============================================================================= Run Date: APR 07, 2025 Designation: MAG*3*354 Package : MAG - IMAGING Priority: Mandatory Version : 3 SEQ #263 Status: Released Compliance Date: MAY 08, 2025 ============================================================================= Associated patches: (v)MAG*3*357 <<= must be installed BEFORE `MAG*3*354' Subject: VISTA IMAGING-HYBRID DICOM IMAGE GATEWAY (HDIG) DEFECTS & MAINTENANCE Category: - Routine - Other Description: ============ MAG*3.0*354 provides fixes to Hybrid DICOM Image Gateway (HDIG). This patch addresses the following defects: Defect(s): ========== 1. INC25431541, INC25580083, INC26249889, INC28612987, INC30413435, INC30589391, INC30768051, INC30807505, INC31008193, INC31638746, INC33103130, INC27365961, INC34165410 - VISTAIS-1352 - Radiation Dose Structured Report (SR) extraction for Radiology Package Issues 2. INC16816504 - VISTAIS-2727 - Update the SSL certificate for https. 3. INC25235455 - VISTAIS-3057 - Addressing NESSUS vulnerability - Sun ONE Application Server Upper Case Request JSP Source Disclosure discovered on VistA Imaging devices. 4. INC27199244, INC31894240, INC31099575, INC28687536, INC31115084 - VISTAIS-117 - Importer III issue. HDIG is not working due to JPEG 2000 issues. 5. INC24981861 - VISTAIS-162 - Event log errors after performing P324 HDIG Install Adaptive Maintenance: ===================== 1. VISTAIS-3058 - HDIG Apache Tomcat upgrade to 9.0.86 2. VISTAIS-3059 - HDIG Java upgrade to 8u401 3. VISTAIS-3055 - Addressing TLS 1.0/1.1 vulnerabilities in HDIG and implement TLS 1.2 4. VISTAIS-3129 - Update Listen file to enable most SOP Classes Patch Components: ----------------- Files & Fields Associated: File Name (Number) Field Name (Number) New/Modified/Deleted ------------------ ------------------- -------------------- N/A Forms Associated: Form Name File Number New/Modified/Deleted --------- ----------- -------------------- N/A Mail Groups Associated: Mail Group Name New/Modified/Deleted --------------- -------------------- N/A Options Associated: Option Name Type New/Modified/Deleted ----------- ---- -------------------- N/A Protocols Associated: Protocol Name New/Modified/Deleted ------------- -------------------- N/A Security Keys Associated: Security Key Name ----------------- N/A Templates Associated: Template Name Type File Name (Number) New/Modified/Deleted ------------- ---- ------------------ -------------------- N/A Remote Procedures Associated: Remote Procedure Name New/Modified/Deleted --------------------- -------------------- N/A Parameter Definitions Associated: Parameter Name New/Modified/Deleted -------------- -------------------- N/A Additional Information: ----------------------- Blood Bank Team Coordination: N/A New Service Requests (NSRs): N/A Patient Safety Issues (PSIs): N/A Defect Tracking System Ticket(s) & Overview: -------------------------------------------- 1. INC25431541, INC25580083, INC26249889, INC28612987, INC30413435, INC30589391, INC30768051, INC30807505, INC31008193, INC31638746, INC33103130, INC27365961, INC34165410 - VISTAIS-1352 - Radiation Dose SR extraction for Radiology Package issues Problem: -------- HDIG is throwing a NullPointerException (NPE) during a Radiation Dose SR extraction for Radiology package and thus fails to ingest some Radiation Dose SR (SOP Class UID: 1.2.840.10008.5.1.4.1.1.88.67). Resolution: ----------- HDIG is handling the following conditions when parsing the DICOM Header for radiation dose information, so that an NPE is not thrown: * A radiation dose sequence does not exist * A sequence exists but the value is not a number * A sequence exists but contains no value 2. INC16816504 - VISTAIS-2727 - Update the SSL certificate for https. Problem: -------- Https for HDIG stats page is not encrypted. Resolution: ----------- Updated the SSL certificate for https so that Https encryption works. 3. INC25235455 - VISTAIS-3057 - Addressing NESSUS vulnerability - Sun ONE Application Server Upper Case Request JSP Source Disclosure discovered on VistA Imaging devices. Problem: -------- Tomcat manager was not working in the index page and displaying the source code. Resolution: ----------- Updated the index page logic to display the correct contents of the page. 4. INC27199244, INC31894240, INC31099575, INC28687536, INC31115084 VISTAIS-117 - Importer III issue. HDIG is not working due to JPEG 2000 issues. Problem: -------- After updating the Laurel Bridge version from 3.3.41 to 3.3.68C in HDIG patch P345, Images with JPEG 2000 transfer syntax imported to VistA through Importer were failing. Resolution: ----------- In Laurel Bridge DCF-3.3.68c a new plugin for Jasper JPEG codec was introduced and DCF-3.3.68c also introduced new settings related to both JPEG 2000 Lossy and JPEG 2000 Lossless. Updates were made to the Listen file with the new settings. NOTE: 1) Due to update of Listen file, need to pay special attention to Pre/Post Installation Overview about the Listen file and not overwrite it with your backup. 2) During the IOC testing of importing of JPEG 2000 images, identified an issue when the patient has 12 or more images in a single import, the HDIG application is not able to send all the images to the storage due to runtime error. This issue is resolved by removing the hardcoded values and released a T2 version of the application. 3) During the P354 T2 Richmond IOC testing an issue was identified. During the conversion of JPEG 2000 file, the application first deletes the original file while keeping the original name of the file and then renames the converted JPEG 2000 file to the original name. Due to network file share issue, the application was not able to rename the JPEG 2000 converted file to the original name. During the retry attempts to convert the JPEG 2000 file (HDIG attempts 5 times), the application looks for the original file, which is no longer available, leading to the issue. In T3 version of the application, this issue is resolved by making a copy of the original file before deleting it. If network file share issue occurs while renaming the converted JPEG 2000 file, the application uses the copy of the original file as a replacement. The resolution tested in T3 and T4 versions identified more changes with logging necessary. A T5 version was created with enhanced logging to correct this. 5. INC24981861 - VISTAIS-162 - Event log errors after performing P324 HDIG Install Problem: -------- During the HDIG installation process, when the 'apachetomcat' user accesses the C:\ drive, the Event Viewer logs a violation error. Resolution: ----------- Updated HDIG installer code to give access to the sub folders instead of the root directory. Adaptive Maintenance: -------------------------------------------- 1. VISTAIS-3058 - HDIG Apache Tomcat upgrade to 9.0.86 Problem: -------- TRM Compliance for Apache Tomcat. Resolution: ----------- During installation HDIG installer removes the 9.0.72 version of Apache Tomcat and installs 9.0.86 version. 2. VISTAIS-3059 - HDIG Java upgrade to 8u401 Problem: -------- TRM Compliance for Java. Resolution: ----------- During installation HDIG installer removes the 8u371 version of Java and installs 8u401. 3. VISTAIS-3055 - Addressing TLS 1.0/1.1 vulnerabilities in HDIG and implement TLS 1.2 Problem: -------- VA has implemented a requirement to disable the SSL v1.0, TLS v1.0, and TLS v1.1 protocols. Emergency patch MAG*3.0*364 addressed the issue with a Powershell Script, but the solution needed to be permanent part of the HDIG install. Resolution: ----------- The changes ensure disabling TLS 1.0/1.1 and enabling TLS v1.2 protocols in the registry and the server.xml file. 4. VISTAIS-3129 - Update Listen file to enable most SOP Classes Problem: -------- When the HDIG was introduced in MAG*3.0*34, any SOP Class processed by the HDIG needs to be enabled by uncommenting it in the Listen file and Apache Tomcat restarted on each server before the HDIG would recognize it. VistA Imaging has requested that all SOP Classes be uncommented in the Listen file to reduce the number of updates that need to be made. Resolution: ----------- Updated the Listen file to uncomment all SOP Classes except: Specific Enhanced SOP Classes (If these need to be enabled, Biomed needs to be aware that they are not viewable in Clinical Display.) 1.2.840.10008.5.1.4.1.1.12.1.1 - Enhanced XA Image Storage 1.2.840.10008.5.1.4.1.1.12.2.1 - Enhanced XRF Image Storage 1.2.840.10008.5.1.4.1.1.130 - Enhanced PET Image Storage 1.2.840.10008.5.1.4.1.1.2.1 - Enhanced CT Image Storage 1.2.840.10008.5.1.4.1.1.4.1 - Enhanced MR Image Storage 1.2.840.10008.5.1.4.1.1.4.3 - Enhanced MR Color Image Storage 1.2.840.10008.5.1.4.1.1.6.2 - Enhanced US Volume Storage Retired SOP Classes 1.2.840.10008.5.1.4.1.1.10 - Standalone Modality LUT Storage 1.2.840.10008.5.1.4.1.1.12.3 - X-Ray Angiographic Bi-Plane Image Storage 1.2.840.10008.5.1.4.1.1.8 - Standalone Overlay Storage 1.2.840.10008.5.1.4.1.1.88.1 - Text SR Storage - Trial 1.2.840.10008.5.1.4.1.1.88.2 - Audio SR Storage - Trial 1.2.840.10008.5.1.4.1.1.88.3 - Detail SR Storage - Trial 1.2.840.10008.5.1.4.1.1.88.4 - Comprehensive SR Storage - Trial 1.2.840.10008.5.1.4.1.1.9.1 - Waveform Storage - Trial 1.2.840.10008.5.1.4.34.1 - RT Beams Delivery Instruction Storage This patch overwrites the site Listen file, potentially overwriting site customizations. For this reason, the installer is instructed to make a backup file and manually compare it with the new Listen file. If any of the excluded SOP Classes listed above need to be uncommented, enable as appropriate. Do NOT overwrite the Listen file with your backup. If any site customizations need to be added back in, manually add them to the new Listen file. Test Sites - SNOW Change Order #: --------------------------------- * Richmond VAMC (Richmond, VA) - CHG0552028 * Royal C. Johnson Veterans' Memorial Hospital (Sioux Falls, SD) - CHG0552053 * Palo Alto VAMC (Palo Alto, CA) - CHG0552229 Software and Documentation Retrieval Instructions: -------------------------------------------------- The software for this patch is being released using a host file. The host file is available at the following location: /srv/vista/patches/SOFTWARE/MAG3_0P354.KID Other Software Files: This release also includes other software files. Other software files can be obtained by accessing the URL: https://download.vista.domain.ext/index.html/SOFTWARE File Title File Name Format --------------------------------------------------------------------- Kernel Installation and MAG3_0P354.KID ASCII Distribution System (KIDS) build for Patch 354 Hybrid DICOM Gateway MAG3_0P354_HDIG_SETUP.MSI Binary Installation File Documentation describing the new functionality is included in this release. Documentation can be found on the VA Software Documentation Library at: https://www.domain.ext/vdl/. Documentation can also be obtained at https://download.vista.domain.ext/index.html/SOFTWARE Documentation Title Name File -------------------------------------------------------------------------- Patch Description for MAG*3.0*354 MAG3_0P354_PATCH_DESCRIPTION.PDF Deployment, Installation, Back-Out, MAG3_0P354_DIBRG.PDF and Rollback Guide Patch Installation: ------------------- Pre/Post Installation Overview: ------------------------------- MAG*3.0*354 must be installed on the VistA System and on 64-bit HDIG servers. This patch must be installed by the compliance date. All sites running VistA Imaging 3.0 must install the KIDS portion of this patch. This patch can be loaded while the VistA Imaging System is active, and users are on the system. Installing the MAG*3.0*354 KIDS takes 2-5 minutes. The HDIG install requires .NET version of 4.6.2 or later. Please refer to the Hybrid DICOM Image Gateway (HDIG) Installation Guide for detailed information on installing .NET framework. NOTES: 1. To avoid losing configuration changes, sites with a modified HDIG Listen file will need to save a copy of the file before installing this patch. After the installation is complete, compare the back up Listen file with the new Listen and update the new Listen file wherever is necessary and restart the Tomcat service. Do NOT overwrite the new Listen file with your backup. Modify the new Listen file with any needed site modifications. The location of Listen file is here: C:\DCF_RunTime_x64\cfg\apps\defaults. 2. To avoid losing configuration changes in the PeriodicCommandsConfiguration.config file, sites with a modified PeriodicCommandsConfiguration.config file will need to save a copy of the file before installing this patch. The location of the PeriodicCommandsConfiguration.config file is here: C:\VixConfig\DicomServerConfiguration.config 3. There is a known issue if there are multiple Java versions on the system for HDIG and hence not recommended. Please follow the steps below before installing MAG*3.0*354 (MAG3_0354_HDIG_Setup.msi) client. a. Stop all Legacy DICOM Gateway processing windows. b. Go to services and stop Apache Tomcat service. c. Go to Control Panel and uninstall the existing Java version 8u371 [Java 8 Update 371 (64-bit)] d. Go to Control Panel and uninstall the current HDIG Installation Wizard. e. Restart server manually. 4. Sites must update server bookmarks post installation to reflect https in the URL. Sites must start using https once installed. Supported Versions: -------------------------- When MAG*3.0*354 is released, the list of supported versions of HDIG will change: Versions Supported: ------------------- 3.0.357 3.0.345/3.0.364 3.0.314 Versions No Longer Supported: ----------------------------- 3.0.324 3.0.302 3.0.273 Pre-Installation Instructions: ------------------------------ This patch may be installed with users on the system although it is recommended that it be installed during non-peak hours to minimize potential disruption to users. This patch should take less than 5 minutes to install. KIDS Installation Instructions: ------------------------- 1. Use the Load a Distribution option contained on the Kernel Installation and Distribution System Menu to load the Host file. When prompted to "Enter a Host File:" enter /srv/vista/patches/SOFTWARE/MAG3_0P354.KID 2. From the Kernel Installation and Distribution System Menu, select the Installation Menu. From this menu, A. Select the Verify Checksums in Transport Global option to confirm the integrity of the routines that are in the transport global. When prompted for the INSTALL NAME enter the patch or build name. (ex. MAG*3.0*354) NOTE: Using will not bring up a Multi-Package build even if it was loaded immediately before this step. It will only bring up the last patch in the build. B. Select the Backup a Transport Global option to create a backup message. You must use this option and specify what to backup; the entire Build or just Routines. The backup message can be used to restore the routines and components of the build to the pre-patch condition. i. At the Installation option menu, select Backup a Transport Global ii. At the Select INSTALL NAME prompt, enter your build MAG*3.0*354. iii. When prompted for the following, enter "R" for Routines or "B" for Build. Select one of the following: B Build R Routines Enter response: Build iv. When prompted "Do you wish to secure this message? NO//", press and take the default response of "NO". v. When prompted with, "Send mail to: Last name, First Name", press to take default recipient. Add any additional recipients. vi. When prompted with "Select basket to send to: IN//", press and take the default IN mailbox or select a different mailbox. vii. Repeat step ii for each build in the host file. C. You may also elect to use the following options: i. Print Transport Global - This option will allow you to view the components of the KIDS build. ii. Compare Transport Global to Current System - This option will allow you to view all changes that will be made when this patch is installed. It compares all the components of this patch, such as routines, DDs, templates, etc. D. Select the Install Package(s) option and choose the patch to install. i. If prompted 'Want KIDS to Rebuild Menu Trees Upon Completion of Install? NO//', answer . ii. When prompted 'Want KIDS to INHIBIT LOGONs during the install? NO//', answer . iii. When prompted 'Want to DISABLE Scheduled Options, Menu Options, and Protocols? NO//', answer . Installing and Updating the HDIG: --------------------------------- For installing or updating the HDIG, refer to the Hybrid DICOM Image Gateway (HDIG) Installation Guide. Post-Installation Instructions: ------------------------------- N/A - Routine MAGIP354 is a post-installation routine that is automatically deleted after the KIDS installation. Back-Out/Roll Back Plan: ------------------------ Please refer to the Deployment, Implementation, Back-Out and Rollback Guide (MAG3_0P354_DIBRG.PDF) for instructions. Uninstalling the Application: ----------------------------- For uninstalling the HDIG and instructions on reinstalling the patch (MAG*3.0*345), refer to the Hybrid DICOM Image Gateway (HDIG) Installation Guide, then apply the emergency patch MAG*3.0*364 and MAG*3.0*357. KIDS Uninstall: --------------- If it is necessary to uninstall the MAG*3.0*354 VistA KIDS, the patch backup must be installed. The Kernel Installation & Distribution System menu option, Backup a Transport Global should have been used to create a patch backup of the build prior to installing the patch. (see Installation Steps section, step 2b). Administrators will need to check MailMan for the backup message sent by the Backup a Transport Global function executed prior to the patch install. The patch backup must first be loaded from the MailMan backup message, by performing the message action Xtract KIDS, followed by the PackMan function INSTALL/CHECK MESSAGE. The patch may then be installed using the Install Package(s) option in the KIDS Installation menu. 1. Navigate to the Mailman inbox containing the patch backup message. a. Select the MAG*3.0*354 backup message as shown below: * Backup of MAG*3.0*354 install on b. At the "Enter message action:" prompt, select the Xtract PackMan option. c. At the "Select PackMan function:" prompt, select the Install/Check Message option. d. Enter Yes at the prompt "OK to continue with Load?" 2. Navigate to the Kernel Installation and Distribution System Menu and select the Installation Menu. From this menu: a. Select the Install Package(s) option and choose the patch to install. At the "Select INSTALL NAME:" prompt, enter MAG*3.0*354b i. If prompted 'Want KIDS to Rebuild Menu Trees Upon Completion of Install? NO//', answer NO. ii. When prompted 'Want KIDS to INHIBIT LOGONs during the install? NO//', answer NO. Example, Loading Patch Backup (Build) -------------------------------------------- IN Basket, 1504 messages (1-1847), 427 new *=New/!=Priority.......Subject................Lines.From.......Read/Rcvd 41. [558486] 02/19/23 Backup of MAG*3.0*354 on 4803 Enter message number or command: 41 Subj: Backup of MAG*3.0*354 on Feb 19, 2023 [#558486] 02/19/23@12:33 4803 lines From: MANAGER,SYSTEMS In 'IN' basket. Page 1 -------------------------------------------------------------------------- $TXT Created by PROGRAMMER,MAG at CHY0128.FO-BAYPINES.DOMAIN.EXT (KIDS) on Sunday, 02/19/23 at 12:33 Warning: Installing this backup patch message will install older versions of routines and Build Components (options, protocols, templates, etc.). Please verify with the Development Team that it is safe to install. Type to continue or '^' to exit: ^ Enter message action (in IN basket): Ignore// Xtract KIDS Select PackMan function: 6 INSTALL/CHECK MESSAGE Line 8 Message #558486 Unloading KIDS Distribution MAG*3.0*354b OK to continue with Load? NO// YES Distribution OK! Want to Continue with Load? YES// Loading Distribution... MAG*3.0*354b Example, Installing Patch Backup (Build) ----------------------------------------------- Select OPTION NAME: XPD MAIN Kernel Installation & Distribution System Select Kernel Installation & Distribution System Option: Installation' Select Installation Option: Install Package(s) Select INSTALL NAME: MAG*3.0*354b This Distribution was loaded on Feb 19, 2023@11:54:20 with header of Backup of MAG*3.0*354 on Feb 19, 2023 It consisted of the following Install(s): MAG*3.0*354b Checking Install for Package MAG*3.0*354b Install Questions for MAG*3.0*354b Want KIDS to Rebuild Menu Trees Upon Completion of Install? NO// Want KIDS to INHIBIT LOGONs during the install? NO// Want to DISABLE Scheduled Options, Menu Options, and Protocols? NO// Enter the Device you want to print the Install messages. You can queue the install by enter a 'Q' at the device prompt. Enter a '^' to abort the install. DEVICE: HOME// Linux Telnet /SSH MAG*3.0*354b -------------------------------------------------------------------------- Build Distribution Date: Feb 19, 2023 Installing Routines: Feb 19, 2023@11:54:36 Installing PACKAGE COMPONENTS: Installing OPTION Feb 19, 2023@11:54:36 Routine Information: ==================== The second line of each of these routines now looks like: ;;3.0;IMAGING;**[Patch List]**;Mar 19, 2002;Build 2 The checksums below are new checksums, and can be checked with CHECK1^XTSUMBLD. Routine Name: MAGIP354 Before: n/a After: B4076423 **354** ============================================================================= User Information: Entered By : Date Entered : FEB 24, 2023 Completed By: Date Completed: APR 07, 2025 Released By : Date Released : APR 07, 2025 ============================================================================= Packman Mail Message: ===================== No routines included