=============================================================================
Run Date: FEB 03, 2021                     Designation: WEBP*1*22
Package : WEBP - PATIENT CENTERED MANAGEMENT  Priority: Mandatory
Version : 1        SEQ #22                    Status: Released
                  Compliance Date: MAR 06, 2021
=============================================================================

Subject: PCMM Technical Remediation Release v1.0

Category:
  - Informational

Description:
============

This document describes WEBP*1*22 (PCMM Technical Remediation Release v1.0).
This patch remediates security and compliance issues in outdated libraries
and components within the PCMM application, measured against the VA's
Technical Reference Model (TRM) and identified through Fortify security
scans.

Major changes for this patch are summarized below.

 - XU*8*695 KAAJEE Classic:
     o Includes changes for TRM upgrades to WebLogic Server 10.3.6 and
       WebLogic Server 12.1, Log4j 2.1, Java 1.7, Apache Commons 4.1,
       Apache Commons Pool 2.5, and Apache Commons Database Connection
       Pools (DBCP) 2.3.
     o Fortify changes include: correcting null dereferencing, security
       issues and header manipulation.
 - TestNG v7.3.0
 - Mirth Connect v3.9.0
 - Removal of Libraries:
     o Drools
     o JBPM
     o Quartz
     o Flex
     o Jasper
     o Google GSON
     o NetUI

Patch Components:
-----------------

This patch includes the following files:

File Name                          Description
=========================================================
CISS.EAR                           Installation file
PCMMHELP.WAR                       Installation file
PCCMR.EAR                          Installation file
PCCMR_UNATTENDED_EAR-2.0.1.EAR     Installation file

This patch installs the following versions:
     o Mirth Connect v3.9.0
     o XU*8*695 KAAJEE Classic

Documentation:
--------------
This document provides an overview, explains the changes, and outlines the
installation for this patch.

Files & Fields Associated:

File Name (Number)         Field Name (Number)     New/Modified/Deleted
------------------         -------------------     --------------------
N/A

Forms Associated:

Form Name                  File #                  New/Modified/Deleted
------------------         -------------------     --------------------
N/A

Mail Groups Associated:

Mail Group Name            New/Modified/Deleted
----------------------     ---------------------------
N/A

Options Associated:

Option Name                Type                    New/Modified/Deleted
-----------                ----                    --------------------
N/A

Protocols Associated:

Protocol Name              New/Modified/Deleted
-------------              ---------------------------
N/A

Security Keys Associated:

Security Key Name
-----------------
N/A

Templates Associated:

Template Name     Type     File Name (Number)     New/Modified/Deleted
-------------     ----     ------------------     --------------------
N/A

Additional Information:
There is no additional information associated with this patch.

New Service Requests (NSRs):
----------------------------
N/A

Patient Safety Issues (PSIs):
-----------------------------
N/A

Defect Tracking System Ticket(s) & overview:
--------------------------------------------
1) INC11913828 - INACTIVE_INSTITUTIONS: PCMM Web / SCMC Proxy Account -
   VistALink Errors / 568GH
   (d) INC14716869 - INACTIVE_INSTITUTIONS: VISTALINK ERROR -SEEM TO BE
       CAUSED BY PROXY ACCT SCMC,APPLICATION PROXY - Black Hills
       (station 568) (568HM Inactive)
   (d) INC13913415 - INACTIVE_INSTITUTIONS: FHM - Ref prior ticket:
       INC8749353 - VistA error trap entries: VistALink Errors
   (d) INC13972712 - INACTIVE_INSTITUTIONS: VistA Link error 182308 caused
       by local server XX.XXX.X.XXX / VAPHCAPPPCM22 Station 550GC
   (d) INC11913828 - INACTIVE_INSTITUTIONS: PCMM Web / SCMC Proxy Account -
       VistALink Errors / 568GH
   (d) INC15128458 - INACTIVE_INSTITUTIONS: PCMM / VistALink Error 182308 /
       Northern Indiana 610 (Station 610GA causing errors)

Problem:
--------
Sites reported VistALink errors caused by PCMM queries that contained
inactive divisions, which resulted in numerous entries in the VistA error
trap.
This is also causing web server degradation due to unreleased JMS
connection pool resources, which cause PCMM background processes to pile up
and slow down or crash the application.

Resolution:
-----------
This patch fixes the VistALink errors by validating the status of the
divisions/stations in PCMM prior to making any calls to VistA to retrieve
data, which eliminates the errors and potential JMS connection pool issues.

2) Jira Ticket # N/A

Problem
=======
Several components of the PCMM application have been identified as being
out of compliance with TRM standards. WEBP*1*22 remediates several of these
issues by upgrading TestNG to a compliant version and removing the
following noncompliant libraries: DROOLS, JBPM, Quartz, Flex, Jasper,
Google GSON, and NetUI.

Resolution
----------
This build removes expired and noncompliant libraries from the application.

Test Sites:
-----------
Montana Health Care System
Memphis VAMC
Minneapolis VAMC

Software and Documentation Retrieval Instructions:
--------------------------------------------------
The installation package will be installed at the Enterprise Development
Environment (EDE) SQA Environment and the Enterprise Testing Service's
(ETS) PCMM environment by the PCMM Sustainment Team.

Documentation can also be found on the VA Software Documentation Library
at: http://www4.domain.ext/vdl/

Title                            File Name                 FTP Mode
------------------------------------------------------------------------
Patient-Centered Management      WEBP-1-22-DIBRG.DOCX      BINARY
Module (PCMM) Web Deployment
Installation, Back-Out, and
Rollback Guide

Patch Installation:
===================
PCMM Web WEBP*1*22 is a centrally managed web-based application and will be
implemented and deployed to a central web server. No installation is
required by sites.

Pre-Installation Instructions:
------------------------------
Verify that the patches listed in the Associated Patches section of this
document have been previously installed.
This patch may be installed with users on the system, although it is
recommended that it be installed during non-peak hours to minimize
potential disruption to users. There are no Menu options to disable.

Installation Prerequisites
Verify that required patches and any optional patches that support desired
or needed features have been installed. For a summary of associated
patches, see the Associated Patches section of this document.

Installation Instructions:
--------------------------
1.1. Access Requirements and Skills Needed for the Installation
To install this Web interface, the installer must have a proper Zero (0)
account in order to gain access to the PROD servers with elevated
privileges. Knowledge of how to install Web interfaces using the items on
this menu option is also a required skill.

1.2. Installation Procedure
All procedures must be completed during off hours, as this requires a
Production application outage. Because this is not the initial deployment
of the application (national deployment to all Veterans Affairs Medical
Centers (VAMCs) was completed in October 2016), the steps listed below may
no longer be applicable, and PITC standard processes should be followed if
re-installation is required.

The following steps are estimated to take approximately four (4) hours to
install and validate.

1.2.1. Updates to Configuration and Property Files
   A. Build and redeploy connector EAR.
   B. Deploy attended and unattended application EAR files to appropriate
      servers.

1.2.2. Update Mirth Connect Configuration
Update the Mirth Connect configuration to replicate the configuration from
ETS by performing the following steps.
   1) Make a backup of the Production Mirth configuration.
   2) Make a backup of the ETS Mirth configuration.
   3) Restore the Production Mirth configuration from the ETS backup.
   4) Fix end

Post-Installation Instructions:
--------------------------
This "Information only" patch is referring to a centralized server
promotion.
No installation is required at local sites.

Back-Out Plan:
--------------------------
The back-out plan is provided as part of the deployment guide; see section
5.1, page 25, of the DIBRG document.

Routine Information:
====================
No routines included.

=============================================================================
User Information:
Entered By  :                           Date Entered  : SEP 11, 2020
Completed By:                           Date Completed: FEB 02, 2021
Released By :                           Date Released : FEB 03, 2021
=============================================================================

Packman Mail Message:
=====================

No routines included