Authentication Proxy for the VistA Hospital Information System
William Majurski, Information Technology Laboratory
RDOH’98
Department of Veterans Affairs Hospital System
• Serves medical needs of veterans
• 170+ medical centers
• 400+ outpatient locations
• Organized by region
VistA
• Veterans Health Information Systems and Technology Architecture
• DHCP (Decentralized Hospital Computer Program)
• Server written in M (MUMPS)
  – Timesharing
  – Client/Server
• Administration - site/region
Installed NT Network
• Currently supports administrative functions
• Uses NT Domain Model
  – Domain Controller
  – Centralized administration
Basic Client/Server
(Diagram: Client WS connected to the M Server over the native ORB)
Problem Statement
• User population more mobile
  – Providers & patients dealing with more than one site
• VistA network of computing services becoming more tightly integrated.
• Current authentication scheme (userid/password) poses problems.
Problem Statement (cont.)
• Each user must have account on each system associated with his patients.
• Must remember account names & passwords.
• Repeated authentication is time consuming and distracting.
Approach
• Authentication Proxy
  – Network service that bridges the security environments of
    • Underlying network environment (NT)
    • Hospital information system
• Solves
  – Multiple account and repeated authentication problems.
Approach Specifics
• Authentication Proxy that translates NT authentication into VistA authentication
• Map NT user identity -> VistA user identity
• Automatically creating map
• Event log
NT Authentication
• NT Domain
  – Collection of workstations and servers
  – Identified by domain name
  – Managed from single administrator’s account
• User login
  – To domain
  – Servers trust domain controller
  – Servers can identify user account
Critical Technology
• Security Support Provider Interface (SSPI)
• API to integrated security services
• Accessibility:
  – Direct calls to API
  – RPC
  – Distributed Common Object Model (DCOM)
Authentication Proxy
• Runs on a server running NT
• Talks SSPI to the client via DCOM
• Tightly coupled with M Server
Architecture
(Diagram: Client WS on NT, Authentication Proxy on NT, M Server on NT (maybe); the client and the proxy communicate over DCOM)
Userid/Password
(Diagram: Client WS and M Server (NT, maybe); the existing userid/password exchange)
Client WS -> M Server: Setup
Client WS <- M Server: Challenge
Client WS -> M Server: Userid/password
Client WS <- M Server: Valid
Authenticate with Proxy
(Diagram: Client WS, Authentication Proxy and M Server; the client and the proxy communicate over DCOM)
1. Client WS -> Authentication Proxy: Auth[user]
2. Authentication Proxy -> M Server: Auth(NT user, Token)   [NT User -> M User map]
3. Authentication Proxy -> Client WS: Token
4. Client WS -> M Server: Token
Token record: Token, NT user, expiration
User Map Initialization
• NT identity from Authentication Proxy
• M Server identity from login/password
Proxy Initialization
• M Server administrator must trust proxy
• On M Server
  – Special account with password
  – Security key (controls access to map object)
• On proxy
  – Install account/password
Multiple M Servers
• Authentication Proxy can handle multiple M Servers
• M Server can trust multiple Authentication Proxies
Event Logging
• Each authentication attempt is logged
• Information:
  – NT user
  – M user
  – Application context (application object)
  – Patient
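The token exchange on the "Authenticate with Proxy" slide, the first-login map creation on the "User Map Initialization" slide, and the per-attempt event log above, worked through as one small Python simulation. This is an added example, not the project's own 200/300-line M and proxy code: the SSPI/DCOM step is stood in for by an NT user name the proxy is assumed to have verified already; the proxy-to-M-Server trust from the "Proxy Initialization" slide is modelled as a shared secret (SHARED_SECRET, constructed) used to tag each token record; the token lifetime, every account, user name, application name and patient id are constructed. Tokens are random, expire, and are single-use, so a replayed or stale token is refused and logged, and every attempt leaves a record with the four fields the slide lists.

```python
import hashlib
import hmac
import secrets
import time

# Assumed: one secret installed on both proxy and M Server when the proxy is set up
# (standing in for the slides' special account/password); constructed value.
SHARED_SECRET = b"example-proxy-install-secret"


def _tag(secret, token, nt_user, expires):
    """MAC over a token record, so the M Server accepts records only from a trusted proxy."""
    return hmac.new(secret, f"{token}|{nt_user}|{expires}".encode(), hashlib.sha256).hexdigest()


class MServer:
    """M Server side: NT-user -> M-user map, pending tokens, and the event log."""

    def __init__(self, secret, m_accounts):
        self.secret = secret
        self.m_accounts = dict(m_accounts)  # M user -> password (constructed, plain text for brevity)
        self.user_map = {}                  # NT user -> M user, empty until initialized at first login
        self.pending = {}                   # token -> (NT user, expiration)
        self.log = []                       # one record per authentication attempt

    def _record(self, outcome, nt_user, m_user, application, patient):
        self.log.append({"outcome": outcome, "nt_user": nt_user, "m_user": m_user,
                         "application": application, "patient": patient})

    def register_token(self, token, nt_user, expires, tag):
        # Step 2: the proxy hands over (token, NT user, expiration); refuse unless tagged with the shared secret
        if not hmac.compare_digest(tag, _tag(self.secret, token, nt_user, expires)):
            raise PermissionError("token record not from a trusted proxy")
        self.pending[token] = (nt_user, expires)

    def _redeem(self, token, now):
        """Single-use, time-limited redemption: the NT user, or None if unknown, replayed or expired."""
        entry = self.pending.pop(token, None)
        if entry is None:
            return None
        nt_user, expires = entry
        return nt_user if now <= expires else None

    def login_with_token(self, token, application, patient=None, now=None):
        # Step 4: the client presents the token in place of a userid/password
        now = time.time() if now is None else now
        nt_user = self._redeem(token, now)
        if nt_user is None:
            self._record("rejected-token", None, None, application, patient)
            return None
        m_user = self.user_map.get(nt_user)
        if m_user is None:
            self._record("unmapped", nt_user, None, application, patient)
            return None
        self._record("success", nt_user, m_user, application, patient)
        return m_user

    def initialize_map(self, token, m_user, password, now=None):
        # User map initialization: NT identity from the proxy's token, M identity from login/password
        now = time.time() if now is None else now
        nt_user = self._redeem(token, now)
        password_ok = hmac.compare_digest(self.m_accounts.get(m_user, ""), password)
        if nt_user is None or not password_ok:
            self._record("map-init-failed", nt_user, m_user, "map-init", None)
            return False
        self.user_map[nt_user] = m_user
        self._record("map-init", nt_user, m_user, "map-init", None)
        return True


class AuthenticationProxy:
    """Proxy side; the NT identity is assumed to have been verified already via SSPI over DCOM."""

    def __init__(self, m_server, secret, ttl=60):
        self.m_server = m_server
        self.secret = secret
        self.ttl = ttl  # token lifetime in seconds (assumed; the slides give no value)

    def authenticate(self, nt_user, now=None):
        # Step 1: Auth[user] from the client; step 2: register with the M Server; step 3: token to the client
        now = time.time() if now is None else now
        token = secrets.token_hex(16)
        expires = now + self.ttl
        self.m_server.register_token(token, nt_user, expires, _tag(self.secret, token, nt_user, expires))
        return token


def demo():
    """Walk the exchange: the first login initializes the map, later logins need only the token."""
    m = MServer(SHARED_SECRET, {"MUSER1": "m-pass"})  # constructed M account
    proxy = AuthenticationProxy(m, SHARED_SECRET, ttl=60)
    nt_user, t0 = "EXAMPLE\\provider1", 1_000_000.0   # constructed NT user and clock
    first = m.login_with_token(proxy.authenticate(nt_user, now=t0), "example-app", now=t0)
    m.initialize_map(proxy.authenticate(nt_user, now=t0), "MUSER1", "m-pass", now=t0)
    user = m.login_with_token(proxy.authenticate(nt_user, now=t0 + 5), "example-app", patient="P123", now=t0 + 5)
    stale = proxy.authenticate(nt_user, now=t0)
    expired = m.login_with_token(stale, "example-app", now=t0 + 61)   # past its expiration
    replay = m.login_with_token(stale, "example-app", now=t0)         # already consumed
    return first, user, expired, replay, [e["outcome"] for e in m.log]


if __name__ == "__main__":
    print(demo())
```

The first token redemption fails with "unmapped" because no NT-to-M pair exists yet; the map is created only after the user also proves the M identity with a login/password, after which a fresh token alone suffices. The event log keeps the rejected attempts as well as the successes, which is what makes the "Event Logging" slide's record useful for review.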
Object Technology +
• All the detail protocol handling
  – Provided by vendors
  – Managed by objects.
• Very small amount of code to be maintained
  – 200 lines M Server
  – 300 lines Proxy.
• Value of objects - packaging for reuse.
Object Technology -
• Must understand many aspects of object
  – methods, initialization, interactions
• New uses for old objects
  – Documentation from “wrong angle”
• Comes with much integration (context)
  – Good as long as it is the right integration.
• Reuse battle has just begun
Thank You.