=============================================================================
Run Date: JUL 29, 2020                         Designation: XU*8*694
Package : XU - KERNEL                             Priority: Mandatory
Version : 8        SEQ #572                         Status: Released
                                            Compliance Date: AUG 29, 2020
=============================================================================

Subject: SSOWAP/KAAJEE 2FA IMPLEMENTATION

Category:
  - Informational

Description:
============

This KAAJEE patch, XU*8.0*694, includes changes for enabling Two Factor
Authentication (2FA) and Technical Reference Model (TRM) Upgrades to WebLogic
(WL) Server 10.3.6 and 12c, Log4j 2.1, Java 1.7, Apache Commons 4.1, Commons
Codec 1.9, HttpClient 4.5.2, HttpCore 4.5.5, Commons Logging 1.2, and
Connector API 1.5. There are several changes for Fortify Scanning
Remediation. Fortify changes include: correcting Null Dereferencing, Security
Issues, Privacy Violation, and Extensible Markup Language (XML) External
Injection.

This is an informational only patch and is bundled with the Veterans Personal
Finance System (VPFS) patch, PRPF*4*4, Kernel Authentication & Authorization
for Java 2 Enterprise Edition (KAAJEE) patch XU*8.0*696, and the VistALink
patch XOBV*1.6*5.
Patch Components:
=================

Files & Fields Associated:

File Name (Number)         Field Name (Number)         New/Modified/Deleted
==================         ===================         ====================
N/A

Forms Associated:

Form Name                  File#                       New/Modified/Deleted
=========                  =====                       ====================
N/A

Mail Groups Associated:

Mail Group Name                                        New/Modified/Deleted
===============                                        ====================
N/A

Options Associated:

Option Name                Type                        New/Modified/Deleted
===========                ====                        ====================
N/A

Protocols Associated:

Protocol Name                                          New/Modified/Deleted
=============                                          ====================
N/A

Security Keys Associated:

Security Key Name
=================
N/A

Templates Associated:

Template Name    Type    File Name (Number)            New/Modified/Deleted
=============    ====    ==================            ====================
N/A

Additional Information:
N/A

New Service Requests (NSRs):
============================
N/A

Patient Safety Issues (PSIs):
=============================
N/A

Defect Tracking System Ticket(s) & Overview:
============================================

1. Rational Defect 755050 - TRM Upgrades

   Problem:
   ========
   After a review of the technologies used in Single Sign-On Web Application
   Plugin (SSOWAP), upgrades are required to the following components:
   Log4j, Web Logic Server, Apache Commons, Commons Codec, HttpClient,
   HttpCore, and Connector Application Programming Interface (API).

   Resolution:
   ===========
   Updated the .jar libraries of the new components mentioned above and
   implemented code changes to support the new libraries.

2. Rational Defect 755052 - Fortify Remediation

   Problem:
   ========
   After scanning the SSOWAP code base through Fortify Security, there were
   several problems listed as Critical and High priority. These issues
   included:

   Null Dereferencing - The program can potentially dereference a null
   pointer, thereby causing a null pointer exception.
   Privacy Violation - The mishandling of private information, such as
   customer passwords or social security numbers, can compromise user
   privacy and is often illegal.

   XML External Injection - Using XML parsers configured to neither prevent
   nor limit external entity resolution can expose the parser to an XML
   External Entities attack.

   System Information Leak - Revealing system data or debugging information
   helps an adversary learn about the system and form a plan of attack.

   Resolution:
   ===========
   Updated and resolved all code that was flagged as Critical and High
   Priority issues from the Fortify scan.

3. Rational Defect 755054 - 2-Factor Authentication

   Problem:
   ========
   In accordance with Veterans Affairs (VA) official directive, the
   Memorandum for Implementation of Federal Personal Identity Verification
   (PIV) Credentials for Federal Employee and Contractor Access to VA IT
   Systems (VAIQ# 7614373), all internal, web based VA applications are
   required to be two-factor authentication (2FA) compliant.

   Resolution:
   ===========
   SSOWAP passes information for further authentication via the Security
   Token Service (STS). SSOWAP authorizes the user by validating the
   provided information and obtaining the role-group mapping from the
   Veterans Information Systems and Technology Architecture (VistA) site.

   *Note: Assign the XUKAAJEE_SAMPLE security key to users testing with the
   KAAJEE sample application.

Test Sites:
===========
Edith Nourse Rogers Memorial Hospital (Bedford)
Northport VA Medical Center
Salem VA Medical Center

Software and Documentation Retrieval Instructions:
==================================================

This release includes software files.
They can be obtained at location: /srv/vista/patches/SOFTWARE

The software files can also be obtained by accessing the URL:
https://download.vista.domain.ext/index.html/SOFTWARE

File Title                    File Name                   Format
---------------------------------------------------------------------
kaajee-1.2.0.008              KAAJEE_1_2_0_008.ZIP        Binary

Documentation describing the new functionality is included in this release.

Documentation can be found on the VA Software Documentation Library at:
https://www.domain.ext/vdl/.

Documentation can also be obtained at
https://download.vista.domain.ext/index.html/SOFTWARE

Title                                                File Name
==========================================================================
Deployment Guide 1.2 (WebLogic 10.3.6 and higher)    KAAJEE_1_2_DEPLOYGUIDE.PDF
Installation Guide 1.2 (WebLogic 10.3.6 and higher)  KAAJEE_1_2_INSTALLGUIDE.PDF
Release Notes 1.2 (WebLogic 10.3.6 and higher)       KAAJEE_1_2_RELEASENOTES.PDF

Patch Installation:
===================
No installation is required at local sites. Martinsburg performs the patch
installation on a centralized web server.

Pre/Post Installation Overview:
===============================
N/A

Pre-Installation Instructions:
==============================
N/A

Installation Instructions:
==========================

******************************************************************
**   PLEASE NOTE: THERE IS NO INSTALLATION FOR THIS PATCH.      **
******************************************************************

This informational patch, XU*8.0*694, is for KAAJEE SSOWAP only.
Installation is done by Martinsburg on a centralized server.

Post-Installation Instructions:
===============================
N/A

Back-Out Plan:
==============
A back-out plan will be sent to Martinsburg and attached to the installation
change order (CO), found in the Installation Guide 1.2 (WebLogic 10.3.6 and
higher).

Routine Information:
====================
No routines included.
=============================================================================
User Information:
Entered By  :                                  Date Entered  : MAY 22, 2018
Completed By:                                  Date Completed: JUL 28, 2020
Released By :                                  Date Released : JUL 29, 2020
=============================================================================

Packman Mail Message:
=====================
No routines included