$TXT Created by KRNDEV.FO-OAKLAND.DOMAIN.EXT  (KIDS) on Thursday, 02/20/25 at 03:25
=============================================================================
Run Date: APR 03, 2025                     Designation: XU*8*817
Package : XU - KERNEL                         Priority: Mandatory
Version : 8        SEQ #650                     Status: Released
                  Compliance Date: MAY 01, 2025
=============================================================================

Associated patches: (c)XWB*1.1*77  install with patch `XU*8*817'
                    (v)XU*8*701    <<= must be installed BEFORE `XU*8*817'
                    (v)XU*8*727    <<= must be installed BEFORE `XU*8*817'
                    (v)XU*8*779    <<= must be installed BEFORE `XU*8*817'

Subject: LOGGING MODIFIED SAML TOKENS

Category:
  - Data Dictionary
  - Routine
  - Other

Description:
============

--- *** === ATTENTION! ATTENTION! ATTENTION! === *** ---

Kernel Patch XU*8.0*817 and RPC Broker Patch XWB*1.1*77 are associated
patches. The XU*8.0*817 patch should be installed first, then the
XWB*1.1*77 patch should be installed second.

Due to the nature of XU*8*817 and XWB*1.1*77, the release of this patch
will be done in a phased approach by region. Each region will be asked to
stagger the installation to minimize errors. Each region following
Region 1 will not begin installation until three criteria have been met:

  1. The previous region began installation 1 week prior.
  2. The previous region's installation was successful - free from error
     logs and user login/authentication tickets.
  3. Verification from the Release Manager (Jeremy Ackley) to proceed
     with installation.

Assuming installations are successful and there are no delays, we expect
the release schedule for production to be as follows:

  - Install and test in Region 1 for the remainder of that week and a
    full week after (4-7 to 4-11).
  - If successful, install in Region 2 from 4-14 to 4-18 (one week).
  - If successful, install in Region 3 from 4-21 to 4-25 (one week).
  - If successful, install in Region 4 and all remaining sites from
    4-28 to 5-1 (Compliance date: 5-1).

--- *** === ATTENTION! ATTENTION! ATTENTION! === *** ---

This patch is part of the Public Key Infrastructure (PKI) SAML OBSERVE
REPORT REMEDIATE (ORR) project.

Kernel Patch XU*8.0*817 updates the REMOTE PROCEDURE CALL (RPC) named
XUS ESSO VALIDATE to log the Security Assertion Markup Language (SAML)
token and its relevant information in a new VA FileMan file called
KERNEL PKI LOGS (#6.666) when a modified SAML token is used for
authentication.

This patch also adds a new REMOTE APPLICATION named XU PKI ORR. This
REMOTE APPLICATION will be used to support the VDIF framework.

To disable logging of modified SAML tokens, a privileged user can update
the new LOG MODIFIED SAML TOKENS (#666) field in the KERNEL SYSTEM
PARAMETERS (#8989.3) file.

There are no restrictions that limit where this patch can be installed.

Patch Components:
-----------------

Files & Fields Associated:

File Name (Number)                 Field Name (Number)             New/Modified/Deleted
------------------                 -------------------             --------------------
KERNEL PKI LOGS (6.666)            DATE/TIME CREATED (.01)         New
KERNEL PKI LOGS (6.666)            USER'S SECID (10)               New
KERNEL PKI LOGS (6.666)            USER'S FIRST NAME (11)          New
KERNEL PKI LOGS (6.666)            USER'S LAST NAME (12)           New
KERNEL PKI LOGS (6.666)            SAML TOKEN (20)                 New
KERNEL PKI LOGS (6.666)            SAML TOKEN HASH (20.5)          New
KERNEL PKI LOGS (6.666)            ERROR MESSAGE FROM API (21)     New
KERNEL PKI LOGS (6.666)            ERROR MESSAGE FROM RSA (22)     New
KERNEL PKI LOGS (6.666)            OTHER MESSAGE (23)              New
KERNEL PKI LOGS (6.666)            RPC BROKER CONTEXT (30)         New
KERNEL PKI LOGS (6.666)            CLIENT IP ADDRESS (31)          New
KERNEL PKI LOGS (6.666)            SERVER IP ADDRESS (32)          New
KERNEL PKI LOGS (6.666)            LOGIN METHOD (33)               New
KERNEL PKI LOGS (6.666)            SAML TOKEN REUSE COUNT (34)     New
KERNEL SYSTEM PARAMETERS (8989.3)  LOG MODIFIED SAML TOKENS (666)  New

Forms Associated:

Form Name                          File Number                     New/Modified/Deleted
---------                          -----------                     --------------------
N/A

Mail Groups Associated:

Mail Group Name                    New/Modified/Deleted
---------------                    --------------------
N/A

Options Associated:

Option Name                        Type                            New/Modified/Deleted
-----------                        ----                            --------------------
N/A

Protocols Associated:

Protocol Name                      New/Modified/Deleted
-------------                      --------------------
N/A

Security Keys Associated:

Security Key Name
-----------------
N/A

Templates Associated:

Template Name        Type         File Name (Number)              New/Modified/Deleted
-------------        ----         ------------------              --------------------
N/A

Remote Procedures Associated:

Remote Procedure Name              New/Modified/Deleted
---------------------              --------------------
XUS ESSO VALIDATE                  Modified

Parameter Definitions Associated:

Parameter Name                     New/Modified/Deleted
--------------                     --------------------
N/A

Additional Information:
-----------------------
A Remote Application entry, XU PKI ORR, is created for Veterans Data
Integration and Federation (VDIF) application authentication.

Remote Applications Associated:

Remote Application Name            New/Modified/Deleted
-----------------------            --------------------
XU PKI ORR                         New

New Service Requests (NSRs):
N/A

Patient Safety Issues (PSIs):
N/A

Defect Tracking System Ticket(s) & Overview:
N/A

Test Sites                         SNOW Change Order #:
----------                         --------------------
Central Alabama                    CHG0582108
Muskogee                           CHG0579053
Albuquerque                        CHG0581990

Software and Documentation Retrieval Instructions:
--------------------------------------------------
The software for this patch is being released in a PackMan message.

Patch Installation:
-------------------

Pre/Post Installation Overview:

The post installation routine XU8P817 creates a new REMOTE APPLICATION
entry for VDIF authentication and authorization. The new entry does not
grant any additional access or RPC CONTEXT OPTION. This post routine
will be deleted after install.

A known issue occurs only if $$VERSION^%ZOSV(1) does not contain "IRIS".
As part of the migration from Cache to IRIS, all VAMC production and
mirror systems were confirmed to have XU*8.0*736 installed. However, for
systems that have not migrated to IRIS, the installation of XU*8.0*736
should be manually checked by reviewing the INSTALL file for
"XU*8.0*736". This is only a concern for non-VAMC production systems.

Pre-Installation Instructions:

This patch may be installed with users on the system, although it is
recommended that it be installed during non-peak hours to minimize
potential disruption to users. This patch should take less than 5
minutes to install. There are no menu options for sites to disable.

Installation Instructions:

  1. Choose the PackMan message containing this build. Then select the
     INSTALL/CHECK MESSAGE PackMan option to load the build.

  2. From the Kernel Installation and Distribution System Menu, select
     the Installation Menu. From this menu,

     A. Select the Verify Checksums in Transport Global option to confirm
        the integrity of the routines that are in the transport global.
        When prompted for the INSTALL NAME enter the patch or build name.
        (ex. XU*8.0*817)

        NOTE: Using <spacebar><enter> will not bring up a Multi-Package
        build even if it was loaded immediately before this step. It will
        only bring up the last patch in the build.

     B. Select the Backup a Transport Global option to create a backup
        message. You must use this option and specify what to backup; the
        entire Build or just Routines. The backup message can be used to
        restore the routines and components of the build to the pre-patch
        condition.

        i.   At the Installation option menu, select Backup a Transport
             Global
        ii.  At the Select INSTALL NAME prompt, enter your build
             XU*8.0*817
        iii. When prompted for the following, enter "R" for Routines or
             "B" for Build.

                 Select one of the following:
                   B         Build (including Routines)
                   R         Routines Only
                 Backup Type: B//

        iv.  When prompted "Do you wish to secure your build? NO//", press
             <Enter> and take the default response of "NO".
        v.   When prompted with, "Send mail to: Last name, First Name",
             press <Enter> to take the default recipient. Add any
             additional recipients.
        vi.  When prompted with "Select basket to send to: IN//", press
             <Enter> and take the default IN mailbox or select a different
             mailbox.

     C. You may also elect to use the following options:

        i.   Print Transport Global - This option will allow you to view
             the components of the KIDS build.
        ii.  Compare Transport Global to Current System - This option will
             allow you to view all changes that will be made when this
             patch is installed. It compares all of the components of this
             patch, such as routines, DDs, templates, etc.

     D. Select the Install Package(s) option and choose the patch to
        install.

        i.   If prompted 'Want KIDS to Rebuild Menu Trees Upon Completion
             of Install? NO//', answer NO.
        ii.  When prompted 'Want KIDS to INHIBIT LOGONs during the
             install? NO//', answer NO.
        iii. When prompted 'Want to DISABLE Scheduled Options, Menu
             Options, and Protocols? NO//', answer NO.

Post-Installation Instructions:
N/A

Back-Out/Roll Back Plan:
------------------------

  a. Use the MailMan [XMUSER] menu to locate the PackMan message
     containing the backup build. The subject of the PackMan message
     begins with "Backup of XU*8.0*817". Use the PackMan message action
     XTRACT KIDS.
  b. Use the PackMan INSTALL/CHECK MESSAGE option to load the backup
     KIDS distribution.
  c. Use the KIDS [XPD MAIN] menu to install the backup KIDS
     distribution using the Install Package(s) [XPD INSTALL BUILD]
     option.
  d. After back-out, sites should use CHECK1^XTSUMBLD to verify routine
     checksums.

For further rollback/backout assistance, please log a SNOW ticket with
the group SPM.HEALTH.HISM.APP.VADKERNEL.TRIAGE

Routine Information:
====================

The second line of each of these routines now looks like:
 ;;8.0;KERNEL;**[Patch List]**;Jul 10, 1995;Build 21

The checksums below are new checksums, and can be checked with
CHECK1^XTSUMBLD.

Routine Name: XU8P817
    Before:        n/a   After:  B13303840  **817**
Routine Name: XUCERT
    Before:   B3716666   After:   B3810505  **659,701,817**
Routine Name: XUCERT1
    Before:  B24855596   After:  B27635575  **659,701,817**
Routine Name: XUESSO4
    Before:  B66296950   After:  B68405158  **659,630,701,727,817**
Routine Name: XUPKICA
    Before:        n/a   After:  B58439208  **817**
Routine Name: XUPKICA1
    Before:        n/a   After:  B58766423  **817**
Routine Name: XUPKILOG
    Before:        n/a   After:  B81760511  **817**
Routine Name: XUSAML
    Before: B164935883   After: B171484649  **655,659,630,701,731,771,779,817**

=============================================================================
User Information:
Entered By  :                               Date Entered  : FEB 05, 2025
Completed By:                               Date Completed: APR 02, 2025
Released By :                               Date Released : APR 03, 2025
=============================================================================

Packman Mail Message:
=====================

$END TXT
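The Description above states that XUS ESSO VALIDATE now writes a record to KERNEL PKI LOGS (#6.666) whenever a modified SAML token is presented, and that the LOG MODIFIED SAML TOKENS (#666) field of KERNEL SYSTEM PARAMETERS (#8989.3) switches that logging off. The M routine below is an added example for site review; it is not part of patch XU*8*817 or of Kernel. It reads that switch and lists the newest log entries through the standard VA FileMan DBS calls $$GET1^DIQ and LIST^DIC, using only the field numbers listed in the component table. The routine name XUPKIRVW is hypothetical, and two things are assumed rather than stated on the page: that the site entry of file 8989.3 sits at IEN 1, and that the .01 field of file 6.666 carries the default "B" index that LIST^DIC walks.

```mumps
XUPKIRVW ; hypothetical review routine for KERNEL PKI LOGS (#6.666) ; added example, not part of XU*8*817
 ; Uses only standard VA FileMan DBS calls ($$GET1^DIQ, LIST^DIC).
 ; Assumption: KERNEL SYSTEM PARAMETERS (#8989.3) holds its single site entry at IEN 1.
 ; Assumption: the .01 (DATE/TIME CREATED) field of file 6.666 has the default "B" index.
 Q
STATUS() ; external value of LOG MODIFIED SAML TOKENS (#666); confirms logging was not switched off
 Q $$GET1^DIQ(8989.3,"1,",666,"E")
LIST(MAX) ; write the MAX newest log entries (default 20), newest first
 N LST,ERR,I,REC
 S MAX=+$G(MAX) S:MAX<1 MAX=20
 ; LIST^DIC(file,iens,fields,flags,number,from,part,index,screen,identifier,target,msg)
 ; "P" packs each entry as IEN^.01^10^31^33^34 ; "B" walks the index backwards (newest first)
 ; an empty index argument selects the "B" index; values come back in external format
 D LIST^DIC(6.666,"","10;31;33;34","PB",MAX,"","","","","","LST","ERR")
 I $D(ERR("DIERR")) W !,"FileMan error: ",$G(ERR("DIERR",1,"TEXT",1)) Q
 W !,"LOG MODIFIED SAML TOKENS: ",$$STATUS()
 W !,"DATE/TIME CREATED",?24,"USER'S SECID",?44,"CLIENT IP ADDRESS",?64,"LOGIN",?72,"REUSE"
 S I=0 F  S I=$O(LST("DILIST",I)) Q:'I  D
 . S REC=$G(LST("DILIST",I,0)) Q:REC=""
 . W !,$P(REC,"^",2),?24,$P(REC,"^",3),?44,$P(REC,"^",4),?64,$P(REC,"^",5),?72,$P(REC,"^",6)
 W !,"Entries shown: ",+$G(LST("DILIST",0))
 Q
```

From programmer mode, D LIST^XUPKIRVW(50) prints the 50 newest entries with the login method and the SAML TOKEN REUSE COUNT beside the client address, which is the view a site wants when checking the error logs and authentication tickets the phased rollout asks each region to watch; $$STATUS^XUPKIRVW() on its own is the quick check that the logging switch has not been turned off.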