$TXT Created by MNTVBB.DOMAIN.EXT (KIDS) on Monday, 06/03/24 at 08:54
=============================================================================
Run Date: JUL 16, 2024                     Designation: PSN*4*575
Package : PSN - NATIONAL DRUG FILE         Priority: Mandatory
Version : 4        SEQ #557                Status: Released
                                           Compliance Date: AUG 16, 2024
=============================================================================

Associated patches: (v)PSN*4*563 <<= must be installed BEFORE `PSN*4*575'
                    (v)PSN*4*573 <<= must be installed BEFORE `PSN*4*575'

Subject: ECDSA KEY CREATION

Category:
  - Routine
  - Data Dictionary
  - Other

Description:
============

This patch will address:

INC26749697 - ECDSA Key creation

****ATTENTION****
This patch allows creation of the ECDSA key; however, at this time the sites
are requested to install the patch *BUT NOT* create the key. The National
Pharmacy support team will schedule for each site to create and authenticate
the key.

Patch Components:
-----------------

Files & Fields Associated:

File Name (Number)          Field Name (Number)        New/Modified/Deleted
------------------          -------------------        --------------------
PPS-N UPDATE CONTROL        SFTP SSH KEY ENCRYPTION    Modified
 (#57.23)                    (#41)
PPS-N UPDATE CONTROL        ECDSA                      New
 (#57.23)                    (#11)

Forms Associated:

Form Name                   File Number     New/Modified/Deleted
---------                   -----------     --------------------
N/A

Mail Groups Associated:

Mail Group Name             New/Modified/Deleted
---------------             --------------------
N/A

Options Associated:

Option Name                 Type            New/Modified/Deleted
-----------                 ----            --------------------
N/A

Protocols Associated:

Protocol Name               New/Modified/Deleted
-------------               --------------------
N/A

Security Keys Associated:

Security Key Name
-----------------
N/A

Templates Associated:

Template Name   Type    File Name (Number)    New/Modified/Deleted
-------------   ----    ------------------    --------------------
N/A

Remote Procedures Associated:

Remote Procedure Name       New/Modified/Deleted
---------------------       --------------------
N/A

Parameter Definitions Associated:
Parameter Name              New/Modified/Deleted
--------------              --------------------
N/A

Additional Information:
-----------------------

New Service Requests (NSRs):
N/A

Patient Safety Issues (PSIs):
-----------------------------
N/A

Defect Tracking System Ticket(s) & Overview:

1. INC26749697 - ECDSA KEY CREATION

   Problem:
   --------
   With the implementation of Red Hat Enterprise Linux (RHEL 8), the stronger
   ECDSA encryption key type is now available and supported. The Pharmacy
   Product System-National (PPS-N) application at this time is using a
   Rivest, Shamir & Adleman (RSA) type Secure SHell (SSH) key for connecting
   to the PPS-N server to receive the data file that is used for updating the
   National Drug File.

   New key added: Elliptic Curve Digital Signature Algorithm (ECDSA)
   ECDSA keys can be created with a key length of 256, 384 or 521 bits. We
   recommend 521 bits.

   Necessary changes are required to allow creation of the ECDSA key for the
   PPS-N application. Support for RSA keys is anticipated to be deprecated in
   the future, so to maintain VistA's security posture and ensure continuous
   operation of required VistA processes, software utilizing SSH PKI user keys
   must be updated to support the stronger ECDSA encryption key. The
   modification should allow the creation of any ECDSA keys to be forward
   compatible when RHEL 8 is implemented.

   Resolution:
   -----------
   The SFTP SSH KEY ENCRYPTION (#41) field in the PPS-N UPDATE CONTROL
   (#57.23) file is modified to add the code ECDSA.

   Routine PSNOSKEY is modified to allow the ECDSA key to be created, viewed
   and deleted, and the help text is updated.

   Routine PSNPARM is modified to use the new field ECDSA (#11) in the PPS-N
   UPDATE CONTROL (#57.23) file in the option PPS-N Site Parameters
   (Enter/Edit) to set whether ECDSA keys are allowed to be created.

   The HELP text is updated to the following:

   Secure SHell (SSH) Encryption Keys are used to allow data file download.
   Follow the steps below to successfully set up data file download from the
   Austin server to VistA sites:

   Step 1: Select the 'C' (Create New SSH Key Pair) Action and follow the
           prompts to create a new pair of SSH keys. If you already have an
           existing SSH Key Pair you can skip this step. You can check whether
           you already have an existing SSH Key Pair through the 'V' (View
           Public SSH Key) Action.

           Encryption Type: RSA or ECDSA?
           -----------------------------------
           Rivest, Shamir & Adleman (RSA) has been one of the most common
           encryption algorithms used by the IT industry for securely sharing
           data. Elliptic Curve Digital Signature Algorithm (ECDSA) is a more
           complex public key cryptography encryption algorithm that is now
           supported by the VA.

           If ECDSA is selected you will be prompted to enter the Bit size.
           Valid selections are 256, 384 or 521. You will need to contact the
           Austin SFTP server support to determine which type to select.

   Press Return to continue:

   Step 2: Share the Public SSH Key content with the PPS-N SFTP server
           (Austin). In order to successfully establish the data download
           files, the SFTP server at Austin needs to install/configure the
           new SSH Key created in step 1 for the user id they assigned to
           your site. Use the 'V' (View Public SSH Key) Action to retrieve
           the content of the Public SSH key. The Public SSH Key should not
           contain line-feed characters; therefore, after you copy & paste it
           from the terminal emulator into an email or text editor make sure
           it contains only one line of text (no wrapping).

   ****ATTENTION****
   The National Pharmacy support team will coordinate the above steps between
   the site and the PPS-N SFTP server (Austin).
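The key-creation steps above, as an added shell example that is not part of patch PSN*4*575 or of routine PSNOSKEY: it builds the ssh-keygen command the way the modified NEWKEY code does (type lower-cased, "-b <bits>" only when an ECDSA bit size was chosen) and checks that an exported public key is a single line whose ecdsa-sha2-nistp prefix matches the chosen bit size before it is shared with Austin. The function names keygen_args and check_pubkey and the sample keys are assumed/constructed, not taken from the routine.

```shell
#!/bin/sh
# Added example, not part of patch PSN*4*575 or routine PSNOSKEY. Function
# names and sample keys are assumed/constructed for illustration.

# Build the ssh-keygen command line the way NEWKEY does: the type is
# lower-cased, "-b <bits>" is appended only when a bit size was chosen
# (ECDSA), and the passphrase (-N) and comment (-C) are left empty.
keygen_args() {
    # $1 = key type (RSA, DSA, ECDSA), $2 = bit size or "", $3 = key file path
    ktype=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    if [ -n "$2" ]; then
        printf "ssh-keygen -q -N '' -C '' -t %s -b %s -f %s" "$ktype" "$2" "$3"
    else
        printf "ssh-keygen -q -N '' -C '' -t %s -f %s" "$ktype" "$3"
    fi
}

# Validate a pasted ECDSA public key: it must be exactly one line (no
# wrapping or embedded line feeds) and its key-type prefix must match the
# bit size chosen in Step 1 (256 -> nistp256, 384 -> nistp384, 521 -> nistp521).
# Returns 0 when acceptable, 1 otherwise.
check_pubkey() {
    # $1 = public key text, $2 = expected ECDSA bit size
    nlines=$(printf '%s\n' "$1" | grep -c '')
    [ "$nlines" -eq 1 ] || return 1
    case "$1" in
        "ecdsa-sha2-nistp$2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample keys (the base64 body is a placeholder, not a real key).
GOOD_KEY='ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAplaceholder== vista@site'
# The same key after being pasted with a wrapped (line-feed) break inside it.
WRAPPED_KEY=$(printf 'ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEA\nAAAIbmlzdHA1MjEAAACFBAplaceholder== vista@site')

# Run with the argument "demo" to see the command line and both checks.
if [ "${1:-}" = "demo" ]; then
    keygen_args ECDSA 521 /home/vista/.ssh/pps_n_key; echo
    check_pubkey "$GOOD_KEY" 521 && echo "single-line nistp521 key: OK"
    check_pubkey "$WRAPPED_KEY" 521 || echo "wrapped key: REJECTED"
fi
```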
Technical Resolution:
---------------------

Routine PSNOSKEY is modified as follows:

ACTION+24 is changed from

 .S DIR(0)="S^RSA:Rivest, Shamir & Adleman (RSA);DSA:Digital Signature Algorithm (DSA)"

to

 .;PSN*4*575 Add ECDSA
 .S PSNDSA=$$GET1^DIQ(57.23,1,11,"I")
 .I 'PSNDSA S DIR(0)="S^RSA:Rivest, Shamir & Adleman (RSA);DSA:Digital Signature Algorithm (DSA)"
 .I PSNDSA S DIR(0)="S^RSA:Rivest, Shamir & Adleman (RSA);DSA:Digital Signature Algorithm (DSA);ECDSA:Elliptic Curve Digital Signature Algorithm (ECDSA)"

ACTION+30 add these lines:

 . ;p575 prompt for bit size for ECDSA
 . I ENCRTYPE="ECDSA" D I $D(DUOUT)!($D(DIRUT)) Q
 . . K DIR S DIR("A")="ECDSA encryption key size (bit size)",DIR("?")="Available key sizes are 256 bits, 384 bits, or 521 bits. Also referred to as key length."
 . . S DIR(0)="S^256:256 bits;384:384 bits;521:521 bits"
 . . S DIR("B")="256" D ^DIR
 . S ENCRBITS=$S(ENCRTYPE="ECDSA":Y,1:"")

ACTION+44 remove tasking logic:

 . ;p575 removing the task off logic, unnecessary
 .;N ZTRTN,ZTIO,ZTDESC,ZTDTH,ZTSK
 .;S ZTRTN="NEWKEY^PSNOSKEY("""_ENCRTYPE_""")",ZTIO="",ZTDESC="SSH Key Generation",ZTDTH=$$NOW^XLFDT()
 .;D ^%ZTLOAD K ZTSK,^TMP("PSNPUBKY",$J)
 .;F I=1:1:30 D RETRIEVE("PUB") Q:$D(^TMP("PSNPUBKY",$J)) H 1
 .; -- If unable to create the key via Taskman after 30 seconds, creates them in the foreground
 .;I '$D(^TMP("PSNPUBKY",$J)) D

NEWKEY+6 is changed from

 I $G(ENCRTYPE)'="RSA" S ENCRTYPE="DSA"

to

 ;PSN*4*575 handle ECDSA
 ;I $G(ENCRTYPE)'="RSA" S ENCRTYPE="DSA"
 S ENCRTYPE=$S($G(ENCRTYPE)="ECDSA":"ECDSA",$G(ENCRTYPE)="EDDSA":"ed25519",1:"RSA")

NEWKEY+28 is changed to

 . I ($P($$VERSION^%ZOSV(1),"/",1)[("Cache")) D
 . . S:ENCRBITS ENCRBITS=" -b "_ENCRBITS
 . . X "S PV=$ZF(-1,""ssh-keygen -q -N '' -C '' -t "_$$LOW^XLFSTR($G(ENCRTYPE))_" -f "_LOCALDIR_KEYFILE_ENCRBITS_""")"

NEWKEY+31 is changed to

 . I $P($$VERSION^%ZOSV(1),"/",1)'[("Cache") D
 . . I ENCRBITS S PV=$ZF(-100,"","ssh-keygen","-q","-t",ENCRTYPE,"-b",ENCRBITS,"-f",LOCALDIR_KEYFILE,"-N","","-C","")
 . . I ENCRBITS="" S PV=$ZF(-100,"","ssh-keygen","-q","-t",ENCRTYPE,"-f",LOCALDIR_KEYFILE,"-N","","-C","")
 .S FILE2DEL(KEYFILE)="",FILE2DEL(KEYFILE_".pub")=""

Routine PSNPARM is modified to add the parameter ECDSA keys to the Pharmacy
Product System-National (PPS-N) Site Parameters. The following lines are
modified:

DISP+14 is added

 S PSNAR(15)=$S($P(NODE0,"^",11)=1:"ALLOWED",1:"NOT ALLOWED")_"^57.23^11"

ADD+4 is changed from

 I X="A" S X="1:14"

to

 I X="A" S X="1:15"

ADD+5 is changed from

 I X?.N1":".N S Y=$E(X),Z=$P(X,":",2) I Y<1!(Z>14)!(Y>Z) D HELP G:PSNOUT END G ASK

to

 I X?.N1":".N S Y=$E(X),Z=$P(X,":",2) I Y<1!(Z>15)!(Y>Z) D HELP G:PSNOUT END G ASK

FIELD+15^PSNPARM adds this line

 ;;15^ECDSA/EDDSA keys

Test Sites:
-----------
Jesse Brown VAMC (Chicago, IL)
Meds by Mail

Test Sites - SNOW Change Order #:
--------------------------------
Chicago - CHG0493537
Meds by Mail - CHG0493834

Software and Documentation Retrieval Instructions:
--------------------------------------------------
This software is being released as a PackMan message.

Documentation describing the new functionality is included in this release.

Documentation can be found on the VA Software Documentation Library at:
https://www.domain.ext/vdl/.

Documentation can also be obtained at
https://download.vista.domain.ext/index.html/SOFTWARE

Documentation Title                         File Name
---------------------------------------------------------------------
National Drug File Version 4                PSN_4_P575_TM.PDF
Technical Manual                            PSN_4_P575_TM.DOCX

National Drug File Version 4                PSN_4_P575_UM.PDF
User Manual                                 PSN_4_P575_UM.DOCX

Patch Installation:
-------------------

****ATTENTION****
This patch allows creation of the ECDSA key; however, at this time the sites
are requested to install the patch *BUT NOT* create the key. The National
Pharmacy support team will schedule for each site to create and authenticate
the key.
Pre-Installation Instructions:

This patch may be installed with users on the system, although it is
recommended that it be installed during non-peak hours to minimize potential
disruption to users. This patch should take less than 5 minutes to install.

Installation Instructions:

1. Choose the PackMan message containing this build. Then select the
   INSTALL/CHECK MESSAGE PackMan option to load the build.

2. From the Kernel Installation and Distribution System Menu, select the
   Installation Menu. From this menu,

   A. Select the Verify Checksums in Transport Global option to confirm the
      integrity of the routines that are in the transport global. When
      prompted for the INSTALL NAME enter the patch or build name
      (ex. PSN*4.0*575).

      NOTE: Using <spacebar><Enter> will not bring up a Multi-Package build
      even if it was loaded immediately before this step. It will only bring
      up the last patch in the build.

   B. Select the Backup a Transport Global option to create a backup message.
      You must use this option and specify what to back up: the entire Build
      or just Routines. The backup message can be used to restore the
      routines and components of the build to the pre-patch condition.

      i.   At the Installation option menu, select Backup a Transport Global.
      ii.  At the Select INSTALL NAME prompt, enter your build PSN*4.0*575.
      iii. When prompted for the following, enter "R" for Routines or "B" for
           Build.

           Select one of the following:
             B    Build
             R    Routines
           Enter response: Build

      iv.  When prompted "Do you wish to secure your build? NO//", press
           <Enter> and take the default response of "NO".
      v.   When prompted with "Send mail to: Last name, First Name", press
           <Enter> to take the default recipient. Add any additional
           recipients.
      vi.  When prompted with "Select basket to send to: IN//", press <Enter>
           and take the default IN mailbox or select a different mailbox.

   C. You may also elect to use the following options:

      i.   Print Transport Global - This option will allow you to view the
           components of the KIDS build.
      ii.  Compare Transport Global to Current System - This option will
           allow you to view all changes that will be made when this patch is
           installed. It compares all of the components of this patch, such
           as routines, DDs, templates, etc.

   D. Select the Install Package(s) option and choose the patch to install.

      i.   If prompted 'Want KIDS to Rebuild Menu Trees Upon Completion of
           Install? NO//', answer NO.
      ii.  When prompted 'Want KIDS to INHIBIT LOGONs during the install?
           NO//', answer NO.
      iii. When prompted 'Want to DISABLE Scheduled Options, Menu Options,
           and Protocols? NO//', answer NO.

Back-out/Rollback Strategy:
---------------------------

Back-out will be done only with the concurrence and participation of the
development team and appropriate VA site/region personnel. The decision to
back out or roll back software will be a joint decision between the
development team, VA site/region personnel and other appropriate VA personnel.

Prior to installing an updated KIDS package, the site/region should have
saved a backup of the build in a mail message using the Backup a Transport
Global [XPD BACKUP] menu option (this is done at time of install). The
message containing the backed-up build can be loaded with the "Xtract
PackMan" function at the Message Action prompt. The PackMan function
"INSTALL/CHECK MESSAGE" is then used to install the backed-up routines onto
the VistA system.

The back-out plan is to restore the build from the backup created. No data
was modified by this patch installation and, therefore, no rollback strategy
is required.

Validation of Back-out Procedure:
---------------------------------

The Back-out Procedure can be verified by printing the first 2 lines of the
routines contained in this patch using the option First Line Routine Print
[XU FIRST LINE PRINT]. Once the build contained in the PSN*4.0*575 patch has
been backed out, the first two lines of the routine will no longer contain
the designation of this patch in the patch list section on line 2.
Routine Information:
====================

The second line of each of these routines now looks like:
 ;;4.0;NATIONAL DRUG FILE;**[Patch List]**; 30 Oct 98;Build 22

The checksums below are new checksums, and can be checked with
CHECK1^XTSUMBLD.

Routine Name: PSNOSKEY
    Before: B85806980   After: B112551991  **513,563,575**
Routine Name: PSNPARM
    Before: B56730894   After:  B57712704  **513,573,575**

Routine list of preceding patches: 563, 573

=============================================================================
User Information:
Entered By  :                                Date Entered  : APR 13, 2023
Completed By:                                Date Completed: JUL 16, 2024
Released By :                                Date Released : JUL 16, 2024
=============================================================================
Packman Mail Message:
=====================

$END TXT