InterSystems IRIS for Health™ Upgrade Checklist (2022.1)

DP-282954

CWE: CWE-208: Observable Timing Discrepancy
Severity: Medium
CVSS Score: 5.3
Version: 2022.1.0

FIXED: An unauthenticated actor may have been able to use a timing discrepancy to determine existing usernames for the instance.

DP-406999

CWE: CWE-20: Improper Input Validation
Severity: Medium
CVSS Score: 6.3
Version: 2022.1.0

FIXED: Due to improper input validation, a user with access to terminal may be able to execute arbitrary commands with %All privilege.

DP-408556

CWE: CWE-287: Improper Authentication
Severity: Medium
CVSS Score: 5.3
Version: 2022.1.0

FIXED: SSL/TLS clients performing hostname checking may send some of the message payload contents before the hostname check occurs, potentially disclosing information to a server that would later fail the hostname check.

DP-417272

CWE: CWE-285: Improper Authorization
Severity: Medium
CVSS Score: 4.2
Version: 2022.1.0

FIXED: In rare circumstances, a user may be able to run a cached query for which they did not have privileges.

DP-401734: Prevent missed updates from the DSTIME list when using %FixBuildErrors/%ProcessFact and %SynchronizeCube

Category: Business Intelligence
Platforms: All
Version: 2021.2.0

This change corrects a bug in which updates to a source record were not caught by a call to %SynchronizeCube() in the following scenario:

1. Multiple records are updated or inserted in the source class, and logged to ^OBJ.DSTIME.
2. CubeA, based on that source class, is synchronized, processing ^OBJ.DSTIME into ^DeepSee.Update.
3. %ProcessFact() is called for one or more records (but not all the updated records) on CubeB, which is also based on the same source class. This updates the facts in question and runs %SetCubeDSTime() for CubeB, marking it as up-to-date with ^DeepSee.Update as of the current time.
4. CubeB is synchronized and does not receive updates for records that were updated or inserted in step 1 but not processed in step 3.

Note that this change removes the automatic advancement of the cube's timestamp when using %ProcessFact(), so applications relying on %ProcessFact() for updates will need to manually advance the cube timestamp.

DP-403240: Cube <expression> cannot have a period character in its logical name

Category: Business Intelligence
Platforms: All
Version: 2021.2.0

With this release, any cube <expression> element which uses the period (.) character in the logical name will throw a compile error. Cubes that were successfully compiled in a previous release will still function exactly as they did before until they are recompiled. You should update each <expression> element to remove any period (.) characters and recompile so that future compiles will succeed.

This change means that an intermediate expression in Architect can return an object with properties, rather than a single value.

DP-404204: Upgrading containers and file ownership changes

Category: Cloud
Platforms: Cloud
Versions: 2020.1.1, 2021.1.1, 2021.2.0

The volume mounted for durable %SYS must now be writeable by user 51773 (irisowner), because cloning into that directory now happens as irisowner instead of root. When it isn't writeable, startup will fail. The cloud distribution now uses a non-root install, not a traditional installation. All files are now owned by 51773:51773 (aka irisowner:irisowner). The installation directory has not changed (still /usr/irissys). 

Before upgrading, users (excluding those using ICM or IKO) MUST chown their durable %SYS directory ($ISC_DATA_DIRECTORY) so that all files are owned by irisowner, for example:

chown -R 51773:51773 $ISC_DATA_DIRECTORY

This will most likely need to be done as root. IKO and ICM perform this ownership change automatically. 

For locked down images, the installation directory ($ISC_PACKAGE_INSTALLDIR) has changed from /home/irisowner/IRIS to /usr/irissys.

Upgrades with IRIS-lockeddown and IRISHealth-lockeddown between versions pre- and post- this change are not supported and will not succeed.

DP-404238: Limit use of PasswordHash to initial configuration

Category: Cloud
Platforms: Cloud
Versions: 2021.1.1, 2021.2.0

PasswordHash makes it easy to change system-wide passwords during the initial system configuration. The password change is effective before the instance is initialized. In previous releases, you could also use this feature to make system-wide password changes once the system was in use and no longer had the initial passwords. With this change, PasswordHash can only be used during the initial system configuration and cannot be used later to change passwords.

Specifically, PasswordHash will only be processed if the existing hash matches a known, fixed value used to set the initial password.

DP-409557: ICM has new default WebServerPort 57772

Category: Cloud
Platforms: All
Version: 2022.1.0

In this release, ICM uses a default web server port 57772. In previous releases, it used 52773. If your deployment expects the previous default port, you should override WebServerPort to match your existing deployment, using the JSON field "WebServerPort".

DP-413775: Change a few DataMove APIs

Category: DataMove
Platforms: All
Version: 2022.1.0

Several of the DataMove API's have been changed to add a new first parameter "Name" in the DataMove.API class as follows:

MapInitialize(Name as %String, Namespaces As %String)
MapGlobalsCreate(Name as %String, Namespace As %String, GblName As %String, ByRef Properties As %String)
MapGlobalsDelete(Name as %String, Namespace As %String, GblName As %String) As %Status
MapGlobalsModify(Name as %String, Namespace As %String, GblName As %String, ByRef Properties As %String)

Customer will need to update their scripts to add this new parameter.

DP-409755: Remove $system.Python.Install()

Category: Embedded Python
Platforms: All
Version: 2021.2.0

This change removes $system.Python.Install().

To install Python packages for your system, you should only use

pip3 install

DP-407501: 32-bit processes and external language servers

Category: Gateways - .NET
Platforms: All
Versions: 2021.1.1, 2021.2.0

External language servers that do not have "Exec 32" checked will change from executing as a 32-bit process to executing as a 64-bit process when started from the Management Portal. This will only affect you if you are loading external assemblies compiled for x86 and did not check the Exec 32 box of the server definition.

DP-410470: Change in behavior to deprecated $view(n,-5)

Category: Global Module
Platforms: All
Version: 2022.1.0

Although it is now an undocumented internal function, $view(n,-5) may still be used in legacy code.

The behavior of $view(n,-5) for even values of 'n' has changed when the block in the view buffer is a (type 8) data block. If the value to be returned (the value of node number n/2) is a big string, a <VALUE OUT OF RANGE> error will now be thrown. Before this change, the big string block numbers stored in the data block would be read in a best-effort attempt to return the big string value. That however could lead to unexpected behavior on systems if the database had changed in the interim. The unexpected behavior could include <DATABASE>, an invalid value, or under very rare circumstances, a cache coherency issue. Code that uses this function may need to be reviewed and remedied as follows:

• For callers of $view(n,-5) for even values of 'n' that intend to operate only on pointer blocks, but may have ended up with a data block in the view buffer due to concurrent changes to the database, either (a) check that the block type in the header matches the expected type or (b) trap the error and treat <VALUE OUT OF RANGE> as invalid block. Note that (a) is best practice and if not done then such code was already subject to bad behavior due to the possibility of getting an unexpected data block value that may be confused for a down pointer value.
• For callers that intend to retrieve global values from a data block, either trap the error from $view(n,-5), or use $v(n,-6) to check the node type first. In either case, if the value is needed, get the current value by constructing the appropriate glvn (based on $view(n-1,-5)) to use $data or $get with indirection.

Note that before this change, when operating on a data block from a remote database, a big string value may have been returned as null.   With this change the behavior is the same for local and remote databases, throwing <VALUE OUT OF RANGE> error.

DP-408131: Accessing install directory on Windows from ODBC requires additional privileges

Category: Installation
Platforms: Windows
Version: 2022.1.0

Users in "Authenticated Users" group no longer are able to write files into the installation directory in locked down install without additional privileges.

DP-404469: New privilege needed to schedule Ens.Util.Tasks.Purge* tasks

Category: Interoperability
Platforms: All
Version: 2022.1.0

To schedule Ens.Util.Tasks.Purge* tasks, the user must have the %Ens_PurgeSchedule:USE privilege, which is granted by the %EnsRole_Administrator role, and which can be added to custom roles. The %Ens_MessageResubmit and %Ens_SequenceManager resources no longer exist; no customer code should have referenced them directly.

DP-405689: BPL calls now respect async="true" setting

Category: Interoperability
Platforms: All
Version: 2021.2.0

In previous releases, BPL calls with async="true" were run synchronously, not asynchronously. In this release, this setting is respected and the call be will run asynchronously.

DP-13515: If compact double is enabled, all clients must support it

Category: JDBC
Platforms: All
Version: 2021.2.0

Users who enable the Compact Double feature will need to ensure that all clients, such as xDBC and Native, have been upgraded to a version that supports Compact Double; otherwise they will fail to connect. Users who do not enable Compact Double will not be affected. In previous releases, the Compact Double Feature was not available. If you do not enable it, you will be able to connect with all clients that you could in the previous version, but if you do enable it, you may not be able to connect with some of these clients.

DPP-367: Need new drivers for new SQL syntax features

Category: JDBC
Platforms: All
Version: 2021.2.0

Although existing SQL code will continue to work with the previous JDBC and ODBC drivers, if you want to use the new SQL syntax features, such as SQL LOAD, you'll need to update your JDBC or ODBC driver to the one provided with this release. Some applications, such as DBeaver, come with an InterSystems IRIS driver included, but you can still point it to a newer version of the library if you want.

DP-10904: Journaling files may be compressed

Category: Kernel
Platforms: All
Version: 2021.2.0

The system can now automatically compress journal files after they are created to reduce the amount of space consumed by older journal files. Compressed files have a 'z' appended to their name. Any code which scans for journal files by name needs to be updated to cater for this change (if compression is enabled).

The size column in the %SYS.Journal.ByTimeReverseOrder query is the size on disk. Previously the size on disk and the amount of journal data in a file were more or less the same but with compressed files this is no longer the case. $$$GetJrnDataSize(%jrnfile) in %syJrninc.inc will return the amount of journal data in a file (from the journal file header) regardless of whether a file is compressed or not.

Compression is enabled by default during an upgrade from a version which did not support it.

DP-13424: Cannot connect with ECP to older releases by default

Category: Kernel
Platforms: All
Version: 2021.2.0

By default, this release may compress compiled routines to improve efficiency. These compiled routines cannot be handled by previous releases of the product. Consequently, it will not allow ECP connections to instances that don't support this feature; specifically, if you attempt to connect to older instances, the result will be an error.

You may disable this compression feature system-wide with $ZU(69,87,1). If you disable this feature, then this release will be able to connect through ECP with older releases.

DP-401740: (Windows) Greater precision in $ZNOW and $ZTIMESTAMP

Category: Kernel
Platforms: Windows
Version: 2021.2.0

With this change, on Windows, $NOW and $ZTIMESTAMP have more digits of precision than in previous releases.

Also, previous releases included the special functions $ZU(136,21,0), $ZU(136,21,1), and $ZU(136,21) for use on Windows, to work around limitations in how Windows returned time values. Windows now returns more accurate time values and these functions are not needed. If you call these functions, you must update your code.

DP-404334: Quote $ZF() shell commands on Windows

Category: Kernel
Platforms: Windows
Versions: 2021.1.1, 2021.2.0

Windows shell commands must be enclosed in quotes if there are quoted arguments along with a quoted command path. Those quotes will now be added by $ZF(-1), $ZF(-2), and $ZF(-100,"SHELL").

DP-405025: Changes to rounding of ObjectScript decimal floating-point values

Category: Kernel
Platforms: All
Version: 2021.2.0

This release contains a slight improvement in rounding of ObjectScript decimal floating-point. One specific value of the IEEE floating point significand:

-9223372036854775808

-9223372036854775810

This error does not involve IEEE ($DOUBLE) binary floating-point representation. It only involves ObjectScript decimal floating-point representation.

Certain computations using a decimal significand of -2**63 (or -9223372036854775808), especially multiplications by a power of 10, were incorrectly rounded up to -9223372036854775810 when -9223372036854775808 is the exact answer. This has been fixed. Note that the positive valued significand of +9223372036854775808 does not exist so it is always rounded up to 9223372036854775810. This means that -(9223372036854775808) does not equal -9223372036854775808 because the first expression is rounded up before the negation operator is applied.

DP-406134: Change to error signalled by dynamic objects and arrays

Category: Kernel
Platforms: All
Version: 2021.2.0

ObjectScript programs that used to catch <PROPERTY DOES NOT EXIST> error when $GET/$DATA was applied to a %DynamicObject or %DynamicArray element must now instead catch the <ILLEGAL CLASS> error. Since $GET/$DATA always signals an error when applied to existent or nonexistent Dynamic Object elements, it is unlikely that there are any programs that are deliberately generating this error signal and testing for it.

DP-407539: Improvements to purging backup logs

Category: Kernel
Platforms: All
Version: 2022.1.0

In previous releases, only backup logs within the file named "idpbackup.log" (created by running ^BACKUP from terminal) were being purged by the PurgeBackupLog task, and log files generated by running backups from the Management Portal were never purged. This change makes the handling of these logs consistent: purging purges both kinds of logs. In addition, this changes the default number of days to purge logs from 7 to 30.

Changes affecting the different entry points for running backups are as follows:

• Backups run from Management Portal: Backup logs will be created and named the same as they were before (according to the name of the task being run), but they will now be purged by the PurgeBackupLog task (before, they were never purged).
• Backups run from Terminal (^BACKUP): Rather than appending each backup log into the same idpbackup.log file, each backup run will generate a new idpbackup_date_counter.log file. The PurgeBackupLog task will then delete these files individually rather than scanning and trimming the contents of the idpbackup.log file.
• Backups run externally ($$BACKUP^DBACK()): The backup log file specified by the user in the arguments will be created newly or overwritten (rather than appending to it); if there is no file specified, the backup will generate a new idpbackup_date_counter.log file as for TUI backups. The PurgeBackupLog task will work as for TUI backups.

DP-408501: Replace random number generator algorithm in $Random with Splitmix64

Category: Kernel
Platforms: All
Version: 2022.1.0

Before this change, $random used a pseudo random number generator algorithm. With this change, we replace it with Splitmix64, a fast pseudo random number generator algorithm that can pass rigorous statistical tests of its randomness.

In most cases, this does not impact compatibility, but if your application uses $zu(165) to specify a seed and relies on an expected sequence of random numbers, you will have to update your code with the new sequence. For example, the %Populate utilities will produce different results than prior versions with the same seed.

DP-409100: Run object destructors when a .Net application quits

Category: Kernel
Platforms: All
Version: 2022.1.0

Actions performed by an object's %OnClose method, such as unlocking a record in a persistent class, were not being performed in a timely manner for a client/server application using .Net, JDBC, etc.

DP-409851: Change to viewing private program data on AIX

Category: Kernel
Platforms: AIX
Version: 2021.2.0

With this change, on AIX, you will receive a <PROTECT> error when you attempt to view private program data that is outside of the instance's partition. You can get this error from the $VIEW function or the VIEW command. You can enable viewing and avoid the error by calling $ZU(69,23,1).

InterSystems strongly discourages users from using the $ZU(69,23,1) feature. This feature leaves Open M/SQL-UNIX open to abnormal termination of M processes and hangs due to programming errors.

DP-410050: Correct a rare bug on class initialization

Category: Kernel
Platforms: All
Version: 2022.1.0

This change corrects a very rare bug that could cause the wrong version of a class to be loaded into memory. This could lead to increased memory usage if class components are not being used. Otherwise, it only changes the time at which they are loaded into memory.

DP-410087: Change in error when dynamic dispatch is not implemented

Category: Kernel
Platforms: All
Version: 2022.1.0

If a class does not implement dynamic dispatch and a method whose name ends with Get or Set is called and the method does not exist, the error is now <METHOD DOES NOT EXIST> instead of <PROPERTY DOES NOT EXIST>.

DP-412202: Changes to $zversion String and GetPlatform() for Linux

Category: Kernel
Platforms: Linux
Version: 2022.1.0

The $zv string will now include the Linux distribution version. If your code parses this string, you may have to modify it to handle this change. This string is also returned by the GetPlatform() method of %SYSTEM.Version class.

DP-13952: .NET compact double changes to IRISList

Category: Language Bindings - Native
Platforms: All
Version: 2021.2.0

This release adds support for the Compact Double feature for .NET client technologies: ADO, XEP IRISNative, and the Object Gateway (External Language Server). If your code is connecting to a .NET server with Compact Double enabled and your code includes IRISList and you want the values stored as compact doubles, you must modify the IRISList to enable compact double. If you do not want to have IRISList store compact double values, you do not need to change your code to connect with a server that supports compact double.

Application code can check if Compact Double is enabled for the connection by checking the "IsCompactDoubleEnabled" field on the IRISADOConnection object. You can use this value to control whether a new IRISList enables compact double with the following:

IRISList list = new IRISList(connection.ServerEncoding, connection.IsCompactDoubleEnabled);

Attempting to store a compact double on a server where it is disabled will produce an error. If you embed an IRISList within another, the compact double state must be the same in both.

DP-407972: Language SDK unified schema caches will be purged

Category: Language SDK
Platforms: All
Version: 2022.1.0

When you upgrade to this release, all Language SDK Unified Schemas will be purged from the cache. This change does not require any change to your code, but each schema will be processed and cached the first time it is accessed.

DP-405941: %Monitor.Process now uses same metric names as ^PERFMON and &MONLBL

Category: Monitoring
Platforms: All
Version: 2021.2.0

Modified %Monitor.Process to use the same list of metric names that the ^PERFMON and ^MONLBL routines use. If your code identifies metrics by name, you should modify it to use the new set of names.

DP-8357: Improve %FromJSON() error checking

Category: Object
Platforms: All
Version: 2022.1.0

The %FromJSON() method would accept numeric input with an illegal format (a few example arrays [0e] and [-].) In the past this very deviant numeric syntax did not generate an error. However, some illegal numeric syntax is accepted by some third party JSON decoders by making minor corrections to illegally numeric syntax. Example arrays that will be accepted and corrected by the %FromJSON(....) method are: (1) [-5.] will become [-5.0] and (2) [-.5] will become [-0.5].  Also, the maximum input length for a JSON numeric string has been increased to 1022 characters.

DP-411367: Change with XEP unified schema and maximum field length

Category: Object - .NET XEP
Platforms: All
Version: 2022.1.0

Existing classes will be unaffected by this change; only classes newly generated by Unified Schemas will be affected. There should not be any new behavior except when using SQL or InterSystem IRIS Objects against these tables/classes. Prior to this change, the default MAXLEN=50 is used. With this change, the size is not constrained to a maximum length of 50. There could be differences when querying string data that exceeds the 50 character default MAXLEN.

DP-409204: Java binding collections now behave consistently

Category: Object - Java Binding
Platforms: All
Version: 2022.1.0

Previously, in Java Bindings ArrayOfDataTypes and ListOfDataTypes did not behave consistently. In this release, there is a new behavior that will be a change for each type, but the behaviors are consistent with each other. For ArrayOfDataType, previously when inserting elements there was a check to confirm the type matched the type of previously inserted elements, and would throw an error if that was the case. This change no longer checks this, as we are supporting arrays of multiple types. For both ArrayOfDataTypes and ListOfDataTypes, there used to be required conversions by the user for special types (Date, Time, and DateTime). Now, if the elementType is set to one of these types, the conversion is done automatically and the user receives an already converted value.

DP-20958: %Net.SMTP no longer sends email if server doesn't support authentication

Category: Object Library
Platforms: All
Version: 2021.2.0

Before this release, if you used %Net.SMTP to try to authenticate to an SMTP server that did not support authentication, %Net.SMTP would send the email. Now in the same scenario, %Net.SMTP will return the following error and will not send the email:

ERROR #6166: Server does not support authentication

Users who prefer the old behavior and want to continue the exchange unauthenticated after a failed authentication attempt can set the new IgnoreFailedAuth property of %Net.SMTP to true. Users who do not use authentication with SMTP as well as users who do not want to continue with an unauthenticated exchange if authentication fails don't need to do anything.

DP-292449: In %Net.Http, GetJson() replaces getJSON()

Category: Object Library
Platforms: All
Version: 2021.2.0

In %Net.Http, the new GetJson() replaces the getJSON() method. The new method has the following signature:

classmethod GetJson(requestURL As %RawString = "", request As %String(MAXLEN="")="") 
            as %DynamicAbstractObject

DP-405034: %Net.SMTP checks server identities by default

Category: Object Library
Platforms: All
Versions: 2019.1.2, 2020.1.2, 2021.1.1, 2021.2.0

This change fixes a bug where the SSLCheckServerIdentity property in %Net.SMTP defaulted to false, but was documented as defaulting to true. The property now defaults to true and is in alignment with documentation. This means that, when connecting to an SSL/TLS secured web server, %Net.SMTP will check that the certificate server name matches the DNS name used to connect to the server and fail if they don't match. This is the behavior specified in RFC 2818 section 3.1.

As a result, when connecting to an SSL/TLS secured web server, the default behavior of %Net.SMTP will now be to fail if the certificate server name does not match the DNS name used to connect to the server.

This change is unlikely to cause compatibility issues, but it is possible that when using %Net.SMTP to send messages you might have issues connecting to an SSL/TLS enabled server. If this happens, and you understand the security trade-offs, you can set SSLCheckServerIdentity to 0 to restore the previous behavior.

DP-402912: Fix problem where errors within ZWRITE command are not raised to caller's error trap

Category: ObjectScript
Platforms: All
Versions: 2021.1.1, 2021.2.0

This change fixes a problem where errors within ZWRITE command are not raised to caller's error trap.

Now ZWRITE throws some errors that were ignored before, but they are serious show-stopper errors that should not happen in a normal environment.

DP-404892: Changes to how ZWRITE displays IEEE doubles

Category: ObjectScript
Platforms: All
Version: 2021.2.0

There are minor changes in the way ZWRITE displays IEEE double-precision floating-point values. The new formatting is more readable and provides better cutting and pasting output values. This should not impact most code, but if your code is looking for specific text in ZWRITE output, you may have to modify it to handle these changes.

DP-410011: ZWRITE preserves $ZR unless a global arg is given

Category: ObjectScript
Platforms: All
Version: 2022.1.0

In this release, ZWRITE has the following new behavior:

• If you ZWRITE a local variable (defined or not): ZWRITE will always preserve the original $ZR value. In previous releases, $ZR could be set to an unexpected value overwriting the previous $ZR value.
• If you ZWRITE a global with or without a subscript, it will always set $ZR to be that global reference, defined or not. In previous releases ZWRITE a global would vary how it set $ZR depending on whether the global was defined with or without a subscript.

DP-408254: Do not allow insert SQL_CHAR or SQL_WCHAR values into BINARY field

Category: ODBC
Platforms: All
Version: 2022.1.0

If your code uses SQL_CHAR or SQL_WCHAR for binding into a BINARY field, you need to change it to SQL_BINARY. This combination is unlikely to be used in code.

DP-402686: Changes to Security.Events:ListAll query arguments

Category: Security
Platforms: All
Version: 2021.2.0

The Security.Events:ListAll query is a public API though it is mostly used internally. If you are using it, you may need to update your code to handle the changes in the arguments. It has been changed to now only accept three arguments (Filter, OwnerFlag, Flags) instead of five (EventSources, EventTypes, Events, OwnerFlag, Flags). Therefore, after upgrading, you will have to make changes everywhere you call ListAll if you specify more multiple arguments.

Instead of searching EventSources, EventTypes, and Events separately, ListAll now combines the Source, Type, and Name of each event into one forward slash-delineated string and searches just that string. This means that the Filter argument essentially combines EventSources, EventTypes, and Events into one.

If you are only using one of EventSources, EventTypes, or Events, you can pass that value into the new ListAll as the Filter parameter and the query's behavior shouldn't change.

If you are using more than one of EventSources, EventTypes, and Events, you will have to make changes. The simplest thing to do is to combine the previous fields into one by putting a forward slash in between each field. For example, if you have EventSources="%System" and EventTypes="%Login" you can now use Filter="%System/%Login". Unfortunately, the new ListAll can't combine EventSources and Events without also having an EventType. So to specify EventSources="%System" and Events="Logout" you need to also have an EventType, for example: Filter="%System/%Login/Logout".

DP-403594: Use OpenSSL MD5 Implementation

Category: Security
Platforms: All
Version: 2021.2.0

This change removes the ability to use the MD5 hashing algorithm on when in FIPS mode. Refer to the class reference for %SYSTEM.Encryption, which enumerates the limitations of encryption methods in FIPS mode, for more information.

DP-404283: Changes to enabling %ZEN.Dialog classes

Category: Security
Platforms: All
Versions: 2019.1.2, 2020.1.2, 2021.1.1, 2021.2.0

In this release, %ZEN.Dialog.* classes cannot be run in web applications unless the web application is enabled for analytics, the namespace is enabled for interoperability productions, or it is explicitly enabled for the web application. To explicitly enable %ZEN.Dialog.* classes, enter the following:

Set ^SYS("Security","CSP","AllowPrefix",application-name,"%ZEN.Dialog.")=1

Also, with this change, any web application that is enabled for analytics or interoperability will have %ZEN.Dialog.* classes enabled by default.

DP-406389+DP-406711: Add versions to security tables

Category: Security
Platforms: All
Version: 2021.2.0

In previous releases, you could only export and import security tables between instances with the same major version. Now the security tables have an embedded version number, which allows finer access over allowable imports. You can export security tables from versions 2021.1 and 2021.2 and then import them to this version, 2022.1.

DP-408241: Change in permissions needed to run Task Manager tasks

Category: Security
Platforms: All
Version: 2022.1.0

Now %SYS.TaskSuper requires %Admin_Manage:Use in order to modify the ExecuteCode field of %SYS.Task.RunLegacyTask. Previously this check was only done in the Management Portal page.

The Management Portal page now checks for %Admin_Secure:Use in order to set the RunAsUser to a user other than the current user. Previously it incorrectly checked for %Admin_Manage:Use (TaskSuper checks %Admin_Secure).

DP-408293: Web Gateway now uses PBKDF2 to hash passwords

Category: Security
Platforms: All
Version: 2022.1.0

The Web Gateway provides a feature where if a plain-text password is written to CSP.ini directly, the Web Gateway encodes the password at startup. This feature will no longer work if the plain-text password starts with the string "PBKDF2|".

The CSPpwd utility is recommended if you want to avoid this limitation.

DP-413405: Revert Security.Events:ListAll() to preserve backwards compatibility

Category: Security
Platforms: All
Version: 2022.1.0

Previously, DP-402686 added a new query called ListByFilter() to the Security.Events class and then reconfigured the ListAll() query to call this new query. In doing so, it changed the signature of ListAll(), which broke backwards compatibility.

This change reverts Security.Events:ListAll() to what it was before DP-402686. Then, to maintain the SMP fix that DP-402686 introduced, it changes the SystemEvents and UserEvents SMP pages to call the ListByFilter() query instead of ListAll().

As a result, the backwards compatibility of Security.Events:ListAll() has been restored.

DP-402901: SQL PURGE QUERIES BY AGE and FREEZE BY ID changes

Category: SQL
Platforms: All
Version: 2021.2.0

If you use any of the following PURGE or FREEZE constructs, you must ensure that you specify the value with a literal, not with an identifier:

• PURGE [CACHED] QUERIES BY AGE value
• [UN]FREEZE BY ID value

DP-405610+DP-408694: (New installs) default DDL type mapping for TIMESTAMP is %Library.PosixTime

Category: SQL
Platforms: All
Version: 2021.2.0

In new installations, the default DDL Mapping for type TIMESTAMP has been changed from %Library.TimeStamp to %Library.PosixTime. This does not affect instances which were upgraded from a previous release. If you port code from a previous release to a new installation of this release, you may need to modify code to handle this change.

If a field has a datatype of %Library.DateTime, the fastinsert optimization will not be used and execution will be slower. You can resolve this issue by updating the datatype to use PosixTime, which is recommended over DateTime.

DP-406218: Runtime Plan Choice (RTPC) is now enabled by default

Category: SQL
Platforms: All
Version: 2021.2.0

The default value for the RTPC parameter has changed from 0 to 1. When RTPC is enabled (=1), InterSystems SQL queries can perform optimization based on outlier information. For further details on outlier selectivity, refer to Tune Table in the InterSystems SQL Optimization Guide.

Note that for some queries, this may not be the best choice. See Adaptive SQL Optimizer for details on RTPC and review whether you wish to use this optimization.

DP-408808: When FETCH call has two sets of INTO variables, fetch results into both sets of variables

Category: SQL
Platforms: All
Version: 2022.1.0

This change restore behavior of embedded SQL when DECLARE <name> CURSOR has INTO variables and the FETCH also has INTO variables. A previous change unintentionally modified the behavior so that the code updated only the DECLARE <name> CURSOR variables.

This change restores the previous behavior of updating both sets of variables.

DP-407254: Update interaction between delegated and password authentication

Category: System
Platforms: All
Versions: 2021.1.1, 2021.2.0

This fixes an issue with authentication ordering when delegated and password authentication are enabled. If your user authentication includes both delegated authentication and password authentication, you can choose either to call or not call ZAUTHENTICATE for password users. Typically, ZAUTHENTICATE is only used for delegated users and not for password users.

But if you want your ZAUTHENTICATE routine to also be called for password users, you should check the <b>Always try Delegated Authentication</b> in the <b>System Administration > Security > System Security > Authentication/Web Sessions Options</b> page in the Management Portal or by using the ^SECURITY utility (System Parameter Setup, Edit authentication options).

The default for <b>Always try Delegated Authentication</b> is No and ZAUTHENTICATE is not called for password users.

DP-408802: Remove experimental database compression from CreateDatabase() method

Category: System
Platforms: All
Version: 2021.2.0

This release removes an experimental feature, database compression, because the minor savings in storage did not justify the increased compute load. This removal should not impact any existing code unless you called ##class(SYS.Database).CreateDatabase() and included the compression engine parameter. If you did, you must remove this parameter or you will get a <PARAMETER> error.

Please note this experimental feature is independent of the journal compression and stream compression features, which are unaffected by this change.

DP-405460: Modify InterSystems IRIS to use the hash of the CPF in place of the timestamp

Category: Web Gateway
Platforms: All
Version: 2021.2.0

InterSystems IRIS now sends a hashcode instead of a timestamp to indicate whether the server configuration has been changed, and the Web Gateway now accommodates these hashcodes in addition to timestamps from older servers.

A newer standalone Web Gateway connecting to older InterSystems IRIS instances functions as before. An old Web Gateway connecting to newer InterSystems IRIS instances is not and has historically not been supported, but with this change it's particularly important for customers to keep their Web Gateway up to date. Old Gateways don't handle the hash from newer InterSystems IRIS instances and thus will not update their server configurations.

DP-404679: Some tasks removed from the Task Manager

Category: Work Queue Manager
Platforms: All
Version: 2021.2.0

Some of the automated maintenance tasks have been removed from the Task Manager and are now handled purely internally by the Work Queue manager. Specifically, the following tasks have been removed from the Task Manager:

• Update SQL Query Statistics
• Scan frozen plans
• Cleanup SQL Statement Index
• Resource Cleanup

DP-411063: Work Queue settings removed on upgrade to 2021.2

Category: Work Queue Manager
Platforms: All
Version: 2021.2.0

When upgrading to 2021.2, the settings for "Work Queue Manager Categories" are reset to the system defaults, and any user-defined settings are deleted. The new settings in version 2021.2 are not compatible with the previous settings and cannot be converted. If you have defined settings, redefine them if necessary.

DP-408030: xDBC rejects connections when server ListFormat is not supported

Category: xDBC Server
Platforms: All
Version: 2022.1.0

This change corrects a connection error with an illegal ListFormat setting that was ignored by previous releases. If the server was configured with ListFormat 2 or 3, the connection will now be rejected. This setting was never supported by the clients and could result in inconsistent behavior or data loss if the connection was allowed.