$TXT Created by at KRN.FO-OAKLAND.DOMAIN.EXT (KIDS) on Tuesday, 01/14/20 at 15:31
=============================================================================
Run Date: MAR 25, 2020                     Designation: XU*8*702
Package : XU - KERNEL                         Priority: Mandatory
Version : 8       SEQ #562                      Status: Released
                  Compliance Date: APR 25, 2020
=============================================================================

Associated patches: (v)XU*8*659    <<= must be installed BEFORE `XU*8*702'
                    (v)XU*8*701    <<= must be installed BEFORE `XU*8*702'

Subject: REFLECTION 2-FACTOR AUTHENTICATION

Category:
  - Routine
  - Other
  - Enhancement (Mandatory)

Description:
============

 This patch provides enhancements needed to implement Single Sign-On
 internal (SSOi) for identification and authentication of users into VistA
 for terminal emulator access using Micro Focus Reflection.

 In addition to this PackMan KIDS build, client-side software is provided
 to be used with the COTS product Micro Focus Reflection. The provided
 software is a Dynamic Link Library (DLL) and a Visual Basic (VB) script.
 The combination of this patch, the DLL and VB script, will allow users to
 login/authenticate into VistA via Micro Focus Reflection using their PIV
 card.

 VAIQ #7613595 "Mandatory Use of PIV Multifactor Authentication to VA
 Information Systems" dated June 30, 2015, requires all VA IT systems to be
 PIV-enabled and requires the use of multifactor authentication when using
 a local, network, or remote account to log into a VA information system.
 This patch provides the VistA Kernel utilities needed to implement this
 requirement. The use of these utilities is expected to improve security
 and auditing capabilities in accordance with VA Handbook 6500 Appendix F
 and revision 4 of NIST SP 800-53. As required by FIPS 199 and using
 guidance from NIST SP 800-60, the recommended security categorization for
 these applications is HIGH.

 Integration with Identity and Access Management (IAM) services is
 mandated by executive management via the following memorandums:
   - IAM Identity Services (IdS) mandate memorandum (VAIQ #7011145). All
     applications within VA must comply with IAM requirements to ensure
     that references to the identities of Veterans and their beneficiaries
     are accurate.
   - IAM Access Services (AcS) functionality within VA is mandated by VAIQ
     #7060071

 The following changes have been made to VistA:

 Identity and Access Management (IAM)
   - Added code to the sign-on routine ^XUS to accept an IAM SAML token for
     authentication using the terminal emulator (roll-and-scroll)
     interface.

 The Visual Basic (VB) script and DLL are used to enable Micro Focus
 Reflection 2-factor authentication into IAM, and to use the received IAM
 SAML token to authenticate into VistA.
   - The DLL performs the authentication with IAM and returns a SAML token.
   - The VB script, used within Reflection, calls the DLL and passes the
     SAML token to VistA.

 Documentation is contained in the xu_8_0_702_dibr.pdf file, which includes
 instructions for installing/implementing the DLL and VB script in Micro
 Focus Reflection.

 Patch Components:
 -----------------

 Files & Fields Associated:

 File Name (Number)         Field Name (Number)     New/Modified/Deleted
 ------------------         -------------------     --------------------
 N/A

 Forms Associated:

 Form Name                  File Number             New/Modified/Deleted
 ---------                  -----------             --------------------
 N/A

 Mail Groups Associated:

 Mail Group Name            New/Modified/Deleted
 ---------------            --------------------
 N/A

 Options Associated:

 Option Name                Type                    New/Modified/Deleted
 -----------                ----                    --------------------
 N/A

 Protocols Associated:

 Protocol Name              New/Modified/Deleted
 -------------              --------------------
 N/A

 Security Keys Associated:

 Security Key Name
 -----------------
 N/A

 Templates Associated:

 Template Name      Type    File Name (Number)      New/Modified/Deleted
 -------------      ----    ------------------      --------------------
 N/A

 Remote Procedures Associated:

 Remote Procedure Name      New/Modified/Deleted
 ---------------------      --------------------
 N/A

 Parameter Definitions Associated:

 Parameter Name             New/Modified/Deleted
 --------------             --------------------
 N/A

 Additional Information:

 Blood Bank Team Coordination:
 -----------------------------
 Clearance - <11/14/19>

 EFFECT ON BLOOD BANK FUNCTIONAL REQUIREMENTS: Patch XU*8*702 contains
 changes to a package referenced in ProPath standard titled: BBM Team
 Review of VistA Patches. This patch does not alter or modify any VistA
 Blood Bank software design safeguards or safety critical elements
 functions.

 RISK ANALYSIS: Changes made by patch XU*8*702 have no adverse effect on
 Blood Bank software functionality, therefore RISK is none.

 New Service Requests (NSRs):
 ----------------------------
 N/A

 Patient Safety Issues (PSIs):
 -----------------------------
 N/A

 Defect Tracking System Ticket(s) & Overview:
 --------------------------------------------
 N/A

 Problem:
 --------
 N/A

 Resolution:
 -----------
 N/A

 Test Sites:
 -----------
 Central Arkansas Health Care System (Station 598 | VISN 16)
 Fargo VA Health Care System (Station 437 | VISN 23)
 Clement J. Zablocki VA Medical Center (Station 695 | VISN 12)
 Central Texas VA Health Care System (Station 674 | VISN 17)

 Software and Documentation Retrieval Instructions:
 --------------------------------------------------
 Documentation describing the new functionality and/or a host file
 containing a build may be included in this release.

 The preferred method is to retrieve the files from
 download.vista.domain.ext. This transmits the files from the first
 available server. Sites may also elect to retrieve the files directly
 from a specific server.

 Sites may retrieve the software and/or documentation directly using
 Secure File Transfer Protocol (SFTP) from the ANONYMOUS.SOFTWARE
 directory at the following OI Field Offices:

 Hines:          domain.ext
 Salt Lake City: domain.ext

 Documentation can also be found on the VA Software Documentation Library
 at: https://www.domain.ext/vdl/

 Documentation Title                       File Name              FTP Mode
 ---------------------------------------------------------------------
 Patch XU*8.0*702 Deployment,              xu_8_0_702_dibr.pdf    BINARY
 Installation, Back-Out, and
 Rollback Guide (PDF)
 Patch XU*8.0*702 Deployment,              xu_8_0_702_dibr.docx   BINARY
 Installation, Back-Out, and
 Rollback Guide (Word)
 Patch XU*8.0*702 Quick Reference          xu_8_0_702_qr.pdf      BINARY
 Guide (PDF)
 Patch XU*8.0*702 Quick Reference          xu_8_0_702_qr.docx     BINARY
 Guide (Word)

 Host File Name                                                   FTP Mode
 ---------------------------------------------------------------------
 XU_8_702.zip                                                     BINARY

 Patch Installation:
 -------------------

 Pre/Post Installation Overview:
 The post-installation routine XU8P702 adds 2 new entries to the REMOTE
 APPLICATION file (#8994.5) and removes entries that were included in
 XU*8.0*681 and are no longer needed. The new entries are used with the
 SIGN-ON LOG file (#3.081) to describe the type of access into VistA. The
 routine will be automatically deleted after patch installation.

 Pre-Installation Instructions:
 This patch may be installed with users on the system although it is
 recommended that it be installed during non-peak hours to minimize
 potential disruption to users. There are no menus or options that need to
 be disabled. This patch should take less than 5 minutes to install.

 Installation Instructions:

 1. If the release is provided using PackMan, choose the PackMan message
    containing this build. Then select the INSTALL/CHECK MESSAGE PackMan
    option to load the build.

    If this release is provided using a Host file, use the Load a
    Distribution option contained on the Kernel Installation and
    Distribution System Menu to load the Host file.

 2. From the Kernel Installation and Distribution System Menu, select the
    Installation Menu. From this menu,

    A. Select the Verify Checksums in Transport Global option to confirm
       the integrity of the routines that are in the transport global.
       When prompted for the INSTALL NAME enter the patch name
       (ex. XU*8.0*702).

       NOTE: Using will not bring up a Multi-Package build even if it was
       loaded immediately before this step. It will only bring up the
       last patch in the build.

    B. Select the Backup a Transport Global option to create a backup
       message of any routines exported with this patch. It will not
       back up any other changes such as DDs or templates.

    C. You may also elect to use the following options:
         i. Print Transport Global - This option will allow you to view
            the components of the KIDS build.
        ii. Compare Transport Global to Current System - This option will
            allow you to view all changes that will be made when this
            patch is installed. It compares all of the components of this
            patch, such as routines, DDs, templates, etc.

    D. Select the Install Package(s) option and choose the patch to
       install.
         i. If prompted 'Want KIDS to Rebuild Menu Trees Upon Completion
            of Install? NO//', answer NO
        ii. When prompted 'Want KIDS to INHIBIT LOGONs during the install?
            NO//', answer NO
       iii. When prompted 'Want to DISABLE Scheduled Options, Menu
            Options, and Protocols? NO//', answer NO
            a. When prompted 'Enter options you wish to mark as 'Out Of
               Order':', press the Enter key.
            b. When prompted 'Enter protocols you wish to mark as 'Out Of
               Order':', press the Enter key.
            c. When prompted 'Delay Install (Minutes): (0 - 60): 0//',
               answer 0.

 Post-Installation Instructions:
 The post-installation routine XU8P702 will add 2 new entries to the
 REMOTE APPLICATION file (#8994.5) to identify terminal emulator
 applications in the SIGN-ON LOG file (#3.081). The new entries are
 TERMINAL EMULATOR and MICRO FOCUS REFLECTION. Additionally, the routine
 will remove entries from the REMOTE APPLICATION file (#8994.5) that may
 have been installed by patch XU*8.0*681 and are no longer needed. The
 routine will be automatically deleted after patch installation.

 Back-Out/Roll Back Plan:
 ------------------------
 Refer to the Patch XU*8.0*702 Deployment, Installation, Back-Out, and
 Rollback Guide (xu_8_0_702_dibr.pdf) for Back-Out/Roll Back information.

Routine Information:
====================
The second line of each of these routines now looks like:
 ;;8.0;KERNEL;**[Patch List]**;Jul 10, 1995;Build 19

The checksums below are new checksums, and
 can be checked with CHECK1^XTSUMBLD.

Routine Name: XU8P702
    Before:       n/a   After: B27211732  **702**
 Description of Changes:
  This post-install routine adds entries to the REMOTE APPLICATION file
  (#8994.5). These entries are referenced by the SIGN-ON LOG file (#3.081)
  to display entries logged on via terminal emulator (using A/V codes or
  SSOi).

  This post-install routine also removes entries from the REMOTE
  APPLICATION file (#8994.5) that were added previously by patch
  XU*8.0*681. These entries are no longer needed for reference in the
  SIGN-ON LOG file (#3.081).

Routine Name: XUS
    Before: B35560117   After: B46293083  **16,26,49,59,149,180,265,337,
                                           419,434,584,659,702**
 Description of Changes:
  Modified to allow the ACCESS CODE prompt to accept an STS SAML Token as
  login for use with 2-Factor Authentication via an SSH terminal emulator,
  such as Micro Focus Reflection.

Routine list of preceding patches: 659

=============================================================================
User Information:
Entered By  :                               Date Entered  : AUG 27, 2018
Completed By:                               Date Completed: MAR 24, 2020
Released By :                               Date Released : MAR 25, 2020
=============================================================================

Packman Mail Message:
=====================

$END TXT