$TXT Created by at KRNDEV.FO-OAKLAND.DOMAIN.EXT (KIDS) on Friday, 01/16/26 at 06:26
=============================================================================
Run Date: MAY 14, 2026                    Designation: XU*8*787
Package : XU - KERNEL                        Priority: Mandatory
Version : 8        SEQ #664                    Status: Released
                                      Compliance Date: JUN 14, 2026
=============================================================================

Subject: KERNEL ENHANCEMENT TO SUPPORT ENCRYPTED SOCKETS

Category:
  - Data Dictionary
  - Routine
  - Other
  - Enhancement (Mandatory)

Description:
============

Kernel enhancement to enable encrypted socket support for Broker Remote
Procedure Call (RPC) clients, including implementation of the 'XU START TLS'
Transport Layer Security (TLS) RPC command, which upgrades an existing
Transmission Control Protocol (TCP) socket to use TLS encryption. Because the
upgrade is applied to a socket that was opened in clear text, traffic
exchanged before the client invokes 'XU START TLS' and the TLS handshake
completes is not encrypted.

Kernel Patch XU*8.0*787 Changes:

  - Adds the field DEFAULT TLS SERVER CONFIG. (#667) to the file KERNEL
    SYSTEM PARAMETERS (#8989.3).

  - Adds the Remote Procedure 'XU START TLS' to the file REMOTE PROCEDURE
    (#8994). Its TAG^ROUTINE should be INITRPC^XUTLS.

  - Updates the form XUSITEPARM, used for the file KERNEL SYSTEM PARAMETERS
    (#8989.3), with the new field DEFAULT TLS SERVER CONFIG. (#667).

  - Enables selection of a TLS server configuration from a list retrieved
    from the IRIS 'Security.SSLConfigs' table, to be set as the DEFAULT TLS
    SERVER CONFIG.

  - Adds the routine XUKSPTLSF to aid in editing the field DEFAULT TLS
    SERVER CONFIG. (#667) on the form XUSITEPARM.

  - Adds the routine XUSUDO, which reads data from the IRIS table
    'Security.SSLConfigs'. This routine requires elevated privileges.

  - Adds the routine XUTLS, with extrinsic variables and functions to read
    the field DEFAULT TLS SERVER CONFIG. (#667) from the file KERNEL SYSTEM
    PARAMETERS (#8989.3) and initialize a server-side OPEN or USE command for
    TLS communication.
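The in-place socket upgrade described above, shown as an added example that is not part of this patch or of the RPC Broker code: a Go program in which a client connects over clear-text TCP, sends a line standing in for the 'XU START TLS' request, waits for the server's acknowledgement, and only then wraps the same socket in TLS. The line framing of the command, the "OK"/"ERR" replies, and the in-memory self-signed certificate that plays the role of the server-side configuration the post-install names "tls_encrypt_server" are assumptions made for the demonstration; the Broker's real wire format and the IRIS server configuration are not shown on this page. Running Demo with serverPatched=false exercises the failure mode a client must handle: the server refuses the upgrade and the client aborts instead of continuing in clear text.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Clear-text request sent before the upgrade. The Broker's real framing of
// 'XU START TLS' is not on the page; this line-oriented form is an assumption.
const startTLSCommand = "XU START TLS\n"

// selfSignedCert stands in for the IRIS server configuration the post-install
// sets ("tls_encrypt_server"): an in-memory certificate and a pool trusting it.
func selfSignedCert() (tls.Certificate, *x509.CertPool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// serve is the server side: read the clear-text command, acknowledge it, then
// wrap the same TCP socket in TLS. patched=false models a server without XU*8*787.
func serve(conn net.Conn, cert tls.Certificate, patched bool) {
	defer conn.Close()
	line, err := bufio.NewReader(conn).ReadString('\n')
	if err != nil || line != startTLSCommand || !patched {
		fmt.Fprint(conn, "ERR\n")
		return
	}
	fmt.Fprint(conn, "OK\n")
	tc := tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12})
	if msg, err := bufio.NewReader(tc).ReadString('\n'); err == nil { // first read runs the handshake
		fmt.Fprintf(tc, "ECHO %s", msg)
	}
}

// upgrade is the client side: it needs the server's acknowledgement before handing
// the socket to TLS, and verifies the server against the pinned pool.
func upgrade(addr string, pool *x509.CertPool, payload string) (string, error) {
	conn, err := net.Dial("tcp", addr)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	fmt.Fprint(conn, startTLSCommand)
	ack, err := bufio.NewReader(conn).ReadString('\n')
	if err != nil {
		return "", err
	}
	if ack != "OK\n" { // anti-downgrade: never fall back to clear text
		return "", fmt.Errorf("TLS upgrade refused, nothing sent: %q", ack)
	}
	tc := tls.Client(conn, &tls.Config{RootCAs: pool, ServerName: "127.0.0.1", MinVersion: tls.VersionTLS12})
	fmt.Fprint(tc, payload+"\n") // first write runs the handshake and certificate check
	return bufio.NewReader(tc).ReadString('\n')
}

// Demo runs both sides over loopback and returns the reply the client read over
// the encrypted channel; serverPatched=false exercises the refusal path.
func Demo(payload string, serverPatched bool) (string, error) {
	cert, pool := selfSignedCert()
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			serve(c, cert, serverPatched)
		}
	}()
	return upgrade(ln.Addr().String(), pool, payload)
}

func main() { fmt.Println(Demo("RPC payload over TLS", true)) }
```

Two design points carry over to any real client of this RPC: the client hands the socket to TLS only after the server has acknowledged the request, so a server that does not implement the upgrade is detected before any application data is sent, and the client verifies the server certificate against a pool it trusts rather than disabling verification, since an unverified TLS upgrade would still allow an on-path attacker to terminate the connection.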
EHRM Impact Statement:
----------------------
  - This patch should have no EHRM impact, and can be installed at all sites,
    including EHRM converted sites.

Patch Components:
-----------------

Files & Fields Associated:

File Name (Number)           Field Name (Number)           New/Modified/Deleted
------------------           -------------------           --------------------
KERNEL SYSTEM PARAMETERS     DEFAULT TLS SERVER CONFIG.    New
(8989.3)                     (667)

Forms Associated:

Form Name     File Number                           New/Modified/Deleted
---------     -----------                           --------------------
XUSITEPARM    KERNEL SYSTEM PARAMETERS (8989.3)     Modified

Mail Groups Associated:

Mail Group Name     New/Modified/Deleted
---------------     --------------------
N/A

Options Associated:

Option Name     Type     New/Modified/Deleted
-----------     ----     --------------------
N/A

Protocols Associated:

Protocol Name     New/Modified/Deleted
-------------     --------------------
N/A

Security Keys Associated:

Security Key Name
-----------------
N/A

Templates Associated:

Template Name     Type     File Name (Number)     New/Modified/Deleted
-------------     ----     ------------------     --------------------
N/A

Remote Procedures Associated:

Remote Procedure Name     New/Modified/Deleted
---------------------     --------------------
XU START TLS              New

Remote Applications Associated:

Remote Application Name     New/Modified/Deleted
-----------------------     --------------------
N/A

Parameter Definitions Associated:

Parameter Name     New/Modified/Deleted
--------------     --------------------
N/A

Additional Information:
-----------------------
N/A

New Service Requests (NSRs):
N/A

Patient Safety Issues (PSIs):
N/A

Defect Tracking System Ticket(s) & Overview:

SCTASK11411113 VistA issues on VA network XU*8*787 (VP-40).

Problem:
--------
RPC Broker clients are sending data in clear text across the network.

Resolution:
-----------
Update VistA Kernel with the ability to encrypt RPC Broker client data.
Test Sites:                Change Order #:
---------------------------------------
Alexandria                 CHG0691261
Grand Junction             CHG0696543
Miami                      CHG0698523

Software and Documentation Retrieval Instructions:
--------------------------------------------------
The software for this patch is being released in a PackMan message.

Documentation describing the new functionality is included in this release.

Documentation can be found in the VA Software Document Library at:
https://www.domain.ext/vdl/.

Documentation can also be obtained at
https://download.vista.domain.ext/index.html/SOFTWARE.

Documentation Title                         File Name
-----------------------------------------------------------------------
Kernel 8.0 System Management                KRN_8_0_SM_SIGNON_SECURITY_UG.PDF
Signon/Security User Guide                  KRN_8_0_SM_SIGNON_SECURITY_UG.DOCX

Kernel 8.0 and Kernel Toolkit 7.3           KRN_8_0_TM.PDF
Technical Manual                            KRN_8_0_TM.DOCX

Kernel 8.0 Developer's Guide                KRN_8_0_DG_TLS.PDF
Transport Layer Security (TLS)              KRN_8_0_DG_TLS.DOCX

Patch Installation:
-------------------

Note: If the installer runs XINDEX on the patch after installation, XINDEX
will report errors in the routine XUSUDO related to ObjectScript. These are
normal and covered by the Standards and Conventions Committee (SACC)
exemption 20260430-59.

Pre/Post Installation Overview:

This patch requires a manual pre-installation check and a post-installation
routine. During the post-installation process, the routine initializes the
KERNEL SYSTEM PARAMETERS (#8989.3) file. After installation completes, KIDS
will automatically delete the routine.

Pre-Installation Instructions:

Read all of the pre-installation instructions before proceeding.

Before installing this patch, InterSystems IRIS must already have HS-TIP 73
installed. If HS-TIP 73 is not installed, stop and do not proceed with this
patch installation.
To verify HS-TIP 73 installation, run the following command in VistA
programmer mode:

    VISTA>!ls -lah /srv/vista/OCSP*

--- Example: HS-TIP 73 Installed ---

    VISTA>!ls -lah /srv/vista/OCSP*
    total 4.0K
    drwxrwxr-x. 2 alxirisusr alxirisusr   33 Feb 24 09:00 .
    drwxr-xr-x. 7 root       root         67 Feb 24 09:00 ..
    -rw-r--r--. 1 alxirisusr alxirisusr 1.5K Mar 21 11:00 ocsp_stapling.cache

--- Example: HS-TIP 73 NOT Installed ---

    VISTA>!ls -lah /srv/vista/OCSP*
    ls: cannot access '/srv/vista/OCSP*': No such file or directory

---

If no files are found, HS-TIP 73 is not installed. Stop here - do NOT install
this patch. The installer must submit a ticket to the SNOW group
SPM.HEALTH.HISM.HEALTHSYSTEMS.TRIAGE requesting installation of HS-TIP 73.
Once Health Systems confirms that HS-TIP 73 has been installed, the installer
may run the HS-TIP 73 verification check again.

This patch may be installed with users on the system, although it is
recommended that it be installed during non-peak hours to minimize potential
disruption to users. This patch should take less than 5 minutes to install.

There are no menu options for sites to disable.

Installation Instructions:

1. Choose the PackMan message containing this build. Then select the
   INSTALL/CHECK MESSAGE PackMan option to load the build.

2. From the Kernel Installation and Distribution System Menu, select the
   Installation Menu. From this menu,

   A. Select the Verify Checksums in Transport Global option to confirm the
      integrity of the routines that are in the transport global. When
      prompted for the INSTALL NAME enter the patch or build name
      (ex. XU*8.0*787).

      NOTE: Using <spacebar><enter> will not bring up a Multi-Package build
      even if it was loaded immediately before this step. It will only bring
      up the last patch in the build.

   B. Select the Backup a Transport Global option to create a backup
      message. You must use this option and specify what to backup; the
      entire Build or just Routines.
      The backup message can be used to restore the routines and components
      of the build to the pre-patch condition.

      i.   At the Installation option menu, select Backup a Transport Global.
      ii.  At the Select INSTALL NAME prompt, enter your build XU*8.0*787.
      iii. When prompted for the following, enter "R" for Routines or "B"
           for Build.

              Select one of the following:
                B         Build (including Routines)
                R         Routines Only
              Backup Type: B//

      iv.  When prompted "Do you wish to secure your build? NO//", press
           <Enter> and take the default response of "NO".
      v.   When prompted with "Send mail to: Last name, First Name", press
           <Enter> to take the default recipient. Add any additional
           recipients.
      vi.  When prompted with "Select basket to send to: IN//", press <Enter>
           and take the default IN mailbox or select a different mailbox.

   C. You may also choose to use the following options:

      i.  Print Transport Global - This option will allow you to view the
          components of the KIDS build.
      ii. Compare Transport Global to Current System - This option will allow
          you to view all changes that will be made when this patch is
          installed. It compares all the components of this patch, such as
          routines, DDs, templates, etc.

   D. Select the Install Package(s) option and choose the patch to install.

      i.   If prompted 'Want KIDS to Rebuild Menu Trees Upon Completion of
           Install? NO//', answer NO.
      ii.  When prompted 'Want KIDS to INHIBIT LOGONs during the install?
           NO//', answer NO.
      iii. When prompted 'Want to DISABLE Scheduled Options, Menu Options,
           and Protocols? NO//', answer NO.

Post-Installation Instructions:

Post-Install routine: KIDS calls POST^XUSUDOPI after the installation to
initialize the field DEFAULT TLS SERVER CONFIG. (#667) in the file KERNEL
SYSTEM PARAMETERS (#8989.3) to "tls_encrypt_server". KIDS will then delete
the post-install routine XUSUDOPI.

1. Verify that the installation was successful. See Sample Install below.

2. Verify that no new errors related to this patch are appearing in the
   Error Log [XUERTRAP].

3. Confirm that the initialized value "tls_encrypt_server" names a TLS server
   configuration that exists in the IRIS 'Security.SSLConfigs' table. The
   DEFAULT TLS SERVER CONFIG. field on the form XUSITEPARM lists the
   configurations available for selection, and the routine XUTLS reads this
   field to initialize the server-side TLS OPEN or USE, so a name that does
   not exist in IRIS leaves 'XU START TLS' without a usable configuration.
Sample Install on a test account shown below; note the two lines containing
information about the Post-Install routine being run and its output:

--------------------------------------
 Installing REMOTE PROCEDURE
               Nov 07, 2025@06:31:28
 Running Post-Install Routine: POST^XUSUDOPI
 KERNEL SYSTEM PARAMETERS updated
 DEFAULT TLS SERVER CONFIG. initialized to "tls_encrypt_server"
 Updating Routine file...
 Updating KIDS files...
 XU*8.0*787 Installed.
               Nov 07, 2025@06:31:28
 Not a production UCI
 NO Install Message sent
--------------------------------------

Back-Out/Roll Back Plan:
------------------------

a. Use the MailMan [XMUSER] menu to locate the PackMan message containing
   the backup build. The subject of the PackMan message begins with "Backup
   of XU*8.0*787". Use the PackMan message action XTRACT KIDS.

b. Use the PackMan INSTALL/CHECK MESSAGE option to load the backup KIDS
   distribution.

c. Use the KIDS [XPD MAIN] menu to install the backup KIDS distribution using
   the Install Package(s) [XPD INSTALL BUILD] option.

d. After back-out, sites should use CHECK1^XTSUMBLD to verify routine
   checksums.

e. Delete the field DEFAULT TLS SERVER CONFIG. (#667) from the file KERNEL
   SYSTEM PARAMETERS (#8989.3). Example FileMan session below:

    >D P^DI

    VA FileMan 22.2

    Select OPTION: 4  MODIFY FILE ATTRIBUTES

    Do you want to use the screen-mode version? YES// NO

    Modify what File: KERNEL SYSTEM PARAMETERS//   (1 entry)
    Select FIELD: 667  DEFAULT TLS SERVER CONFIG.
    LABEL: DEFAULT TLS SERVER CONFIG.  Replace @
       SURE YOU WANT TO DELETE THE ENTIRE 'DEFAULT TLS SERVER CONFIG.' FIELD? Y  (Yes)
    OK TO DELETE 'DEFAULT TLS SERVER CONFIG.' FIELDS IN THE EXISTING ENTRIES? Yes//   (Yes)

f. Delete the field DEFAULT TLS SERVER CONFIG. from the form XUSITEPARM.
   Example FileMan session below:

    >D P^DI

    VA FileMan 22.2

    Select OPTION: OTHER
    Select OTHER OPTION: SCREEN
    Select SCREENMAN OPTION: EDIT

    Edit/Create Form for what File: // KERNEL SYSTEM PARAMETERS
    Select FORM: XUSITEPARM  Kernel Site Parameter edit

    DOMAIN:__________________________________________
    DEFAULT # OF ATTEMPTS: ___                  AGENCY CODE: _________
    DEFAULT LOCK-OUT TIME: ____                 MULTIPLE SIGN-ON LIMIT: ___
    DEFAULT MULTIPLE SIGN-ON: ________          DEFAULT AUTO SIGN-ON: ________
    DEFAULT AUTO-MENU: ___                      SIGN-ON LOG RETENTION: ____
    DEFAULT LANGUAGE: __________                BROKER TIMEOUT: _____
    DEFAULT TYPE-AHEAD: ___                     STRICT TOKEN VALIDATION: ___
    DEFAULT TIMED-READ (SECONDS): _____         CID RETENTION: ___
    BYPASS DEVICE LOCK-OUT: ___                 CCOW TOKEN TIMEOUT: _____
    LIFETIME OF VERIFY CODE: ___                ASK DEVICE TYPE AT SIGN-ON: ___
    DEFAULT INSTITUTION: ______________________________
    AUTO-GENERATE ACCESS CODES: ___             AUTO-GENERATE VERIFY CODES: ___
    DEFAULT TLS SERVER CONFIG.: ______________________________
    __________________________________________________________________________
    File: KERNEL SYSTEM PARAMETERS (#8989.3)  R2,C1  Form: XUSITEPARM (#8)  Page: 1 (Page 1)
    Q=Quit  E=Exit  S=Save  V=Block Viewer  H=Help

   Move the cursor to the line containing the field DEFAULT TLS SERVER
   CONFIG. and position it on that field. Select the field (the field name
   is then displayed in bold), open the field for editing, and enter @ to
   delete it:

    WARNING: DELETIONS ARE DONE IMMEDIATELY!
    (EXITING WITHOUT SAVING WILL NOT RESTORE DELETED RECORDS.)

    Are you sure you want to delete this entire Subrecord (Y/N)? Y

   Enter Q to quit the Form Editor, then return through the remaining
   prompts:

    Select SCREENMAN OPTION:
    Select OTHER OPTION:
    Select OPTION:

Routine Information:
====================

The second line of each of these routines now looks like:

    ;;8.0;KERNEL;**[Patch List]**;Jul 10, 1995;Build 73

The checksums below are new checksums, and can be checked with
CHECK1^XTSUMBLD.
Routine Name: XUKSPTLSF
    Before:       n/a   After: B15583382  **787**
Routine Name: XUSUDO
    Before:       n/a   After: B65333024  **787**
Routine Name: XUSUDOPI
    Before:       n/a   After:  B3478914  **787**
Routine Name: XUTLS
    Before:       n/a   After: B82396289  **787**

=============================================================================
User Information:
Entered By  :                                 Date Entered  : APR 13, 2023
Completed By:                                 Date Completed: MAY 12, 2026
Released By :                                 Date Released : MAY 14, 2026
=============================================================================

Packman Mail Message:
=====================

$END TXT