
Preparing for Caché Security

The material in this section is intended for those using Caché security features. For an overview of those features, especially the authentication and authorization options, review the “Introduction” to the Caché Security Administration Guide. This material can help you select the security level for your site, which determines the required tasks to prepare the security environment before installing Caché.

This section covers the following topics:

Important:

If your security environment is more complex than those this document describes, contact the InterSystems Worldwide Response Center (WRC) for guidance in setting up such an environment.

Preparing the Security Environment for Kerberos

These sections describe the installation preparation for three types of environments:

  1. Windows-only Environment

    This configuration uses a Windows domain controller for KDC functionality with Caché servers and clients on Windows machines. A domain administrator creates domain accounts for running the Caché services on Caché servers.

    See the Creating Service Accounts on a Windows Domain Controller for Windows Caché Servers section for the requirements of using Windows Caché servers. Depending on the applications in use on your system, you may also need to perform actions described in the Configuring Windows Kerberos Clients section.

  2. Mixed Environment Using a Windows Domain Controller

    This configuration uses a Windows domain controller with Caché servers and clients on a mix of Windows and non-Windows machines. See the following sections for the requirements for using both Windows and non-Windows Caché servers:

  3. Non-Windows Environment

    This configuration uses a native Kerberos KDC on UNIX® or macOS, with Caché servers and clients all on non-Windows machines. See the following two sections for the requirements for using a UNIX® or macOS KDC and Caché servers:

All Caché-supported platforms have versions of Kerberos supplied and supported by the vendor; see the appropriate operating system documentation for details. If you choose to use Kerberos, you must have a Kerberos key distribution center (KDC) or a Windows domain controller available on your network. Microsoft Windows implements the Kerberos authentication protocol by integrating the KDC with other security services running on the domain controller.

A Note on Terminology

This document refers to related, but distinct entities:

  • Service account — An entity within an operating system, such as Windows, that represents a software application or service.

  • Service principal — A Kerberos entity that represents a software application or service.

Creating Service Accounts on a Windows Domain Controller for Windows Caché Servers

Before installing Caché in a Windows domain, the Windows domain administrator must create a service account for each Caché server instance on a Windows machine using the Windows domain controller.

Account Characteristics

When you create this account on the Windows domain controller, configure it as follows:

  • Set the account's Password never expires property.

  • Make the account a member of the Administrators group on the Caché server machine.

  • Add the account to the Log on as a service policy.

Important:

If a domain-wide Log on as a service policy is in effect (for example, through Group Policy), it takes precedence over the local policy, so you must add this service account to the domain-wide policy for Caché to function properly.

Names and Naming Conventions

In an environment where clients and servers are exclusively on Windows, there are two choices for naming service principals:

  • Follow the standard Kerberos naming conventions. This ensures compatibility with any non-Windows systems in the future.

  • Use any unique string.

Each of these choices involves a slightly different process of configuring a connection to a server as described in the following sections.

Names That Follow Kerberos Conventions

For a name that follows Kerberos conventions, the procedure is:

  1. Run the Windows setspn command to register the service principal name on the domain service account created above, specifying the name in the form service_principal/fully_qualified_domain_name, where service_principal is typically cache and fully_qualified_domain_name is the fully qualified name of the server machine (the machine name along with its domain). For example, a service principal name might be cache/cacheserver.example.com. For detailed information on the setspn tool, see the Setspn page in the Microsoft documentation.

  2. In the Caché Server Manager dialog for adding a new preferred server, choose Kerberos. What you specify for the Service Principal Name field should match the principal name specified in setspn.

For detailed information on configuring remote server connections, see the “Connecting to Remote Servers” chapter of the Caché System Administration Guide.

Names That Are Unique Strings

For a name that uses any unique string, the procedure is:

  1. Choose a name for the service principal.

  2. In the Caché Server Manager dialog for adding a new preferred server, choose Kerberos. Specify the selected name for the service principal in the Service Principal Name field.

If you decide not to follow Kerberos conventions, a suggested naming convention for each account representing a Caché server instance is “cacheHOST”, which is the literal, cache, followed by the host computer name in uppercase. For example, if you are running a Caché server on a Windows machine called WINSRVR, name the domain account cacheWINSRVR.

For more information on configuring remote server connections, see the “Connecting to Remote Servers” chapter of the Caché System Administration Guide for the detailed procedure.

Creating Service Accounts on a Windows Domain Controller for Non-Windows Caché Servers

Before you install Caché in a Windows domain, you need to create a service account on the Windows domain controller for each Caché server on a non-Windows machine. Create one service account for each machine, regardless of the number of Caché server instances on that machine.

A suggested naming convention for these accounts is “cacheHOST,” which is the literal, cache, followed by the host computer name in uppercase. For example, if you run a Caché server on a non-Windows machine called UNIXSRVR, name the domain account cacheUNIXSRVR. For Caché servers on non-Windows platforms, this is the account that maps to the Kerberos service principal.

Important:

When you create this account on the Windows domain controller, Caché requires that you set the Password never expires property for the account.

To set up a non-Windows Caché server in the Windows domain, it must have a keytab file from the Windows domain. A keytab file contains the service principal name for the Caché server together with that principal's long-term key; anyone who can read it can act as the service, so it is handled with the file characteristics described below.

To accomplish this, map the Windows service account (cacheUNIXSRVR, in this example) to the service principal used on the Caché server and generate that principal's key with the ktpass command-line tool on the domain controller; this is available as part of the Windows support tools from Microsoft.

The command maps the Kerberos service principal that the UNIX®/Linux Caché server presents to the domain account just set up, and writes the key for that principal to a keytab. The command must specify the following parameters:

Parameter   Description
/princ      The principal name, in the form cache/<fully qualified hostname>@<kerberos realm>.
/mapuser    The name of the account created, in the form cache<HOST>.
/pass       The password specified during account creation.
/crypto     The encryption type to use (use the default unless specified otherwise).
/out        The keytab file to generate. Transfer it to the Caché server machine and replace, or merge it with, the existing keytab file there.

Important:

The principal name on UNIX®/Linux platforms must take the form shown in the table with the literal cache as the first part.

Once you have generated a key file, move it to a file on the Caché server with the key file characteristics described in the following section.

Creating Service Principals on a KDC for Non-Windows Caché Servers

In a non-Windows environment, you must create a service principal for each UNIX®/Linux or macOS Caché server that uses a UNIX®/Linux or macOS KDC. The service principal name is of the form cache/<fully qualified hostname>@<kerberos realm>.

Key File Characteristics

Once you have created this principal, extract its key to a key file on the Caché server with the following characteristics:

  • On most versions of UNIX®, the pathname is install-dir/mgr/cache.keytab. On macOS and SUSE Linux, the pathname is /etc/krb5.keytab.

  • It is owned by the user that owns the Caché installation and the group cacheusr.

  • Its permissions are 640.
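
The ktpass step on the domain controller, the transfer and merge of the resulting keytab, and the file characteristics listed above, brought together in one added example. This is not InterSystems' code or part of the original page; it assumes MIT Kerberos utilities (klist, ktutil) on the Caché server, and the hostname unixsrvr.example.com, realm EXAMPLE.COM, install directory /opt/cache, install owner cacheowner and account cacheUNIXSRVR are placeholders. The /ptype parameter shown for ktpass is not in the table above.

```sh
#!/bin/sh
# Added example, not InterSystems' code: install a Caché service keytab on a
# UNIX/Linux Caché server and verify the file characteristics the text requires.
# Assumes MIT Kerberos tools (klist, ktutil). Hostname, realm, paths and the
# account name are placeholders.

# Step on the Windows domain controller (shown only, not run here): generate
# the keytab for the mapped account. /ptype is not in the text's table but is
# the usual companion of /princ; the /crypto default depends on the Windows
# version, so prefer an AES type over RC4 where the domain allows it.
#
#   ktpass /princ cache/unixsrvr.example.com@EXAMPLE.COM /mapuser cacheUNIXSRVR
#          /pass * /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /out cache.keytab

# The principal name the Caché server expects: the literal "cache", a slash,
# the fully qualified hostname, "@" and the realm. Returns 0 for that exact form.
check_principal_form() {
    printf '%s\n' "$1" |
        grep -Eq '^cache/[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+@[A-Za-z0-9.-]+$'
}

# Principals stored in a keytab, from the output of MIT "klist -k <file>" on
# stdin: the three header lines are skipped and the repeated lines for several
# key versions or encryption types are collapsed to one per principal.
principals_from_klist() {
    awk 'NR > 3 && NF >= 2 { print $2 }' | sort -u
}

# Merge the transferred keytab ($1) into the server keytab ($2), then set the
# ownership (install owner $3, group cacheusr) and mode 640 the text requires.
# ktutil's wkt appends to an existing file, so write a new file and rename it
# over the old one to avoid duplicate entries.
install_keytab() {
    src=$1; dst=$2; owner=$3
    {
        if [ -f "$dst" ]; then printf 'rkt %s\n' "$dst"; fi
        printf 'rkt %s\n' "$src"
        printf 'wkt %s.new\n' "$dst"
        printf 'quit\n'
    } | ktutil
    mv "$dst.new" "$dst"
    chown "$owner:cacheusr" "$dst"
    chmod 640 "$dst"
}

# Check the installed file: regular file, mode exactly 640, owner $2, group $3.
# Parsed from "ls -ld" so it works on GNU and BSD systems alike; a trailing
# "." or "+" after the mode (SELinux label, ACL) is ignored.
check_keytab_file() {
    file=$1; owner=$2; group=$3
    [ -f "$file" ] || return 1
    set -- $(ls -ld "$file")
    mode=$(printf '%s' "$1" | cut -c1-10)
    [ "$mode" = "-rw-r-----" ] && [ "$3" = "$owner" ] && [ "$4" = "$group" ]
}

# Typical use on the Caché server after copying cache.keytab from the DC:
#   check_principal_form cache/unixsrvr.example.com@EXAMPLE.COM || exit 1
#   install_keytab /tmp/cache.keytab /opt/cache/mgr/cache.keytab cacheowner
#   klist -k /opt/cache/mgr/cache.keytab | principals_from_klist
#   check_keytab_file /opt/cache/mgr/cache.keytab cacheowner cacheusr
```

After the merge, run klist -k on the result and pass it through principals_from_klist to confirm that exactly the principals you expect are present; a stray principal in the server keytab is a key you did not mean to hand to that host. On Heimdal the klist -k layout differs, so the awk field positions would need adjusting.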

Configuring Windows Kerberos Clients

If you are using Windows clients with Kerberos, you may also need to configure these so that they do not prompt the user to enter credentials. This is required if you are using a program that cannot prompt for credentials — otherwise, the program is unable to connect.

To configure Windows not to prompt for credentials, the procedure is:

  1. On the Windows client machine, start the registry editor, regedit.exe.

  2. Go to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters key.

  3. In that key, set the value of AllowTgtSessionKey (REG_DWORD) to 1. This setting lets applications running in the user's logon session retrieve the session key of the user's TGT, which is what allows a non-interactive Kerberos client to authenticate without prompting; because it exposes the TGT session key to every process in that session, set it only on clients that need it.

Testing Kerberos KDC Functions

When using Kerberos in a system of only non-Windows servers and clients, it is simplest to use a native UNIX®/Linux KDC rather than a Windows domain controller. Consult the vendor documentation on how to install and configure the KDC; these are usually tasks for your system administrator or system manager.

When installing Kerberos, there are two sets of software to install:

  • The KDC, which goes on the Kerberos server machine.

  • There also may be client software, which goes on all machines hosting Kerberos clients. This set of software can vary widely by operating system. Consult your operating system vendor documentation for what client software exists and how to install it.

After installing the required Kerberos software, you can perform a simple test using the kadmin, kinit, and klist commands to add a user principal to the Kerberos database, obtain a TGT (ticket-granting ticket) for this user, and list the TGT.

Once you successfully complete a test to validate that Kerberos is able to provide tickets for registered principals, you are ready to install Caché.
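
The smoke test described above, as an added example rather than anything from the original page or from InterSystems: it adds a test user principal and the Caché service principal with kadmin.local, obtains a TGT with kinit, lists it with klist, and then checks the listing programmatically instead of by eye. It is written for an MIT Kerberos KDC; the realm EXAMPLE.COM, the principal names, the keytab path /tmp/cache.keytab and the password are placeholders.

```sh
#!/bin/sh
# Added example, not InterSystems' code: the KDC smoke test the text describes
# (add a principal, get a TGT, list it), written for an MIT Kerberos KDC, plus
# a parser that confirms the listed TGT is the one expected. Realm, principal
# names, keytab path and the test password are placeholders.

REALM=${REALM:-EXAMPLE.COM}

# Print the "Default principal" from klist output given on stdin.
default_principal() {
    awk -F': ' '/^Default principal:/ { print $2 }'
}

# Return 0 if the klist output on stdin contains a TGT for realm $1, that is,
# a ticket for the service principal krbtgt/REALM@REALM.
has_tgt_for_realm() {
    grep -q "krbtgt/$1@$1\$"
}

# Return 0 only if the klist output on stdin belongs to principal $1 and holds
# a TGT for that principal's realm (the part after "@"). A service ticket
# alone, or a cache for a different principal, does not pass.
verify_tgt() {
    expected=$1
    out=$(cat)
    [ "$(printf '%s\n' "$out" | default_principal)" = "$expected" ] &&
        printf '%s\n' "$out" | has_tgt_for_realm "${expected#*@}"
}

# The end-to-end test, run on the KDC host as a user allowed to use
# kadmin.local (it edits the database directly, so no ticket is needed).
run_kdc_smoke_test() {
    user="cachetest@$REALM"
    host=$(hostname -f)
    # 1. Register a throwaway user principal and the Caché service principal;
    #    -randkey gives the service a random key that only the keytab will
    #    hold, so it is never typed anywhere.
    kadmin.local -q "addprinc -pw Test-Pass-1 $user"
    kadmin.local -q "addprinc -randkey cache/$host@$REALM"
    kadmin.local -q "ktadd -k /tmp/cache.keytab cache/$host@$REALM"
    # 2. Obtain a TGT for the test user (password on stdin), list it, and
    #    check that the listing really shows a TGT for that user.
    printf 'Test-Pass-1\n' | kinit "$user"
    if klist | verify_tgt "$user"; then
        echo "KDC test passed: TGT issued for $user"
    else
        echo "KDC test FAILED for $user" >&2
        return 1
    fi
    kdestroy
    # Remove the throwaway user; keep the service principal and keytab for
    # the Caché installation.
    kadmin.local -q "delprinc -force $user"
}

# Only run the live test when invoked as: sh kdc_test.sh run
if [ "${1:-}" = run ]; then
    run_kdc_smoke_test
fi
```

The service principal is created with a random key and exported straight to a keytab, which is the form the Caché server needs; the keytab then has to be moved into place with the ownership and mode given in the key file section above. The helper functions can also be used on their own against the output of klist on any client to confirm that a user really holds a TGT, not just a cached service ticket.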

Initial Caché Security Settings

During installation, there is a prompt for one of three sets of initial security settings: Minimal, Normal, and Locked Down. This selection determines the initial authorization configuration settings for Caché services and security, as shown in the following sections:

If you select Normal or Locked Down for your initial security setting, you must provide additional account information to the installation procedure. If you are using Kerberos authentication, you must select Normal or Locked Down mode. See the Configuring User Accounts section for details.

Important:

If you are concerned about the visibility of data in memory images (often known as core dumps), see the section “Protecting Sensitive Data in Memory Images” in the “System Management and Security” chapter of the Caché Security Administration Guide.

Initial User Security Settings

The following tables show the user password requirements and settings for predefined users based on which security level you choose.

Initial User Security Settings

Security Setting               Minimal    Normal     Locked Down
Password Pattern               3.32ANP    3.32ANP    8.32ANP
Inactive Limit                 0          90 days    90 days
Enable _SYSTEM User            Yes        Yes        No
Roles assigned to UnknownUser  %All       None       None

You can maintain both the password pattern and inactive limit values from the System-wide Security Parameters page (System > Security Management > System Security Settings > System-wide Security Parameters). See the System-wide Security Parameters section of the “System Management and Security” chapter of the Caché Security Administration Guide for more information.

After installation, you can view and maintain the user settings at the Users page (System > Security Management > Users).

Password Pattern

When Caché is installed, it has a default set of password requirements. For locked-down installations, the initial requirement is that a password be from 8 to 32 characters, and can consist of alphanumeric characters or punctuation; the abbreviation for this is 8.32ANP. Otherwise, the initial requirement is that the password be from 3 to 32 characters, and can consist of alphanumeric characters or punctuation (3.32ANP).
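
A checker for the password pattern notation explained above, as an added example; it is not Caché's own password validation code. It treats the letters as the permitted character classes (A alphabetic, N numeric, P punctuation), following the description in the text, and assumes every pattern has the form min.maxCLASSES as the two patterns above do.

```sh
#!/bin/sh
# Added example, not InterSystems' code: check a password against the
# pattern notation used in the text, e.g. 8.32ANP = 8 to 32 characters drawn
# from A (alphabetic), N (numeric) and P (punctuation). The letters are read
# as the permitted classes, per the text, not as classes that must each
# appear. Assumes the min.maxCLASSES form of the two patterns shown.

# $1 = pattern such as 3.32ANP, $2 = candidate password.
# Returns 0 if the password satisfies the pattern, 1 otherwise.
check_password_pattern() {
    pat=$1; pw=$2
    min=${pat%%.*}                                   # digits before "."
    rest=${pat#*.}                                   # e.g. 32ANP
    max=$(printf '%s' "$rest" | sed 's/[^0-9].*$//') # leading digits
    classes=$(printf '%s' "$rest" | sed 's/^[0-9]*//') # the class letters
    len=${#pw}
    [ "$len" -ge "$min" ] && [ "$len" -le "$max" ] || return 1
    # Build a bracket expression of the permitted characters.
    allowed=''
    case $classes in *A*) allowed="${allowed}A-Za-z" ;; esac
    case $classes in *N*) allowed="${allowed}0-9" ;; esac
    case $classes in *P*) allowed="${allowed}[:punct:]" ;; esac
    [ -n "$allowed" ] || return 1
    # Any character outside the permitted set (a space, for instance) fails.
    if printf '%s\n' "$pw" | grep -q "[^$allowed]"; then
        return 1
    fi
    return 0
}

# Typical use before handing a password to the installer:
#   check_password_pattern 8.32ANP "$candidate" || echo "does not meet 8.32ANP"
```

The length check runs on character count, so a multibyte character counts once, while the class check rejects it because it is neither ASCII alphanumeric nor ASCII punctuation in the C locale; that matches the conservative reading of "alphanumeric characters or punctuation" in the text.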

Inactive Limit

This value is the number of days an account can be inactive before it is disabled. For minimal installations, the limit is set to 0 indicating that accounts are not disabled, no matter how long they are inactive. Normal and locked-down installations have the default limit of 90 days.

Enable _SYSTEM User

In versions of Caché prior to 5.1, all installed systems included an SQL System Manager user named _SYSTEM with a password of SYS. This Caché version creates the following predefined users, each with the password you provide during installation: _SYSTEM, Admin, SuperUser, CSPSystem, and the instance owner (the installing user on Windows and the username specified to the installer on other platforms). Whether _SYSTEM is enabled after installation depends on the security level, as shown in the table above.

For more details on these predefined users, see the Predefined User Accounts section of the “Users” chapter of the Caché Security Administration Guide.

Roles Assigned to UnknownUser

When an unauthenticated user connects, Caché assigns a special name, UnknownUser, to $USERNAME and assigns the roles defined for that user to $ROLES. The UnknownUser is assigned the %All role with a Minimal-security installation; UnknownUser has no roles when choosing a security level other than Minimal.

For more details on the use of $USERNAME and $ROLES, see the “Users” and “Roles” chapters of the Caché Security Administration Guide.

Initial Service Properties

Services are the primary means by which users and computers connect to Caché. For detailed information about the Caché services see the “Services” chapter of the Caché Security Administration Guide.

Initial Service Properties

Service Property           Minimal    Normal    Locked Down
Use Permission is Public   Yes        Yes       No
Requires Authentication    No         Yes       Yes
Enabled Services           Most       Some      Fewest

Use Permission is Public

If the Use permission on a service resource is Public, any user can employ the service; otherwise, only privileged users can employ the service.

Requires Authentication

For installations with initial settings of locked down or normal, all services require authentication of some kind (Caché login, operating-system–based, or Kerberos). Otherwise, unauthenticated connections are permitted.

Enabled Services

The initial security settings of an installation determine which of certain services are enabled or disabled when Caché first starts. The following table shows these initial settings:

Initial Enabled Settings for Services

Service                  Minimal     Normal      Locked Down
%Service_Bindings        Enabled     Enabled     Disabled
%Service_CSP             Enabled     Enabled     Enabled
%Service_CacheDirect     Enabled     Disabled    Disabled
%Service_CallIn          Enabled     Disabled    Disabled
%Service_ComPort         Disabled    Disabled    Disabled
%Service_Console*        Enabled     Enabled     Enabled
%Service_ECP             Disabled    Disabled    Disabled
%Service_MSMActivate     Disabled    Disabled    Disabled
%Service_Monitor         Disabled    Disabled    Disabled
%Service_Shadow          Disabled    Disabled    Disabled
%Service_Telnet*         Disabled    Disabled    Disabled
%Service_Terminal†       Enabled     Enabled     Enabled
%Service_WebLink         Disabled    Disabled    Disabled

* Service exists on Windows servers only

† Service exists on non-Windows servers only

After installation, you can view and maintain these services at the Services page (System > Security Management > Services).

Configuring User Accounts

If you select Normal or Locked Down for your initial security setting, you must provide additional information to the installation procedure:

  1. User Credentials for Windows server installations only — Choose an existing Windows user account under which to run the Caché service. You can choose the default system account, which runs Caché as the Windows Local System account, or enter a defined Windows user account.

    Important:

    If you are using Kerberos, you must enter a defined account that you have set up to run the Caché service. InterSystems recommends you use a separate account specifically set up for this purpose as described in the Creating Service Accounts on a Windows Domain Controller for Windows Caché Servers section.

    If you enter a defined user account, the installation verifies the following:

    • The account exists on the domain.

    • You have supplied the correct password.

    • The account has local administrative privileges on the server machine.

  2. Caché Users Configuration for Windows installations — The installation creates a Caché account with the %All role for the user that is installing Caché to grant that user access to services necessary to administer Caché.

    Owner of the instance for non-Windows installations — Enter a username under which to run Caché. Caché creates an account for this user with the %All role.

    Enter and confirm the password for this account. The password must meet the criteria described in the Initial User Security Settings table.

    Setup creates the following Caché accounts for you: _SYSTEM, Admin, SuperUser, CSPSystem, and the instance owner (installing user on Windows or specified user on other platforms), using the password you provide.

Important:

If you select Minimal for your initial security setting on a Windows installation, but Caché requires network access to shared drives and printers, you must manually change the Windows user account under which to run the Caché service. Choose an existing or create a new account that has local administrative privileges on the server machine.

The instructions in the platform-specific chapters of this book provide details about installing Caché. After reading the Caché Security Administration Guide introduction and following the procedures in this section, you are prepared to provide the pertinent security information to these installation procedures.
