AMS Release Notes AMS - 4.2


Continued Implementation of HSPD-12 Program Release Notes AMS Release Notes - AMS_4.2

AMS Release Notes – AMS - 4.2

This document contains information about the scope of changes to the Access Management System (AMS). Release AMS-4.2 will be delivered into the AMS environment on 06/11/2012 and will include the following changes:

New Features
1. SSO integration with Business Intelligence Information Systems (BIIS)
2. SSO integration with HHS Enterprise Architecture (HEAR)
3. SSO integration with Managing Accounting Credit Card System (MACCS)
4. SSO integration with GovNET-NG
5. Optimization of Validation for Certificate Revocation List (CRL)
6. Accept externally-issued and approved HSPD-12 Personal Identity Verification (PIV) card
7. Provide authentication logs to ArcSight, HHS’s behavioral analysis system.
8. New BIIS-AMS data synchronization.
9. Other enhancements

Business Intelligence Information Systems (BIIS) Integration
• Provide Simplified Sign-on access to BIIS – HHS’s reporting application
• Scope of the BIIS application user community is all HHS federal staff and contractors
• Configure Role Assignment Service to allow BIIS administrators to manage BIIS application access.
• The application will be accessible via HHS intranet
• BIIS access via AMS is not restricted to PIV only

HHS Enterprise Architecture (HEAR) Integration
• Provide Simplified Sign-on access to HEAR – HHS’s planning application to manage IT investment portfolio.
• Scope of the HEAR application user community is all HHS federal staff and contractors
• Configure Role Assignment Service to allow HEAR administrators to manage HEAR application access.
• The application will be accessible via the internet.
• HEAR access via AMS is not restricted to PIV only

Managing Accounting Credit Card System (MACCS) Integration
• Provide Simplified Sign-on access to MACCS – HHS’s credit card management tool.
• Scope of the MACCS application user community is all HHS federal staff and contractors
• Configure Role Assignment Service to allow MACCS administrators to manage MACCS application access.
• The application will be accessible via HHS intranet
• MACCS access via AMS is not restricted to PIV only

GovNET-NG Integration
• Provide Simplified Sign-on access to GovNET-NG – HHS’s data mining application.
• Scope of the GovNET-NG application user community is all HHS federal staff and contractors
• Configure Role Assignment Service to allow GovNET-NG administrators to manage GovNET-NG application access.
• The application will be accessible via HHS intranet
• GovNET-NG access via AMS is not restricted to PIV only

AMS 4.2 Release Notes Version 1.0 06112012 Page 1

Optimization of Validation for Certificate Revocation List (CRL)
• Optimized certificate revocation list (CRL) validation to improve AMS systems’ performance during peak PIV authentications.

Accept externally-issued and approved HSPD-12 Personal Identity Verification (PIV) card
• Accept externally-issued and approved HSPD-12 Personal Identity Verification (PIV) card to log into AMS.
• With this release, GSA Managed Service Office (MSO) will be accepted as an externally-issued PIV card.
• A first-time, one-time-only registration process is required for users with a GSA PIV card.

Provide authentication logs to ArcSight, HHS’s behavioral analysis system.
• New ArcSight interface, a behavioral analysis system, used by HHS to detect anomalous behavior and activity.
• AMS will supply ArcSight with authentication logs to support monitoring and alert requirements.
• An automated process runs on a periodic basis that pulls incremental AMS Login audit data from the audit tables.
• The process will transfer authentication log entries to the ArcSight server.

New BIIS-AMS data synchronization
• In order to improve data quality and support future SSO integrations with other applications, AMS integration with BIIS will periodically synchronize EHRP employee identity attributes with the AMS User Profile.
• AMS integration with BIIS will supply BIIS with HHSID and email address for HHS employees that have enrolled in the SCMS.
• This data synchronization process will run bi-weekly.

AMS Enhancements
1. Conditional display of myPay link in AMS based on active Federal Staff who exist in EHRP (to exclude Public Health Service Commissioned Corps (PHSCC)).
2. For each of the ActiveSyncs configured in AMS, send a status email with the results of the ActiveSync run after completion.
3. Update ITAS ActiveSync to remove any exception roles that were manually created using the Role Assignment Service when the ITAS account is terminated in ITAS.
4. Update EWITS ActiveSync to remove any exception roles for Transhare, Parking, and EWITS users that were manually created using the Role Assignment Service when the EWITS account is terminated in EWITS.

Defects
1. A defect in OpenSSO was caching EHRP Realm values as Realm=/eOPF when a user attempted to access EHRP using an incorrect URL.


I. Document References:
• 2012-04-25_HSPD-12_ContdImplementation_AMS_4 2_AMS-BIIS_Integration_Requirements and Design V1 0.docx (https://portal.hhs.gov:443/portal/server.pt/gateway/PTARGS_32_0_215_0_-1_47/http;/collab.hhs.gov;11930/collab/do/document/overview?projID=27154&folderID=748638)
• 2012-04-27_HSPD-12_AMS_4 2_AMS-GovNET-NG_Integration_Requirements and Design V1_0.docx (https://portal.hhs.gov:443/portal/server.pt/gateway/PTARGS_32_0_215_0_-1_47/http;/collab.hhs.gov;11930/collab/do/document/overview?projID=27154&folderID=750424)
• 2012-06-04_HSPD-12__AMSV4_2-HEAR_Int_Requirements_and_Design_(Ref_AMS-HEAR-01).docx (https://portal.hhs.gov:443/portal/server.pt/gateway/PTARGS_32_0_215_0_-1_47/http;/collab.hhs.gov;11930/collab/do/document/overview?projID=27154&folderID=749551)
• 2012-04-19_HSPD-12_AMSV4_2_MACCS_Integration_Requirements and Design (Ref AMS-MACCS-01) V 1.0 FINAL.docx (https://portal.hhs.gov:443/portal/server.pt/gateway/PTARGS_32_0_215_0_-1_47/http;/collab.hhs.gov;11930/collab/do/document/overview?projID=27154&folderID=749272)
• 2012-06-04 HSPD-12 AMS V4 2 ArcSight Integration Req and Design.docx (https://portal.hhs.gov:443/portal/server.pt/gateway/PTARGS_32_0_215_0_-1_47/http;/collab.hhs.gov;11930/collab/do/document/overview?projID=27154&folderID=750566)
• 2012-05-03 HSPD-12_ContdImpl_AMS_4 2_AMS-BIIS EHRP Data Synchronization_Solution and Design.docx (https://portal.hhs.gov:443/portal/server.pt/gateway/PTARGS_32_0_215_0_-1_47/http;/collab.hhs.gov;11930/collab/do/document/overview?projID=27154&folderID=750434)
• 2012_05_11_HSPD-12_AMS_4-2_Enhancements_Req_and_Design_(Ref AMS4_2_RAD).doc (https://portal.hhs.gov:443/portal/server.pt/gateway/PTARGS_32_0_215_0_-1_47/http;/collab.hhs.gov;11930/collab/do/document/overview?projID=27154&folderID=758664)

II. Summary of Changes:

1. Business Intelligence Information Systems (BIIS) Integration
• BIIS is a reporting application used by HHS.
• Provide Simplified Sign-on access to BIIS – HHS’s reporting application.
• BIIS application will be integrated for SSO via policy agent. The end user must first authenticate to AMS via one of the available authentication methods prior to accessing BIIS.
• Access to the BIIS application is through Open SSO and is initiated from AMS by the passing of the BIIS Username.
• On-going BIIS account linking and maintenance in AMS will be performed using the Role Assignment Services. BIIS application has identified a set of administrators who will have access to the Role Assignment Services in AMS and who will be responsible for BIIS account linking/maintenance in AMS.

2. HHS Enterprise Architecture (HEAR) Integration
• HEAR is HHS’s planning application to manage IT investment portfolio.
• HEAR application will be integrated for SSO via policy agent. The end user must first authenticate to AMS via one of the available authentication methods prior to accessing HEAR.
• Access to the HEAR application is through Open SSO and is initiated from AMS by the passing of the AMS Username.
• On-going HEAR account linking and maintenance in AMS will be performed using the Role Assignment Services. HEAR application has identified a set of administrators who will have access to the Role Assignment Services in AMS and who will be responsible for HEAR account linking/maintenance in AMS.

3. Managing Accounting Credit Card System (MACCS) Integration
• MACCS is HHS’s credit card management tool.
• MACCS application will be integrated for SSO via policy agent. The end user must first authenticate to AMS via one of the available authentication methods prior to accessing MACCS.
• Access to the MACCS application is through Open SSO and is initiated from AMS by the passing of the user’s HHSID.
• On-going MACCS account linking and maintenance in AMS will be performed using the Role Assignment Services. MACCS application has identified a set of administrators who will have access to the Role Assignment Services in AMS and who will be responsible for MACCS account linking/maintenance in AMS.

4. GovNET-NG Integration
• GovNET-NG is HHS’s data mining application.
• GovNET-NG application will be integrated for SSO via policy agent. The end user must first authenticate to AMS via one of the available authentication methods prior to accessing GovNET-NG.
• Access to the GovNET-NG application is through Open SSO and is initiated from AMS by the passing of the user’s HHSID.
• On-going GovNET-NG account linking and maintenance in AMS will be performed using the Role Assignment Services. GovNET-NG application has identified a set of administrators who will have access to the Role Assignment Services in AMS and who will be responsible for GovNET-NG account linking/maintenance in AMS.

5. Optimization of Validation for Certificate Revocation List (CRL)
• Optimized certificate revocation list (CRL) validation to improve AMS systems’ performance during peak PIV authentications.
• A Certificate Revocation List (CRL) is a list of certificate serial numbers of revoked certificates and associated data (e.g., revocation reason).
• To address the insufficient memory resulting from too many concurrent PIV authentications, custom code will be developed to process and manage CRLs with reduced memory usage.
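The CRL optimization described in item 5 above (and in the New Features summary) is stated only as "process and manage CRLs with reduced memory usage". The following is an added illustration of that idea, not AMS's code: the revokedCertificates element of a CRL is walked as raw DER and only the serial numbers are retained in one frozenset per issuer, which every concurrent PIV authentication shares until the CRL's nextUpdate passes. The DER helpers, the loader callback, epoch-second timestamps and the sample CRL list are all assumptions made for the example; signature checking of the CRL is out of scope here.

```python
import threading
def _der_len(n):  # DER length: short form below 128, else 0x80|count followed by big-endian bytes
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def der_int(value):  # (bit_length+8)//8 bytes keeps the sign bit clear for positive serials
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def _read_tlv(buf, pos):
    """Return (tag, body_start, body_end) of the DER TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, pos + 2, pos + 2 + first
    n = first & 0x7F
    start = pos + 2 + n
    return tag, start, start + int.from_bytes(buf[pos + 2:start], "big")

def iter_revoked_serials(revoked_der):
    """Yield each entry's serial INTEGER from a revokedCertificates SEQUENCE OF; dates and extensions are skipped."""
    tag, pos, end = _read_tlv(revoked_der, 0)
    while pos < end:
        etag, ebody, eend = _read_tlv(revoked_der, pos)
        stag, sbody, send = _read_tlv(revoked_der, ebody)
        if tag != 0x30 or etag != 0x30 or stag != 0x02:
            raise ValueError("malformed revokedCertificates structure")
        yield int.from_bytes(revoked_der[sbody:send], "big", signed=True)
        pos = eend  # skip revocationDate and any crlEntryExtensions without decoding them

class CrlCache:
    """One frozenset of revoked serials per issuer, parsed once under a lock and shared by all concurrent authentications until nextUpdate."""
    def __init__(self, loader):
        self._loader, self._lock, self._cache = loader, threading.Lock(), {}
    def is_revoked(self, issuer, serial, now):
        with self._lock:
            entry = self._cache.get(issuer)  # (frozenset_of_serials, next_update_epoch_seconds)
            if entry is None or now >= entry[1]:
                revoked_der, next_update = self._loader(issuer)  # loader is an assumed callback
                entry = (frozenset(iter_revoked_serials(revoked_der)), next_update)
                self._cache[issuer] = entry
        return serial in entry[0]

def build_revoked_list(serials, utc_time=b"120611120000Z"):
    """Constructed sample revokedCertificates element for testing (not a real CRL)."""
    return der(0x30, b"".join(der(0x30, der_int(s) + der(0x17, utc_time)) for s in serials))
```

A full CRL wraps this element inside tbsCertList; the same walker can be pointed at that element after the outer SEQUENCE, version, signature, issuer and times have been skipped with _read_tlv.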

6. Accept externally-issued and approved HSPD-12 Personal Identity Verification (PIV) card
• The existing PIV authentication module will be enhanced to allow and accept externally-issued and approved HSPD-12 PIV cards. For this release, only GSA PIV cards are accepted for authentication.
• For the one-time registration to be successful, a user should be inducted in SCMS and their profile should be created in AMS. Externally-issued PIV HSPD-12 access cards are only accepted for internal HHS Staff in this release.
• A first-time registration workflow will be presented to the GSA PIV card holder to link their PIV card to their AMS profile. Following a successful registration process, a new suffix will be created in AMS LDAP to store certificate information of users who log in to AMS using a GSA PIV card and whose CA is trusted by AMS.

7. Provide authentication logs to ArcSight, HHS’s behavioral analysis system.
• ArcSight is a behavioral analysis system that HHS uses to manage its security infrastructure by detecting anomalous IT behavior (e.g., multiple log-in attempts, unauthorized attempts to log in, etc.).
• The ArcSight detection engine will be provided with the login information logged by AMS through an hourly automated process that pulls incremental AMS login audit data and then transfers it on an hourly basis to a server maintained by CSIRC using Secure File Transfer Protocol (SFTP).
• The Hyperic monitoring capability will check the latest log file on a regularly scheduled basis, with resulting status notifications for predefined failures.
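The release notes describe the ArcSight feed (item 7 above and the New Features summary) only as an hourly incremental pull of login audit data plus a freshness check on the latest transferred file. The block below is an added example, not AMS's export job: it selects audit rows above a stored high-water mark so consecutive hourly runs neither skip nor duplicate entries, renders them in ArcSight's CEF format, and applies a Hyperic-style staleness check. The audit column names, the CEF field mapping, the thresholds and the sample rows are assumptions; the notes do not state AMS's actual record format.

```python
def cef_escape(value, header=False):
    """CEF escaping: header fields escape | and backslash; extension values escape =, backslash and newline."""
    s = str(value).replace("\\", "\\\\")
    return s.replace("|", "\\|") if header else s.replace("=", "\\=").replace("\n", "\\n")

def to_cef(row):
    """Map one AMS login audit row (assumed columns) to a CEF:0 line for ArcSight."""
    ok = bool(row["success"])
    header = "|".join(cef_escape(f, header=True) for f in (
        "HHS", "AMS", "4.2", "AMS-LOGIN-OK" if ok else "AMS-LOGIN-FAIL",
        "AMS login " + ("success" if ok else "failure"), 3 if ok else 5))
    ext = (f"rt={row['ts_ms']} suser={cef_escape(row['user'])} src={row['src_ip']} "
           f"cs1Label=authMethod cs1={cef_escape(row['method'])} "
           f"outcome={'success' if ok else 'failure'}")
    return f"CEF:0|{header}|{ext}"

def export_incremental(audit_rows, last_audit_id):
    """Return CEF lines for rows above the stored high-water mark (monotonic audit_id), in id order,
    together with the new mark the next hourly run should start from."""
    new = sorted((r for r in audit_rows if r["audit_id"] > last_audit_id), key=lambda r: r["audit_id"])
    return [to_cef(r) for r in new], (new[-1]["audit_id"] if new else last_audit_id)

def latest_log_status(log_mtimes, now, max_age_seconds=7200):
    """Freshness check in the spirit of the Hyperic monitor: the newest transfer file must be recent."""
    if not log_mtimes:
        return "MISSING"
    return "OK" if now - max(log_mtimes) <= max_age_seconds else "STALE"

# Constructed sample audit rows (not AMS's real schema); deliberately out of id order.
SAMPLE_AUDIT_ROWS = [
    {"audit_id": 1003, "ts_ms": 1339416300000, "user": "asmith", "src_ip": "10.0.0.7", "method": "PIV", "success": True},
    {"audit_id": 1001, "ts_ms": 1339412700000, "user": "jdoe", "src_ip": "10.0.0.5", "method": "Password", "success": True},
    {"audit_id": 1002, "ts_ms": 1339416000000, "user": "svc=acct", "src_ip": "10.0.0.9", "method": "Password", "success": False},
]
```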

8. New BIIS-AMS data synchronization.
• A three-step process: downloading the BIIS feed file to a data table from a BIIS server; synchronizing this data with AMS through ActiveSync to update matching AMS profiles with the EHRP Employee ID (EMPLID) and Retirement codes based on full SSN; and uploading the updated BIIS data back to the same BIIS server via an upload script which includes, among other attributes, HHSID and email address of all AMS profiles that have an EHRP employee ID in AMS.
• As an enhancement to the current BIIS-AMS feed file download process, the new BIIS-AMS upload feed file process includes providing the HHSID and email address back to BIIS while updating AMS profiles with the EHRP Employee ID (EMPLID = EHRP Employee ID) and the Retirement Code.
• A script will be deployed on AMS to periodically retrieve the BIIS-AMS feed file, parse it and import it into a staging table.
• AMS will read from the table and extract EHRP employee identity attributes, which are then synchronized in AMS using full SSN as the correlation key.

9. Other enhancements
1. Conditional display of myPay link in AMS based on active Federal Staff who exist in EHRP (to exclude Public Health Service Commissioned Corps (PHSCC)). The myPay hyperlink will be visible on the AMS homepage to EHRP federal "employees" when they are authenticated using AMS, but will exclude the Public Health Service Commissioned Corps, i.e. employees who don’t have an HHS employee ID (EHRP EMPLID).
2. For each of the ActiveSyncs configured in AMS, a status email is sent to identified recipients with the results of the ActiveSync run after completion.
3. Update ITAS ActiveSync to remove any exception roles that were manually created using the Role Assignment Service when the ITAS account is terminated in ITAS. If a PIV exception role was assigned to an ITAS user who turns inactive in ITAS following the PIV exception role assignment, the ITAS ActiveSync will remove the PIV exception role in addition to removing the ITAS-specific application role. Audit entries will also be captured.
4. Update EWITS ActiveSync to remove any exception roles for Transhare, Parking, and EWITS users that were manually created using the Role Assignment Service when the EWITS account is terminated in EWITS. If a PIV exception role was assigned to an EWITS, Transhare or Parking user and that user turns inactive in EWITS following the PIV exception role assignment, the EWITS ActiveSync will remove the PIV exception role in addition to removing the EWITS-specific application role. Audit entries will also be captured.

III. Summary of Defect Fixes:

1. A defect in OpenSSO that incorrectly caches EHRP realm values as Realm=/eOPF was discovered. The fix was to correct the incorrect realm value being passed into OpenSSO as Realm=/.
