Authentication

Kerberos AuthenticationCopy link to this section

Where strong authentication is required, Caché can use the Kerberos protocol to enable users and Caché itself to identify each other and to ensure the validity of communications within a session. For a brief overview of Kerberos, see the “About Kerberos” section in the “Introduction” chapter of this book; for more detailed information, see the MIT Kerberos Web site and its list of available documentation.

In the Kerberos model, there are several different actors. All the different programs and people being authenticated by Kerberos are known as principals. The Kerberos system is administered by a Kerberos Key Distribution Center (KDC); on Windows, the Windows Domain Controller performs the tasks of a KDC. The KDC issues tickets to users so that they can interact with programs, which are themselves represented by service principals. Once a user has authenticated and has a service ticket, it can then use a program.

Specifically, Kerberos authentication involves three separate transactions:

1. The client receives what is called a “ticket-granting ticket” (“TGT”) and an encrypted session key.

2. The client uses the TGT and session key to obtain both a service ticket for Caché as well as another encrypted session key.

3. The client uses the service ticket and second session key to authenticate to Caché and optionally establish a protected connection.

Aside from a possible initial password prompt, this is designed to be invisible to the user.

In order for strong authentication to be meaningful, all Caché services that support it must have Kerberos enabled and those that don’t support it must be disabled. The exception to this is that services intended to operate within the Caché security perimeter, such as ECP, do not support Kerberos; you can simply enable or disable these services, since they are designed for use in an externally secured environment.

Operating-System–Based AuthenticationCopy link to this section

With operating-system–based authentication, Caché uses the operating system’s user identity to identify the user for Caché purposes. Specifically, the process is:

1. Caché obtains the process’ operating-system user identity.

2. Caché checks if the operating system identity matches a Caché username. If so, then the user is automatically authenticated for Caché as well.

Caché AuthenticationCopy link to this section

Caché has its own algorithms for providing password-based authentication. This mechanism is listed in the Management Portal as “Password” authentication. Since Kerberos and OS-based authentication both typically use passwords, this documentation refers to the native Caché mechanism as Caché login.

For password authentication, Caché maintains a password value for each user account and compares that value to the one provided by the user at each log in. (In actuality, Caché does not store the password value itself but a hashed version of it. When the user logs in, that entered password value is hashed and the two hashed versions are compared.) The system manager can establish certain password criteria, such as minimum length, to ensure a certain degree of robustness in the passwords selected by users; the criteria are described in the section “Password Strength and Password Policies” in the chapter “System Management and Security.”

Caché stores only irreversible cryptographic hashes of passwords. The hashes are calculated using the PBKDF2 algorithm with the HMAC-SHA-1 pseudorandom function, as defined in Public Key Cryptography Standard #5 v2.1: “Password-Based Cryptography Standard.” The current implementation uses 1024 iterations, 64 bits of salt, and generates 20 byte hash values. There are no known techniques for recovering original passwords from these hash values.

LDAP AuthenticationCopy link to this section

Caché supports authentication based on LDAP (the Lightweight Directory Access Protocol). With LDAP authentication, Caché retrieves user information from a central LDAP repository. Because an environment may already support LDAP authentication, such as with Windows Active Directory, an instance of Caché may be able to use LDAP for its authentication and simply fit into this larger infrastructure. For more details about LDAP authentication, see the chapter “Using LDAP Authentication.”

Delegated AuthenticationCopy link to this section

Caché supports the use of custom authentication mechanisms through what is known as “delegated authentication.” Delegated authentication occurs if an instance of Caché has a ZAUTHENTICATE routine in its %SYS namespace. If such a routine exists, Caché uses it to authenticate users, either with calls to new or existing code. For more details about delegated authentication, see the chapter “Using Delegated Authentication.”

Unauthenticated AccessCopy link to this section

You can configure any Caché service to operate without any authentication mechanism. This is known as unauthenticated access. Generally, if you configure Caché services to allow unauthenticated access, it is recommended there be unauthenticated access exclusively. If there is support for an authentication mechanism and then unauthenticated access if authentication fails, this is what is called cascading authentication, which is described in the section “Cascading Authentication”; the circumstances for using more than one authentication mechanism are described in the section “Using Multiple Authentication Mechanisms.”

About Local AccessCopy link to this section

With local access, the end-user is on the same machine as the Caché server. To gain access to the data, the user runs a private image of Caché that is reading from and writing to shared memory. If there are multiple local users, each has an individual copy of the Caché executable and all the executables point to the same shared memory. Because the user and the executable are on the same machine, there is no need to protect or encrypt communications between the two, since nothing is being passed from one executable to another. Because communications between the user and Caché go on within a single process, this is also known as in-process authentication.

Local access is available for:

• The terminal — The Terminal uses the %Service_Console service on Windows and the %Service_Terminal service on other operating systems.

• Callin — Callin uses the %Service_CallIn service.

About Client/Server AccessCopy link to this section

With client/server access, the Caché executable is the server and there is a client executable that can reside on a separate machine. Caché accepts a connection, possibly over a wire, from the client. This connection can use any language or protocol that Caché supports. These include:

• ActiveX — Uses %Service_Bindings

• C++ — Uses %Service_Bindings

• Caché Direct — Uses %Service_CacheDirect

• ComPort — Uses %Service_ComPort

• Java — Uses %Service_Bindings

• JDBC — Uses %Service_Bindings

• ODBC — Uses %Service_Bindings

• Perl — Uses %Service_Bindings

• Python — Uses %Service_Bindings

• Telnet — Uses %Service_Telnet

All connection tools support authentication through Kerberos or Caché login except %Service_ComPort, which only supports authentication through Caché login.

In each case, the server specifies the supported authentication type(s). When the client initiates contact with the server, it must attempt to use one of these supported types; otherwise, the connection attempt is rejected. Not all authentication types are available for all connection tools.

About Web AccessCopy link to this section

The web access mode supports connections of the following form:

1. A user requests content or an action in a Web browser.

2. The Web browser passes along the request to the Web server.

3. The Web server is co-located with the CSP Gateway and passes the request to the Gateway.

4. The Gateway passes the request to the Caché server.

When the Caché server provides content for or performs an action relating to the user, the entire process happens in the other direction.

For the user to authenticate to Caché, a username and password must be passed down the line. Hence, this access mode is also known as a proxy mode or proxy connection. Once the information reaches the Caché machine, the arrangement between user and server is similar to that in the local access mode. In fact, the web access mode also uses in-process authentication.

About Kerberos and the Access ModesCopy link to this section

Each connection tool uses a service to establish communications with Caché. It also uses a particular access mode. To ensure maximum protection, determine which services you need, based on which connection tools you are using. If you are not using a service, disable it.

The following is a list of connection tools, their access modes, and their services:

Web

When running a web application (using either CSP or Zen), the user does not interact directly with the Caché server. To protect all information from monitoring, you need to encrypt the connections between the user and Caché as follows:

• Configure the Web server so that it uses SSL to secure browser connections to it.

• Co-locate the Web server and the CSP Gateway, so there is no need to secure the connection between them.

• Configure the CSP Gateway to use Kerberos authentication and encryption. Use the Gateway’s Kerberos principal to establish such a connection.

This applies to both CSP and Zen, since Zen uses CSP for its underlying connection.

The architecture is:

Architecture of a Kerberos-Protected Web Connection

Any communications between the end-user and Caché occurs through SSL-encrypted or Kerberos-encrypted pipes. For Kerberos-secured connections, this includes the end-user’s Kerberos authentication.

Because the Caché server cannot prompt the end-user for a password, it invokes an API that sends HTML content to the browser to prompt. The user completes this form that has been sent; it travels back to the Web server, which hands it to the CSP Gateway, which then hands it to the CSP server (which is part of Caché itself). The CSP server acts as a proxy on behalf of the user at the browser; this is why this kind of a connection is known as a proxy connection. At the same time, all information related to the user resides on the server machine (as with the local access mode); hence a web connection is also a form of in-process authentication.

Specifying Connection Security LevelsCopy link to this section

Client/server connections to Caché use one of the following services:

• %Service_Bindings — ActiveX, C++, Java, JDBC, ODBC, Perl, Python

• %Service_CacheDirect — Caché Direct

• %Service_Telnet — Telnet

For any Kerberos connection using one of these services, you must specify the connection security levels which the server accepts. To configure the service’s supported connection security levels, the procedure is:

1. On the Authentication/CSP Session Options page (System Administration > Security > System Security > Authentication/CSP Session Options), specify which connection security levels to enable for the entire Caché instance, where these can be:

   • Kerberos — Initial authentication only

   • Kerberos with Packet Integrity — Initial authentication and packet integrity

   • Kerberos with Encryption — Initial authentication, packet integrity, and encrypting all messages

   For more information on the Authentication Options page, see the section “Authentication Options” in the chapter “System Management and Security.”

2. On the Services page (System Administration > Security > Services), click the service name (in the Name column); this displays the Edit Service page for the service.

3. On the Edit Service page, specify which connection security levels to require as part of a Kerberos connection. After making this selection, click Save.

If a client attempts to connect to the server using a lower level of security than that which is specified for the server, then the connection is not accepted. If a client attempts to connect to the server using a higher level of security than that which is specified for the server, then the server connection attempts to perform authentication using the level of security that it specified.

Setting Up a ClientCopy link to this section

When using the client/server access mode, you need to configure the client. The particulars of this process depend on the connection technology being used.

Obtaining User CredentialsCopy link to this section

For all access modes, you need to specify whether the application obtains the user’s credentials from an existing credentials cache or by prompting for a username and password.

Obtaining Credentials for Client/Server Access Mode

For client/server access mode, the user’s credentials reside on the machine that hosts the client application. In this case, the manner in which you specify how to obtain credentials varies according to how the client is connecting:

• ActiveX, Caché Direct, C++, ODBC, Perl, Python, and Telnet

• Java and JDBC

ActiveX, Caché Direct, C++, ODBC, Perl, Python, and Telnet

The underlying Caché code used by these connection tools assumes that end-users already have their credentials; no prompting is necessary.

On Windows, every user logged on in the domain has a credentials cache.

On other operating systems, a user has a credentials cache if the operating system has performed Kerberos authentication for the user, or if the user has explicitly run kinit. Otherwise, the user has no credentials in the cache and the connection tool fails authentication.

Note:

Not all connection tools are available on all operating systems.

Java and JDBC

When using Java and JDBC, there are two different implementations of Java available — either Sun or IBM. These have several common behaviors and several differing behaviors.

Both implementations store information about a connection in properties of an instance of the java.util.Properties class. These properties are:

• user — The name of the user who is connecting to the Caché server. This value is only set for certain connection behaviors.

• password — That user’s password. This value is only set for certain connection behaviors.

• service principal name — The Kerberos principal name for the Caché server. This value is set for all connection behaviors.

• connection security level — The type of protection that Kerberos provides for this connection. 1 specifies that Kerberos is used for authentication only; 2 specifies that Kerberos is used for authentication and to ensure the integrity of all packets passed between client and server; and 3 specifies that Kerberos is used for authentication, packet integrity, and to encrypt all messages. This value is set for all connection behaviors.

In the following discussions, the instance of the java.util.Properties class is referred to as the connection_properties object, where the value of each of its properties is set with a call to the connection_properties.put method, such as

 String principalName = "MyCacheServer";
 connection_properties.put("service principal name",principalName);

Copy code to clipboard

For both implementations, credentials-related behavior is determined by the value of a parameter in the isclogin.conf file (see “Setting Up a Java or JDBC Client for Use with Kerberos” for more information on this file).

There are two differences between the behavior of the two Java implementations:

• To specify credentials-related behavior, the parameter name to set in the isclogin.conf file differs for each implementation:

  • For IBM, it is useDefaultCcache.

  • For Sun, it is useTicketCache.

• There are different behaviors available on each implementation. These are described in the following sections.

Specifying Behavior on a Client Using the IBM Implementation

The options are:

• To use a credentials cache, set the value of the useDefaultCcache parameter to TRUE and do not set the values of the user or password properties. Note that if no credentials cache is available, then an exception is thrown.

• To use a username and password that are passed in programmatically, set the value of the useDefaultCcache parameter to FALSE and set the values of the user and password properties.

• To prompt for a username and password, set the value of the useDefaultCcache parameter to FALSE and do not set the values of the user or password properties. Because these properties do not have values set, classes from libraries supplied with Caché can be used to generate prompts for them.

Specifying Behavior on a Client Using the Sun Implementation

The options are:

• To exclusively use a username and password that are passed in programmatically, set the value of the useTicketCache parameter to FALSE and set the values of the user and password properties.

• To exclusively prompt for a username and password, set the value of the useTicketCache parameter to FALSE and do not set the values of the user or password properties. Because these properties do not have values set, classes from libraries supplied with Caché can be used to generate prompts for them.

• To exclusively use a credentials cache, set the value of the useTicketCache parameter to TRUE. To prevent any further action, set the values of the user and password properties to bogus values; this prevents prompting from occurring and ensures the failure of any authentication attempt based on the properties’ values.

• To attempt to use a credentials cache and then fall through to using a username and password that are passed in programmatically, set the value of the useTicketCache parameter to TRUE and set the values of the user and password properties. If there is no credentials cache, then the properties’ values are used.

• To attempt to use a credentials cache and then fall through to prompting for a username and password, set the value of the useTicketCache parameter to TRUE and do not set the values of the user or password properties. If there is no credentials cache, then classes from libraries supplied with Caché can be used to generate prompts for them.

Setting Up a Secure Channel for a Web ConnectionCopy link to this section

To maximally secure a web connection, it is recommended that the two legs of communication — both between the browser and the Web server and then between the CSP Gateway and Caché — use secure channels. This ensures that any information, such as Kerberos usernames and passwords, be protected in transmission from one point to another. To secure each communications channel, the procedure is:

• Between the Web browser and Web server

• Between the CSP Gateway and Caché

A Note on %Service_ConsoleCopy link to this section

Since the console (%Service_Console) is a Windows-based service and Windows domain logins typically use Kerberos, console’s OS-based authentication provides authentication for local logins.

A Note on %Service_CallinCopy link to this section

With callin (%Service_Callin), OS-based authentication is only available from an OS-level prompt. When using callin programmatically, OS-based authentication is not supported — only unauthenticated access is available.

WebCopy link to this section

For web access, you can optionally require that the CSP Gateway authenticate itself to the Caché server through Caché login. To perform this configuration, the procedure is:

1. From the Management Portal home page, go to the Web Gateway Management page (System Administration > Configuration > CSP Gateway Management).

2. On the Web Gateway management page, there are a set of choices on the left. Under Configuration, click Server Access. This displays the Server Access page.

3. On the Server Access page, you can add a new configuration or edit an existing one. To add a new configuration, click the Add Server button; to edit an existing one, select it from the list on the left, select the Edit Server radio button, and click Submit. This displays the page for editing or configuring server access parameters. In addition to the general parameters on this page (described on its help screen), this page allows you to specify security-related parameters for the Gateway. For Caché login connections, these are:

   • Connection Security Level — Choose Password from the drop-down list to use Caché login.

   • User Name — The user name under which the Gateway service runs (the installation process creates the CSPSystem user for this purpose). This user (CSPSystem or any other) should have no expiration date; that is, its Expiration Date property should have a value of 0.

   • Password — The password associated with the user account just entered.

   • Product — Caché or Ensemble, depending on which product you are using.

   • Service Principal Name — Do not specify a value for this. (This field is used when configuring the Gateway for use with Kerberos.)

   • Key Table — Do not specify a value for this. (This field is used when configuring the Gateway for use with Kerberos.)

   After entering all these values, click the Save Configuration button to save them.

It is important to remember that the authentication requirements for the Gateway are not directly related to those for an application that uses the Gateway. For example, you can require Caché login as the authentication mechanism for a web application, while configuring the Gateway to use Kerberos authentication — or no authentication at all. In fact, choosing a particular authentication mechanism for the Gateway itself makes no technical requirement for the web application, and vice versa. At the same time, some pairings are more likely to occur than others. If a web application uses Kerberos authentication, then using any other form of authentication for the Gateway means that Kerberos authentication information will be flowing through an unencrypted channel, thereby potentially reducing its effectiveness.

With a web application that uses Caché login, the username and password of the end-user are passed from the browser to the Web server, which then hands them to the co-located CSP Gateway. Since the Gateway has its own connection to the Caché server, it then passes the username and password to the Caché server. To establish its connection to the Caché server, the Gateway uses the CSPSystem account, which is one of the Caché predefined accounts.

By default, all these transactions are unencrypted. You can use SSL to encrypt messages from the browser to the Web server. You can use Kerberos to encrypt messages from the Gateway to the Caché server as described in the section “Setting Up a Secure Channel for a CSP Connection”; if you are not using Kerberos, you may prefer to physically secure the connection between the host machines, such as by co-locating the Gateway and Caché server machines in a locked area with a direct physical connection between them.

ODBCCopy link to this section

Caché supports Caché login for ODBC connections among all its supported platforms. This requires client-side configuration. The ways of configuring client behavior vary by platform:

• On non-Windows platforms, use the Caché ODBC initialization file to specify name-value pairs that provide connection information . This file is described generally in Using Caché ODBC. The file has the following variables relevant to Caché login:

  • Authentication Method — Specifies how the ODBC client authenticates to the DSN. 0 specifies Caché login; 1 specifies Kerberos.

  • UID — Specifies the name for the default user account for connecting to the DSN. At runtime, depending on application behavior, the end-user may be permitted to override this value with a different user account.

  • Password — Specifies the password associated with the default user account. If the end-user has been permitted to override the UID value, the application will accept a value for the newly specified user’s password.

• On a Windows client, you can specify connection information either through a GUI or programmatically:

  • Through a GUI, there is an ODBC DSN configuration dialog. Caché provides options on the System DSN tab. This screen has associated help that describes its fields. The path from the Windows Start menu to display this screen varies by version of Windows; it may be listed in the Windows Control Panel, under Administrative Tools, on the screen for Data Sources (ODBC).

  • Programmatically, the SQLDriverConnect function is available, which accepts a set of name-value pairs. SQLDriverConnect is a C call that is part of the ODBC API and is documented at the Microsoft Web site. Its name-value pairs are the same as those for the initialization file available on non-Windows platforms, except that the password is identified with the PWD keyword.

Telnet and Caché DirectCopy link to this section

When establishing a connection using Caché Direct and the Caché Telnet server for Windows, the client uses configuration information that has been stored as part of a Caché remote server. To configure a remote server, go to the client machine. On that machine, the procedure is:

1. Click on the Caché cube and select Preferred Server from the menu (the Preferred Server choice also displays the name of the current preferred server).

2. From the submenu that appears, choose Add/Edit.

3. To create a new remote server, click the Add button; to configure an already-existing server, choose the Caché server to which you are connecting and click the Edit button.

4. This displays the Add Connection dialog. In the Authentication Method area on that dialog, click Password for Caché login.

5. If you are editing the values for an already-existing server, there should be no need to change or add values for the more general fields in this dialog, as they are determined by the server that you chose to edit.

   If you are adding a new server, the fields to complete are described in the section “Define a Remote Server Connection” of the “Connecting to Remote Servers” chapter of the Caché System Administration Guide.

6. Click OK to save the specified values and dismiss the dialog.

Overview of Setting Up Two-Factor AuthenticationCopy link to this section

The major steps to setting up two-factor authentication are:

1. Enable and configure two-factor authentication for the instance as a whole. You can configure the instance to use SMS text authentication, TOTP authentication, or both. For details about TOTP authentication, see the “Two-Factor TOTP Overview” section.

2. For SMS text authentication, configure the mobile phone service provider(s), if necessary. This includes:

   • Adding any mobile phone service providers if any are required and are not included in the list of default providers.

   • Changing configuration information as necessary for any existing providers (default or added).

3. Configure the service, as appropriate:

   • %Service_Bindings — Enable two-factor authentication for the service and continue to the next step.

   • %Service_Console and %Service_Terminal — Simply enable two-factor authentication for the service. This is all that is required.

   • %Service_CSP — There is no central means of enabling two-factor authentication for %Service_CSP. Continue to the next step.

   You can enable either or both types of authentication for each service. For more information about services, see the “Services” chapter.

4. Configure client/server applications and web applications, as appropriate:

   1. For client/server applications (those that use %Service_Bindings), add the appropriate calls into the client application to support it; this is a programming task that varies according to the client-side component in use (for example, ODBC, JDBC, C++, Java, .NET, Python, or Perl).

      Important:

      Two-factor authentication is designed to receive a response from a human end-user in real time. If what the end-user considers a single session actually consists of multiple, sequential sessions, then the repeated prompting for the second factor may result in an unexpectedly difficult user experience. With client/server applications, the underlying protocol often causes clients to establish, disconnect, and reestablish connections repeatedly; such activity makes the use of two-factor authentication less desirable for this type of application.

   2. For web applications (those that use %Service_CSP), configure each application to support it.

   Note:

   For the Caché Terminal, which uses the %Service_Console service on Windows and the %Service_Terminal service on other operating systems, there is no configuration required other than server-side setup; since Caché controls the prompting in these, it simply follows the standard prompt (regardless of the authentication mechanism) with the two-factor authentication prompt and processes end-user input accordingly.

5. If you are using delegated authentication, modify the ZAUTHENTICATE.mac routine as required. See “Using Delegated Authentication” for more information.

6. Configure each end-user to enable SMS text authentication or TOTP authentication. An end-user can be configured to use both mechanisms, but cannot have both mechanisms enabled simultaneously.

Two-Factor TOTP OverviewCopy link to this section

Two-factor authentication using a time-based one-time password (TOTP) authentication works as follows:

1. As a requirement, each end-user must have either an authentication device or an application that generates such passwords. For example, end-users can use one of the following apps for mobile phones:

   • Google Authenticator, for Android, BlackBerry, or iPhone

   • Duo Mobile, for Android or iPhone

   • Amazon AWS MFA, for Android

   • Authenticator, for Windows Phone 7

2. When you configure an end-user for two-factor TOTP authentication, the system generates a secret key, which is displayed as a base-32 encoded randomized bit string. Caché and the end-user share this secret key (which is why it is known as a shared secret). Both Caché and the end-user’s authentication device or application use it to generate the TOTP itself, which serves as a verification code. The TOTP, which the end-user enters into a Verification code field or prompt, is a string of six digits, and a new one is generated at a regular interval (thirty seconds, by default).

3. At login time, after the end-user provides Caché with a password, Caché then additionally prompts for the TOTP. The end-user provides the TOTP, and then completes the login process.

The end-user can get the secret key from Caché in several ways:

• When you configure the end-user’s account to support two-factor TOTP authentication, the Edit User page for the end-user displays the end-user’s secret key, as well as the name of the issuer and the end-user’s account name. It also displays a QR code that includes all this information (a QR code is a machine-readable code such as the one pictured below). The end-user can then enter the information into an authentication device or an application by scanning the code or entering the information manually.

• If you choose to show the end-user their secret key during the login to a web application or the Terminal session (using %Service_Console or %Service_Terminal), you can enable this behavior by selecting the Display Time-Based One-time Password QR Code on next login field on the Edit User page. The Terminal session will then display the end-user’s issuer, account, and secret key. A web application will display the end-user’s issuer, account, and secret key, along with a QR code; here, the end-user can then scan the code or enter the information manually.

  Important:

  InterSystems does not recommend this option. See the following caution for more details.

Caution:

The following are critical security concerns when using two-factor TOTP authentication:

• Do not transmit the secret key or QR code in an unsecured environment. Out-of-band transmission is preferable to transmission even on a secure network. (The secret key gives an end-user the means to log into Caché or a Caché application. If you and your end-users do not ensure the secret key’s safety, then an attacker may gain access to it, which renders it useless for security.)

• When configuring two-factor TOTP authentication for your organization, InterSystems strongly recommends that you provide the secret key to each end-user in person or by phone, or that you have the end-user scan the QR code in the physical presence of an administrator. This provides the opportunity to authenticate the individual who obtains the secret key.

  Delivering the secret key over the network increases the possibility of exposing it. This includes displaying the secret key to the end-user when they first log into a web application, console, or the Terminal; this also includes displaying the QR code to the end-user when they first log into a web application.

A TOTP Issuer, Account, Key, and QR Code

Note:

If you are using two-factor TOTP authentication and wish to generate QR codes, Java 1.7 or higher must be running on the Caché server. Without Java, Caché can use two-factor TOTP authentication, but the end-user enters the values for the issuer, account, and key manually on the authentication device or in the application.

Configuring Two-Factor Authentication for the ServerCopy link to this section

The steps in configuring two-factor authentication for the Caché server are:

1. Enable and configure two-factor authentication for the instance as a whole. You can configure the instance to use SMS text authentication, TOTP authentication, or both.

2. For SMS text authentication, configure the mobile phone service provider(s), if necessary. This includes:

   • Adding any mobile phone service providers if any are required and are not included in the list of default providers.

   • Changing configuration information as necessary for any existing providers (default or added).

Enabling or Disabling Two-Factor Authentication for a ServiceCopy link to this section

To enable or disable two-factor authentication for %Service_Bindings, %Service_Console, and %Service _Terminal, procedure is:

1. From the Management Portal home page, go to the Services page (System Administration > Security > Services).

2. On the Services page, click the name of the service for which you wish to enable either form of two-factor authentication. This displays the Edit Service page for the service.

3. On the service’s Edit Service page, select or clear the Two-factor SMS check box, Two-factor Time-based One-time Password check box, or both. Note that each of these check boxes only appear if two-factor authentication is enabled for the instance.

4. Click Save.

Configuring Web Applications for Two-Factor AuthenticationCopy link to this section

Once you have enabled two-factor authentication for an instance, you must enable it for all web applications that will use it. The procedure to enable it for an application is:

1. From the Management Portal home page, go to the Web Applications page (System Administration > Security > Applications > Web Applications).

2. On the Web Applications page, for the application you wish to enable two-factor authentication, click the name of the application, which displays its Edit page.

3. On the Edit page, in the Security Settings section of the page, select or clear the Two-factor SMS check box, Two-factor Time-based One-time Password check box, or both. Note that each of these check boxes only appear if two-factor authentication is enabled for the instance.

For general information about the Edit Web Application page, see the “CSP Application Options” section of the “CSP Architecture” chapter of the Using Caché Server Pages (CSP) book.

Configuring an End-User for Two-Factor AuthenticationCopy link to this section

To configure an end-user to receive a one-time security token for two-factor authentication, the procedure is:

1. From the Management Portal home page, go to the Users page (System Administration > Security > Users):

2. For an existing user, click the name of the user to edit; for a new user, begin creating the user by clicking Create New User (for details about creating a new user, see the “Creating a New User” section of the “Users” chapter). Either of these actions displays the Edit page for the end-user.

3. On the Edit User page, select SMS text enabled or Time-based One-time Password enabled, as appropriate.

4. If you select SMS Text, you must complete the following fields:

   • Mobile phone service provider — The company that provides mobile phone service for the user. Either select a provider from those listed or, if the provider does not appear in the list, click Create new provider to add a new provider for the Caché instance. (Clicking Create a new provider displays the Create a New Mobile Phone Provider window, which has fields for the Service Provider and the SMS Gateway, the purpose of which are identical to those described in the section Creating or Editing a Mobile Phone Service Provider.)

   • Mobile phone number — The user’s mobile phone number. This is the second factor, and is where the user receives the text message containing the one-time security token.

5. If you select Time-based One-time Password enabled, the page displays the following fields and information:

   • Display Time-Based One-time Password QR Code on next login — Whether or not to display a QR code when the user next logs in. If selected, Caché displays the code at the next login and prompts the user to scan it into the authentication device or application, and then to provide the displayed token to complete the authentication process. By default, this option is not selected. InterSystems recommends that you do not use this option.

   • Generate a new Time-based One-time Password Key — Creates and displays both a new shared secret for the end-user and a new QR code.

     Important:

     If you generate a new time-based one-time password key for a user, the current key in the user’s authenticator application will no longer work. Before logging in, the user must enter the new key into the authenticator, either by scanning the QR code or by manually entering it. (This does not affect existing sessions.)

   • Issuer — The identifier for the Caché instance, which you established when configuring two-factor TOTP authentication for the instance.

   • Account — The identifier for the Caché account, which is the account’s username.

   • Base-32 Time-Based One-Time Password (OTP) Key — The secret key that the end-user enters into the authentication device or application.

   • QR Code — A scannable code that contains the values of the issuer, account, and secret key.

6. Click Save to save these values for the user.

If a service uses two-factor authentication and an end-user has two-factor authentication enabled, then authentication requires:

• For SMS text authentication, a mobile phone that is able to receive text messages on that phone.

• For TOTP authentication, an application or authentication device that can generate verification codes.

Otherwise, the end-user cannot authenticate:

• For SMS text authentication, the end-user must have a mobile phone and be able to receive text messages on that phone. This is the phone number at which the user receives a text message containing the one-time security token as an SMS text.

• For TOTP authentication, the user must have an authentication device or application that can either scan a QR code or that can accept the secret key and other information required to generate each TOTP (which serves as a verification code).

Configuring Bindings Clients for Two-Factor AuthenticationCopy link to this section

Client/server connections use %Service_Bindings. For these connections, the code required to use two-factor authentication varies by programming language. (Note that Console, the Terminal, and web applications do not require any client-side configuration.) Supported languages include:

• C++

• Java and JDBC

• .NET

• ODBC

• Perl

• Python

Client-side code performs three operations:

1. After establishing a connection to the Caché server, it checks if two-factor authentication is enabled on the server. Typically, this uses a method of the client’s connection object.

2. It gets the one-time security token from the user. This generally involves user-interface code that is not specifically related to Caché.

3. It provides the one-time security token to the Caché server. This also typically uses a connection object method.

C++Copy link to this section

With C++, support for two-factor authentication uses two methods of the tcp_conn class:

• bool tcp_conn::is_two_factor_enabled()

  Copy code to clipboard

  This method checks if two-factor authentication is enabled on the server. It returns a boolean; true means that two-factor authentication is enabled.

• bool tcp_conn::send_two_factor_token(const wchar_t* token, Conn_err* err)

  Copy code to clipboard

  This method provides the two-factor authentication token to the server. It returns a boolean; true means that the user has been authenticated. It takes two arguments:

  • token, the two-factor authentication token that the user has received. Note that the client application is responsible for obtaining the value of the token from the user.

  • err, an error that the method throws if the user does not successfully authenticate.

Important:

If two-factor authentication is enabled on the server and the client code does not implement two-factor authentication calls, then the server will drop the connection with the client.

The following example uses an instance of a connection called conn:

1. It uses that instance’s methods to check if two-factor authentication is enabled.

2. It attempts to provide the token to the server and performs error processing if this fails. Note that the sample code here assumes that the application code has stored the one-time security token in a variable of type std::string; it then uses the c_str method of the string class to extract the one-time security token as a null-terminated string to pass to the server.

// Given a connection called "conn"
if (conn->is_two_factor_enabled()) {
  // Prompt the user for the one-time security token.
  // Store the token in the "token" variable of type std::string.
  Conn_err err;
  if (!conn->send_two_factor_token(token.c_str(), &err;))
      // Process the error from a invalid authentication token here.
} 

Copy code to clipboard

Note:

The light C++ binding does not support two-factor authentication.

Java and JDBCCopy link to this section

With Java, support for two-factor authentication uses two methods of the CacheConnection class:

• public boolean isTwoFactorEnabled() throws Exception

  Copy code to clipboard

  This method checks if two-factor authentication is enabled on the server. It returns a boolean; true means that two-factor authentication is enabled.

• public void sendTwoFactorToken(String token) throws Exception

  Copy code to clipboard

  This method provides the one-time security token to the server. It takes one argument, token, the one-time security token that the user has received.

The following example uses an instance of a connection called conn:

1. It uses that instance’s methods to check if two-factor authentication is enabled.

2. It attempts to provide the token to the server and performs error processing if this fails.

Important:

If two-factor authentication is enabled on the server and the client code does not implement two-factor authentication calls, then the server will drop the connection with the client.

// Given a connection called "conn"
if (conn.isTwoFactorEnabled()) {
  // Prompt the user for the two-factor authentication token.
  // Store the token in the "token" variable.
  try {
    conn.sendTwoFactorToken(token); 
  } 
  catch (Exception ex) {
    // Process the error from a invalid authentication token here.
  }
}

Copy code to clipboard

.NETCopy link to this section

For .NET, Caché supports connections with two-factor authentication with the managed provider and with ADO.NET. Support for two-factor authentication uses two methods of the tcp_conn class:

• bool CacheConnection.isTwoFactorEnabledOpen()

  Copy code to clipboard

  This method opens a connection to the Caché server and checks if two-factor authentication is enabled there. It returns a boolean; true means that two-factor authentication is enabled.

• void CacheConnection.sendTwoFactorToken(token)

  Copy code to clipboard

  This method provides the one-time security token to the server. It has no return value. It takes one argument, token, the one-time security token that the user has received. If there is a problem with either the token (such as if it is not valid) or the connection, then the method throws an exception.

Important:

A client application makes a call to isTwoFactorEnabledOpen instead of a call to CacheConnection.Open. The isTwoFactorEnabledOpen method requires a subsequent call to sendTwoFactorToken.

Also, if two-factor authentication is enabled on the server and the client code does not implement two-factor authentication calls, then the server will drop the connection with the client.

The following example uses an instance of a connection called conn:

1. It uses that instance’s methods to check if two-factor authentication is enabled.

2. It attempts to provide the token to the server and performs error processing if this fails.

// Given a connection called "conn"
try {
  if (conn.isTwoFactorEnabledOpen()) {
    // Prompt the user for the two-factor authentication token.
    // Store the token in the "token" variable.
    conn.sendTwoFactorToken(token);
  }
}
catch (Exception ex) {
  // Process exception
}

Copy code to clipboard

ODBCCopy link to this section

With ODBC, support for two-factor authentication uses two standard ODBC function calls (which are documented in the Microsoft ODBC API Reference):

• SQLRETURN rc = SQLGetConnectAttr(conn, 1002, &attr, sizeof(attr), &stringLengthPtr);

  Copy code to clipboard

  The SQLGetConnectAttr function, part of the Microsoft ODBC API, returns the current value of a specified connection attribute. The Caché ODBC client uses this function to determine if the server supports two-factor authentication. The value of the first argument is a handle to the connection from the client to the server; the value of the second argument is 1002, the ODBC attribute that specifies whether or not two-factor authentication is supported; the values of the subsequent arguments are for the string containing the value of attribute 1002, as well as relevant variable sizes.

• SQLRETURN rc = SQLSetConnectAttr(conn, 1002, unicodeToken, SQL_NTS);

  Copy code to clipboard

  The SQLSetConnectAttr function, also part of the Microsoft ODBC API, sets the value of a specified connection attribute. The Caché ODBC client uses this function to send the value of the two-factor authentication token to the server. The values of the four arguments are, respectively:

  • The connection from the client to the server.

  • 1002, the ODBC attribute that specifies whether or not two-factor authentication is supported.

  • The value of the one-time security token.

  • SQLNTS, which indicates that the one-time security token is stored in a string.

Important:

If two-factor authentication is enabled on the server and the client code does not implement two-factor authentication calls, then the server will drop the connection with the client.

The following example uses an instance of a connection called conn:

1. It uses SQLGetConnectAttr to check if two-factor authentication is enabled.

2. It attempts to provide the token to the server with the SQLSetConnectAttr call and performs error processing if this fails. If SQLSetConnectAttr fails, the server drops the connection, so you need to reestablish the connection before you can attempt authentication again.

// Given a connection called "conn"
SQLINTEGER stringLengthPtr;
SQLINTEGER attr;  
SQLRETURN rc = SQLGetConnectAttr(conn, 1002, &attr, sizeof(attr), &stringLengthPtr);
if attr {
  // Prompt the user for the two-factor authentication token.
  wstring token;
  SQLRETURN rc = SQLSetConnectAttr(conn, 1002, token, SQL_NTS);
    if !rc {
      // Process the error from a invalid authentication token.
    }
} 

Copy code to clipboard

PerlCopy link to this section

With Perl, support for two-factor authentication uses two methods of the Intersys::PERLBIND::Connection class:

• is_two_factor_enabled()

  Copy code to clipboard

  This method checks if two-factor authentication is enabled on the server. It returns a integer; 1 means that two-factor authentication is enabled and 0 means that it is disabled.

• send_two_factor_token($token)

  Copy code to clipboard

  This method provides the two-factor authentication token to the server. It returns a integer; 1 indicates success and 0 indicates failure. Its argument, $token, is the two-factor authentication token that the user has received and then entered at the client prompt. Note that the client application is responsible for obtaining the value of the token from the user.

Important:

If two-factor authentication is enabled on the server and the client code does not implement two-factor authentication calls, then the server will drop the connection with the client.

The following example uses an instance of a connection called conn:

1. It uses that instance’s methods to check if two-factor authentication is enabled.

2. It attempts to provide the token to the server and performs error processing if this fails.

// Given a connection called "conn"
if ($conn->is_two_factor_enabled()) {
  # Prompt the user for the one-time security token.
  # Store the token in the "token" variable of type std::string.
  if (!$conn->send_two_factor_token($token)) {
    # Process the error from a invalid authentication token here.
  } else {
    # two-factor authentication succeeded
} 
else {
  # Handle if two-factor authentication is not enabled on the server.
}

Copy code to clipboard

Caché comes with sample programs that demonstrate two-factor authentication with Perl. These programs are in the install-dir\dev\perl\ directory, and are samples\two_factor.pl. For more information on Perl sample programs for use with Caché, see the “Sample Programs” section of the “Caché Perl Binding” chapter of Using Perl with Caché.

PythonCopy link to this section

With Python, support for two-factor authentication uses two methods of the intersys.pythonbind.connection class:

• is_two_factor_enabled()

  Copy code to clipboard

  This method checks if two-factor authentication is enabled on the server. It returns a boolean; true means that two-factor authentication is enabled.

• send_two_factor_token(token)

  Copy code to clipboard

  This method provides the two-factor authentication token to the server. It returns a boolean; true means that the user has been authenticated. It takes one argument, token, the two-factor authentication token that the user has received. Note that the client application is responsible for obtaining the value of the token from the user.

  Note:

  Python leaves carriage returns in input. This means that, when processing the one-time security token, it is necessary to strip any carriage returns out of it.

Important:

If two-factor authentication is enabled on the server and the client code does not implement two-factor authentication calls, then the server will drop the connection with the client.

The following example uses an instance of a connection called conn:

1. It uses that instance’s methods to check if two-factor authentication is enabled.

2. It attempts to provide the token to the server and performs error processing if this fails.

// Given a connection called "conn"
if conn.is_two_factor_enabled():
  # Prompt the user for the one-time security token.
  # Store the token in the "token" variable of type std::string.
  # Make sure that the carriage returns are stripped from the string.
  if !conn.send_two_factor_token(token):
    # Process the error from a invalid authentication token here.
  else:
    # two-factor authentication succeeded
else:
  # Handle if two-factor authentication is not enabled on the server.

Copy code to clipboard

Caché comes with sample programs that demonstrate two-factor authentication with Python. These programs are in the install-dir\dev\Python\ directory; they are samples\two_factor.py for Python 2.6 and samples3\two_factor.py for Python 3.0. For more information on Python sample programs for use with Caché, see the “Sample Programs” section of the “Caché Python Binding” chapter of Using Python with Caché.

System Variables and AuthenticationCopy link to this section

After authentication, two variables have values:

• $USERNAME contains the username

• $ROLES contains a comma-delimited list of the roles held by the user

The $ROLES variable allows you to manage roles programmatically. For more information on this, see the section “Programmatically Managing Roles” in the “Roles” chapter.

Using Multiple Authentication MechanismsCopy link to this section

The one situation in which InterSystems recommends the use of multiple authentication mechanisms is when moving from a less rigorous mechanism to a more rigorous one. For example, if an instance has been using no authentication and plans to make a transition to Kerberos, the following scenario might occur:

1. For the transition period, configure all supported services to allow both unauthenticated and Kerberos-authenticated access. Users can then connect using either mechanism.

2. If appropriate, install new client software (which uses Kerberos for authentication).

3. Once the list of Caché users has been synchronized with that in the Kerberos database, shut off unauthenticated access for all services.

The use of multiple authentication mechanisms is often in conjunction with cascading authentication, described in the next section.

Cascading AuthenticationCopy link to this section

While Caché supports for a number of different authentication mechanisms, InterSystems recommends that you do not use any other password-based authentication mechanism along with Kerberos. Also, there are limited sets of circumstances when it is advisable for an instance to have multiple authentication mechanisms in use.

If a service supports multiple authentication mechanisms, Caché uses what is called “cascading authentication” to manage user access. With cascading authentication, Caché attempts to authenticate users via the specified mechanisms in the following order:

• Kerberos cache (includes Kerberos with or without integrity-checking or encryption)

• OS-based

• LDAP (with checking the LDAP credentials cache second)

• Delegated

• Caché login

• Unauthenticated

For example, if a service supports authentication through:

1. Kerberos cache

2. OS-based

3. Unauthenticated

If a user attempts to connect to Caché, then there is a check if the user has a Kerberos ticket-granting ticket; if there is such a ticket, there is an attempt to obtain a service ticket for Caché. If this succeeds, the user gets in. If either there is no initial TGT or a Caché service cannot be obtained, authentication fails and, so, cascades downward.

If the user has an OS-based identity that is in the Caché list of users, then the user gets in. If the user’s OS-based identity is not in the Caché list of users, then authentication fails and cascades downward again.

When the final option in cascading authentication is unauthenticated access, then all users who reach this level gain access to Caché.

Establishing Connections with the UnknownUser AccountCopy link to this section

If Caché login and unauthenticated mode are both enabled, then a user can simply press Enter at the Username and Password prompts to connect to the service in unauthenticated mode, using the UnknownUser account. If only Caché login is enabled, then pressing Enter at the Username and Password prompts denies access to the service; Caché treats this as a user attempting to log in as the UnknownUser account and providing the wrong password.

Programmatic LoginsCopy link to this section

In some situations, it may be necessary for a user to log in after execution of an application has begun. For example, an application may offer some functionality for unauthenticated users and later request the user to log in before some protected functionality is provided.

An application can call the Caché log in functionality through the Login method of the $SYSTEM.Security class with the following syntax:

 set success = $SYSTEM.Security.Login(username,password)

Copy code to clipboard

where

• success is a boolean where 1 indicates success and 0 indicates failure

• username is a string holding the name of the account logging in

• password is a string holding the password for the username account

If the username and password are valid and the user account is enabled and its expiration date has not been reached, then the user is logged in, $USERNAME and $ROLES are updated accordingly, and the function returns 1. Otherwise, $USERNAME and $ROLES are unchanged and the function returns 0.

No checking of privileges occurs as a result of executing $SYSTEM.Security.Login. As a result, it is possible that the process has lost privileges that were previously held.

There is also a one-argument form of $SYSTEM.Security.Login:

 set success = $SYSTEM.Security.Login(username)

Copy code to clipboard

It behaves exactly the same as the two-argument form except that no password checking is performed. The single-argument form of $SYSTEM.Security.Login is useful when applications have performed their own authentication and want to set the Caché user identity accordingly. It can also be used in situations where a process is executing on behalf of a specific user but is not started by that user.

The JOB Command and Establishing a New User IdentityCopy link to this section

When a process is created using the JOB command, it inherits the security characteristics (that is, the values of $USERNAME and $ROLES) of the process that created it. Note that all roles held by the parent process, User as well as Added, are inherited.

In some cases, it is desirable for the newly created process to have $USERNAME and $ROLES values that are different from its parent’s values. For example, a task manager might be created to start certain tasks at certain times on behalf of certain users. While the task manager itself would likely have significant privileges, the tasks should run with the privileges of the users on whose behalf they are executing, not with the task manager’s privileges.

The following pseudocode illustrates how this can be done:

WHILE ConditionToTest {
    IF SomeThingToStart {
        DO Start(Routine, User)
    }
}

Start(Routine, User) {
    NEW $ROLES    // Preserve $USERNAME and $ROLES

    // Try to change username and roles
    IF $SYSTEM.Security.Login(User) {
        JOB ...
        QUIT $TEST
    }
    QUIT 0       // Login call failed
}

Copy code to clipboard