STANDARD DATA DICTIONARY #6.666 -- KERNEL PKI LOGS FILE                                                           6/27/25    PAGE 1
STORED IN ^XULOGS(6.666,  *** NO DATA STORED YET ***   SITE: WWW.BMIRWIN.COM   UCI: VISTA,VISTA                    (VERSION 8.0)   

DATA          NAME                  GLOBAL        DATA
ELEMENT       TITLE                 LOCATION      TYPE
-----------------------------------------------------------------------------------------------------------------------------------
The KERNEL PKI LOGS file is meant to be used by the Kernel team to log SAML TOKENS that fail PKI digital signature validation.
This file has been released in patch XU*8*810. 
 
At minimum a log entry MUST contain a DATE/TIME CREATED and a SAML TOKEN. To preserve the byte-by-byte integrity of the SAML
TOKEN, the SAML TOKEN is saved in base64 format.  
 
The USER'S SECID, FIRST NAME and LAST NAME fields are extracted from the given SAML TOKEN; therefore this data may be forged,
inaccurate or simply not provided. The main takeaway is that we record who the user claimed to be (by SECID) so that we can
later compare that claim to IAM.  
 
The ERROR MESSAGE FROM API and ERROR MESSAGE FROM RSA fields store messages reported by the InterSystems APIs. The OTHER MESSAGE
field stores any other messages that may be relevant to triaging why the SAML TOKEN failed PKI digital signature validation.  
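As an added example (not Kernel or VistA code from patch XU*8*810), the following Python assembles one log entry the way this file describes: an ISO 8601 DATE/TIME CREATED, the token base64-encoded for byte-by-byte integrity, its SHA-256 hash, the identity the token claims (treated as unverified), and the FileMan length limits taken from the fields' INPUT TRANSFORMs below. The SAML attribute names secid/firstName/lastName, the sample assertion and the function names are this example's own assumptions.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Length limits copied from the INPUT TRANSFORMs of fields 10, 11, 12, 21 and 22.
LIMITS = {"USER'S SECID": (3, 40), "USER'S FIRST NAME": (1, 99), "USER'S LAST NAME": (1, 99),
          "ERROR MESSAGE FROM API": (1, 256), "ERROR MESSAGE FROM RSA": (1, 256)}
# Assumed SAML attribute names carrying the identity claims; real tokens may use others.
CLAIM_ATTRS = {"secid": "USER'S SECID", "firstName": "USER'S FIRST NAME", "lastName": "USER'S LAST NAME"}
# Constructed, unsigned sample assertion standing in for a token that failed validation.
SAMPLE_TOKEN = (b'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:AttributeStatement>'
                b'<saml:Attribute Name="secid"><saml:AttributeValue>00019283</saml:AttributeValue></saml:Attribute>'
                b'<saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>'
                b'<saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>'
                b'</saml:AttributeStatement></saml:Assertion>')
SAMPLE_TIME = datetime(2024, 11, 1, 17, 23, tzinfo=timezone(timedelta(hours=-10)))  # DD's example: 5:23 PM HST

def iso8601(dt=None):
    """DATE/TIME CREATED: ISO 8601 with UTC offset, e.g. 2024-11-01T17:23:00-10:00."""
    dt = dt or datetime.now().astimezone()
    if dt.utcoffset() is None:
        raise ValueError("timestamp must carry a UTC offset")
    return dt.replace(microsecond=0).isoformat()

def claimed_identity(token_bytes):
    """Identity the token *claims*; the signature failed, so none of it is trusted."""
    claims = {}
    for attr in ET.fromstring(token_bytes).iterfind(".//saml:Attribute", SAML_NS):
        field = CLAIM_ATTRS.get(attr.get("Name"))
        if field:
            claims[field] = attr.findtext("saml:AttributeValue", default="", namespaces=SAML_NS).strip()
    return claims

def build_log_entry(token_bytes, api_err="", rsa_err="", client_ip="", method="R", dt=None):
    """Assemble the #6.666 record; values outside the FileMan limits are dropped, as the INPUT TRANSFORM (K X) would."""
    entry = {"DATE/TIME CREATED": iso8601(dt),
             # base64 keeps the failing token byte-for-byte for later re-validation
             "SAML TOKEN": base64.b64encode(token_bytes).decode("ascii"),
             "SAML TOKEN HASH": hashlib.sha256(token_bytes).hexdigest(),
             "CLIENT IP ADDRESS": client_ip, "LOGIN METHOD": method}
    candidates = claimed_identity(token_bytes)
    candidates.update({"ERROR MESSAGE FROM API": api_err, "ERROR MESSAGE FROM RSA": rsa_err})
    for field, value in candidates.items():
        lo, hi = LIMITS[field]
        if lo <= len(value) <= hi:
            entry[field] = value
    return entry
```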


              DD ACCESS: @
              RD ACCESS: @
              WR ACCESS: @
             DEL ACCESS: @
           LAYGO ACCESS: @
           AUDIT ACCESS: @

   APPLICATION GROUP(S): XU

CROSS
REFERENCED BY: DATE/TIME CREATED(B)

    LAST MODIFIED: FEB 4,2025@15:29:39

6.666,.01     DATE/TIME CREATED      0;1 FREE TEXT (Required)

              INPUT TRANSFORM:  I $$UP^XLFSTR(X)="NOW" S X=$$NOW^XUPKILOG
              MAXIMUM LENGTH:   40
              LAST EDITED:      NOV 22, 2024 
              HELP-PROMPT:      Enter the date and time the record was created using ISO 8601 format. 
              DESCRIPTION:      The DATE/TIME CREATED field stores when the entry was inserted into the file following the ISO 8601
                                date/time format.  
                                 
                                The date/time format for November 1st, 2024 at 5:23 PM HST would be ISO 8601 formatted as:
                                2024-11-01T17:23:00-10:00 

              NOTES:            XXXX--CAN'T BE ALTERED EXCEPT BY PROGRAMMER

              CROSS-REFERENCE:  6.666^B 
                                1)= S ^XULOGS(6.666,"B",$E(X,1,30),DA)=""
                                2)= K ^XULOGS(6.666,"B",$E(X,1,30),DA)


6.666,10      USER'S SECID           0;3 FREE TEXT

              INPUT TRANSFORM:  K:$L(X)>40!($L(X)<3) X
              MAXIMUM LENGTH:   40
              LAST EDITED:      NOV 22, 2024 
              HELP-PROMPT:      Enter the user's SECID with leading zeros,  i.e., 00019283. 
              DESCRIPTION:      The USER'S SECID is extracted from the SAML TOKEN. This data may be forged, inaccurate or empty due
                                to a SAML TOKEN failing digital signature validation.  


6.666,11      USER'S FIRST NAME      0;4 FREE TEXT

              INPUT TRANSFORM:  K:$L(X)>99!($L(X)<1) X
              MAXIMUM LENGTH:   99
              LAST EDITED:      NOV 05, 2024 
              HELP-PROMPT:      Enter the user's first name as it is given in the SAML TOKEN. 
              DESCRIPTION:      The USER'S FIRST NAME is extracted from the SAML TOKEN. This data may be forged, inaccurate or
                                empty due to a SAML TOKEN failing digital signature validation.  


6.666,12      USER'S LAST NAME       1;1 FREE TEXT

              INPUT TRANSFORM:  K:$L(X)>99!($L(X)<1) X
              MAXIMUM LENGTH:   99
              LAST EDITED:      NOV 05, 2024 
              HELP-PROMPT:      Enter the user's last name as it is given in the SAML TOKEN. 
              DESCRIPTION:      The USER'S LAST NAME is extracted from the SAML TOKEN. This data may be forged, inaccurate or empty
                                due to a SAML TOKEN failing digital signature validation.  


6.666,20      SAML TOKEN             2;0 Multiple #6.676

              LAST EDITED:      OCT 25, 2024 
              DESCRIPTION:      The SAML TOKEN field stores the actual SAML TOKEN that failed PKI digital signature validation in
                                base64 format.  




6.666,20.5    SAML TOKEN HASH        7;1 FREE TEXT

              INPUT TRANSFORM:  K:$L(X)>128!($L(X)<10) X
              MAXIMUM LENGTH:   128
              LAST EDITED:      NOV 04, 2024 
              HELP-PROMPT:      Enter the SHA-256 hash of the SAML TOKEN. 
              DESCRIPTION:      The SAML TOKEN HASH field stores the SHA-256 hash of the SAML TOKEN.  


6.666,21      ERROR MESSAGE FROM API 3;1 FREE TEXT

              INPUT TRANSFORM:  K:$L(X)>256!($L(X)<1) X
              MAXIMUM LENGTH:   256
              LAST EDITED:      NOV 04, 2024 
              HELP-PROMPT:      Enter the error message returned by the InterSystems APIs. 
              DESCRIPTION:      The ERROR MESSAGE FROM API may store the error message returned by the InterSystems APIs that
                                perform digital signature validation.  


6.666,22      ERROR MESSAGE FROM RSA 4;1 FREE TEXT

              INPUT TRANSFORM:  K:$L(X)>256!($L(X)<1) X
              MAXIMUM LENGTH:   256
              LAST EDITED:      NOV 04, 2024 
              HELP-PROMPT:      Enter the error message returned by the InterSystems APIs. 
              DESCRIPTION:      The ERROR MESSAGE FROM RSA may store any error messages produced by the OpenSSL implementation when
                                attempting PKI digital signature validation.  

              TECHNICAL DESCR:  The ERROR MESSAGE FROM RSA stores the error message returned from the InterSystems API:
                                %SYSTEM.Encryption.RSAGetLastError() 
                                 
                                If this message is present, it means that the underlying OpenSSL implementation has returned a
                                critical error. This critical error should be resolved first.  
                                 
                                When a message is not present then this is considered normal operation and no issue is present. For
                                example, if a SAML token is modified it will fail digital signature validation and thus will not
                                produce an error.  
                                 
                                If OpenSSL failed to validate the SAML token digital signature because the certificate trust store
                                does not contain the root or intermediate certificate authorities then the following message would
                                be logged: unable to get local issuer certificate 


6.666,23      OTHER MESSAGE          8;1 FREE TEXT

              INPUT TRANSFORM:  K:$L(X)>255!($L(X)<1) X
              MAXIMUM LENGTH:   255
              LAST EDITED:      NOV 04, 2024 
              HELP-PROMPT:      Enter any additional message that may aid in explaining why this SAML TOKEN was logged. 
              DESCRIPTION:      This optional field will be used to capture any additional messages that may aid in explaining why
                                this SAML TOKEN was logged.  


6.666,30      RPC BROKER CONTEXT     5;1 POINTER TO OPTION FILE (#19)

              INPUT TRANSFORM:  I $P(^(0),U,4)="B" D ^DIC K DIC S DIC=$G(DIE),X=+Y K:Y<0 X
              LAST EDITED:      NOV 04, 2024 
              HELP-PROMPT:      Enter the RPC BROKER CONTEXT option that was used after the SAML TOKEN failed digital signature 
                                validation. 
              DESCRIPTION:      The RPC BROKER CONTEXT describes the context option that was used after the SAML TOKEN was
                                authenticated.  
                                 
                                This helps to identify which applications might be using modified SAML TOKENS.  

              SCREEN:           I $P(^(0),U,4)="B"
              EXPLANATION:      The screen only allows the selection of broker types.

6.666,31      CLIENT IP ADDRESS      5;2 FREE TEXT

              INPUT TRANSFORM:  K:$L(X)>50!($L(X)<1) X
              MAXIMUM LENGTH:   50
              LAST EDITED:      NOV 05, 2024 
              HELP-PROMPT:      Enter the client's IP address that sent the SAML TOKEN. 
              DESCRIPTION:      The CLIENT IP ADDRESS is the source IP address of the system or user who is sending a SAML TOKEN
                                that fails digital signature validation.  


6.666,32      SERVER IP ADDRESS      5;3 FREE TEXT

              INPUT TRANSFORM:  K:$L(X)>50!($L(X)<1) X
              MAXIMUM LENGTH:   50
              LAST EDITED:      NOV 05, 2024 
              HELP-PROMPT:      Enter the IP address of the server that the client connected to. 
              DESCRIPTION:      The SERVER IP ADDRESS identifies the VistA backend or frontend server that the client has connected
                                to.  
                                 
                                This is useful in determining which server may have a misconfiguration in its PKI setup.  


6.666,33      LOGIN METHOD           5;4 SET

                                'R' FOR RPC BROKER; 
                                'S' FOR SSH (ROLL-N-SCROLL); 
                                'V' FOR VISTALINK; 
                                'H' FOR HL7; 
                                'B' FOR BROKER SECURITY ENHANCEMENT; 
              LAST EDITED:      NOV 05, 2024 
              HELP-PROMPT:      Enter the login method used to authenticate a VistA session. 
              DESCRIPTION:      The LOGIN METHOD describes the path taken by the user or application to authenticate with VistA. 
                                 
                                For example, if the user connected and authenticated through the RPC Broker then R would be the
                                LOGIN METHOD.  


6.666,34      SAML TOKEN REUSE COUNT 5;5 NUMBER

              INPUT TRANSFORM:  K:+X'=X!(X>999999999999)!(X<1)!(X?.E1"."1.N) X
              LAST EDITED:      NOV 04, 2024 
              HELP-PROMPT:      Enter the number of times this SAML TOKEN has been used to authenticate to VistA. 
              DESCRIPTION:      This SAML TOKEN REUSE COUNT tracks how many times a SAML TOKEN has been reused to authenticate with
                                VistA.  



      FILES POINTED TO                      FIELDS

OPTION (#19)                      RPC BROKER CONTEXT (#30)



INPUT TEMPLATE(S):

PRINT TEMPLATE(S):

SORT TEMPLATE(S):

FORM(S)/BLOCK(S):