$TXT Created by NTHONY at DEVVOO.DOMAIN.EXT (KIDS) on Tuesday, 10/12/21 at 15:07
=============================================================================
Run Date: NOV 03, 2021                     Designation: DG*5.3*1065
Package : DG - REGISTRATION                   Priority: EMERGENCY
Version : 5.3       SEQ #927                    Status: Released
                  Compliance Date: NOV 04, 2021
=============================================================================

Associated patches: (v)DG*5.3*1014 <<= must be installed BEFORE
                       `DG*5.3*1065'

Subject: UAM - SET API KEY IN MESSAGE HEADER

Category:
  - Routine
  - Enhancement ()
  - Other

Description:
============

 **************************************************************************
 **************************************************************************
 IMPORTANT NOTE: DG*5.3*1065 is an emergency patch. The national release
 date is Nov 03, 2021, with a one-day compliance period. This patch must
 be installed at all VistA sites by close of business on Thursday,
 Nov 04, 2021.
 **************************************************************************
 **************************************************************************

 Veterans Health Information Systems and Technology Architecture (VistA)
 Registration, Eligibility & Enrollment (REE) patch DG*5.3*1065 is being
 released to support enhancements for the Enterprise Health Benefits
 Determination (EHBD) program. This patch focuses on updates for the
 Enrollment System Modernization (ESM) Phase 4 project.

 Patch DG*5.3*1065 fixes a security issue with the VistA REE Universal
 Addressing Module (UAM) Address Validation Service. The Application
 Programming Interface (API) Key sent on each request is now submitted in
 the message header and not in the query parameters.

 *************************************************************************
 NOTE: When running the ^XINDEX routine, sites will encounter an XINDEX
 Error after the installation of this patch. Routine DGUAMWS uses
 HealtheVet Web Services Client (HWSC). It calls a Cache Class to parse
 the eXtensible Markup Language (XML) document returned by the web service
 call. A Standards and Conventions (SAC) Exemption (ID 20200806-01) was
 approved on 08/06/2020.
 *************************************************************************

 The errors reported by XINDEX are:

 DGUAMWS * * 202 Lines, 11849 Bytes, Checksum: B111128641
      S DGHTTPREQ.SSLCheckServerIdentity = 0 ; Older versions of
        xobw.WebServer.cls don't set this value. Setting here to prevent
        Error #6156 during the POST below.
    EN+24        W - Vendor specific code is restricted.
    EN+24        F - Unrecognized argument in SET command.
    EN+24        F - UNDEFINED COMMAND (rest of line not checked).
      D DGHTTPREQ.EntityBody.Write(DGJSON) ; places the entire json
        string into EntityBody
    EN+28        W - Vendor specific code is restricted.
      F DGHEADER="Accept","ContentType" D
        DGHTTPREQ.SetHeader(DGHEADER,"application/json")
    EN+29        W - Vendor specific code is restricted.
      D DGHTTPREQ.SetHeader("apiKey",DGKEY)
    EN+33        W - Vendor specific code is restricted.
      S DGHTTPRESP=DGHTTPREQ.HttpResponse
    EN+38        W - Vendor specific code is restricted.
      S DGDATA=DGHTTPRESP.Data.ReadLine() ; reads json string response
        from the data stream.
    EN+39        W - Vendor specific code is restricted.
      Q DGSTAT_"^"_$$RSPMSG(DGHTTPRESP.StatusCode,.DGRESPMSG)
    EN+47        W - Vendor specific code is restricted.
      N DGERRCODE S DGERRCODE=DGRESPERR.code
    ERRRSPMSG+4  W - Vendor specific code is restricted.
 *************************************************************************

 Listing of Updates:
 ===================
 This patch makes the following enhancements to VistA REE:

 1. A new entry DG UAM API KEY is added to the PARAMETER DEFINITION file
    (#8989.51).

    NUMBER: 1053
    NAME: DG UAM API KEY
    DISPLAY TEXT: UAM Address Validation Service API Key
    MULTIPLE VALUED: No
    PROHIBIT EDITING: No
    VALUE DATA TYPE: free text
    VALUE HELP: Enter the API Key for the UAM Address Validation Service.
    DESCRIPTION: The API Key is sent on the message header for the UAM
                 Address Validation Service. Without a valid key, the
                 request is rejected.
    PRECEDENCE: 1
    ENTITY FILE: PACKAGE

 2. The post-install routine, POST^DG531065P, performs the following
    actions:
    a. Determines the appropriate API Key based on the VA site region.
    b. Stores the API Key in the DG UAM API KEY parameter instance in the
       PARAMETERS file (#8989.5).
    c. Modifies the CONTEXT ROOT (#200) field of the WEB SERVICE FILE
       (#18.02) for the entries DG UAM AV CANDIDATE and DG UAM AV
       VALIDATE. The /apikey is removed from the entries.

 3. Routine DGUAMWS, which invokes the UAM Address Validation Service, is
    modified to retrieve the API Key from the DG UAM API KEY parameter
    instance in the PARAMETERS file (#8989.5) and place the key in the
    message header.

 Patch Components:
 -----------------

 Files & Fields Associated:

 File Name (Number)     Field Name (Number)     New/Modified/Deleted
 ------------------     -------------------     --------------------
 N/A

 Forms Associated:

 Form Name              File Number             New/Modified/Deleted
 ---------              -----------             --------------------
 N/A

 Mail Groups Associated:

 Mail Group Name        New/Modified/Deleted
 ---------------        --------------------
 N/A

 Options Associated:

 Option Name            Type                    New/Modified/Deleted
 -----------            ----                    --------------------
 N/A

 Protocols Associated:

 Protocol Name          New/Modified/Deleted
 -------------          --------------------
 N/A

 Security Keys Associated:

 Security Key Name
 -----------------
 N/A

 Templates Associated:

 Template Name     Type     File Name (Number)     New/Modified/Deleted
 -------------     ----     ------------------     --------------------
 N/A

 Remote Procedures Associated:

 Remote Procedure Name  New/Modified/Deleted
 ---------------------  --------------------
 N/A

 Parameter Definitions Associated:

 Parameter Name         New/Modified/Deleted
 --------------         --------------------
 DG UAM API KEY         NEW

 Additional Information:
 -----------------------
 N/A

 New Service Requests (NSRs):
 ----------------------------
 N/A

 Patient Safety Issues (PSIs):
 -----------------------------
 N/A

 Defect Tracking System Ticket(s) & Overview:
 --------------------------------------------
 Jira VES-17652: API Keys used for the UAM in VistA should be submitted
 in the API header and not in query parameters.

 Problem:
 --------
 Some submissions are passing API keys in the query parameters. This is a
 security risk because it can potentially expose personal information in
 Lighthouse databases.

 Resolution:
 -----------
 With patch DG*5.3*1065, the API Key sent on each request is now submitted
 in the message header and not in the query parameters.

 Test Sites:
 -----------
 VA Hudson Valley Health Care System (Montrose, Castle Point), NY
 Robley Rex VA Medical Center, Louisville, KY

 Software and Documentation Retrieval Instructions:
 --------------------------------------------------
 The software for this patch is being released in a PackMan message.

 Documentation describing the new functionality is included in this
 release. Documentation can be found on the VA Software Documentation
 Library at: https://www.domain.ext/vdl/. Documentation can also be
 obtained at https://download.vista.domain.ext/index.html/SOFTWARE.

 Documentation Title                   File Name
 ---------------------------------------------------------------------
 DG*5.3*1065 Release Notes             DG_5_3_1065_RN.PDF
 PIMS Version 5.3 Technical Manual     PIMS_TM.PDF

 Patch Installation:
 -------------------

 Pre/Post Installation Overview:
 -------------------------------
 N/A

 Pre-Installation Instructions:
 ------------------------------
 This patch may be installed with users on the system although it is
 recommended that it be installed during non-peak hours to minimize
 potential disruption to users. This patch should take less than 5
 minutes to install.

 The following options should be disabled during installation.

 Register a Patient               [DG REGISTER PATIENT]
 Load/Edit Patient Data           [DG LOAD PATIENT DATA]
 View Registration Data           [DG REGISTRATION VIEW]
 Eligibility Verification         [DG ELIGIBILITY VERIFICATION]
 Patient Address Update           [DG ADDRESS UPDATE]
 Update Patient Record            [UPDATE PATIENT RECORD]
 FBCH Enter Request Notification  [FBCH ENTER REQUEST]
 Preregister a Patient            [DGPRE PRE-REGISTER OPTION]
 Enter/Edit Billing information   [IB EDIT BILLING INFO]

 Installation Instructions:
 --------------------------
 1. Choose the PackMan message containing this build. Then select the
    INSTALL/CHECK MESSAGE PackMan option to load the build.

 2. From the Kernel Installation and Distribution System Menu, select the
    Installation Menu. From this menu,

    A. Select the Verify Checksums in Transport Global option to confirm
       the integrity of the routines that are in the transport global.
       When prompted for the INSTALL NAME, enter the patch name
       (ex. DG*5.3*1065).

    B. Select the Backup a Transport Global option to create a backup
       message. You must use this option and specify what to backup; the
       entire Build or just Routines. The backup message can be used to
       restore the routines and components of the build to the pre-patch
       condition.

       i.   At the Installation option menu, select Backup a Transport
            Global
       ii.  At the Select INSTALL NAME prompt, enter your build
            DG*5.3*1065
       iii. When prompted for the following, enter "R" for Routines or
            "B" for Build.

            Select one of the following:

                 B         Build (including Routines)
                 R         Routines Only

            Enter response: Build

       iv.  When prompted "Do you wish to secure this message? NO//",
            press <Enter> and take the default response of "NO".
       v.   When prompted with, "Send mail to: Last name, First Name",
            press <Enter> to take default recipient. Add any additional
            recipients.
       vi.  When prompted with "Select basket to send to: IN//", press
            <Enter> and take the default IN mailbox or select a different
            mailbox.

    C. You may also elect to use the following options:

       i.   Print Transport Global - This option will allow you to view
            the components of the KIDS build.
       ii.  Compare Transport Global to Current System - This option will
            allow you to view all changes that will be made when this
            patch is installed. It compares all of the components of this
            patch, such as routines, DDs, templates, etc.

    D. Select the Install Package(s) option and choose the patch to
       install.

       i.   If prompted 'Want KIDS to Rebuild Menu Trees Upon Completion
            of Install? NO//', answer NO.
       ii.  When prompted 'Want KIDS to INHIBIT LOGONs during the
            install? NO//', answer NO.
       iii. When prompted 'Want to DISABLE Scheduled Options, Menu
            Options, and Protocols? NO//', answer YES.

            a. When prompted 'Enter options you wish to mark as 'Out Of
               Order':', select the following options:

               Option Name                      Menu Text
               -----------                      ---------
               Register a Patient               [DG REGISTER PATIENT]
               Load/Edit Patient Data           [DG LOAD PATIENT DATA]
               View Registration Data           [DG REGISTRATION VIEW]
               Eligibility Verification         [DG ELIGIBILITY VERIFICATION]
               Patient Address Update           [DG ADDRESS UPDATE]
               Update Patient Record            [UPDATE PATIENT RECORD]
               FBCH Enter Request Notification  [FBCH ENTER REQUEST]
               Preregister a Patient            [DGPRE PRE-REGISTER OPTION]
               Enter/Edit Billing information   [IB EDIT BILLING INFO]

               Press the Enter key when you are done selecting options.

            b. When prompted 'Enter protocols you wish to mark as 'Out Of
               Order':', press the Enter key.

            c. When prompted 'Delay Install (Minutes): (0 - 60): 0//',
               answer 0.

 Post-Installation Instructions:
 -------------------------------
 The post-install routine POST^DG531065P (described above) is deleted
 after installation by the KIDS build.

 Back-Out/Roll Back Plan:
 ------------------------
 In the event a site/patch installer determines that this patch should be
 backed out, the site/patch installer should submit a YOUR IT Services
 ticket with the Enterprise Service Desk (ESD) for assistance with the
 procedure.

 Any issues would need to be evaluated to determine if: a back-out of the
 software is appropriate; a new patch is needed; or if data requires
 correction or restoration.

 During installation, if the option "Backup a Transport Global" was run
 as directed, then the entire Build or Routines (depending on which
 option was chosen) will have the ability to be restored from the
 "backup" MailMan message that was generated.

Routine Information:
====================
The second line of each of these routines now looks like:
 ;;5.3;Registration;**[Patch List]**;Aug 13, 1993;Build 6

The checksums below are new checksums, and
 can be checked with CHECK1^XTSUMBLD.

Routine Name: DG531065P
    Before:       n/a   After:B156438537  **1065**
Routine Name: DGUAMWS
    Before:B107230386   After:B111128641  **1014,1065**

Routine list of preceding patches: 1014

=============================================================================
User Information:
Entered By  :                               Date Entered  : SEP 30, 2021
Completed By:                               Date Completed: NOV 03, 2021
Released By :                               Date Released : NOV 03, 2021
=============================================================================

Packman Mail Message:
=====================

$END TXT
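
The Problem/Resolution above (Jira VES-17652), as an added Python example that is not part of the patch or of any VistA code: it builds the same POST with the key in the query string and in the apiKey header, shows what an access log would record in each case, and audits log lines for key-bearing query strings. The endpoint, key value, query parameter names and log-line format are constructed assumptions.

```python
import re
import urllib.request
from urllib.parse import parse_qsl, urlencode, urlsplit

BASE = "https://uam.example.invalid/address/validate"  # placeholder endpoint
KEY = "CONSTRUCTED-KEY-0000"                            # constructed sample value
KEY_PARAMS = {"apikey", "api_key"}                      # assumed parameter names


def build_request(body, key, in_header):
    """Build (never send) a POST with the key in a header or in the query string."""
    if in_header:
        req = urllib.request.Request(BASE, data=body, method="POST")
        req.add_header("apiKey", key)  # header name set by DGUAMWS after the patch
    else:
        url = BASE + "?" + urlencode({"apikey": key})
        req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/json")
    return req


def access_log_line(req):
    """Constructed access-log entry: method and request target, no headers."""
    parts = urlsplit(req.full_url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    return f'"{req.get_method()} {target} HTTP/1.1"'


def audit(lines):
    """Return (index, redacted line) for each entry whose query string carries a key."""
    hits = []
    for i, line in enumerate(lines):
        m = re.search(r'"[A-Z]+ (\S+) HTTP', line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        names = {k.lower() for k, _ in parse_qsl(query, keep_blank_values=True)}
        if names & KEY_PARAMS:
            redacted = re.sub(r'(?i)((?:apikey|api_key)=)[^&\s"]+',
                              r"\1[REDACTED]", line)
            hits.append((i, redacted))
    return hits


if __name__ == "__main__":
    before = build_request(b"{}", KEY, in_header=False)
    after = build_request(b"{}", KEY, in_header=True)
    log = [access_log_line(before), access_log_line(after)]
    print("\n".join(log))
    print(audit(log))
```

Only the pre-patch style request leaves the key in the logged request target; the header form keeps it out of URLs that proxies, gateways and server logs store.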