Prepare for InterSystems Security
The material in this section describes some of the security-related issues you need to consider before installing InterSystems IRIS. For an overview of the InterSystems security features, see “About InterSystems Security”; you may also want to review details about authentication or authorization.
This section covers the following topics:
-
Initial InterSystems Security Settings — Describes the characteristics of the different default security settings. It is particularly useful if you choose to use Normal or Locked Down InterSystems security.
-
Configure User Accounts — Discusses the necessary permissions for a user account that runs InterSystems IRIS.
-
Prepare the Security Environment for Kerberos — Details the additional tasks you need to perform if you are planning on using Kerberos as an authentication mechanism with InterSystems IRIS. If you are not using Kerberos in your environment, you can bypass this topic.
After reading About InterSystems Security and following the procedures in this section, you are prepared to provide the pertinent security information to the installation procedure, as described in the Installation Guide.
Initial InterSystems Security Settings
During installation, there are three initial security configurations to choose from: Minimal, Normal, or Locked Down. A good rule of thumb is to choose Locked Down for instances to be used in production environments and Normal for instances to be used in development environments. The following sections describe the differences between these configurations, as well as the initial service properties for each configuration:
For production environments, you should adjust the individual security settings after installation, regardless of which option you choose. For more information see the following sections:
Initial User Security Settings
For general information about InterSystems IRIS user accounts, see User Accounts.
All user accounts share certain password requirements and settings. The initial values for these settings are based on which security level you choose, as described in the following table:
| Security Setting |
Minimal |
Normal |
Locked Down |
Description |
| Password Pattern* |
3.32ANP |
3.32ANP |
8.32ANP |
By default, passwords allow alphanumeric characters and punctuation. The initial length requirement is 3 to 32 characters for Minimal and Normal installations, or 8 to 32 for Locked Down installations.
For more information about password patterns, see Password Strength and Password Policies. |
| Inactive Limit* |
0 |
90 days |
90 days |
The Inactive Limit is the number of days an account can be inactive before it is disabled. For Minimal installations, the limit is set to 0 indicating that accounts are never disabled, no matter how long they are inactive. Normal and Locked Down installations have the default limit of 90 days. |
| Enable _SYSTEM User |
Yes |
Yes |
No |
|
| Roles assigned to UnknownUser |
%All |
None |
None |
When an unauthenticated user connects, InterSystems IRIS assigns a special name, UnknownUser, to $USERNAME and assigns the roles defined for that user to $ROLES. In a Minimal security installation, the UnknownUser is assigned the %All role; UnknownUser has no roles when choosing a security level other than Minimal.
For more details on the use of $USERNAME and $ROLES, see Users and Roles. |
* You can maintain these settings from the System > Security Management > System Security Settings > System-wide Security Parameters page of the Management Portal. See System-wide Security Parameters for more information.
Initial User Account Passwords
InterSystems IRIS creates multiple user accounts during installation. The predefined InterSystems IRIS user accounts have different default passwords and behavior depending on whether an installation uses Minimal security, Normal security, or Locked Down security. These differences are as follows:
-
Minimal security – All the created accounts except _PUBLIC have an initial default password of “SYS”. With the exception of UnknownUser, you should change the account passwords after installation in order to prevent unauthorized access to your InterSystems IRIS instance.
The _PUBLIC account has no password by default and should never be given a password, since it is never enabled.
-
Normal security – All the created accounts except _PUBLIC receive the same password as is chosen for the privileged user account. It is recommended that you change these passwords after installation, so that each account has its own password.
The _PUBLIC account has no password by default and should never be given a password, since it is never enabled.
-
Locked Down security – All the created accounts except _PUBLIC receive the same password as is chosen for the privileged user account. It is recommended that you change these passwords after installation, so that each account has its own password.
The _PUBLIC account has no password by default and should never be given a password, since it is never enabled. In Locked-Down installations, the _SYSTEM account is also disabled.
Caution:
The default password is a security vulnerability, particularly in a Minimal Security installation. To address this issue, disable the accounts or change their passwords. InterSystems recommends disabling the account.
This is a critical concern with containerized instances in particular; see Authentication and passwordsOpens in a new tab for more information, including ways in which you can address the issue.
Initial Service Properties
Services are the primary means by which users and computers connect to InterSystems IRIS. For detailed information about the InterSystems services see Services.
| Service Property |
Minimal |
Normal |
Locked Down |
Description |
| Use Permission is Public |
Yes |
Yes |
No |
If the Use permission on a service resource is Public, any user can employ the service; otherwise, only privileged users can employ the service. |
| Requires Authentication |
No |
Yes |
Yes |
For installations with initial settings of Normal or Locked Down, all services require authentication of some kind (Instance Authentication, operating-system–based, or Kerberos). Otherwise, unauthenticated connections are permitted. |
| Enabled Services |
Most |
Some |
Fewest |
The initial security settings of an installation determine which of certain services are enabled or disabled when InterSystems IRIS first starts. The Enabled Services table below shows these initial settings. |
Enabled Services
| Service |
Minimal |
Normal |
Locked Down |
| %Service_Bindings |
Enabled |
Enabled |
Disabled |
| %Service_CacheDirect |
Enabled |
Disabled |
Disabled |
| %Service_CallIn |
Enabled |
Disabled |
Disabled |
| %Service_ComPort |
Disabled |
Disabled |
Disabled |
| %Service_Console* |
Enabled |
Enabled |
Enabled |
| %Service_ECP |
Disabled |
Disabled |
Disabled |
| %Service_Monitor |
Disabled |
Disabled |
Disabled |
| %Service_Telnet* |
Disabled |
Disabled |
Disabled |
| %Service_Terminal† |
Enabled |
Enabled |
Enabled |
| %Service_WebGateway |
Enabled |
Enabled |
Enabled |
* Service exists on Windows servers only
† Service exists on non-Windows servers only
Configure User Accounts
During the installation process, you must choose an account to run the InterSystems IRIS process as the instance owner. The installation creates an InterSystems IRIS account with the %All role for the instance owner, providing that account with full administrator access to InterSystems IRIS.
To ensure that the instance owner has the necessary privileges, you may need to create a new user account. The following sections contain OS-specific details about what accounts and privileges are necessary:
Prepare the Security Environment for Kerberos
All InterSystems IRIS supported platforms have versions of Kerberos supplied and supported by the vendors. To use Kerberos, you must have either a Kerberos key distribution center (KDC) or a Windows domain controller available on your network. The installation preparations for each are as follows:
-
Windows domain controller
This configuration uses a Windows domain controller for KDC functionality with InterSystems IRIS servers and clients on Windows and non-Windows machines. A domain administrator creates domain accounts for running the InterSystems services on InterSystems IRIS servers. See the following sections for the requirements for using both Windows and non-Windows InterSystems IRIS servers:
-
Non-Windows KDC
This configuration uses a UNIX® or Kerberos KDC with InterSystems IRIS servers and all clients on non-Windows machines. See the following two sections for the requirements for using a UNIX® or macOS KDC and InterSystems IRIS servers:
A Note on Terminology
This document refers to related, but distinct entities:
-
Service account — An entity within an operating system, such as Windows, that represents a software application or service.
-
Service principal — A Kerberos entity that represents a software application or service.
Create Windows Service Accounts for Windows Servers
Microsoft Windows implements the Kerberos authentication protocol by integrating the KDC with other security services running on the domain controller. Before you install InterSystems IRIS in a Windows domain, you must use the Windows domain controller to create a service account for each InterSystems IRIS server instance on a Windows machine.
Account Characteristics
When you create this account on the Windows domain controller, configure it as follows:
-
Set the account's Password never expires property.
-
Make the account a member of the Administrators group on the InterSystems IRIS server machine.
-
Add the account to the Log on as a service policy.
Important:
If a domain-wide policy is in effect, you must add this service account to the policy for InterSystems IRIS to function properly.
Names and Naming Conventions
In an environment where clients and servers are exclusively on Windows, there are two choices for naming service principals. You can follow the standard Kerberos naming conventions, which ensures compatibility with any non-Windows systems in the future, or you can use any unique string. Each of these choices involves a slightly different process of configuring a connection to a server.
-
For a name that follows Kerberos conventions, the procedure is:
-
Run the Windows setspn command, specifying the name of service principal in the form service_principal/fully_qualified_domain_name, where service_principal is typically iris and fully_qualified_domain_name is the machine name along with its domain. For example, a service principal name might be iris/irisserver.example.com. For detailed information on the setspn tool, see the SetspnOpens in a new tab page in the Microsoft documentation.
-
In the InterSystems IRIS Server Manager dialog for adding a new preferred server, choose Kerberos. What you specify for the Service Principal Name field should match the principal name specified in setspn.
-
For a name that uses any unique string, the procedure is:
-
Choose a name for the service principal. A suggested naming convention for each account representing an InterSystems IRIS server instance is “irisHOST”, which is the literal iris followed by the host computer name in uppercase. For example, if you are running an InterSystems IRIS server on a Windows machine called WINSRVR, name the domain account irisWINSRVR.
-
In the InterSystems IRIS Server Manager dialog for adding a new preferred server, choose Kerberos. Specify the selected name for the service principal in the Service Principal Name field.
For more information on configuring remote server connections, see Connecting to Remote Servers for the detailed procedure.
Configure Windows Kerberos Clients
If you are using Windows clients with Kerberos, you may also need to configure these so that they do not prompt the user to enter credentials. This is required if you are using a program that cannot prompt for credentials — otherwise, the program is unable to connect.
To configure Windows not to prompt for credentials, the procedure is:
-
On the Windows client machine, start the registry editor, regedit.exe.
-
Go to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters key.
-
In that key, set the value of AllowTgtSessionKey to 1.
Create Windows Service Accounts for Non-Windows Servers
Before you install InterSystems IRIS in a Windows domain, you must use the Windows domain controller to create a service account for each InterSystems IRIS server instance on a non-Windows machine. Create one service account for each machine, regardless of the number of InterSystems IRIS server instances on that machine.
A suggested naming convention for these accounts is “irisHOST,” which is the literal, iris, followed by the host computer name in uppercase. For example, if you run an InterSystems IRIS server on a non-Windows machine called UNIXSRVR, name the domain account irisUNIXSRVR. For InterSystems IRIS servers on non-Windows platforms, this is the account that maps to the Kerberos service principal.
Important:
When you create this account on the Windows domain controller, InterSystems IRIS requires that you set the Password never expires property for the account.
To set up a non-Windows InterSystems IRIS server in the Windows domain, it must have a keytab file from the Windows domain. A keytab file is a file containing the service name for the InterSystems IRIS server and its key.
To accomplish this, map the Windows service account (irisUNIXSRVR, in this example) to a service principal on the InterSystems IRIS server and extract the key from the account using the ktpass command-line tool on the domain controller; this is available as part of the Windows support tools from Microsoft.
The command maps the account just set up to an account on the UNIX®/Linux machine; it also generates a key for the account. The command must specify the following parameters:
| Parameter |
Description |
| /princ |
The principal name (in the form iris/<fully qualified hostname>@<kerberos realm>). |
| /mapuser |
The name of the account created (in the form iris<HOST>). |
| /pass |
The password specified during account creation. |
| /crypto |
The encryption type to use (use the default unless specified otherwise). |
| /out |
The keytab file you generate to transfer to the InterSystems IRIS server machine and replace or merge with your existing keytab file. |
Important:
The principal name on UNIX®/Linux platforms must take the form shown in the table with the literal iris as the first part.
Once you have generated a key file, move it to a file on the InterSystems IRIS server with the key file characteristics described in the section below.
Create Service Principals on a KDC for Non-Windows Servers
In a non-Windows environment, you must create a service principal for each UNIX®/Linux or macOS InterSystems IRIS server that uses a UNIX®/Linux or macOS KDC. The service principal name is of the form iris/<fully qualified hostname>@<kerberos realm>.
Key File Characteristics
Once you have created this principal, extract its key to a key file on the InterSystems IRIS server with the following characteristics:
-
On most versions of UNIX®, the pathname is install-dir/mgr/iris.keytab. On macOS and SUSE Linux, the pathname is /etc/krb5.keytab.
-
It is owned by the user that owns the InterSystems IRIS installation and the group irisusr.
-
Its permissions are 640.
Test Kerberos KDC Functions
When using Kerberos in a system of only non-Windows servers and clients, it is simplest to use a native UNIX®/Linux KDC rather than a Windows domain controller. Consult the vendor documentation on how to install and configure the KDC; these are usually tasks for your system administrator or system manager.
When installing Kerberos, there are two sets of software to install:
-
The KDC, which goes on the Kerberos server machine.
-
There also may be client software, which goes on all machines hosting Kerberos clients. This set of software can vary widely by operating system. Consult your operating system vendor documentation for what client software exists and how to install it.
After installing the required Kerberos software, you can perform a simple test using the kadmin, kinit, and klist commands to add a user principal to the Kerberos database, obtain a TGT (ticket-granting ticket) for this user, and list the TGT.
Once you successfully complete a test to validate that Kerberos is able to provide tickets for registered principals, you are ready to install InterSystems IRIS.
