Caché Installation Guide
Preparing for Caché Security
The material in this appendix is intended for those using Caché security features. For an overview of those features, especially the authentication and authorization options, review the Introduction to the Caché Security Administration Guide. This material can help you select the security level for your site, which determines the required tasks to prepare the security environment before installing Caché.

Important:
If your security environment is more complex than those this document describes, contact the InterSystems Worldwide Response Center (WRC) for guidance in setting up such an environment.
Preparing the Security Environment for Kerberos
These sections describe the installation preparation for three types of environments:
  1. Windows-only Environment
    This configuration uses a Windows domain controller for KDC functionality with Caché servers and clients on Windows machines. A domain administrator creates domain accounts for running the Caché services on Caché servers.
    See the Creating Service Accounts on a Windows Domain Controller for Windows Caché Servers section for the requirements of using Windows Caché servers. Depending on the applications in use on your system, you may also need to perform actions described in the Configuring Windows Kerberos Clients section.
  2. Mixed Environment Using a Windows Domain Controller
    This configuration uses a Windows domain controller with Caché servers and clients on a mix of Windows and non-Windows machines. See the sections Creating Service Accounts on a Windows Domain Controller for Windows Caché Servers and Creating Service Accounts on a Windows Domain Controller for Non-Windows Caché Servers for the requirements of using both kinds of Caché server.
  3. Non-Windows Environment
    This configuration uses a UNIX®, Mac, or OpenVMS Kerberos KDC with Caché servers and clients all on non-Windows machines. See the sections Creating Service Principals on a KDC for Non-Windows Caché Servers and Key File Characteristics for the requirements of using such a KDC with Caché servers.
All Caché supported platforms have versions of Kerberos supplied and supported by the vendor; see the appropriate operating system documentation for details. If you choose to use Kerberos, you must have a Kerberos key distribution center (KDC) or a Windows domain controller available on your network. Microsoft Windows implements the Kerberos authentication protocol by integrating the KDC with other security services running on the domain controller.
A Note on Terminology
This document refers to related, but distinct entities:
Creating Service Accounts on a Windows Domain Controller for Windows Caché Servers
Before installing Caché in a Windows domain, the Windows domain administrator must create a service account for each Caché server instance on a Windows machine using the Windows domain controller.
Account Characteristics
When you create this account on the Windows domain controller, configure it as follows:
Important:
If a domain-wide policy is in effect, you must add this service account to the policy for Caché to function properly.
Names and Naming Conventions
In an environment where clients and servers are exclusively on Windows, there are two choices for naming service principals: a name that follows Kerberos conventions (service/fully_qualified_domain_name, registered with setspn), or any unique string. Each choice involves a slightly different process of configuring a connection to a server, as described in the following two sections.
Names That Follow Kerberos Conventions
For a name that follows Kerberos conventions, the procedure is:
  1. Run the Windows setspn command, specifying the service principal name in the form service_principal/fully_qualified_domain_name, where service_principal is typically cache and fully_qualified_domain_name is the machine name along with its domain. For example, a service principal name might be cache/cacheserver.example.com. For detailed information on the setspn tool, see the Setspn Syntax page on the Microsoft TechNet web site.
  2. In the Caché Server Manager dialog for adding a new preferred server, choose Kerberos. What you specify for the Service Principal Name field should match the principal name specified in setspn.
For detailed information on configuring remote server connections, see the Connecting to Remote Servers chapter of the Caché System Administration Guide.
Names That Are Unique Strings
For a name that uses any unique string, the procedure is:
  1. Choose a name for the service principal.
  2. In the Caché Server Manager dialog for adding a new preferred server, choose Kerberos. Specify the selected name for the service principal in the Service Principal Name field.
If you decide not to follow Kerberos conventions, a suggested naming convention for each account representing a Caché server instance is cacheHOST, which is the literal cache followed by the host computer name in uppercase. For example, if you are running a Caché server on a Windows machine called WINSRVR, name the domain account cacheWINSRVR.
For more information on configuring remote server connections, see the Connecting to Remote Servers chapter of the Caché System Administration Guide for the detailed procedure.
Creating Service Accounts on a Windows Domain Controller for Non-Windows Caché Servers
Before you install Caché in a Windows domain, you need to create a service account on the Windows domain controller for each Caché server on a non-Windows machine. Create one service account for each machine, regardless of the number of Caché server instances on that machine.
A suggested naming convention for these accounts is cacheHOST, which is the literal cache followed by the host computer name in uppercase. For example, if you run a Caché server on a non-Windows machine called UNIXSRVR, name the domain account cacheUNIXSRVR. For Caché servers on non-Windows platforms, this is the account that maps to the Kerberos service principal.
Important:
When you create this account on the Windows domain controller, Caché requires that you set the Password never expires property for the account. Because the key placed in the keytab is derived from this password, choose a long random password for the account rather than one a person would type.
To set up a non-Windows Caché server in the Windows domain, it must have a keytab file from the Windows domain. A keytab file is a file containing the service name for the Caché server and its key.
To accomplish this, map the Windows service account (cacheUNIXSRVR, in this example) to a service principal on the Caché server and extract the key from the account using the ktpass command-line tool on the domain controller; this is available as part of the Windows support tools from Microsoft.
The command maps the account just set up to a service principal on the UNIX® or OpenVMS machine; it also generates a key for the account. The command must specify the following parameters:
Parameter | Description
-princ | The principal name, in the form cache/<fully qualified hostname>@<kerberos realm>.
-mapuser | The name of the account created, in the form cache<HOST>.
-pass | The password specified during account creation.
-crypto | The encryption type to use (the default is DES-CBC-CRC unless specified otherwise). DES-CBC-CRC is a weak, deprecated cipher that current Windows versions disable by default; if the domain controller and the Caché server both support a stronger type, use it.
-out | The keytab file you generate to transfer to the Caché server machine, where you replace or merge it with the existing keytab file.
Important:
The principal name on UNIX® and OpenVMS platforms must take the form shown in the table with the literal cache as the first part.
Once you have generated a key file, move it to a file on the Caché server with the key file characteristics described in the following section.
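As an added example, not taken from the InterSystems guide, the following POSIX shell script assembles the ktpass invocation from the parameters in the table above and then performs the steps on the UNIX® Caché server that consume its output: merging the transferred keytab with MIT ktutil, restricting the file, and proving that the key is usable by obtaining a ticket with kinit -k. The host name unixsrvr.example.com, the realm EXAMPLE.COM, the owner argument and the default keytab path /etc/krb5.keytab are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the InterSystems guide). Hostnames, realm,
# owner and keytab path are assumptions for illustration.

# Service principal in the form the guide requires:
# cache/<fully qualified hostname>@<kerberos realm>
cache_principal() {
    printf 'cache/%s@%s\n' "$1" "$2"
}

# Domain account name per the suggested convention: the literal "cache"
# followed by the short host name in uppercase (unixsrvr -> cacheUNIXSRVR)
cache_account() {
    short=${1%%.*}
    printf 'cache%s\n' "$(printf '%s' "$short" | tr '[:lower:]' '[:upper:]')"
}

# Builds the ktpass command to run on the Windows domain controller.
# Arguments: fqdn realm password output-keytab [crypto]
# Pass '*' as the password so ktpass prompts for it instead of leaving it
# in the command history. DES-CBC-CRC is the default named in the guide;
# it is weak and disabled by default on current Windows, so prefer a type
# such as AES256-SHA1 when the KDC and server both support it.
ktpass_command() {
    printf 'ktpass -princ %s -mapuser %s -pass %s -crypto %s -out %s\n' \
        "$(cache_principal "$1" "$2")" "$(cache_account "$1")" "$3" \
        "${5:-DES-CBC-CRC}" "$4"
}

# On the Caché server, after copying the keytab over a protected channel
# (for example scp): merge it into the system keytab, lock the file down,
# and verify the key against the KDC.
# Arguments: transferred-keytab fqdn realm owner [system-keytab]
install_keytab() {
    new=$1; fqdn=$2; realm=$3; owner=$4; keytab=${5:-/etc/krb5.keytab}
    princ=$(cache_principal "$fqdn" "$realm")
    tmp="$keytab.new"
    rm -f "$tmp"
    # ktutil (MIT): read the existing keytab if there is one, read the new
    # one, and write the union to a fresh file (wkt appends to an existing
    # file, so writing back in place would duplicate entries)
    {
        [ -f "$keytab" ] && printf 'rkt %s\n' "$keytab"
        printf 'rkt %s\nwkt %s\nquit\n' "$new" "$tmp"
    } | ktutil
    chown "$owner" "$tmp" && chmod 600 "$tmp" && mv "$tmp" "$keytab"
    # the merged file must now list the Caché service principal
    klist -k "$keytab" | grep -F -q "$princ" || {
        echo "$princ is not present in $keytab" >&2
        return 1
    }
    # obtaining a TGT with the keytab fails if the key or its version
    # number disagrees with what the KDC holds for the principal
    kinit -k -t "$keytab" "$princ" && kdestroy
}

# Stand-alone usage (assumed invocation):
#   ./install-cache-keytab.sh cache.keytab unixsrvr.example.com EXAMPLE.COM cacheowner
if [ $# -ge 4 ]; then
    install_keytab "$@"
fi
```

The kinit -k step is the check worth keeping: a keytab that merely contains the principal name can still be useless if the domain controller regenerated the key (for instance after a password change on the service account), and only a ticket request exposes that.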
Creating Service Principals on a KDC for Non-Windows Caché Servers
In a non-Windows environment, you must create a service principal for each UNIX®, Mac, or OpenVMS Caché server that uses a UNIX®, Mac, or OpenVMS KDC. The service principal name is of the form cache/<fully qualified hostname>@<kerberos realm>.
Key File Characteristics
Once you have created this principal, extract its key to a key file on the Caché server with the following characteristics:
Configuring Windows Kerberos Clients
If you are using Windows clients with Kerberos, you may also need to configure them so that Windows does not prompt the user to enter credentials. This is required if you are using a program that cannot prompt for credentials; otherwise, the program is unable to connect.
To configure Windows not to prompt for credentials, the procedure is:
  1. On the Windows client machine, start the registry editor, regedit.exe.
  2. Under the key that holds the Kerberos parameters, set the value of AllowTgtSessionKey to 1.
Setting AllowTgtSessionKey makes the session key of the user's TGT available to applications running in that user's session, so apply this setting only on clients that need it.
Testing Kerberos KDC Functions
When using Kerberos in a system of only non-Windows servers and clients, it is simplest to use a native UNIX® or OpenVMS KDC rather than a Windows domain controller. Consult the vendor documentation on how to install and configure the KDC; these are usually tasks for your system administrator or system manager.
When installing Kerberos, there are two sets of software to install:
After installing the required Kerberos software, you can perform a simple test using the kadmin, kinit, and klist commands to add a user principal to the Kerberos database, obtain a TGT (ticket-granting ticket) for this user, and list the TGT.
Once you successfully complete a test to validate that Kerberos is able to provide tickets for registered principals, you are ready to install Caché.
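As an added example that is not part of the guide, the following POSIX shell script performs the kadmin/kinit/klist check described above against an MIT Kerberos KDC: it adds a throwaway user principal, obtains a TGT for it, confirms from the klist output that the TGT is present, and removes the principal again. The realm EXAMPLE.COM, the principal name cachetest, and the sample klist listing used to exercise the check are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the InterSystems guide). Realm, principal name
# and the sample klist output below are constructed for illustration.

# has_tgt REALM: reads klist output on stdin and succeeds only if it lists
# a ticket-granting ticket for REALM, i.e. the service principal
# krbtgt/REALM@REALM. Pure text check, so it can be run without a KDC.
has_tgt() {
    grep -F -q "krbtgt/$1@$1"
}

# kdc_smoke_test REALM [PRINCIPAL] [PASSWORD]
# Runs on the KDC host with privileges to use kadmin.local, which reads the
# Kerberos database directly and so needs no ticket of its own.
kdc_smoke_test() {
    realm=$1
    princ=${2:-cachetest}
    # random throwaway password unless one is supplied
    pw=${3:-$(head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n')}
    # note: the password is visible in this process's argument list while
    # kadmin.local runs; acceptable for a throwaway test principal only
    kadmin.local -q "addprinc -pw $pw $princ@$realm" >/dev/null
    kdestroy >/dev/null 2>&1
    # kinit reads the password from stdin when stdin is not a terminal
    printf '%s\n' "$pw" | kinit "$princ@$realm"
    if klist | has_tgt "$realm"; then
        echo "KDC issued a TGT for $princ@$realm"
        rc=0
    else
        echo "no TGT for $princ@$realm in the credential cache" >&2
        rc=1
    fi
    kdestroy
    kadmin.local -q "delprinc -force $princ@$realm" >/dev/null
    return $rc
}

# Constructed klist output (not captured from a real system), used to show
# what has_tgt looks for.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: cachetest@EXAMPLE.COM

Valid starting       Expires              Service principal
01/01/2024 09:00:00  01/01/2024 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# Stand-alone usage (assumed invocation): ./kdc-smoke-test.sh EXAMPLE.COM
if [ $# -ge 1 ]; then
    kdc_smoke_test "$@"
fi
```

Creating and deleting a dedicated test principal keeps the check independent of any real account, and looking specifically for krbtgt/REALM@REALM in the cache distinguishes a genuine TGT from leftover service tickets in a stale credential cache.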
Initial Caché Security Settings
During installation, there is a prompt for one of three sets of initial security settings: Minimal, Normal, and Locked Down. This selection determines the initial authorization configuration settings for Caché services and security, as shown in the following sections:
If you select Normal or Locked Down for your initial security setting, you must provide additional account information to the installation procedure. If you are using Kerberos authentication, you must select Normal or Locked Down mode. See the User Account Configuration section for details.
Important:
If you are concerned about the visibility of data in memory images (often known as core dumps), see the section Protecting Sensitive Data in Memory Images in the “System Management and Security” chapter of the Caché Security Administration Guide.
Initial User Security Settings
The following tables show the user password requirements and settings for predefined users based on which security level you choose.
Initial User Security Settings
Security Setting | Minimal | Normal | Locked Down
Password Pattern | 3.32ANP | 3.32ANP | 8.32ANP
Inactive Limit | 0 (never disabled) | 90 days | 90 days
Enable _SYSTEM User | Yes | Yes | No
Roles assigned to UnknownUser | %All | None | None
You can maintain both the password pattern and inactive limit values from the [Home] > [Security Management] > [System Security Settings] > [System-wide Security Parameters] page of the System Management Portal. See the System-wide Security Parameters section of the “System Management and Security” chapter of the Caché Security Administration Guide for more information.
After installation, you can view and maintain the user settings at the [Home] > [Security Management] > [Users] page of the System Management Portal.
Password Pattern
When Caché is installed, it has a default set of password requirements. For locked-down installations, the initial requirement is that a password be from 8 to 32 characters consisting of alphabetic, numeric, or punctuation characters; the abbreviation for this is 8.32ANP, where 8.32 is the allowed length range and A, N, and P are the pattern codes for alphabetic, numeric, and punctuation characters. Otherwise, the initial requirement is that the password be from 3 to 32 characters drawn from the same classes (3.32ANP).
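As an added example, not from the guide, the following POSIX shell function checks a candidate password against a pattern written in this min.maxCODES notation. It handles the A, N, and P codes used on this page; the sample passwords in the usage note are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the InterSystems guide): validates a password
# against a Caché-style pattern such as 8.32ANP. Only the codes A, N and
# P are handled here. Assumption: P is taken to cover the POSIX [:punct:]
# characters plus the space character.

# password_matches PATTERN PASSWORD -> exit 0 if PASSWORD satisfies PATTERN
password_matches() {
    pattern=$1; pw=$2
    case $pattern in *.*) ;; *) return 2;; esac   # needs min.max form
    min=${pattern%%.*}            # "8.32ANP" -> 8
    rest=${pattern#*.}            # -> "32ANP"
    max=${rest%%[!0-9]*}          # -> 32
    codes=${rest#"$max"}          # -> "ANP"
    len=${#pw}
    # length must fall inside the min.max range
    [ "$len" -ge "$min" ] && [ "$len" -le "$max" ] || return 1
    # build the bracket expression of permitted character classes
    classes=''
    case $codes in *A*) classes="${classes}[:alpha:]";; esac
    case $codes in *N*) classes="${classes}[:digit:]";; esac
    case $codes in *P*) classes="${classes}[:punct:] ";; esac
    [ -n "$classes" ] || return 2
    # any character outside the permitted classes fails the match
    case $pw in *[!$classes]*) return 1;; esac
    return 0
}

# Stand-alone usage (assumed invocation): ./pwpattern.sh 8.32ANP 'candidate'
if [ $# -eq 2 ]; then
    if password_matches "$1" "$2"; then
        echo "password satisfies $1"
    else
        echo "password does not satisfy $1" >&2
        exit 1
    fi
fi
```

With 8.32ANP, a made-up password such as Tr0ub4dor! passes (10 characters, all alphabetic, numeric, or punctuation), while short1! fails on length alone and anything containing a control character fails the class check regardless of length.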
Inactive Limit
This value is the number of days an account can be inactive before it is disabled. For minimal installations, the limit is set to 0 indicating that accounts are not disabled, no matter how long they are inactive. Normal and locked-down installations have the default limit of 90 days.
Enable _SYSTEM User
In versions of Caché prior to 5.1, every installed system included an SQL System Manager user named _SYSTEM with the password SYS. This version instead creates the following predefined users, all with the password you provide during installation: _SYSTEM, Admin, SuperUser, CSPSystem, and the instance owner (the installing user on Windows, or the username given to the installer on other platforms).
For more details on these predefined users, see the Predefined User Accounts section of the “Users” chapter of the Caché Security Administration Guide.
Roles Assigned to UnknownUser
When an unauthenticated user connects, Caché assigns a special name, UnknownUser, to $USERNAME and assigns the roles defined for that user to $ROLES. The UnknownUser is assigned the %All role with a Minimal-security installation; UnknownUser has no roles when choosing a security level other than Minimal.
For more details on the use of $USERNAME and $ROLES, see the Users and Roles chapters of the Caché Security Administration Guide.
Initial Service Properties
Services are the primary means by which users and computers connect to Caché. For detailed information about the Caché services see the Services chapter of the Caché Security Administration Guide.
Initial Service Properties
Service Property | Minimal | Normal | Locked Down
Use Permission is Public | Yes | Yes | No
Requires Authentication | No | Yes | Yes
Enabled Services | Most | Some | Fewest
Use Permission is Public
If the Use permission on a service resource is Public, any user can employ the service; otherwise, only privileged users can employ the service.
Requires Authentication
For installations with initial settings of locked down or normal, all services require authentication of some kind (Caché login, operating-system–based, or Kerberos). Otherwise, unauthenticated connections are permitted.
Enabled Services
The initial security settings of an installation determine which services are enabled or disabled when Caché first starts. The following table shows these initial settings:
Initial Enabled Settings for Services
Service | Minimal | Normal | Locked Down
%Service_Bindings | Enabled | Enabled | Disabled
%Service_CSP | Enabled | Enabled | Enabled
%Service_CacheDirect | Enabled | Disabled | Disabled
%Service_CallIn | Enabled | Disabled | Disabled
%Service_ComPort | Disabled | Disabled | Disabled
%Service_Console* | Enabled | Enabled | Enabled
%Service_ECP | Disabled | Disabled | Disabled
%Service_MSMActivate | Disabled | Disabled | Disabled
%Service_Monitor | Disabled | Disabled | Disabled
%Service_Shadow | Disabled | Disabled | Disabled
%Service_Telnet* | Disabled | Disabled | Disabled
%Service_Terminal† | Enabled | Enabled | Enabled
%Service_WebLink | Disabled | Disabled | Disabled
* Service exists on Windows servers only
† Service exists on non-Windows servers only
After installation, you can view and maintain these services at the [Home] > [Security Management] > [Services] page of the System Management Portal.
User Account Configuration
If you select Normal or Locked Down for your initial security setting, you must provide additional information to the installation procedure:
  1. User Credentials for Windows server installations only — Choose an existing Windows user account under which to run the Caché service. You can choose the default system account, which runs Caché as the Windows Local System account, or enter a defined Windows user account.
    Important:
    If you are using Kerberos, you must enter a defined account that you have set up to run the Caché service. InterSystems recommends you use a separate account specifically set up for this purpose, as described in the Creating Service Accounts on a Windows Domain Controller for Windows Caché Servers section.
    The installation verifies the following if you enter a defined user account:
  2. Caché Users Configuration for Windows installations — The installation creates a Caché account with the %All role for the user that is installing Caché to grant that user access to services necessary to administer Caché.
    Owner of the instance for non-Windows installations — Enter a username under which to run Caché. Caché creates an account for this user with the %All role.
    Enter and confirm the password for this account. The password must meet the criteria described in the Initial User Security Settings table.
    Setup creates the following Caché accounts for you: _SYSTEM, Admin, SuperUser, CSPSystem, and the instance owner (installing user on Windows or specified user on other platforms) using the password you provide.
Important:
If you select Minimal for your initial security setting on a Windows installation, but Caché requires network access to shared drives and printers, you must manually change the Windows user account under which to run the Caché service. Choose an existing or create a new account that has local administrative privileges on the server machine.
The instructions in the platform-specific chapters of this guide provide details about installing Caché. After reading the Caché Security Administration Guide introduction and following the procedures in this appendix, you are prepared to provide the pertinent security information to these installation procedures.