Caché Security Administration Guide
System Management and Security
This chapter covers the following topics:

System Security Settings Page
The System Security Settings page (System Administration > Security > System Security) provides links to pages that configure the entire Caché instance for security. These pages are:
System-Wide Security Parameters
This section describes security issues that affect an entire Caché instance. This includes the system-wide security parameters and handling sensitive data in memory images.
Caché includes a number of system-wide security parameters. You can configure these on the System Security Settings page (System Administration > Security > System Security > System-wide Security Parameters). These are:
Protecting Sensitive Data in Memory Images
Certain error conditions can cause the contents of a process’s memory to be written to a disk file, known as a “core dump.” This file contains copies of all data that was in use by the process at the time of the dump, including potentially sensitive application and system data. This can be prevented by disallowing core dumps on a system-wide basis. The method for disallowing core dumps varies according to the operating system in use; for details, consult the documentation of your operating system.
Authentication Options
The Authentication/CSP Sessions Options page (System Administration > Security > System Security > Authentication/CSP Options) allows you to enable or disable authentication mechanisms for the entire Caché instance:
The authentication options are:
If there are multiple authentication options, Caché uses cascading authentication. For more information on authentication, see the “Authentication” chapter.
The Secure Debug Shell
Caché includes the ability to suspend a routine and enter a shell that supports full debugging capabilities (as described in the Command-line Routine Debugging chapter of Using Caché ObjectScript). Caché also includes a secure debug shell, which has the advantage of ensuring that users are prevented from exceeding or circumventing their assigned privileges.
The secure debug shell helps better control access to sensitive data. It is an environment that allows users to perform basic debugging, such as stepping and displaying variables, but does not allow them to do anything that changes the execution path or results of a routine. This protects against access that can lead to issues such as manipulation, malicious role escalation, and the injection of code to run with higher privileges.
The secure debug shell starts when a Break command is executed, a breakpoint or watchpoint is encountered, or an uncaught error is issued.
Within the secure debug shell, the user cannot invoke:
Within the secure debug shell, when a user attempts to invoke a restricted command or function, Caché throws a <COMMAND> or <FUNCTION> error, respectively.
Enabling Use of the Secure Shell
By default, users at the debug prompt maintain their current level of privileges. To enable the secure shell for the debug prompt and thereby restrict the commands that the user may issue, the user must hold the %Secure_Break:Use privilege (the Use permission for the %Secure_Break resource). To give a user this privilege, make the user a member of a role which includes the %Secure_Break:Use privilege, such as the predefined %SecureBreak role.
Restricted Commands and Functions
This section lists the restricted activities within the secure debug shell:
Restricted ObjectScript Commands
The following are the restricted ObjectScript commands for the secure debug shell:
Restricted ObjectScript Functions
The following are the restricted ObjectScript functions for the secure debug shell:
Restricted Object Constructions
No method or property references are allowed. Property references are restricted because they could invoke a propertyGet method. Some examples of the object method and property syntax constructions that are restricted are:
Note:
Even without passing a variable by reference, a method can modify public variables. Since a property reference could invoke a propGet method, no property access is allowed.
Restricted MultiValue Commands
The following are the restricted MultiValue commands for the secure debug shell:
Password Strength and Password Policies
Caché allows you to specify requirements for user passwords by supplying a string of the form:
X.Y[ANP]
where
These rules are based on the Caché ObjectScript pattern matching functionality. This functionality is described in the Pattern Matching section of the “Operators and Expressions” chapter of Using Caché ObjectScript.
Note:
The value for this parameter does not affect existing passwords.
Suggested Administrator Password Strength
Ideally, administrator passwords should be a random mixture of uppercase and lowercase alphabetic characters, numerals, and punctuation. InterSystems strongly recommends a minimum password length of 12 such random characters.
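The following is an added example, not code from the Caché documentation or product: a Python checker for the X.Y[ANP] password-pattern string described above, together with a check of the administrator recommendation (at least 12 characters mixing uppercase, lowercase, numerals and punctuation). It assumes the ObjectScript pattern-code meanings A = alphabetic, N = numeric, P = punctuation (ASCII space and the ASCII punctuation marks), and that an omitted Y means no upper bound, as in the ObjectScript pattern-match operator; neither detail is spelled out on this page.

```python
import re
import string

# Character classes of the ObjectScript pattern codes used in Caché password
# patterns. Assumption: A = alphabetic, N = numeric, P = punctuation (ASCII
# space plus the ASCII punctuation marks), as in the pattern-match operator.
PATTERN_CLASSES = {
    "A": set(string.ascii_letters),
    "N": set(string.digits),
    "P": set(string.punctuation) | {" "},
}

# X.Y[ANP]: X = minimum length, Y = maximum length, then one or more class codes.
_SPEC_RE = re.compile(r"^(\d+)\.(\d*)([ANP]+)$")


def parse_password_pattern(spec):
    """Return (min_len, max_len, allowed_chars) for a pattern such as '3.32ANP'.
    An empty Y (e.g. '8.ANP') is taken to mean no upper bound (assumption)."""
    m = _SPEC_RE.match(spec)
    if not m:
        raise ValueError(f"invalid password pattern: {spec!r}")
    min_len = int(m.group(1))
    max_len = int(m.group(2)) if m.group(2) else None
    if max_len is not None and max_len < min_len:
        raise ValueError(f"maximum length below minimum in {spec!r}")
    allowed = set()
    for code in m.group(3):
        allowed |= PATTERN_CLASSES[code]
    return min_len, max_len, allowed


def password_matches_pattern(password, spec):
    """True when the length fits and every character is in an allowed class."""
    min_len, max_len, allowed = parse_password_pattern(spec)
    if len(password) < min_len:
        return False
    if max_len is not None and len(password) > max_len:
        return False
    return all(ch in allowed for ch in password)


def meets_admin_recommendation(password):
    """Administrator guidance read strictly: 12+ characters and at least one
    uppercase letter, lowercase letter, digit and punctuation mark each."""
    classes = (string.ascii_uppercase, string.ascii_lowercase,
               string.digits, string.punctuation)
    return len(password) >= 12 and all(
        any(ch in cls for ch in password) for cls in classes)
```

Note that a password can satisfy a permissive pattern such as 3.32ANP while falling far short of the administrator recommendation, which is why both checks are shown.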
Protecting Caché Configuration Information
Caché configuration information is stored in a text file outside of Caché. This file is known as a Caché parameter file and often referred to as a cache.cpf file. Because this file can be modified while Caché is not running, Caché controls the ability to start a system with a modified cache.cpf.
To protect your instance against intentional or accidental misconfiguration, enable the Configuration Security setting. If Caché startup detects that the Caché parameter file has been modified outside the control of the Management Portal since the last time Caché was started, Caché startup requests a username and password to validate the changes. The username supplied must have the %Admin_Manage:Use privilege. If an appropriate username and password cannot be provided, Caché allows the operator to choose as follows:
  1. Re-enter the username and password.
  2. Start using the last known good configuration.
  3. Abort startup.
If the operator chooses option 2, Caché renames the parameter file that was invoked at startup (file.cpf) with the suffix _rejected (file.cpf_rejected). Caché then overwrites the file.cpf with the last known good configuration (_LastGood_.cpf) and starts up using this configuration.
Note:
The protections for the cache.cpf file are not a substitute for operating-system–level security. It is recommended that you protect the configuration file by strictly limiting the ability of users to modify it, at the operating-system level.
For more information on the configuration file generally, see the Caché Parameter File Reference.
Managing Caché Security Domains
Caché security domains provide a grouping of users that corresponds to Kerberos realms and Windows domains. If your instance is using Kerberos, its Caché domain corresponds to a Kerberos realm. If you are using a Windows domain, this also corresponds to a Kerberos realm.
While a security domain name often takes the form of an Internet domain name, there is no requirement that it do so. A security domain name can contain any character except “@”.
Single and Multiple Domains
You can configure Caché for either a single-domain or multiple-domain configuration.
For an instance with a single domain:
For an instance with multiple domains:
In a multiple-domain configuration, a fully-qualified user identifier consists of a username, an at sign (“@”), and a domain name, such as “info@intersystems.com”.
To specify support for a single domain or multiple domains, use the Allow multiple security domains field of the System-wide Security Parameters page of the Management Portal (System Administration > Security > System Security > System-wide Security Parameters), described in the System-wide Security Parameters section of this chapter.
The Default Security Domain
Each instance has a default security domain. This is the domain assumed for any username where no domain is specified. For example, if the default domain is “intersystems.com”, the user identifiers “info” and “info@intersystems.com” are equivalent. When Caché is installed, it uses the local domain name to provide an initial value for the parameter.
For instances with multiple security domains, you can select a new default security domain using the Default Security Domain field of the System-wide Security Parameters page (System Administration > Security > System Security > System-wide Security Parameters), described in the System-wide Security Parameters section of this chapter.
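As an added example (not code from the Caché documentation or product) covering the fully-qualified identifier format and the default security domain described above: a Python helper that splits a user identifier into username and domain, applying the default domain when none is given, and rejects domain names containing “@”. Because a domain name may not contain “@”, the last “@” in an identifier is taken as the separator; whether a username itself may contain “@” is not stated on this page, so the code simply tolerates it.

```python
def validate_domain_name(domain):
    """Reject an empty name or the one character a security domain name may
    not contain ("@")."""
    if not domain or "@" in domain:
        raise ValueError(f"invalid security domain name: {domain!r}")
    return domain


def split_user_identifier(identifier, default_domain):
    """Return (username, domain). An unqualified name gets the default domain;
    the LAST "@" is the separator, since a domain name cannot contain "@"."""
    username, sep, domain = identifier.rpartition("@")
    if not sep:
        return identifier, validate_domain_name(default_domain)
    if not username:
        raise ValueError(f"missing username in {identifier!r}")
    return username, validate_domain_name(domain)


def same_user(a, b, default_domain):
    """True when two identifiers name the same user once the default domain
    is applied, e.g. "info" and "info@intersystems.com" when the default
    domain is "intersystems.com"."""
    return (split_user_identifier(a, default_domain)
            == split_user_identifier(b, default_domain))
```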
Listing, Editing, and Creating Domains
The Security Domains page (System Administration > Security > Security Domains) provides a table that lists the existing security domains for a Caché instance.
For each domain, the table has:
The page also has a Create New Domain button. Selecting this displays the Edit Domain page which accepts a domain name and an optional domain description. After entering this information, select Save to create the domain.
Security Advisor
To assist system managers in securing a Caché system, Caché includes a Security Advisor. This is a Web page that shows current information related to security in the system configuration. It recommends changes or areas for review, and provides links into other system management Web pages to make the recommended changes.
Important:
The Security Advisor provides general recommendations, but does not have any knowledge of an instance’s needs or requirements. It is important to remember that each Caché instance has its own requirements and constraints, so that issues listed in the Security Advisor may not be relevant for your instance; at the same time, the Security Advisor may not list issues that are of high importance for you. For example, the Security Advisor exclusively recommends that services use Kerberos authentication, but, depending on your circumstances, authentication through the operating system, Caché login, or even unauthenticated access may be appropriate.
There are some general features in the Security Advisor:
Auditing
This section displays recommendations on auditing itself and on particular audit events:
Services
This section displays recommendations on Caché services. For each service, depending on its settings, the Security Advisor may address any of the following issues:
Roles
This section displays recommendations for all roles that hold possibly undue privileges; other roles are not listed. For each role, the Security Advisor may address any of the following issues:
Users
This section displays recommendations related to users generally and for individual user accounts. In this area, the Security Advisor may address any of the following issues:
CSP, Privileged Routine, and Client Applications
Each application type has its own section, which makes it simpler to review details for each application type. These sections display recommendations related to access to and privileges granted by applications. In this area, the Security Advisor notes the following issues:
Effect of Changes
When you make changes to various security settings, the amount of time for these to take effect is as follows:
Note:
The times listed here are the latest times that changes take effect; in some cases, changes may be effective earlier than indicated.
Emergency Access
Caché provides a special emergency access mode that can be used under certain dire circumstances, such as if there is severe damage to security configuration information or if no users with the %Admin_Manage:Use or %Admin_Security:Use privileges are available (that is, if all users are locked out). Although Caché attempts to prevent this situation by ensuring that there is always at least one user with the %All role, that user may not be available or may have forgotten the password.
When Caché is running in emergency access mode, only a single user (called the emergency user) is permitted. This username does not have to be previously defined within Caché. In fact, even if the username is defined in Caché, the emergency user is conceptually a different user. The emergency username and password are only valid for the single invocation of emergency mode.
Other important points about emergency access mode:
Invoking Emergency Access Mode
To start Caché in emergency access mode, you must have the appropriate operating-system privileges:
Caché performs authentication by checking operating-system-level characteristics.
Invoking Emergency Access Mode on Windows
To start Caché in emergency access mode:
  1. Start a command prompt. This can either be:
  2. Go to the bin directory for your Caché installation.
  3. In that directory, invoke Caché at the command line using the appropriate switch and passing in the username and password for the emergency user. This depends on the command prompt that you are using:
    Note:
    On Windows, unlike other operating systems, the EmergencyId switch is preceded by a slash (“/”).
    For example, at the instance MyCache, to start Caché in emergency mode with user Eugenia with the password 52601, the command would be:
    ccontrol start MyCache /EmergencyId=Eugenia,52601
    The only user who can then log in is the emergency user, using the appropriate password, such as:
    Username: Eugenia
    Password: *****
    Warning, bypassing system security, running with elevated privileges
    
Once Caché has started, you can start the Terminal from the Caché cube or run any CSP application. This provides access to the Management Portal and all character-based utilities. Using this access, you can change any settings as necessary and then restart Caché in its normal mode.
Invoking Emergency Access Mode on UNIX® and Mac OS
To start Caché in emergency access mode, invoke Caché at the command line using the appropriate switch and passing in the username and password for the emergency user:
./ccontrol start <cache-instance-name> EmergencyId=<username>,<password>
This starts an emergency-mode Caché session with only one allowed user where:
Note:
If going from one of these operating systems to Windows, remember that on Windows only, the EmergencyId switch is preceded by a slash (“/”).
For example, at the instance MyCache, to start Caché in emergency mode with user Eugenia with the password 52601, the command would be:
./ccontrol start MyCache EmergencyId=Eugenia,52601
The only user who can then log in is the emergency user, using the appropriate password, such as:
Username: Eugenia
Password: *****
Warning, bypassing system security, running with elevated privileges
Once Caché has started, you can run Caché Terminal or any CSP application. This provides access to the Management Portal and all character-based utilities. Using this access, you can change any settings as necessary and then restart Caché in its normal mode.
Invoking Emergency Access Mode on OpenVMS
To start Caché in emergency access mode, invoke Caché at the command line using the appropriate switch and passing in the username and password for the emergency user, where the username and password are in quotation marks:
ccontrol start <cache-instance-name> EmergencyId="<username>,<password>"
This starts an emergency-mode Caché session with only one allowed user where:
Note:
If going from OpenVMS to Windows, remember that on Windows only, the EmergencyId switch is preceded by a slash (“/”).
For example, at the instance MyCache, to start Caché in emergency mode with user Eugenia with the password 52601, the command would be:
ccontrol start MyCache EmergencyId="Eugenia,52601"
The only user who can then log in is the emergency user, using the appropriate password, such as:
Username: Eugenia
Password: *****
Warning, bypassing system security, running with elevated privileges
Once Caché has started, you can run Caché Terminal or any CSP application. This provides access to the Management Portal and all character-based utilities. Using this access, you can change any settings as necessary and then restart Caché in its normal mode.
Emergency Access Mode Behavior
In emergency access mode, Caché has the following constraints and behaviors: