Home Package List Routine Alphabetical List Global Alphabetical List FileMan Files List FileMan Sub-Files List Package Component Lists Package-Namespace Mapping

Info | Desc | Pointer To FileMan Files | Fields

Print Page as PDF

Global: ^XULOGS(6.666

Package: Kernel

Global: ^XULOGS(6.666

Information

FileMan FileNo	FileMan Filename	Package
6.666	KERNEL PKI LOGS	Kernel

Description

The KERNEL PKI LOGS file is meant to be used by the Kernel team to log which SAML TOKENS would fail PKI digital signature validation. This file has been released in patch XU*8*810. At minimum a log entry MUST contain a DATE/TIME CREATED and a SAML TOKEN. Please note that to preserve the byte by byte integrity of the SAML TOKEN the SAML TOKEN has been saved in base64 format. The USER'S SECID, FIRST NAME and LAST NAME fields are extracted from the given SAML TOKEN; therefore it is possible that this data is forged, inaccurate or simply not provided. The main takeaway is that we understand who the user said they were using SECID so that we can later compare that to IAM. The ERROR MESSAGE FROM API and ERROR MESSAGE FROM RSA fields are meant to store messages reported by the InterSystems APIs. The OTHER MESSAGE field is meant to store other messages that maybe relevant to help triage why the SAML TOKEN failed PKI digital signature validation.

Pointer To FileMan Files, Total: 1

Package	Total	FileMan Files
Kernel	1	OPTION(#19)[30]

Fields, Total: 14

Field #	Name	Loc	Type	Details
.01	DATE/TIME CREATED	0;1	FREE TEXT	**********************REQUIRED FIELD********************** INPUT TRANSFORM: `I $$UP^XLFSTR(X)="NOW" S X=$$NOW^XUPKILOG` `MAXIMUM LENGTH: 40` LAST EDITED: `NOV 22, 2024` HELP-PROMPT: `Enter the date and time the record was created using ISO 8601 format.` DESCRIPTION: `The DATE/TIME CREATED field stores when the entry was inserted into the file following the ISO 8601 date/time format.` `The date/time format for November 1st, 2024 at 5:23 PM HST would be ISO 8601 formatted as: 2024-11-01T17:23:00-10:00` NOTES: `XXXX--CAN'T BE ALTERED EXCEPT BY PROGRAMMER` CROSS-REFERENCE: `6.666^B` `1)= S ^XULOGS(6.666,"B",$E(X,1,30),DA)=""` `2)= K ^XULOGS(6.666,"B",$E(X,1,30),DA)` FIELD INDEX: `C (#1747) REGULAR IR LOOKUP & SORTING` `Short Descr: This cross reference provides a M natively sorted DATE/TIME CREATED.` `Description: This cross reference is built by converting the ISO 8601 formatted DATE/TIME CREATED value to the unix timestamp format so that the data can be organized and stored optimally.` `Set Logic: S ^XULOGS(6.666,"C",$E(X,1,40),DA)=""` `Kill Logic: K ^XULOGS(6.666,"C",$E(X,1,40),DA)` `Whole Kill: K ^XULOGS(6.666,"C")` `X(1): DATE/TIME CREATED (6.666,.01) (Subscr 1) (Len 40) (forwards)` `Transform (Storage): N XX S XX=$ZDATETIMEH(X,3,5) S X=$ZDATETIME(XX,-2)` RECORD INDEXES: `D (#1748)`
10	USER'S SECID	0;3	FREE TEXT	INPUT TRANSFORM: `K:$L(X)>40!($L(X)<3) X` `MAXIMUM LENGTH: 40` LAST EDITED: `NOV 22, 2024` HELP-PROMPT: `Enter the user's SECID with leading zeros, i.e., 00019283.` DESCRIPTION: `The USER'S SECID is extracted from the SAML TOKEN. This data may be forged, inaccurate or empty due to a SAML TOKEN failing digital signature validation.` RECORD INDEXES: `D (#1748)`
11	USER'S FIRST NAME	0;4	FREE TEXT	INPUT TRANSFORM: `K:$L(X)>99!($L(X)<1) X` `MAXIMUM LENGTH: 99` LAST EDITED: `NOV 05, 2024` HELP-PROMPT: `Enter the user's first name as it is given in the SAML TOKEN.` DESCRIPTION: `The USER'S FIRST NAME is extracted from the SAML TOKEN. This data may be forged, inaccurate or empty due to a SAML TOKEN failing digital signature validation.`
12	USER'S LAST NAME	1;1	FREE TEXT	INPUT TRANSFORM: `K:$L(X)>99!($L(X)<1) X` `MAXIMUM LENGTH: 99` LAST EDITED: `NOV 05, 2024` HELP-PROMPT: `Enter the user's last name as it is given in the SAML TOKEN.` DESCRIPTION: `The USER'S LAST NAME is extracted from the SAML TOKEN. This data may be forged, inaccurate or empty due to a SAML TOKEN failing digital signature validation.`
20	SAML TOKEN	2;0	WORD-PROCESSING #6.676	LAST EDITED: `OCT 25, 2024` DESCRIPTION: `The SAML TOKEN field stores the actual SAML TOKEN that failed PKI digital signature validation in base64 format.` LAST EDITED: `DEC 18, 2024` HELP-PROMPT: `Enter the SAML TOKEN used that failed PKI digital signature validation.` DESCRIPTION: `The SAML TOKEN field stores the actual SAML TOKEN that failed PKI digital signature validation in base64 format.`
20.5	SAML TOKEN HASH	7;1	FREE TEXT	INPUT TRANSFORM: `K:$L(X)>128!($L(X)<10) X` `MAXIMUM LENGTH: 128` LAST EDITED: `NOV 04, 2024` HELP-PROMPT: `Enter the SHA-256 hash of the SAML TOKEN.` DESCRIPTION: `The SAML TOKEN HASH field stores the SHA-256 hash of the SAML TOKEN.`
21	ERROR MESSAGE FROM API	3;1	FREE TEXT	INPUT TRANSFORM: `K:$L(X)>256!($L(X)<1) X` `MAXIMUM LENGTH: 256` LAST EDITED: `NOV 04, 2024` HELP-PROMPT: `Enter the error message returned by the InterSystems APIs.` DESCRIPTION: `The ERROR MESSAGE FROM API may store the error message returned by the InterSystems APIs that perform digital signature validation.`
22	ERROR MESSAGE FROM RSA	4;1	FREE TEXT	INPUT TRANSFORM: `K:$L(X)>256!($L(X)<1) X` `MAXIMUM LENGTH: 256` LAST EDITED: `NOV 04, 2024` HELP-PROMPT: `Enter the error message returned by the InterSystems APIs.` DESCRIPTION: `The ERROR MESSAGE FROM RSA may store any error messages produced by the OpenSSL implementation when attempting PKI digital signature validation.` TECHNICAL DESCR: `The ERROR MESSAGE FROM RSA stores the error message returned from the InterSystems API: %SYSTEM.Encryption.RSAGetLastError()` `If this message is present, it means that the underlying OpenSSL implementation has returned a critical error. This critical error should be resolved first.` `When a message is not present then this is considered normal operation and no issue is present. For example, if a SAML token is modified it will fail digital signature validation and thus will not produce an error.` `If OpenSSL failed to validate the SAML token digital signature because the certificate trust store does not contain the root or intermediate certificate authorities then the following message would be logged: unable to get` `local issuer certificate`
23	OTHER MESSAGE	8;1	FREE TEXT	INPUT TRANSFORM: `K:$L(X)>255!($L(X)<1) X` `MAXIMUM LENGTH: 255` LAST EDITED: `NOV 04, 2024` HELP-PROMPT: `Enter any additional message that may aid in explaining why this SAML TOKEN was logged.` DESCRIPTION: `This optional field will be used to capture any additional messages that may aid in explaining why this SAML TOKEN was logged.`
30	RPC BROKER CONTEXT	5;1	POINTER TO OPTION FILE (#19)	OPTION(#19) INPUT TRANSFORM: `I $P(^(0),U,4)="B" D ^DIC K DIC S DIC=$G(DIE),X=+Y K:Y<0 X` LAST EDITED: `NOV 04, 2024` HELP-PROMPT: `Enter the RPC BROKER CONTEXT option that was used after the SAML TOKEN failed digital signature validation.` DESCRIPTION: `The RPC BROKER CONTEXT describes the context option that was used after the SAML TOKEN was authenticated.` `This helps to identify which applications might be using modified SAML TOKENS.` SCREEN: `I $P(^(0),U,4)="B"` EXPLANATION: `The screen only allows the selection of broker types.`
31	CLIENT IP ADDRESS	5;2	FREE TEXT	INPUT TRANSFORM: `K:$L(X)>50!($L(X)<1) X` `MAXIMUM LENGTH: 50` LAST EDITED: `NOV 05, 2024` HELP-PROMPT: `Enter the client's IP address that sent the SAML TOKEN.` DESCRIPTION: `The CLIENT IP ADDRESS is the source IP address of the system or user who is sending a SAML TOKEN that fails digital signature validation.`
32	SERVER IP ADDRESS	5;3	FREE TEXT	INPUT TRANSFORM: `K:$L(X)>50!($L(X)<1) X` `MAXIMUM LENGTH: 50` LAST EDITED: `NOV 05, 2024` HELP-PROMPT: `Enter the IP address of the server that the client connected to.` DESCRIPTION: `The SERVER IP ADDRESS identifies the VistA backend or frontend server that the client has connected to.` `This is useful in determining which server may have a misconfiguration in its PKI setup.`
33	LOGIN METHOD	5;4	SET	'R' FOR RPC BROKER; 'S' FOR SSH (ROLL-N-SCROLL); 'V' FOR VISTALINK; 'H' FOR HL7; 'B' FOR BROKER SECURITY ENHANCEMENT; LAST EDITED: `NOV 05, 2024` HELP-PROMPT: `Enter the login method used to authenticate a VistA session.` DESCRIPTION: `The LOGIN METHOD describes the path taken by the user or application to authenticate with VistA.` `For example, if the user connected and authenticated through the RPC Broker then R would be the LOGIN METHOD.`
34	SAML TOKEN REUSE COUNT	5;5	NUMBER	INPUT TRANSFORM: `K:+X'=X!(X>999999999999)!(X<1)!(X?.E1"."1.N) X` LAST EDITED: `NOV 04, 2024` HELP-PROMPT: `Enter the number of times this SAML TOKEN has been used to authenticate to VistA.` DESCRIPTION: `This SAML TOKEN REUSE COUNT tracks how many times a SAML TOKEN has been reused to authenticate with VistA.`

Info | Desc | Pointer To FileMan Files | Fields