
In document UNIVERSIDAD COMPLUTENSE DE MADRID (pages 68-200)

Services

There are various pathways for connecting to a Caché instance for users, applications, and even other Caché instances.

These pathways are managed by Caché services, which serve as gatekeepers for connecting to Caché. Because Caché services are the primary means by which users and computers connect to Caché, their management is an essential part of security administration.

Topics in this chapter are:

Available services

Service properties

Services and authentication

Services and their resources

7.1 Available Services

The Services page ([Home] > [Security Management] > [Services]) provides a list of services that Caché provides.

There are two groups of services:

Resource-based Services — These are services that provide user access to Caché. This kind of service needs the authentication and authorization infrastructure of Caché security, so it has an associated resource and uses the various available authentication mechanisms.

Basic Services — These are services that provide connections between a Caché server and a Caché application. These do not have associated resources, so they provide little more than the basic security functionality of being turned on or off. Enabling or disabling them controls all forms of access.

The following lists the available services, what each controls, and what kind of service it is:

%Service_Bindings — SQL or Objects; use of Studio [resource-based]

%Service_CSP — CSP application pages [resource-based]

%Service_CacheDirect — Cache Direct [resource-based]

%Service_CallIn — The CallIn interface [resource-based]

%Service_ComPort — COMM ports attached to a Windows system [resource-based]

%Service_Console — Caché Terminal from a Windows console (analogous to %Service_Terminal for Mac, UNIX®, and OpenVMS) [resource-based]

%Service_DataCheck — The DataCheck [basic]

%Service_ECP — Enterprise Cache Protocol (ECP) [basic]

%Service_Login — Use of $SYSTEM.Security.Login [resource-based]

%Service_MSMActivate — MSM Activate protocol [basic]

%Service_Mirror — Caché database mirroring [basic]

%Service_Monitor — SNMP and remote Monitor commands [basic]

%Service_Shadow — Access to this instance from shadow destinations [basic]

%Service_Telnet — Telnet sessions on a Windows server [resource-based]

%Service_Terminal — Caché Terminal from a Mac, UNIX®, and OpenVMS console (analogous to %Service_Console for Windows) [resource-based]

%Service_Weblink — WebLink [basic]

The table of services includes a column for each service property.
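The distinction above between resource-based and basic services (and the caution later in this chapter about terminal-style access) suggests a simple audit: for each service the guide lists, report whether it is enabled, which resource (if any) protects it, and the raw set of permitted authentication mechanisms. The following routine is an added example and is not part of the guide; it assumes that the Security.Services class in the %SYS namespace exposes a Get(Name, .Properties) class method returning a %Status, and that the returned array carries Enabled, Resource and AutheEnabled entries (AutheEnabled is a bitmask of allowed mechanisms and is printed unchanged here; interpret it with the definitions in your installation).

```objectscript
ServiceAudit ; Added example, not from the Caché Security Administration Guide.
 ; Run from a Terminal in the %SYS namespace:  do Report^ServiceAudit
 ; ASSUMPTION: ##class(Security.Services).Get(name,.props) returns a %Status and fills
 ; props("Enabled"), props("Resource") and props("AutheEnabled").
 quit
Report ; one line per service named in section 7.1
 new names,i,name,props,sc,res,flag
 ; Service names exactly as listed in the guide
 set names=$listbuild("%Service_Bindings","%Service_CSP","%Service_CacheDirect","%Service_CallIn","%Service_ComPort","%Service_Console","%Service_DataCheck","%Service_ECP","%Service_Login","%Service_MSMActivate","%Service_Mirror","%Service_Monitor","%Service_Shadow","%Service_Telnet","%Service_Terminal","%Service_Weblink")
 write !,"Service",?26,"Enabled",?36,"Resource",?60,"AutheEnabled",!
 for i=1:1:$listlength(names) {
   set name=$list(names,i)
   kill props
   set sc=##class(Security.Services).Get(name,.props)
   ; A service may be absent on a given platform (e.g. Windows-only services); say so and go on
   if $system.Status.IsError(sc) {
     write name,?26,"(not present: ",$system.Status.GetErrorText(sc),")",!
     continue
   }
   ; Basic services have no associated resource; resource-based ones report its name
   set res=$get(props("Resource"))
   if res="" set res="(none: basic service)"
   ; Console/terminal/telnet access is singled out by the guide as the most sensitive
   set flag=$select($$IsSensitive(name)&&+$get(props("Enabled")):"  <- terminal-style access, review",1:"")
   write name,?26,+$get(props("Enabled")),?36,res,?60,$get(props("AutheEnabled")),flag,!
 }
 quit
IsSensitive(name) ; sections 7.1.1.3 and 7.1.1.10 of the guide
 quit (",%Service_Console,%Service_Terminal,%Service_Telnet,"[(","_name_","))
```

Running the report before and after a configuration change gives a compact record of which gatekeepers are open; the flagged lines are the ones whose enabled state deserves a second look.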

7.1.1 Notes on Individual Services

7.1.1.1 %Service_Bindings

For the %Service_Bindings service, there are a pair of resources that manage access: the %Service_Object resource and the %Service_SQL resource. Once a user has authenticated, these two resources control whether data is accessible to the user as either objects or SQL respectively. (If a user has table-level SQL privileges on data, then Caché automatically grants an authenticated user the %Service_SQL:Use privilege for the duration of the connection.)

7.1.1.2 %Service_CacheDirect

This service authenticates connections to Caché through the Caché Direct server. The Caché Direct server is available on any supported platform; clients for this service can only be on Windows.

%Service_CacheDirect manages access for two types of client-side applications:

Client applications that use the Caché Direct client software. These have all authentication mechanisms available.

Client applications that use the legacy CacheObject.dll library. These have no security features available; for these legacy applications, the %Service_CacheDirect service must enable the Unauthenticated mechanism only.

Since legacy applications can only support unauthenticated access and both types of client applications use the same service, Kerberos authentication is not available for Caché Direct clients if Caché is configured to accept connections from a legacy application; similarly, if a Caché instance is configured to accept Kerberos-authenticated connections from Caché Direct clients, legacy clients cannot connect to it.

Note: CacheObject.dll is supported for legacy applications only. New development should use either the Caché Direct client or the CacheActiveX.dll and the %Service_Bindings service.

Caché Security Administration Guide: Services

7.1.1.3 %Service_Console and %Service_Terminal

These two services both provide console or terminal-style access to Caché. This functionality is analogous for both Windows and non-Windows systems; %Service_Console provides this functionality for Windows and %Service_Terminal provides this functionality for UNIX®, OpenVMS, and Mac.

CAUTION: Terminal or console access is one of the most sensitive aspects of Caché security. If an attacker gains access to Caché in one of these ways, it may be possible to read or destroy sensitive data.

7.1.1.4 %Service_CSP

This service manages connections that serve up CSP pages. Specifically, it manages connections between the CSP Gateway and the Caché server. If there is no unauthenticated access for the service and the CSP Gateway has no valid authentication information, then there is no access to the server via CSP. Hence, if you disable unauthenticated access through this service, then you must ensure that the CSP Gateway has the information it needs to authenticate to the Caché server. For Caché login (password) access, this is a valid username-password pair; for Kerberos access, this is a valid service principal name and key table location. To specify these values use the CSP Gateway Web Management interface; for a standard installation, the URL for this is http://localhost:57772/csp/bin/systems/module.cxw, where localhost represents 127.0.0.1 for IPv4 and ::1 for IPv6.

Because %Service_CSP regulates the use of the Portal and its subapplications, disabling %Service_CSP does not disable any system applications (/csp/broker, /csp/docbook, /csp/documatic, /csp/sys, /csp/sys/exp, /csp/sys/mgr, /csp/sys/op, /csp/sys/sec, /isc/studio/rules, and /isc/studio/templates). For more information on system applications, see the section System Applications in the “Applications” chapter.

Important: If you inadvertently lock yourself out of the Portal, you can use emergency access mode to reach the Portal and correct the problem; this is described in the section Emergency Access in the chapter “System Management and Security.”

7.1.1.5 %Service_DataCheck

This service regulates the use of the DataCheck utility, which provides a mechanism to compare the state of data on two systems. For more details, see the “Data Consistency on Multiple Systems” chapter of the Caché Data Integrity Guide, and, for security issues, particularly the section “Enabling the DataCheck Service.”

7.1.1.6 %Service_ECP

A resource does not govern the use of ECP. Rather, you either enable or disable the service (this makes ECP what is called a “basic service”). This means that all the instances in an ECP configuration need to be within the secured Caché perimeter.

See the “Specifying ECP Privileges and Roles” section of the “Configuring Distributed Systems” chapter of the Caché Distributed Data Management Guide for details on how privileges work within an ECP configuration.

7.1.1.7 %Service_Login

This service controls the ability to explicitly invoke the Login method of the %SYSTEM.Security class. Calls to this method are of the form:

Set Success = $SYSTEM.Security.Login(username, password)

where username is the user being logged in and password is that user’s password.
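Because the call only succeeds when %Service_Login is enabled, an application that uses it benefits from distinguishing a disabled service from a bad credential. The routine below is an added example, not from the guide: it assumes that the Security.Services class in %SYS exposes Get(Name, .Properties) with an Enabled entry, and it relies on the $USERNAME and $ROLES special variables to show the effect of a successful login.

```objectscript
AppLogin(username,password) ; Added example, not from the Caché Security Administration Guide.
 ; Returns 1 when $SYSTEM.Security.Login succeeds, 0 otherwise.
 ; ASSUMPTION: ##class(Security.Services).Get("%Service_Login",.props) fills props("Enabled");
 ; the Security package is only visible in the %SYS namespace, so switch there for the check.
 new sc,props,ok,$namespace
 set $namespace="%SYS"
 set sc=##class(Security.Services).Get("%Service_Login",.props)
 if $system.Status.IsOK(sc),'+$get(props("Enabled")) {
   write !,"%Service_Login is disabled on this instance; enable it on the Services page"
   quit 0
 }
 ; The call from section 7.1.1.7: Login(username, password) returns 1 on success
 set ok=$SYSTEM.Security.Login(username,password)
 if ok {
   write !,"Logged in as ",$USERNAME," with roles ",$ROLES
 } else {
   ; Report the user only; the password is never written to output or logs
   write !,"Login failed for ",username
 }
 quit ok
```

Invoke it as set ok=$$AppLogin^AppLogin(user,pwd) from the calling application; the username and password are supplied by the caller and are not stored by the routine.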


7.1.1.8 %Service_Mirror

This service regulates the use of the Caché database mirroring, which provides automatic failover between two systems.

For more details about mirroring generally, see the “Mirroring” chapter of the Caché High Availability Guide; for more details about security for mirroring (through the use of SSL/TLS), see the “Configuring Caché to Use SSL/TLS with Mirroring” section in the “Configuring Caché to Use SSL/TLS with Mirroring” chapter.

7.1.1.9 %Service_Shadow

This service regulates the use of a Caché instance as a shadow source. For more details, see “Configuring the Source Database Server” in the “Shadow Journaling” chapter of the Caché Data Integrity Guide.

7.1.1.10 %Service_Telnet

This service is only valid on a Windows Caché server and only accepts connections from a Windows client.

7.1.1.11 Legacy Services

Caché includes support for a number of legacy services. These are all basic services, and can simply be enabled or disabled.

They include %Service_MSMActivate and %Service_Weblink.
