This utility addresses the setup and maintenance of the data essential to the proper functioning of InterSystems security.
Note:
Effective with InterSystems IRIS 2021.2, exported and imported security information is versioned. In 2021.2 and all subsequent versions, you can import settings from the same or any later version. For example, in version 2022.1 you can import settings from 2022.1 (the same version) and 2023.1 (an arbitrary later version). Any needed conversions occur automatically on import.
-
User setup
Users represent actual people or other entities who are permitted access to the system. You can create, edit, delete, list, export, and import users.
-
Role setup
InterSystems IRIS users have the ability to perform actions based on their roles. You can create, edit, delete, list, export, and import roles.
-
Service setup
Services control predefined technologies that support connections to InterSystems IRIS. You can edit, list, export, and import services.
-
Resource setup
Resources represent assets that require security management; a resource may represent a single asset such as a database, or it may protect multiple (usually related) assets such as a suite of applications. You can create, edit, delete, list, export, and import resources.
-
Application setup
Application definitions represent applications, and there are several types. In each submenu, you can edit, list, export, and import each application type.
Note:
Because client applications are only available on Windows, the options associated with client applications do not appear on other operating systems.
-
Auditing setup
Auditing allows InterSystems IRIS to track security-related events. You can enable and disable auditing, view the audit database, configure audit events, and manage the audit log.
-
Note:
This option is available in legacy products, but not in InterSystems IRIS.
-
SSL configuration setup
TLS, the successor to SSL, provides authentication and other functionality, including for use with mirroring. You can create, edit, delete, list, test, export, and import TLS configurations.
-
Mobile phone service provider setup
To support two-factor authentication, users must register their mobile phone and service provider. You can create, edit, delete, and list mobile phone service providers.
-
OpenAM Identity Services setup
OpenAM identity services allow InterSystems IRIS to support single sign-on (SSO). If users have already successfully authenticated, OpenAM eliminates the need to re-authenticate. Using this option, you can use the %SYS.OpenAM.IdentityServices class API to authenticate against a specified OpenAM server. You can create, edit, delete, and list OpenAM identity services.
Note:
To use OpenAM via a web policy agent, you must install and configure the web policy agent on the web server that you are using with InterSystems IRIS.
When a user connects, the web policy agent redirects that user to the OpenAM server. The OpenAM server authenticates the user and directs them to the system to which they are connecting; it also provides them with an OpenAM token in a cookie. The web policy agent recognizes the token, validates it with the OpenAM server, sets the value of the REMOTE_USER variable to their username, and connects to the web server. The web application can then set $USERNAME to the value of REMOTE_USER, such as through delegated authentication. Subsequent connections to any supported service validate the token, so the original authentication is persistent.
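The last step of that flow, setting $USERNAME from REMOTE_USER through delegated authentication, is shown below as an added example; it is not InterSystems code and not part of the %SYS.OpenAM.IdentityServices API. It assumes the login arrives through a web application (so the %request object is available to the routine), that the web server passes REMOTE_USER as a CGI variable readable via %request.CgiEnvs, and that the ZAUTHENTICATE routine is compiled in the %SYS namespace; the role and full-name values are hypothetical placeholders.

```objectscript
#include %occStatus
#include %occErrors

/// Added example: delegated-authentication routine ZAUTHENTICATE (in %SYS) that
/// trusts REMOTE_USER only because the OpenAM web policy agent on the web server
/// has already validated the user's token before setting that variable.
ZAUTHENTICATE(ServiceName, Namespace, Username, Password, Credentials, Properties) PUBLIC {
    // Assumption: %request (the CSP request object) exists only for web logins.
    // Logins arriving through other services have no policy agent in front of
    // them, so there is nothing to inherit and the login is refused.
    If '$Data(%request) Quit $SYSTEM.Status.Error($$$AccessDenied)

    // Assumption: the web server exposes the agent-set REMOTE_USER as a CGI
    // variable. An empty value means the request did not pass through the agent.
    Set remoteUser = $Get(%request.CgiEnvs("REMOTE_USER"))
    If remoteUser = "" Quit $SYSTEM.Status.Error($$$UserDoesNotExist, Username)

    // Properties("Username") is what the instance records as $USERNAME.
    Set Properties("Username") = remoteUser
    Set Properties("FullName") = "OpenAM user " _ remoteUser   // hypothetical
    Set Properties("Roles") = "%Developer"                      // hypothetical role mapping
    Set Properties("Password") = ""                             // no password to store locally
    Quit $$$OK
}
```

Keep the role mapping narrow: because REMOTE_USER is trusted without a password check, the roles granted here are the roles anyone with a valid OpenAM session receives, so derive them from an OpenAM attribute or a local table rather than a fixed privileged role.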
-
Encryption key setup
InterSystems IRIS uses keys to encrypt databases or user-specified data elements. You can create and manage keys in files, activate and deactivate keys, list keys, specify default keys, configure encryption startup options, and modify the encryption status of a database.
-
System parameter setup
The system parameters specify system-wide security values. You can:
-
Edit system options (manage configuration security, specify the use of multiple domains, manage the default domain, manage inactive account and login limits, manage password expiration duration, manage password requirements, specify a password validation routine, manage writing to percent (%) globals, specify a required role for the system, specify the required or permitted TLS server authentication mode, and specify the default signature hash)
-
Display system options
-
Enable and disable authentication options.
-
Create, edit, delete, list, export, and import LDAP configurations.
-
Export and import all security settings, including those for SQL privileges. (See note above about exporting and importing security information.)
Note also:
-
If you are importing security settings from a source instance configured with multiple domains to a target instance not configured to allow multiple domains and the source instance’s default domain differs from that of the target instance, then the import does not update the target’s default domain — you must explicitly set this value. To do this, use the Default security domain drop-down on the System-wide Security Parameters page (System Administration > Security > System Security > System-wide Security Parameters).
-
When importing all security settings, the import/export file includes web application settings; each web application has a Path setting. Before importing settings onto a new drive, VM, or hardware, for each web application, ensure that the value of the Path setting is accurate for that environment. If the web applications associated with the Management Portal do not have correct Path values, the Management Portal will not display correctly.
To locate the Path setting for each web application in the import/export file (SecurityExport.xml), look in the ApplicationsExport section; in each Applications section, identify the application by the value of the Name setting; then update the value of the Path setting as appropriate.
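As an added example (not InterSystems code), the following class method walks a SecurityExport.xml file with %XML.TextReader, prints the Name and Path of every web application, and flags paths that do not exist on the host where the import will run, so they can be corrected before importing all security settings onto a new drive, VM, or machine. It assumes the element names the documentation gives (an ApplicationsExport section containing Applications sections, each with Name and Path children); the class name, the default file name and the `missing` output count are this example's own.

```objectscript
Class Example.SecurityExportCheck Extends %RegisteredObject
{

/// Added example: report each web application's Path from a security export
/// and count the ones that do not exist on this host.
/// Assumption: elements are named ApplicationsExport / Applications / Name / Path
/// as described in the documentation for the export file.
ClassMethod CheckPaths(file As %String = "SecurityExport.xml", Output missing As %Integer) As %Status
{
    Set missing = 0
    Set sc = ##class(%XML.TextReader).ParseFile(file, .reader)
    If $$$ISERR(sc) Quit sc
    Set inApp = 0, element = "", name = "", path = ""
    While reader.Read() {
        If reader.NodeType = "element" {
            Set element = reader.Name
            If element = "Applications" Set inApp = 1, name = "", path = ""
        }
        ElseIf (reader.NodeType = "chars") && inApp {
            // Only Name and Path inside an Applications section are of interest.
            If element = "Name" Set name = reader.Value
            If element = "Path" Set path = reader.Value
        }
        ElseIf reader.NodeType = "endelement" {
            If reader.Name = "Applications" {
                Set inApp = 0
                If path = "" {
                    Set status = "no Path"
                } ElseIf ##class(%File).DirectoryExists(path) {
                    Set status = "ok"
                } Else {
                    Set status = "MISSING", missing = missing + 1
                }
                Write name, ?40, path, ?90, status, !
            }
            // Whitespace after a closing tag must not overwrite a captured value.
            Set element = ""
        }
    }
    Quit $$$OK
}

}
```

Run it on the target machine as `Do ##class(Example.SecurityExportCheck).CheckPaths("/path/to/SecurityExport.xml", .missing)`; any application reported as MISSING (the Management Portal applications in particular) needs its Path value edited in the file before the import, otherwise the portal will not display correctly.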
-
X509 User setup
X.509 is the standard for certificates that a public key infrastructure (PKI) uses. InterSystems IRIS uses X.509 certificates for its PKI, and each user associated with an X.509 certificate is known as an X.509 user. You can create, edit, delete, list, export, and import them.
-
KMIP server setup
A KMIP server is a key management server that communicates using the key management interoperability protocol (KMIP). You can create, edit, delete, list, test, export, and import KMIP server configurations.
-
Exit