), or the operating system (without delegated authorization). The Cach tools for editing or otherwise altering users are for use with Cach password users. Delegated user This type is authenticated through a user-defined authentication mechanism. The Cach tools are available only for viewing this type of users properties; the users properties must be edited through external means. Kerberos user This type is authenticated using Kerberos when delegated authorization is in use; with delegated authorization, Cach tools are available only for viewing this type of users properties; the users properties must be edited through external means and specified by the ZAUTHORIZE routine, as described in the chapter Delegated Authorization. If a user is authenticated through Kerberos without using delegated authorization, then the user is of type Cach Password User. LDAP user This type is authenticated through LDAP. The Cach tools are available only for viewing this type of users properties; the users properties must be edited through external means. OS user This type is authenticated through the operating system (OS) when delegated authorization is in use; with delegated authorization, Cach tools are available only for viewing this type of users properties; the users properties must be edited through external means and specified by the ZAUTHORIZE routine, as described in the chapter Delegated Authorization. If a user is authenticated through the operating system without using delegated authorization, then the user is of type Cach Password User. A user can only have one type. A user of one type cannot log in using mechanisms associated with another type.

Important:

70 Cach Security Administration Guide

Creating and Editing Users

6.2 Creating and Editing Users

To either create or edit a user, the Management Portal provides the Edit User page, which is off the Users page ([System] > [Security Management] > [Users]) for each user being created or edited. This page differs for creating and editing users as follows: When creating a new user, the Name field accepts a value. When editing an existing user, the Name field is not writable.

6.2.1 Creating a New User

To create a new user: 1. 2. 3. From the Management Portal home page, go to the Users page ([System] > [Security Management] > [Users]). On the Users page, select Create New User. This displays the General tab of the Edit User page for creating and configuring users. On the Edit User page, set values for the following user properties, which are described in the Properties of Users section:
Name

(required) Unique user identifier.

Copy from (optional) The name of another user, the settings of which are to serve as the basis for the new user.

See the next step for details.

Full Name Comment Password

(optional) The accounts displayable name. (optional) Any text. (required) New password value. (required) Confirmation of new password value. (optional) Whether or not a password change is required at the next login.

Confirm Password

Change Password on Next Login User Enabled

(required) Whether or not the account is available for use. (optional) The last date on which the account is available for use. (optional) The namespace in which to begin execution following login from a terminal-

Expiration Date

Startup Namespace

type service.
Startup Tag^Routine (optional) The routine to execute automatically following login from a terminal-type service.

For two-factor authentication, the users mobile phone service provider. (If the users mobile phone service provide does not appear in the list, you can add a new provide by clicking Create new provider; this displays fields for adding a new mobile phone service provider, which will then be visible.
Mobile phone service provider

For two-factor authentication, the mobile phone number at which the user receives the text message containing the second authentication token (factor).
Mobile phone number

4.

As a shortcut, if you wish to create multiple users with similar characteristics, you can use the Copy from field on the Edit User screen to begin the process of creating a new user. When you select an existing user from this fields dropdown menu, the following properties of the selected user receive values for the user being created: Full Name Expiration Date Default Namespace

Cach Security Administration Guide 71

Users

5.

Default Tag^Routine

Click the Save button to create the new user.

Once you have created a user account, you can then edit its characteristics.

6.2.2 Editing an Existing User

Once you have created a user account, you can alter any of its basic properties (on the General tab of the Edit User page): 1. 2. 3. From the Management Portal home page, go to the Users page ([System] > [Security Management] > [Users]). On the Users page, there is a table of users. In the row for each user, there is an Edit button select this button to edit an existing user. This displays the General tab of the Edit User page for creating and configuring users. On the Edit User page, you can alter values for the following properties, which are described in the Properties of Users section: Full Name Comment Password If you use this page to set a new password, the password must conform to the pattern (types of characters and length) specified in the Password Pattern field on the System Security Settings page ([System] > [Security Management] > [System-wide Security Parameters]). Change password on next login User Enabled Expiration Date Startup Namespace This refers to the Terminal Namespace property. Startup Tag^Routine This refers to the Terminal Routine property. Mobile phone service provider Mobile phone number

4.

Click the Save button to save the new values for the user.

You can also modify other aspects of the user account on this pages other tabs: Roles Lists the roles that the user currently holds. You can also give a user new roles (or take them away) on this page. SQL Properties This includes:
SQL Privileges Lists all the SQL privileges that a user currently holds, on a per-namespace basis. You can also

assign or revoke SQL privileges on this page.

SQL Tables Lists, by namespace, the tables for which a user has been granted privileges (%ALTER, DELETE,

INSERT, REFERENCES, SELECT, and UPDATE). You can also assign or revoke SQL table privileges on this page. Lists, by namespace, the views for which a user has been granted privileges (%ALTER, DELETE, INSERT, REFERENCES, SELECT, and UPDATE). You can also assign or revoke SQL view privileges on this page.
SQL Views SQL Procedures Lists, by namespace, the stored procedures which a user can run. You can also assign or revoke

the right to run procedures on this page.

72 Cach Security Administration Guide

Creating and Editing Users

Note:

A change to a user account only takes effect after the user logs out and then logs back in.

6.2.2.1 Modifying a Users Roles

On the Roles tab of the Edit User page, you can assign a user to a role or remove it from a role: To assign a user to a role, first move the role from the Available list to the Selected list (either double-click it or select it and then click the single right-arrow); click the Assign button to assign the user to the role. To assign a user to all roles, click the double-arrow pointing from the Available list to the Selected list; click the Assign button to assign the user to all the roles. To remove a user from a role, click the button to the right of role name.

To remove a user from all roles, click Remove All below the table listing the currently assigned roles. (This button is only present if a user is assigned to two or more roles.)

6.2.2.2 Modifying a Users SQL-Related Options

For every user, you can grant or remove the following SQL-related characteristics: General privileges Privileges for tables Privileges on views Privileges for stored procedures

General SQL Privileges

On the SQL Privileges tab of the Edit User page, you can add or remove SQL privilege for a user: To add a privilege to a user, first move the privilege from the Available list to the Selected list (either double-click it or select it and then click the single right-arrow); click the Assign button to give the privilege to the user. To also add the privilege of being able to grant the added privilege to other users, click the relevant button below the Available list. To add all privileges to a user, click the double-arrow pointing from the Available list to the Selected list; click the Assign button to give the privileges to the user. To also add the privileges of being able to grant the added privileges to other users, click the relevant button below the Available list. To remove a privilege from a user, click the Remove link to the right of privilege name. To remove all privileges from a user, click the Remove All button below the table listing the currently assigned privileges.

The following privileges are available: %ALTER _TABLE For a given namespace, allow the user to run the ALTER TABLE command. %ALTER_VIEW For a given namespace, allow the user to run the ALTER VIEW command. %CREATE_FUNCTION For a given namespace, allow the user to run the CREATE FUNCTION command. %CREATE_METHOD For a given namespace, allow the user to run the CREATE METHOD command. %CREATE_PROCEDURE For a given namespace, allow the user to run the CREATE PROCEDURE command. %CREATE_QUERY For a given namespace, allow the user to run the CREATE QUERY command. %CREATE_TABLE For a given namespace, allow the user to run the CREATE TABLE command. %CREATE_TRIGGER For a given namespace, allow the user to run the CREATE TRIGGER command. %CREATE_VIEW For a given namespace, allow the user to run the CREATE VIEW command.

Cach Security Administration Guide 73

Users

%DROP_FUNCTION For a given namespace, allow the user to run the DROP FUNCTION command. %DROP_METHOD For a given namespace, allow the user to run the DROP METHOD command. %DROP_PROCEDURE For a given namespace, allow the user to run the DROP PROCEDURE command. %DROP_QUERY For a given namespace, allow the user to run the DROP QUERY command. %DROP_TABLE For a given namespace, allow the user to run the DROP TABLE command. %DROP_TRIGGER For a given namespace, allow the user to run the DROP TRIGGER command. %DROP_VIEW For a given namespace, allow the user to run the DROP VIEW command.

Privileges for Tables

On the SQL Tables tab of the Edit User page, you can add or remove table-related SQL privileges for a user: 1. 2. 3. Choose the relevant namespace from the drop-down near the top of the page. A list of the namespaces tables will appear. To change privileges for a table, select the Edit button in that tables row. This displays a window for altering privileges. In this window, you can check or uncheck any of the following items: 4. ALTER SELECT INSERT UPDATE DELETE REFERENCES

After making your selection(s), click the Apply button to establish the new privileges for the table.

Privileges on Views
On the SQL Views tab of the Edit User page, you can add or remove view-related SQL privileges for a user. To add privileges for the view: 1. 2. 3. Choose the relevant namespace from the drop-down near the top of the page. A list of the namespaces views will appear. To change privileges for a view, select the Edit button in that views row. This displays a window for altering privileges. In this window, you can check or uncheck any of the following items: 4. ALTER SELECT INSERT UPDATE DELETE REFERENCES

After making your selection(s), click the Apply button to establish the new privileges for the table.

74 Cach Security Administration Guide

Viewing and Managing Existing Users

Privileges for Stored Procedures

On the SQL Procedures tab of the Edit User page, you can add or remove a users SQL privileges related to stored procedures. To add privileges for a stored procedure: 1. 2. 3. 4. 5. 6. Choose the relevant namespace from the drop-down near the top of the page. A list of the namespaces stored procedures will appear. Below this window, click the Add button, which displays the Grant procedure privilege... dialog. In this dialog, near the top, select the Schema from the drop-down that contains the procedure that you wish to add. This displays a list of the schemas procedures in the Available window on the left part of the page. Move one or more procedures into the Selected window. Make sure the EXECUTE box is checked, so that the user has the privilege to execute the stored procedure. Optionally, you can grant the users the ability to grant this privilege on other users; to do this, click the Grant privilege box near the bottom of the page. Click the Apply button to grant the privilege(s) to the user.

To remove a users stored procedure privileges: 1. 2. 3. 4. Choose the relevant namespace from the drop-down near the top of the page. A list of the namespaces stored procedures will appear. To change privileges for a stored procedure, select the Edit button in that tables row. This displays a page for altering privileges. On the page that appears, uncheck the EXECUTE check box and the GRANT privilege check box as appropriate. Click the Apply button to change the privilege(s) for the user.

6.3 Viewing and Managing Existing Users

To view a list of the currently existing users, see the Users page in the Portal ([System] > [Security Management] > [Users]). This page displays information on the following fields (as described in more detail in the Properties of Users section): User A unique identifier for the user Full Name The users displayable name Enabled Whether or not the user is currently enabled Namespace (default namespace) The initial namespace for a terminal-type connection Routine (default routine) The initial routine executed for a terminal-type connection Type The kind of user, which is determined by the authentication and authorization mechanisms in use

For each user, you can Edit the users properties Delete the user View the user profile

Cach Security Administration Guide 75

Users

6.3.1 Deleting a User

To delete a user: 1. 2. 3. From the Management Portal home page, go to the Users page ([System] > [Security Management] > [Users]). On the Users page, for the user you wish to delete, select the Delete button in that users row. Cach displays a confirmation dialog. Select OK to delete the user and Cancel otherwise.

6.3.2 Viewing a User Profile

A user profile provides security information about a user account, such as the roles to which the user is assigned and the time of the users last login. To view a users profile, the procedure is: 1. 2. From the Management Portal home page, go to the Users page ([System] > [Security Management] > [Users]). On the Users page, in the row for the user, click Profile. This displays the users profile.

Alternately, if the Edit User page is visible for a user, click Profile in the upper-left corner of the page. The following properties are listed as part of the user profile.

Table 62: User Profile Properties

Property Name Name Full Name Roles Last Password Change Last Login Invalid Login Attempts Last Invalid Login Reason for Failing to Login Property Description Unique user identifier. This can include any characters except the @, which is used to identify a domain. This is editable on the Edit User page. The users displayable name. This is editable on the Edit User page. A comma-separated list of roles assigned to user. These are editable on the Roles tab of the Edit User page. The date and time of users most recent password change. The date and time of most recent successful login or 0 if there has not yet been a successful login. Read-only. The number of invalid login attempts since the most recent successful login. Read-only. The date and time of most recent invalid login attempt. Read-only. The error thrown for the most recent invalid login attempt. Read-only.

6.4 Predefined User Accounts

Every instance of Cach automatically includes the following accounts:

76 Cach Security Administration Guide

Predefined User Accounts

Table 63: Predefined Users

Username Admin CSPSystem SuperUser UnknownUser Assigned Roles %Manager (None) %All %All (Minimal security) or None (Normal or Locked-Down security) (None) %All Purpose Default administrator account. Default account representing the CSP gateway when connecting via Cach login (Normal and Locked down installations). Default account with all privileges available. Default account for a non-logged in user

_PUBLIC _SYSTEM

Set of privileges given to all users (not a login account). Default account to support SQL access.

There is also an account called a privileged user account, which is created during Normal and Locked Down installations and for which you supply a username and password. You can delete these predefined user accounts at any time subject to the requirement that there be at least one user with the %All role.

CAUTION:

If the _SYSTEM account is available with its default password of SYS on deployed systems, this is a security vulnerability. To address this issue, you can disable the account or change its password. InterSystems recommends disabling the account.

6.4.1 Default Predefined Account Behavior

The predefined accounts have different defaults and behavior depending on whether an installation uses Minimal security, Normal security, or Locked Down security.

6.4.1.1 Minimal Security Defaults

For an installation with Minimal security, all the created accounts except _PUBLIC have an initial default password of SYS. With the exception of UnknownUser, you should change the account passwords after installation in order to prevent unauthorized access to your Cach instance. The _PUBLIC account has no password by default and should never be given a password, since it is never enabled.

6.4.1.2 Normal Security Defaults

For an installation with Normal security, all the created accounts except _PUBLIC receive the same password as is chosen for the privileged user account. It is recommended that you change these passwords after installation, so that each account has its own password. The _PUBLIC account has no password by default and should never be given a password, since it is never enabled.

6.4.1.3 Locked Down Security Defaults

For an installation with Locked Down security, all the created accounts except _PUBLIC receive the same password as is chosen for the privileged user account. It is recommended that you change these passwords after installation, so that each account has its own password.

Cach Security Administration Guide 77

Users

The _PUBLIC account has no password by default and should never be given a password, since it is never enabled. In Locked-Down installations, the _SYSTEM account is also disabled.

6.4.2 Notes on Various Accounts

6.4.2.1 The UnknownUser Account
For certain applications, or certain parts of an application, unauthenticated users may have a legitimate reason to use Cach, such as for a retail system to display availability of products, prior to the user initiating a purchase. For this type of situation, Cach supports the UnknownUser account. When an unauthenticated user connects, a special name, UnknownUser, is assigned to $USERNAME and the roles defined for that user are assigned to $ROLES. Unauthenticated access is not used when authentication fails. For example, suppose that a user attempts to connect to Cach via terminal and supplies a username and password that fails authentication. Here, the user is not connected to Cach, even if unauthenticated access is permitted; on the other hand, if unauthenticated access is permitted and that same user connects to Cach without supplying a username (such as by pressing the Enter key at the username prompt), then that user is connected as UnknownUser, the unauthenticated user. Similarly, if an ODBC client attempts to connect with null strings for username and password, that connection will be accepted if unauthenticated access is permitted for the service; if the same ODBC client provides a non-empty username and password values that fail authentication, that client is not connected even if unauthenticated access is permitted.

6.4.2.2 The _PUBLIC Account

The predefined user, _PUBLIC, is a special account that does not exist for logins. Rather, it holds a set of roles. These roles are specified as the default roles for any user who connects to the system. This ensures a minimum set of roles for any user. For example, if you associate the %Operator role with the _PUBLIC user, then the value of $Roles for any user will always include %Operator.

6.5 Validating User Accounts

If you need to validate user accounts in application code, you can do this by creating a simple routine that attempts to log the user in with the one-argument form of the $SYSTEM.Security.Login method. If the login succeeds, the user is valid; if the login fails, the user is not valid. When the routine exits (regardless of the logins success or failure), the current user will be the user who invoked the routine. Here is a sample routine to perform this task, called ValidateUser:
ValidateUser(TestUser) { Write "Validating ",TestUser,"...",! New $Roles Set sc = $SYSTEM.Security.Login(TestUser) If sc = 1 { Write $Username," is a valid user.",! Write $Username," belongs to the following login roles: ",$Roles,! } Else { Write TestUser," is not a valid user.",! } Quit sc }

This routine takes as its single argument, a string that is the name of the user to be validated. It then performs the following actions: 1. The call of New $Roles stacks both the $Roles variable and the $Username variable. For more information on $Roles, see the $Roles reference page.

78 Cach Security Administration Guide

Validating User Accounts

2.

It then invokes the one-argument form of the $SYSTEM.Security.Login method, which attempts to log the user in and does not require the users password. If the login succeeds, the method returns 1; this determines the information that the routine displays and the routines return value. When the routine exits, this implicitly logs out the user, if there has been a successful login. This routine uses the one-argument form of the $SYSTEM.Security.Login method. To successfully invoke the one-argument form of $SYSTEM.Security.Login, a user must have the CACHESYS:Write and %Service_Login:Use privileges. For more information on $SYSTEM.Security.Login, see the reference page for the %SYSTEM.Security class.

3.

Important:

Here is a sample routine that demonstrates invoking ValidateUser, called VUTest. It is hard-coded to test two users, one called ValidUser and one called NonexistentUser:
VUTest() { Write $Username," is the current user.",!,! Set sc = $$^ValidateUser("ValidUser") Write ! Write "Exited validation code. ",$Username," is the current user.",!,! Set sc = $$^ValidateUser("NonexistentUser") Write ! Write "Testing complete.",! Write $Username," is the current user." Quit 1 }

Suppose the VUTest routine were created in the User namespace of a Cach instance, the PrivilegedUser account were a member of the %All role, and only the ValidUser were to exist. Here are the results of invoking VUTest at a Cach Terminal prompt:
Username: PrivilegedUser Password: *********** USER>d ^VUTest PrivilegedUser is the current user. Validating ValidUser... ValidUser is a valid user. ValidUser belongs to the following login roles: %Manager Exited validation code. PrivilegedUser is the current user. Validating NonexistentUser... NonexistentUser is not a valid user. Testing complete. PrivilegedUser is the current user. USER>

Cach Security Administration Guide 79

7
Services
There are various pathways for connecting to a Cach instance for users, applications, and even other Cach instances. These pathways are managed by Cach services, which serve as gatekeepers for connecting to Cach. Because Cach services are the primary means by which users and computers connect to Cach, their management is an essential part of security administration. Topics in this chapter are: Available services Service properties Services and authentication Services and their resources

7.1 Available Services

The Services page ([System] > [Security Management] > [Services]) provides a list of services that Cach provides. There are two groups of services: Resource-based Services These are services that provide user access to Cach. This kind of service needs the authentication and authorization infrastructure of Cach security, so it has an associated resource and uses the various available authentication mechanisms. Basic Services These are services that provide connections between a Cach server and a Cach application. These do not have associated resources, so they provide little more than the basic security functionality of being turned on or off. Enabling or disabling them controls all forms of access.

The following lists the available services, what each controls, and what kind of service it is:
%Service_Bindings SQL or Objects; use of Studio [resource-based] %Service_CSP Web application pages (CSP or Zen) [resource-based] %Service_CacheDirect Cache Direct [resource-based] %Service_CallIn The CallIn interface [resource-based] %Service_ComPort COMM ports attached to a Windows system [resource-based]

Cach Security Administration Guide 81

Services

%Service_Console Cach Terminal from a Windows console (analogous to %Service_Terminal for Mac,

UNIX, and OpenVMS) [resource-based]

%Service_DataCheck The DataCheck [basic] %Service_ECP Enterprise Cache Protocol (ECP) [basic] %Service_Login Use of $SYSTEM.Security.Login [resource-based] %Service_MSMActivate MSM Activate protocol [basic] %Service_Mirror Cach database mirroring [basic] %Service_Monitor SNMP and remote Monitor commands [basic] %Service_Shadow Access to this instance from shadow destinations [basic] %Service_Telnet Telnet sessions on a Windows server [resource-based] %Service_Terminal Cach Terminal from a Mac, UNIX, and OpenVMS console (analogous to %Service_Console for Windows) [resource-based] %Service_Weblink WebLink [basic]

The table of services includes a column for each service property.

7.1.1 Notes on Individual Services

7.1.1.1 %Service_Bindings
For the %Service_Bindings service, there are a pair of resources that manage access: the %Service_Object resource and the %Service_SQL resource. Once a user has authenticated, these two resources control whether data is accessible to the user as either objects or SQL respectively. (If a user has table-level SQL privileges on data, then Cach automatically grants an authenticated user the %Service_SQL:Use privilege for the duration of the connection.) This service also controls access to Studio. For more information about Studio and security, see the section Integration with Cach Security in the Introduction to Cach Studio chapter of Using Cach Studio.

7.1.1.2 %Service_CacheDirect
This service authenticates connections to Cach through the Cach Direct server. The Cach Direct server is available on any supported platform; clients for this service can only be on Windows.
%Service_CacheDirect manages access for two types of client-side applications:

Client applications that use the Cach Direct client software. These have all authentication mechanisms available. Client applications that use the legacy CacheObject.dll library. These have no security features available; for these legacy applications, the %Service_CacheDirect service must enable the Unauthenticated mechanism only.

Since legacy applications can only support unauthenticated access and both types of client applications use the same service, Kerberos authentication is not available for Cach Direct clients if Cach is configured to accept connections from a legacy application; similarly, if a Cach instance is configured to accept Kerberos-authenticated connections from Cach Direct clients, legacy clients cannot connect to it. Note:
CacheObject.dll is supported for legacy applications only. New development should use either the Cach Direct client or the CacheActiveX.dll and the %Service_Bindings service.

82 Cach Security Administration Guide

Available Services

7.1.1.3 %Service_Console and %Service_Terminal

These two services both provide console or terminal-style access to Cach. This functionality is analogous for both Windows and non-Windows systems; %Service_Console provides this functionality for Windows and %Service_Terminal provides this functionality for UNIX, OpenVMS, and Mac.

CAUTION:

Terminal or console access is one of the most sensitive aspects of Cach security. If an attacker gains access to Cach in one of these ways, it can be possible to read or destroy sensitive data.

7.1.1.4 %Service_CSP
This service manages connections that serve up CSP pages. Specifically, it manages connections between the CSP Gateway and the Cach server. If there is no unauthenticated access for the service and the CSP Gateway has no valid authentication information, then there is no access to the server via CSP. Hence, if you disable unauthenticated access through this service, then you must ensure that the CSP Gateway has the information it needs to authenticate to the Cach server. For Cach login (password) access, this is a valid username-password pair; for Kerberos access, this is a valid service principal name and key table location. To specify these values use the CSP Gateway Web Management interface; for a standard installation, the URL for this is http://localhost:57772/csp/bin/systems/module.cxw, where localhost represents 127.0.0.1 for IPv4 and ::1 for IPv6. Because %Service_CSP regulates the use of the Portal and its subapplications, disabling %Service_CSP does not disable any system applications (/csp/broker, /csp/docbook, /csp/documatic, /csp/sys, /csp/sys/exp, /csp/sys/mgr, /csp/sys/op, /csp/sys/sec, /isc/studio/rules, and /isc/studio/templates). For more information on system applications, see the section System Applications in the Applications chapter. Important: If you inadvertently lock yourself out of the Portal, you can use emergency access emergency access mode to reach the Portal and correct the problem; this is described in the section Emergency Access in the chapter System Management and Security.

7.1.1.5 %Service_DataCheck
This service regulates the use of the DataCheck utility, which provides a mechanism to compare the state of data on two systems. For more details, see the Data Consistency on Multiple Systems chapter of the Cach Data Integrity Guide, and, for security issues, particularly the section Enabling the DataCheck Service.

7.1.1.6 %Service_ECP
A resource does not govern the use of ECP. Rather, you either enable or disable the service (this makes ECP what is called a basic service ). This means that all the instances in an ECP configuration need to be within the secured Cach perimeter. See the Specifying ECP Privileges and Roles section of the Configuring Distributed Systems chapter of the Cach Distributed Data Management Guide for details on how privileges work within an ECP configuration.

7.1.1.7 %Service_Login
This service controls the ability to explicitly invoke the Login method of the %SYSTEM.Security class. Calls to this method are of the form:
Set Success = $SYSTEM.Security.Login(username, password)

where username is the user being logged in and password is that users password.

Cach Security Administration Guide 83

Services

7.1.1.8 %Service_Mirror
This service regulates the use of the Cach database mirroring, which provides automatic failover between two systems. For more details about mirroring generally, see the Mirroring chapter of the Cach High Availability Guide; for more details about security for mirroring (though the use of SSL/TLS), see the Configuring Cach to Use SSL/TLS with Mirroring section in the Configuring Cach to Use SSL/TLS with Mirroring chapter.

7.1.1.9 %Service_Shadow
This service regulates the use of a Cach instance as a shadow source. For more details, see Configuring the Source Database Server in the Shadow Journaling chapter of the Cach Data Integrity Guide.

7.1.1.10 %Service_Telnet
This service is only valid on a Windows Cach server and only accepts connections from a Windows client.

7.1.1.11 Legacy Services

Cach includes support for a number of legacy services. These are all basic services, and can simply be enabled or disabled. They include %Service_MSMActivate and %Service_Weblink.

7.2 Service Properties

Each service has a set of properties that control its behavior. These can include:
Service Name Description

Specifies the identifier for the service.

Provides an optional description of the service.

Controls whether a service is on or off. When enabled, a service allows connections to Cach, subject to user authentication and authorization; when disabled, a service does not permit any connections to Cach.
Service Enabled

At system start up, each service has the same state (enabled or disabled) that it had when Cach was shut down. Note that enabling or disabling a service is not simply a security setting. It determines whether or not a certain capability is provided by Cach and may, for instance, determine whether certain daemon processes are started or memory structures are allocated.
Two-Factor Authentication Enabled Controls whether a service supports two-factor authentication. (This check box

only appears when an instance has enabled two-factor authentication on its Authentication Options page [System] > [Security Management] > [Authentication Options].) With two-factor authentication, a Cach users mobile phone serves as a second authentication factor ; Cach sends a eight-digit security token to the phone, which the user must then enter at a prompt as part of the authentication process. For more details, see the section Configuring Two-factor Authentication in the Authentication chapter. Note: If two-factor authentication is enabled for an instance, this check box appears on the Edit Service page for all its services. However, two-factor authentication is only available for %Service_Bindings, %Service_Console, and %Service_Terminal (and only when it is enabled for the instance).

Specifies the available authentication mechanisms for connecting to the service; if multiple mechanisms are selected, the user or client can attempt to connect using any of these. The mechanisms available depend on what is selected on the Authentication Options page ([System] > [Security Management] > [Authentication Options]). If a service supports multiple authentication mechanisms, these are used according to the Cach rules of cascading authentication.
Allowed Authentication Methods

84 Cach Security Administration Guide

Services and Authentication

Specifies a list of IP addresses or machine names from which the service accepts connections; if a service has no associated addresses or machine names, then it accepts connections from any machine. This capability can be very useful with multi-tier configurations; for example, with the CSP service, it can be used to limit the set of Web servers that can connect to Cach. The Allowed Incoming Connections facility for ECP has additional features described in the Restricting ECP Application Server Access section of the Cach Distributed Data Management Guide.
Allowed Incoming Connections

For a resource-based service, the service can be specified as public. Public services are available to all authenticated users, while non-public services are available only to those users with Use permission on the services resource. This value is displayed on the main Services page ([System] > [Security Management] > [Services]) and is set on the Edit Resource page for the services resource. Possible values are: N/A The service has no associated resource; this means that service can simply be turned on or off. NO Access is available to any user holding a role that has the Use permission on the services resource. This is checked after authentication. YES Access is available to any user. A change to a service only takes effect after the service is restarted.

Note:

7.3 Services and Authentication

Basic services do not support authentication for Cach security. They are simply turned on and off. For those services, enabling the service ensures that it accepts all connections. For these services, the assumption is made that all instances or machines using the service are within a secure perimeter and can only be accessed by valid users. This includes %Service_ECP, %Service_MSMActivate, %Service_Monitor, %Service_Shadow, and %Service_Weblink. To enable an authentication mechanism for a resource-based service, you must first enable it for the Cach instance on the Authentication Options page ([System] > [Security Management] > [Authentication Options]). Resource-based services support authentication mechanisms as listed in the table below. If a service has more than one authentication mechanism enabled, Cach supports cascading authentication.

Table 71: Services with Authentication Mechanisms

Service Name
%Service_Bindings %Service_CSP %Service_CacheDirect %Service_CallIn %Service_ComPort %Service_Console %Service_Login %Service_Telnet %Service_Terminal

KRB Cache N N N N N Y N N Y

KRB Login Y Y Y N N Y N Y Y

Del Y Y Y Y Y Y Y Y Y

LDAP Y Y Y Y Y Y Y Y Y

OS N N N Y N Y Y N Y

Cach Y Y Y N Y Y Y Y Y

Un Y Y Y Y Y Y Y Y Y

Cach Security Administration Guide 85

Services

Key: KRB Cache Kerberos Cache KRB Login Kerberos Login Del Delegated authentication LDAP LDAP authentication OS Operating-Systembased authentication Cach Cach Login Un Unauthenticated access

For each resource-based service, if there are multiple enabled authentication mechanisms, then Cach attempts to authenticate users going from the strongest enabled form of authentication to allowing unauthenticated access (if that is enabled). This is process is described in the section Cascading Authentication in the Authentication chapter.

7.4 Services and Their Resources

For resource-based services, the properties of the service itself govern access to Cach; at the same time, the properties of the services resource govern access to and behavior of the service. For all resource-based services except %Service_Bindings, the services associated resource has the same name as the service itself; hence the %Service_CSP resource manages access for the %Service_CSP service. (The %Service_SQL and %Service_Object resources manage access for %Service_Bindings.) A resource itself has only two related properties: whether or not it is public and, if it is public, what its public permissions are; for a service resource, the only relevant permission is Use. If it is public, then all users have Use permission on the service. For more information on resources, see the chapter Resources. Independent of privileges for other resources, service privileges provide little to the user. For example, for the %Service_CacheDirect:Use privilege to be useful, the user must also hold the %DB_<database-name>:Write privilege for the database where updates are to occur.

86 Cach Security Administration Guide

8
Applications
Almost all users interact with Cach using applications. Because of this, application security can provide a key set of tools for regulating user actions. Application security uses Cach authorization tools to ensure that only the appropriate users can use an application. An application also has features that allow it to escalate its users privileges. This chapter covers the following topics: Applications, their properties, and their privileges Application types Creating and editing applications System applications

8.1 Applications,Their Properties, and Their Privileges

From a security standpoint, an application: is an entity that allows users to perform actions is associated with one or more resources has properties that govern its behavior can enhance its users privileges while they are running it can include programmatic privilege checks

All these characteristics and capabilities are part of the Cach authorization tools. If an application is formally defined with Cach, then it can use this functionality. There are three kinds of applications web applications, privileged routine applications, and client applications. This section covers: Applications and Their Properties Associating Applications with Resources Applications and Privilege Escalation Checking for Privileges Programmatically

Cach Security Administration Guide 87

Applications

8.1.1 Applications and Their Properties

Applications allow you to establish a limited set of permitted actions, such as reading from and writing to databases or using other assets. To do this, Cach supports what is called an application definition, which is a set of information that represents the application within Cach. (The relationship of an application definition to an application is analogous to that of the relationship of a resource to an asset.) By establishing an application definition, you can control and manage the application. Important: Applications and application definitions are frequently referred to interchangeably. The distinction is only important in settings where the executable code or user experience of that code differs from the representation of that code within Cach. The former is the application itself and the latter is the application definition.

Each application, through its application definition, has the following properties: Name The name of the application. This must start with an alphabetic character and must be followed by alphabetic, numeric, or underscore characters. The application definitions name is independent of the name of any resource. Description A description of the application. Enabled A switch that specifies if the application is available for use. If the application is not enabled, no one can run the application not even a member of the %All role. For more details on how this property governs each kind of application, see the appropriate section: web applications, privileged routine applications, or client applications. Resource A resource that manages application behavior. The resource has different effects for different application types: for web applications and client applications, it controls whether or not users have access to the application; for privileged routine applications, it controls the applications privilege escalation. If a web or client application has no resource, then any user can run the application; if a privileged routine application has no resource, then the application escalates privileges for any user. Each application definition can only be associated with a single resource. For more details on how this property affects each kind of application, see the appropriate section: web applications, privileged routine applications, or client applications. For more information on how applications interact with resources, see Associating Applications with Resources. Application Roles One or more roles to which application users are assigned. While running the application, the user is assigned to its application roles by appending these roles to the list of roles in the $Roles variable. For more information on using application roles, see the section Applications and Privilege Escalation . Matching Roles One or more roles that cause the user be assigned to some additional roles (called target roles ) while running the application. If users are assigned to a matching role, then, while using the application, they are also assigned to any target roles. This is done by appending these roles to the list of roles in the $Roles variable. For example,

88 Cach Security Administration Guide

Applications, Their Properties, and Their Privileges

if %Admin_Manage is a matching role, then being a member of that role might cause the application user to also become a member of the target role of %Admin_Secure. For more information on using matching roles, see the section Applications and Privilege Escalation . All applications have these properties. There are three application types and each has its own other, unique characteristics.

8.1.2 Associating Applications with Resources

When an application (and therefore its application definition) is a single, unitary whole, it has a single resource a oneto-one relationship. You can also specify that multiple applications (and therefore multiple application definitions) are associated with a single resource a many-to-one relationship. For any number of applications, the situation reduces to some combination of these two conditions. A more complex case is when an application is composed of separate parts, which can be referred to as sub-applications. The sub-applications are designed to behave as a single, unitary whole, but different sub-applications require different kinds of or levels of security. In this situation, it is useful to give each sub-application its own application definition and to associate it with a separate resource. This way, each sub-application can have its own independent security-related behavior. While, from the application perspective, there are multiple of sub-applications that compose the larger application, from the Cach security perspective, there are simply multiple, individual applications each with its own application definition and users pass among them. Again, this reduces to the one-to-one and many-to-one cases, except that the multiple application definitions represent what appears to the end-user as a single application. Because the users have already authenticated and by that process have established their roles, then passing from one sub-application to another requires no authentication. For example, suppose there is an expense-reporting application where all employees can enter expense reports, but only accounting officers can generate checks. In this case, the application might appear as a single whole and the functionality to generate checks would be grayed out for all employees except the accounting officers. To accomplish this, there would be two separate sub-applications, one for entering reports and another for generating checks. All users would be able to use the former and only accounting officers would be able to use the latter. For them, there would be no visible difference between what might simply appear as two separate screens in a single application.

8.1.3 Applications and Privilege Escalation

Since application resources can be used to enhance a users roles, they provide a mechanism for meeting dynamically shifting authorization needs. To take advantage of this functionality, the process is: 1. 2. 3. 4. 5. 6. Given an existing application, create a resource and then associate the application with the resource. Create one or more roles that hold the Use permission for the resource. Determine the list of privileges that the application requires in order to run. If the application has sub-applications, there may be more than one such list. Associate each list of privileges with a particular role. Establish each role as an application role for the application or sub-application. Establish any matching roles for the application or sub-application. Each matching role has one or more target roles associated with it. When a user successfully invokes an application, Cach performs two actions: For the duration of application use, it assigns the user to any application roles. (For privileged routine applications, this depends on successfully invoking the AddRoles method, as described in the section Privileged Routine Applications. )

Cach Security Administration Guide 89

Applications

If the user is assigned to any matching role, the application assigns the user to any target roles for the duration of application use. (Again, for privileged routine applications, this depends on successfully invoking the AddRoles method, as described in the section Privileged Routine Applications.)

For example, suppose that an application has its own resource, called AppRsrc. Two roles hold the AppRsrc:Use privilege; these are AppUser and AppOperator. AppOperator is also a matching role, where the target role is %Manager. In this scenario, when a user belonging to the AppUser role invokes the application, the value of $Roles does not change; when a user belonging to AppOperator invokes the application, the value of $Roles expands to include %Manager. If the application has an application role of AppExtra, then a user belonging to the AppUser role receives the AppExtra role when invoking the application. In the first scenario (matching role only), belonging to the AppOperator role causes privilege escalation; in the second scenario (matching role and application role), belonging to either role results in privilege escalation.

8.1.3.1 User-Based and Application-Based Security

The Cach security model allows for flexible privilege assignment that can be user-based, application-based, or both. The use of an application can be limited to specific users or open to any users. For those users authorized to use the application, there can be several behaviors: The application can run with the users privileges alone. The application can escalate privileges for only some users (using matching and target roles). The application can escalate privileges for all users (using application roles). The application can escalate some privileges for all users and only escalate other privileges for certain users (using a combination of matching/target roles and application roles).

Hence, you have control of whether application use is limited to specific users or open to any users; simultaneously, you also have control of whether an application runs with the users privileges or with its own privileges. This enables Cach to provide a very flexible model:

Table 81: Protection/Escalation Matrix for Secured Applications

Privilege Level / Protection Level With User-Dependent Privileges With Privilege Escalation Public Application 1. Any user can run the application. Application runs with user privileges. 3. Any user can run the application. Application runs with (expanded) application privileges through application roles and matching roles. Restricted Application 2. Only specified users can run the application. Application runs with user privileges. 4. Only specified users can run the application. Application runs with (expanded) application privileges through application roles and matching roles.

Each of the scenarios described in the previous table is commonly used for a different authorization model:

1. Public Application with User-Dependent Privileges

This describes an application available to any authenticated user; when run, the application grants no additional privileges. For example, for a companys contact database, any user belonging to the company-wide role can get the office phone number and email address for any employee; managers hold greater privileges, which entitle them to view employee home phone numbers; HR staff hold even greater privileges, which entitle them to view and update full records. The application is accessible to all employees, and its behavior depends on privileges that each user already has when invoking it the application itself grants no roles.

90 Cach Security Administration Guide

Applications, Their Properties, and Their Privileges

2. Restricted Application with User-Dependent Privileges

This describes an application available only to a user who belongs to a specified role; when run, the application grants no additional privileges. For example, a company may have a payroll application for its hourly employees, which displays the number of hours worked, pay rate, and so on. To run the application, a user has to be a member of either the HourlyEmployee role or the HourlyManager role. Once running, the application checks which role was present: members of HourlyEmployee can see and not edit their own data, while members of HourlyManager can see and edit data for their own reports. An employee who is a member of the HourlyEmployee role can run the application to check the accuracy of personal data; any other employee (such as one on a salary and who is not a member of the required role) cannot even run the application.

3. Public Application with Privilege Escalation

This describes an application available to any authenticated user; when run, the application escalates privileges based on the roles to which the user belongs. (The application can also escalate privileges only for certain roles.) For example, suppose a university has an application where students can review and update their records. Here, any student is an authenticated user and can edit his or her own contact information. To support this functionality, the application includes code for editing an entry; this code checks that the entry being edited matches the authenticated user and, if so, escalates its own privileges to update the record, and then restores the privileges to their previous state. If one student attempts to update anothers record, then the check fails, there is no privilege escalation, and the update does not occur. The application might also check if the user is a member of the registrars office role, in which case it would be possible to update information more widely.

4. Restricted Application with Privilege Escalation

This describes an application available only to a user who belongs to a specified role; when run, the application escalates privileges based on the roles to which the user belongs. (The application can also escalate privileges only for certain roles.) For example, a hospitals emergency room might have an application that grants the attending doctor special, wider privileges for viewing the records of patients currently admitted for emergency care. Because of the potentially critical nature of emergency-room cases, the doctor needs to be able to view more information in this setting than while simply making rounds; hence, the privileges are escalated.

8.1.4 Checking for Privileges Programmatically

An application can also include code to check if its users have privileges required to perform a particular action. To do this, use the $SYSTEM.Security.Check method. The syntax of this call is:
Set status = $SYSTEM.Security.Check(app_resource, app_permission)

where app_resource is the resource for which the user must hold a permission app_permission is the permission that must be held. status is the methods return value of TRUE or FALSE (1 or 0).

For example, if an application required that a user have Write permission on the Application_Order_Customer resource, then the check call would be
Set status = $SYSTEM.Security.Check("Application_Order_Customer", "WRITE")

Note:

No privilege is required to call $SYSTEM.Security.Check.

Cach Security Administration Guide 91

Applications

8.2 Application Types

There are three types of applications: Web applications Privileged routine applications Client applications

8.2.1 Web Applications

These are applications built with CSP and Zen (which itself uses CSP). They connect to Cach using the %Service_CSP service. For web applications, security information is maintained as part of the CSP session. That is, the values of $USERNAME and $ROLES are preserved across page requests. (More specifically, when processing begins for a page, $ROLES contains the users roles as well as roles defined for the application. It does not contain roles that have been dynamically added during processing of a previous page via SET $ROLES or $SYSTEM.Security.AddRoles. This is true for both stateless and state-full sessions. With Web applications (whether they are built with Cach Server Pages, Zen, or with some other technology), the client (the browser) typically does not send a username and password to the server when it connects. Instead, the user requests a page and the server responds with a login page that must be completed before the rest of the application can be accessed. If two-factor authentication is enabled, then, once the user has provided a username and password, the server displays a page for entering the security code; if authentication succeeds, the user has access to the application. Note: With two-factor authentication, the server always displays the page for entering the one-time security token even if the username-password pair is not valid. After the user enters the one-time security token, the server displays a message that access is denied, and provides a minimum of information that could be used against the system.

CSP security processing occurs as follows: 1. 2. 3. 4. As each page request is received, its application is determined from the URL. If the application is not enabled, there is no connection. If the application is the same as the application for the last page processed for the CSP session, then there is already a connection, so no further security checking is required. If the Use permission for %Service_CSP is not public and the user does not hold this permission, there is no connection. If the application or the CSP service require authentication and the user has not already been authenticated, then Cach checks if the request includes CacheUserName and CachePassword parameters: a. b. If CacheUserName and CachePassword are present, the CSP server attempts to log in; if the login succeeds, it checks if the user has the Use permission for the application resource. If either of these fail, there is no connection. If CacheUserName and CachePassword are not present, CSP displays an application-specific login page, if one is defined in the web application configuration. (This is the only page in a secure application that can be used prior to login.) If there is no application-specific login page, the username and password fail authentication, or the user does not have the Use permission on the application resource, there is no connection.

To edit a web application, the Portal provides the following pages: Creating and editing an application: the General tab Editing an application: the Application Roles tab

92 Cach Security Administration Guide

Application Types

Editing an application: the Matching Roles tab

8.2.2 Privileged Routine Applications

A privileged routine application grants one or more routines the privilege to escalate roles for their users. The routines in a privileged routine application are written in Cach ObjectScript, Cach Basic, or MVBasic. These routines are registered with Cach on the Routines tab of the application editing page for such an application, as described in the section Editing an Application: The Routines Tab. The routines that are registered have the ability to execute the AddRoles method for this application definition. The AddRoles call refers to the AddRoles method of the %SYSTEM.Security class. A call to AddRoles is of the form:
Set sc = $SYSTEM.Security.AddRoles("AppDefName")

where AppDefName is the name of the application definition and sc is a status code. If a routine is part of an application definition and the user is appropriately privileged, then calling AddRoles from that routine escalates privileges to include any application roles (as described in Editing an Application: The Application Roles Tab) and any relevant matching roles (as described in Editing an Application: The Matching Roles Tab). Important: If a routine does not curly braces to delimit code in its entry points, then control can pass from one entry point to another, possibly resulting in overprivileged users and unintended levels of access. For more information on structuring routines, see the User-defined Code chapter of Using Cach ObjectScript,

Processing occurs as follows: 1. 2. 3. If the call is not from a privileged routine, it fails. If the privilege specified in the application definition is not public and the user invoking the routine does not hold this privilege, then the call fails. Otherwise, the call succeeds.

Once a user has additional roles from a call to AddRoles, the user retains these roles unless there is an action that removes them. To explicitly remove any added roles, issue the following command:
Set $Roles = ""

You can also cause the user to give up any application roles and to revert to login roles when control passes out of scope for the routine that escalated privileges. To do this, include the following command prior to the call to AddRoles:
New $Roles

To edit a privileged routine application, the Portal provides the following pages: Creating and editing an application: the General tab Editing an application: the Application Roles tab Editing an application: the Matching Roles tab Editing an application: the Routines tab

8.2.2.1 An Example of Using a Privileged Routine Application

Suppose there is a need to have a routine for which only certain users can escalate privileges. This routine is called PRATestRtn (for Privileged Routine Application) and the privilege to be added is associated with the role PRATestAddedRole. To enable users to receive PRATestAddedRole as a role while running PRATestRtn, the following entities and items must exist:

Cach Security Administration Guide 93

Applications

The PRATestRtn routine. A resource associated called PRATestRsrc. It is best for this resource to have no public permissions. A role called PRATestRole, whose sole privilege is PRATestRsrc:Use. A role called PRATestAddedRole. A privileged routine application called PRATestApp, where: The PRATestRsrc is required to run the application (that is, users must have the PRATestRsrc:Use privilege, which they can get through the PRATestRole). The PRATestRtn routine is included as part of the application (on the Routines tab of the Edit Routine Application page). The PRATestAddedRole is an application role.

Two users: PRATestUser and NonPRATestUser. PRATestUser is a member of the PRATestRole and %Developer. NonPRATestUser is a member of %Developer only.

Here is the content of PRATestRtn:

PRATestRtn Write "This routine is a part of the privileged routine application ",! Write "called PRATestApp.",! Write "The user invoking this routine is ",$Username,! Write "The current value of $Roles is ",$Roles,!,! Write "Calling the AddRoles method...",!,! Set sc = $SYSTEM.Security.AddRoles("PRATestApp") If sc = 1 { Write "Application roles have been added.",! Write "$Roles now is ",$Roles,!,! Write "Removing PRATestAddedRole from $Roles...",! Set $Roles = "" Write "The current value of $Roles is now ",$Roles,!,! } Else { Write "The call to AddRoles has failed.",! Do $system.Status.DecomposeStatus(sc,.Err) Write Err(Err),! }

Here is the terminal session where PRATestUser runs this routine:

Username: PRATestUser Password: **** USER>Do ^PRATestRtn This routine is a part of the privileged routine application called PRATestApp. The user invoking this routine is PRATestUser The current value of $Roles is %Developer,PRATestRole Calling the AddRoles method... Application roles have been added. The current value of $Roles is now %Developer,PRATestRole,PRATestAddedRole Removing PRATestAddedRole from $Roles... $Roles now is %Developer,PRATestRole USER>

Here is the terminal session where NonPRATestUser runs this routine:

94 Cach Security Administration Guide

Creating and Editing Applications

Username: NonPRATestUser Password: **** USER>d ^PRATestRtn This routine is a part of the privileged routine application called PRATestApp. The user invoking this routine is NonPRATestUser The current value of $Roles is %Developer Calling the AddRoles method... The call to AddRoles has failed. ERROR #862: User is restricted from running privileged application PRATestApp -- cannot execute. USER>

8.2.3 Client Applications

These are applications that use Cach Direct to connect to Cach. Important: Client application security is available only for applications using Cach Direct. Any client/server application using other technology, such as Jalapeo or ActiveX, cannot use application security. For these applications, use the authentication tools described in chapter Authentication.

Cach enables executables built using Cach Direct to be identified to the system. When such an executable attempts to connect to the server, Cach performs the following processing: 1. 2. 3. 4. 5. If the %Service_CacheDirect is not enabled, there is no connection. If %Service_CacheDirect is enabled, the attempt to connect proceeds. If the Use permission for the %Service_CacheDirect service is not public and the user does not hold the permission on the service, then the connection is rejected. If the Use permission for a resource specified in the application definition is not public and the user does not hold the permission on the application, then the connection is rejected. If the process has Read or Write permission on the namespace to which the connection is being made, the connection is accepted; otherwise, the connection is rejected. Once the connection is accepted, application roles are added. Similarly, if the user is a member of any matching roles, then the appropriate target roles are added.

To edit a client application, the Portal provides the following pages: Creating and editing an application: the General tab Editing an application: the Application Roles tab Editing an application: the Matching Roles tab

8.3 Creating and Editing Applications

This section describes several topics: Creating and editing an application: the General tab Editing an application: the Application Roles tab Editing an application: the Matching Roles tab Editing an application: the Routines tab

Cach Security Administration Guide 95

Applications

8.3.1 Creating and Editing an Application:The General Tab

For creating and editing an application, the General tab holds fields that specify information needed for basic operation of the application.

8.3.1.1 Creating an Application

To create an application, the procedure is: 1. In the Management Portal menu, select System Administration >> Security >> Applications, which makes available choices of various application types. Choose Web Applications, Privileged Routine Applications, or Client Applications. This displays the page for the selected application type. In the upper-left corner of the applications page, click the button to create a new application. Depending on the application you are attempting to create, select Create New Web Application, Create New Privileged Routine Application, or Create New Client Application. This displays the application editing page for the selected application type. You can then edit the application as if it already existed using the information in the next section.

2.

8.3.1.2 Editing an Application

Important: For web applications, many of the fields on General tab control application properties that are not related to security; because of this, this tab is described in the CSP Application Options section of the CSP Architecture chapter of the Using Cach Server Pages (CSP) book.

To perform general editing on a privileged routine application or a client application, the procedure is: 1. In the Management Portal menu, select System Administration >> Security >> Applications, which makes available choices of various application types. Choose Web Applications, Privileged Routine Applications, or Client Applications. This displays the page for the selected application type. On the applications page, there is a list of applications that can be edited. Click Edit in the row of the relevant application. This displays an editing page for the application. The General tab is initially displayed for this page. For privileged routine applications and client applications, the pages fields are:
Privileged routine application name Description Enabled

2. 3.

or Application path and name An identifier for the application

A description of the application

Whether or not the application is available. When enabled, an application is available, subject to user authentication and authorization; when disabled, it is not available.
Resource required to run the application A resource for which users must have the Use permission (enabled as

part of a privilege in a role) in order to perform certain actions. For web and client applications, this resource is required in order to simply operate the application; for privileged routine applications, this resource is required to invoke the AddRoles method, which gives the application its ability to escalate roles.

8.3.2 Editing an Application:The Application Roles Tab

You can configure an application so all its users are given certain roles. These roles are known as application roles. To establish any application roles for an application, the procedure is:

96 Cach Security Administration Guide

Creating and Editing Applications

1.

In the Management Portal menu, select System Administration >> Security >> Applications, which makes available choices of various application types. Choose Web Applications, Privileged Routine Applications, or Client Applications. This displays the page for the selected application type. On the applications page, there is a list of applications that can be edited. Click Edit in the row for the relevant application. This displays an editing page for the application. On the application editing page, go to the Application Roles tab. To specify one or more application roles, click on the roles listed in the Available list. Move them into the Selected list with the arrows. Click Assign to establish the application role(s).

2. 3. 4. 5.

8.3.3 Editing an Application:The Matching Roles Tab

An application can support what are called matching roles and target roles. If a user is assigned to a matching role, then running the application causes Cach to assign the user to any associated target roles. There can be multiple matching roles and multiple target roles for each matching role. To establish a matching role and its target roles for an application, the procedure is: 1. In the Management Portal menu, select System Administration >> Security >> Applications, which makes available choices of various application types. Choose Web Applications, Privileged Routine Applications, or Client Applications. This displays the page for the selected application type. On the applications page, there is a list of applications that can be edited. Click Edit in the row for the relevant application. This displays an editing page for the application. On the application editing page, go to the Matching Roles tab. On the Matching Roles tab, choose the role to be a matching role from the Select a matching role drop-down. To select the accompanying target role(s), click on the roles listed in the Available list. Move them into the Selected list with the arrows. Click Assign to establish the matching role and its target role(s).

2. 3. 4. 5. 6.

8.3.4 Editing an Application:The Routines Tab

This tab is for privileged routine applications only. On this tab, you can specify the routines that are part of a privileged routine application. To add a routine to privileged routine application, the procedure is: 1. 2. 3. 4. 5. 6. In the Management Portal menu, go to the Privileged Routine Applications page ([System] > [Privileged Routine Applications]). On the Privileged Routine Applications page, there is a list of applications that can be edited. Click Edit in the row for the relevant application. This displays the Edit Routine Application for the application. On the Edit Routine Application page, go to the Routines tab. On the Routines tab, choose the database that contains the relevant routine from the Routine location drop-down. In the Enter a routine name field, enter the name of the routine to be added to the application. Click Assign to establish add the routine to the application.

Cach Security Administration Guide 97

Applications

8.4 System Applications

Each Cach instance comes with a number of system applications. There is always access to these applications, even if the %Service_CSP service is disabled. The system applications are:

Table 82: Cach System Web Applications

Name /csp/broker /csp/docbook /csp/documatic /csp/sys /csp/sys/exp /csp/sys/mgr /csp/sys/op /csp/sys/sec /isc/studio/rules /isc/studio/templates Purpose or Managed Interactions Common static file store. For InterSystems internal use only. InterSystems main documentation (including this book). InterSystems class reference documentation. General Portal access. Data Management options in the Portal. Configuration and Licensing options in the Portal. Operations options in the Portal. Security Management and Encryption options in the Portal. Mapping to the CSP rules files. Mapping to system-defined Studio template files.
%Development %Development %Admin_Manage %Admin_Operate %Admin_Secure %Development

Associated Resource

For more information on the /isc/studio/rules, application, see the chapter Developing Custom Tags in Using Cach Server Pages (CSP). For more information on the /isc/studio/templates application, see the chapter Using Studio Templates in Using Cach Studio.

98 Cach Security Administration Guide

9
Auditing
Logging certain key events in a secure audit database is a major aspect of Cach security. Cach allows you to monitor events and add entries to the audit database when those events occur. These events can be within Cach itself or part of an application. The knowledge that all activities are being monitored and that all logs can be reviewed is often an effective deterrent. This chapter provides information on various topics: Basic Auditing Concepts About Audit Events Managing Auditing and the Audit Database Other Auditing Issues

9.1 Basic Auditing Concepts

Cach allows you to enable or disable auditing for the entire Cach instance. When auditing is enabled, Cach logs all requested events. Auditable events fall into two categories: System events Cach system events that are only logged if they are explicitly enabled. User events Application events, which are only logged if they are explicitly enabled.

Cach system events are built-in events that monitor actions within Cach, such as start-up, shutdown, logins, and so on; system events also monitor security-related events, such as changes to security or audit settings. Cach does not automatically audit database activity, such as inserts, updates, or deletes for a table, because this kind of activity typically generates so many audit entries as to be useless or even counterproductive due to the performance impact on the system. For example, if a medical records application were to log all access to patient medical information, then one such access event might result in hundreds or thousands of database accesses. It is much more efficient to have the application create a single audit entry, rather than have the database manager generate thousands.

9.1.1 Enabling or Disabling Auditing

On the Auditing page ([System] > [Security Management] > [Auditing]), there are selections to enable and disable auditing. If the Enable Auditing choice is available, this means that auditing is disabled; if the Disable Auditing choice is available, this means that auditing is enabled. By default, Cach auditing is disabled.

Cach Security Administration Guide 99

Auditing

Enabling Auditing
To turn on auditing, on the Auditing page ([System] > [Security Management] > [Auditing]), select the Enable Auditing choice.

Disabling Auditing
To turn off auditing, on the Auditing page ([System] > [Security Management] > [Auditing]), select the Disable Auditing choice. If you enable (turn on) auditing, then Cach audits: All system events that are enabled All user events that are enabled

9.2 About Audit Events

The following sections describe different aspects of audit events: Elements of an Audit Event About System Audit Events Enabling and Disabling System Events About User Events This section describes how to manage audit events with the Management Portal. To manage audit events programmatically, use the Security.Events class.

Note:

9.2.1 Elements of an Audit Event

Audit information is available in the CACHEAUDIT database. New entries are added to the end of the log. When you view the audit log, you see the following elements for each entry: Time (also called UTCTimestamp) UTC date/time when the event was logged. Event Source* The component of the Cach instance that is the source of the event. For Cach events, this is always %System . For user-defined events, the name can be any string that includes alphanumeric characters or punctuation, except for colons and commas; it can begin with any of these characters except for the percent sign. This can be up to 64 bytes. Event Type* Categorizing information for the event. This string can include any alphanumeric characters or punctuation, except for colons and commas; it can begin with any of these characters except for the percent sign. This can be up to 64 bytes.

100 Cach Security Administration Guide

About Audit Events

Event* (also called Event Name) Identifier of the event being logged. This string can include any alphanumeric characters or punctuation, except for colons and commas; it can begin with any of these characters except for the percent sign. This can be up to 64 bytes. PID (also known as a Process ID) Operating system ID of the Cach process that logged the event. On Windows and UNIX, Cach uses the OS PID in its native form; on OpenVMS, Cach uses the PID in decimal form, converting it from the operating systems hexadecimal form. CSP Session (search results only) The session ID, if there is one, of the CSP session that caused the event. User (also called Username) Value of $USERNAME for the process that logged the event. Description A short field which can be used by applications to summarize the audit event. This field is intended for display/explanation purposes only. The combination of EventSource, EventType, and Event uniquely define a particular kind of audit event. The Description is a user readable explanation. This can be up to 128 characters. *Each different kind of event is uniquely identified by the combination of its EventSource, its EventType, and the Event itself. When you click Details, you see some of the same elements and the following additional elements: Timestamp Date/time when the event was logged, in local time. JobId ID of the job. IP Address IP address of client associated with the process that logged the event. Executable The client application associated with the process that logged the event, if there is one. System ID The machine and Cach instance that logged the event. For example, for the machine MyMachine and the instance MyInstance, the system ID is MyMachine:MyInstance. Index The index entry in the data structure containing the audit log. Roles For all events except LoginFailure, the value of $ROLES for the process that logged the event. For LoginFailure, a value of , as the user is not logged in.

Cach Security Administration Guide 101

Auditing

Namespace The namespace that was current when the event was logged. Routine The routine or subroutine that was running when the event was logged. User Info User-defined information about the process, added programmatically via the %SYS.ProcessQuery interface. O/S Username Username given to the process by the operating system. When displayed, this is truncated to 16 characters. This is the actual operating system username only for UNIX or VMS systems. For Windows: Status The value of any %Status object that was audited. Event Data A memo field where applications can store up to 16 KB of data associated with the audit event. For example, it can contain a set of application values at the time of the event or can summarize the old and new states of a record or field. For a console process, this is the operating system username. For Telnet, this is the $USERNAME of the process. For client connections, this is the operating system username of the client.

9.2.2 About System Audit Events

System audit events are predefined events that are available for auditing by default. General information about them appears in the table on the Configure System Events page ([System] > [Security Management] > [Configure System Audit Events]), where the columns are: Event Name The Event Source (which is always %SYSTEM), Event Type, and Event proper, all together and concatenated with slashes ( /). Enabled Whether or not the event is enabled (turned on) for auditing. Total The number of events of this type that have occurred since the last startup of Cach. Written The number of events of this type that have been written to the audit log since the last startup of Cach. This number may differ from the total occurrences. Reset Allows you to clear the audit log for this event reset its counter to zero. For more information on counters, see About Counters. Change Status Allows you to enable or disable the event.

They monitor events within the Cach system and are distinguishable by their EventSource value of %SYSTEM:

102 Cach Security Administration Guide

About Audit Events

Table 91: System Audit Events

Event Type and Event %DirectMode/ DirectMode %Login/ Login %Login/ LoginFailure %Login/ Logout %Login/ Terminate %Security/ ApplicationChange %Security/ AuditChange %Security/ AuditReport %Security/ DomainChange %Security/ Protect %Security/ ResourceChange %Security/ RoleChange %Security/ SSLConfigChange %Security/ ServiceChange Definition of a domain created, changed, or deleted A security protection error is given to a process Definition of a resource created, changed, or deleted Definition of a role created, changed, or deleted A change has been made to any SSL configuration Security settings for a service have been changed Action (new, modify, delete), old and new domain data. Error. On A process has been terminated abnormally An application definition is created, changed, or deleted Audit is stopped or started, entries are erased or deleted, or the list of events being audited is changed Any standard audit report is run Varies, as does Description content; see below. Action (create new, modify, or delete), old and new application data. Action (stop, start, erase, delete, or specify), old and new audit settings. Identification of audit report. Off Logout Off Login attempt fails Username. Varies* Occurs When Any command is executed in direct mode Login succeeds EventData Contains Text of command. Default Status Off

Off

On

On

On

Off

Action (new, modify, or delete), old and new resource data. Action (create new, modify, or delete), old and new role data. The changed fields with old and new values. Old and new service security settings.

On

On

On

On

Cach Security Administration Guide 103

Auditing

Event Type and Event %Security/ SystemChange %Security/ UserChange %System/ AuditRecordLost

Occurs When System security settings have been changed A user definition is created, changed, or deleted An audit entry has not been added to the audit database due to resource limitations that constrain the audit system (such as disk or database full) Cach successfully starts with a configuration different than the previous start, or a new configuration is activated while Cach is running Journaling is turned on or off for a database or process A method or routine has been compiled or deleted Cach starts

EventData Contains Old and new security settings.

Default Status On

Action (create new, modify, or delete), old and new user data. None.

On

On

%System/ ConfigurationChange

User name for the user who made the change; previous and new values of the changed element.

On

%System/ JournalChange %System/ RoutineChange %System/ Start %System/ Stop %System/ UserEventOverflow

For database journaling, the name of the database. No content, though the Description depends on the change itself; see notes. Indication of whether recovery was performed.

On

Off

On

Cach is shut down

On

An application has attempted to log an undefined event

The name of the event that the application attempted to log.

On

*The LoginFailure event is off by default for minimal-security installations; it is on by default for normal and locked-down installations. If auditing is enabled, then all enabled events are audited.

9.2.2.1 About the %System/%Login/Logout and %System/%Login/Terminate Events

A process generates a %System/%Login/Logout event if the process ends because of: A HALT command Exiting application mode because of a QUIT command Executing the Terminate method of the SYS.Process class to terminate itself (which is the same as executing HALT).

A process generates a %System/%Login/Terminate event if the process exits for any other reason, including:

104 Cach Security Administration Guide

About Audit Events

The user closes the Terminal window, resulting in a Terminal disconnect. If the process is in application mode, the Description field of the audit record includes the statement ^routinename client disconnect (where routinename is the first routine that the process ran); if the process is in programmer mode, the Description field includes the statement Programmer mode disconnect. A Terminal session is ended by an action in another process, including ^RESJOB, ^JOBEXAM, or the Management Portal. If the process is in application mode, the Description field of the audit record includes the statement ^routinename client disconnect (where routinename is the first routine that the process ran) ; if the process is in programmer mode, the Description field includes the statement Programmer mode disconnect. Note that the event data will contain the pid of the process which terminated them. A core dump or process exception. When a process gets a core dump or exception, it is too late for it to write to the audit file. Therefore, when the clean daemon runs to clean up the state of the process, it writes an audit record to the log with a description Pid <process nunber> Cleaned. A TCP Client disconnect. When a process detects that a client has disconnected, this results in an audit record with a Description field which contains the name of the executable that disconnected, such as <client application> client disconnect .

9.2.2.2 Notes on the %System/%System/RoutineChange Event

The RoutineChange event is an event that records if a routine has been compiled or deleted. When enabled, this event causes a record to be written to the audit log whenever a routine or class is compiled. The Description field of the audit record includes the database directory where the modification took place, what routine or class was modified, and the word Deleted if the routine was deleted.

9.2.3 Enabling and Disabling System Events

To enable or disable system events: 1. 2. From the Management Portal home page, go to the Configure System Audit Events page ([System] > [Security Management] > [Configure System Audit Events]). On the Configure System Audit Events page, locate the event that you wish to enable or disable and select Change Status from the right-most column of the table. This changes the Enabled status from No to Yes, or vice versa.

9.2.4 About User Events

In addition to system events, Cach allows you to create custom events that can be added to the audit database through your application. All currently defined events are listed on the Configure User Events page ([System] > [Security Management] > [Configure User Audit Events]).

9.2.4.1 Creating a User-defined Event

For Cach to audit a user-defined event, it must be added to the list of events and then enabled. The procedure is: 1. 2. 3. 4. 5. In the Management Portal, go to the Create User Audit Events page ([System] > [Security Management] > [Configure User Audit Events]). Click Create New Event. This displays the Edit Audit Event page. On this page, enter values in the Event Source, Event Type, Event Name, and Description fields where these components have the purposes described in Elements of an Audit Log Entry. By default, the Enabled check box on this page is selected. Click it to disable the event. Click the pages Save button to create the event.

Cach Security Administration Guide 105

Auditing

6. 7.

Make sure that auditing is enabled. Once the event is defined and auditing is enabled, you can add the event to the audit log by executing the following command:
Do $SYSTEM.Security.Audit(EventSource,EventType,Event,EventData,Description)

using the EventSource, EventType and Event Name values that you defined in the Portal. For more details, see the section Adding an Entry to the Audit Log.

9.2.4.2 Adding an Entry to the Audit Log

Applications can add their own entries to the audit log with the $SYSTEM.Security.Audit function:
Do $SYSTEM.Security.Audit(EventSource,EventType,Event,EventData,Description)

where EventSource, EventType, Event, EventData, and Description are as described in the section Elements of an Audit Log Entry. Both the EventData and Description arguments can hold variables or literal values (where strings must appear in quotation marks). Cach provides all other elements of the log item automatically. The content of EventData can span multiple lines. Its content is processed in a manner similar to the argument of the Cach ObjectScript Write command, so it uses the following form:
"Line 1"_$Char(13,10)_"Line 2"

In this case, the content listed in the Audit Detail is displayed as Line 1, then $Char(13,10) is a carriage return and line feed, then there is Line 2 . For example, a medical records application from XYZ Software Company might use values such as:
$SYSTEM.Security.Audit( "XYZ Software", "Medical Record", "Patient Record Access", 765432, "Access to medical record for patient 765432" )

Note that the application uses the EventData element to record the ID of the patient whose record was accessed. Further, if there is an XYZ Software/Record Update/Modify Assignment event defined and enabled, then the following code changes the value of a user-selected element of a list and notes the change in the audit database:
For i=1:1:10 { Kill fVal(i) Set fVal(i) = i * i } Read "Which field to change? ",fNum,! Read "What is the new value? ",newVal,! Set oldVal = fVal(fNum) Set fVal(fNum) = newVal Set Data = "Changed field " _ fNum _ " from " _ oldVal _ " to "_ newVal _ "." Set Description = "Record changed by user with an application manager role" Do $SYSTEM.Security.Audit( "XYZ Software", "Record Update", "Modify Assignment", Data, Description ) Write "Field changed; change noted in audit database."

Audit returns 1 or 0 to indicate that the addition succeeded or failed. No privilege is required to add an entry to the audit log.

106 Cach Security Administration Guide

Managing Auditing and the Audit Database

9.2.4.3 Deleting User Events

If you delete a user event, it is no longer available as part of the Cach instance for auditing. To delete a user event: 1. 2. 3. From the Management Portal home page, go to the Configure User Audit Events page ([System] > [Security Management] > [Configure User Audit Events]). On this page, locate the event that you wish to enable or disable and select Delete from the column near the right-hand part of the table. When prompted, confirm that you wish to delete the event.

9.3 Managing Auditing and the Audit Database

When events are logged, they are visible in the audit database, CACHEAUDIT. The audit database also contains general information, including the name of the server, the name of the Cach configuration, when the log was started, and when the log was closed. The following actions are available for managing the audit log: Viewing the Audit Database Copying, Exporting, and Purging the Audit Database Encrypting the Audit Database General Management Functions

9.3.1 Viewing the Audit Database

To view the audit database, select View Audit Database on the Auditing page ([System] > [Security Management] > [Auditing]) page. This displays the View Audit Database page ([System] > [Security Management] > [Auditing] > [View Audit Database]). This page allows you to view the audit database and refine a search based on the following fields: Event Source The component of the Cach instance that is the source of the event, as described in Elements of an Audit Event. Clicking the button to the right of the field displays a list of values in use. The asterisk ( *) chooses all values; no other wildcards are supported. Event Type Any categorizing information for the event, as described in Elements of an Audit Event. Clicking the button to the right of the field displays a list of values in use. The asterisk ( *) chooses all values; no other wildcards are supported. Event Name (also called Event) The identifier of the event being logged, as described in Elements of an Audit Event. Clicking the button to the right of the field displays a list of values in use. The asterisk ( *) chooses all values; no other wildcards are supported. System IDs An identifier for the instance of Cach that appears in each audit log entry. This identifier is of the form machine_name:instance_name, so that if you have an instance of Cach called MyCache running on a machine called MyMachine, then its System ID is MyMachine:MyCache . To search for multiple system IDs, provide a comma-separated list. The asterisk ( *) chooses all values; no other wildcards are supported. PIDs The operating-system ID of the Cach process that logged the event, as described in Elements of an Audit Event. Begin Date & Time The date and time for the first event to be displayed (midnight at the beginning of the current day, by default).

Cach Security Administration Guide 107

Auditing

End Date & Time The date and time for the last (most recent) event to be displayed (the current time, by default) Sort by Orders the results by: Reverse Date From most recent to least recent Events By event name, in alphabetical order Users By user name, in alphabetical order PID By operating-system process ID, from lowest to highest

Maximum Rows The maximum number of rows to display in a listing of the audit log (up to 10,000). Color by The field (if any) that determines how the search results are colored. Fields that can determine search result coloring are Description, Event, Event Source, Event Type, PID, Time Stamp, and Username. Users The user who has caused the event. The asterisk ( *) chooses events causes by all users; no other wildcards are supported.

9.3.2 Copying, Exporting, and Purging the Audit Database

The audit log is stored in the %SYS.Audit table in the %SYS namespace; all audit data is mapped to the CACHEAUDIT database and protected by the %DB_CACHEAUDIT resource. By default, the %Manager role holds the Read permission on this resource and no role holds the Write permission. The audit log database is managed with the same tools other Cach databases. For example, you can use the Management Portal to specify its initial size, growth increment, and location (though its maximum size is always unlimited). The Management Portal provides special management operations for the audit database: Copying Entries for one or more days can be copied to a specified namespace. Exporting Entries for one or more days can be exported from the log to a file. Purging Entries for one or more days can be removed from the log. All these operations act on all entries for one or more days. There are no operations for particular entries.

Note:

9.3.2.1 Copying the Audit Database

Cach allows you to copy all or part of an audit database to a namespace other than CACHEAUDIT. To do this: 1. 2. From the Management Portal home page, go to the Copy Audit Log page ([System] > [Security Management] > [Copy Audit Log]). On the Copy Audit Log page, first select either:
Copy all items from the audit log Copy items that are older than this many days from audit log

In the field here, enter a number of days; any item

older than this is copied to the new namespace. 3. 4. 5. Next, use the drop-down menu to choose the namespace where you wish to copy the audit entries. If you wish to delete the audit items after they are copied, select the check box with that choice. Click OK to copy the entries.

Cach places the selected audit log entries in the ^CacheAuditD global in the selected namespace. To view this data: 1. From the Management Portal home page, go to the Globals page ([System] > [Globals]).

108 Cach Security Administration Guide

Managing Auditing and the Audit Database

2.

From the Globals page, select the following items in the following order: a. b. c. The Databases radio button from the upper left area of the page. The name of the database holding the copied audit log entries. The System check box that appears above the list of globals.

This displays a list of globals in the database, including ^CacheAuditD. Globals are listed without the preceding ^ character that is needed to manipulate them programmatically or in the Cach Terminal. Note: Clicking View Globals on this page refreshes the page but unchecks in the System check box, thereby making ^CacheAuditD unavailable.

3.

Click Data from the CacheAuditD line to display detailed information on the audit log entries.

Once you have copied audit data to another namespace, you can use the queries of the %SYS.Audit class to look at that data.

9.3.2.2 Exporting the Audit Database

Cach allows you to export all or part of an audit database. To do this: 1. 2. From the Management Portal home page, go to the Export Audit Log page ([System] > [Security Management] > [Export Audit Log]). On the Export Audit Log page, first select either:
Export all items from the audit log Export items that are older than this many days from audit log

In the field here, enter a number of days; any item

older than this is exported to the new namespace. 3. Next, in the Export to file field, enter the path of the file where you wish to export the audit entries. If you do not enter a full path, the root for the path provided is cachesys/Mgr/ where cachesysis the default name of the installation directory. If you wish to delete the audit items after they are exported, select the check box with that choice. Click OK to export the entries.

4. 5.

9.3.2.3 Purging the Audit Database

Cach allows you to purge all or part of a database. Important: Purging the database is not a reversible action purged items are permanently removed. You cannot restore items to the audit database once you have purged them.

To do this: 1. 2. From the Management Portal home page, go to the Purge Audit Log page ([System] > [Security Management] > [Purge Audit Log]). On the Purge Audit Log page, first select either:
Purge all items from the audit log Purge items that are older than this many days from audit log

In the field here, enter a number of days; any item

older than this is purged.

Cach Security Administration Guide 109

Auditing

3.

Click OK to purge the entries.

9.3.3 Encrypting the Audit Database

Cach allows you to encrypt the database that holds the audit log. This is described in the section Configuring Cach Database Encryption Startup Settings in the chapter Managed Key Encryption in the Cach Security Administration Guide.

9.3.4 General Management Functions

Because the audit log is stored in a table, you can manage it with standard Cach system management tools and techniques: By default, journaling is turned on for it. You can use standard Cach commands to read it. In addition, its contents are accessible via standard SQL and you can use any standard SQL tool to work with it. You can back it up using standard Cach database backup facilities If it becomes full, a <FILEFULL> error occurs and is handled in the same way as for any other Cach database. All access is subject to standard security restrictions at the database and/or namespace levels, or through SQL for table-based activity.

Note:

The %SYS.Audit table in the %SYS namespace holds the audit log. All audit data is mapped to the CACHEAUDIT database. (You can also copy audit data to any other database using the functionality described in the section Copying the Audit Database ; you can then use the %SYS.Audit class, which is available in every namespace, to query the audit log.)

CAUTION:

If the audit database becomes full, Cach does not record audit entries for actions that cause audit events. Further, in a forensic context, the existence of only a single AuditRecordLost audit entry indicates that at least one record was lost.

9.4 Other Auditing Issues

This section covers the following topics: Freezing Cach If There Can Be No Audit Log Writes About Counters

9.4.1 Freezing Cach If There Can Be No Audit Log Writes

During operations of Cach, it may become impossible to write to the audit database. This can happen due to a filled disk, a failed network connection, or some other reason. If this occurs, Cach can then work in either of two different modes: The default behavior is to generate an error when there is a problem writing to the Audit log. Alternatively, a switch can be set so that the system freezes if there is a problem writing to the Audit log.

To set this switch, use the ^SECURITY routine: 1. In the Cach Terminal, go to the %SYS namespace:

110 Cach Security Administration Guide

Other Auditing Issues

> zn "%SYS"

2.

Start ^SECURITY:
> Do ^SECURITY

3. 4.

Within ^SECURITY, choose option 6 (Auditing Setup); within Auditing Setup, choose option 1 (Enable auditing). When it displays the prompt: Freeze system on audit database error? Enter Yes or Y. Confirm any changes when prompted.

This establishes the behavior of freezing the system. For a disk full error, the way to recover from this is to force down the system, free up space on the audit disk, then restart. For an error caused by database corruption, the audit database must be moved or deleted, and a new one created or copied into its place. Note that a restart of the system will not be enough to clear the error, since the restart may write audit records, and cause the system to freeze again. For example, with the default behavior, if the disk containing the audit database fills up, then the attempt to write to the audit log will generate a <FILEFULL> error (disk full). The audit record is not written to the audit log, and is therefore lost. When the problem is resolved, an entry is written into the audit log that lists how many audit events were lost. When this switch is set, and a write error occurs when writing to the audit log, the process which was trying to write to the audit log receives an error (such as <FILEFULL>). The process then writes the error message to the cconsole.log, and then freezes the system.

9.4.2 About Counters

To facilitate security monitoring, Cach keeps a counter for each audit event type and makes these counters available via the Cach monitoring interface. These counters are maintained even if auditing is not enabled. As an example, a site might monitor the LoginFailure event counter, to help detect break-in attempts.

9.4.2.1 Resetting the Counters for a System Event

To reset the counters for a system event: 1. 2. 3. From the Management Portal home page, go to the Configure System Audit Events page ([System] > [Security Management] > [Configure System Audit Events]). On this page, locate the event that you wish to enable or disable and select Reset from the column near the right-hand part of the table. When prompted, click OK. This resets both the Total and Written counters for the event.

9.4.2.2 Resetting the Counters for a User Event

To reset the counters for a user event: 1. 2. 3. From the Management Portal home page, go to the Configure User Audit Events page ([System] > [Security Management] > [Configure User Audit Events]). On this page, locate the event that you wish to enable or disable and select Reset from the column near the right-hand part of the table. This resets both the Total and Written counters for the event. When prompted, click OK. This resets both the Total and Written counters for the event.

Cach Security Administration Guide 111

10
Managed Key Encryption
Cach includes support for managed key encryption, a suite of technologies that protects data at rest. These technologies are: Block-level database encryption, also known simply as database encryption A set of tools to allow creation and management of databases in which all the data is encrypted. Such databases are managed through the Management Portal. Data element encryption for applications, also known simply as data element encryption A programmatic interface so that applications can include code to encrypt and decrypt individual data elements (such as particular class properties) as they are stored to and retrieved from disk. Encryption key management A set of tools in the Management Portal for creating and managing data-encryption keys and for managing key files. Both database encryption and data element encryption use key files to support their functionality.

Each Cach instance can simultaneously have one data-encryption key activated for database encryption and up to four data-encryption keys activated for data element encryption (activating a key makes it available for encryption and decryption operations); the database-encryption key can be the same key as one of the data-element encryption keys. When you create a data-encryption key, it is in a key file and must be decrypted to be used. Once you create a key, it is imperative that you store the key file in a secure location where it cannot be damaged in any way. When activated, information related to the key (but not the key itself) is in shared memory that is accessible only from the kernel; it is never available unencrypted. When stored on disk, they are in key files, which contain multiple encrypted copies of the data-encryption key. Cach uses AES (the Advanced Encryption Standard) to perform its encryption and decryption when Cach writes to or reads from disk. For databases, Cach writes and reads in 8192-byte blocks, and the information encypted includes the data itself, indices, bitmaps, pointers, allocation maps, and incremental backup maps. For data elements, only the specified data is encrypted, and a unique identifier for the encryption key is included with the encrypted data on disk. Encryption and decryption have been optimized, and their effects are both deterministic and small for any Cach platform; the section Performance Information includes the formula for determining how encryption affects performance. (This chapter also includes a section that addresses how the Cach database encryption facilities affect functionality related to but separate from databases themselves.)

WARNING!

The loss of or damage to all copies of a key file will prevent encrypted data whether data elements or databases from being decrypted.

Topics in this chapter include: Managing Keys and Key Files Using Encrypted Databases

Cach Security Administration Guide 113

Managed Key Encryption

Using Data Element Encryption Emergency Situations Other Information

10.1 Managing Keys and Key Files

A key, short for data-encryption key, is a 128, 196, or 256bit bit string that is used with a cryptographic algorithm to reversibly encrypt or decrypt data. Each key has a unique identifier (sometimes known as a GUID), which Cach displays as part of key management activities. Key management is the set of activities associated with creating encryption keys, activating keys, deactivating keys, and adding and removing administrators. A key file is a file that holds one or more encrypted copies of a data-encryption key. Within a key file, each copy of the data-encryption key is associated with a particular administrator and is stored in an encrypted form along with administrator information; each copy of the data-encryption key is individually encrypted using a unique key-encryption key where each key-encryption key is derived from an individual key administrators password. When an administrator attempts to perform an operation requiring the data-encryption key, Cach uses the administrators password as part of the process to decrypt the copy of the key associated with the administrator. Key file management is the set of activities associated with key files themselves, such as adding administrators to or removing administrators from key files. Topics in this chapter include: Managing Keys Creating a Key Managing Database Encryption Keys Managing Data Element Encryption Keys

Managing Key Files Adding an Administrator to a Key File Deleting an Administrator from a Key File Testing for a Valid Administrator Username-Password Pair Managing Keys and Key Files with Multinode Technologies

Recommended Policies for Managing Keys and Key Files Protection from Accidental Loss of Access to Encrypted Data Protection from Unauthorized Access to Encrypted Data

10.1.1 Managing Keys

Key management tasks include: Creating a Key Managing Database Encryption Keys Managing Data Element Encryption Keys

114 Cach Security Administration Guide

Managing Keys and Key Files

Along with key management, there are tasks associated with key file management taking care of the files that hold encryption keys. For more information on key file management, see the Managing Key Files section.

10.1.1.1 Creating a Key

To create a key, the procedure is: 1. 2. From the Management Portal home page, go to the Create Encryption Key page ([System] > [Encryption] > [Create Encryption Key]). On the Create Encryption Key page, enter values in the following fields:
Key File The name of the file where the encryption key is stored; this can be an absolute or relative path name.

If you enter an absolute file name, the key file is placed in the specified directory on the specified drive; if you enter a relative file name, the key file is placed in the managers directory for the Cach instance (which is below the Cach installation directory that is, in <cache-install-dir>/mgr/). Also, no file suffix is appended to the file name, so that the file MyKey is saved simply with that file name. You can also use the Browse button to the right of this field to choose a directory and file name for the key file.

WARNING!

Any key stored in <cache-install-dir>/Mgr/Temp is deleted when Cach next reboots never store a key in <cache-install-dir>/Mgr/Temp. The name of an administrator who can activate the key. There must be at least one

Administrator Name

administrator. Because the database encryption functionality exists independent of Cach security, this name need not match any user names that are part of Cach security. By default, the initial administrator name value is the current username.
Password A password for this user. Because the database encryption functionality exists independent of Cach

security, this password need not match the password that a user has for Cach security. Note that this password is not stored anywhere on disk; it is the responsibility of the administrator to ensure that this information is not lost. InterSystems suggests that this password follow the administrator password strength guidelines. If someone can successfully guess a valid password, the password policy is too weak.
Confirm Password

The password for this user entered again to confirm its value. The length of the key, where choices are 128bit, 192bit, and 256bit.

Cipher Security Level

Click Save to save the key file to disk. This creates a key file where each copy of the database-encryption key is encrypted using an administrators key-encryption key (KEK). It also displays the ID for the key, which is a string such as 9158980E-AE52-4E12-82FD-AA5A2909D029. The key ID is a unique identifier for the key which Cach displays here and on other pages. It provides a means for you to keep track of the key, regardless of its location. This is important because, once you save the key file, you can move it anywhere you choose; this means that Cach cannot track it by its location. 3. 4. Follow the instructions in the section Protection from Accidental Loss of Access to Encrypted Data to create and store a backup copy of the key file. Refer to the section Protection from Unauthorized Access to Encrypted Data for details about measures to prevent currently or formerly privileged users from gaining unsanctioned access to encrypted data. Each time you create a database-encryption key, it is a unique key that cannot be re-created. Using the same administrator and password for a new key still results in the creation of a different and unique key. If an unactivated key is lost and cannot be recovered, the encrypted database that it protected will be unreadable and its data will be permanently lost.

WARNING!

Cach Security Administration Guide 115

Managed Key Encryption

10.1.1.2 Managing Database Encryption Keys

When managing database encryption keys, actions include: Activating a Key for Database Encryption Deactivating a Database Encryption Key

Activating a Key for Database Encryption

Cach supports a single activated key at a time for database encryption. Once you have created a key, you have the option to activate it. If there is already an activated key, you must deactivate it before activating a new one. Note also that if a database is encrypted with a key that is not activated, then there is no access to that databases data. To activate a key for database encryption, the procedure is: 1. 2. 3. From the Management Portal home page, go to the Database Encryption page ([System] > [Encryption] > [Database Encryption]). On this page, click Activate Key, which displays the fields for activating a key. (If the Activate Encryption Key choice is not available, this means that the instance already has an activated key.) Enter values for the following fields: The name of the file where the encryption key is stored. If you enter an absolute file name, Cach looks for the key file in the specified directory on the specified drive; if you enter a relative file name, Cach looks for the key file starting in the managers directory for the Cach instance (which is below the Cach installation directory that is, in <cache-install-dir>/mgr/).
Key File Administrator Name

The name of an administrator for this key, specified either when the key was created or

edited.
Password

The password specified for the named administrator.

Then click the Activate button. The page indicates success by displaying a confirmation message, such as Activated database encryption key identifier: 5ECC05FE-3167-43EB-9798-B50E2C7E34E6. Because there is now an activated database encryption key, the page displays other options:
Deactivate Key Click to deactivate the currently activated database encryption key. For more details, see the section

Deactivating a Database Encryption Key Click to specify startup behavior related to database encryption. For more details, see the section Configuring Cach Database Encryption Startup Settings.
Configure Startup Settings

Deactivating a Database Encryption Key

To deactivate a database encryption key, the procedure is: 1. 2. 3. 4. From the Management Portal home page, go to the Database Encryption page ([System] > [Encryption] > [Database Encryption]). If there is a currently activated key, Deactive Key is available for selection. Click Deactivate Key, which displays a confirmation page. Click OK to deactivate the key. If successful, the Database Encryption page then displays a confirmation message: No database encryption key is activated. Also, you may now select Activate Key from this page. If it is not possible to deactivate the key, the Portal displays an error message. Cach does not allow you deactivate a key under the following circumstances: There is a currently-mounted encrypted database.

116 Cach Security Administration Guide

Managing Keys and Key Files

The CACHETEMP and CACHE databases are encrypted. The instance is encrypting journal files.

To deactivate the key, each condition requires a different action: For any encrypted database except CACHETEMP and CACHE, dismount the database on the Local Databases page ([System] > [Configuration] > [Local Databases]). You can then deactivate the key. For CACHETEMP and CACHE, specify that the CACHETEMP database is not to be encrypted and then restart Cach; the setting for CACHETEMP determines the behavior of the CACHE database as well. To do this, select Configure Startup Settings on the Database Encryption page; you can either choose to not activate a database encryption key at startup (in which case the option to encrypt CACHETEMP is not available) or you can choose interactive or unattended database encryption key activation at startup (in which cases the choice whether or not to encrypt CACHETEMP becomes available choose No). For encrypted journal files, ensure that no encrypted journal file is required for recovery. This is described in the section Encrypted Journal Files and Configuring Startup without Key Activation.

10.1.1.3 Managing Data Element Encryption Keys

When managing data element encryption keys, actions include: Activating a Key for Data Element Encryption Deactivating a Data Element Encryption Key

Activating a Key for Data Element Encryption

Cach supports up to four activated keys at one time for data element encryption. Once you have created a key, you have the option to activate it. To activate a key for data element encryption, the procedure is: 1. From the Management Portal home page, go to the Data Element Encryption page ([System] > [Encryption] > [Data Element Encryption]). If there are already any activated keys, the page displays a table listing these. If key activation is not available, this is because there are already four activated data element keys. On the [Data Element Encryption] page, select Activate Key, which displays the fields for activating a key. Enter values for the following fields: The name of the file where the encryption key is stored. If you enter an absolute file name, Cach looks for the key file in the specified directory on the specified drive; if you enter a relative file name, Cach looks for the key file starting in the managers directory for the Cach instance (which is below the Cach installation directory that is, in <cache-install-dir>/mgr/).
Key File Administrator Name

2. 3.

The name of an administrator for this key, specified either when the key was created or

edited.
Password

The password specified for the named administrator.

Then click the Activate button. The page then displays its table of activated keys, with the newly activated key added to it and its GUID listed in the Identifier column.

Cach Security Administration Guide 117

Managed Key Encryption

Note:

The table of keys does not display any file or path information. This is because, once the key file is activated, any sufficiently privileged operating system user can move the key; hence, Cach may not have accurate information about the operating system location and can only rely on the accuracy of the GUID for the activated key in memory. If you going to activate a second or subsequent key, make sure that you note the identifiers for the currently activated key(s) first, so that you can identify the new one.

Deactivating a Data Element Encryption Key

To deactivate a data element encryption key, the procedure is: 1. 2. 3. From the Management Portal home page, go to the Data Element Encryption page ([System] > [Encryption] > [Data Element Encryption]) page. If there are any activated keys, the page displays a table listing them. In the table of activated keys, for the key you wish to deactivate, click Deactivate. This displays a confirmation dialog. In the confirmation dialog, click OK.

When the [Data Element Encryption] page appears again, the row in the table for the deactivated key should no longer be present.

10.1.2 Managing Key Files

Key file management tasks include: Adding an Administrator to a Key File Deleting an Administrator from a Key File Testing for a Valid Administrator Username-Password Pair Managing Keys and Key Files with Multinode Technologies

Along with key file management, there are tasks associated with key file taking care of encryption keys themselves. For more information on key management, see the Managing Keys chapter.

10.1.2.1 Adding an Administrator to a Key File

To add an administrator to an existing key file, the procedure is: 1. 2. From the Management Portal home page, go to the Manage Encryption Key File page ([System] > [Encryption] > [Manage Encryption Key File]). In the Key File field, enter the path and filename of the key file to open and click OK; you can also use the Browse button to look for the key. Once the Portal opens the key file, it displays a table with the administrators listed in the file; administrator names appear in all capital letters, regardless of how they were defined. In the table of administrators, click Add to add a new administrator. This displays a page with the following fields:
Existing Administrator Name

3.

The name of an administrator already in the file. The password associated with the already existing administrator in the file.

Existing Administrator Password New Administrator Name

The name of the new administrator to be added to the file. Because the encryption functionality is independent of Cach security, the administrator name need not match any user names that are part of Cach security.
New Administrator Password The password for the new administrator. InterSystems suggests that this password

follow the administrator password strength guidelines. Because the encryption functionality is independent of Cach security, the password need not match the password that a user has for Cach security.
Confirm New Administrator Password

Confirmation of the password for the new administrator.

118 Cach Security Administration Guide

Managing Keys and Key Files

Complete these fields and click OK. You have now added a new administrator to the key file. Once you have added the new administrator to the key file, you may wish to copy the key file, making sure that each copy is in a secure location. Further, InterSystems strongly recommends that you create multiple administrators for each key, one of which has the name and password written down and stored in a secure location, such as in a fireproof safe. However, if copies of the key file are made and later on, as an administrative function, a new administrator is added, only the copy of the key file with the new administrator will be up to date. Note: When you add a new administrator to a key file, that administrators password is permanently associated with the entry for the administrator name created in the file. Once assigned, passwords cannot be changed. If you wish to assign a new password, delete the entry in the key file for that administrator name and then create a new entry with the same name and a new password.

10.1.2.2 Deleting an Administrator from a Key File

To delete an administrator from a key file, the procedure is: 1. 2. 3. From the Management Portal home page, go to the Manage Encryption Key File page ([System] > [Encryption] > [Manage Encryption Key File]). In the Key File field, enter the path and filename of the key and click OK. This displays a table with the administrators listed in the file. On this page, in the Encryption Key Path and File Name field, enter the location of the key file to edit and click Save immediately below the field where you entered the name. Selecting a key causes a table of administrators to appear in the lower part of the page, with a label that reads Administrators Defined in Key File [<key-file-name>]. Administrator names are listed in all capital letters, regardless of how they were defined. In the table of administrators, click Delete next to an administrator to remove that administrator for the key. Clicking Delete displays a confirmation page for the action. (If there is only one administrator in the file, there is no Delete button, as it is not permitted to delete this administrator.) Click OK to delete the administrator.

4.

5.

10.1.2.3 Testing for a Valid Administrator Username-Password Pair

An encryption key file contains one or more encrypted copies of a single database-encryption key, each of which is encrypted with a different password-derived key-encryption key. You can test interactively whether or not a username and password are valid by attempting to activate the key in Cach. You can: Use the Management Portal. For more information, see either Activating a Database Encryption Key or Activating a Data Element Encryption Key. Use the ^DATABASE utility. For more information, see ^DATABASE section of the Using the Character-based Security Management Routines appendix. Run the database encryption conversion utility cvencrypt on an unmounted database (either encrypted with the database encryption key or unencrypted), up to the confirmation prompt:
Continue? [Y/N]:

At this prompt, answer No. For more information on cvencrypt, see the chapter Using the cvencrypt Utility. Do not perform this process programmatically, since it requires storing the password on disk, which is not recommended. (Unattended key activation at startup is a highly restricted special exception to storing a password on disk, as described in the section Configuring Startup with Unattended Key Activation.)

Cach Security Administration Guide 119

Managed Key Encryption

10.1.2.4 Managing Keys and Key Files with Multinode Technologies

If you are using encrypted databases or journal files with any Cach multinode technology (such as clusters), then all nodes must share a single database-encryption key. There are two ways to do this: All the nodes share a single key file, which is located on one node. In this case, changes to the single copy of the key file are then visible to all nodes. However, if the node holding the key file becomes unavailable to the other nodes, then any attempt to read the key from the key file fails; this can prevent instances of Cach from restarting properly. Each node has its own copy of the key file. Here, you propagate copies of the key file (containing the same key) to all the other nodes. This increases the burden of administering the key file (which is typically small), but ensures that each instance of Cach always has a key available at startup. Important: Whether there are single or multiple key files, the database-encryption key itself is the same for all instances.

Using a Single Key File

1. 2. Create a database-encryption key on one node. For more information on this procedure, see the section Creating a Key. Secure this key according to the instructions in the section Protection from Accidental Loss of Access to Encrypted Data.

CAUTION:

Failure to take these precautions can result in a situation where the encrypted database will be unreadable and permanently lost.

3.

Configure each instance of Cach for unattended startup and provide Cach with the path to the key file. For more information on this procedure, see the section Configuring Startup with Unattended Key Activation.

Since all the Cach instances use the same key, they are able to read data encrypted by each other. Any changes to the key file are visible to all instances. Important: Refer to the section Protection from Unauthorized Access to Encrypted Data for details about measures to prevent currently or formerly privileged users from gaining unsanctioned access to encrypted data.

Using Multiple Key Files

If you choose to use multiple copies of the key file: 1. 2. Create a database-encryption key on one node. For more information on this procedure, see the section Creating a Key. Secure this key according to the instructions in the section Protection from Accidental Loss of Access to Encrypted Data.

CAUTION:

Failure to take these precautions can result in a situation where the encrypted database will be unreadable and permanently lost.

3. 4.

Make a copy of the key file for each node. On each node: a. Get a copy of the key file and put it in a secure and stable location on that machine.

120 Cach Security Administration Guide

Managing Keys and Key Files

b.

Configure each instance of Cach for unattended startup. For more information on this procedure, see the section Configuring Startup with Unattended Key Activation.

Since each copy of the key file contains the same key, all the Cach instances are able to read data encrypted by each other. Since each Cach instance has a key file on its machine, the key file should always be available for a Cach restart. If there are any changes to the key file (such as adding or removing administrators), you must propagate new copies of the key file to each machine and reconfigure each instance of Cach for unattended startup using the new copy of the key file (even if that file is in the same location as the old file). Important: Refer to the section Protection from Unauthorized Access to Encrypted Data for details about measures to prevent currently or formerly privileged users from gaining unsanctioned access to encrypted data.

10.1.3 Recommended Policies for Managing Keys and Key Files

The following sections address important topics for managing encrypted databases: Protection from Accidental Loss of Access to Encrypted Data Protection from Unauthorized Access to Encrypted Data

10.1.3.1 Protection from Accidental Loss of Access to Encrypted Data

Once you have created and activated a key, you can encrypt data. However, to ensure that such data is always available, it is strongly suggested that you take the following preventative actions: Create a second copy of a key file (a backup) and place it in a secure location, such as on some removable media that is stored in a fireproof safe. Create an additional administrator, the name and password of which are written down and stored in a secure location, such as in a fireproof safe at a site that is sufficiently far from where the key is in use. Failure to take these precautions can result in a situation where the encrypted data will be permanently inaccessible there will be no way to read it.

CAUTION:

10.1.3.2 Protection from Unauthorized Access to Encrypted Data

To read or alter encrypted data, the appropriate encryption key for the Cach instance must be activated. Key activation requires three separate and separable elements: (1) the encrypted database or database containing the encrypted data elements, (2) the key itself, and (3) someone with a knowledge of a username and password for using the key. The design of the data encryption mechanism allows for the separation of these three factors. This separation allows an organization to keep the key in a secure location, separate from the encrypted data and under the control of authorized individuals who cannot use the key. This prevents those individuals with knowledge of how to use the key from doing so in an unauthorized manner even if they have access to the data. Put another way, Cach makes it possible to secure encryption keys so that those who have the key cannot use it and those who can use the key do not have it. By this arrangement, the key can only be activated when those who have it make it available to those who can use it.

CAUTION:

If administrators have free access to a key file, then it is possible for them to make unauthorized copies of the key file. Such copies might be used by formerly authorized members of an organization, could be lost, and so on.

The degree of secure storage required is a function of the sensitivity of the data. Under the strictest circumstances, activation might occur as follows:

Cach Security Administration Guide 121

Managed Key Encryption

1.

A system administrator (who does not have the key but does have the information to use the key) needs to re-start Cach. After or as part of a Cach re-start, the database encryption key needs to be activated, so that encrypted databases or databases containing encrypted data can be mounted. The system administrator contacts the key holder (who has the key but lacks the information to use it). The key holder may be part of a sites staff that provides physical security; the key itself may even be stored in a safe or vault. The key holder retrieves the key, which may be on a CD, USB drive, or other portable storage device. The key holder then brings the key to where it is used for key activation. The system administrator then performs key activation under the oversight of the key holder, who ensures that the system administrator performs no other actions, such as copying the key file. Once the key has been activated, the key holder returns the device holding the key to its physically secure location until it is needed again.

2. 3. 4. 5.

Implementing this arrangement is for the purpose of preventing the system administrator from obtaining the key. Again, this is because possessing the key would enable the administrator to gain potentially unauthorized access to the encrypted data.

10.2 Using Encrypted Databases

To protect entire databases that contain sensitive information, Cach supports block-level database encryption (or, for short, database encryption). Database encryption is technology that allows you to create and manage databases that, as entire entities, are encrypted; it employs the Cach key management tools to support its activities. When you create a database, you can choose to have it be encrypted; this option is available if there is a currently activated key. Once you have created an encrypted database, you can use it in the same way as an unencrypted database. The encryption technology is transparent and has a small and deterministic performance effect. The database encryption functionality also supports the ability to encrypt the audit log and journal files; for instances that serve as destination shadow servers, enabling journal file encryption also results in the encryption of the journal files it receives from its source production server. Both these features require access to the database encryption key at startup time, as described in the section Configuring Cach Encryption Startup Settings. Management tasks for encrypted databases include: Creating an Encrypted Database Establishing Access to an Encrypted Database Closing an Encrypted Database Moving an Encrypted Database between Instances Configuring Cach Database Encryption Startup Settings Using Encrypted Databases with Mirroring About Encrypting the Databases that Ship with Cach

10.2.1 Creating an Encrypted Database

When creating a new database, you can specify that it is encrypted. However, before you can create an encrypted database, Cach must have an activated database-encryption key. Hence, the procedure is: 1. Create and activate a database-encryption key.

122 Cach Security Administration Guide

Using Encrypted Databases

2. 3. 4.

From the Management Portal home page, go to the Local Databases page ([System] > [Configuration] > [Local Databases]). On the Local Databases page, select the Create New Database menu choice. This displays the Create Database wizard. On the first page of the wizard, select the Encrypt Database? check box. This causes Cach to create an encrypted database. On subsequent pages of the wizard, choose database characteristics as you would when creating any database. (For more information on creating databases, see the Create Local Databases section of the Configuring Cach chapter of the Cach System Administration Guide.) Cach also provides a utility to encrypt unencrypted databases or decrypt encrypted databases, if this is necessary.

Note:

10.2.2 Establishing Access to an Encrypted Database

To perform various operations, such as adding a database to a mirror, the database must be mounted. However, for an encrypted database to be mounted, its key must be activated. Hence, access to the database requires activating the key and mounting the database, and the procedure for this is: 1. 2. 3. Activate the key. From the Management Portal home page, go to the Databases page ([System] > [Databases]. On this page, select the Mount button in the far right column of the table of databases. After selecting Perform Action Now on the confirmation screen, the database is mounted. If the key is not activated, Cach cannot mount the database and displays an error message.

You can now access the data within the database.

10.2.3 Closing the Connection to an Encrypted Database

To close the connection to an encrypted database, the procedure is: 1. 2. 3. From the Management Portal home page, go to the Databases page ([System] > [Databases]. On this page, select the Dismount button on the right in the table of databases. After selecting Perform Action Now on the confirmation screen, the database is dismounted. Deactivate the key.

Because the activated key is used for each read and write to the database, you cannot deactivate the key without first dismounting the database. If you attempt to deactivate the key prior to dismounting the database, Cach displays an error message.

10.2.4 Moving an Encrypted Database Between Instances

If your organization has multiple Cach instances, you may need to use an encrypted database on one instance that was created on another instance using a different key. To move the data from one instance to another, back up and then re-key the database using the cvencrypt utility. For more information on this process, see the section Converting an Encrypted Database to Use a New Key in the Using the cvencrypt Utility appendix of this book.

10.2.5 Configuring Cach Database Encryption Startup Settings

By default, an instance of Cach does not have a database encryption key available at startup time. This means that, by default, there are several features that are not available; to use these features, an encryption key needs to be activated at startup time. Cach can either gather the encryption key file information interactively or without human intervention (called unattended startup ). This section describes how to set up three database-encryption startup options:

Cach Security Administration Guide 123

Managed Key Encryption

Configuring Startup without Key Activation Configuring Startup with Interactive Key Activation Startup with Unattended Key Activation

The features that depend on having a key available at startup time are: Encrypting the Cach audit log. Encrypting the CACHETEMP and CACHE databases. (Either both are encrypted or neither.) Encrypting Cach journal files and, for a destination shadow server, encrypting the journal files received from the source production server. (Either both are encrypted or neither.) Having an encrypted database mounted at startup time.

10.2.5.1 Configuring Startup without Key Activation

This is the default behavior. If you have set up key activation at startup and choose to turn it off: 1. 2. 3. 4. From the Management Portal home page, go to the Database Encryption page ([System] > [Encryption] > [Database Encryption]). Select Configure Startup Settings. This displays the Startup Options dropdown list. In Startup Options, select None. Click Save. Cach may prevent you from performing this action if: Any encrypted databases are required at startup. See Required Encrypted Databases and Configuring Startup without Key Activation for more details. There are any encrypted journal files with open transactions. See Encrypted Journal Files and Configuring Startup without Key Activation for more details. The audit log is encrypted. (The error message for this refers to an encrypted database because Cach stores the audit log in a database called CACHEAUDIT.) See The Cach Audit Log and Configuring Startup without Key Activation for more details.

Address the issue that is preventing the change and then perform this procedure again. Once any issues are corrected, you will be able to successfully change to having startup without key activation.

Required Encrypted Databases and Configuring Startup without Key Activation

If the instance has encrypted databases that are required at startup, the Management Portal displays an error message stating this and indicating that the key activation option cannot be changed. (If the error message refers to the CACHEAUDIT database, this is because the audit log is encrypted.) To configure Cach to start without activating an encryption key, any encrypted databases can only be mounted after startup. You can configure a database to be mounted after startup by selecting No for the Mount Required at Startup? pulldown on the Database Properties page (System, Configuration, Local Databases, Database Properties for the selected database).

Encrypted Journal Files and Configuring Startup without Key Activation

Under certain conditions related to journal files, you may unable to turn off key activation at startup. These conditions are: The instance is configured to encrypt its journal files (either as a source production server or as a destination shadow server) There are open transactions in the journal file (which is fairly likely on a busy system)

124 Cach Security Administration Guide

Using Encrypted Databases

If this occurs, you need to stop using encrypted journal files before you change the startup key activation settings. To do this, the procedure is: 1. 2. On the Encryption Settings page, change the Encrypt journal files setting to No. Leave the Startup Options setting as it is. Switch journal files. To do this, click Switch Journal on the Journals page ([System] > [Journals]).

Once all open transactions within the encrypted journal files have either been committed or rolled back, you can then change the Cach startup configuration.

CAUTION:

Even after there are no open transactions, you may need the encrypted journal files to restore a database. For this reason, it is very important that you maintain copies of the key file containing the key used to encrypt these files.

For more information on journal files generally, see the Journaling chapter of the Cach Data Integrity Guide.

The Cach Audit Log and Configuring Startup without Key Activation
If the instance has an encrypted audit log, Cach displays a message that an encrypted database is required at startup, such as:
ERROR #1217: Can not disable database encryption key activation at startup. Encrypted databases are required at startup: C:\InterSystems\Cache\Mgr\CacheAudit\

The error message refers to encrypted databases because the audit log is stored in the Cach database CACHEAUDIT. The audit log cannot be encrypted if Cach starts without activating an encryption key. To specify that the instance uses an unencrypted audit log, select No for the Encrypt audit log pulldown on the Encryption Settings page. Changing this setting causes Cach to erase any existing audit data and to write an AuditChange event to the audit log.

CAUTION:

If you have not backed up audit data, changing the encryption setting for the audit log results in the loss of that existing audit data.

10.2.5.2 Configuring Startup with Interactive Key Activation

If you want Cach to activate a key at startup, prompting for the location of the key file and its associated information, then: 1. 2. 3. 4. From the Management Portal home page, go to the Database Encryption page ([System] > [Encryption] > [Database Encryption]). Select Configure Startup Settings. This displays the Startup Options dropdown list. In Startup Options, select Interactive. If the previous value for the field was None, then this displays the pages Optionally Encrypted Data area. The fields in this area are: Allows you to specify whether or not the CACHETEMP and CACHE databases are encrypted. To encrypt them, select Yes; to have them be unencrypted, select No.
Encrypt CACHETEMP and CACHE Databases Encrypt Journal Files Allows you to specify whether or not the instance encrypts its own journal files and, if it

is a destination shadow server, if it encrypts the journal files it receives from its source production server. To encrypt journal files, select Yes; to have them be unencrypted, select No. This choice depends on startup options because Cach startup creates a new journal file; if you choose encryption, startup requires a key. Note: This change takes effect the next time that Cach switches journal files. To begin journal file encryption without a restart, switch journal files after completing this page.

Cach Security Administration Guide 125

Managed Key Encryption

Encrypt Audit Log Allows you to specify whether or not Cach encrypts the audit log. To encrypt the audit log,

select Yes; to have it be unencrypted, select No. This choice depends on startup options because the Cach startup procedure records various events in the audit log; if you choose encryption, startup requires a key.

CAUTION:

This change takes effect immediately and deletes any existing audit data. Back up the audit database prior to changing this setting; otherwise, audit data will be lost.

5.

Click Save to save the selected settings. If Cach is configured to Encrypt CACHETEMP and CACHE, journal files, or the audit log Require an encrypted database at startup

Important:

then failure to activate the encryption key causes a Cach startup failure. If this occurs, use Cach emergency startup mode to configure Cach not to require any encrypted facilities at startup.

10.2.5.3 Configuring Startup with Unattended Key Activation

Unattended startup requires that all the elements required to decrypt an encrypted database be available when Cach starts running. This includes the Cach instance itself, the encrypted database, the database-encryption key file, and the username and password used for unattended database encryption key activation. By making all these items available, the security of the data in Cach becomes entirely dependent on the physical security of the machine(s) holding these elements. If your site cannot ensure this physical security, your data will then be subject to the same level of risk as if it were not encrypted; to avoid this situation, either use interactive startup (which prevents the simultaneous exposure of these elements) or ensure the physical security of the relevant machine(s).

CAUTION:

InterSystems recommends that you do not use unattended key activation.

If you want Cach to activate a key at startup without requiring any human intervention, then: 1. 1. 2. 3. 4. 5. Click Save to save the selected settings. You need to have a key currently activated. To activate a key, see the section Activating a Key. From the Management Portal home page, go to the Database Encryption page ([System] > [Encryption] > [Database Encryption]). Select Configure Startup Settings. This displays the Startup Options dropdown list. In Startup Options, select Unattended (NOT RECOMMENDED) If the previous value for the field was None, then this displays the pages other fields. The Startup Options area expands to display three fields. Complete these: The path of the database-encryption key file. This can be an absolute or relative path; if you specify a relative path, it is relative to the Cach installation directory. Click Browse to search for the database-encryption key file on the file system.
Key File Administrator Name Password

6.

An administrator for this key file.

The administrators password.

Complete the fields in the Optionally Encrypted Data area: Allows you to specify whether or not the CACHETEMP and CACHE databases are encrypted. To encrypt them, select Yes; to have them be unencrypted, select No.
Encrypt CACHETEMP and CACHE Databases

126 Cach Security Administration Guide

Using Encrypted Databases

Encrypt Journal Files Allows you to specify whether or not the instance encrypts its own journal files and, if it

is a destination shadow server, if it encrypts the journal files it receives from its source production server. To encrypt journal files, select Yes; to have them be unencrypted, select No. This choice depends on startup options because Cach startup creates a new journal file; if you choose encryption, startup requires a key. Note: This change takes effect the next time that Cach switches journal files. To begin journal file encryption without a restart, switch journal files after completing this page.

Encrypt Audit Log Allows you to specify whether or not Cach encrypts the audit log. To encrypt the audit log,

select Yes; to have it be unencrypted, select No. This choice depends on startup options because the Cach startup procedure records various events in the audit log; if you choose encryption, startup requires a key.

CAUTION:

This change takes effect immediately and deletes any existing audit data. Back up the audit database prior to changing this setting; otherwise, audit data will be lost.

7.

Click Save to save the selected settings.

When you configure Cach for unattended startup, it creates a special entry in the database-encryption key file. It is especially critical to ensure that the database encryption key file is not stored on the same medium as any encrypted databases. Ideally, the key file should be on a medium that can be physically locked in place, such as a lockable CDROM or DVD drive in a rack, and the datacenter facility should be locked and monitored. Important: If Cach is configured to Encrypt CACHETEMP and CACHE, journal files, or the audit log Require an encrypted database at startup

then failure to activate the encryption key causes a Cach startup failure. If this occurs, use Cach emergency startup mode to configure Cach not to require any encrypted facilities at startup.

10.2.6 Using Encrypted Databases with Mirroring

The following database encryption rules are relevant when using mirroring: If a mirrored database is encrypted on one failover member, it must also be encrypted on the other failover member. If the journal file is encrypted on one failover member, it must also be encrypted on the other failover member. If database encryption is enabled, the encryption key must be identical on the two failover members. If database encryption is enabled, SSL is required between the failover members. If both failover members have encrypted journal files, the async member(s) connected to that mirror must also have encrypted journal files. When configuring an async member, it is neither necessary nor recommended to use the same database encryption key on the async member as on the failover members. In fact, because it is possible to configure an async member to receive updates from more than one mirror, it is recommended that each async member have a unique database encryption key. If an encrypted mirrored database is being tracked on an async member, it must also be encrypted on that async member.

For more information about mirroring, see the Mirroring chapter of the Cach High Availability Guide.

Cach Security Administration Guide 127

Managed Key Encryption

10.2.7 About Encrypting the Databases that Ship with Cach

Each instance of Cach ships with a number of databases. The ability to encrypt and the value of encryption depends on the database:
CACHE: Can be encrypted in conjunction with the CACHETEMP database. Encrypting CACHE requires that a key be

available at startup, since the database is required at startup time.

CACHEAUDIT: Can be encrypted. Encrypting CACHEAUDIT requires that a key be available at startup, since the database

is required at startup time.

CACHELIB: Can be encrypted. (Note that all content in CACHELIB is publicly available.) CACHESYS: Do not encrypt. If an instance has an encrypted form of this database, Cach cannot start. CACHETEMP: Can be encrypted in conjunction with the CACHE database. Encrypting CACHETEMP requires that a

key be available at startup, since the database is required at startup time.

DOCBOOK: Can be encrypted. (Note that all content in DOCBOOK is publicly available.) SAMPLES: Can be encrypted. (Note that all content in SAMPLES is publicly available.) USER: Can be encrypted.

10.3 Using Data Element Encryption

Data element encryption provides a means of encrypting application data at a finer level of granularity than the database as a whole; it is for sensitive data elements whose exposure must be prevented. For example, customer records can exclusively encrypt the credit card field; patient records can exclusively encrypt fields that display test results (such as for HIV testing); or a record that includes a social security number can just encrypt that field. Data element encryption is available programmatically (via an API), rather than through the Management Portal. Because it is accessible through an API, you can use it in your application code. You have the option of using data element encryption with database encryption (though there is no requirement to use both). For an application to use data element encryption, the required keys must be available when the application is running. To make a key available, activate it; for details, either see the following section Programmatically Managing Keys or, if using the Portal, see Activating a Key for Data Element Encryption . When a key is activated, Cach displays its unique identifier in the table of activated keys; the application then uses this identifier to refer to the key so that it can be loaded from memory for encryption operations. Since there can be up to four keys simultaneously activated, data element encryption provides the infrastructure for tasks that require multiple keys. When encrypting data for data element encryption, Cach stores the encryption keys unique identifier with the resulting ciphertext. The unique identifier enables the system to identify the key at decryption time using only the ciphertext itself. This section describes: Programmatically Managing Keys Data Element Encryption Calls Support for Re-Keying Data in Real Time

10.3.1 Programmatically Managing Keys

Since data element encryption is available through an API, there are also a set of calls for managing keys:

128 Cach Security Administration Guide

Using Data Element Encryption

$SYSTEM.Encryption.CreateEncryptionKey $SYSTEM.Encryption.ActivateEncryptionKey $SYSTEM.Encryption.DeactivateEncryptionKey $SYSTEM.Encryption.ListEncryptionKeys

These are all methods of the %SYSTEM.Encryption class.

10.3.2 Data Element Encryption Calls

The system methods available for data element encryption are all methods of the %SYSTEM.Encryption class and are: $SYSTEM.Encryption.AESCBCManagedKeyEncrypt $SYSTEM.Encryption.AESCBCManagedKeyDecrypt $SYSTEM.Encryption.AESCBCManagedKeyEncryptStream $SYSTEM.Encryption.AESCBCManagedKeyDecryptStream

These method names all begin with AESCBCManagedKey because the methods use AES (the Advanced Encryption Standard) in cipher block chaining (CBC) mode and are part of the suite of tools for managed key encryption. Important: The AESCBC methods that do not include ManagedKey in their names are older methods and cannot be used for these purposes.

10.3.2.1 $SYSTEM.Encryption.AESCBCManagedKeyEncrypt
The signature of this method as it is usually called is:
$SYSTEM.Encryption.AESCBCManagedKeyEncrypt ( plaintext As %String, keyID As %String, ) As %String

where: plaintext The unencrypted text to be encrypted. keyID The GUID of the data-encryption key to be used to encrypt plaintext. The method returns the encrypted ciphertext.

If the method fails, it throws either the <FUNCTION> or <ILLEGAL VALUE> error. Place calls to this method in a Try-Catch loop; for more information on Try-Catch, see the section The TRY-CATCH Mechanism in the Error Processing chapter of Using Cach ObjectScript. For more details, see the $SYSTEM.Encryption.AESCBCManagedKeyEncrypt class reference content.

10.3.2.2 $SYSTEM.Encryption.AESCBCManagedKeyDecrypt
The signature of this method as it is usually called is:
$SYSTEM.Encryption.AESCBCManagedKeyDecrypt ( ciphertext As %String ) As %String

where:

Cach Security Administration Guide 129

Managed Key Encryption

ciphertext The encrypted text to be decrypted. The method returns the decrypted plaintext.

If the method fails, it throws either the <FUNCTION> or <ILLEGAL VALUE> error. Place calls to this method in a Try-Catch loop; for more information on Try-Catch, see the section The TRY-CATCH Mechanism in the Error Processing chapter of Using Cach ObjectScript. You do not need to include the key ID with this call, as this are stored with and in the ciphertext to be decrypted, respectively. For more details, see the $SYSTEM.Encryption.AESCBCManagedKeyDecrypt class reference content.

10.3.2.3 $SYSTEM.Encryption.AESCBCManagedKeyEncryptStream
The signature of this method as it is usually called is:
$SYSTEM.Encryption.AESCBCManagedKeyEncryptStream ( plaintext As %Stream.Object, ciphertext As %Stream.Object, keyID As %String, ) As %Status

where: plaintext The unencrypted stream to be encrypted. ciphertext The variable to receive the encrypted stream. keyID The GUID of the data-encryption key to be used to encrypt plaintext. The method returns a %Status code.

For more details, see the $SYSTEM.Encryption.AESCBCManagedKeyEncryptStream class reference content.

10.3.2.4 $SYSTEM.Encryption.AESCBCManagedKeyDecryptStream
The signature of this method as it is usually called is:
$SYSTEM.Encryption.AESCBCManagedKeyDecryptStream ( ciphertext As %Stream.Object, plaintext As %Stream.Object ) As %Status

where: ciphertext The encrypted stream to be decrypted. plaintext The variable to receive the unencrypted stream. The method returns a %Status code.

You do not need to include the key ID with this call, as this are stored with and in the ciphertext to be decrypted, respectively. For more details, see the $SYSTEM.Encryption.AESCBCManagedKeyDecryptStream class reference content.

10.3.3 Support for Re-Keying Data in Real Time

Data element encryption allows Cach applications to support re-keying data, which is re-encrypting an encrypted data element with a new key.

130 Cach Security Administration Guide

Emergency Situations

Because an encrypted data element has its encrypting key identifier stored with it, this simplifies the process of re-keying data. Given merely the handle to ciphertext and an activated key, an application can perform re-keying. For example, data element encryption supports the ability to re-key sensitive data without any downtime; this is particularly useful for users required to perform this action for legal reasons, such as those fulfilling PCI DSS (Payment Card Industry Data Security Standard) requirements. If you need to re-key data, create a new key and specify to your application that this is the new encryption key. You can then perform an action such as running a background application to decrypt the elements and encrypt them with the new key. This uses the specified key for encryption and always uses the correct key for decryption, since it is stored with the encrypted data.

10.4 Emergency Situations

This section describes what to do under certain circumstances when you are in danger of losing data. These include: If the File Containing an Activated Key is Damaged or Missing If There Is a Backup Copy of the Key File with a Known Administrator Username and Password If There Is No Backup Copy of the Key File or the Key has No Known Administrator Username and Password

CAUTION:

This is a dire situation. Act immediately.

If the Database-Encryption Key File Is Required at Startup and Is Not Present If You Can Make the Key File Available If a Backup Key File Is Available If No Key File Is Available

10.4.1 If the File Containing an Activated Key is Damaged or Missing

In this situation, the following circumstances have occurred: A database-encryption key has been activated for the Cach instance. Cach is using encrypted data. The key file containing the database-encryption key becomes damaged.

10.4.1.1 If There Is a Backup Copy of the Key File with a Known Administrator Username and Password
CAUTION:
This procedure is for an emergency situation, where encrypted data in Cach databases is in danger of being lost.

If the file containing an activated key becomes inaccessible or damaged, immediately perform the following procedure: 1. 2. Get the backup copy of the key file. This is the copy that you stored as described in the section Protection from Accidental Loss of Access to Encrypted Data. Make a copy of the backup copy.

Cach Security Administration Guide 131

Managed Key Encryption

3. 4.

Re-configure your startup options using the new copy of the key file even if you are setting it up for the same options as before. Make a new backup copy of the key file and store it in a safe place. Follow all the precautions specified in the section Special Cautions to Preserve the Data in Encrypted Databases.

10.4.1.2 If There Is No Backup Copy of the Key File or the Key has No Known Administrator Username and Password
Important: THIS PROCEDURE IS FOR AN EMERGENCY SITUATION, WHERE ENCRYPTED DATA IN CACH DATABASES IS IN DANGER OF BEING LOST.

If the file containing the activated key becomes inaccessible or damaged while Cach is running, immediately perform the following procedure: 1. Do not shut down Cach. Do not deactivate the currently active key.

WARNING!
2. 3.

Shutting down Cach or deactivating the active key will cause the permanent loss of your data.

Contact the InterSystems Worldwide Response Center. Engineers there can help guide you through the following procedure and answer any questions that may arise. Prevent all users from making any changes to the database with encrypted content while copying its data to an unencrypted database. To do this, the procedure is: a. b. c. d. From the Management Portal home page, select the System Operation, then Databases to display the Databases page ([System] > [Databases]). On the Databases page, if the encrypted database is mounted, select the Dismount option in the next-to-last column in that databases row. Then select Perform Action Now on the Dismount database confirmation page. When the Databases page appears again, select the Mount option in the last column in the databases row. On the Mount database confirmation page, check the Read Only box and select Perform Action Now.

It is critical that no one makes any changes to the database during this procedure. Mounting the database read-only prevents any user from changing any data. 4. Copy all data in unencrypted form to another database. If you have multiple encrypted databases, you need to perform this procedure for each database. The procedure for copying the data is: a. In the Cach Terminal, go to the %SYS namespace:
REGULARNAMESPACE> zn "%SYS"

b.

From that namespace, run the ^GBLOCKCOPY command:

%SYS>d ^GBLOCKCOPY This routine will do a fast global copy from a database to another database or to a namespace. If a namespace is the destination, the global will follow any mappings set up for the namespace. 1) Interactive copy 2) Batch copy 3) Exit Option?

c.

At the ^GBLOCKCOPY prompt, specify 1, for an interactive copy:

132 Cach Security Administration Guide

Emergency Situations
Option? 1 1) Copy from Database to Database 2) Copy from Database to Namespace 3) Exit Option?

d.

When ^GBLOCKCOPY prompts for a copy type, select 1, for copying from database to database
Option? 1 Source Directory for Copy (? for List)?

Here, either specify the name of the encrypted database or enter ? to see a numbered list of databases, which includes the encrypted database. If you enter ?, ^GBLOCKCOPY displays a list such as this one:
Source Directory for Copy (? for List)? ? 1) C:\InterSystems\MyCache\mgr\ 2) C:\InterSystems\MyCache\mgr\cache\ 3) C:\InterSystems\MyCache\mgr\cacheaudit\ 4) C:\InterSystems\MyCache\mgr\cachelib\ 5) C:\InterSystems\MyCache\mgr\cachetemp\ 6) C:\InterSystems\MyCache\mgr\docbook\ 7) C:\InterSystems\MyCache\mgr\encrypted1\ 8) C:\InterSystems\MyCache\mgr\encrypted2\ 9) C:\InterSystems\MyCache\mgr\samples\ 10) C:\InterSystems\MyCache\mgr\unencrypted\ 11) C:\InterSystems\MyCache\mgr\user\ Source Directory for Copy (? for List)?

Enter the number of the encrypted database, such as 7 here. e. f. When ^GBLOCKCOPY prompts for a destination directory for copying the data, enter the name of an unencrypted database or ? for a list similar to the one for the source directory. When ^GBLOCKCOPY asks if you wish to copy all globals, enter Yes (can be Yes, Y, y, and so on):
ll Globals? No => y

g.

If there is an empty global in the database, ^GBLOCKCOPY will now ask if you wish to copy it. This will appear something like the following:
All Globals? No => yes ^oddBIND contains no data Include it anyway? No =>

Enter No (can be No, N, n, and so on), which is the default. h. ^GBLOCKCOPY then asks if you wish to skip all the other empty globals. Enter Yes (can be Yes, Y, y, and so on), which is the default:
Exclude any other similar globals without asking again? Yes =>

There then appears a list of all the empty globals that are not being copied:
Exclude any other similar globals without asking again? Yes => Yes ^oddCOM contains no data -- not included ^oddDEP contains no data -- not included ^oddEXT contains no data -- not included ^oddEXTR contains no data -- not included ^oddMAP contains no data -- not included ^oddPKG contains no data -- not included ^oddPROC contains no data -- not included ^oddPROJECT contains no data -- not included ^oddSQL contains no data -- not included ^oddStudioDocument contains no data -- not included ^oddStudioMenu contains no data -- not included ^oddTSQL contains no data -- not included ^oddXML contains no data -- not included ^rBACKUP contains no data -- not included ^rINC contains no data -- not included

Cach Security Administration Guide 133

Managed Key Encryption

^rINCSAVE contains ^rINDEXEXT contains ^rINDEXSQL contains ^rMACSAVE contains 9 items selected from 29 available globals no no no no data data data data ----not not not not included included included included

i.

^GBLOCKCOPY then asks if you wish to disable journaling for this operation:
Turn journaling off for this copy? Yes =>

Enter Yes (can be Yes, Y, y, and so on), which is the default. j. ^GBLOCKCOPY then asks if to confirm that you wish to copy the data:
Confirm copy? Yes =>

Enter Yes (can be Yes, Y, y, and so on), which is the default. Depending on the size of the database and the speed of the processor, you may see the status of the copy as it progresses. When it completes, ^GBLOCKCOPY displays a message such as:
Copy of data has completed

k.

^GBLOCKCOPY then asks if you wish to save statistics associated with the copy. Enter No (can be No, N, n, and so on), which is the default:
Do you want to save statistics for later review? No =>

Control then returns to the main prompt. 5. 6. 7. 8. Test that the copied data is valid. You can do this by examining the classes, tables, or globals in the Management Portals System Explorer for the database into which ^GBLOCKCOPY has copied the data. If the data is valid, perform steps 3 and 4 of this procedure for each encrypted database. Once you have made copies of every encrypted database into an unencrypted database, make a second copy of each database, preferably to a different machine than that which holds the first copy of each. Now and only now you can dismount all encrypted databases and deactivate the active key (that is, the key for which the key file is missing or damaged). Cach requires that you dismount all encrypted databases prior to deactivating their key.

You now have your data in one or more unencrypted databases and there is no activated key. To re-encrypt the formerly encrypted databases, the procedure is: 1. 2. Create a new database-encryption key according to the procedure described in the section Creating a Key. Create a new backup copy of the key file as described in Protection from Accidental Loss of Access to Encrypted Data.

CAUTION:

Make sure you take the precautions described in Protection from Accidental Loss of Access to Encrypted Data; failure to follow these procedures can result in the permanent loss of data.

3. 4.

Create one or more new encrypted databases, using the new key. Import the data exported in the previous procedure into the new encrypted database(s).

Your data is now stored in encrypted databases for which you have a valid key and a backup copy of the key file containing that key.

134 Cach Security Administration Guide

Emergency Situations

10.4.2 If the Database-Encryption Key File Is Required at Startup and Is Not Present
Under certain conditions related to the required use of a database-encryption key file at startup, Cach starts in single-user mode. These conditions are: Cach is configured for either interactive or unattended startup. Startup specifies that journal files and/or the CACHETEMP and CACHE databases are encrypted, or an encrypted database is specified as required at startup. The database-encryption key file is not present.

10.4.2.1 If You Can Make the Key File Available

This situation may have been caused simply by the appropriate key file not being present at Cach startup time such as if the media holding it is not currently available. To correct the condition, after Cach starts running in single-user mode, then the procedure is: 1. Shut down Cach. For example, if the instance of Cach is called MyCache, the command to do this would be:
ccontrol force MyCache

2. 3.

If you know the location where Cach is expecting to find the database-encryption key file, then place the key file there. (Otherwise, you need to run ^STURECOV as specified in the next section.) Start Cach again.

Cach should start in its typical mode (multi-user mode) and operate as expected.

10.4.2.2 If a Backup Key File Is Available

If the appropriate key file is not present at Cach startup time and is not available, you may have a backup key file available. If so, then to correct the condition, after Cach starts running in single-user mode, then the procedure is: 1. 2. Contact InterSystems Worldwide Response Center. Engineers there can help guide you through the following procedure and answer any questions that may arise. Start a Cach Terminal session according to the instructions in the most recent entry in the cconsole.log file. Typically, this specifies starting a Terminal session with the -B flag. For example, at a Windows command line, for an instance of Cach called MyCache that is installed in the default location, the command would be:
C:\MyCache\bin\cache -sC:\MyCache\mgr -B

This connects you with Cach in the operating system terminal window; the prompt in that window changes from the operating system prompt to the Cach %SYS prompt. 3. 4. If you have or can obtain a copy of the database-encryption key file (such as a backup), then place a copy of the key file in a location accessible to Cach. Run the ^STURECOV (startup recovery) routine at the Cach terminal prompt. In that routine, activate the encryption key using an administrator username and password in that file. (You do not need to exit ^STURECOV when you have completed this process.) When you are satisfied that Cach is ready for use, use ^STURECOV to complete the startup procedure. Cach then starts in multi-user mode.

5.

Cach Security Administration Guide 135

Managed Key Encryption

Cach should now operate as expected.

10.4.2.3 If No Key File Is Available

If you do not have any copy of the database-encryption key file, then the procedure is: 1. 2. Contact InterSystems Worldwide Response Center. Engineers there can help guide you through the following procedure and answer any questions that may arise. Start a Cach Terminal session with the -B flag. For example, at a Windows command line, for an instance of Cach called MyCache that is installed in the default location, the command would be:
C:\MyCache\bin\cache -sC:\MyCache\mgr -B

This connects you with Cach in the operating system terminal window; the prompt in that window changes from the OS prompt to the Cach %SYS prompt. 3. 4. If you have encrypted journal files, use ^STURECOV (startup recovery) to deactivate journal file encryption. Run the ^STURECOV routine at the Cach terminal prompt. In that routine, configure Cach database startup options not to require a database encryption key. This means that the CACHETEMP and CACHE databases as well as journal files should now operate as expected; it also means that any encrypted databases cannot be mounted. When you are satisfied that Cach is ready for use, use ^STURECOV to complete the startup procedure. Cach then starts in multi-user mode. If you have not performed the actions described in the section Protection from Accidental Loss of Access to Encrypted Data, then your data may no longer be available in any form. This is a very serious problem, but if you do not have a key, there is no way to retrieve the lost data.

5.

CAUTION:

10.5 Other Information

This section addresses: Performance Information Key File Encryption Information Encryption and Database-Related Cach Facilities

10.5.1 Performance Information

Users familiar with other encryption systems for databases may have concerns about encryption having dire effects on performance. With the Cach database encryption technology, these are unfounded. Cach database encryption has no significant effect on application response time (latency), though it does consume CPU cycles directly in proportion to the disk I/O rate. (Regarding latency, encryption adds a trivial amount for reads and, due to the use of write daemons, none for writes.) For operations requiring a disk read, you can calculate the additional time required according to the following equation:
(# of blocks read) * (8192 bytes / block) * (30 CPU clock ticks / byte) _________________________________________________________________________ # of CPU clock ticks / second

For example, to read a block on a system with a 1 GHz processor, the time required would be:

136 Cach Security Administration Guide

Other Information
1 block * (8192 bytes / block) * (30 CPU clock ticks / byte) _________________________________________________________________________ 1,000,000,000 CPU clock ticks / second

which works out to a cost of 0.24 milliseconds for reading the block, compared to a typical disk read latency of 8 milliseconds.

10.5.2 Key File Encryption Information

Database encryption administrator names are stored in the clear in the key file. Database encryption administrator passwords are not stored; when entered, they are used to derive key-encryption keys. If someone can successfully guess a valid password, the password policy is too weak. Key-encryption keys are derived using the PBKDF2 algorithm with 512 bits of salt and 65,536 iterations, making brute force attacks against the passwords impractical. Nonetheless, database encryption key files should be securely stored separately from the encrypted databases if you want three-factor security (database, key file, password); for details on protecting data in this way, see the section Protection from Unauthorized Access to Encrypted Data.

10.5.3 Encryption and Database-Related Cach Facilities

Cach database encryption protects database files themselves. Regarding related facilities in Cach: Cach online backups are not encrypted. To ensure that the Cach database is encrypted in a backup, it is recommended that you quiesce Cach and then perform a file system backup (as described in the section External Backup in the Backup and Restore chapter of the Cach Data Integrity Guide). In the write image journal (WIJ) file, the blocks for encrypted databases are encrypted. (For clustered systems, the same is true for the PIJ file.) The CACHETEMP and CACHE databases can optionally be encrypted. To provide encryption for CACHETEMP and CACHE, see the section Configuring Cach Encryption Settings. You can optionally encrypt journal files; on a destination shadow server, this switch also encrypts all the journal files that it receives from its source production server. To encrypt journal files, see the section Configuring Cach Encryption Settings.

Cach Security Administration Guide 137

11
SQL Security
Cach has both system-level security, and an additional set of SQL-related security features. The Cach SQL security provides an additional level of security capabilities beyond its database-level protections. Some of the key differences between SQL and system-level security are: SQL protections are more granular than system-level protections. You can define privileges for tables, views, and stored procedures. SQL privileges can be granted to users as well as to roles. System-level privileges are only assigned to roles. Holding an SQL privilege implicitly grants any related system privileges that are required to perform the SQL action. (Conversely, system-level privileges do not imply table-level privileges.) The different types of privileges are described in the SQL Privileges and System Privileges section.

11.1 SQL Privileges and System Privileges

To manipulate tables or other SQL entities through SQL-specific mechanisms, a user must have the appropriate SQL privileges. System-level privileges are not sufficient. Note: Roles are shared by SQL and system level security: a single role can include both system and SQL privileges.

Consider the following example for an instance of Cach on a Windows machine: There is a class in the USER namespace called User.MyPerson. This class is projected to SQL as the SQLUser.MyPerson table. There is a user called Test, who belongs to no roles (and therefore has no system privileges) and who has all privileges on the SQLUser.MyPerson table (and no other SQL privileges). There is a second user, called Test2. This user is assigned to the following roles: %DB_USER (and so can read or write data on the USER database); %SQL (and so has SQL access through the %Service_Bindings service); and, through a custom role, has privileges for using the Console and %Development.

If the Test user attempts to read or write data in the SQLUser.MyPerson table through any SQL-specific mechanism (such as one that uses ODBC), the attempt succeeds. This is because Cach makes the Test user a member of the %DB_USER and %SQL role to establish the connection; this is visible in audit events that the connection generates, such as the %System/%Login/Login event. (If the Test user attempts to use the Cach terminal or Management Portal, these attempts fail, because the user lacks sufficient privilege for these.)

Cach Security Administration Guide 139

SQL Security

If the Test2 user attempts to read or write data in the SQLUser.MyPerson table through any SQL-specific mechanism (such as one that uses ODBC), the attempt fails because the user does not have sufficient privileges for the table. (If the Test2 user attempts to view the same data in the Cach terminal using object mechanisms, the attempt succeeds because the user is sufficiently privileged for this type of connection.)

11.2 The SQL Service

The %Service_SQL:Use privilege controls a users ability to connect using a Cach object or SQL client and then use SQL. When a user attempts to connect to Cach, the server determines whether the user holds any SQL-level privileges for the namespace. If the user holds at least one such privilege, then the server automatically adds two roles: the %SQL role, which has the %Service_SQL:Use privilege, and the implicit database role for the namespaces default database. As a result of this automatic role addition, it is not necessary for SQL users to hold any database privileges, because the server adds them automatically. With the exception of this role addition at connect-time, no automatic role escalation occurs during the processing of an SQL statement. The user must hold the necessary system-level privileges when the SQL statement is executed. Note that the %Service_SQL:Use privilege is only required to use SQL in a client/server configuration. For example, a user running an application that employs server-side embedded SQL requests does not require this permission. The %CREATE_TABLE command is namespace-specific: granting a user this privilege for a specific namespace enables the user to create new tables in that namespace only.

11.2.1 CREATE USER

The SQL CREATE USER statement can be used to create Cach users. The newly created user has no roles. Under some circumstances, a username can be implicitly used as an SQL schema name. This may pose problems if the username contains characters that are forbidden in an SQL identifier. For example, in a multiple domain configuration the username contains the @ character. Cach handles this situation differently depending on the setting of the Delimited Identifiers configuration parameter: If the use of delimited identifiers is enabled, no special processing occurs. If the use of delimited identifiers is disabled, then any forbidden characters are removed from the username to form a schema name. For example, the username [email protected] would become the schema name documentationintersystemscom .

This does not affect the value returned by the SQL CURRENT_USER function. It is always the same as $USERNAME.

11.2.2 Effect of Changes

Setting an SQL security value takes effect when the user next connects, not during that users current session.

11.2.3 Required Privileges for Working with Tables

Creating a user in SQL, with the statement
CREATE USER <username> IDENTIFY BY <password>

is equivalent to performing the same action using the Management Portal. For the user to be able to work with a particular table, privileges for that table must be explicitly granted, such as with the Management Portal.

140 Cach Security Administration Guide

The SQL Service

The minimum privilege required to work with a particular table is: any SQL privilege, like SELECT, on the relevant table. If the user has the right to perform a SELECT command, then this grants the ability to read and use but not write; analogously, INSERT, UPDATE, and DELETE provide those privileges.

Cach Security Administration Guide 141

12
System Management and Security
This chapter covers the following topics: System Security Settings Page System-wide Security Parameters Authentication Options Password Strength and Password Policies Protecting Cach Configuration Information Managing Cach Security Domains Security Advisor Effect of Changes Emergency Access

12.1 System Security Settings Page

The System Security Settings page ([System] > [Security Management] > [System Security Settings]) provides links to pages that configure the entire Cach instance for security. These pages are: System-wide Security Parameters Authentication Options LDAP Options

12.2 System-wide Security Parameters

This section describes security issues that affect an entire Cach instance. This includes the system-wide security parameters and handling sensitive data in memory images. Cach includes a number of system-wide security parameters. You can configure these on the System Security Settings page ([System] > [Security Management] > [System-wide Security Parameters]). These are:

Cach Security Administration Guide 143

System Management and Security

Enable audit

Turns auditing on or off. This check box performs the same action as the Enable Auditing and Disable

Auditing links on the Auditing page ([System] > [Security Management] > [Auditing]). For more information on auditing,

see the chapter Auditing. [Default is off]

Enable configuration security

Specifies whether configuration security is on or off, as described in the section Protecting Cach Configuration Information. [Default is off]

Allows you to choose the instances default security domain. For more information on security domains, see the section Managing Cach Security Domains . [Default is the domain established during installation]
Default security domain

Specifies the maximum number of days that a user account can be inactive, which is defined as the amount of time between successful logins. When this limit is reached, the account is disabled. A value of 0 (zero) means that there is no limit to the number of days between logins. [Default is 0 for minimal-security installations and 90 for normal and locked-down installations]
Inactive limit (0365)

Specifies the maximum number of successive unsuccessful login attempts. After this limit is reached, either the account is disabled or an escalating time delay is imposed on each attempt; the action depends on the value of the Disable account if login limit reached field. A value of 0 (zero) means that there is no limit to the number of invalid logins. [Default is 5]
Invalid login limit (0-64)

If checked, specifies that reaching the number of invalid logins (specified in the previous field) causes the user account to be disabled.
Disable account if login limit reached Password Expiration Days (099999) Specifies how frequently passwords expire and, therefore, how frequently users

must change their passwords (in days). When initially set, specifies the number of days until passwords expire. A value of 0 (zero) means that the password never expires. [Default is 0]

CAUTION:

This setting affects all accounts for the Cach instance, including those used by Cach itself. Until passwords are updated for these accounts, it may impossible for various operations to proceed and this may lead to unexpected results.

Password pattern Specifies the acceptable format of newly created passwords. See

Password Strength and Password Policies for more information. [Default for an instance with Minimal and Normal security is 3.32ANP; default for a locked-down instance is 8.32ANP.] Specifies a user-provided routine (or entry point) for validating a password. See the PasswordValidationRoutine method in the Security.System class for more information.
Password validation routine Role required to connect to this system If set to an existing role, specifies that a user must be a member of this role

(as a login role) in order to log into the system.

Enable writing to percent globals Specifies whether write access to percent globals is implicitly granted to all users;

if not checked, write access is controlled by normal security mechanisms. For more information on the percent globals and CACHESYS (the database that holds them), see the section CACHESYS, the Managers Database in the chapter Assets and Resources. [Default is controlled by normal security mechanisms.] Specifies whether there is support for multiple Cach security domains. For more information on security domains, see the section Managing Cach Security Domains. [Default is a single domain]
Allow multiple security domains Superserver SSL/TLS Support

Specifies if the superserver supports or requires the use of SSL/TLS for client con-

nections. Options are:

Disabled The superserver refuses client connections that use SSL/TLS. (That is, it only accepts client connections

that do not use SSL/TLS.)

Enabled

The superserver accepts but does not require SSL/TLS.

The superserver requires client connections to use SSL/TLS. Not recommended see the following caution for details.
Required

144 Cach Security Administration Guide

Authentication Options

Note:

Before you can configure the superserver to use SSL/TLS, there must be an existing configuration called %SuperServer.

For more information about using SSL/TLS with the Cach superserver, see Configuring the Cach Superserver to Use SSL/TLS.

CAUTION:

Requiring clients to use SSL/TLS for their connections will prevent the proper operation of ECP, the Management Portal, and other web applications. This describes circumstances when an administrator creates an SSL/TLS configuration called %SuperServer , enables this configuration, and then specifies in the Superserver SSL/TLS Support field that the SSL/TLS is required (clicking the Required radio button). The administrator can correct this problem at the Terminal (which still connects) using ^SECURITY as follows: 1. 2. 3. 4. Start ^SECURITY in a terminal session. Select option 9 (Systems parameter setup). Select option 1 (Edit system options). In answer to the question, What type of SSL/TLS connections are allowed for the superserver?, change the setting to Accept or None (equivalent, respectively, to Enabled and Disabled in the Portal).

12.2.1 Protecting Sensitive Data in Memory Images

Certain error conditions can cause the contents of a processs memory to be written to a disk file, known as a core dump. This file contains copies of all data that was in use by the process at the time of the dump, including potentially sensitive application and system data. This can be prevented by disallowing core dumps on a system-wide basis. The method for disallowing core dumps varies according to the operating system in use; for details, consult the documentation of your operating system.

12.3 Authentication Options

The Authentication Options page ([System] > [Security Management] > [Authentication Options]) allows you to enable or disable authentication mechanisms for the entire Cach instance: If an authentication mechanism is disabled for the entire Cach instance, then it is not available for any service. If an authentication mechanism is enabled for the entire Cach instance, then it is available for all the services that support it. To enable the authentication mechanism for a particular service, use the Edit Service page for that property; this page is available by selecting the service from the Services page ([System] > [Security Management] > [Services]). Note: Not all services support all mechanisms.

The authentication options are: Allow Unauthenticated access Users may connect without authenticating. (If login dialog appears, the user can leave the Username and Password fields blank and click OK to log in.) Allow Operating System authentication Cach uses the operating systems user identity to identify the user.

Cach Security Administration Guide 145

System Management and Security

Allow Password authentication Cach uses its own native tools to authenticate a username and password that are registered with it. This mechanism is also known as Cach login. Allow Delegated authentication Cach delegates the process of authentication to a user-defined function. Allow Kerberos authentication Cach performs authentication using Kerberos. Allow LDAP authentication Cach uses an available LDAP database to authenticate users. Allow LDAP cache credentials authentication Cach keeps a cached copy of LDAP credentials so that it can authenticate LDAP users if the LDAP database becomes unavailable. Enable two-factor authentication Cach provides a second authentication token to the user via a mobile phone text message that the user must then enter to complete the authentication process. If selected, the Authentication Options page displays the fields for configuring two-factor authentication.

If there are multiple authentication options, Cach uses cascading authentication. For more information on authentication, see the chapter Authentication.

12.4 Password Strength and Password Policies

Cach allows you to specify requirements for user passwords by supplying a string of the form:
X.Y[ANP]

where X is the minimum number of characters in the password. Y is the maximum number of characters in the password. A, N, and P specify whether Alphabetic characters, Numeric characters, and Punctuation characters are permitted in the password.

These rules are based on the Cach ObjectScript pattern matching functionality. This functionality is described in the Pattern Matching section of the Operators and Expressions chapter of Using Cach ObjectScript. Note: The value for this parameter does not affect existing passwords.

12.4.1 Suggested Administrator Password Strength

Ideally, administrator passwords should be a random mixture of uppercase and lowercase alphabetic characters, numerals, and punctuation. Since passwords like that are difficult to remember, passwords are often based on characters derived from a known or easily remembered phrase. (This does not result in a random set of characters, but does introduce a good mix of character types.) For example, using the phrase I like Cach because its so fast! , a password might be I:)Ce'bcoZ==s0F@$t! InterSystems strongly suggests following these guidelines when setting password values for administering both Cach generally and encrypted databases in particular.

146 Cach Security Administration Guide

Protecting Cach Configuration Information

12.5 Protecting Cach Configuration Information

Cach configuration information is stored in a text file outside of Cach. This file is known as a Cach parameter file and often referred to as a cache.cpf file. Because this file can be modified while Cach is not running, Cach controls the ability to start a system with a modified cache.cpf. To protect your instance against intentional or accidental misconfiguration, check the Configuration Security box to on. If Cach startup detects that the Cach parameter file has been modified outside the control of the Management Portal since the last time Cach was started, Cach startup requests a username and password to validate the changes. The username supplied must have %Admin_Manage:Use privileges. If an appropriate username and password cannot be provided, Cach allows the operator to choose as follows: 1. 2. 3. Re-enter the username and password. Start using the last known good configuration. Abort startup.

If the operator chooses option 2, Cach renames the parameter file that was invoked at startup (file.cpf) with the suffix _rejected (file.cpf_rejected). Cach then overwrites the file.cpf with the last known good configuration (_LastGood_.cpf) and starts up using this configuration. Note: The protections for the cache.cpf file are not a substitute for operating-systemlevel security. It is recommended that you protect the configuration file by strictly limiting the ability of users to modify it, at the operating-system level.

For more information on the configuration file generally, see the Cach Parameter File Reference.

12.6 Managing Cach Security Domains

Cach security domains provide a grouping of users that corresponds to Kerberos realms and Windows domains. If your instance is using Kerberos, its Cach domain corresponds to a Kerberos realm. If you are using a Windows domain, this also corresponds to a Kerberos realm. While a security domain name often takes the form of an Internet domain name, there is no requirement that it do so. A security domain name can contain any character except @ .

12.6.1 Single and Multiple Domains

You can configure Cach for either a single-domain or multiple-domain configuration. For an instance with a single domain: The $USERNAME variable does not include the domain name. System utilities do not show the domain name when displaying usernames. It is prohibited to specify a username from any domain other than the default domain (described in the following section).

For an instance with multiple domains: The $USERNAME variable includes the domain name. System utilities show the domain name when displaying usernames.

Cach Security Administration Guide 147

System Management and Security

In a multiple-domain configuration, a fully-qualified user identifier consists of a username, an at sign ( @ ), and a domain name, such as, [email protected]. To specify support for a single domain or multiple domains, use the Allow multiple security domains field of the Systemwide Security Parameters page of the Management Portal ([System] > [Security Management] > [System-wide Security Parameters]), described in the System-wide Security Parameters section of this chapter.

12.6.2 The Default Security Domain

Each instance has a default security domain. This is the domain assumed for any username where no domain is specified. For example, if the default domain is intersystems.com , the user identifiers info and [email protected] are equivalent. When Cach is installed, it uses the local domain name to provide an initial value for the parameter. For instances with multiple security domains, you can select a new default security domain using the Default Security Domain field of the System-wide Security Parameters page ([System] > [Security Management] > [System-wide Security Parameters]), described in the System-wide Security Parameters section of this chapter.

12.6.3 Listing, Editing, and Creating Domains

The Security Domains page ([System] > [Security Management] > [Security Domains]) provides a table that lists the existing security domains for a Cach instance. For each domain, the table has: The domains name. The domains description. An Edit button, which allows you to edit the domains description (but not its name). Since you cannot change a domains name, create a new domain with the preferred name and then delete the existing domain. A Delete button, which, after prompting, allows you to remove a domain from the instance.

The page also has a Create New Domain button. Selecting this displays the Edit Domain page which accepts a domain name and an optional domain description. After entering this information, select Save to create the domain.

12.7 Security Advisor

To assist system managers in securing a Cach system, Cach includes a Security Advisor. This is a Web page that shows current information related to security in the system configuration. It recommends changes or areas for review, and provides links into other system management Web pages to make the recommended changes. Important: The Security Advisor provides general recommendations, but does not have any knowledge of an instances needs or requirements. It is important to remember that each Cach instance has its own requirements and constraints, so that issues listed in the Security Advisor may not be relevant for your instance; at the same time, the Security Advisor may not list issues that are of high importance for you. For example, the Security Advisor exclusively recommends that services use Kerberos authentication, but, depending on your circumstances, authentication through the operating system, Cach login, or even unauthenticated access may be appropriate.

There are some general features in the Security Advisor:

Details button Each section has a Details button. Selecting this button displays the page for managing that aspect of

Cach regulated by the section.

148 Cach Security Administration Guide

Security Advisor

Name button Each named item in each section is a link. Selecting one of these items displays the page for managing

that item.
Ignore check box Each named item in each section has an associated Ignore check box. Selecting this grays out the

line for the specified item. The line does not appear if Cach is set up according to the Security Advisors recommendations, whether or not the Ignore check box is selected.

12.7.1 Auditing
This section displays recommendations on auditing itself and on particular audit events: Auditing should be enabled Auditing creates a record that can provide forensic information after any notable or unusual system events. Auditing for this event type should be enabled Auditing particular events can provide more specific information about various topics. Specifically, since the events noted when not enabled are: The DirectMode event Auditing this event can provide information about connections to Cach that give users significant privileges. The Login event Auditing this event can provide information questionable logins. The LoginFailure event Auditing this event can provide information about attempts to gain inappropriate access to the system.

12.7.2 Services
This section displays recommendations on Cach services. For each service, depending on its settings, the Security Advisor may address any of the following issues: Ability to set % globals should be turned off Since % globals often hold system information, allowing users to manipulate these globals can result in serious, pervasive, and unpredictable effects. Unauthenticated should be off Unauthenticated connections give all users, including the unidentified UnknownUser account, unregulated access to Cach through the service. Service should be disabled unless required Access through any service monitored by the Security Advisor can provide an undue level of system access. Service should use Kerberos authentication Access through any other authentication mechanism does not provide the maximum level of security protection. Service should have client IP addresses assigned By limiting the number of IP addresses from which connections are accepted, Cach may be able to more tightly oversee the connections to it. Service is Public Public services give all users, including the unidentified UnknownUser account, unregulated access to Cach through the service.

12.7.3 Roles
This section displays recommendations for all roles that hold possibly undue privileges; other roles are not listed. For each role, the Security Advisor may address any of the following issues: This role holds privileges on the Audit database Read access to the Audit database may expose audited data inappropriately; Write access to the Audit database may allow the inappropriate insertion of data into that database.

Cach Security Administration Guide 149

System Management and Security

This role holds the %Admin_Secure privilege This privilege can allow for the establishing, modifying, and denying access of users to assets; it also allows the modification of other security-related features. This role holds Write privilege on the %CACHESYS database Write access to the %CACHESYS database may allow the compromise of system code and data.

12.7.4 Users
This section displays recommendations related to users generally and for individual user accounts. In this area, the Security Advisor may address any of the following issues: At least 2 and at most 5 users should have the %All role Too few users holding %All can lead to access problems in an emergency; too many users holding it can open the system to compromise This user holds the %All role Explicitly announcing which users hold %All can help eliminate any who hold it unnecessarily. UnknownUser account should not have the %All role A system cannot be properly secured if anonymous users have all privileges. While this is part of any instance with a Minimal security level, such an instance is not properly secured by design. Account has never been used Unused accounts provide an attractive point of entry for those attempting to gain unauthorized access. Account appears dormant and should be disabled Dormant accounts (those that have not been used for over 30 days) provide an attractive point of entry for those attempting to gain unauthorized access. Password should be changed from default password This is a commonly attempted point of entry for those attempting to gain unauthorized access.

12.7.5 CSP, Privileged Routine, and Client Applications

Each application type has its own section, which makes it simpler to review details for each application type. These sections display recommendations related to access to and privileges granted by applications. In this area, the Security Advisor notes the following issues: Application is Public Public applications give all users, including the unidentified UnknownUser account, unregulated access to the data associated with the application and actions that the application supports. This is even more notable if the application also grants the %All role, either conditionally or absolutely. Application conditionally grants the %All role A system cannot be properly secured if users have the possibility of holding all privileges. This is even more notable if the application is also public. Application grants the %All role A system cannot be properly secured if users have all privileges. This is even more notable if the application is also public.

12.8 Effect of Changes

When you make changes to various security settings, the amount of time for these to take effect are as follows: Changes to user properties, such as the roles assigned to the user, are effective with the next login for that user. They have no effect on processes that are already running.

150 Cach Security Administration Guide

Emergency Access

Changes to services, such as whether a service is enabled or authentication is required, are effective for future connection attempts. Existing connections are not affected. Changes to role definitions are effective immediately for any subsequent privilege checks. These affect database resources immediately, because they are checked for each database access. For services and applications, they are effective with subsequent connection attempts or application initiations. The times listed here are the latest times that changes take effect; in some cases, changes may be effective earlier than indicated.

Note:

12.9 Emergency Access

Cach provides a special emergency access mode that can be used under certain dire circumstances, such as if there is severe damage to security configuration information or if no users with the %Admin_Manage:Use or %Admin_Security:Use privileges are available (that is, if all users are locked out). Although Cach attempts to prevent this situation by ensuring that there is always at least one user with the %All role, that user may not be available or may have forgotten the password. When Cach is running in emergency access mode, only a single user (called the emergency user) is permitted. This username does not have to be previously defined within Cach. In fact, even if the username is defined in Cach, the emergency user is conceptually a different user. The emergency username and password are only valid for the single invocation of emergency mode. Other important points about emergency access mode:
%Service_Console, %Service_Terminal, and %Service_CSP are the only services enabled.

There is only access using Cach login no other authentication mechanism is supported. For the web applications that control the Portal (/csp/sys and /csp/sys/*), the standard login page (%CSP.Login.cls) is used during emergency access even if there is a custom login page available; this ensures that the emergency user has access to the Portal, since a custom login page may prevent authentication from occurring. For other web applications, if there is a custom login page, then that page is used during emergency login. Two-factor authentication is disabled. This avoids any situation where two-factor authentication might prevent the emergency user from being able to authenticate.

12.9.1 Invoking Emergency Access Mode

To start Cach in emergency access mode, you must have the appropriate operating-system privileges: On Windows systems, the user must be a member of the Administrators group. On UNIX and MacOS systems, the user must be root. On OpenVMS systems, the user must have a system UIC.

Cach performs authentication by checking operating-system-level characteristics.

12.9.1.1 Invoking Emergency Access Mode on Windows

To start Cach in emergency access mode:

Cach Security Administration Guide 151

System Management and Security

1.

Start the Windows Command Prompt program. (On certain versions of Windows, such as Vista, you must run the Command Prompt as an administrator; to do this, right-click the Command Prompt choice in the menu and then choose Run as Administrator.) Go to the bin directory for your Cach installation. In that directory, invoke Cach at the command line using the appropriate switch and passing in the username and password for the emergency user.
./ccontrol start <cache-instance-name> /EmergencyId=<username>,<password>

2. 3.

This starts an emergency-mode Cach session with only one allowed user where: <cache-instance-name> specifies the instance being started in emergency mode <username> is the sole user of the system <password> is <username>s password On Windows, unlike other operating systems, the EmergencyId switch is preceded by a slash ( / ).

Note:

For example, at the instance MyCache, to start Cach in emergency mode with user Eugenia with the password 52601, the command would be:
./ccontrol start MyCache /EmergencyId=Eugenia,52601

The only user who can then log in is the emergency user, using the appropriate password, such as:
Username: Eugenia Password: ***** Warning, bypassing system security, running with elevated privileges

Once Cach has started, you can start the Terminal from the Cach cube or run any CSP application. This provides access to the Management Portal and all character-based utilities. Using this access, you can change any settings as necessary and then restart Cach in its normal mode.

12.9.1.2 Invoking Emergency Access Mode on UNIX and Mac OS

To start Cach in emergency access mode, invoke Cach at the command line using the appropriate switch and passing in the username and password for the emergency user:
ccontrol start <cache-instance-name> EmergencyId=<username>,<password>

This starts an emergency-mode Cach session with only one allowed user where: <cache-instance-name> specifies the instance being started in emergency mode <username> is the sole user of the system <password> is <username>s password If going from one of these operating systems to Windows, remember that on Windows only, the EmergencyId switch is preceded by a slash ( /).

Note:

For example, at the instance MyCache, to start Cach in emergency mode with user Eugenia with the password 5262001, the command would be:
ccontrol start MyCache EmergencyId=Eugenia,52601

The only user who can then log in is the emergency user, using the appropriate password, such as:

152 Cach Security Administration Guide

Emergency Access
Username: Eugenia Password: ***** Warning, bypassing system security, running with elevated privileges

Once Cach has started, you can run Cach Terminal or any CSP application. This provides access to the Management Portal and all character-based utilities. Using this access, you can change any settings as necessary and then restart Cach in its normal mode.

12.9.1.3 Invoking Emergency Access Mode on OpenVMS

To start Cach in emergency access mode, invoke Cach at the command line using the appropriate switch and passing in the username and password for the emergency user, where the username and password are in quotation marks:
ccontrol start <cache-instance-name> EmergencyId="<username>,<password>"

This starts an emergency-mode Cach session with only one allowed user where: <cache-instance-name> specifies the instance being started in emergency mode <username> is the sole user of the system <password> is <username>s password If going from OpenVMS to Windows, remember that on Windows only, the EmergencyId switch is preceded by a slash (/ ).

Note:

For example, at the instance MyCache, to start Cach in emergency mode with user Eugenia with the password 5262001, the command would be:
ccontrol start MyCache EmergencyId="Eugenia,52601"

The only user who can then log in is the emergency user, using the appropriate password, such as:
Username: Eugenia Password: ***** Warning, bypassing system security, running with elevated privileges

Once Cach has started, you can run Cach Terminal or any CSP application. This provides access to the Management Portal and all character-based utilities. Using this access, you can change any settings as necessary and then restart Cach in its normal mode.

12.9.2 Emergency Access Mode Behavior

In emergency access mode, Cach has the following constraints and behaviors: The emergency user is the only permitted user. Any attempt by another user to log in will fail. The emergency user has the %ALL role. Console, Terminal and CSP are the only services that are enabled. All other services are disabled. This does not affect the enabled or disabled status of services when Cach starts in non-emergency mode; only the current (emergency), in-memory information about services is affected. For the enabled services, only authenticated access is permitted. Cach uses its own password authentication for the services, where the emergency access username and password must be used. After emergency access login, Cach attempts to audit all events for the active process; Cach start-up proceeds even if this is not possible. Login failures in emergency access mode are not audited.

Cach Security Administration Guide 153

System Management and Security

The emergency user can make changes to the Cach configuration, but these changes are not activated until the next time that Cach is started in normal (not emergency) mode. This is in contrast to the normal operation of Cach, in which configuration changes are primarily activated without restarting Cach.

154 Cach Security Administration Guide

13
Using SSL/TLS with Cach
This chapter describes the use of Cach with SSL (Secure Sockets Layer) and TLS (Transport Layer Security), its successor. Cach supports the use of SSL/TLS to secure connections of several types: From various client applications that interact with the Cach superserver. This includes connections from Cach shadow destinations to Cach shadow sources. From Telnet clients that interact with the Telnet server. For use with TCP connections where a Cach instance is the client or server (or a Cach instance is at each end). To use SSL/TLS with ODBC, Cach Studio, the CSP Gateway, or the InterSystems Telnet client, contact the InterSystems Worldwide Response Center (WRC).

Important:

As a server, Cach accepts connections and establishes the use of SSL; as a client, Cach is able to connect to servers that require the use of SSL. In all cases, Cach uses what is called an SSL/TLS configuration, which specifies the various characteristics of a Cach instance as part of an SSL/TLS connection. This chapter has the following sections: About SSL/TLS About Configurations Configuring the Cach Superserver to Use SSL/TLS Configuring the Cach Telnet Service to Use SSL/TLS Configuring Java Clients to Use SSL/TLS with Cach Configuring .NET Clients to Use SSL/TLS with Cach Configuring Cach to Use SSL/TLS with TCP Devices Configuring Cach to Use SSL/TLS with Mirroring Configuring the CSP Gateway to Connect to Cach Using SSL/TLS Establishing the Required Certificate Chain

Cach Security Administration Guide 155

Using SSL/TLS with Cach

13.1 About SSL/TLS

SSL/TLS provides strong protection for communication between pairs of entities. It allows you to perform authentication, data integrity protection, and data encryption. SSL was created at Netscape in the mid nineteen-nineties. Version 3.0, which is still in use, was released in 1996. TLS was created as a standardization of SSL 3.0 and version 1.0 was released in 1999. The current version of TLS is 1.2. Among the supported versions of SSL/TLS for Cach, InterSystems recommends the use of the latest version available. The process by which an SSL/TLS connection is established between two entities is known as the SSL/TLS handshake, and it uses a client/server model. Completion of the handshake means that, according to the requirements of the client and the server: The client has authenticated the server. The server has authenticated the client. (If the client and the server have both authenticated each other, this known as mutual authentication.) The client and server have agreed upon session keys. (Session keys are the keys for use with a symmetric-key algorithm that allow the entities to protect data during subsequent communications.) Subsequent communication can be encrypted. The integrity of subsequent communication can be verified.

The ciphersuites of the client and server specify how these activities occur as part of the handshake or are supported for a protected connection. Specifically, a peers ciphersuites specify what features and algorithms it supports. The client proposes a set of possible ciphers for use; from among those proposed, the server selects one. (If there are no common ciphers between the client and server, the handshake fails.) To perform the handshake, SSL/TLS typically uses public-key cryptography (though it can use other means, such as the Diffie-Hellman protocol). With public-key cryptography, each peer (either the client or the server) has a public key and a private key. The private key is a sensitive secret value and the public key is a widely published value; typically, the public key is encapsulated in a certificate, which also contains identifying information about the holder, such as a name, organization, location, issuer validity, and so on. For Cach, an SSL/TLS configuration (described in the section About Configurations) specifies a named set of SSL/TLS-related values, including a certificate file, a private key file, and an optional set of ciphersuites. If successful, the handshake creates session keys that are used to protect subsequent communications. While Cach and applications require various interactions with SSL/TLS, the end-user typically has no such direct interactions. For example, a browser uses SSL/TLS to establish a secure connection with a specified web site by requiring that the site (the server, in this case) authenticate itself to the browser (which occurs unbeknownst to the browsers user) and the lock icon that appears in the browser is designed to indicate that SSL/TLS is protecting the connection.

13.2 About Configurations

Cach can support multiple configurations, each of which specifies a named set of SSL/TLS-related values. All its existing configurations are activated at startup. When you create a new configuration from the Management Portal, Cach activates it when you save it. The page for managing SSL/TLS configurations is the SSL/TLS Configurations page ([System] > [Security Management] > [SSL/TLS Configurations]). This section covers the following topics:

156 Cach Security Administration Guide

About Configurations

Creating or Editing an SSL/TLS Configuration Deleting a Configuration Reserved Configuration Names

13.2.1 Creating or Editing an SSL/TLS Configuration

The page for creating or editing an SSL/TLS configurations is the SSL/TLS Configurations page ([System] > [Security Management] > [SSL/TLS Configurations]). To create a new configuration, click Create New Configuration; to edit an existing configuration, click Edit to the right of the name of the configuration. Both these choices display the Edit SSL/TLS Configuration page. (You can also create a new set of configurations for a mirror member by clicking Create Configurations for Mirror; for more information on mirroring and SSL/TLS, see Configuring Cach to Use SSL/TLS with Mirroring. When creating or editing an SSL/TLS configuration, the following fields are available: The string by which the configuration is identified. Configuration names can contain any alphanumeric character and any punctuation except the | character. If you are creating a configuration for the Cach superserver, the configuration name must be %SuperServer; for more information about this topic, see Configuring the Cach Superserver to use SSL/TLS.
Configuration Name Description Enabled

Any text.

Whether or not the configuration is available for activation.

Type Intended purpose for this configuration, where the choice is Client or Server; the default is Client. Clients ini-

tiate the use of the protocol and servers respond to the initial request. (The Cach superserver uses a server configuration; SSL/TLS clients, such as a shadow destination, use a client configuration.) The value chosen for this field determines the choices available for or behavior of the Peer certificate verification level and File containing trusted Certificate Authority X.509 certificate(s) fields.
Peer certificate verification level

Specifies whether or not the configuration requires the verification of the peer to

which it is connecting. For client configurations:

None

continues if certificate verification fails. continues only if certificate verification succeeds.

Require

For server configurations:

None

specifies that the server neither requests nor requires a client certificate.

Request allows the client to provide or not provide a certificate. If the client provides no certificate, then authenti-

cation proceeds; if the client provides a certificate and verification fails, then authentication fails.
Require specifies that the client must provide a certificate; authentication depends on verification of the certificate.

The X.509 certificate(s) of the Certificate Authority or Certificate Authorities that this configuration trusts, including path(s), in PEM format. The path can be specified as either an absolute path or a path relative to the managers directory. (Note that certificates from the Windows Certificate Export Wizard must be in base-64encoded X.509 format, not the default of DER-encoded binary X.509.)
File containing trusted Certificate Authority X.509 certificate(s)

The configuration uses the certificates of the trusted CA(s) to validate peer certificates. Hence, for a server configuration with a peer certification level of None, the field is not available, since there is no peer validation. Note: With mirroring, the configuration must also have enough information to validate its own certificate.

Cach Security Administration Guide 157

Using SSL/TLS with Cach

For information on how these certificates are used, see the section Establishing the Required Certificate Chain. For information on file names for these certificates and how to verify a certificate chain, see the OpenSSL documentation on the verify command.
This clients credentials or This servers credentials The files (if needed) containing the X.509 certificate and private

key for the local configuration: The full location of the configurations own X.509 certificate(s), in PEM format. This can be specified as either an absolute or a relative path. This can include a certificate chain. For information on how this is used for authentication, see the section Establishing the Required Certificate Chain. (Note that certificates from the Windows Certificate Export Wizard must be in base-64 encoded X.509 format, not the default of DER encoded binary X.509.)
File containing this configurations X.509 certificate File containing associated private key The full location of the configurations private key file, specified as either

an absolute or relative path.

Private key type The algorithm used to generate the private key, where valid options are DSA (Digital Signature

Algorithm) and RSA (Rivest, Shamir, and Adleman, for the algorithms inventors).
Private key password

An optional password for encrypting and decrypting the configurations private key. A retyping of the optional password to ensure that it is the intended string.

Private key password (confirm)

Cryptographic settings:

Those communications protocols that the configuration considers valid, where the choices are one or more of SSLv2, SSLv3, and TLSv1. The default is SSLv3 and TLSv1.
Protocols Enabled ciphersuites The set of ciphersuites used to protect communications between the client and the server.

See the Enabled Ciphersuites Syntax section for more information on this topic. Note: The required fields vary, depending on whether the configuration is to be a client or server and on the desired features. Not all fields are required for all SSL configurations.

At the bottom of this page are three buttons: Checks for valid configuration information. If the configurations role is as a client, selecting this button also prompts for a server (its host name, not its URL) and a port number; Cach then tries to establish a test connection to that server. (This button is not available when creating a server configuration.)
Test Save Dismisses the dialog, saving and then activating the configuration. This saves changes to an existing configu-

ration or the configuration being created.

Cancel Dismisses the dialog without saving changes to an existing configuration or without saving a configuration

being created.

13.2.1.1 Required Information for Certificates

When a client authenticates a server, the client needs to have the full certificate chain from the servers own certificate to the servers trusted CA certificate including all intermediaries between the two. There is an issue when setting up a server SSL configuration and the servers trusted CA certificate is not a root certificate. In order for authentication to work properly, the client needs to have access to all the certificates that constitute the certificate chain from the servers personal certificate to a self-signed trusted CA certificate. This chain can be obtained from the combination of the servers certificate file (sent during the handshake) and the clients trusted CA certificate file. The selfsigned trusted root CA certificate must be in the clients CA certificate file, and the servers personal certificate must be the first entry in the servers certificate file. Other certificates may be divided between the two locations. The same constraints apply in reverse when a client authenticates to a server.

158 Cach Security Administration Guide

About Configurations

Regarding certificate formats, note that certificates from the Windows Certificate Export Wizard must be in base-64 encoded X.509 format, not the default of DER encoded binary X.509.

13.2.1.2 Enabled Ciphersuites Syntax

A configuration only allows connections that use its enabled ciphersuites. To specify enabled ciphersuites, you can either: Provide a list of individual ciphersuites, using each ones name. Use OpenSSL syntax for specifying which ciphersuites to enable and disable.

Both the list of ciphersuite names and the syntax for specifying enabled ciphersuites is described on the ciphers(1) man page at openssl.org. This syntax allows you to specify guidelines for requiring or proscribing the use of various features and algorithms for a configuration. The default for a Cach configuration is TLSv1:SSLv3:!ADH:!LOW:!EXP:@STRENGTH which breaks down into the following group of colon-separated statements:
TLSv1 Specifies the inclusion of TLS v1.0 ciphersuites. SSLv3 Specifies the inclusion of SSL v3.0 ciphersuites. !ADH Specifies the unconditional exclusion of anonymous Diffie-Hellman ciphersuites. !LOW Specifies the unconditional exclusion of ciphersuites using 56- or 64-bit encryption algorithms. This statement

does not cause the exclusion of export-approved algorithms.

!EXP Specifies the unconditional exclusion of export-approved algorithms (both 40- and 56-bit). @STRENGTH Specifies that the matching ciphersuites be sorted by strength, from highest to lowest.

13.2.1.3 A Note on Cach Client Applications Using SSL/TLS

For certain activities, you can use Cach instances to support client applications that interact with the Cach superserver. For example, when using SSL/TLS to protect a shadowing connection, a Cach instance serving as a shadow destination would be an SSL/TLS client. When using client applications that interact with the Cach superserver using SSL/TLS, the following aspects of the configuration require particular attention:
Configuration Name While there are no constraints on the name of clients, this information is required to configure

the connection.
Type

Because the instance is serving with an SSL/TLS client, the type must be specified to be of type Client. The specified ciphersuites need to match those required or specified by the server.

Ciphersuites

It is also necessary to ensure that the client and the server are configured so that each may verify the others certificate chain, as described in the section Establishing the Required Certificate Chain.

13.2.2 Deleting a Configuration

The page for deleting an SSL/TLS configuration is the SSL/TLS Configurations page ([System] > [Security Management] > [SSL/TLS Configurations]). To delete a configuration, click Delete to the right of the name of the configuration. The Portal prompts you to confirm the action.

Cach Security Administration Guide 159

Using SSL/TLS with Cach

13.2.3 Reserved Configuration Names

Cach reserves several SSL/TLS configuration names for use with particular features. When using such a feature, you must use the reserved configuration name(s). The reserved configuration names are:
%MirrorClient For a mirror member when acting as an SSL/TLS client. For more information on mirroring and

SSL/TLS, see Configuring Cach to Use SSL/TLS with Mirroring.

%MirrorServer For a mirror member when acting as an SSL/TLS server. For more information on mirroring

and SSL/TLS, see Configuring Cach to Use SSL/TLS with Mirroring.

%SuperServer For the Cach superserver when accepting connections from other Cach components. For more

information about configuring the superserver to use SSL/TLS, see the next section. Important: For SSL/TLS to function properly, you must use the exact case for each configuration name as it appears here.

13.3 Configuring the Cach Superserver to Use SSL/TLS

To use SSL/TLS for communications among components of Cach, configure the Cach superserver to use SSL/TLS. To do this, the procedure is: 1. 2. 3. 4. From the Management Portal home page, go to the SSL/TLS Configurations page ([System] > [Security Management] > [SSL/TLS Configurations]). On the SSL/TLS Configurations page, select Create New Configuration, which displays the Edit SSL/TLS Configuration page. On the Edit SSL/TLS Configuration page, create an SSL/TLS server configuration with a configuration name of %SuperServer (using the exact case as specified here). On the System-wide Security Parameters page ([System] > [Security Management] > [System-wide Security Parameters]), for the Superserver SSL/TLS Support field, choose Enabled. This specifies that the superserver supports (but does not require) SSL/TLS-secured connections. Note: If you wish to configure the superserver to require SSL/TLS-secured connections, first specify that SSL/TLS is simply enabled. Once you have verified that this works, consult with the WRC about properly configuring the instance to require SSL/TLS.

5.

Set up clients to use SSL/TLS as appropriate (see the next section).

13.4 Configuring the Cach Telnet Service to Use SSL/TLS

The Cach Telnet service (%Service_Telnet) supports SSL/TLS-protected connections. To establish the use of SSL/TLS for the Telnet service, the steps are: 1. 2. Configuring the Cach Telnet Server for SSL/TLS Configuring Telnet Clients for SSL/TLS

160 Cach Security Administration Guide

Configuring the Cach Telnet Service to Use SSL/TLS

13.4.1 Configuring the Cach Telnet Server for SSL/TLS

To configure the Cach Telnet server to use SSL/TLS, the procedure is: 1. 2. 3. 4. From the Management Portal home page, go to the SSL/TLS Configurations page ([System] > [Security Management] > [SSL/TLS Configurations]). On the SSL/TLS Configurations page, select Create New Configuration, which displays the Edit SSL/TLS Configuration page. On the Edit SSL/TLS Configuration page, create an SSL/TLS configuration with a configuration name of %TELNET/SSL. On the System-wide Security Parameters page ([System] > [Security Management] > [System-wide Security Parameters]), for the Superserver SSL/TLS Support field, choose Enabled. This specifies that the Telnet server supports (but does not require) SSL/TLS-secured connections. Note: Even if you plan to configure the superserver to require SSL/TLS-secured connections, first specify that SSL/TLS is simply enabled. Once you have verified that this works, consult with the WRC about properly configuring the instance to require SSL/TLS.

5.

Make sure the Telnet service, %Service_Telnet, is enabled. To do this: a. b. c. On the Services page ([System] > [Security Management] > [Services]), click %Service_Telnet to display the Edit Service page for the Telnet service. On the Edit Service page, check Service Enabled if it is not already checked. Click Save to save the settings and to return to the Services page.

13.4.2 Configuring Telnet Clients for SSL/TLS

Cach accepts SSL/TLS connections from third-party Telnet clients. The required or recommended actions for configuring Telnet clients and servers depend on the selected ciphersuites and vary widely. Important: To use SSL/TLS with the InterSystems Telnet client, contact the InterSystems Worldwide Response Center (WRC).

The following guidelines apply: If the Telnet client requires server authentication, then the server must provide a certificate and the client must have access to the servers certificate chain. If the Cach Telnet server requires client authentication, then the client must provide a certificate and the server must have access to the clients certificate chain. If the Cach Telnet server requests client authentication, then the client has the option of providing a certificate and a certificate chain to its certificate authority (CA). If the client does not provide a certificate, then authentication succeeds; if it provides a non-valid certificate or certificate chain, then authentication fails.

For information on how certificate and certificate chains are used for authentication, see the section Establishing the Required Certificate Chain.

Cach Security Administration Guide 161

Using SSL/TLS with Cach

13.5 Configuring .NET Clients to Use SSL/TLS with Cach

This section describes how to configure a .NET client application to use SSL/TLS when it communicates with Cach. This communication occurs through the superserver, so a related required step is setting up the superserver to use SSL/TLS; the process of creating or editing a configuration generally is described in the section Creating or Editing an SSL/TLS Configuration and that of setting up a superserver to use SSL/TLS is described specifically in the section Configuring the Cach Superserver to Use SSL/TLS. The process for establishing a .NET connection that uses SSL/TLS is: 1. 2. Ensure that you have installed any relevant CA certificates for validating the server certificate. The location for these is the current users certificate store (Certificates Current User\Trusted Root Certification Authorities). Establish a connection to a server, based on the format of the connection string as described in the Creating a Connection section of the Connecting to the Cach Database chapter of Using the Cach Managed Provider for .NET. In addition to the name-value pairs for the server, port, and namespace, include the SSL keyword and specify its value as true. For example, a connection that uses SSL/TLS protection might have a connection string of the form:
CacheConnect.ConnectionString = "Server=localhost; Port=1972; Namespace=SAMPLES; SSL=true;" + "Password=SYS; User ID=_SYSTEM;";

The true value of the SSL keyword specifies that SSL/TLS secures the client-server connection (by authenticating the Cach server to the .NET client and, optionally, authenticating the client to the server). Once the secure connection is established, the Cach server uses the User ID and Password keywords to authenticate the identity of the user connecting through the .NET client. (Note that the connection string does not specify anything related to mutual authentication; it merely specifies a server, which in turn may request or require client authentication.)

13.6 Configuring Java Clients to Use SSL/TLS with Cach

This section describes how to configure a Java client application to use SSL/TLS when it communicates with Cach. This communication occurs through the superserver, so a related required step is setting up the superserver to use SSL/TLS; this is described in the section Configuring the Cach Superserver to Use SSL/TLS. Java clients can be implemented using either JDBC or object bindings. The process for configuring a Java client application to use SSL/TLS with Cach is: 1. Determine if the client requires a keystore or a truststore. This depends on several factors: whether or not the Cach server requests or requires client authentication; whether server authentication is required; and the ciphersuites in use. See Determining the Need for a Keystore and a Truststore for more information. Create a configuration file with properties in it to provide those features. See Creating a Client Configuration for more information. In the code for the client application, optionally specify the name of the client configuration; if you do not specify a name, Java uses the default configuration information. See Specifying the Use of the Client Configuration for more information.

2. 3.

162 Cach Security Administration Guide

Configuring Java Clients to Use SSL/TLS with Cach

13.6.1 Determining the Need for a Keystore and a Truststore

A keystore serves as a repository for the clients private key, public key certificate, and any Certificate Authority (CA) information. This information is needed (1) if the Cach server requires client authentication or (2) if the ciphersuite in use requires a client key pair: Whether or not the Cach server requires client authentication is determined by the choice for the Peer certificate verification level field on the Edit SSL/TLS Configuration page for that Cach instances %SuperServer SSL/TLS configuration. If the field has a value of Require, the client must have a certificate; if the field has a value of Request, the server checks a certificate if one is available. The client and server agree upon a ciphersuite to use. This ciphersuite determines whether or not there is a client certificate, a key pair, or both. The enabled server ciphersuites are determined by the value of the Enabled ciphersuites field on the Edit SSL/TLS Configuration page for that Cach instances %SuperServer SSL/TLS configuration. The ciphersuites available to the client depend on the version of Java it is using.

If the client has a private key and certificate, these are stored in the clients keystore; the keystore can also hold the clients root CA certificate and any intermediate CA certificates. To authenticate the server, the client may need to have the root CA certificate for the server and any intermediate CA certificates, these can be stored either in the clients truststore or along with client certificate information in the keystore. For more information on keystores and truststores, see the section Keystores and Truststores in the Java Secure Socket Extension (JSSE) Reference Guide.

13.6.2 Creating a Client Configuration

The behavior of a Java client depends on the values of properties in its configuration. The configuration gets these values from what is known as a configuration file, either from the configuration files default values or from its configurationspecific values. The following sections describe how configuration files work: Configuration Files, Configurations, Properties, Values, and Defaults Java Client Configuration Properties A Sample Configuration File Naming the Configuration File

13.6.2.1 Configuration Files, Configurations, Properties, Values, and Defaults

Each configuration file specifies values for the properties that one or more configurations use. The file includes both default values and configuration-specific values, in the form of name-value pairs. Generally, unversioned property names specify default values for properties and versioned property names specify configuration-specific values. If a configuration file contains only one configuration definition, that single configuration can use unversioned properties. However, it cannot have an associated name property. Without a named configuration, invoke the configuration without specifying a name (as described in Specifying the Use of the Client Configuration and Specifying a Configuration without a Name). If a configuration file contains multiple configurations, each configuration is defined by the existence of a numbered version of the name property of the form name.n, where n is the number of the configuration. The names of a configurations other properties use the same version number as the name property, so that they have a form of propertyname.n where propertyname is the name of the property and n is the number of the configuration. The definitions in a configuration file are case-sensitive. Their use of spaces is flexible. The order of property definitions is also flexible.

Cach Security Administration Guide 163

Using SSL/TLS with Cach

To specify the default value of a property for use by all configurations, specify an unversioned property name and its value in the following form:
propertyName = propertyValue

For example, to specify the default value for the keyStoreType property as pkcs12, the form is:
keyStoreType = pkcs12

To override the default value for a property, specify a versioned property name, such as:
keyStoreType.1 = jceks

If a configuration file contains multiple configuration definitions, then these versions must use sequential ordering; if client application code refers to a configuration that follows a sequential gap, then an error results. For example, suppose that a configuration file has three versioned name properties: name.1, name.2, and name.4; the configuration associated with the name.4 property will not ever be created and a reference to it will fail with an error.

13.6.2.2 Java Client Configuration Properties

The properties are:
cipherSuites A comma-delimited list of ciphersuites, in order of preference for their use. The available ciphersuites

depend on the JRE (Java Runtime Environment) on the machine. [Optional]

debug Whether or not debugging information is logged to the Java system.err file. This property can have a value

of true or false (false is the default). The setting of this property has no effect on exception handling. [Optional]
keyRecoveryPassword Password used to access the clients private key; this was created at the same time as the

private key pair. [Required if the private key has password protections and application code is not passing in the private key as an input parameter.]
keyStore The file for storing the client private key and certificate information. The keystore can also hold the content

typically associated with the truststore. [Optional]

keyStorePassword Password to gain access to the keystore. [Required if a password was specified when the keystore

was created.]
keyStoreType The format of the keystore file, if one is specified. [Optional]

Supported formats are:

jks Java KeyStore, the Java proprietary format. [Default] jceks Java Cryptography Extension KeyStore format. pkcs12 Public Key Certificate Standard #12 format.

logfile The file in which Java records errors. [Optional] name A versioned identifier for the Java client configuration. (Each name property must be versioned. Any unversioned name property is not meaningful and is ignored.)

If the configuration file specifies only a single configuration and only uses unversioned property names, the name property is not required (as described in Specifying the Use of the Client Configuration ). For information about specifying multiple configurations with a single configuration file, see the section Configuration Files, Configurations, Properties, Values, and Defaults ). [Optional]
protocol [Required] The SSL or TLS protocol to be used for the connection. The options and the protocols they

specify are:
SSL Some variant of SSL.

164 Cach Security Administration Guide

Configuring Java Clients to Use SSL/TLS with Cach

SSLv3 Version 3 of SSL. TLS Some variant of TLS. [Default] TLSv1 Version 1 of TLS (equivalent to version 3.1 of SSL). TLSv1.1 Version 1.1 of TLS (equivalent to version 3.2 of SSL).

trustStore The file for storing the servers root CA certificate; it can also hold the certificates for any intermediate

CAs. (This information can also be placed in the keystore.) [Optional]

trustStorePassword Password to gain access to the truststore. [Required if a password was specified when the keystore

was created.]
trustStoreType The format of the truststore file, if one is specified. [Optional]

Supported formats are:

jks Java KeyStore, the Java proprietary format. [Default] jceks Java Cryptography Extension KeyStore format. pkcs12 Public Key Certificate Standard #12 format.

13.6.2.3 A Sample Configuration File

The following is a sample configuration file for use with a Java client:
debug = true protocol = SSLv3 cipherSuites = SSL_RSA_WITH_RC4_128_MD5 keyStoreType = JKS trustStore = ca.ts trustStoreType = JKS name.1 = CacheJavaClient1 keyStore.1 = cjc1.ks keyStorePassword.1 = cjc1kspw123&XtraChar$ trustStore.1 = cjc1.ts trustStorePassword.1 = cjc1tspw[+0therNo|sechars] name.2 = CacheJavaClient2 keyStore.2 = cjc2.ks keyStoreType.2 = pkcs12 name.3 = CacheJavaClient3 debug.3 = false cipherSuites.3 = TLS_RSA_WITH_AES_128_CBC_SHA

13.6.2.4 Naming the Configuration File

Either save the configuration file with the name SSLConfig.Properties or set the value of the Java environment variable com.intersys.SSL.ConfigFile to the name of the file. The code checks for the file in the current working directory.

13.6.3 Specifying the Use of the Client Configuration

Once a configuration has been defined, client application code invokes it when connecting to the server. You can do this either with calls for the DriverManager object or the CacheDataSource object.

13.6.3.1 Using the DriverManager Object

With DriverManager, this involves the following steps: 1. 2. Creating a Java Properties object. Setting the value for various properties of that object.

Cach Security Administration Guide 165

Using SSL/TLS with Cach

3.

Passing that object to Java Connection object for the connection from the client to the Cach server.

To specify information for the connection, the first part of the process is to create a Properties object from a configuration file and set the values of particular properties in it. In its simplest form, the code to do this is:
java.util.Properties prop = new java.util.Properties(); prop.put("connection security level", "10"); prop.put("SSL configuration name",configName); prop.put("key recovery password",keyPassword);

where The connection security level of 10 specifies that the client is attempting use SSL/TLS to protect the connection. configName is a variable whose value holds the name of Java client configuration. If the configuration file has only default values and these are being used for a single configuration, do not include this line; see the following section, Specifying a Configuration without a Name, for details. keyPassword is the password required to extract the clients private key from the keystore.

Once the Properties object exists and has been populated, the final step is to pass it to the connection from the Cach Java client to the Cach server. This is done in the call to the DriverManager.getConnection method. The form of this call is:
Connection conn = DriverManager.getConnection(CacheServerAddress, prop);

where CacheServerAddress is a string that specifies the address of the Cach server and prop is the properties object being passed to that string. If this call succeeds, the SSL/TLS-protected connection has been established. Typically, application code containing calls such as those described in this section includes various checks for success and protection against any errors. For more details about using the Cach Java binding, see Using Java with Cach.

13.6.3.2 Using the CacheDataSource Object

With the CacheDataSource object, the procedure is to create the object, call its methods to set the relevant values, and establish the connection. The methods are: setConnectionSecurityLevel This method takes a single argument: a connection security level of 10, which specifies that the client is attempting use SSL/TLS to protect the connection. setSSLConfigurationName This method takes a single argument: a variable whose value holds the name of Java client configuration. If the configuration file has only default values and these are being used for a single configuration, do not include this line; see the following section, Specifying a Configuration without a Name , for details. setKeyRecoveryPassword This method takes a single argument: the password required to extract the clients private key from the keystore.

In its simplest form, the code to do this is:

try{ CacheDataSource ds = new CacheDataSource(); ds.setURL("jdbc:Cache://127.0.0.1:1972/Samples"); ds.setConnectionSecurityLevel(10); ds.setSSLConfigurationName(configName); ds.setKeyRecoveryPassword(keyPassword); Connection dbconnection = ds.getConnection(); }

For a complete list of the methods for getting and setting properties, see the CacheDataSource section of the Cach JDBC Compliance chapter of Using Cach with JDBC. The JavaDoc for com.intersys.jdbc.CacheDataSource is under
<install-dir>/dev/java/doc/index.html

166 Cach Security Administration Guide

Configuring Cach to Use SSL/TLS with Mirroring

13.6.3.3 Specifying a Configuration without a Name

If a configuration file contains only one configuration definition, that single configuration can use unversioned properties. However, it cannot have an associated name property. When working with a DriverManager object, the Properties object uses only the default values from the configuration file. The code for creating this object differs from the typical case in that there is no call to specify a value for the SSL configuration name key:
java.util.Properties prop = new java.util.Properties(); prop.put("connection security level", "10"); prop.put("key recovery password",keyPassword);

When working with a CacheDataSource object, if you want to specify an unnamed configuration, simply do not call setSSLConfigurationName.

13.7 Configuring Cach to Use SSL/TLS with Mirroring

This section covers the following topics: About Mirroring and SSL/TLS Creating and Editing SSL/TLS Configurations for a Mirror

For general information about Cach support for mirroring, see the Mirroring chapter of the Cach High Availability Guide.

13.7.1 About Mirroring and SSL/TLS

To provide security within a mirror, you can configure its nodes to use SSL/TLS. This provides for both authentication of one node to another, and for encrypted communication between nodes. As sensitive data passes between the failover members (and to an async member), it is recommended to encrypt the communication to prevent data theft or alteration over the network. Additionally, since a failover member has the ability to request an ISCAgent to take action on another Cach system (such as to request journal file information or force Cach down), it is important to protect such communication between the failover members of a mirror (and their corresponding ISCAgent processes). Note: If the failover members use database (or journal) encryption, then SSL/TLS is required for communications between them and with any async members. (Specifically, Cach checks if either member has an encryption key activated; if so, the instance requires that the user enable SSL/TLS with mirroring.) For more details on database encryption and journal file encryption, see the chapter Managed Key Encryption.

To both participate in mirroring (either as a failover member or as an async member) and use SSL/TLS, an instance must have two Cach SSL/TLS configurations one of type server and the other of type client; each of these must have an X.509 SSL/TLS certificate issued by a trusted Certificate Authority. The certificates should contain a unique identifier in the Common Name (CN) component of the certificate, such as the fully qualified domain name (FQDN) of the instance plus the members Cach node name; because the CN is a field in a certificates distinguished name (DN), establishing a unique CN ensures that the certificates DN uniquely identifies the member. To create an instances mirroring configurations, follow the procedure in the next section. When SSL/TLS is enabled, the following actions occur: 1. Server authentication: When the client connects to the server, it requires the server to authenticate itself. This authentication verifies that the DN for the servers certificate matches the DN for a system configured in the clients mirror configuration. If there is no match, the client drops the connection.

Cach Security Administration Guide 167

Using SSL/TLS with Cach

2.

Client authentication: When the server accepts a connection from a client, it requires the client to authenticate itself. This authentication also verifies that the DN for the clients matches the DN for a system configured in the servers mirror configuration. Again, if there is no match, the server drops the connection. Encryption: The SSL protocol automatically uses the servers certificate to establish an encrypted channel between the client and the server, so that any data passing through this channel is encrypted and thereby secured.

3.

InterSystems strongly recommends using SSL/TLS with a mirror.

Note on Configuring an Async Member with SSL/TLS

If a mirror uses SSL/TLS, then in addition to enabling SSL/TLS for the mirror and creating the configurations for each member (described in the following section), there are special steps that must be taken when configuring an async member. These are part of the procedure described in the Adding Authorized Async Members to Mirrors section of the Mirroring chapter of the Cach High Availability Guide. Specifically, for each failover member, on the Mirror Monitor page, you need to enter the DN (distinguished name) in the ID listed as DN in members X.509 credentials field; you can copy the value of the DN from X.509 Distinguished Name field of the Join Mirror as Async page ([System] > [Configuration] > [Join Mirror as Async]) for the async member. (Cach populates the X.509 Distinguished Name field based on the information in the async members certificate.)

Note on Disabling SSL/TLS for a Mirror

If you need to disable SSL/TLS for an existing mirror, first disable it on the secondary and async members, then disable it on the primary member. Important: Use of SSL/TLS with mirroring is highly recommended. Disabling SSL/TLS for a mirror is strongly discouraged.

13.7.2 Creating and Editing SSL/TLS Configurations for a Mirror

To use SSL/TLS with a mirror, each member (failover or async) uses a pair of SSL/TLS configurations that are called %Mirror_Client and %Mirror_Server; the Portal allows you to create and edit these configurations. Note: These configurations must already exist on each member when SSL/TLS is enabled for the mirror.

13.7.2.1 Creating SSL/TLS Configurations for a Mirror Member

To create the configurations, the procedure is: 1. Enable mirroring for that instance of Cach if it is not already enabled. To do this, use the Edit Service page for the %Service_Mirror service; on this page, select the Service Enabled check box. You can reach this page either of two paths: 2. On the Mirror Settings page ([System] > [Configuration] > [Mirror Settings]), select Enable Mirror Service. On the Services page ([System] > [Security Management] > [Services]), select %Service_Mirror.

Go to the Create SSL/TLS Configurations for Mirror page. You can do this either on the SSL/TLS Configurations page ([System] > [Security Management] > [SSL/TLS Configurations]) by clicking Create Configurations for Mirror or on the Create Mirror page ([System] > [Configuration] > [Create Mirror]) by clicking Set up SSL/TLS. This displays the Create SSL/TLS Configurations for Mirror page. On the Create SSL/TLS Configurations for Mirror page ([System] > [Security Management] > [SSL/TLS Configurations] > [Create SSL/TLS Configurations for Mirror]), complete the fields on the form. The fields on this page are analogous to those on the New SSL/TLS Configuration page (as described in the section Creating or Editing an SSL/TLS Configuration). Since this page creates both server and client configurations that mirroring automatically enables (%MirrorClient and %MirrorServer), there are no Configuration Name, Description, or Enabled fields; also, for the private-key

3.

168 Cach Security Administration Guide

Configuring Cach to Use SSL/TLS with Mirroring

password, this page allows you to enter or replace one (Enter new password), specify that none is to be used (Clear password), or leave an existing one as it is (Leave as is). Since both configurations need the same X.509 credentials, completing this form saves both configurations simultaneously. Fields on this page are:
File containing trusted Certificate Authority X.509 certificate(s)

Note:

This file must include the CA certificate that can be used to verify this configurations X.509 certificate.

File containing this configuration's X.509 certificate

Note:

If the certificate to be used includes either Key Usage or Extended Key Usage extensions, see the following section, Special Considerations for Certificates for Mirror Members. key

File containing associated private Private key type Password

If you select Leave as is, the page displays two additional fields, for entering and confirming a new password for the private key associated with the certificate.
Protocols Enabled ciphersuites

Once you complete the form, click Save. For general information about configuring mirror members, see the Creating a Mirror section of the Mirroring chapter of the Cach High Availability Guide.

13.7.2.2 Editing SSL/TLS Configurations for a Mirror Member

If you have already created a members %Mirror_Client and %Mirror_Server configuration, you can edit them on the Edit SSL/TLS Configurations for Mirror page. To do this, on the SSL/TLS Configurations page ([System] > [Security Management] > [SSL/TLS Configurations]), click Edit Configurations for Mirror, which displays the Edit SSL/TLS Configurations for Mirror page: This page displays the same fields as the Create SSL/TLS Configurations for Mirror page, as described in the previous section.

13.7.2.3 Special Considerations for Certificates for Mirror Members

When using SSL/TLS with mirroring, the %MirrorClient and %MirrorServer configurations must use the same certificate and private key. Because there are certain certificate extensions that are specific to SSL/TLS clients or servers, if any of these appear in a certificate, then the extensions for both client and server must both be present. Specifically, if the Key Usage extension is present, then it must specify both of the following: The Digital Signature key usage (for clients) The Key Encipherment key usage (for servers)

If the Extended Key Usage extension is present, then it must specify both: The Client Authentication key usage The Server Authentication key usage

Cach Security Administration Guide 169

Using SSL/TLS with Cach

If both extensions are present, then each must specify both values. Of course, it is also valid to have neither extension present. If a certificate only specifies one value (either client or server), the SSL/TLS connection for mirroring fails with an error such as:
error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate

The way to eliminate this error depends on how you obtained your certificates: If you are using self-signed certificates, create new certificates (such as with the OpenSSL library) that adhere to these conditions. If you are using a commercial certificate authority tool (such as Microsoft Certificate Services), create new certificates that adhere to these conditions and use the tool to sign your certificate signing requests (CSRs). If you are purchasing certificates from a commercial certificate authority (such as VeriSign), include a request along with your CSRs that they adhere to these conditions.

13.8 Configuring Cach to Use SSL/TLS with TCP Devices

This section describes how to use SSL/TLS with a Cach TCP connection. The process is: 1. 2. 3. Creating an SSL/TLS configuration that specifies the characteristics you want. Opening a TCP connection or open a socket for accepting such connections. Securing the connection using SSL/TLS. This can occur either as part of opening the connection/socket or afterwards.

How you invoke the Cach SSL/TLS functionality depends on whether you are using Cach as a client or server and whether you are creating an initially-secured TCP connection or adding SSL/TLS to an existing connection. This section addresses the following topics: Configuring a Client to Use SSL/TLS with a TCP Connection Configuring a Server to Use SSL/TLS with a TCP Socket

13.8.1 Configuring a Client to Use SSL/TLS with a TCP Connection

To establish a secure connection from a client, the choices are: Opening an SSL/TLS-secured TCP Connection from a Client Adding SSL/TLS to an Existing TCP Connection

13.8.1.1 Opening an SSL/TLS-secured TCP Connection from a Client

In this scenario, Cach is part of the client and the TCP connection uses SSL/TLS from its inception. The procedure is: 1. 2. Make sure that the configuration you wish to use is available. If it was created before Cach was last started, it is activated and ready for use; otherwise, you can create a new one or edit an existing one. Open a TCP connection using SSL/TLS.

If Cach is a client, then it connects to the server via the client application. The connection uses the specified configuration to determine its SSL-related behavior.

170 Cach Security Administration Guide

Configuring Cach to Use SSL/TLS with TCP Devices

Opening a TCP Connection Using SSL/TLS

This involves opening a named connection that uses SSL/TLS and communicates with a particular machine and port number. The procedure is: 1. Specify the device that you are connecting to:
Set MyConn = "|TCP|1000"

The TCP string specifies that this is a TCP device. For more information on initiating a TCP connection, see the section OPEN Command for TCP Devices in the TCP Client/Server Communication chapter of the Cach I/O Device Guide. 2. Open the connection, specifying the use of SSL with either the /SSL or /TLS parameter.
OPEN MyConn:(SvrID:1000:/SSL="MyCfg")

where MyConn is the device previously specified SvrID can be a string that is a resolvable DNS name or an IP address MyCfg is a saved (and activated) SSL/TLS configuration

This call opens a TCP connection to the loopback processor (that is, the local machine) on port 1000 using SSL. It uses SSL according to the characteristics specified by the MyCfg configuration. Optionally, the call can include a password for the private key file:
OPEN MyConn:(SvrID:1000:/SSL="MyCfg|MyPrivateKeyFilePassword")

Here, all the arguments are as above and MyPrivateKeyFilePassword is the actual password. For more information on opening a TCP device, see OPEN and USE Command Keywords for TCP Devices in the TCP Client/Server Communication chapter of the Cach I/O Device Guide. Once the connection is established, you can then use it in the same manner as any other TCP connection.

13.8.1.2 Adding SSL/TLS to an Existing TCP Connection

This scenario assumes that the TCP connection has already been established. The procedure is: 1. 2. Make sure that the configuration you wish to use is available. If it was created before Cach was last started, it is activated and ready for use; otherwise, you can create a new one or edit an existing one. Secure the existing TCP connection using SSL/TLS.

Securing an Existing TCP Connection Using SSL/TLS

This involves adding SSL/TLS to an already-existing connection to a particular machine and port number. The procedure is: 1. Determine the name of the device to which there is a connection. For example, this might have been established using the following code:
SET MyConn="|TCP|1000" OPEN MyConn:("localhost":1000)

The TCP string specifies that this is a TCP device. For more information on initiating a TCP connection, see the section OPEN Command for TCP Devices in the TCP Client/Server Communication chapter of the Cach I/O Device Guide.

Cach Security Administration Guide 171

Using SSL/TLS with Cach

2.

Specify the use of SSL/TLS as follows with either the /SSL or /TLS parameter:
USE MyConn:(::/TLS="MyCfg")

where MyConn is the device previously specified MyCfg is an SSL/TLS configuration

Optionally, the call can include a password for the private key file:
USE MyConn:(::/TLS="MyCfg|MyPrivateKeyFilePassword")

Here, all the arguments are as above and MyPrivateKeyFilePassword is the actual password. For more information on opening a TCP device, see OPEN and USE Command Keywords for TCP Devices in the TCP Client/Server Communication chapter of the Cach I/O Device Guide. Having added SSL/TLS security to the connection, you can continue to use it in the same manner as before.

13.8.2 Configuring a Server to Use SSL/TLS with a TCP Socket

To enable a socket to require a secure connection from a client, you can either: Open a TCP socket specifying that this connection requires SSL or TLS. Establish the requirement for the use of SSL or TLS on an already-existing socket.

13.8.2.1 Establishing an SSL/TLS-secured Socket

In this scenario, Cach is the server and the TCP socket uses SSL/TLS from its inception. The procedure is: 1. 2. Make sure that the configuration you wish to use is available. If it was created before Cach was last started, it is activated and ready for use; otherwise, you can create a new one or edit an existing one. Open a TCP socket that requires the use of SSL/TLS.

This socket requires the use of SSL/TLS from clients connecting to it. When a client attempts to connect to the server, the server attempts to negotiate a connection that uses SSL/TLS. If this succeeds, the connection is available for normal use and communications are secured using the negotiated algorithm. If it fails, there is no connection available for the client.

Opening a TCP Socket Requiring SSL/TLS

To open a socket that requires SSL/TLS, the procedure is: 1. Specify the device that is accepting connections:
SET MySocket = "|TCP|1000"

The TCP string specifies that this is a TCP device. For more information on initiating a TCP connection, see the section OPEN Command for TCP Devices in the TCP Client/Server Communication chapter of the Cach I/O Device Guide. 2. Open the connection, specifying the use of SSL with either the /SSL or /TLS parameter.
OPEN MySocket:(:1000:/TLS="MyCfg")

Optionally, the call can include a password for the private key file:
OPEN MySocket:(:1000:/TLS="MyCfg|MyPrivateKeyFilePassword")

172 Cach Security Administration Guide

Configuring the CSP Gateway to Connect to Cach Using SSL/TLS

This call opens a TCP socket on port 1000 using TLS. For more information on opening a TCP device, see OPEN and USE Command Keywords for TCP Devices in the TCP Client/Server Communication chapter of the Cach I/O Device Guide.

13.8.2.2 Adding SSL/TLS to an Existing Socket

This scenario assumes that a connection to the TCP socket has already been established. The procedure is: 1. 2. Make sure that the configuration you wish to use is available. If it was created before Cach was last started, it is activated and ready for use; otherwise, you can create a new one or edit an existing one. Use SSL/TLS to secure the existing TCP connection to the socket.

Securing an Existing TCP Connection to the Socket Using SSL/TLS

This involves adding SSL/TLS to an already-existing connection to a socket on a particular machine and port number. The procedure is: 1. Determine the name of the device on which the socket is open. For example, this might have been established using the following code:
SET MySocket = "|TCP|1000" OPEN MySocket:(:1000)

The TCP string specifies that this is a TCP device. For more information on initiating a TCP connection, see the section OPEN Command for TCP Devices in the TCP Client/Server Communication chapter of the Cach I/O Device Guide. 2. Specify the use of SSL/TLS as follows with either the /SSL or /TLS parameter:
USE MySocket:(::/SSL="MyCfg")

where MySocket is the device previously specified MyCfg is an SSL/TLS configuration

Optionally, the call can include a password for the private key file:
USE MySocket:(::/SSL="MyCfg|MyPrivateKeyFilePassword")

For more information on opening a TCP device, see OPEN and USE Command Keywords for TCP Devices in the TCP Client/Server Communication chapter of the Cach I/O Device Guide. Having added SSL/TLS security to the socket, you can continue the connection to it in the same manner as before.

13.9 Configuring the CSP Gateway to Connect to Cach Using SSL/TLS

You can use SSL/TLS to set up a secure, encrypted channel between the CSP Gateway and the Cach server. To do this, you need an SSL/TLS certificate and private key that represents the Gateway. The Gateway can then establish an encrypted connection to the Cach server (which has its own certificate and private key), so that all information is transmitted through the connection.

Cach Security Administration Guide 173

Using SSL/TLS with Cach

Note:

For information on setting up a connection between the CSP Gateway and the Cach server that is protected by Kerberos, see the Setting Up a Kerberized Connection from the CSP Gateway to Cach section of the Authentication chapter.

The procedure is: 1. 2. 3. 4. 5. 6. If there is not already a %SuperServer SSL/TLS configuration associated with the Cach server, create one as described in the section Creating or Editing an SSL/TLS Configuration. On the Portals System-wide Security Parameters page ([Home] > [Security Management] > [System-wide Security Parameters]), for the Superserver SSL/TLS Support choice, select Enabled (not Required). Go to the CSP Gateways Server Access page ([System] > [Configuration] > [CSP Gateway Management]). On that page, under Configuration, select Server Access. Next, select Edit Server and click Submit. This displays the configuration page for the CSP Gateway. On this page, configure the CSP Gateway to use SSL/TLS. Specifically, for the Connection Security Level field, select SSL. You must also specify values for the SSL Protocol, SSL Key Type, Require peer certificate verification, SSL Certificate File, SSL Certificate Key File, SSL CA Certificate File, andSSL Private Key Passwor fields. For more details on the fields on this page, see the Configuring Server Access section of the CSP Gateway Operation and Configuration chapter of the CSP Gateway Configuration Guide.

13.10 Establishing the Required Certificate Chain

For a connection to be successfully established using a ciphersuite that uses certificates and keys, the client must be able to verify the servers certificate chain from the servers own certificate to a self-signed certificate from a trusted certificate authority (CA), including intermediate certificates (if any). If the server is authenticating the client user, then the server must also be able to verify the client users certificate chain from the client users own certificate to a trusted CAs selfsigned certificate, including intermediate certificates (if any). Since authentication can be bidirectional, the requirements for certificate chains refer to the verifying entity (the side requiring the authentication) and the verified entity (the side being authenticated), rather than the client and the server. For authentication to be possible, the following conditions must be met: The verifying entity must have access to all the certificates that constitute the certificate chain from the verified entitys own certificate to a trusted CAs self-signed root certificate. The certificates in the chain are obtained from the combination of the verified entitys certificate file (the certificates are sent as part of the handshake protocol) and the verifying entitys trusted CA certificate file. The verifying entity must have the trusted CAs self-signed root certificate in its CA certificate file. The verified entitys own certificate must be the first entry in its certificate file. All intermediate CA certificates must be present. The certificates in the certificate chain may be divided between the verified entitys certificate file and the verifying entitys trusted CA certificate file. However, each part must be a contiguous partial certificate chain, as described in the following example.

Suppose there are: A verified entity (named VE) with a certificate signed by the certificate authority named ICA1.

174 Cach Security Administration Guide

Establishing the Required Certificate Chain

A certificate for ICA1 signed by the certificate authority ICA2, and a certificate for ICA2 signed by RootCA. A trusted CA (named RootCA ) with a self-signed root certificate.

The following are valid distributions of certificates between the verified entity and the verifying entity:

Table 131: Valid Certificate Distribution Schemes

Certificates in the Verified Entitys Certificate File VE VE, ICA1 VE, ICA1, ICA2 Certificates in the Verifying Entitys Trusted CA Certificate File ICA1, ICA2, RootCA ICA2, RootCA RootCA

Note that it is not valid to have VE and ICA2 in the verified entitys certificate file and ICA1 and RootCert in the verifying entitys trusted CA certificate file

Cach Security Administration Guide 175

14
Using Delegated Authentication
Cach supports the use of user-defined authentication mechanisms. This is known as delegated authentication. Delegated authentication allows administrators to implement custom mechanisms to replace the authentication and role-management activities that are part of Cach security. This chapter covers the following topics: Overview of Delegated Authentication Creating Delegated (User-Defined) Authentication Code Setting Up Delegated Authentication After Delegated Authentication Succeeds

14.1 Overview of Delegated Authentication

To use delegated authentication, the steps are: 1. 2. 3. Create the user-defined authentication code in the ZAUTHENTICATE routine. This routine can also perform basic setup for a user account, such as specifying roles and other user properties. Enable delegated authentication for the Cach instance on the Authentication Options page. Enable delegated authentication for the relevant services, applications, or both, as required.

For example, to use delegated authentication for an instances Management Portal, the steps are: 1. 2. 3. 4. Create the user-defined authentication code in ZAUTHENTICATE. Enable delegated authentication for the Cach instance as a whole. Enable delegated authentication for the %Service_CSP service. Enable delegated authentication for the set of /csp/sys* applications.

14.1.1 How Delegated Authentication Works

When a user attempts to log in and Cach invokes delegated authentication, the sequence of events is:

Cach Security Administration Guide 177

Using Delegated Authentication

1.

When a service or application uses delegated authentication, a login attempt automatically results in a call to the ZAUTHENTICATE routine. The authentication code in this routine can be any user-defined Cach ObjectScript, class methods, or $ZF callout code. The next step depends on whether or not authentication succeeds and whether or not this is the first login using ZAUTHENTICATE: If ZAUTHENTICATE succeeds and this is the first time that the user has been authenticated through this mechanism, the user is added to the list of Cach users with a type of Delegated user . If ZAUTHENTICATE sets roles or other characteristics, these become part of the users properties. If ZAUTHENTICATE succeeds and this is not the first login, ZAUTHENTICATE updates the users properties. If ZAUTHENTICATE fails, then the user receives an access denied error and is unable to access the system. To determine why this has occurred: a. b. Check the Reason for Failing to Login field in the User Profile. For more detailed information, check the audit log for the relevant %System/%Login/LoginFailure event. If auditing or the LoginFailure event are not enabled, you may need to enable both of these and then re-create the circumstances of the login failure.

2.

3.

A delegated user is listed as such in the Type column of the list of users on the Users page ([System] > [Security Management] > [Users]). The users properties are displayed read-only in the Management Portal and are not editable from within Cach (since all the information comes from outside Cach). Note: A delegated user cannot also be a Cach password user.

14.2 Creating Delegated (User-Defined) Authentication Code

This section describes various aspects of creating your own ZAUTHENTICATE routine: Authentication Code Fundamentals Signature Authentication Code Setting Values for Roles and Other User Characteristics Return Value and Error Messages

14.2.1 Authentication Code Fundamentals

A system-supplied copy of ZAUTHENTICATE is available in the %SYS namespace in the routine ZAUTHENTICATE.int for instances with Manager Utility Source Code installed. To install Manager Utility Source Code, select that option as part of a Custom install on the Setup Type page of the installation wizard. To use ZAUTHENTICATE.int as a template: 1. Open the routine in Studio.

178 Cach Security Administration Guide

Creating Delegated (User-Defined) Authentication Code

2.

From within Studio, save it as a .MAC file in the %SYS namespace. From the File menu, choose Save as; in the dialog that appears, enter ZAUTHENTICATE in the File name field and choose Macro Routine (*.mac) in the Files of type field. (Saving the routine to a .MAC file preserves it across Cach upgrades, while saving it as an .INT file does not.) Review the comments in the system-supplied code for ZAUTHENTICATE. These provide important guidance about how to implement a custom version of the routine. Edit the routine by adding custom authentication code and any desired code to set user account characteristics. Because Cach places no constraints on the authentication code in ZAUTHENTICATE, the application programmer is responsible for ensuring that this code is sufficiently secure.

3. 4.

CAUTION:

14.2.2 Signature
The signature of ZAUTHENTICATE is:
ZAUTHENTICATE(ServiceName, Namespace, Username, Password, Credentials, Properties) PUBLIC { // authentication code // optional code to specify user account properties and roles }

where: ServiceName A string representing the name of the service through which the user is connecting to Cach, such as %Service_Console or %Service_CSP. Namespace A string representing the namespace on the Cach server to which a connection is being established. This is for use with the %Service_Bindings service, such as with Studio or ODBC. Username A string representing the name of the account entered by the user that is to be validated by the routines code. Password A string representing the password entered by the user that is to be validated. Credentials Passed by reference. Not implemented in this version of Cach. Properties Passed by reference. An array of returned values that defines characteristics of the account named by Username.

When Cach calls ZAUTHENTICATE, it has values for these arguments and supplies them to the routine.

14.2.3 Authentication Code

The content of authentication code is application specific. If authentication succeeds, the routine should return the $$$OK macro; otherwise, it should return an error code. See the section Return Value and Error Messages for more information on return values.

CAUTION:

Because Cach does not and cannot place any constraints on the authentication code in ZAUTHENTICATE, the application programmer is responsible for ensuring that this code is sufficiently secure.

14.2.3.1 The GetCredentials Entry Point

ZAUTHENTICATE includes an GetCredentials entry point. This entry point is called whenever delegated authentication is enabled for a service, and is called before the user is prompted for a username and password. Instead of getting a username and password from the user, code in the function (created by the application developer) specifies the username and password.

Cach Security Administration Guide 179

Using Delegated Authentication

The username and password returned are then authenticated in the normal manner as if the user entered them. A possible use of this mechanism is to provide a username and password within the entry point and then, within authentication code, to $roles for the process. The username and password returned from this entry point can be obtained by any mechanism that the application developer chooses. They can come from a global, an external DLL or LDAP call, or simply set within the routine. The application developer could even provide code to prompt for the username and password, such as in a terminal connection or with a custom CSP login page. If the entry point returns an error status, then the error is logged in the audit log, and the user is denied access to the system; the one exception to this is if the error status $SYSTEM.Status.Error($$$GetCredentialsFailed) is returned, in which the normal username/password prompting proceeds. In the following example of a GetCredentials entry point, the code performs different actions for different services: For %Service_Console, it does not prompt the user for any information and sets the processs username and password to _SYSTEM and SYS, respectively. For %Service_Bindings, it forces the user to provide a username and password. For web applications, it checks if the application in use is the /csp/samples application; if it is that application, it sets the username and password to AdminUser and Test. For all other web applications, it denies access. For any other service, it denies access.

Finally, the Error entry point performs clean-up as necessary. The code is:
GetCredentials(ServiceName,Namespace,Username,Password,Credentials) Public { // For console sessions, authenticate as _SYSTEM. If ServiceName="%Service_Console" { Set Username="_SYSTEM" Set Password="SYS" Quit $SYSTEM.Status.OK() } // For the CSP samples application, authenticate as AdminUser. If $isobject($get(%request)) { If %request.Application="/csp/samples/" { Set Username="AdminUser" Set Password="Test" Quit $System.Status.OK() } } // For bindings connections, use regular prompting. If ServiceName="%Service_Bindings" { Quit $SYSTEM.Status.Error($$$GetCredentialsFailed) } // For all other connections, deny access. Quit $SYSTEM.Status.Error($$$AccessDenied) }

For more details, see the comments for this entry point in ZAUTHENTICATE.INT.

14.2.4 Setting Values for Roles and Other User Characteristics

If initial authentication succeeds, ZAUTHENTICATE can establish the roles and other characteristics for the authenticated user. For subsequent logins, ZAUTHENTICATE can update these elements of the user record. For this to happen, code in ZAUTHENTICATE sets the values of the Properties array. (Properties is passed by reference to ZAUTHENTICATE.) Typically, the source for the values being set is a repository of user information that is available to ZAUTHENTICATE.

180 Cach Security Administration Guide

Creating Delegated (User-Defined) Authentication Code

14.2.4.1 User Properties

The elements in the Properties array are: Properties("Comment") Any text Properties("FullName") The first and last name of the user Properties("NameSpace") The default namespace for a Terminal login Properties("Roles") The comma-separated list of roles that the user holds in Cach Properties("Routine") The routine that is executed for a Terminal login Properties("Password") The users password Properties("Username") The users username

Each of these elements is described in more detail in one of the following sections. Note: The value of each element in the properties array determines the value of its associated property for the user being authenticated. It is not possible to use only a subset of the properties or to manipulate their values after authentication.

Comment
If ZAUTHENTICATE sets the value of Properties("Comment"), then that string becomes the value of the user accounts Comment property in Cach. (This property is described in the section Properties of Users, in the Users chapter.) If no value is passed back to the calling routine, then the value of Comment for the user account is a null string and the relevant field in the Management Portal then holds no content.

FullName
If ZAUTHENTICATE sets the value of Properties("FullName"), then that string becomes the value of the user accounts Full name property in Cach. (This property is described in the section Properties of Users, in the Users chapter.) If no value is passed back to the calling routine, then the value of Full name for the user account is a null string and the relevant field in the Management Portal then holds no content.

NameSpace
If ZAUTHENTICATE sets the value of Properties("Namespace"), then that string becomes the value of the user accounts Startup Namespace property in Cach. (This property is described in the section Properties of Users, in the Users chapter.) If no value is passed back to the calling routine, then the value of Startup Namespace for the user account is a null string and the relevant field in the Management Portal then holds no content. Once connected to Cach, the value of Startup Namespace (hence, that of Properties("Namespace")) determines the initial namespace for any user authenticated for local access (such as for Console, Terminal, or Telnet). If Startup Namespace has no value (since Properties("Namespace") has no value), then the initial namespace for any user authenticated for local access is determined as follows: 1. 2. If the USER namespace exists, that is the initial namespace. If the USER namespace does not exist, the initial namespace is the %SYS namespace. If the user does not have the appropriate privileges for the initial namespace, access is denied.

Note:

Password
If ZAUTHENTICATE sets the value of Properties("Password"), then that string becomes the value of the user accounts Password property in Cach. (This property is described in the section Properties of Users, in the Users chapter.) If no value is passed back to the calling routine, then the value of Password for the user account is a null string and the relevant field in the Management Portal then holds no content.

Cach Security Administration Guide 181

Using Delegated Authentication

Roles
If ZAUTHENTICATE sets the value of Properties("Roles"), then that string specifies the Roles to which a user is assigned; this value is a string containing a comma-delimited list of roles. If no value is passed back to the calling routine, then the value of Roles for the user account is a null string and the relevant field in the Management Portal then holds no content. Information about a users roles is available on the Roles tab of a users Edit User page. If any roles returned in Properties("Roles") are not defined, then the user is not assigned to the role. Hence, the logged-in user is assigned to roles as follows: If a role is listed in Properties("Roles") and is defined by the Cach instance, then the user is assigned to the role. If a role is listed in Properties("Roles") and is not defined by the Cach instance, then the user is not assigned to the role. A user is always assigned to those roles associated with the _PUBLIC user. A user also has access to all public resources. For information on the _PUBLIC user, see the section The _PUBLIC Account in the Users chapter; for information on public resources, see the section Services and Their Resources in the Resources chapter.

Routine
If ZAUTHENTICATE sets the value of Properties("Routine"), then that string becomes the value of the user accounts Startup Tag^Routine property in Cach. (This property is described in the section Properties of Users, in the Users chapter.) If no value is passed back to the calling routine, then the value of Startup Tag^Routine for the user account is a null string and the relevant field in the Management Portal then holds no content. If Properties("Routine") has a value, then this value specifies the routine to execute automatically following login on a terminal-type service (such as for Console, Terminal, or Telnet). If Properties("Routine") has no value, then login starts the Cach Terminal session in programmer mode.

Username
If the username property is returned by this function, then that username is written to the Cach database. This gives the user a chance to normalize what was entered by the user at the username prompt. Note that the normalized username must only differ by case. If the Username property is not passed back to the calling routine, then the username entered by the user at the username prompt will be used as the username written to the Cach security databases (that is, it is not normalized). If ZAUTHENTICATE sets the value of Properties("Username"), then that string becomes the value of the user accounts Name property in Cach. (This property is described in the section Properties of Users , in the Users chapter.) This provides the application programmer with an opportunity to normalize content provided by the end-user at the login prompt. If there is no explicit call that passes the value of Properties("Username") back to the calling routine, then there is no normalization and the value entered by the end-user at the prompt serves as the value of the user accounts Name property without any modification.

14.2.4.2 The User Information Repository

ZAUTHENTICATE can refer to any kind of repository of user information, such as a global or an external file. It is up to the code in the routine to set any external properties in the Properties array so that the authenticated user can be created or updated with this information. For example, while a repository can include information such as roles and namespaces, ZAUTHENTICATE code must make that information available to Cach. If information in the repository changes, this information is only propagated back into the Cach user information if there is code in ZAUTHENTICATE to perform this action. Also, if there is such code, changes to users roles must occur in the repository; if you change a users roles during a session, the change does not become effective until the next login, at which point the users roles are re-set by ZAUTHENTICATE.

182 Cach Security Administration Guide

Creating Delegated (User-Defined) Authentication Code

14.2.5 Return Value and Error Messages

The routine returns one of the following values: Success $$$OK. This indicates that username/password combination was successfully authenticated Failure $SYSTEM.Status.Error($$$ERRORMESSAGE). This indicates that authentication failed.

ZAUTHENTICATE can return system-defined or application-specific error messages. All these messages use the Error method of the %SYSTEM.Status class. This method is invoked as $SYSTEM.Status.Error and takes one or two arguments, depending on the error condition. The available system-defined error messages are: $SYSTEM.Status.Error($$$AccessDenied) Error message of Access Denied $SYSTEM.Status.Error($$$InvalidUsernameOrPassword) Error message of Invalid Username or Password $SYSTEM.Status.Error($$$UserNotAuthorizedOnSystem,Username) Error message of User Username is not authorized $SYSTEM.Status.Error($$$UserAccountIsDisabled,Username) Error message of User Username account is disabled $SYSTEM.Status.Error($$$UserInvalidUsernameOrPassword,Username) Error message of User Username invalid name or password $SYSTEM.Status.Error($$$UserLoginTimeout) Error message of Login timeout $SYSTEM.Status.Error($$$UserCTRLC) Error message of Login aborted $SYSTEM.Status.Error($$$UserDoesNotExist,Username) Error message of User Username does not exist $SYSTEM.Status.Error($$$UserInvalid,Username) Error message of Username Username is invalid $SYSTEM.Status.Error($$$PasswordChangeRequired) Error message of Password change required $SYSTEM.Status.Error($$$UserAccountIsExpired,Username) Error message of User Username account has expired $SYSTEM.Status.Error($$$UserAccountIsInactive,Username) Error message of User Username account is inactive $SYSTEM.Status.Error($$$UserInvalidPassword) Error message of Invalid password $SYSTEM.Status.Error($$$ServiceDisabled,ServiceName) Error message of Logins for Service Servicename are disabled $SYSTEM.Status.Error($$$ServiceLoginsDisabled) Error message of Logins are disabled $SYSTEM.Status.Error($$$ServiceNotAuthorized,ServiceName) Error message of User not authorized for service

To generate a custom message, use the $SYSTEM.Status.Error() method, passing it the $$$GeneralError macro and specifying any custom text as the second argument. For example:
$SYSTEM.Status.Error($$$GeneralError,"Any text here")

Note that when an error message is returned to the caller, it is logged in the audit database (if LoginFailure event auditing is turned on). However, the only error message the user sees is $SYSTEM.Status.Error($$$AccessDenied). However, the user also sees the message for the $$$PasswordChangeRequired error. Return this error if you want the user to change from the current to a new password.

Cach Security Administration Guide 183

Using Delegated Authentication

14.3 Setting Up Delegated Authentication

Once you have created a ZAUTHENTICATE routine to perform authentication (and, optionally, authorization tasks), the next step is to enable it for the instances relevant services or applications. This procedure is: 1. Enable delegated authentication for entire instance. On the Authentication Options page ([System] > [Security Management] > [Authentication Options]), select Allow Delegated authentication and click Save. With delegated authentication enabled for the instance, a Delegated check box appears on the Edit Service page for relevant services and the Edit Web Application page for those applications. 2. Enable delegated authenticated for services and applications, as appropriate.

The following services support delegated authentication:

%Service_Bindings %Service_CSP %Service_CacheDirect %Service_CallIn %Service_ComPort %Service_Console %Service_Login %Service_Terminal %Service_Telnet

These fall into several categories of access modes: Local access

%Service_CallIn, %Service_ComPort, %Service_Console, %Service_Login, %Service_Terminal, %Service_Telnet

To use delegated authentication with local connections, enable it for the service. Client/Server access
%Service_Bindings, %Service_CacheDirect,

To use delegated authentication with client/server connections, enable it for the service. CSP access
%Service_CSP

To use delegated authentication with web-based connections (through CSP or Zen), enable it for the web application, as well as for the service itself. Enabling it for the service allows the CSP Gateway itself to authenticate using delegated authentication.

14.4 After Delegated Authentication Succeeds

Once the user has authenticated, two important topics are:

184 Cach Security Administration Guide

After Delegated Authentication Succeeds

The State of the System Changing Passwords

14.4.1 The State of the System

Any user who is initially authenticated using delegated authentication is listed in the table of users on the Users page ([System] > [Security Management] > [Users]) as having a type of Delegated user. If a system administrator has explicitly created a user through the Management Portal (or using any other native Cach facility), that user has a type of Cach password user. If a user attempts to log in using delegated authentication and is successfully authenticated, Cach determines that this user already exists as a Cach user not a Delegated user and so login fails.

14.4.2 Changing Passwords

The ZAUTHENTICATE routine also includes an entry point, ChangePassword, to include code to change a users password. The signature of this entry point is:
ChangePassword(Username,NewPassword,OldPassword,Status) Public {}

where Username is a string specifying the user whose password is being changed. NewPassword is a string specifying the new value of the users password. OldPassword is a string specifying the old value of the users password. Status (passed by reference) receives a Cach status value indicating either that the password change has been successful or specifying the error that caused the routine to fail.

Cach Security Administration Guide 185

15
Using LDAP Authentication
Cach provides support for authentication using LDAP, the Lightweight Directory Access Protocol. LDAP systems have a central repository of user information, from which Cach retrieves information. For example, on Windows, a domain controller using Active Directory is an LDAP server. This means that an instance of Cach running on this type of Windows domain can use LDAP for its authentication. The procedure for configuring a Cach service or application to use an existing LDAP server for authentication is as follows: 1. 2. 3. On the LDAP Options page, configure Cach to use the LDAP server. This includes specifying the names of LDAP user properties to be used for setting the values of properties of Cach users. Configure the LDAP server to use the registered LDAP properties. Set up Cach to use LDAP. This involves enabling LDAP for the entire instance of Cach and then enabling it for the relevant services or applications.

When a user attempts to authenticate to an instance of Cach that uses LDAP authentication, the process is: 1. 2. The user is prompted for a username and password. This user, who is trying to authenticate, is known as the target user. Cach establishes a connection to the LDAP server using the values specified for the LDAP username to use for searches and LDAP username password. This user, who has privileges to search the LDAP database so that Cach can retrieve information, is known as the search user. Once the connection is established, the next step is to look up the user in the LDAP database using the LDAP Unique search attribute. If Cach locates the target user in the LDAP database, it retrieves the attributes associated with the user, including the roles to which the user belongs. Note that Cach retrieves all the attributes associated with the user; it is not possible to configure it to retrieve only a subset of these. Cach then attempts to authenticate the user to the LDAP database, using the username and password provided in step 1. If authentication succeeds, the user can then interact with Cach based on the privileges associated with the users roles and any publicly available resources. The users properties are displayed read-only in the Management Portal and are not editable from within Cach (since all the information is coming from outside Cach). If you have more complex authentication and authorization requirements, it is also possible to use delegated authentication to authenticate using the LDAP server. This requires that you use calls to the %SYS.LDAP class as part of the custom authentication code in the ZAUTHENTICATE routine. For sample code that performs these actions, see the LDAP.mac routine in the SAMPLES namespace. For more details about delegated authentication and the ZAUTHENTICATE routine, see the Delegated Authentication chapter.

3. 4.

5. 6.

Note:

Cach Security Administration Guide 187

Using LDAP Authentication

Note:

Support for the use of LDAP over IPv6 is not available on OpenVMS.

15.1 Configuring Cach to Use an LDAP Server

To use LDAP authentication with Cach, the first step is to configure Cach for its interactions with the LDAP server. This includes information required to: Connect to and query the LDAP server Retrieve the required information about the user being authenticated

All this information is specified on the Management Portal LDAP Options page ([System] > [Security Management] > [LDAP Options]). When this page is first displayed, only a single field is visible, the Enable LDAP authentication field. Checking this field displays all the fields for configuration information for connecting the Cach instance to the LDAP server. There are a standard set of fields and there can also be customized fields. When connecting to an LDAP server, Cach refers to various fields for its information; the end-user can do the same. The fields are:
Is the LDAP server a Windows Active Directory server

Windows only. Specifies whether or not the LDAP server is

a Windows Active Directory server. Windows only. Specifies the name of the domain where the LDAP server is located. This field is only editable for a Windows Active Directory server.
LDAP domain name

Specifies the name(s) of the host(s) on which the LDAP server is running. The complexity of each host name can range from an unqualified host name to fully-qualified host name with a port number; the required form of the host name(s) depends on the particular configuration.
LDAP host names

To specify multiple host names, separate the names by spaces. If the LDAP server is configured to use a particular port, you can specify it by appending :portname to the host name; typical usage is not to specify a port and to let the LDAP functions use the default port, such as:
ldapserver.example.com ldapserver.example.com ldapbackup.example.com

LDAP username to use for searches Windows only. The username provided to the LDAP server to establish an initial

connection and which is used to perform LDAP searches and lookups. This user is also known as the search user. The search user must have permission to read the entire LDAP database. It is important to ensure that the search user has uninterrupted access to the LDAP database; for example, to establish this on Windows, set its User cannot change password and Password never expires attributes and set the value of its Account expires attribute to Never. For more information on searching the LDAP database, see the section Searching the LDAP Database.
LDAP DN user to use for searches UNIX and OpenVMS only. The Distinguished Name (DN) of the user provided

to the LDAP server to establish an initial connection and which is used to perform LDAP searches and lookups. This user is also known as the search user. The search user must have permission to read the entire LDAP database. It is also important to ensure that the search user has uninterrupted access to the LDAP database. For example, the users operating-system account should be set so that: The user cannot change the accounts password The password never expires The account never expires

188 Cach Security Administration Guide

Configuring Cach to Use an LDAP Server

For example, if the search user is ldapsearchuser, the Distinguished Name might be as follows:
uid=ldapsearchuser,ou=People,dc=example,dc=com

For more information on searching the LDAP database, see the section Searching the LDAP Database.
LDAP username password

Specifies the password associated with account used for the initial connection.

LDAP Base DN to use for searches Specifies the point in the directory tree from which searches begin. This typically

consists of domain components, such as DC=intersystems,DC=com. Specifies a unique identifying element of each record, which therefore makes it appropriate for searches. For more information on searching the LDAP database, see the section Searching the LDAP Database.
LDAP Unique search attribute

Specifies whether or not to use TLS/SSL encryption to protect data being passed between the Cach server and the LDAP server.
Use TLS/SSL encryption for LDAP sessions

UNIX and OpenVMS only. Specifies the location of the file containing any TLS/SSL certificates (in PEM format) being used to authenticate the server certificate, if needed. For Windows, see Specifying a Certificate File on Windows.
TLS/SSL certificate file User attribute to retrieve comment attribute Specifies the attribute whose value is the source for the Comment property

for a user. This property is described in the section Properties of Users, in the Users chapter.
User attribute to retrieve full name from Specifies the attribute whose value is the source for the Full name property

for a user. This property is described in the section Properties of Users, in the Users chapter.
User attribute to retrieve default namespace Specifies the attribute whose value is the source for the Startup namespace

property for a user. This property of a Cach user is described in the section Properties of Users, in the Users chapter; this LDAP property is described in the section Registered LDAP Properties.
User attribute to retrieve default routine Specifies the attribute whose value is the source for the Tag^Routine property

for a user. This property of a Cach user is described in the section Properties of Users, in the Users chapter; this LDAP property is described in the section Registered LDAP Properties. Specifies the attribute whose value determines the roles to which a user is assigned. When creating this attribute, it must be specified as an LDAP multivalued attribute. For information about a Cach users roles, see the Roles tab of a users Edit User page; this LDAP property is described in the section Registered LDAP Properties.
User attribute to retrieve roles

Specifies any attributes whose values are the source for any applicationspecific variables. Application code can then use the Get method of the Security.Users class to return this information.
LDAP attributes to retrieve for each user

15.1.1 Specifying a Certificate File on Windows

On Windows, to specify the location of a file containing any TLS/SSL certificates (in PEM format) being used to authenticate the server certificate to establish a secure LDAP connection, use Microsoft Certificate Services. Note: Certificates must be installed in the Certificates (Local Computer)\Trusted Root Certification Authorities certificate store.

15.1.2 Searching the LDAP Database

Once Cach has established a connection to the LDAP server as the search user, the next step is to retrieve information about the target user. To do this, Cach checks the username provided at login against values in the LDAP database for the LDAP Unique search attribute. (The name of this attribute is often sAMAcccountName for a Windows LDAP server and uid for a UNIX or OpenVMS LDAP server.)

Cach Security Administration Guide 189

Using LDAP Authentication

When looking up a user with the LDAP Unique search attribute, the form of the username depends on the operating system of both the Cach instance and the LDAP server: When connecting from Windows to Windows, it can simply be login name of the user, such as testuser . For any other type of connection, it must include the full DN (distinguished name) of the user. When connecting from UNIX or OpenVMS to a Windows LDAP server, this is case-sensitive. For example: When connecting from UNIX or OpenVMS to Windows, it might be CN=testuser,OU=Users,OU=Cambridge. When connecting from any operating system to UNIX or OpenVMS, it might be uid=testuser,ou=people.

15.2 Configuring the LDAP Server to Use Registered LDAP Properties

InterSystems has registered three field names that are available for use with an LDAP schema to store authorization information. Each has its own dedicated purpose: intersystems-Namespace The name of the users default namespace (LDAP OID 1.2.840.113556.1.8000.2448.2.1). intersystems-Routine The name of the users default routine (LDAP OID 1.2.840.113556.1.8000.2448.2.2). intersystems-Roles The name of the users login roles (LDAP OID 1.2.840.113556.1.8000.2448.2.3).

To use these attributes, the procedure on the LDAP server is: 1. Enable the attributes for use. To do this, modify the value of objectClass field in the LDAP schema by appending the intersystemsAccount value to its list of values. (intersystemsAccount has an LDAP OID of 1.2.840.113556.1.8000.2448.1.1.) Add the fields (as few or as many as required) to the schema. Populate their values for the entries in the LDAP database. It is not required to use the registered LDAP schema names. In fact, you may already use existing attributes from your LDAP schema.

2. 3.

Note:

For example, with a UNIX LDAP server, to define the schema for using LDAP authentication with Cach, use the content that appears the following definitions:
# Attribute Type Definitions attributetype ( 1.2.840.113556.1.8000.2448.2.1 NAME 'intersystems-Namespace' DESC 'InterSystems Namespace' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 SINGLE-VALUE ) attributetype ( 1.2.840.113556.1.8000.2448.2.2 NAME 'intersystems-Routine' DESC 'InterSystems Routine' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} SINGLE-VALUE ) attributetype ( 1.2.840.113556.1.8000.2448.2.3 NAME 'intersystems-Roles' DESC 'InterSystems Roles' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) # Object Class Definitions objectclass ( 1.2.840.113556.1.8000.2448.1.1 NAME 'intersystemsAccount' SUP top AUXILIARY DESC 'Abstraction of an account with InterSystems attributes' MAY ( intersystems-Routine $ intersystems-Namespace $ intersystems-Roles ) )

190 Cach Security Administration Guide

Setting Up LDAP-based Authentication

This content goes to two locations: Place it in the intersystems.schema file in the /etc/openldap/schema/ directory. Include it, along with any other content, in the /etc/openldap/slapd.conf file.

15.3 Setting Up LDAP-based Authentication

Once Cach has been configured for use with LDAP, the next step is to enable it for the instances relevant services or applications. This procedure is: 1. Enable LDAP authentication for entire instance: a. b. From the Management Portal home page, go to the Authentication Options page ([System] > [Security Management] > [Authentication Options]), select Allow LDAP authentication. On the Authentication Options page, you also have the option of selecting Allow LDAP cache credentials authentication. If this is selected and Cach is unable to connect to the LDAP server, then Cach uses the copy of the LDAP credentials that it last cached to authenticate the user. This can be useful if there is a failure in the connection to the LDAP server or if the LDAP server becomes unavailable. Note: If a user password has changed on the LDAP server after the last login and Cach uses the LDAP credentials cache for authentication, authentication can only occur with the old password.

c.

Click Save to apply the changes.

With LDAP authentication enabled for the instance, an LDAP check box appears on the Edit Service page for relevant services and the Edit Web Application page for those applications. 2. Enable LDAP authentication for services and applications, as appropriate.

The following services support LDAP authentication:

%Service_Bindings %Service_CSP %Service_CacheDirect %Service_CallIn %Service_ComPort %Service_Console %Service_Login %Service_Terminal %Service_Telnet

These fall into several categories of access modes: Local access

%Service_CallIn, %Service_ComPort, %Service_Console, %Service_Login, %Service_Terminal, %Service_Telnet

To use LDAP authentication with local connections, enable it for the service.

Cach Security Administration Guide 191

Using LDAP Authentication

Client/Server access
%Service_Bindings, %Service_CacheDirect,

To use LDAP authentication with client/server connections, enable it for the service. Web access
%Service_CSP

To use LDAP authentication with web connections (through CSP or Zen), enable it for the web application. Enabling it for the service also allows the CSP Gateway itself to authenticate using LDAP authentication.

15.4 After Authentication The State of the System

Any user who is initially authenticated using LDAP authentication is listed in the table of users on the Users page ([System] > [Security Management] > [Users]) as having a Type of LDAP user. If a system administrator has explicitly created a user through the Management Portal (or using any other native Cach facility), that user has a type of Cach password user. If a user attempts to log in using LDAP authentication and is successfully authenticated, Cach determines that this user already exists as a Cach user not an LDAP user and so login fails. If you wish to have any LDAP attributes of the current user stored on the Cach server, specify these in the LDAP attributes to retrieve for each user field of the LDAP Options page ([System] > [Security Management] > [LDAP Options]). Your application can then use the Get method of the Security.Users class to return this information.

192 Cach Security Administration Guide

16
Using Delegated Authorization
Cach supports the use of user-defined authorization code. This is known as delegated authorization. Topics in this chapter include: Overview of Delegated Authorization Creating Delegated (User-Defined) Authorization Code Configuring an Instance to Use Delegated Authorization After Authorization The State of the System

16.1 Overview of Delegated Authorization

Delegated authorization allows administrators to implement custom mechanisms to replace the role-assignment activities that are part of Cach security. For example, user-defined authorization code might look up a users roles in an external database and provide that information to Cach. To use delegated authorization, there are the following steps: 1. 2. Creating Delegated (User-defined) Authorization Code in the ZAUTHORIZE routine. Configuring an Instance to Use Delegated Authorization for the Cach instance. Delegated authorization is only supported with Kerberos and Operating-Systembased authentication.

Note:

Interactions between Delegated Authentication and Delegated Authorization

Delegated authorization through ZAUTHORIZE.mac is not supported for use with delegated authentication. The routine for delegated authentication (ZAUTHENTICATE, which is described in the chapter Using Delegated Authentication ) provides support for authorization. When using ZAUTHENTICATE, you have the option to segregate authentication and authorization code.

16.2 Creating Delegated (User-defined) Authorization Code

Topics associated with creating delegated authorization code include:

Cach Security Administration Guide 193

Using Delegated Authorization

Working from the ZAUTHORIZE.int Template ZAUTHORIZE Signature Authorization Code with ZAUTHORIZE ZAUTHORIZE Return Value and Error Messages

16.2.1 Working from the ZAUTHORIZE.int Template

A system-supplied copy of the ZAUTHORIZE routine is available in the %SYS namespace in the routine ZAUTHORIZE.int for instances with the manager utility source code installed. To install the manager utility source code, select an installation type of Development, Server, or a Custom installation that includes the Cach Database Engine. To use ZAUTHORIZE.int as a template: 1. 2. Open the routine in Studio. From within Studio, save it as a .MAC file in the %SYS namespace. To do this, go to the File menu, then choose Save as; in the dialog that appears, enter ZAUTHORIZE in the File name field and choose Macro Routine (*.mac) in the Files of type field. (Saving the routine to a .MAC file preserves it across Cach upgrades, while saving it as an .INT file does not.) 3. 4. Review the comments in the system-supplied code for ZAUTHORIZE. These provide important guidance about how to implement a custom version of the routine. Edit the routine by adding custom authorization code and any desired code to set user account characteristics. Because Cach places no constraints on the authorization code in ZAUTHORIZE, the application programmer is responsible for ensuring that this code is sufficiently secure.

CAUTION:

Upgrading Delegated Authorization Code

Before upgrading to a new version of Cach, check ZAUTHORIZE.int to determine if your current authorization code needs any changes to support new functionality.

16.2.2 ZAUTHORIZE Signature

When configured for delegated authorization, Cach automatically calls ZAUTHORIZE after authentication occurs. Cach supplies values for the parameters defined in the ZAUTHORIZE signature as necessary. The signature of ZAUTHORIZE is:
ZAUTHORIZE(ServiceName, Namespace, Username, Password, Credentials, Properties) PUBLIC { // authorization code // optional code to specify user account properties and roles }

where: ServiceName A string specifying the name of the service through which the user is connecting to Cach, such as %Service_Console or %Service_CSP. Namespace A string specifying the namespace on the Cach server to which a connection is being established. This is for use only with %Service_Bindings, such as connections for Studio or ODBC; for any other service, the value should be "" (the empty quoted string). Username A string specifying the user whose privileges are being determined.

194 Cach Security Administration Guide

Creating Delegated (User-defined) Authorization Code

Password A string specifying the password associated with account in use. This is for use only with the Kerberos K5API authentication mechanism; for any other mechanism, the value should be "" (the empty quoted string). Credentials Passed by reference. Not implemented in this version of Cach. Properties Passed by reference. An array of returned values that specifies characteristics of the account named by Username. For more information, see ZAUTHORIZE and User Properties.

16.2.3 Authorization Code with ZAUTHORIZE

The purpose of ZAUTHORIZE is to establish or update the roles and other characteristics for the authenticated user. The content of authorization code is application-specific. It can include any user-written ObjectScript code, class method, or $ZF callout. ZAUTHORIZE specifies role information by setting the values of the Properties array, which is passed by reference to ZAUTHORIZE. Typically, the source for the values being set is a repository of user information that is available to ZAUTHORIZE.

CAUTION:

Because Cach does not and cannot place any constraints on the authorization code in ZAUTHORIZE, the application programmer is responsible for ensuring that this code is sufficiently secure.

16.2.3.1 ZAUTHORIZE and User Properties

Elements of the Properties array specify values of attributes associated with the user specified by the Username parameter. Typically, code within ZAUTHORIZE sets values for these elements. The elements in the Properties array are: Properties("Comment") Any text. Properties("FullName") The first and last name of the user. Properties("NameSpace") The default namespace for a Terminal login. Properties("Roles") The comma-separated list of roles that the user holds in Cach. Properties("Routine") The routine that is executed for a Terminal login. A value of "" specifies that the Terminal run in programmer mode. Properties("Password") The users password. Properties("Username") The users username.

Each of these elements is described in more detail in one of the following sections. Note: It is not possible to manipulate the value of any member of the Properties array after authorization.

Comment
If ZAUTHORIZE returns a value for Properties("Comment"), then that string becomes the value of the user accounts Comment property in Cach. (This property is described in the section Properties of Users, in the Users chapter.) If no value is passed back to the calling routine, then the value of Comment for the user account is a null string and the relevant field in the Management Portal holds no content.

FullName
If ZAUTHORIZE returns a value for Properties("FullName"), then that string becomes the value of the user accounts Full name property in Cach. (This property is described in the section Properties of Users, in the Users chapter.) If no value is passed back to the calling routine, then the value of Full name for the user account is a null string and the relevant field in the Management Portal holds no content.

Cach Security Administration Guide 195

Using Delegated Authorization

NameSpace
If ZAUTHORIZE sets the value of Properties("Namespace"), then that string becomes the value of the user accounts Startup Namespace property in Cach. (This property is described in the section Properties of Users, in the Users chapter.) If no value is passed back to the calling routine, then the value of Startup Namespace for the user account is a null string and the relevant field in the Management Portal holds no content. Once connected to Cach, the value of Startup Namespace as specified by the value of Properties("Namespace") determines the initial namespace for any user authenticated for local access (such as for Console, Terminal, or Telnet). If Startup Namespace has no value, then the initial namespace for any user authenticated for local access is determined as follows: 1. 2. If the USER namespace exists, that is the initial namespace. If the USER namespace does not exist, the initial namespace is the %SYS namespace. If the user does not have the appropriate privileges for the initial namespace, access is denied.

Note:

Password
If ZAUTHORIZE sets the value of Properties("Password"), then that string becomes the value of the user accounts Password property in Cach. (This property is described in the section Properties of Users, in the Users chapter.) If no value is passed back to the calling routine, then the value of Password for the user account is a null string and the relevant field in the Management Portal then holds no content. If ZAUTHORIZE returns a password, this allows the user to log into the system via Password authentication if it is enabled. This is a possible mechanism to help migrate from delegated authentication to Password authentication, though with the usual cautions associated with the use of multiple authentication mechanisms; see Cascading Authentication in the Authentication chapter for more details.

Roles
If ZAUTHORIZE sets the value of Properties("Roles"), then that string specifies the Roles to which a user is assigned; this value is a string containing a comma-delimited list of roles. If no value is passed back to the calling routine, then there are no roles associated with the user account and the Management Portal indicates this. Information about a users roles is available on the Roles tab of a users Edit User page and a users profile. If any roles returned in Properties("Roles") are not defined, then the user is not assigned to the role. Hence, the logged-in user is assigned to roles as follows: If a role is listed in Properties("Roles") and is defined by the Cach instance, then the user is assigned to the role. If a role is listed in Properties("Roles") and is not defined by the Cach instance, then the user is not assigned to the role. A user is always assigned to those roles associated with the _PUBLIC user. A user also has access to all public resources. For information on the _PUBLIC user, see the section The _PUBLIC Account in the Users chapter; for information on public resources, see the section Services and Their Resources in the Resources chapter.

Routine
If ZAUTHORIZE sets the value of Properties("Routine"), then that string becomes the value of the user accounts Startup Tag^Routine property in Cach. (This property is described in the section Properties of Users, in the Users chapter.) If no value is passed back to the calling routine, then the value of Startup Tag^Routine for the user account is a null string and the relevant field in the Management Portal then holds no content. If Properties("Routine") has a value, then this value specifies the routine to execute automatically following login on a terminal-type service (such as Console, Terminal, or Telnet). If Properties("Routine") has no value or a value of "", then login starts the Cach Terminal session in programmer mode, subject to whether they have the privilege to access programmer mode or not.

196 Cach Security Administration Guide

Creating Delegated (User-defined) Authorization Code

Username
If ZAUTHORIZE sets the value of Properties("Username"), then that string becomes the value of the user accounts Name property in Cach. (This property is described in the section Properties of Users , in the Users chapter.) This provides the application programmer with an opportunity to normalize content provided by the end-user at the login prompt (while ensuring that the normalized username only differ by case). If there is no explicit call that passes the value of Properties("Username") back to the calling routine, then there is no normalization and the value entered by the end-user at the prompt serves as the value of the user accounts Name property without any modification.

16.2.3.2 The User Information Repository

ZAUTHORIZE can refer to any kind of repository of user information, such as a global or an external file. It is up to the code in the routine to set any external properties in the Properties array so that the authenticated user can be created or updated with this information. For example, while a repository can include information such as roles and namespaces, ZAUTHORIZE code must make that information available to Cach. If information in the repository changes, this information is only propagated back into the Cach user information if there is code in ZAUTHORIZE to perform this action. Also, if there is such code, changes to users roles must occur in the repository; if you change a users roles during a session, the change does not become effective until the next login, at which point the users roles are reset by ZAUTHORIZE.

16.2.4 ZAUTHORIZE Return Value and Error Messages

The routine returns one of the following values: Success $SYSTEM.Status.OK(). This indicates that ZAUTHORIZE has successfully executed. Depending on the code in the routine, this can indicate successful authentication of the user associated with Username and Password, successful authorization of the user associated Username, or both. Failure $SYSTEM.Status.Error($$$ERRORMESSAGE). This indicates that authorization failed. When ZAUTHORIZE returns an error message, it appears in the audit log if the LoginFailure event auditing is enabled; the end-user only sees the $SYSTEM.Status.Error($$$AccessDenied) error message.

ZAUTHORIZE can return system-defined or application-specific error messages. All these messages use the Error method of the %SYSTEM.Status class. This method is invoked as $SYSTEM.Status.Error and takes one or two arguments, depending on the error condition. The available system-defined error messages are: $SYSTEM.Status.Error($$$AccessDenied) Error message of Access Denied $SYSTEM.Status.Error($$$InvalidUsernameOrPassword) Error message of Invalid Username or Password $SYSTEM.Status.Error($$$UserNotAuthorizedOnSystem,Username) Error message of User username is not authorized $SYSTEM.Status.Error($$$UserAccountIsDisabled,Username) Error message of User username account is disabled $SYSTEM.Status.Error($$$UserInvalidUsernameOrPassword,Username) Error message of User username invalid name or password $SYSTEM.Status.Error($$$UserLoginTimeout) Error message of Login timeout $SYSTEM.Status.Error($$$UserCTRLC) Error message of Login aborted $SYSTEM.Status.Error($$$UserDoesNotExist,Username) Error message of User username does not exist

Cach Security Administration Guide 197

Using Delegated Authorization

$SYSTEM.Status.Error($$$UserInvalid,Username) Error message of Username username is invalid $SYSTEM.Status.Error($$$PasswordChangeRequired) Error message of Password change required $SYSTEM.Status.Error($$$UserAccountIsExpired,Username) Error message of User username account has expired $SYSTEM.Status.Error($$$UserAccountIsInactive,Username) Error message of User username account is inactive $SYSTEM.Status.Error($$$UserInvalidPassword) Error message of Invalid password $SYSTEM.Status.Error($$$ServiceDisabled,ServiceName) Error message of Logins for Service username are disabled $SYSTEM.Status.Error($$$ServiceLoginsDisabled) Error message of Logins are disabled $SYSTEM.Status.Error($$$ServiceNotAuthorized,ServiceName) Error message of User not authorized for service

To use these error codes, uncomment the #Include %occErrors statement that appears in ZAUTHORIZE.int. To generate a custom message, use the $SYSTEM.Status.Error() method, passing it the $$$GeneralError macro and specifying any custom text as the second argument. For example:
$SYSTEM.Status.Error($$$GeneralError,"Any text here")

Note that when an error message is returned to the caller, it is logged in the audit database (if LoginFailure event auditing is turned on). However, the only error message the user sees is $SYSTEM.Status.Error($$$AccessDenied). However, the user also sees the message for the $$$PasswordChangeRequired error. Return this error if you want the user to change from the current to a new password.

16.3 Configuring an Instance to Use Delegated Authorization

Once you have created a customized ZAUTHORIZE routine, the next step is to enable it for the instances relevant services or applications. This procedure is: 1. 2. Run the ^SECURITY routine from the %SYS namespace in a Terminal or Console window. In ^SECURITY, choose System parameter setup; under that, choose Edit authentication options; and under that, choose either Allow Kerberos authentication or Allow Operating System authentication. (Delegated authorization is only supported for these two authentication mechanisms.). If you have selected Allow Operating System authentication, choose Allow Delegated Authorization for O/S authentication. If you have selected Allow Kerberos authentication, choose Allow Delegated Authorization for Kerberos authentication.

3.

Selecting either of these choices causes Cach to invoke the ZAUTHORIZE.mac routine, if one exists, in the %SYS namespace. Important: Cach only calls ZAUTHORIZE after user authentication.

198 Cach Security Administration Guide

After Authorization The State of the System

16.3.1 Delegated Authorization and User Types

When a user first logs in to Cach with an authentication mechanism that uses delegated authorization, Cach creates a user account either of Type OS (for Operating System) or Kerberos. (Note that this value does not appear in the Type column of the table of users on the [System] > [Security Management] > [Users] page.) At the time of account creation and, for subsequent logins, the ZAUTHORIZE routine specifies the roles for the user. Any attempt to log in without using delegated authorization will result in a login failure. This is because only delegated authorization specifies the user Type as OS or Kerberos. When using these authentication mechanisms without delegated authorization, the user is authenticated as being of Type "Cach Password User"; the login fails because a user can only have one type and a user of one type cannot log in using mechanisms associated with another type. (Delegated authentication and LDAP authentication also both fail for the same reason.) For general information about user types, see the section About User Types in the Users chapter.

16.4 After Authorization The State of the System

If the user is successfully authorized, the Cache security database is updated in one of the following ways: 1. 2. If this is the first time the user has logged in, a user record is created in the security database for the entered username, using properties returned by ZAUTHORIZE. If the user has logged in before, the user record is updated in the security database, using properties returned by this function.

Whether for a first-time user or not, the process that logs in has the value of the $ROLES system variable set to the value of Properties("Roles"). For a terminal login, the namespace is set to the value of Properties("NameSpace") and the startup routine is set to the value of Properties("Routine").

Cach Security Administration Guide 199

A
Tightening Security for a Cach Instance
To provide increased security for a Cach instance, you can configure it to more tightly constrain user access. This can prevent unauthorized users from using Cach tools or from gaining access to sensitive resources. This appendix describes various actions that reduce the attack surface of a Cach instance or otherwise increase its security. There are multiple actions for tightening an instances security. They are presented here roughly in the sequence in which they should be performed: Enabling auditing Changing the authentication mechanism for an application Limiting the number of public resources Restricting access to services. This involves: Limiting the number of enabled services Limiting the number of public services Restricting access to services by IP address or machine name

Restricting public privileges Limiting the number of privileged users Disabling the _SYSTEM user Restricting access for UnknownUser

The Cach Security Advisor also provides an automated analysis of the instance and recommendations for actions to increase the security of an instance. Important: A Cach instance has many interdependent elements. Because of this, it is recommended that you only do what is specified for a change, and not more or less. For example, simply removing UnknownUser from the %All role without doing anything else will cause problems for a minimal-security installation.

A.1 Enabling Auditing

The primary elements of security are often described as the Three As : authentication, authorization, and auditing. Auditing, including the auditing provided with Cach, provides two functions: It provides data about what has occurred if there is a security event.

Cach Security Administration Guide 201

Tightening Security for a Cach Instance

The knowledge of its existence can be a deterrent for an attacker, given that the attack will be tracked and there will be evidence of any malicious actions.

To enable auditing for key events for a Cach instance, the procedure is: 1. 2. 3. From the Management Portal home page, select System Administration >> Security >> Auditing >> Enable Auditing. If the choice is not available, auditing is already enabled. From the Management Portal home page, go to Configure System Events page ([System] > [Security Management] > [Configure System Audit Events]. On the Configure System Events page, enable the following events if they are not already enabled by clicking Change Status in the events row: %System/%DirectMode/DirectMode Provides information on console/terminal use. For sites that extensively use command-line utilities, can create large amounts of data. Recommended if increased data is not an issue. %System/%Login/Login Provides information on logins. For large sites, can create large amounts of data. Recommended if increased data is not an issue. %System/%Login/LoginFailure Provides feedback on possible attempted unauthorized logins. Recommended. %System/%Security/Protect Provides data on attempts to read, write, or use protected data. Recommended.

A.2 Changing the Authentication Mechanism for an Application

A key element of restricting access to Cach is configuring the instance to use a stricter authentication mechanism for its applications. This section describes how to perform this procedure, using the Cach Management Portal as an example application and with the change from unauthenticated access (as in a minimal-security installation) to requiring a password as an example of moving to a stricter authentication mechanism. Important: Performing the following procedure may affect aspects of the instance being modified beyond access to the Portal. The specifics depend on (1) the instances configuration and (2) whether you are performing just this procedure or all the procedures in this appendix. Specifically: Making %Service_CSP:Use not public means that all users of web applications will need to be granted %Service_CSP:Use by some other means. Removing UnknownUser from the %All role can have many effects.

To provide properly functioning authentication for an application, there must be consistent authentication mechanisms for both the application and any service that it uses. For a web application, the CSP Gateway must also be configured to match the CSP service. Hence, to provide authentication for the Management Portal, there are three layers that all need to work together: The %Service_CSP service The CSP Gateway The Management Portal application

If these layers do not have matching authentication mechanisms, this usually results in a denial of access for example, there may be a This page cannot be displayed error instead of a login page or access to the Management Portal.

202 Cach Security Administration Guide

Changing the Authentication Mechanism for an Application

Important:

If (1) a web application uses a more powerful authentication mechanism than the CSP Gateway and %Service_CSP and (2) authentication succeeds, then the systems security is only that of the less powerful mechanism.

For an instance with a minimal-security installation, the CSP Gateway, %Service_CSP, and the Management Portal application are all set up for unauthenticated access. To provide password-level authentication for the Portal, various Cach elements must be configured as follows: The CSP service must require password authentication. The CSP Gateway must provide a username and password for that authentication. The user representing the Gateway must have sufficient privilege to use the CSP service. The Management Portal must require password authentication. All the Portals users must have sufficient privilege to use the Portal. Complete the following set of procedures during a single session in the Portal. Otherwise, you may lock yourself out of the Portal and have to perform the remaining procedures through the ^SECURITY routine.

Important:

An overview of the procedure to make these changes is: 1. 2. 3. 4. 5. 6. 7. 8. 9. Optionally, turn on auditing to track the changes to the instance. This is described in the Enabling Auditing section of this appendix. Give the %Service_CSP:Use privilege to the CSPSystem user. Change the password of the CSPSystem user. Configure the CSP Gateway to provide a username and password for authentication. Configure %Service_CSP to require password authentication. Remove the public status of the %Service_CSP:Use privilege. Configure the Management Portal application to require password authentication only. Specifying the appropriate privilege level for the instances users. Optionally, make the documentation or samples available.

10. Begin enforcement of the new policies. Once this process is complete, then a users next attempt to connect to the Portal will result in a login prompt.

CAUTION:

A Cach instance has many interdependent elements. Because of this, it is recommended that you only do what is specified for a change, and not more or less. Otherwise, you may lock yourself out of Cach or could even render the instance temporarily inoperative.

A.2.1 Giving the %Service_CSP:Use Privilege to the CSPSystem User

The Cach installation process creates a CSPSystem user, which represents the CSP Gateway in its interactions with the %Service_CSP service. Since the service is going to have restricted access, this user needs to hold the %Service_CSP:Use privilege for the authentication process. Note: There is a service called %Service_CSP and a resource called %Service_CSP. The resource regulates access to the service. Therefore, to gain access to the service, a user must have Use permission for the resource that is, the %Service_CSP:Use privilege.

Cach Security Administration Guide 203

Tightening Security for a Cach Instance

To associate the %Service_CSP:Use privilege with the CSPSystem user, the procedure is: 1. 2. 3. 4. 5. 6. 7. 8. 9. From the Management Portal home page, go to the Roles page ([System] > [Security Management] > [Roles]). On the Roles page, click Create New Role. This displays the Edit Role page, where the Name field is editable. Enter a name for the role to include the %Service_CSP:Use privilege (such as GatewayRole). Click Save. Cach has now created the role. In the Privileges section on the General tab of the Edit Role page, click Add, which displays a list of available resources for the role. From this list, click %Service_CSP and then click Save. The newly created role now includes the %Service_CSP:Use privilege. Select the Members tab of the Edit Role page. On this tab, you can assign the CSPSystem user to the newly created role. Click CSPSystem from the users in the Available list and move it to the Selected by clicking the right arrow. Click Assign to assign CSPSystem to the role. (In other words, CSPSystem is now a member of the role.) This means that CSPSystem holds the %Service_CSP:Use privilege. Cach creates the CSPSystem user to represent the CSP Gateway. If you prefer, a different user can perform this function. This procedure refers only to the CSPSystem user; if you use a different user, replace CSPSystem with that username where relevant.

Note:

A.2.2 Changing the Password of the CSPSystem User

Because a minimal-security installation gives the CSPSystem user a password of SYS, it is important to change this to a new password one that an attacker would not know or be able to guess. The procedure is: 1. 2. 3. 4. In the Management Portal, go to the Users page ([System] > [Security Management] > [Users]). On the Users page, in the row for the CSPSystem user, click Edit. This displays the Edit User page. Enter the new password for CSPSystem in the Password field. Since no user has to remember this password, you can make it as long and complex as you wish. Reenter the new password in the Confirm Password field and click Save. If the Portal does not display an error message or dialog, then the password change has succeeded.

If you wish, you can also confirm that CSPSystem is assigned to the role created for authentication in the previous procedure. To do this, click on the Roles tab. The table with the column heading CSPSystem is Assigned to the Following Roles should list the newly-created role.

A.2.3 Configuring the CSP Gateway to Provide a Username and Password

Because you are going to configure %Service_CSP to require password authentication, the CSP Gateway needs to provide a username-password pair. Having set up a user with the appropriate level of privilege, you have established a usernamepassword pair that the Gateway can provide. The next step is to configure the Gateway to provide this username-password pair when the Cach server challenges it for them. The procedure is: 1. 2. In the Management Portal, on the Configuration page ([System] > [Configuration]), in the Connectivity column (on the right), select CSP Gateway Management. This displays the Cach Server Pages - Web Gateway Management page. On the Cach Server Pages - Web Gateway Management page, select Server Access from the list on the left side. This displays the Server Access frame.

204 Cach Security Administration Guide

Changing the Authentication Mechanism for an Application

3. 4. 5. 6. 7. 8. 9.

In the Server Access frame, the LOCAL server should be highlighted. Click Submit to edit it, which displays a page with Server Access and Error Pages parameters. On this page, there is a Connection Security section. Ensure that the Connection Security Level drop-down has Password displayed. In the User Name field, enter CSPSystem. In the Password and Password (Confirm) field, enter the password that you selected in the previous section. Click Save Configuration near the bottom of the page. To return to the Management Portal, click Back to Management Portal from the bottom of the list in the left pane.

A.2.4 Configuring %Service_CSP to Require Password Authentication

Now that the Gateway is configured to provide a username and password and you have given the CSPSystem user the necessary level of privilege, the next step is to configure the service that manages CSP (%Service_CSP) so that it requires password authentication. The procedure is: 1. 2. 3. From the Management Portal home page, go to the Services page ([System] > [Security Management] > [Services]). On the Services page, click %Service_CSP. This displays the Edit Service page for %Service_CSP. On the Edit Service page, under Allowed Authentication Methods, make sure that Unauthenticated access is disabled and that Password access is enabled (also known as Cach login ). Click Save.

A.2.5 Removing the Public Status of the %Service_CSP:Use Privilege

With %Service_CSP requiring password authentication and the Gateway able to authenticate with an appropriately authorized user, the next step is to exclude %Service_CSP:Use from public availability. The procedure is: 1. 2. 3. From the Management Portal home page, go to the Resources page ([System] > [Security Management] > [Resources]). On the Resources page, in the row for %Service_CSP, click Edit. This displays the Edit Resource page for %Service_CSP. In the Public Permission section, clear the Use box. Click Save. Once %Service_CSP:Use is not a public privilege, only those users who have been explicitly granted it will be able to use CSP. You may need to assemble a list of these users and grant them this privilege through other means.

Important:

A.2.6 Configuring the Management Portal to Accept Password Authentication Only

Once the connection between the Gateway and the Cach server has a new authentication mechanism, the next task is to configure the Management Portal application to use a matching mechanism. In this example, this mechanism is Cach login. The procedure for changing the Portals authentication mechanism is: 1. 2. From the Management Portal home page, go to the Web Applications page ([System] > [Security Management] > [Web Applications]). On the Web Applications page, the /csp/sys application represents the Management Portal home page. Select Edit in this row to edit the application. This displays the Edit Web Application page for the /csp/sys application.

Cach Security Administration Guide 205

Tightening Security for a Cach Instance

3. 4.

Under Allowed Authentication Methods, disable Unauthenticated access and enable Password access. Click Save. Also disable Unauthenticated access and enable Password access for all the applications that compose the other pages and choices of the Portal. These applications are: /csp/sys/bi /csp/sys/exp /csp/sys/mgr /csp/sys/op /csp/sys/sec

This configures the Portal to require password authentication (also known as Cach login) and not to allow unauthenticated access, and so that all its parts behave consistently. The next step is to ensure that all relevant users have appropriate access to the Portal.

A.2.7 Specifying the Appropriate Privilege Level for the Instances Users
When the Portal is configured to accept unauthenticated connections, any user can connect as the UnknownUser. Because a minimal-security installation makes UnknownUser a member of the %All role, there is no danger of being locked out of the Portal. Now that the Portal requires password authentication, its legitimate users need to be members of the %Operator role, the %Manager role, or the %All role. In a minimal-security installation, SuperUser, Admin, _SYSTEM, and UnknownUser all have this level of privilege; further, these all have passwords of SYS. To properly secure users, the procedure is: 1. Either disable UnknownUser or remove UnknownUser from the %All role. To disable UnknownUser, the procedure is: a. b. On the Users page ([System] > [Security Management] > [Users]), click Edit in the UnknownUser row. This displays the Edit User page for UnknownUser. Clear the User Enabled field and click Save.

To remove UnknownUser from the %All role: a. b. c. On the Users page ([System] > [Security Management] > [Users]), click Edit in the UnknownUser row. This displays the Edit User page for UnknownUser. Go to the Roles tab on the Edit Page. In the UnknownUser is Assigned to the Following Roles table, on the %All row, click the UnknownUser from %All. Click OK in the confirmation dialog. Limiting access through UnknownUser can have widespread effects, particularly if an instances users are not sufficiently privileged. button to remove

d.

Important:

2.

Ensure that any other potentially unauthorized users are not members of %All, %Developer, %Manager, %Operator, %SQL, or any user-defined role that grants privileges. This involves a process analogous to removing UnknownUser from the %All role.

206 Cach Security Administration Guide

Changing the Authentication Mechanism for an Application

(A user-defined role that grants privileges might have Use permission on any of the %Admin... resources, %Development, or any of the %Service or %System resources, or Write permission on %DB_CACHELIB or %DB_CACHESYS.) 3. Ensure that any user who should have access to the Portal is assigned to %All, %Developer, %Manager, %Operator, %SQL, or any user-defined role that grants Portal access. The procedure, for each of these users, is: a. b. c. On the Users page ([System] > [Security Management] > [Users]), click Edit in the users row. This displays the Edit User page for the user being edited. Go to the Roles tab on the Edit Page. Move the desired role(s) from the Available to the Selected list by clicking the right arrow and then click Assign to assign the user to the role(s).

4.

Change the passwords for SuperUser and Admin users from the default. To do this: a. b. c. On the Users page ([System] > [Security Management] > [Users]), click Edit in the users row. This displays the Edit User page for the user being edited. Enter the new password in the Password field. Confirm it in the Confirm Password field and click Save. Make sure that you know the password for at least one user who administers the Portal. Otherwise, you may lock yourself out of the Portal and have to log in using emergency access so that you can reset one or more passwords using the ^SECURITY routine.

Important:

A.2.8 Making the Documentation or Samples Available

Once you finish configuring the service, the CSP Gateway, and the Portal application, you may wish to ensure that the documentation or sample programs are available. The procedure is: 1. 2. From the Management Portal home page, go to the Web Applications page ([System] > [Security Management] > [Web Applications]). To make the sample applications available: a. b. 3. On the Web Applications page, the /csp/samples application represents the Cach sample applications. Select Edit in this row to edit the application. This displays the Edit Web Application page for the /csp/samples application. Under Allowed Authentication Methods, disable Unauthenticated access and enable Password access. Click Save.

To make the documentation available: a. On the Web Applications page, the /csp/docbook application represents the Cach DocBook documentation application. Select Edit in this row to edit the application. This displays the Edit Web Application page for the /csp/docbook application. Under Allowed Authentication Methods, disable Unauthenticated access and enable Password access. Click Save. Return to the Web Applications page. On the Web Applications page, the /csp/documatic application represents the Cach Documentation class reference application. Select Edit in this row to edit the application. This displays the Edit Web Application page for the /csp/documatic application. Under Allowed Authentication Methods, disable Unauthenticated access and enable Password access. Click Save.

b. c. d.

e.

Cach Security Administration Guide 207

Tightening Security for a Cach Instance

Note:

Because the documentation is compose of two individual applications /csp/docbook and /csp/documatic that are separate from each other and from the Portal, each has a separate password prompt.

If you do not perform this procedure, the service requires a password prompt but the application attempts to use unauthenticated access. This prevents all users including those assigned to %All from reaching the documentation or samples.

A.2.9 Beginning Enforcement of New Policies

At this point, the Cach instance is fully configured to operate properly. However, all existing connections are still using unauthenticated access. To begin enforcement of the new policies, the following events must occur: The CSP Gateway must establish an authenticated connection. All users must also establish authenticated connections.

A.2.9.1 Establishing an Authenticated CSP Gateway Connection

To force the CSP Gateway to establish an authenticated connection, the procedure is: 1. 2. 3. From the Management Portal home page, select System Administration >> Configuration >> CSP Gateway Management. This displays the Cach Server Pages - Web Gateway Management page. On the Cach Server Pages - Web Gateway Management page, select Close Connections from the list on the left side. This displays the Close Connections frame. Click Close Connection(s). This displays a message indicating that all connections between the Gateway and Cach server have been closed.

The next time that a user requests a page, the Gateway will reestablish a connection to the Cach server. This connection will use the selected authentication mechanism.

A.2.9.2 Establishing Authenticated User Connections

At this point, all connections to the Management Portal are still using unauthenticated access. If there is no pressing need to require authenticated access, then there is nothing else to do. Users will gradually end their connections to the Portal and will have to authenticate when they reconnect. (Connections may be ended due to machine reboots, stopping and restarting browsers, clearing browser caches, Portal logouts, etc.) If there is a need to force connections to use authenticated access, you can stop and restart Cach. For example, on Windows, if you have Cach available through the default Start menu page: 1. 2. 3. From the Windows Start menu, select Programs >> Cach, then the Cach instance to restart. On the submenu for the instance of Cach, choose Stop Cach. On the dialog that appears, select Restart and click OK. If you are using a production instance of Cach, you may want to choose a low-traffic time for the restart, since users will temporarily not have access to either Cach as a whole or the Portal.

Note:

A.3 Limiting the Number of Public Resources

Any resource can be specified as a public resource. This means that any user has the ability to read, write, or use the resource, depending on its public settings. The following should always be public:

208 Cach Security Administration Guide

Restricting Access to Services

Table I1: Required Public Resources and Their Permissions

Resource
%DB_CACHE %DB_CACHELIB %DB_CACHETEMP

Permission R R RW

Note:

You may also want to make the Read permission on the %DB_DOCBOOK database public, so that all users have access to the documentation.

To tighten the security of an instance, limit the number of public resources. To do this, the procedure is: 1. Ensure that all users who genuinely require access to these resources have been given privileges for them. Important: If you do not provide privileges for %Service_CSP:Use to the appropriate users, then this procedure can result in a widespread lockout from the Management Portal and other CSP applications.

2. 3.

From the Management Portal home page, go to the Resources page ([System] > [Security Management] > [Resources]). On the Resources page, each resource for which there is one or more public permissions has those permissions listed in the Public Permissions column of the table of resources. Select the resource by clicking Edit. This displays the resources Edit Resource page. On the Edit Resource page, clear any checked Public Permission fields and click Save. The resource is no longer public.

4.

Perform this procedure for all public resources.

A.4 Restricting Access to Services

There are various pathways by which users can interact with Cach. Services regulate access to these pathways. To limit access to Cach services, the available choices are: Limiting the number of enabled services to only those required for the applications in use Limiting the number of public services to only those required for the applications in use Restricting access to services by IP address or machine name

A.4.1 Limiting the Number of Enabled Services

To limit the number of enabled services, the procedure is: 1. Determine the required services for the Cach instance. Typically, these are: Whatever service is required for each form of user access Whatever services are required for any automated access Either %Service_Console (on Windows) or %Service_Terminal (on UNIX or OpenVMS), for local programmer-mode access

2.

From the Management Portal home page, go to the Services page ([System] > [Security Management] > [Services]).

Cach Security Administration Guide 209

Tightening Security for a Cach Instance

3. 4.

On the Services page, for each service that is not required, select the service by clicking on its name. This displays the services Edit Service page. On the Edit Service page, clear the Service Enabled field and click Save. The service is now disabled.

Once you have disabled all unnecessary services, the only pathways to Cach are the required services.

A.4.2 Limiting the Number of Public Services

Each service is associated with a resource. In most cases, the resource has the same name as the service, such as %Service_CSP; the exception to this is the %Service_Bindings service, which is associated with the %Service_Object and %Service_SQL resources. Services are public because of the settings for the resources associated with them. Because of this, the procedure for making a service non-public is the same as for making any other resource non-public. This is described in the section, Limiting the Number of Public Resources.

A.4.3 Restricting Access to Services by IP Address or Machine Name

For certain services, you have the option of restricting access to the service according to IP address or machine name. This is known as the ability to limit allowed incoming connections. The services that support this feature are:
%Service_Bindings %Service_CSP %Service_CacheDirect %Service_ECP %Service_Monitor %Service_Shadow %Service_Weblink

By default, a service accepts connections from all machines. If a service has no associated addresses or machine names, then it accepts connections from any machine. If one or more addresses or machine names are specified from which a service accepts connections, then the service only accepts connections from these machines. This feature is not available for %Service_CallIn, %Service_ComPort, %Service_Console, %Service_DataCheck, %Service_Login, %Service_MSMActivate, %Service_Mirror, %Service_Telnet, and %Service_Terminal. To restrict access to a service by IP address, the procedure is: 1. 2. 3. 4. 5. 6. Determine the IP addresses of those machines with legitimate access to the service. From the Management Portal home page, go to the Services page ([System] > [Security Management] > [Services]). On the Services page, for each service for which you are restricting access by IP address, select the service by clicking on its name. This displays the services Edit Service page. On the Edit Service page, in the Allowed Incoming Connections section, click Add. In the displayed dialog, enter an IP address for an allowed incoming connection. Click OK. Click Add and enter other addresses as needed.

Perform this procedure for each service that is restricting the IP addresses from which it accepts connections.

210 Cach Security Administration Guide

Restricting Public Privileges

A.5 Restricting Public Privileges

Whenever any user logs in, that user receives all the privileges associated with the _PUBLIC user. With a minimal-security installation, the _PUBLIC user is not assigned to any roles, but holds a number of SQL privileges. These have been granted by the _SYSTEM user, which is created by the Cach installation in accordance with the SQL standard as the SQL root user. This means that they must be revoked by the _SYSTEM user. To revoke SQL privileges from the _PUBLIC user, the procedure is: 1. Log into the Management Portal as the _SYSTEM user: a. b. c. Enable the _SYSTEM user if that user is not already enabled. (After completing this procedure, you may wish to disable the _SYSTEM user according to the instructions in the section Limiting the Number of Privileged Users.) For a minimal-security installation, change the authentication method for the Management Portal so that it requires logins. This is described in the section Changing Authentication Methods for the Management Portal. Log in as _SYSTEM. In a minimal-security installation, the default password for this user is SYS; in normal and locked-down installations, the default password is whatever was selected during the installation process.

2. 3.

From the Management Portal home page, go to the Execute SQL Query page ([System] > [SQL] > [Execute SQL Query]) for the SAMPLES namespace. (On the Execute SQL Query page, from the list of namespaces on the left, click SAMPLES.) Revoke all the _PUBLIC users privileges on tables in the SAMPLES database. In the pages editing form, enter the following SQL command:
REVOKE ALL PRIVILEGES ON * FROM _PUBLIC

and click Execute Query. 4. Revoke all the _PUBLIC users privileges to invoke stored procedures in the SAMPLES database. In the pages editing form, enter the following SQL command:
REVOKE EXECUTE ON * FROM _PUBLIC

and click Execute Query. 5. To prevent general use of the InterSystems documentation, you can revoke the _PUBLIC users privileges to search the DocBook database. To do this: a. b. c. On the Execute SQL Query page, click DOCBOOK from the list of namespaces. Select the SQL Tables tab. In the pages editing form, enter by the following SQL command:
REVOKE ALL PRIVILEGES ON * FROM _PUBLIC

and click Execute Query.

A.6 Limiting the Number of Privileged Users

Every instance of Cach must have at least one user who is assigned to the %All role. In fact, if there is only one user assigned to this role, then Cach prevents the user from being removed from the role. However, over time, an instance can

Cach Security Administration Guide 211

Tightening Security for a Cach Instance

end up having more users assigned to %All than are necessary. This can arise from assigned users leaving an organization but their accounts not being disabled, from temporary assignments not being revoked, and so on. Along with the %All role, the system-defined roles of %Manager, %Developer, %Operator, and %SQL can give users undue privilege. There also may be user-defined roles that do this. Users assigned to such roles are sometimes known as privileged users. To limit the number of privileged users, determine which users are assigned to each privileged role and remove those who are not needed. The procedure is: 1. 2. 3. 4. From the Management Portal home page, go to the Roles page ([System] > [Security Management] > [Roles]). On the Roles page, click Edit on the row for the relevant role. This displays the Edit Role page for that role. On the Edit Role page, click the Members tab, which displays a list of the users and roles assigned to the role. To remove any user from the specified role, click Remove on the row for the user or role to be removed. Click OK in the confirmation dialog.

Perform this procedure for each privileged role, including %All and the others listed previously. It is also important to disable the _SYSTEM user; the procedure for this is described in the next section, Disabling the _SYSTEM User. Important: Certain seemingly non-privileged roles may have what could be called privileges by proxy. This occurs when a seemingly non-privileged role is assigned to a privileged role. In this case, any user who is assigned to role with privileges by proxy holds all the privileges associated with the privileged role. Avoid creating privileges by proxy whenever possible. When not possible, have as few users as possible assigned to the roles with privileges by proxy.

A.7 Disabling the _SYSTEM User

The Cach installation program creates the _SYSTEM user. This user is created in accordance with the SQL standard as the SQL root user. In a minimal-security installation, the default password for this user is SYS; in normal and lockeddown installations, the default password is whatever was selected during the installation process. Because this user and the password of SYS are both publicly specified by the SQL standard, and because of this users SQL privileges, disabling _SYSTEM is important for tightening access to a Cach instance. To do this, the procedure is: 1. 2. 3. From the Management Portal home page, go to the Users page ([System] > [Security Management] > [Users]). On the Users page, in the row for _SYSTEM, click Edit to open the Edit User page for _SYSTEM. On the Edit User page for _SYSTEM, clear the User Enabled field. Click Save. If you need to check root-level SQL privileges after disabling _SYSTEM, you will have to temporarily enable the user to perform the required action.

Note:

A.8 Restricting Access for UnknownUser

In instances that support unauthenticated access, connections that do not use authentication are established with the UnknownUser account. In minimal-security installations, the default behavior is that:

212 Cach Security Administration Guide

Restricting Access for UnknownUser

All connections use UnknownUser. UnknownUser is assigned to the %All role. UnknownUser holds all SQL privileges.

The most effective way to restrict access for UnknownUser is to disable that account. However, with a minimal-security installation, simply shutting down this account causes a lockout from the Management Portal, as described in the following section. Therefore, you should only disable UnknownUser as part of the procedure for changing the authentication mechanism for the Management Portal. Note: With normal-security and locked-down installations, UnknownUser holds no privileges, so this is not an issue.

A.8.1 Potential Lockout Issue with the UnknownUser Account When Increasing Security
If an instance has been installed with Minimal security, UnknownUser has the %All role; the instance also has unauthenticated access available for all services and applications. If you simply change the users role (from %All to something else) and still allow unauthenticated access, you may be denied access to the Management Portal, the Cach Terminal, and other basic features. This is because, under these conditions, Cach establishes a connection to the selected tool without performing authentication. When there is no authentication, Cach automatically sets the user account to UnknownUser. The next step is to check user privileges. If UnknownUser has insufficient privileges, access to the tool is limited or not available. For example, under these circumstances, the Terminal displays an Access Denied message and then shuts down; the Portal displays its main page, but no options can be selected. To correct this condition: 1. 2. Start Cach in emergency access mode. Restore sufficient privileges to the UnknownUser account.

If you wish to prevent use of UnknownUser, you must upgrade the authentication mechanism for the Management Portal.

Cach Security Administration Guide 213

B
Using the cvencrypt Utility
Cach allows you to use encrypted databases, as described in the chapter Managed Key Encryption. There are occasions when you may need to perform encryption management operations on a database, such as: Converting an Unencrypted Database to Be Encrypted Converting an Encrypted Database to Be Unencrypted Converting an Encrypted Database to Use a New Key Using Command-line Options with cvencrypt Using cvencrypt in Batch Mode on OpenVMS

To perform these operations, Cach supplies cvencrypt, a standalone utility for use with 8-KB format databases. Its available operations are described in the following sections.

B.1 Converting an Unencrypted Database to be Encrypted

This describes the procedure for making an unencrypted database encrypted. 1. Back up the data in the database to be encrypted. The cvencrypt utility encrypts data in place. This means that it uses on-disk space for its operations (not copying the database elsewhere and restoring it to its current disk location after successful completion). If the utility is interrupted before completion, the database will be partly encrypted and partly unencrypted, rendering it unusable.

CAUTION:

It is critical that you back up the database before encrypting it. Failure to do so can result in data being lost.

2. 3. 4.

Have an existing database-encryption key for your Cach instance. If the database is mounted, dismount it. You can do this from the Management Portal Databases page ([System] > [Databases]). In the directory containing the cache.dat file for the database to encrypt, run the cvencrypt utility, providing a path to it. For example, if your database is in the C:\MyDBs directory and is called test1 and Cach is installed in the C:\CacheSys directory, then you would run the utility as follows:
C:\MyDBs\test1>..\..\CacheSys\bin\cvencrypt cache.dat

Cach Security Administration Guide 215

Using the cvencrypt Utility

The utility then provides an informational display message about itself, and then information on the database passed to it. If this is a multivolume database, the utility displays information about this, such as
Database has multiple volumes. Volume ====== c:\mydbs\accounting1\CACHE.DAT c:\mydbs\accounting2\CACHE.EXT c:\mydbs\accounting3\CACHE.EXT Blocks: first ===== 1 129 257 last ==== 128 256 1792

5.

The utility then prompts for what action you wish to take:
1) Encrypt 2) Quit

To encrypt the database, enter 1 and press Enter. 6. This displays a prompt to activate an already-existing encryption key:
Access database encryption key. Keyfile:

At this prompt, enter the full path of the key for encrypting the database. For example, suppose that you have stored the database-encryption keyfile, dek1, in the C:\CacheSys\Mgr directory.
Keyfile: C:\CacheSys\Mgr\dek1

7.

The utility then prompts for the username and password of a keyfile administrator:
Username: dek-admin1 Password: <characters shielded during entry>

When it receives these, the utility then reminds you that it modifies data in place, so that you should be sure that your data is adequately backed up before continuing:
This utility will modify your database in place. Be sure that your data is adequately backed up before proceeding. Continue? [Y/N]:

If you wish to continue, enter Y . it encrypts the database, stating the key that it is using for encryption:
Using database encryption key (ID = 5DBC532D-4D1F-A3A4-30CDA34BB66B).

During encryption, the utility displays a progress indicator, as well as a reminder not to interrupt the process.

CAUTION:

If you interrupt the process while it is incomplete, the database may be in a state in which some of its data is encrypted and some of it is unencrypted. It is impossible for Cach to read such a database, and all the data will be lost.

8.

When finished, the utility announces this, such as:

Processed: 118400 blocks (done!)

216 Cach Security Administration Guide

Converting an Encrypted Database to be Unencrypted

B.2 Converting an Encrypted Database to be Unencrypted

This describes the procedure for making an encrypted database unencrypted. 1. Back up the database to be unencrypted. The cvencrypt utility unencrypts data in place. This means that it uses on-disk space for its operations (not copying the database elsewhere and restoring it to its current disk location after successful completion). If the utility is interrupted before completion, the database will be partly encrypted and partly unencrypted, rendering it unusable.

CAUTION:

It is critical that you back up the database before decrypting it. Failure to do so can result in data being lost.

2. 3.

If the database is mounted, dismount it. You can do this from the Management Portal Databases page ([System] > [Databases]). In the directory containing the cache.dat file for the database to decrypt, run the cvencrypt utility, providing a path to it. For example, if your database is in the C:\MyDBs directory and is called test1 and Cach is installed in the C:\CacheSys directory, then you would run the utility as follows:
C:\MyDBs\test1>..\..\CacheSys\bin\cvencrypt cache.dat

The utility then provides an informational display message about itself, and then information on the database passed to it. If this is a multivolume database, the utility displays information about this, such as
Database has multiple volumes. Volume ====== c:\mydbs\accounting1\CACHE.DAT c:\mydbs\accounting2\CACHE.EXT c:\mydbs\accounting3\CACHE.EXT Blocks: first ===== 1 129 257 last ==== 128 256 1792

4.

If the database is encrypted, the utility displays information about this:

Database is encrypted (Key ID = E1D00BC2-07F4-4495-9562-394B26A2B05B).

It then prompts for an action:

1) Decrypt 2) Re-encrypt with a different key 3) Quit

5.

To decrypt the database, enter 1 and press Enter. This displays a prompt to activate the databases encryption key:
Access original database encryption key (key ID = E1D00BC2-07F4-4495-9562-394B26A2B05B) Keyfile:

Enter the keyfile including its full path, such as C:\encdb\dek; relative pathnames are not valid. 6. The utility then prompts for the username and password of a keyfile administrator:
Username: dek-admin1 Password: <characters shielded during entry>

7.

The utility next states that it is ready to perform the decryption:

Prepared to decrypt database (key ID = E1D00BC2-07F4-4495-9562-394B26A2B05B).

Cach Security Administration Guide 217

Using the cvencrypt Utility

Before decrypting the data, the utility reminds you that it modifies data in place, so that you should be sure that your data is adequately backed up before continuing:
This utility will modify your database in place. Be sure that your data is adequately backed up before proceeding. Continue? [Y/N]:

If you wish to continue, enter Y . Once you confirm your decision, the utility decrypts the database. During decryption, the utility displays a progress indicator, as well as a reminder not to interrupt the process, such as:
Decrypting database (key ID = E1D00BC2-07F4-4495-9562-394B26A2B05B). Do not interrupt this process! Processed: 25000 blocks (16%)

CAUTION:

If you interrupt the process while it is incomplete, the database may be in a state in which some of its data is encrypted and some of it is unencrypted. It is impossible for Cach to read such a database, and all the data will be lost.

8.

When the process is complete, the progress indicator changes to a completion message:
Processed: 153600 blocks (done!)

B.3 Converting an Encrypted Database to Use a New Key

This describes the procedure for re-encrypting an encrypted database using a new key. 1. Back up the data in the database to be re-encrypted. The cvencrypt utility re-encrypts data in place, that is, using the on-disk space for its operations (not copying the database elsewhere and restoring it to its current disk location after successfully completing the decryption). If the utility is interrupted before completion, the database will be partly encrypted with two different keys, rendering it unusable.

CAUTION:

It is critical that you back up the database before decrypting it. Failure to do so can result in data being lost.

2. 3.

If the database is mounted, dismount it. You can do this from the Management Portal Databases page ([System] > [Databases]). Make sure that the key with which the database is being re-encrypted already exists. You can create this key using the Management Portal Database Encryption page ([System] > [Encryption] > [Database Encryption]); if there is already an activated key, you need to deactivate it before creating a new one. In the directory containing the cache.dat file for the database to decrypt, run the cvencrypt utility, providing a path to it. For example, if your database is in the C:\MyDBs directory and is called test1 and Cach is installed in the C:\CacheSys directory, then you would run the utility as follows:
C:\MyDBs\test1>..\..\CacheSys\bin\cvencrypt cache.dat

4.

When it first starts, the utility displays an information message about itself and the database passed to it. If this is a multivolume database, the utility displays information about this, such as

218 Cach Security Administration Guide

Converting an Encrypted Database to Use a New Key

Database has multiple volumes. Volume ====== c:\mydbs\accounting1\CACHE.DAT c:\mydbs\accounting2\CACHE.EXT c:\mydbs\accounting3\CACHE.EXT Blocks: first ===== 1 129 257 last ==== 128 256 1792

5.

The utility displays information about the encryption in use for the database:
Database is encrypted (Key ID = E1D00BC2-07F4-4495-9562-394B26A2B05B).

It then prompts for an action:

1) Decrypt 2) Re-encrypt with a different key 3) Quit

6.

To re-encrypt the database with a new database-encryption key, enter 2 and press Enter. To begin the process of re-encrypting the database, you must have access to the key in which the database is currently encrypted. The utility prompts for the absolute path for this keyfile, and, receiving that, the username of an administrator and that administrator's password:
Access original database encryption key. (key ID = E1D00BC2-07F4-4495-9562-394B26A2B05B) Keyfile: C:\encdb\dek1 Username: dek-admin1 Password: <characters shielded during entry>

7.

Once this information has been successfully entered, the utility prompts for the absolute path of the keyfile for reencrypting the database. Receiving that, it prompts for the username of an administrator and that administrator's password:
Access new database encryption key. Keyfile (full path): C:\encdb\dek2 Username: dek-admin2 Password: <characters shielded during entry>

When it receives information on this second key, the utility reminds you that it modifies data in place, so that you should be sure that your data is adequately backed up before continuing. If you wish to continue, enter Y . Once you confirm that you want to perform this process, the utility encrypts the database. During encryption, the utility displays a progress indicator, as well as a reminder not to interrupt the process, such as:
Do not interrupt this process! Processed: 16000 blocks (10%)

CAUTION:

If you interrupt the process while it is incomplete, the database may be in a state in which some of its data is encrypted with one key and some of it is encrypted with another. It is impossible for Cach to read such a database, and all the data will be lost.

8.

When the process is complete, the progress indicator changes to a completion message:
Processed: 153600 blocks (done!)

Cach Security Administration Guide 219

Using the cvencrypt Utility

B.4 Using Command-line Options with cvencrypt

You can invoke cvencrypt with various command-line options. These allow you to encrypt, decrypt, or re-encrypt one database or multiple databases with a single command; to operate on a single database, use the -dbfile option; to operate on multiple databases with a single command, use the -dbfilelist option. The behavior of the -inkeyfile and -outkeyfile options depends on whether an encrypted or unencrypted database is being processed, and, if an encrypted database is present, if one or both of the options is present. For details, see the description of each option. The available command-line options are: -dbfile argument The database file to encrypt, decrypt, or re-encrypt. argument can be a simple file name, a file name containing a relative path, or a file name containing an absolute path. -dbfilelist argument The name of a file containing a list of databases to process. argument can be a simple file name, a file name containing a relative path, or a file name containing an absolute path. In the file containing the list of databases, each database is listed as the name of a database file, which can also be a simple file name, a file name containing a relative path, or a file name containing an absolute path; place the name of each database file on its own line without any additional punctuation or delimiting characters. -inkeyfile argument The input key file, which contains the database key for decrypting any encrypted input to cvencrypt. When processing an unencrypted database, the -inkeyfile option has no effect. When processing an encrypted database, cvencrypt uses the input key file to decrypt the database. If the input key file and the output key file are both present, then, when processing an encrypted database, cvencrypt uses the input key file to decrypt the database and the output key file to re-encrypt it; if input key file and output key file hold the same database encryption key, cvencrypt does not run. -inpass argument The password to use (along with the -inuser username ) to extract the database encryption key from the input key file. If you do not use the -inpass option with cvencrypt, it prompts you for a password. Important: If you use the -inpass option, then this password may be visible to operating system tools as part of the data associated with the cvencrypt process. For example, on certain versions of UNIX, the ps command displays the value of the -inpass password. If you have any concerns about exposing this information to those who should not have it, do not use the -inpass option; when you invoke cvencrypt, you will be prompted for the password, which will then not appear as part of the data associated with the process.

-inuser argument The administrator name to use (along with the -inpass password) to extract the database encryption key from the input key file. If you do not use the -inuser option with cvencrypt, it prompts you for a username. -outkeyfile argument The output key file, which contains the database key for encrypting the output from cvencrypt. When processing an unencrypted database, cvencrypt uses the output key file to encrypt it. When processing an encrypted database where there is a value for the -outkeyfile option but no value provided for the -inkeyfile option, cvencrypt

220 Cach Security Administration Guide

Using cvencrypt in Batch Mode on OpenVMS

does nothing. When processing an encrypted database, if there are values for both the input and output key files, then cvencrypt uses the input key file to decrypt the database and the output key file to re-encrypt it; if the input and output key files hold the same database encryption key, cvencrypt does not run. -outpass argument The password to use (along with the -outuser administrator name) to extract the database encryption key from the output key file. If you do not use the -outpass option with cvencrypt, it prompts you for a password. Important: If you use the -outpass option, then this password may be visible to operating system tools as part of the data associated with the cvencrypt process. For example, on UNIX, the ps command displays the value of the -outpass password. If you have any concerns about exposing this information to those who should not have it, do not use the -outpass option; when you invoke cvencrypt, you will be prompted for the password, which will then not appear as part of the data associated with the process.

-outuser argument The administrator name to use (along with the -outpass password) to extract the database encryption key from the output key file. If you do not use the -outuser option with cvencrypt, it prompts you for a username.

B.5 Using cvencrypt in Batch Mode on OpenVMS

On OpenVMS, you can run cvencrypt as a batch job that is driven by a command procedure. Important: When running cvencrypt as a batch job, the username and password of the database encryption administrator is visible as part of the operating system process. To avoid exposing sensitive information, the procedure described here includes creating a temporary database encryption administrator immediately before invoking cvencrypt and removing that administrator from the database encryption key file immediately after invoking cvencrypt (which can even occur while the utility is running).

To do this, the procedure is: 1. 2. Back up the database. For details on this process, see the Backup and Restore chapter of the Cach Data Integrity Guide. Add a temporary database encryption administrator to your database encryption key file. To do this with the Management Portal, follow the procedure described in the section Adding an Administrator to a Key File in the Managed Key Encryption chapter. You can also use the ^DATABASE utility, as described in the ^DATABASE section of the Using the Character-based Security Management Routines appendix. 3. Run cvencrypt interactively and answer "N" to the final "Continue? {Y/N}:" prompt. This captures the input that you wish to provide to cvencrypt but does not run it. The operating system displays a message such as:
A command procedure "cvencrypt.com" has been created that you can SUBMIT as a batch job.

4. 5.

Issue the OpenVMS SUBMIT command to run the command procedure as a batch job. Once the job is running, remove the temporary administrator from the key file (using either the Management Portal or ^DATABASE).

InterSystems recommends that you create a new command procedure for each batch job, as the input parameters may differ. Note: Batch mode is only available for OpenVMS. It is not supported for UNIX or Windows.

Cach Security Administration Guide 221

C
Frequently Asked Questions about Cach Security
Troubleshooting
When users attempt to use the Management Portal, they are either prompted to log in as they move among its sections or unexpectedly lack privileges on certain pages or are not allowed to perform certain operations. Why is this and how can I correct it? The Cach Management Portal consists of several separate web applications. The main page of the Portal is associated with the /csp/sys application and other pages are associated with various /csp/sys/* applications (such as the security-related content, which is associated with the /csp/sys/sec application). If the applications do not all have a common set of authentication mechanism(s) in use, users going from one Portal page to another may encounter login prompts or sudden shifts in their level of privilege. For example, if the /csp/sys application is using password authentication exclusively, while other related Portal applications are using unauthenticated access exclusively, then, as users move from one Portal page to another, they go from unauthenticated access to requiring authentication. Another possible case is this: the /csp/sys application supports only password authentication, the other applications support only unauthenticated access, and UnknownUser has no special privileges; in this case, when users go from the Portals main page to its other pages, they may not have sufficient privileges to perform any action. To check and configure the authentication mechanism for a web application, select the application from the Web Applications page in the Portal ([System] > [Security Management] > [Web Applications]) and, for the displayed application, make selections under Allowed Authentication Methods as appropriate (typically, so that /csp/sys and /csp/sys/* share a common set of authentication mechanisms).

Upgrading
These questions address questions for users of Cach 5.0 and previous versions who are considering the security implications of upgrading to Cach 5.1 or more recent versions. Must I use Cach security? What do I need to be aware of when upgrading to the Cach security in version 5.1 or later? What operational aspects of Cach security (5.1 or later) differ from previous versions of Cach?

Cach Security Administration Guide 223

Frequently Asked Questions about Cach Security

Must I use Cach security? Yes. Security in Cach is always enabled. However, you can configure an instances security to mimic the openness of an older system and to support legacy systems without any visible effects. What do I need to be aware of when upgrading to the Cach security in version 5.1 or later? The following items require attention when upgrading: All users require new passwords assigned to them after an upgrade installation. The password hash function used is more robust than those used in earlier versions of Cach. Since Cach only stored (and stores) the hashed form of the password for comparison, there is no way to invert the hashed form (giving a plaintext password) and replace it with the hashed value using the newer function. As a result, to take advantage of this robustness, users need to enter new passwords. By default, developers do not have privileges on many of the Cach services they did under prior versions. The default installation of Cach is configured with a relatively limited set of features accessible by default. The predefined roles do not include privileges for legacy resources such as COM ports, which most customers do not need. As necessary, administrators can alter the predefined roles or create new roles that provide a different set of privileges to meet the needs of each site.

What operational aspects of Cach security (5.1 or later) differ from previous versions of Cach? An instance of Cach 5.1 or later operates slightly differently from prior versions of Cach. Differences include: As of Cach 5.1, Cach ObjectScript has two system variables, $USERNAME and $ROLES that help applications manage their security needs. Both these variables can be used programmatically in routines, methods, and SQL statements. For CSP and Zen applications, security information is maintained as part of the CSP session. The values of $USERNAME and $ROLES are preserved across page requests, even if different processes are used to execute those requests. More specifically, when processing begins for a CSP page, $ROLES contains the users roles as well as roles defined for the application. The session does not contain roles that were dynamically added during processing of a previous page by setting the value of $ROLES or invoking $SYSTEM.Security.AddRoles. This is true for both stateless sessions and those that maintain state.

224 Cach Security Administration Guide

D
Relevant Cryptographic Standards and RFCs
The following are standards and RFCs (requests for comment) that define the cryptographic primitives and algorithms used in Cach security: AES (Advanced Encryption Standard) encryption FIPS (Federal Information Processing Standards) 197 AES Key Wrap NIST (National Institute of Standards and Technology) document AES Key Wrap Specification (http://csrc.nist.gov/CryptoToolkit/kms/AES_key_wrap.pdf) IETF (Internet Engineering Task Force) RFC 3394

Base64 encoding RFC 3548 Block padding PKCS (Public-Key Cryptography Standards) #7 and RFC 2040 CBC (Cipher Block Chaining) cipher mode NIST 800-38A Deterministic random number generator FIPS PUB 140-2, Annex C FIPS PUB 186-2, Change Notice 1, Appendix 3.1 and Appendix 3.3

GSS (Generic Security Services) API The Kerberos Version 5 GSS-API Mechanism RFC 1964 Generic Security Service Application Program Interface, Version 2, Update 1 RFC 2743 Generic Security Service API Version 2: C Bindings RFC 2744 Generic Security Service API Version 2: Java Bindings RFC 2853

Kerberos Network Authentication Service (V5) RFC 1510 Hash-based Message Authentication Code (HMAC) FIPS 198 and RFC 2104 Message Digest 5 (MD5) hash RFC 1321 Password-Based Key Derivation Function 2 (PBKDF2) PKCS #5 v2.0 and RFC 2898 Secure Hash Algorithm (SHA-1) FIPS 180-2 and RFC 3174

Cach Security Administration Guide 225

Relevant Cryptographic Standards and RFCs

All these documents are available online: FIPS documents NIST documents PKCS documents RFCs (IETF)

226 Cach Security Administration Guide

E
Using Character-based Security Management Routines
The preferred and recommended way to manage a Cach installation is the Management Portal. The portal provides a convenient, browser-based interface for controlling the system. However, to cover those instances when the system cannot be managed this way, Cach also has several character-based routines that collectively provide many of the same functions on the Cach Terminal. The utilities described in this appendix are: ^SECURITY addresses the setup and maintenance of the data essential to the proper functioning of Cach security. ^EncryptionKey supports operations for encryption key management, database encryption, and data element encryption. ^DATABASE is used to manage databases; it also allows you to set values related to Cach security. ^%AUDIT allows the reporting of data from the logs, and the manipulation of entries in the audit logs as well as the logs themselves.

Each of the routines is described in its own section along with its top-level functionality. In most cases, the initial menu choice will lead to further requests for information until the routine has sufficient information to accomplish its task. To use any routine from the Cach Terminal, the user must be in the %SYS namespace and have at least the %Manager role. The routine, for example ^SECURITY, is invoked as expected with the command:
DO ^SECURITY

When the routine runs, it presents you with a list of options. Select an option by entering its number after the Option? prompt.

CAUTION:

As previously noted, the preferred way to manage a Cach system is via the Management Portal. Administrators who elect to use the routines described in this documents are assumed to have a detailed operating knowledge of how Cach works and what parameter values are appropriate for the options they choose.

General notes about prompts

The following are characteristics of prompts when using the character-based facilities: Each option has a numeric prefix. Select an option by typing its number. The option-number pattern is used throughout the routines. All option lists have an item to exit this level of menu and return to the previous level. You may also reply to the Option? prompt with Enter. This is interpreted as if you had chosen the Exit option, that is, you are finished with

Cach Security Administration Guide 227

Using Character-based Security Management Routines

that section and you are presented with the next upper level of options. An Enter reply to the top-level of options exits the ^SECURITY routine. Many of the prompts for information have a default value which is selected by typing the Enter key. When there is a default value available, it is shown after the prompt message and followed by the characters => as in
Unsuccessful login attempts before locking user? 5 =>

where the default value is 5 for the number of times a user may try to login and fail before the system locks their username. Prompts whose defaults are Yes or No also accept any matching partial response such as yE or n. The match is done ignoring the case of the response. In options whose intent is to alter the characteristics of existing user, roles, services, and so on, the existing value of the item is displayed as the default. Typing Enter preserves that value and moves on to the next prompt. Some prompts ask for a pattern to use when matching items such as user names. The default pattern is usually * that matches all items. In such patterns the asterisk matches any sequence of characters, much like it does in DOS. A pattern may also consist of a comma-separated list of items each of which is treated as its own pattern. An item is treated as being selected if it matches any pattern in the list. There is nothing to prevent multiple instances of the same routine from being executed at the same time by different system administrators (or even the same administrator). If this happens, it is the responsibility of the administrators to coordinate their activity to avoid conflicts and achieve their objectives with regard to the coherence of the affected data.

CAUTION:

E.1 ^SECURITY
This routine addresses the setup and maintenance of the data essential to the proper functioning of Cach security. The initial menu includes: 1. User setup Users represent actual people or other entities who are permitted access to the system. This is the section for define the characteristics of users for the instance. 2. Role setup Cach users are given permission to perform an action by their assignment to one or more roles. This section is where the characteristics of roles are defined. 3. Service setup Services control the ability to connect to Cach using various connection technologies. They are predefined by InterSystems. The parameters governing their use are set through this option. 4. Resource setup Resources represent assets, such as databases or applications, whose use is to be managed. A resource may represent a single asset such as a database, or it may protect multiple (usually related) assets such as a suite of applications. 5. Application setup Application definitions serve as proxies for the actual application code. Permissions on the definition are interpreted by the security system as granting the same permission on the application associated with the definition. 6. Auditing setup

228 Cach Security Administration Guide

^EncryptionKey

Auditing is the means by which Cach keeps a record of security-related events. This section deals with the definition and management of events whose occurrence is to be noted in the audit log. 7. Domain setup Domains permit a community of users to be partitioned into several groups. This option allows an administrator to set up Cach security to accept users from multiple domains. The domains defined via this option exist only within the Cach system for the purpose of recognizing valid users. When multiple domains have been defined, usernames should include the domains they will be attempting access from, for example, [email protected]. If a users name is given without the domain identification, Cach uses the default domain (if any) set up in the system parameters section. 8. SSL configuration setup SSL/TLS provides authentication and other functionality. This section provides configuration tools if the instance uses Cach support for the SSL/TLS protocol. 9. Mobile phone service provider setup With two-factor authentication, authenticating users receive a one-time security code on their mobile phone that they then enter at a prompt. This section provides the tools for configuring the mobile phone service providers in use for the Cach instance. 10. OpenAM Identity Services setup OpenAM identify services allow Cach to support single-sign on (SSO); by using this feature, users that have already successfully authenticated do not have to re-authenticate. This section deals with managing OpenAM identity services for the Cach instance. 11. Encryption key setup Cach uses keys to encrypt databases or user-specified data elements. This section provides tools for working with keys for both database and managed encryption. 12. System parameter setup The system parameters are a collection of security-related values that apply system-wide. This section includes the ability to export and import all an instances security settings, including those for SQL privileges. Note: If you are importing security settings from a source instance configured with multiple domains to a target instance not configured to allow multiple domains and the source instances default domain differs from that of the target instance, then the import does not update the targets default domain you must explicitly set this value. To do this, use the Default security domain drop-down on the System-wide Security Parameters page ([Home] > [Security Management] > [System Security Settings] > [System-wide Security Parameters]).

13. Exit

E.2 ^EncryptionKey
The ^EncryptionKey routine is for use with managed key encryption; it supports operations for encryption key management (technology for creation and management of encryption keys and key files), database encryption, and data element encryption. 1. Create new encryption key and key file Allows you to create a new database-encryption key, which it stores in a key file. 2. Manage existing encryption key file

Cach Security Administration Guide 229

Using Character-based Security Management Routines

Allows you to list administrators associated with a key file, add an administrator to a key file, and remove an administrator from a key file. 3. Database encryption Allows you to activate a database encryption key, display the unique identifier for the currently activated database encryption key (if there is one), deactivate the activated database encryption key, and configure Cach startup options related to database encryption. 4. Data element encryption for applications Allows you to activate a data element encryption key, list the unique identifier for any currently activated data element encryption keys (if there are any), and deactivate the activated data element encryption key.

E.3 ^DATABASE
The ^DATABASE routine is used to manage databases; it also allows you to set values related to Cach security. 1. Create a database Allows you to create a new database. 2. Edit a database Allows you to change the characteristics of an existing database, for example, by adding additional volumes. 3. List databases Displays the characteristics of one or more databases. 4. Delete a database Allows you to delete a Cach database. This action is irreversible. 5. Mount a database Makes a database ready for use by Cach. Databases must be mounted to Cach in order to be usable. Databases can be set to be automatically mounted at startup. 6. Dismount a database Permits you to quiesce a database and remove it from use by Cach. 7. Compact globals in a database Reorganizes the data inside CACHE.DAT. Note that this option does not reduce the size of the database file; to reduce the size of the database, see option 13. 8. Show free space for a database Displays the available space for a database. This is calculated as the difference between its current contents and its current declared size. 9. Show details for a database Displays detailed information on a specified database including location, size, status, and other controlling parameters. 10. Recreate a database Creates a new, empty database with the parameters of the original database. The new database is the same size as the original database. 11. Manage database encryption

230 Cach Security Administration Guide

^%AUDIT

Removes all the logical data from a database while preserving the properties of the database for reuse. 12. Return unused space for a database Frees either a specified amount of or all available extra space associated with a database, reducing it from its current size to its smallest possible size. 13. Compact free space in a database Removes the free space in a database. Note that this option reduces the size of the database file; to compact globals without changing the size of the database file, see option 7.

E.4 ^%AUDIT
This routine allows the reporting of data from the logs, and the manipulation of entries in the audit logs as well as the logs themselves. 1. Audit reports Permits you to specify selection criteria (date ranges, events, affected users, and so on) and display characteristics, then extracts the data from the audit log and formats it for presentation. 2. Manage audit logs Allows the extraction of log entries to another namespace, the export and import of audit log data to and from external files, and maintenance activities against the audit log itself. 3. Exit

Cach Security Administration Guide 231