
Authentication: Establishing Identity

Authentication is how you prove to Caché that you are who you say you are. Without trustworthy authentication, authorization is moot — one user can impersonate another and then take advantage of the fraudulently-obtained privileges.

The authentication mechanisms available depend on how you are accessing Caché. Caché has a number of available authentication mechanisms:

  • Kerberos — The most secure means of authentication. The Kerberos Authentication System provides mathematically proven strong authentication over a network.

  • Operating-system–based — OS-based authentication uses the operating system’s identity for each user to identify that user for Caché purposes.

  • LDAP — With the Lightweight Directory Access Protocol (LDAP), Caché authenticates the user based on information in a central repository, known as the LDAP server.

  • Caché login — With Caché login, Caché prompts the user for a password and compares a hash of the provided password against a value it has stored.

  • Delegated authentication — Delegated authentication provides a means for creating customized authentication mechanisms. The application developer entirely controls the content of delegated authentication code.

You can also allow all users to connect to Caché without performing any authentication. This option is appropriate for organizations with strongly protected perimeters or in which neither the application nor its data are an attractive target for attackers.

About Kerberos

For maximally secure connections, Caché supports the Kerberos authentication system, which provides a highly secure and effective means of verifying user identities. Kerberos was developed at the Massachusetts Institute of Technology (MIT) to provide authentication over an unsecured network, and protects communications using it against sophisticated attacks. The most evident aspect of this protection is that a user’s password is never transmitted over the network — even encrypted.

Kerberos is what is called a trusted-third-party system: the Kerberos server holds all sensitive authentication information (such as passwords) and is itself kept in a physically secure location.

Kerberos is also:

  • Time-tested — Kerberos was originally developed in the late nineteen-eighties. Its principal architecture and design have been used for many years at many sites; subsequent revisions have addressed issues that have been discovered over the years.

  • Available on all supported Caché platforms — Originally developed for UNIX®, Kerberos is available on all Caché-supported variants of UNIX®; Microsoft has integrated Kerberos into Windows 2000 and subsequent versions of Windows. (Note that because the Microsoft .NET framework does not include direct Kerberos support, Caché does not support Kerberos for the Caché Managed Provider for .NET.)

  • Flexibly configurable — It accommodates heterogeneous networks.

  • Scalable — The Kerberos protocol minimizes the number of interactions with its Key Distribution Center (KDC); this prevents such interactions from becoming a bottleneck on larger systems.

  • Fast — As an open-source product, the Kerberos code has been scrutinized and optimized extensively over the years.

Underlying Kerberos authentication is the AES encryption algorithm. AES — the Advanced Encryption Standard — is a royalty-free, publicly-defined symmetric block cipher that supports key sizes of 128, 192, and 256 bits. It is part of the US Federal Information Processing Standards (FIPS), as chosen by the United States National Institute of Standards and Technology (NIST).

For detailed content, see “Configuring for Kerberos Authentication” in the “Authentication” chapter.

About Operating-System–Based Authentication

Caché supports what is called operating-system–based (or OS-based) authentication. With operating system authentication, Caché uses the operating system’s user identity to identify the user for Caché. When operating system authentication is enabled, the user authenticates to the operating system according to the operating system’s protocols. For example, on UNIX®, this is traditionally a login prompt where the operating system compares a hash of the password to the value stored in the /etc/passwd file. When the user first attempts to connect to Caché, Caché obtains the process’s operating-system-level user identity. If this identity matches a Caché username, then that user is authenticated.

This capability only applies to server-side processes, such as terminal-based applications (for example, connecting through the Terminal) or batch processes started from the operating system. It is not available for an application that is connecting to Caché from another machine, such as when a copy of Studio on one machine is connecting to a Caché server on another.

This mechanism is typically used for UNIX® systems, in addition to the Windows console.

For detailed content, see “Configuring for Operating-System–Based Authentication” in the “Authentication” chapter.

About LDAP Authentication

Caché supports authentication through the Lightweight Directory Access Protocol (LDAP). In this case, Caché contacts an LDAP server to authenticate users, relying on its database of users and their associated information to perform authentication. The LDAP server also controls all aspects of password management, password policies, and so on.

For detailed content, see the “Using LDAP” chapter.

About Caché Login

Caché itself can provide a login mechanism. Specifically, Caché maintains a password value for each user account and compares that value to the one provided by the user at each login. (As with traditional OS-based authentication, Caché stores a hashed version of the password. When the user logs in, the password value entered is hashed and the two hashed versions are compared.) The system manager can configure certain password criteria, such as minimum length, to ensure a desired degree of robustness in the passwords selected by users.
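As an added illustration of the compare-the-hashes login described above (example code, not Caché's own; the hash algorithm, iteration count, and minimum-length policy are assumptions), the following Python stores only a salted hash per account, enforces a configurable minimum length, and verifies a login by re-hashing the supplied password and comparing digests in constant time:

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Assumptions: the page does not state Caché's hash algorithm or work factor.
# PBKDF2-HMAC-SHA256 with a per-user random salt is used here as a stand-in.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16

# Hypothetical policy, standing in for the "minimum length" criterion the
# system manager can configure.
POLICY = {"min_length": 8}


def check_policy(password: str) -> bool:
    """Return True when a candidate password satisfies the configured policy."""
    return len(password) >= POLICY["min_length"]


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn unless one is supplied."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


# Constructed user store: username -> (salt, stored digest). This is the
# hashed value the text says Caché keeps for each account; no plaintext is kept.
USERS: Dict[str, Tuple[bytes, bytes]] = {}


def set_password(username: str, password: str) -> bool:
    """Store a new salted hash if the password meets policy; reject it otherwise."""
    if not check_policy(password):
        return False
    USERS[username] = hash_password(password)
    return True


def verify_login(username: str, password: str) -> bool:
    """Re-hash the supplied password with the stored salt and compare the digests."""
    record = USERS.get(username)
    if record is None:
        # Hash anyway so an unknown username costs the same time as a wrong password.
        hash_password(password)
        return False
    salt, stored = record
    _, candidate = hash_password(password, salt)
    # Constant-time comparison avoids leaking how many digest bytes matched.
    return hmac.compare_digest(stored, candidate)
```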

For detailed content, see “Configuring for Authentication with Caché Login” in the “Authentication” chapter.

About Delegated Authentication

Caché supports delegated authentication, which allows you to create your own authentication mechanism. As the application developer, you fully control the content of delegated authentication code. Caché includes a routine, ZAUTHENTICATE.mac, that serves as a template for creating custom authentication code.

For detailed content, see the “Using Delegated Authentication” chapter.
