| DESCRIPTION OF ENHANCEMENTS |
This patch addresses the following issue:
-----------------
SSH
Key Pair you can skip this step. You can check whether you already
have an existing SSH Key Pair through the 'V' (View Public SSH
Key)
Action.
Encryption Type: DSA, RSA, ECDSA or EDDSA?
-----------------------------------
Digital Signature Algorithm (DSA) (No longer supported) and
Rivest,
Shamir & Adleman (RSA) have been two of the most common encryption
algorithms used by the IT industry for securely sharing data.
Elliptic Curve Digital Signature Algorithm (ECDSA) and
Edward-curve
Digital Signature Algorithm (ed25519) are more complex public key
cryptography encryption algorithms that are now supported by the
VA.
Many of SPMP servers can handle all types; however there are
vendors
that accept only one specific type. You will need to contact the
Files & Fields Associated:
SPMP
vendor support to determine which type to select.
Step 2: Share the Public SSH Key content with the state/vendor. In order
to
successfully establish SPMP transmissions the state/vendor will
have
to install/configure the new SSH Key created in step 1 for the
user id they assigned to your site. Use the 'V' (View Public SSH
Key)
Action to retrieve the content of the Public SSH key. The Public
SSH
Key should not contain line-feed characters, therefore after you
copy
& paste it from the terminal emulator into an email or text editor
make sure it contains only one line of text (no wrapping).
File Name (Number) Field Name (Number) New/Modified/Deleted
------------------ ------------------- --------------------
SPMP STATE PARAMETERS SFTP SSH KEY ENCRYPTION Modified
(#58.41) (#19)
Problem:
--------
With the implementation of Red Hat Enterprise Linux (RHEL 8) stronger
encryption keys ECDSA & EDDSA are now available and supported. SPMP
application currently is using RSA type SSH key for connecting to the
SPMP server to send data.
New keys added:
Elliptic Curve Digital Signature Algorithm (ECDSA)
Edward-curve Digital Signature Algorithm (ed25519)
ECDSA Key creation
EDDSA is also known as ed25519
Necessary changes are required to allow creation of ECDSA & EDDSA keys
for the SPMP application. Support for RSA keys are anticipated to be
deprecated in the future, so to maintain Vista's security posture and
ensure continuous operation of required Vista processes, software
utilizing SSH PKI user keys must be updated to support the stronger ECDSA
& EDDSA encryption keys.
The modification should allow the creation of any ECDSA & EDDSA keys to
be
forward compatible when Red Hat Enterprise Linux (RHEL 8) is implemented.
Resolution:
-----------
File SPMP STATE PARAMETERS (#58.41) field SFTP SSH KEY ENCRYPTION (#19) is
modified to add code ECDSA (Elliptic Curve Digital Signature Algorithm) &
EDDSA (Edward-curve Digital Signature Algorithm).
Modify PSOSPMKY to allow ECDSA or EDDSA (ed25519) key to be created,
Defect Tracking System Ticket(s) & Overview:
viewed, deleted, and update the help text.
Technical Resolution:
---------------------
Add Code ECDSA (Elliptic Curve Digital Signature Algorithm) & EDDSA
(Edward-curve Digital Signature Algorithm) to the set of codes for field
#19 in file #58.41
Routine PSOSPMKY is modified as follows
ACTION+24 is changed from
. S DIR(0)="S^DSA:Digital Signature Algorithm (DSA);RSA:Rivest, Shamir
& Adleman (RSA)"
To
. S DIR(0)="S^RSA:Rivest, Shamir & Adleman (RSA);DSA:Digital Signature
Algorithm (DSA);ECDSA:Elliptic Curve Digital Signature Algorithm
(ECDSA);EDDSA:Edward-curve Digital Signature Algorithm (ed25519)" ;p723
ACTION+26 changed from
1. INC26749697 - ECDSA KEY CREATION
.S ENCRTYPE=Y
To
.S ENCRTYPE=Y I Y="DSA" D Q
.. W !!,$G(IOBON),"WARNING:",$G(IOBOFF)," 'DSA' SSH keys are no longer
supported.",$C(7)
NEWKEY+9 is changed from
I $G(ENCRTYPE)'="DSA",$G(ENCRTYPE)'="RSA" S ENCRTYPE="RSA"
To
S
ENCRTYPE=$S($G(ENCRTYPE)="ECDSA":"ECDSA",$G(ENCRTYPE)="EDDSA":"ed25519",1:
"RSA")
NEWKEY+63 is changed from
S DR="18///"_$S(PSOOS["VMS":"SSH2",1:"OSSH")_";19///"_ENCRTYPE D ^DIE
To
S DR="18///"_$S(PSOOS["VMS":"SSH2",1:"OSSH")_";19////"_ENCRTYPE D ^DIE
The Help text is change to:
Patch Components:
Secure SHell (SSH) Encryption Keys are used to automate the data
transmission
to the State Prescription Monitoring Programs (SPMPs). Follow the steps
below
to successfully setup SPMP transmissions from VistA to the state/vendor
server:
Step 1: Select the 'N' (Create New SSH Key Pair) Action and follow the
prompts
to create a new pair of SSH keys. If you already have an existing
|