$TXT Created by FORT,WALLY at PAT-XWB.FO-OAKLAND.MED.VA.GOV (KIDS) on Monday, 08/14/06 at 10:06
=============================================================================
Run Date: SEP 18, 2006                     Designation: XWB*1.1*45
Package : XWB - RPC BROKER                    Priority: Mandatory
Version : 1.1        SEQ #38                    Status: Released
                  Compliance Date: OCT 19, 2006
=============================================================================

Associated patches: (v)XWB*1.1*28  <<= must be installed BEFORE
                     `XWB*1.1*45'

Subject: Broker Security Enhancement

Category:
  - Routine
  - Data Dictionary
  - Other
  - Enhancement (Mandatory)

Description:
============

This patch is part of the Broker Security Enhancement (in conjunction with
patch XU*8*404).

************************** NOTE **************************************
This Patch must be installed before XU*8*404.
************************************************************************

The concept of a visitor signon from a remote GUI application was initially
requested and used by the CAPRI program. It permits Veterans Benefits
Administration (VBA) support personnel to access records for determination
of service connected status. This type of access has also been used by
VistaWeb and requested by other applications. This patch provides this type
of access to those programs that can justify its use, while increasing the
security to ensure that the access is not used by rogue applications.

A new file (REMOTE APPLICATION, #8994.5) is created by this patch. Any
application using this type of access must create an entry for itself in
the REMOTE APPLICATION file. That entry will contain the one-way hash value
for a security phrase known only to the application and the context option,
which users should have. In addition, there is a sub-file containing
information on how to contact the authenticating server.

Most applications that will implement the Broker Security Enhancement (BSE)
are expected to have a central application server where the users will be
authenticated, although VistaWeb will still depend upon authentication of
users at their individual home VistA sites. The address and port number for
the application servers and a mechanism for connecting to them will be
specified in the sub-file. The remote server will connect with the
authenticating server and obtain the information for the visiting user
directly.

An application that wants to use BSE access will have to have a KIDS build
installed on the remote system(s) to generate the entry in the REMOTE
APPLICATION file (#8994.5). Access for entry into the file will be via the
one-way hash of the security phrase; thus, unauthorized applications would
not be able to access the systems by mimicking the authorized application
unless they had direct access to the security phrase itself.

For more information on BSE please refer to the 'RPC Broker Technical
Manual' version 1.1 (file name 'XWB1_1P45_TECHNICAL_MANUAL.PDF') and the
'Broker Security Enhancement (BSE) Supplement to Patch Description' (file
name 'XWB1_1P45_SUPPLEMENTAL.PDF'), which will be located on the Anonymous
Directories and on the VDL at:
http://www.va.gov/vdl/Infrastructure.asp?appID=23

This patch contains the following:

  * Four (4) M routines
  * One (1) new REMOTE APPLICATION file (#8994.5)
  * Three (3) pas files, if you are using the Broker Development Kit (BDK)
    to create GUI applications. These files can be downloaded from one of
    the FTP servers (see below).

The Server side of this patch must be installed prior to installation of
patch XU*8*404.

In order to implement BSE and use the RPC-Broker callback type, the central
Authenticating VistA M server must run the RPC Broker as a TCPIP service.
The Non-callback RPC Broker Listener/TCPIP service is distributed and
described with RPC Broker Patch XWB*1.1*35 and updated with XWB*1.1*44.

NOISs

E3Rs

List of Test Sites
==================
A testing waiver has been granted.

Blood Bank Clearance:
=============================
8/9/2006

Installation Instructions:

1. Users ARE allowed to be on the system during the installation.

2. Use the 'INSTALL/CHECK MESSAGE' option on the PackMan menu. This option
   will load the KIDS (Kernel Installation and Distribution System) package
   onto your system.

3. You DO NOT need to stop TaskMan or the background filers.

4. The patch has now been loaded into a transport global on your system.
   On the KIDS menu, select the 'Installation' menu and use the following
   options:

      Verify Checksums in Transport Global
      Print Transport Global
      Compare Transport Global to Current System
      Backup a Transport Global

Installation will take less than 2 minutes.

Select KIDS OPTION: Install
                    =======
                    Install Package(s)
Select INSTALL NAME: XWB*1.1*45
                     ==========
Want KIDS to INHIBIT LOGONs during the install? YES// YES
                                                      ===
Want to DISABLE Scheduled Options, Menu Options, and Protocols? YES// NO
                                                                      ==

The client-side software distribution includes:

Date       Time     Attrib       Bytes   CRC-32 Filename
---------- -------- ------ ----------- -------- --------
04/06/2006 11:26:42 A-----      22,269 970090E0 XWB1_1P45.zip

CLIENT SIDE SOFTWARE RETRIEVAL:

The client side software for this package is available for retrieval via
FTP. All VA Medical Centers are encouraged to use the TCPIP FTP
functionality to obtain the software from one of the following OI Field
Office ANONYMOUS.SOFTWARE directories:

IRM Field Office       FTP Address
================       ===========
Albany                 ftp.fo-albany.med.va.gov
Hines                  ftp.fo-hines.med.va.gov
Salt Lake City         ftp.fo-slc.med.va.gov
VistA Download Site    download.vista.med.va.gov

Client Side:
============

You will need to install the BDK32 from patch XWB*1.1*40, since this patch
contains only those files that were changed for the Broker Security
Enhancement.

The following lists the files installed by unzipping the file
XWB_1-1_45.zip into the Source file for your BDK32 installation. We
recommend saving a copy of the original files to a safe location before
installing these files over them. They are shown for installation into the
default directory (C:\Program Files\Vista\BDK32); the locations would
differ for installation into another directory.

Date       Time     Attrib       Bytes   CRC-32 Filename
---------- -------- ------ ----------- -------- --------

After unzipping the files:

C:\Program Files\VistA\BDK32\Source
02/15/2006 16:54:02 A-----      13,497 2B52B2AC Loginfrm.pas
05/10/2005 16:14:46 A-----       9,531 AF7F10B1 RpcSLogin.pas
01/30/2006 17:28:06 A-----      60,950 CE71DECB Trpcb.pas

C:\Program Files\Vista\BDK32\Samples\BSE
04/07/2006 16:35:24 A-----         386 8D297EAC BseSample1.cfg
04/07/2006 16:35:24 A-----       1,465 0D9A4287 BseSample1.dof
02/15/2006 16:09:30 A-----         202 C951284F BseSample1.dpr
04/09/2006 15:59:42 A-----     545,792 98DDFB6E BseSample1.exe
04/09/2006 15:59:42 A-----     545,792 98DDFB6E BseSample1.exe.RENAME
02/23/2006 13:19:48 A-----         100 D5006056 BseSample1.inc
02/15/2006 16:02:52 A-----         876 483416C3 BseSample1.res
04/07/2006 15:23:04 A-----     699,904 BB23CCCE BSEWebServer.exe
04/09/2006 15:53:46 A-----       4,170 330EFD13 fBseSample1.dfm
03/20/2006 10:41:22 A-----      89,893 40B913C7 fBseSample1.jpg
04/07/2006 16:36:54 A-----       3,877 45E2CC1F fBseSample1.pas

===============
Routine Summary

The following routines are included in this patch. The second line of each
of these routines now looks like:

  ;;1.1;RPC BROKER;**[Patch List]**;Mar 28, 1997

                   Checksum
Routine       Before      After       Patch List
XWB45PO       n/a         1295305     **45**
XWBM2MEZ      n/a         716202      **45**
XWBRM         3795059     4095330     **28,45**
XWBTCPM2      n/a         980598      **45**

List of preceding patches: 28

Sites should use CHECK^XTSUMBLD to verify checksums.

Routine Information:
====================

The checksums below are new checksums, and can be checked with
CHECK1^XTSUMBLD.

Routine Name: XWB45PO
    Before: n/a          After: B1790358    **45**
Routine Name: XWBM2MEZ
    Before: n/a          After: B1400319    **45**
Routine Name: XWBRM
    Before: B13386009    After: B13950171   **28,45**
Routine Name: XWBTCPM2
    Before: n/a          After: B3174797    **45**

=============================================================================
User Information:
Entered By  : FORT,WALLY                  Date Entered  : MAR 13, 2006
Completed By: ALDERMAN,MATT S             Date Completed: SEP 13, 2006
Released By : PALMER,MICHAEL              Date Released : SEP 18, 2006
=============================================================================

Packman Mail Message:
=====================

$END TXT
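
The following is an added example, not part of the original patch description or of the RPC Broker distribution: Python that parses the Date/Time/Attrib/Bytes/CRC-32/Filename listings above and checks the files in a directory against the listed size and CRC-32. It assumes the CRC-32 column is the standard CRC-32 used by ZIP (the value zlib.crc32 computes); the names parse_listing, crc32_of and verify are chosen here.

```python
import re
import sys
import zlib
from pathlib import Path

# Three rows copied from the client-side listing in this patch description.
SAMPLE_LISTING = """\
Date       Time     Attrib       Bytes   CRC-32 Filename
---------- -------- ------ ----------- -------- --------
02/15/2006 16:54:02 A-----      13,497 2B52B2AC Loginfrm.pas
05/10/2005 16:14:46 A-----       9,531 AF7F10B1 RpcSLogin.pas
01/30/2006 17:28:06 A-----      60,950 CE71DECB Trpcb.pas
"""

# date, time, attrib, bytes (thousands separators), CRC-32 (8 hex digits), filename
ROW = re.compile(r"^\s*\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}:\d{2}\s+\S+\s+"
                 r"([\d,]+)\s+([0-9A-Fa-f]{8})\s+(\S+)\s*$")

def parse_listing(text):
    """Return {filename: (size, crc32)}; header, ruler and directory lines are skipped."""
    entries = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            size = int(m.group(1).replace(",", ""))
            entries[m.group(3)] = (size, int(m.group(2), 16))
    return entries

def crc32_of(path, chunk=65536):
    """Stream the file so large executables are not read into memory at once."""
    crc = 0
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            crc = zlib.crc32(block, crc)
    return crc & 0xFFFFFFFF

def verify(listing_text, directory):
    """Return {filename: 'ok' | 'missing' | 'size-mismatch' | 'crc-mismatch'}."""
    results = {}
    for name, (size, crc) in parse_listing(listing_text).items():
        path = Path(directory) / name
        if not path.is_file():
            results[name] = "missing"
        elif path.stat().st_size != size:
            results[name] = "size-mismatch"
        elif crc32_of(path) != crc:
            results[name] = "crc-mismatch"
        else:
            results[name] = "ok"
    return results

if __name__ == "__main__":  # argument: directory holding the unzipped files
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, status in verify(SAMPLE_LISTING, target).items():
        print(f"{status:14} {name}")
```

CRC-32 detects accidental corruption during transfer or unzipping; it is not a cryptographic integrity check and does not by itself show that a file came from the distribution site.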