%SYSTEM.Security.Users
abstract class %SYSTEM.Security.Users
Method Inventory
- GetTelnetSSLSetting()
- ImpersonateUser()
- LogoffUser()
- LogonUser()
- RevertToSelf()
- SSLGetCipher()
- SSLGetCipherList()
- SSLGetLastError()
- SSLGetPeerCertificate()
- SSLGetPeerName()
- SSLGetProtocol()
- SSLGetSession()
- SSLPeekClientHello()
- SetTelnetSSLSetting()
Methods
classmethod GetTelnetSSLSetting() as %Integer
Fetch Windows Telnet service SSL security setting. Only applicable to instances on Windows platform. See also the SetTelnetSSLSetting method.
- Return value = 0: Disabled
- Return value = 1: Enabled
- Return value = 2: Required
classmethod ImpersonateUser() as %Integer
Impersonates the user logged on by the LogonUser() method by calling the Windows ImpersonateLoggedOnUser() API with the security token saved by LogonUser().
ImpersonateUser() and RevertToSelf do not affect the user context contained in $USERNAME.
Returns 0 on success, -1 if no security token has been saved, or the value returned by GetLastError() on failure.
classmethod LogoffUser() as %Integer
Closes the handle to the security token previously created by LogonUser() after reverting the process user context to the original user context.
Return value is 0.
Calls the Windows LogonUser() API and saves the security token for the current process.
The user context is unaffected until the ImpersonateUser() method is called.
Return value is 0 on success or the error value retrieved from GetLastError() on failure.
This method is only available on Windows platforms. It cannot be called from a local InterSystems IRIS Terminal process which displays TRM:pid (InstanceName) in the title bar because this process is already impersonating the logged in Windows user. An attempt to call LogonUser() from a local terminal process will result in a error.
This method is only available on Windows platforms. It cannot be called from a local InterSystems IRIS Terminal process which displays TRM:pid (InstanceName) in the title bar because this process is already impersonating the logged in Windows user. An attempt to call LogonUser() from a local terminal process will result in a
classmethod RevertToSelf() as %Integer
Reverts the process user context to the original logon context.
Returns 0.
classmethod SSLGetCipher() as %String
Returns the name of the SSL/TLS ciphersuite currently in use over the current device,
if an SSL/TLS connection is currently established.
classmethod SSLGetCipherList(Direction As %Integer, TLSMinVersion As %Integer, TLSMaxVersion As %Integer, CipherList As %String) as %String
Returns a colon-delimited list of the names of all supported ciphersuites for TLSv1.2 and below
that are consistent with the input parameters.
Parameters:
Direction:
0 = client
1 = server
TLSMinVersion:
4 = TLSv1.0
8 = TLSv1.1
16 = TLSv1.2
TLSMaxVersion:
4 = TLSv1.0
8 = TLSv1.1
16 = TLSv1.2
Note: TLSMaxVersion cannot be less than TLSMinVersion
CipherList, a colon-delimited string constraining the return values, as specified in the OpenSSL Cipher man page
Parameters:
Direction:
0 = client
1 = server
TLSMinVersion:
4 = TLSv1.0
8 = TLSv1.1
16 = TLSv1.2
TLSMaxVersion:
4 = TLSv1.0
8 = TLSv1.1
16 = TLSv1.2
Note: TLSMaxVersion cannot be less than TLSMinVersion
CipherList, a colon-delimited string constraining the return values, as specified in the OpenSSL Cipher man page
classmethod SSLGetLastError() as %String
Returns a description of the SSL/TLS error encountered, if any, during the most recent SSL/TLS
operation over the current device.
classmethod SSLGetPeerCertificate() as %String
Returns the X.509 certificate used
to verify the peer for the SSL/TLS session running over the current
principal TCP device, in binary DER format. The certificate can be used as
input to $System.Encryption.X509GetField() and the RSA* functions.
To save the certificate to a file in PEM format:
Do file.Write("-----BEGIN CERTIFICATE-----"_$c(13,10))
Do file.Write($System.Encryption.Base64Encode(certificate))
Do file.Write($c(13,10)_"-----END CERTIFICATE-----"_$c(13,10))
Do file.Write("-----BEGIN CERTIFICATE-----"_$c(13,10))
Do file.Write($System.Encryption.Base64Encode(certificate))
Do file.Write($c(13,10)_"-----END CERTIFICATE-----"_$c(13,10))
Returns a string representation of the X.500 distinguished name contained in the X.509 certificate used
to verify the peer for the SSL/TLS session running over the
current device. Called with no arguments it returns the entire
name on one line. Called with an optional argument specifying a component
name entry it retuns just that entry, if present. Legal values for the
entry argument, and their legal short abreviations, are:
"commonName","CN"
"countryName","C"
"localityName","L"
"stateOrProvinceName","ST"
"organizationName","O"
"organizationalUnitName","OU"
"givenName","G"
"surname","S"
"initials","I"
"uniqueIdentifier","UID"
"serialNumber","SN"
"title","T"
"description","D"
Also supports the IA5 string components of the X.509 v3 subjectAltName extension. Additional legal values for the entry argument are:
"email"
"DNS"
"URI"
"commonName","CN"
"countryName","C"
"localityName","L"
"stateOrProvinceName","ST"
"organizationName","O"
"organizationalUnitName","OU"
"givenName","G"
"surname","S"
"initials","I"
"uniqueIdentifier","UID"
"serialNumber","SN"
"title","T"
"description","D"
Also supports the IA5 string components of the X.509 v3 subjectAltName extension. Additional legal values for the entry argument are:
"email"
"DNS"
"URI"
classmethod SSLGetProtocol() as %String
Returns the name of the protocol currently in use over the current device,
if an SSL/TLS connection is currently established.
classmethod SSLGetSession() as %String
Returns the SSL session parameters used
for the SSL/TLS session running over the current
principal TCP device, in binary DER format.
To save the session to a file in PEM format:
Do file.Write("-----BEGIN SSL SESSION PARAMETERS-----"_$c(13,10))
Do file.Write($System.Encryption.Base64Encode(session))
Do file.Write($c(13,10)_"-----END SSL SESSION PARAMETERS-----"_$c(13,10))
Do file.Write("-----BEGIN SSL SESSION PARAMETERS-----"_$c(13,10))
Do file.Write($System.Encryption.Base64Encode(session))
Do file.Write($c(13,10)_"-----END SSL SESSION PARAMETERS-----"_$c(13,10))
If the current device is a TCP device, peek into the TCP receive buffer.
Returns 1 if it contains an SSLv3 or TLSv1 Client Hello message, or an SSLv2 Client Hello message requesting SSLv3 or later. Otherwise returns 0. Parameter:
Timeout, time to wait for data, in seconds
Returns 1 if it contains an SSLv3 or TLSv1 Client Hello message, or an SSLv2 Client Hello message requesting SSLv3 or later. Otherwise returns 0. Parameter:
Timeout, time to wait for data, in seconds
Set the SSL requirement (Disabled/Enabled/Required) for inbound connections on the %Service_Telnet service.
The default value is 1 (Enabled) if a %TELNET/SSL configuration exists is enabled.
The default value is 0 (Disabled) of no %TELNET/SSL configuration exists or is enabled.
This method can be called from SYSTEM^%ZSTART to establish the setting for an instance at startup.
This setting is only applicable on the Windows platform. Valid inputs are:
Returns previous setting.
- Setting = 0: Disabled
- Setting = 1: Enabled
- Setting = 2: Required
Returns previous setting.