$TXT Created by MNTVBB.DOMAIN.EXT (KIDS) on Tuesday, 10/03/23 at 13:16
=============================================================================
Run Date: DEC 15, 2023                         Designation: PSO*7*723
Package : PSO - OUTPATIENT PHARMACY               Priority: Mandatory
Version : 7         SEQ #612                        Status: Released
                                               Compliance Date: JAN 15, 2024
=============================================================================

Associated patches: (v)PSO*7*625   <<= must be installed BEFORE `PSO*7*723'

Subject: SPMP ECDSA/EDDSA KEY CREATION

Category:
  - Routine
  - Data Dictionary
  - Informational

Description:
============

This patch addresses the following issue: ECDSA/EDDSA key creation.

  1. INC26749697 - ECDSA KEY CREATION

Outpatient Pharmacy service does not need to take any action after
installation of this patch until further notice from their State PDMP or
OIT services regarding SSH PKI user keys for SPMP.

Patch Components:
-----------------

Files & Fields Associated:

File Name (Number)         Field Name (Number)          New/Modified/Deleted
------------------         -------------------          --------------------
SPMP STATE PARAMETERS      SFTP SSH KEY ENCRYPTION      Modified
(#58.41)                   (#19)

Forms Associated:

Form Name                  File Number                  New/Modified/Deleted
---------                  -----------                  --------------------
N/A

Mail Groups Associated:

Mail Group Name            New/Modified/Deleted
---------------            --------------------
N/A

Options Associated:

Option Name                Type                         New/Modified/Deleted
-----------                ----                         --------------------
N/A

Protocols Associated:

Protocol Name              New/Modified/Deleted
-------------              --------------------
N/A

Security Keys Associated:

Security Key Name
-----------------
N/A

Templates Associated:

Template Name   Type   File Name (Number)   New/Modified/Deleted
-------------   ----   ------------------   --------------------
N/A

Remote Procedures Associated:

Remote Procedure Name      New/Modified/Deleted
---------------------      --------------------
N/A

Parameter Definitions Associated:

Parameter Name             New/Modified/Deleted
--------------             --------------------
N/A

Additional Information:
-----------------------

New Service Requests (NSRs):
----------------------------
N/A

Patient Safety Issues (PSIs):
-----------------------------
N/A

Defect Tracking System Ticket(s) & Overview:
--------------------------------------------

1. INC26749697 - ECDSA KEY CREATION

   Problem:
   --------
   With the move to Red Hat Enterprise Linux 8 (RHEL 8), the stronger SSH
   user-key algorithms ECDSA and EDDSA are now available and supported. The
   State Prescription Monitoring Program (SPMP) application currently uses
   an RSA SSH key pair to authenticate to the SPMP server when sending data.

   New key types added:
     Elliptic Curve Digital Signature Algorithm (ECDSA)
     Edwards-curve Digital Signature Algorithm (EDDSA), generated as the
     ed25519 key type; EDDSA is also known as ed25519, and that is the
     type name ssh-keygen expects.

   ECDSA keys can be created with a key size of 256, 384 or 521 bits (the
   NIST P-256, P-384 and P-521 curves). ed25519 keys have a single fixed
   size, so no size prompt applies to them.

   Changes are required to allow creation of ECDSA and EDDSA keys for the
   SPMP application. Support for RSA keys is anticipated to be deprecated
   in the future, so to maintain VistA's security posture and ensure
   continuous operation of required VistA processes, software that uses SSH
   PKI user keys must be updated to support the stronger ECDSA and EDDSA
   keys.

   Resolution:
   -----------
   The SFTP SSH KEY ENCRYPTION (#19) field in the SPMP STATE PARAMETERS
   (#58.41) file is modified to add the codes ECDSA and EDDSA.

   Routine PSOSPMKY is modified to allow ECDSA or EDDSA keys to be created,
   viewed and deleted, and its help text is updated.

   The code that tasked the creation of the keys to a background process is
   removed. Creating the key pair takes less than a second, so the tasking
   was unnecessary and could delay key creation if there was any problem
   tasking the job.

   Technical Resolution:
   ---------------------
   Add the codes ECDSA and EDDSA to the set of codes for the SFTP SSH KEY
   ENCRYPTION (#19) field in the SPMP STATE PARAMETERS (#58.41) file.

   Routine PSOSPMKY is modified as follows:

   ACTION+24 is changed from
    . S DIR(0)="S^DSA:Digital Signature Algorithm (DSA);RSA:Rivest, Shamir & Adleman (RSA)"
   to
    . S DIR(0)="S^RSA:Rivest, Shamir & Adleman (RSA);DSA:Digital Signature Algorithm (DSA);ECDSA:Elliptic Curve Digital Signature Algorithm (ECDSA);EDDSA:Edward-curve Digital Signature Algorithm (ed25519)" ;p723

   NEWKEY+8 is changed from
    I $G(ENCRTYPE)'="DSA",$G(ENCRTYPE)'="RSA" S ENCRTYPE="RSA"
   to
    S ENCRTYPE=$S($G(ENCRTYPE)="ECDSA":"ECDSA",$G(ENCRTYPE)="EDDSA":"ed25519",1:"RSA")
   (EDDSA is mapped to "ed25519", the type name ssh-keygen expects. DSA is
   not among the mapped values, so a DSA selection now falls through to an
   RSA pair, consistent with the help text marking DSA as no longer
   supported.)

   Code is added at ACTION+30 to prompt for the ECDSA key size:
    . I ENCRTYPE="ECDSA" D  I $D(DUOUT)!($D(DIRUT)) Q
    . . K DIR S DIR("A")="ECDSA encryption key size (bit size)",DIR("?")="Available key sizes are 256 bits, 384 bits, or 521 bits. Also referred to as key length."
    . . S DIR(0)="S^256:256 bits;384:384 bits;521:521 bits"
    . . S DIR("B")="256" D ^DIR
    . S ENCRBITS=$S(ENCRTYPE="ECDSA":Y,1:"")

   ACTION+35 is changed from
    . K DIR S DIR("A")="Confirm Creation of SSH Keys for "_$$GET1^DIQ(5,STATEIEN,.01),DIR(0)="Y",DIR("B")="NO"
   to
    . K DIR S DIR("A")="Confirm Creation of SSH "_ENCRTYPE_" Keys for "_$$GET1^DIQ(5,STATEIEN,.01),DIR(0)="Y",DIR("B")="NO"

   ACTION+41 through ACTION+49 are commented out; tasking is unnecessary:
    . ;p723 removing the task off logic, unnecessary
    . ;N ZTRTN,ZTIO,ZTDESC,ZTDTH,ZTSK
    . ;S ZTRTN="NEWKEY^PSOSPMKY("_STATEIEN_","""_ENCRTYPE_""")"
    . ;S ZTDESC="State Prescription Monitoring Program (SPMP) SSH Key Generation"
    . ;S ZTDTH=$$NOW^XLFDT() D ^%ZTLOAD K ZTSK
    . ;K ^TMP("PSOPUBKY",$J)
    . ;F I=1:1:30 D RETRIEVE(STATEIEN,"PUB") Q:$D(^TMP("PSOPUBKY",$J))  H 1
    . ; If unable to create the key via Taskman after 30 seconds, creates them in the foreground
    . ;I '$D(^TMP("PSOPUBKY",$J)) D

   ACTION+54: add K ENCRBITS

   NEWKEY+32 is added to build the ECDSA key-size argument:
    . S ENCRBITS=$S($G(ENCRBITS):" -b "_ENCRBITS,1:"")

   NEWKEY+33 is changed from
    X "S PV=$ZF(-1,""ssh-keygen -q -N '' -C '' -t "_$$LOW^XLFSTR($G(ENCRTYPE))_" -f "_LOCALDIR_KEYFILE_""")"
   to
    I 'ENCRBITS X "S PV=$ZF(-1,""ssh-keygen -q -N '' -C '' -t "_$$LOW^XLFSTR($G(ENCRTYPE))_" -f "_LOCALDIR_KEYFILE_ENCRBITS_""")"
   (The key pair is generated with an empty passphrase and empty comment;
   the -b option is appended only when an ECDSA size was chosen. For the
   values NEWKEY+32 produces, "" or " -b nnn", 'ENCRBITS is always true, so
   the guard does not suppress the call for any type.)

   NEWKEY+63 is changed from
    S DR="18///"_$S(PSOOS["VMS":"SSH2",1:"OSSH")_";19///"_ENCRTYPE D ^DIE
   to
    S DR="18///"_$S(PSOOS["VMS":"SSH2",1:"OSSH")_";19////"_ENCRTYPE D ^DIE
   (Four slashes store the value as the internal code without passing it
   through the field's input transform.)

   The Help text accessed from the Help selection under the Manage Secure
   SHell (SSH) Keys [PSO SPMP SSH KEY MANAGEMENT] option is changed to:

   Secure SHell (SSH) keys are used to automate the data transmission to
   the State Prescription Monitoring Programs (SPMPs). Follow the steps
   below to successfully set up SPMP transmissions from VistA to the
   state/vendor server:

   Step 1: Select the 'N' (Create New SSH Key Pair) Action and follow the
   prompts to create a new pair of SSH keys. If you already have an
   existing SSH Key Pair you can skip this step. You can check whether you
   already have an existing SSH Key Pair through the 'V' (View Public SSH
   Key) Action.

      Encryption Type: DSA, RSA, ECDSA or EDDSA?
      ------------------------------------------
      Digital Signature Algorithm (DSA) (no longer supported) and Rivest,
      Shamir & Adleman (RSA) have been two of the most common public key
      algorithms used by the IT industry for securely sharing data.
      Elliptic Curve Digital Signature Algorithm (ECDSA) and Edwards-curve
      Digital Signature Algorithm (EDDSA) are newer public key algorithms
      that are now supported by the VA. Many SPMP servers accept all
      types; however, some vendors accept only one specific type. Contact
      the SPMP vendor's support to determine which type to select.

      If ECDSA is selected you will be prompted to enter the bit size.
      Valid selections are 256, 384 or 521.

   Step 2: Share the Public SSH Key content with the state/vendor.
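   Steps 1 and 2 above, carried out on the VistA host, as an added example in
   POSIX shell (this is not code from the patch or from the PSOSPMKY routine).
   It reproduces the ssh-keygen command that NEWKEY^PSOSPMKY issues after this
   patch, then checks the resulting public key the way Step 2 requires before
   it is pasted into a message to the state/vendor: exactly one line, the type
   the ENCRTYPE/ENCRBITS selection should produce, and a base64 blob that
   really encodes that type. It assumes OpenSSH ssh-keygen and coreutils
   base64 are on the PATH; the file paths and the sample ed25519 key are
   constructed for the demonstration.

```sh
#!/bin/sh
# Added example; not code from PSO*7*723 or the PSOSPMKY routine. It reproduces
# the ssh-keygen call NEWKEY^PSOSPMKY issues after this patch and then checks
# the public key the way Step 2 of the help text requires before it is sent
# to the state/vendor. Assumes OpenSSH ssh-keygen and coreutils base64 on the
# PATH; paths and the sample key below are made up for the demonstration.

# Public-key type ssh-keygen writes for each ENCRTYPE / ECDSA bit-size choice
# (the -b value selects the NIST P-256/P-384/P-521 curve; ed25519 has one size).
spmp_expected_prefix() {
    case "$1:$2" in
        EDDSA:*)            echo ssh-ed25519 ;;
        ECDSA:|ECDSA:256)   echo ecdsa-sha2-nistp256 ;;   # 256 is the routine's default
        ECDSA:384)          echo ecdsa-sha2-nistp384 ;;
        ECDSA:521)          echo ecdsa-sha2-nistp521 ;;
        RSA:*)              echo ssh-rsa ;;
        DSA:*)              echo ssh-dss ;;
        *)                  return 1 ;;
    esac
}

# Step 2 check: exactly one line, no CR/LF inside it, first field equal to the
# expected type, and the type name embedded in the base64 blob (OpenSSH wire
# format: uint32 length followed by the type string) agreeing with that field.
# Prints the type on success; a wrapped paste or a truncated blob fails here.
spmp_check_pubkey() {
    pub=$1; want=$2
    [ "$(wc -l < "$pub" | tr -d ' ')" -eq 1 ] || { echo "$pub: not exactly one line (wrapped?)" >&2; return 1; }
    if grep -q "$(printf '\r')" "$pub"; then echo "$pub: contains carriage returns" >&2; return 1; fi
    ktype=$(awk '{print $1}' "$pub")
    kblob=$(awk '{print $2}' "$pub")
    [ "$ktype" = "$want" ] || { echo "$pub: type is $ktype, expected $want" >&2; return 1; }
    embedded=$(printf '%s' "$kblob" | base64 -d 2>/dev/null | tail -c +5 | head -c "${#ktype}")
    [ "$embedded" = "$ktype" ] || { echo "$pub: blob does not encode $ktype" >&2; return 1; }
    echo "$ktype"
}

# Create the pair as NEWKEY does after p723: EDDSA is passed to ssh-keygen as
# ed25519, the type is lower-cased, "-b <bits>" is added only for ECDSA, and
# the passphrase and comment are empty (-N '' -C ''). Anything else falls back
# to RSA, as NEWKEY+8 does. Prints the public-key type on success.
spmp_newkey() {
    encrtype=$1; encrbits=$2; keyfile=$3
    case "$encrtype" in
        EDDSA)         sshtype=ed25519 ;;
        ECDSA|RSA|DSA) sshtype=$(echo "$encrtype" | tr 'A-Z' 'a-z') ;;  # DSA: refused by current OpenSSH
        *)             encrtype=RSA; sshtype=rsa ;;
    esac
    rm -f "$keyfile" "$keyfile.pub"    # otherwise ssh-keygen stops to ask about overwriting
    if [ "$sshtype" = ecdsa ]; then
        ssh-keygen -q -N '' -C '' -t "$sshtype" -b "${encrbits:-256}" -f "$keyfile" || return 1
    else
        ssh-keygen -q -N '' -C '' -t "$sshtype" -f "$keyfile" || return 1
    fi
    spmp_check_pubkey "$keyfile.pub" "$(spmp_expected_prefix "$encrtype" "$encrbits")"
}

# Demonstration on a constructed (not real) ed25519 public key: the one-line
# form passes, the same key wrapped onto two lines by a mail client fails.
spmp_demo() {
    d=$(mktemp -d); ok=1
    sample="AAAAC3NzaC1lZDI1NTE5AAAAI$(head -c 43 /dev/zero | tr '\0' A)"   # header + 32 zero key bytes
    printf 'ssh-ed25519 %s \n' "$sample" > "$d/good.pub"
    printf 'ssh-ed25519 %s\n%s\n' "$(echo "$sample" | cut -c1-40)" "$(echo "$sample" | cut -c41-)" > "$d/wrapped.pub"
    spmp_check_pubkey "$d/good.pub" ssh-ed25519 >/dev/null \
        && ! spmp_check_pubkey "$d/wrapped.pub" ssh-ed25519 2>/dev/null || ok=0
    rm -rf "$d"
    [ "$ok" = 1 ]
}

# Stand-alone use: sh this_file.sh ECDSA 384 /path/to/state_keyfile  (hypothetical path)
if [ $# -eq 3 ]; then
    spmp_newkey "$1" "$2" "$3"
fi
```

   The type printed on success is what the state/vendor will see as the
   first field of the key (ecdsa-sha2-nistp384, ssh-ed25519, and so on), so
   it is the value to confirm with vendor support when they say they accept
   only one key type. The single-line and embedded-type checks catch the two
   ways a pasted key usually breaks: wrapping by a mail client and a blob
   truncated while copying from the terminal.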
   In order to successfully establish SPMP transmissions the state/vendor
   will have to install/configure the new SSH Key created in step 1 for the
   user id they assigned to your site. Use the 'V' (View Public SSH Key)
   Action to retrieve the content of the Public SSH Key. The Public SSH Key
   must not contain line-feed characters; therefore, after you copy & paste
   it from the terminal emulator into an email or text editor, make sure it
   contains only one line of text (no wrapping).

Test Sites:
-----------
Jessie Brown VAMC (Chicago, IL)
Meds by Mail

Test Sites - SNOW Change Order #:
--------------------------------
Chicago      - CHG0425366
Meds by Mail - CHG0425847

Software and Documentation Retrieval Instructions:
--------------------------------------------------
The software for this patch is being released in a PackMan message.

Documentation is included in this release. Documentation can be found on
the VA Software Documentation Library at: https://www.domain.ext/vdl/.

Documentation can also be obtained at
https://download.vista.domain.ext/index.html/SOFTWARE

Documentation Title                           File Name
---------------------------------------------------------------------
Outpatient Pharmacy (PSO) Manager's           PSO_7_0_P723_MAN_UM.DOCX
User Manual
Outpatient Pharmacy (PSO) Manager's           PSO_7_0_P723_MAN_UM.PDF
User Manual

Patch Installation:
-------------------

Pre-Installation Instructions:

This patch may be installed with users on the system, although it is
recommended that it be installed during non-peak hours to minimize
potential disruption to users. This patch should take less than 5 minutes
to install.

Installation Instructions:

1. Choose the PackMan message containing this build. Then select the
   INSTALL/CHECK MESSAGE PackMan option to load the build.

2. From the Kernel Installation and Distribution System Menu, select the
   Installation Menu. From this menu,

   A. Select the Verify Checksums in Transport Global option to confirm
      the integrity of the routines that are in the transport global.
      When prompted for the INSTALL NAME enter the patch or build name
      (ex. PSO*7.0*723).

      NOTE: Using the space bar and Return (the shortcut that recalls the
      last response) will not bring up a Multi-Package build even if it
      was loaded immediately before this step. It will only bring up the
      last patch in the build.

   B. Select the Backup a Transport Global option to create a backup
      message. You must use this option and specify what to backup; the
      entire Build or just Routines. The backup message can be used to
      restore the routines and components of the build to the pre-patch
      condition. Because this patch also changes the set of codes for the
      SFTP SSH KEY ENCRYPTION (#19) field, back up the entire Build ("B")
      rather than just Routines so that the data dictionary change is
      captured as well.

      i.   At the Installation option menu, select Backup a Transport
           Global.
      ii.  At the Select INSTALL NAME prompt, enter your build
           PSO*7.0*723.
      iii. When prompted for the following, enter "R" for Routines or
           "B" for Build.

              Select one of the following:
                 B        Build
                 R        Routines

              Enter response: Build

      iv.  When prompted "Do you wish to secure your build? NO//", press
           Enter and take the default response of "NO".
      v.   When prompted with "Send mail to: Last name, First Name",
           press Enter to take the default recipient. Add any additional
           recipients.
      vi.  When prompted with "Select basket to send to: IN//", press
           Enter and take the default IN mailbox or select a different
           mailbox.

   C. You may also elect to use the following options:

      i.  Print Transport Global - This option will allow you to view the
          components of the KIDS build.
      ii. Compare Transport Global to Current System - This option will
          allow you to view all changes that will be made when this patch
          is installed. It compares all of the components of this patch,
          such as routines, DDs, templates, etc.

   D. Select the Install Package(s) option and choose the patch to
      install.

      i.   If prompted 'Want KIDS to Rebuild Menu Trees Upon Completion
           of Install? NO//', answer NO.
      ii.  When prompted 'Want KIDS to INHIBIT LOGONs during the install?
           NO//', answer NO.
      iii. When prompted 'Want to DISABLE Scheduled Options, Menu Options,
           and Protocols? NO//', answer NO.

Back-out/Rollback Strategy:
---------------------------
Back-out will be done only with the concurrence and participation of the
development team and appropriate VA site/region personnel. The decision to
back out or roll back software will be a joint decision between the
development team, VA site/region personnel and other appropriate VA
personnel.

Prior to installing an updated KIDS package, the site/region should have
saved a backup of the build in a mail message using the Backup a Transport
Global [XPD BACKUP] menu option (this is done at time of install). The
message containing the backed-up build can be loaded with the "Xtract
PackMan" function at the Message Action prompt. The PackMan function
"INSTALL/CHECK MESSAGE" is then used to install the backed-up routines
onto the VistA system.

The back-out plan is to restore the build from the backup created. No data
was modified by this patch installation and, therefore, no rollback
strategy is required.

Validation of Back-out Procedure:
---------------------------------
The Back-out Procedure can be verified by confirming the checksums have
been returned to the pre-patch value using CHECK1^XTSUMBLD. It can also be
verified by printing the first 2 lines of the PSO routine(s) contained in
this patch using the option First Line Routine Print [XU FIRST LINE
PRINT]. Once the routine(s) contained in this patch have been backed out,
the second line of each routine will no longer contain the designation of
patch PSO*7.0*723.

Routine Information:
====================
The second line of each of these routines now looks like:
       ;;7.0;OUTPATIENT PHARMACY;**[Patch List]**;DEC 1997;Build 13

The checksums below are new checksums, and can be checked with
CHECK1^XTSUMBLD.

Routine Name: PSOSPMKY
    Before:B102749976   After:B123640658  **451,625,723**

Routine list of preceding patches: 625

=============================================================================
User Information:
Entered By  :                                 Date Entered  : APR 13, 2023
Completed By:                                 Date Completed: DEC 14, 2023
Released By :                                 Date Released : DEC 15, 2023
=============================================================================

Packman Mail Message:
=====================

$END TXT