Skip to main content

Locked Down InterSystems IRIS Container

Locked Down InterSystems IRIS Container

To support the strictest security requirements, InterSystems provides an image named iris-lockeddown, from which you can deploy a highly secure InterSystems IRIS container. The differences between containers from this image and those from the standard iris image are detailed in the following list.


The characteristics of the iris-lockeddown image are subject to change as best practices evolve. We may add, remove, or change features in response to our best understanding of current security practices and the requirements of the production container orchestrators in use by our customers.

  • The instance in a locked down InterSystems IRIS container was installed with Locked Down securityOpens in a new tab, as opposed to the Normal security installation of an instance in the standard InterSystems IRIS container. For details on the differences between Locked Down and Normal security, see Prepare for InterSystems SecurityOpens in a new tab in Securing Your Instance.

  • The instance’s private web server is disabled. As a consequence, the Management Portal becomes inaccessible, and if InterSystems System Alerting and Monitoring (SAM)Opens in a new tab is part of the deployment it will not be able to access the instance. To restore access to the Management Portal, you can use configuration merge (see Automated Deployment of InterSystems IRIS Containers) when deploying the container to set the WebServerOpens in a new tab parameter by including the following in the merge file:


    The Management Portal itself is not disabled, which means that if you configure a web server for the instance, the portal may become accessible again.

    Be sure to use configuration merge to enable the Management Portal, as above, when deploying with InterSystems Cloud Manager (ICM) or the InterSystems Kubernetes Operator (IKO) if you want access to the deployment or its individual instances through the Management Portal for management and maintenance purposes.

    You can also enable the private web server by adding the WebServer parameter to the [Startup] section of an existing locked down instance’s CPF (using docker exec to modify it inside the container, or modifying it in the durable %SYS directory on the host file system) and then restarting the instance.

  • If SAM is deployed with the instance, to give it access to the instance you must not only set WebServer to 1 as described in the previous point, but change the Allowed Authentication Method setting of the /api/monitor web application from Password to Unauthenticated. To do this, on the Web Applications page of the Management Portal (System Administration > Security > Applications > Web Applications), click /api/monitor in the left-hand column to display the Edit Web Application page, make the needed change in the Security Settings section, and click Save.

  • In addition to the environment variables defined in the standard container, as listed in the following section, the SYS_CONTAINER_LOCKEDDOWN variable is defined as 1 in a locked down container.

FeedbackOpens in a new tab