$TXT Created by FORT,WALLY at NXT.KERNEL.FO-OAKLAND.MED.VA.GOV  (KIDS) on Wednesday, 08/16/06 at 08:19
=============================================================================
Run Date: SEP 18, 2006                     Designation: XU*8*404
Package : XU - KERNEL                         Priority: Mandatory
Version : 8        SEQ #346                     Status: Released
                                       Compliance Date: OCT 19, 2006
=============================================================================

Associated patches: (v)XU*8*395   <<= must be installed BEFORE `XU*8*404'
                    (v)XWB*1.1*45 <<= must be installed BEFORE `XU*8*404'

Subject: Broker Security Enhancement

Category:
  - Routine
  - Enhancement (Mandatory)

Description:
============

This patch is part of the Broker Security Enhancement (in conjunction with
patch XWB*1.1*45).

************************** NOTE **************************************
Patch XWB*1.1*45 must be installed before this patch.
Broker Signon(s) should not be permitted during installation (XUSRB
errors could result).
************************************************************************

The concept of a visitor signon from a remote GUI application was initially
requested and used by the CAPRI program. It permits Veterans Benefits
Administration (VBA) support personnel to access records for determination
of service-connected status. This type of access has also been used by
VistaWeb and requested by other applications. This patch provides this type
of access to those programs that can justify its use, while increasing
security to ensure that the access cannot be used by rogue applications.

A new file (REMOTE APPLICATION, #8994.5) is created by this patch. Any
application using this type of access must create an entry for itself in
the REMOTE APPLICATION file. That entry contains the one-way hash of a
security phrase known only to the application, and the context option that
visiting users are to be given. In addition, there is a sub-file containing
the information needed to contact the authenticating server.
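The check this patch sets up (an entry in REMOTE APPLICATION (#8994.5) located by the one-way hash of the application's security phrase, then a call to the authenticating server named in its sub-file to obtain the visiting user) is modeled in the following Python example. This is an added illustration and is not Kernel, RPC Broker, CAPRI or VistaWeb code, and the patch description does not specify the wire format it stands in for. Assumptions not taken from the patch: SHA-256 stands in for Kernel's one-way hash, the file is a dictionary keyed by hash, the authenticating server is an in-memory session table keyed by (address, port), and the phrase, token, server name and the option name EXAMPLE VISITOR CONTEXT are constructed sample data.

```python
"""Model of the BSE visitor-signon check described in patch XU*8*404.

Added example, not Kernel/RPC Broker code. Assumed: SHA-256 as the one-way
hash, a dict as REMOTE APPLICATION (#8994.5), and an in-memory stand-in for
the central authenticating server that answers with the visiting user's
identity for a session token it issued.
"""
import hashlib
from dataclasses import dataclass


def one_way_hash(phrase: str) -> str:
    """Assumed one-way hash of the security phrase (Kernel's routine is not used)."""
    return hashlib.sha256(phrase.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class AuthServer:
    """One sub-file entry: how to reach the authenticating server."""
    address: str
    port: int


@dataclass(frozen=True)
class RemoteApplication:
    """One REMOTE APPLICATION entry: phrase hash, context option to grant,
    and the sub-file of authenticating servers to call back."""
    name: str
    phrase_hash: str
    context_option: str
    auth_servers: tuple


# Constructed sample data. The phrase is the application's secret; the
# "file" is keyed by its hash because the patch says the entry is located
# by the one-way hash of the security phrase.
CAPRI_PHRASE = "constructed-sample-phrase-known-only-to-the-app"
REMOTE_APPLICATION_FILE = {
    one_way_hash(CAPRI_PHRASE): RemoteApplication(
        name="CAPRI",
        phrase_hash=one_way_hash(CAPRI_PHRASE),
        context_option="EXAMPLE VISITOR CONTEXT",      # assumed option name
        auth_servers=(AuthServer("auth.example", 9200),),  # assumed server
    ),
}

# Constructed stand-in for the central authenticating server's sessions:
# (address, port) -> token -> user it authenticated.
AUTH_SESSIONS = {
    AuthServer("auth.example", 9200): {
        "TOKEN-42": {"name": "VBAUSER,ONE", "duz": 1234},
    },
}


def callback(server: AuthServer, token: str):
    """Stand-in for the callback: the remote VistA site asks the
    authenticating server who the visiting user is. None = not vouched for."""
    return AUTH_SESSIONS.get(server, {}).get(token)


def set_visitor(presented_hash: str, token: str):
    """Decide a visitor signon. Returns (accepted, reason, visitor); visitor
    carries the user's identity plus the context option to grant."""
    app = REMOTE_APPLICATION_FILE.get(presented_hash)
    if app is None:
        # A rogue application that does not hold the phrase cannot produce
        # the hash, so it never reaches the callback step.
        return False, "unknown application", None
    for server in app.auth_servers:
        user = callback(server, token)
        if user is not None:
            visitor = {**user, "context": app.context_option, "application": app.name}
            return True, "ok", visitor
    return False, "authenticating server did not vouch for the user", None


if __name__ == "__main__":
    print(set_visitor(one_way_hash(CAPRI_PHRASE), "TOKEN-42"))  # accepted
    print(set_visitor(one_way_hash("a guess"), "TOKEN-42"))     # unknown app
    print(set_visitor(one_way_hash(CAPRI_PHRASE), "TOKEN-99"))  # not vouched
```

The three calls at the bottom show the two ways a signon fails: an application that cannot produce the hash is rejected before any callback is made, and a correct hash with a token the authenticating server does not recognise is rejected after it. Only a request that passes both steps receives the context option from the file entry.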
Most applications that implement the Broker Security Enhancement (BSE) are
expected to have a central application server where their users are
authenticated, although VistaWeb will still depend on authentication of
users at their individual home VistA sites. The address and port number of
the application server(s), and the mechanism for connecting to them, are
specified in the sub-file. The remote server connects to the authenticating
server and obtains the information for the visiting user directly from it.

An application that wants to use BSE access must have a KIDS build installed
on the remote system(s) to generate its entry in the REMOTE APPLICATION file
(#8994.5). The entry is located by the one-way hash of the security phrase,
so an unauthorized application cannot gain access by mimicking an authorized
one unless it has direct access to the security phrase itself. The phrase is
therefore the credential that identifies the application and must be
protected accordingly.

For more information on BSE, refer to the 'RPC Broker Technical Manual'
version 1.1 (Patch XWB*1.1*45) and the 'Broker Security Enhancement (BSE)
Supplement to Patch Description', which will be located on the Anonymous
Directories and on the VDL at:
http://www.va.gov/vdl/Infrastructure.asp?appID=23

This patch contains the following:

   * Three (3) M routines
   * Two (2) entries in the REMOTE PROCEDURE file ("XUS SET VISITOR" and
     "XUS GET VISITOR").

Patch XWB*1.1*45 must be installed prior to installation of this patch.

In order to implement BSE and use the RPC Broker callback type, the central
authenticating VistA M server must run the RPC Broker as a TCP/IP service.
The non-callback RPC Broker Listener/TCP/IP service is distributed and
described with RPC Broker patch XWB*1.1*35 and updated with XWB*1.1*44.

NOISs
=====

E3Rs
====

List of Test Sites
==================
A testing waiver has been granted.

Blood Bank Clearance:
=====================
8/9/2006

Installation Instructions:
==========================

1. Users who are already signed on may remain on the system during the
   installation. Answer YES to inhibit logons (step 4) so that no Broker
   signon occurs while the patch is installed (see the NOTE above).

2. Use the 'INSTALL/CHECK MESSAGE' option on the PackMan menu. This option
   will load the KIDS (Kernel Installation and Distribution System) package
   onto your system.

3. You DO NOT need to stop TaskMan or the background filers.

4. The patch has now been loaded into a transport global on your system.
   On the KIDS menu, select the 'Installation' menu and use the following
   options:

      Verify Checksums in Transport Global
      Print Transport Global
      Compare Transport Global to Current System
      Backup a Transport Global

   Installation will take less than 2 minutes. Return to the Programmer's
   prompt and use "D ^XPDKRN":

      Select KIDS OPTION: Install
                          =======
         Install Package(s)
      Select INSTALL NAME: XU*8.0*404
                           ==========
      Want KIDS to INHIBIT LOGONs during the install? YES// YES
                                                            ===
      Want to DISABLE Scheduled Options, Menu Options, and Protocols? YES// NO
                                                                            ==

=============================================================================

Routine Summary:
================
The following routines are included in this patch. The second line of each
of these routines now looks like:

   ;;8.0;KERNEL;**[patch list]**;Jul 10, 1995

Checksums:
==========
Checksums obtained using CHECK^XTSUMBLD

Rtn Nm    Chksum Before  Chksum After  Patch List
------    -------------  ------------  ----------
XUSBSE1   N/A            6542345       **404**
XUSBSE2   N/A            3375553       **404**
XUSRB     8688070        7468656       **11,16,28,32,59,70,82,109,115,
                                         165,150,180,213,234,238,265,
                                         337,395,404**

List of preceding patches: 395

Sites should use CHECK^XTSUMBLD to verify checksums.

Routine Information:
====================
The checksums below are new checksums, and can be checked with
CHECK1^XTSUMBLD.
Routine Name: XUSBSE1
    Before:       n/a   After: B24454678  **404**
Routine Name: XUSBSE2
    Before:       n/a   After:  B9339084  **404**
Routine Name: XUSRB
    Before: B37739188   After: B30617453  **11,16,28,32,59,70,82,109,115,
                                            165,150,180,213,234,238,265,337,
                                            395,404**
=============================================================================
User Information:
Entered By  : FORT,WALLY                    Date Entered  : DEC 15, 2005
Completed By: ALDERMAN,MATT S               Date Completed: SEP 12, 2006
Released By : TILLIS,LEWIS                  Date Released : SEP 18, 2006
=============================================================================
Packman Mail Message:
=====================

$END TXT