============================================================================= Run Date: JUN 16, 2017 Designation: MAG*3*181 Package : MAG - IMAGING Priority: Mandatory Version : 3 SEQ #131 Status: Released Compliance Date: AUG 20, 2017 ============================================================================= Subject: Clinical display 2 factor authentication Category: - Other Description: ============ Associated Patches: ================== This patch must be installed after MAG*3.0*167. Subject: TWO-FACTOR AUTHENTICATION FOR CLINICAL DISPLAY ======= Category: OTHER ======== Description: =========== MAG*3.0*181 provides two-factor authentication (2FA) for the Clinical Display client. When the user starts Clinical Display, they will be prompted for their Personal Identity Verification (PIV)/Personal Identification Number (PIN) to log into Veterans Health Information Systems and Technology Architecture (VistA). In order to implement 2FA for Clinical Display, the development environment was upgraded to Delphi XE8. A splash screen will be displayed during startup and initialization of the Display application. The splash screen will close when the application is ready to be used. There are no other changes to functionality of the Clinical Display client. Patch Components: ================ This patch includes software and documentation files. This document, MAG3_0P 181_Patch_Description.pdf, provides an overview, explains the changes, and outlines the installation for this patch. MAG3_0P181_README.txt, if present, is an informative file associated with the patch. Software: ======== File Name Description ========= =========== MAG3_0P181.KID Kernel Installation and Distribution System (KIDS) build for Patch 181 MAG3_0P181_Clinical_Display_Setup.exe Clinical Display client installation file. MAG3_0P181_CLINICAL_DISPLAY_INSTALL.MSI Clinical Display push installation file. Documentation: ============= This document, MAG3_0181_Patch_Description.pdf, provides an overview, explains the changes, and outlines the installation for this patch. Files & Fields Associated: ========================= There are no files or fields associated with this patch. Forms Associated: ================ There are no forms associated with this patch. Mail Groups Associated: ====================== There are no mail groups associated with this patch. Options Associated: ================== There are no options associated with this patch. Protocols Associated: ==================== There are no protocols associated with this patch. Security Keys Associated: ======================== There are no security keys associated with this patch. Templates Associated: ==================== There are no templates associated with this patch. Additional Information: ======================= New Service Requests (NSRs): =========================== There are no new service requests addressed in this patch. Patient Safety Issues (PSIs): ============================ There are no patient safety issues associated with this patch. Defect Tracking System Ticket(s) & Overview: =========================================== 1. Update Clinical Display for 2FA ================================== Problem: Per the U.S. Department of Veterans Affairs (VA) mandate to meet PIV requirements (VAIQ #7712300), all existing systems must be upgraded to use PIV credentials for authentication. Resolution: The Remote Procedure Call (RPC) Broker establishes a common and consistent connection for VistA client/server applications. The kernel development team has updated the RPC Broker to accept a PIV for authentication in XWB*1.1*64 and RPC Broker Development Tool Kit XWB*1.1*65. The RPC Broker client component uses the Identity and Access Management (IAM) SSOi Secure Token Service (STS) for Authentication. The client authenticates to IAM with PIV/PIN and obtains a Security Assertion Markup Language (SAML) token; this token is associated with a VistA access/verify code and is used to authenticate to VistA. Test Sites: ========== The following site is a test site for this patch: VA Salt Lake City Health Care System VA Eastern Kansas Health Care System - Topeka Software and Documentation Retrieval Instructions: ================================================= Software being released and/or documentation describing the new functionality introduced by this patch are available. The preferred method is to retrieve files from anonymous@download.vista.domain.ext from the COMMAND prompt (example: sftp anonymous@download.vista.domain.ext). This transmits the files from the first available server. Sites may also elect to retrieve files directly from a specific server. Sites may retrieve the software and/or documentation directly using Secure File Transfer Protocol (SFTP) from the ANONYMOUS.SOFTWARE directory at the following OI Field Offices: When using Attachmate Reflection (Secure Shell): Albany: domain.ext Hines: domain.ext Salt Lake City: domain.ext When using the COMMAND prompt (example: sftp anonymous@domain.ext): Albany: anonymous@domain.ext Hines: anonymous@domain.ext Salt Lake City: anonymous@domain.ext Documentation can also be found on the VA Software Documentation Library at: http://www4.domain.ext/vdl/ Patch Installation: ================== Supported Client Versions ========================= When MAG*3.0*181 is released, the list of supported versions of Clinical Display will change: Supported Versions No Longer Supported 3.0.181 3.0.131 3.0.167 3.0.122 3.0.161 3.0.117 3.0.149 3.0.106 3.0.130 3.0.94 Pre/Post Installation Overview: ============================== MAG*3.0*181 must be installed on the VistA System and on 64-bit workstations on which the VistA Imaging Applications will be used. This patch must be installed by the compliance date. This patch may be installed with users on the system although it is recommended that it be installed during non-peak hours to minimize potential disruption to users. This patch should take less than 5 minutes to install. Pre-Installation Instructions: ============================= Verify that the patches listed in the Associated Patches section of this document have been previously installed. Note: ==== All released VistA Imaging patches must be installed on the VistA system before installing MAG*3.0*181. VistA System (KIDS) Installation Instructions ============================================= Installation Steps ================== KIDS installation will take less than one minute. 1 On the VistA system, access the Kernel Installation and Distribution System Menu [XPD MAIN]. 2 Run the Installation option [XPD INSTALLATION MENU]. 3 Load the KIDS file by performing the following steps: a. Run the Load a Distribution option [XPD LOAD DISTRIBUTION] to load the KIDS distribution. b. When prompted, enter the path and file name (MAG3_0P181.KID) of the Patch 181 KIDS file. c. When prompted to continue with the load, enter "YES". A Distribution OK! message will be displayed when the load is complete. 4 After loading the KIDS file, use the following options to verify the contents of the patch and to back up any affected routines. a.Verify Checksums in Transport Global [XPD PRINT CHECKSUM] - Run this option if you want to ensure the integrity of the routines in the patch. b.Compare Transport Global to Current System [XPD COMPARE TO SYSTEM] - Run this option if you want to view all changes that will be made when the patch is installed. All components (routines, options, and so on) in the patch will be compared. c.Backup a Transport Global [XPD BACKUP] - Run this option if you want to create a backup message of any routines exported with the patch. It will NOT back up any of the other changes. 5 After performing the load and any optional verification steps, install the KIDS file by performing the following steps: a. Run the Install Package(s) [XPD INSTALL BUILD] option. b. When prompted for the install name, enter "MAG*3.0*181". c. Answer "NO" to the following prompts: Want KIDS to Rebuild Menu Trees Upon Completion of Install? NO// Want KIDS to INHIBIT LOGONs during the install? NO// Want to DISABLE Scheduled Options, Menu Options, and Protocols? NO// 6 When installation is finished, an Install Complete message will be displayed. KIDS Installation Example ========================= This example shows the output when the KIDS file is installed for the first time. If you have already installed the patch and are installing the KIDS file in a namespace on which it has previously been installed, your output may be different. Select INSTALL NAME: MAG*3.0*181 3/1/17@15:13:33 => VistA Imaging V3 - Patch 181 - Display 2FA XE8 ;Created on Feb 24, This Distribution was loaded on Mar 01, 2017@15:13:33 with header of VistA Imaging V3 - Patch 181 - Display 2FA XE8 ;Created on Feb 24, 2017@1 3:25:38 It consisted of the following Install(s): MAG*3.0*181 Checking Install for Package MAG*3.0*181 Install Questions for MAG*3.0*181 Want KIDS to INHIBIT LOGONs during the install? NO// Want to DISABLE Scheduled Options, Menu Options, and Protocols? NO// Enter the Device you want to print the Install messages. You can queue the install by enter a 'Q' at the device prompt. Enter a '^' to abort the install. Running Pre-Install Routine: PRE^MAGIP181 Running Post-Install Routine: POS^MAGIP181 Post Install Mail Message: Mar 01, 2017@15:13:56 Updating Routine file... Updating KIDS files... MAG*3.0*181 Installed. Mar 01, 2017@15:13:56 Not a production UCI NO Install Message sent 100% Complete Install Completed VistA Imaging Clinical Display Client Installation Instructions =============================================================== The Clinical Imaging Display client software can be updated using one of the methods outlined below: -Manual installation -Automatic installation using other methods (SMS, PSexec, etc.) Note: ==== The Clinical Display Application is only supported on a Windows 7 operating system; other operating systems are not officially supported. Clinical Display is distributed as an MSI and EXE installation. The MSI is intended for sites that want to do a push installation (using SCCM or another tool). The EXE is intended for use to install on a single workstation. After client installation is complete, log in to an updated workstation and use the Help | About menu option to verify that the version number is 3.0.181.1. Manual Installation =================== The MAG3_0P181_Clinical_Display_Setup.exe file can be installed manually on workstations as described in Section "Single Workstation Installation" in the VistA Imaging System Installation Guide. Auto-update Installation ======================== VistA Imaging Auto-update functionality is no longer supported. Uninstalling Clinical Display Client MAG*3.0*181 ================================================ If it is necessary to uninstall the MAG*3.0*181 client, use the Uninstall option from Windows Control Panel to Uninstall: "VistA Imaging Clinical Display".Then install the previous version of Clinical Display which was included in MAG*3.0*167. Routine Information: =================== This section lists modified routines for the VistA KIDS build. For each routine, the second line will contain the following information: ;;3.0;IMAGING;**[Patch List]**; Mar 19, 2002;Build 1;Feb 15, 2017 CHECK1^XTSUMBLD is used to generate the checksums. Routine Checksum Checksum Patch List Before After MAGGTU4D 5313965 5320928 **93, 94, 106, 117, 122, 131,149, 138, 156, 161, 167, 181** MAGIP181 NA 4214985 **181** Routine MAGIP181 is an installation routine that is automatically deleted after the KIDS installation. Routine Information: ==================== No routines included. ============================================================================= User Information: Entered By : Date Entered : JAN 17, 2017 Completed By: Date Completed: JUN 14, 2017 Released By : Date Released : JUN 16, 2017 ============================================================================= Packman Mail Message: ===================== No routines included