Symantec VIP Integration Guide For Epic Hyperspace


Table of Contents

Using Symantec VIP with the EPCS workflow in Epic Hyperspace
System requirements
Integrating VIP with Epic Hyperspace
    Configure VIP Enterprise Gateway
    Configure the VIP Epic plug-in
    Install the VIP Epic plug-in
    Configure Hyperspace
Troubleshooting the VIP integration with Epic Hyperspace
Copyright statement

Using Symantec VIP with the EPCS workflow in Epic Hyperspace

Symantec VIP is a cloud-based authentication service that lets enterprises securely authenticate online transactions, meet compliance standards, and reduce fraud risk through multi-factor authentication. VIP is based on the open standards of OATH, an industry-wide consortium working with other groups to promote widespread strong authentication.

In the Electronic Prescription of Controlled Substances (EPCS) workflow, medical professionals must provide secondary authentication when prescribing controlled substances. Integrating VIP with Epic Hyperspace lets a medical professional use a VIP authenticator to generate a security code as the secondary authentication. The VIP authenticator can be a VIP Access mobile app or desktop app, a security token or key, or a security card.

EPCS workflow

EPCS transaction authentication workflow illustrates VIP multi-factor authentication as part of the EPCS workflow for a medical professional.

In this illustration, the doctor has signed into the Epic EHR client application (Hyperspace) and completed a prescription online using the EPCS online workflow. When the doctor submits the request, Hyperspace authenticates the doctor before it submits the order for processing:

1. Hyperspace prompts the doctor for a security code.
   Using a VIP authenticator that is registered to the doctor through the VIP Service, the doctor generates a security code and enters the security code at the prompt.
2. Hyperspace sends the security code and a user ID to VIP Enterprise Gateway.
3. The VIP Enterprise Gateway validation server authenticates the user ID and security code with the VIP Service.
   The VIP Service sends an authentication response to VIP Enterprise Gateway.
4. If VIP Service successfully authenticates the user ID and security code, then VIP Enterprise Gateway returns an Access-Accept Authentication response to Hyperspace.
   Based on the Access-Accept Authentication response, Hyperspace submits the order for processing.

Refer to the following topics to learn more about the integration requirements and how the integration works:
- System requirements
- Integrating VIP multi-factor authentication into the EPCS workflow in Epic Hyperspace

System requirements

The environment that is supported in this integration is based on the following software:

Table 1: System requirements

Product: Description
Partner Product: Epic 2017, Epic 2018
VIP Enterprise Gateway: Version 9.8 or later
Authentication Method Supported: User ID – Security Code
Supported Platforms:
    Operating system:
    - Windows 8, 10 (32-bit)
    - Windows 8, 10 (64-bit)
    - Windows server 2012 R2
    - Windows server 2016
    Applications:
    - For Windows 8, 10 (32-bit), install Visual C++ 2012 x86 Update 4 Redistributable
    - For all others, install Visual C++ 2012 x64 Update 4 Redistributable
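The RADIUS exchange behind steps 2 to 4 of the EPCS workflow, as an added example (not Symantec or Epic code): it builds an Access-Request carrying the user ID and security code, and shows the client-side check that only an Access-Accept signed with the shared secret is trusted. It assumes the security code travels in the RFC 2865 User-Password attribute, which the guide does not state; `build_response` is a stand-in for the gateway, and the secret and security code are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2                          # RFC 2865 attribute types

def hide_password(code: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = code.ljust(max(16, -(-len(code) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def attr(attr_type: int, value: bytes) -> bytes:
    return bytes([attr_type, len(value) + 2]) + value

def build_access_request(ident, user_id, security_code, secret, req_auth=None):
    """Step 2: user ID plus security code (assumed to ride in User-Password)."""
    req_auth = req_auth or os.urandom(16)
    attrs = attr(USER_NAME, user_id.encode()) + attr(
        USER_PASSWORD, hide_password(security_code.encode(), secret, req_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth

def build_response(code, ident, req_auth, secret, attrs=b""):
    """Step 4 as a server would sign it (hypothetical stand-in for the gateway)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def is_authentic_accept(packet, ident, req_auth, secret) -> bool:
    """Trust only an Access-Accept whose Response Authenticator verifies."""
    if len(packet) < 20:
        return False
    code, rid, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or rid != ident:
        return False
    expected = hashlib.md5(packet[:4] + req_auth + packet[20:] + secret).digest()
    return code == ACCESS_ACCEPT and hmac.compare_digest(expected, packet[4:20])

if __name__ == "__main__":
    secret = b"constructed-shared-secret"          # constructed sample value
    request, ra = build_access_request(1, "bsmith", "123456", secret)
    genuine = build_response(ACCESS_ACCEPT, 1, ra, secret)
    unsigned = build_response(ACCESS_ACCEPT, 1, ra, b"some-other-secret")
    print(is_authentic_accept(genuine, 1, ra, secret))
    print(is_authentic_accept(unsigned, 1, ra, secret))
```

Both the hiding of the security code and the authenticity of the Access-Accept depend on the RADIUS shared secret alone, which is why the guide masks it in the plug-in configuration file.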

Integrating VIP with Epic Hyperspace

To integrate VIP multi-factor authentication into the EPCS workflow on Epic Hyperspace, complete the following procedures. See the Galaxy documentation, or contact your Client System Hyperspace and Desktop TS or Epic Application TS, for the most up-to-date procedures for configuring Hyperspace.

- Configure VIP Enterprise Gateway
- Configure the VIP Epic plug-in
- Install the VIP Epic plug-in
- Configure Hyperspace

Configure VIP Enterprise Gateway

Complete the following steps to add a Validation server to your VIP Enterprise Gateway instance:

1. Log on to VIP Enterprise Gateway and click the Validation tab.
2. Click Add Server. The Add RADIUS Validation server dialog box appears.
3. Configure the RADIUS validation parameters:

   Field: Action
   Vendor: Select Epic Systems from the drop-down list.
   Application Name: Select the vendor's application that you use, Hyperspace 2017.
   Authentication Mode: Select UserID – Security code. In this authentication mode, your Epic client application validates the first-factor (user name and password). VIP Enterprise Gateway validates the second-factor (user name and security code) with the VIP Service. Ensure that your first-factor validation works before selecting this authentication mode.

4. Click Continue to add the Validation server.

Continue with the next steps:

- Configure the VIP Epic plug-in
- Install the VIP Epic plug-in
- Configure Hyperspace

Configure the VIP Epic plug-in

Complete the following steps to configure the VIP Epic plug-in:

1. Log into VIP Manager and download the following software packages:
   - Account Download files Third Party Integrations Enterprise Gateway 9.8 Tools.zip. This package contains the camouflage utility you use to mask shared secret values in RADIUS configuration files.
   - Account Download files Third Party Integrations Enterprise Gateway 9.8 VIP EPIC.zip. This package contains the VIP Epic plug-in and the troubleshooting utility.
2. Unzip the Tools.zip file that you downloaded in the previous step to a temporary location and use the camouflage utility to prepare a masked RADIUS shared secret.
   Symantec recommends that you run the camouflage tool on the system where the configuration file that requires it resides. However, if other users can watch the commands that this user runs and potentially retrieve the arguments that are sent to commands, you may choose to run this utility on a different system (such as a dedicated administrator workstation). Additionally, you should stop or pause saving of your command history or purge your command history after completion of this task to prevent retrieval of the shared secret by another party with access to this system.

   On Windows:
   – Select the appropriate utility based on your operating system architecture:

     Operating System Architecture: Utility
     64-bit: Tools\windows8 xe

   – In the directory containing the appropriate version of the utility, enter the following command to mask the RADIUS shared secret:

     camouflage sharedsecret

     Where sharedsecret is the RADIUS shared secret to mask. The RADIUS shared secret can contain all the special characters except for the following: "

   On Linux:
   – Select the appropriate utility based on your operating system architecture:

     Operating System Architecture: Utility
     64-bit: Tools/linux x86-64/camouflage
     32-bit: Tools/linux/camouflage

   – Enter the following commands to mask the RADIUS shared secret and write it to a .txt file:

     cd Tools/linux/camouflage
     # Create the file with owner-only permissions before the secret is written to it
     touch secret; chmod 600 secret; cat > secret
     sharedsecret
     # (end the input with Ctrl+D) then feed the secret to the utility on standard input
     cat secret | ./camouflage - > sharedsecret.txt

     Where sharedsecret is the RADIUS shared secret to mask. The RADIUS shared secret can contain all the special characters except for the following: "

3. Unzip the VIP EPIC.zip file that you downloaded at the beginning of these procedures and configure the Epic plug-in.
   In a standard text editor, modify EpicConfig.txt. Replace the following values as appropriate.
   Do not modify the default values for RequestTimeOut or RequestRetries.

   Value: Description
   validation server ip 1: IP address of your VIP Enterprise Gateway Validation server.
   port: Port number on which your VIP Enterprise Gateway Validation server listens.
   encrypted secret: The masked RADIUS shared secret you generated in the previous step.
   SendDomainName: Enable multiple domain name support from Epic Hyperspace:
       - Set to 0 to disable multiple domain names (this is the default).
       - Set to 1 to enable multiple domain names.

Continue with the next steps:
- Install the VIP Epic plug-in
- Configure Hyperspace

Install the VIP Epic plug-in

You must install the VIP Epic plug-in on each of the client computers that host Epic Hyperspace. To install the plug-in, run the VIP Enterprise Gateway Epic Device.msi file as a user with administrator rights. The VIP Enterprise Gateway Epic Device.msi file is in the VIP EPIC.zip file that you downloaded earlier. You can run the file on the client computer manually, or use a group push. During installation, provide the EpicConfig.txt file that you modified earlier.

Continue with the next step:
- Configure Hyperspace

Configure Hyperspace

You must configure Hyperspace to add Symantec VIP multi-factor authentication in EPCS workflows.

The following procedures are accurate at the time of this writing. However, see the Galaxy documentation, or contact your Client System Hyperspace and Desktop TS or Epic Application TS, for the most up-to-date procedures for configuring Hyperspace.

1. In Chronicles, access the Authentication Devices (E0G) master file and go to Enter Data Create/Edit Device.
   - Enter a name for the device, such as Symantec VIP MFA.
   - Enter a new ID of 100000 or greater.
   - On the General Settings screen, fill out the following fields:
     – Description: Enter a description of the device, if desired.
     – Platform: Enter 1-Desktop.
   - On the Desktop Settings screen, enter SymcVIP.LoginDevice in the ProgID field. Use this ProgID for any authentication workflow or transaction workflow to which you add VIP multi-factor authentication.
2. Ensure that you have an Authentication Configuration Record defined:
   - In Chronicles, go to d %ZeUSTBL Hyperspace Miscellaneous Security Settings.
   - Ensure that there is an entry for Authentication Configuration Record.

3. If no Authentication Configuration Record is defined, then create and define one:
   - In Chronicles, go to d e e0a Enter Data Create Configuration.
   - Enter a unique ID and name for your Authentication Configuration record.
   - In the Config Type field enter Authentication Device Settings.
   - Repeat step 2 but this time, enter the name of your Authentication Configuration record into the Authentication Configuration Record field.
4. Open Hyperspace and go to Authentication Administration (Epic option Admin Access Management Authentication Administration).
   - Accept the active record (typically the Authentication Configuration record that you either verified or created).
   - Select the desired configuration level (such as System, Service Area, or Workstation).
   - In the Context field, select the first context for the workflow to which you are adding multi-factor authentication. In this example, it is E-Prescribing Controlled Medications - First Context.
   - Set the first authentication method you want users to be prompted with as the Primary Device. Typically this method is the standard user name and password workflow, Default Login.
   - In the Context field, select the second context to which you are adding multi-factor authentication. In this example, it is E-Prescribing Controlled Medications - Second Context.
   - Set Symantec VIP MFA as the Primary Device.
   - Click Accept.
5. Close and re-launch Hyperspace to allow the new configuration to take effect.

Troubleshooting the VIP integration with Epic Hyperspace

The VIP Epic integration package includes a troubleshooting utility to test the connection to the VIP Service. Run this utility to verify that the VIP Service can properly authenticate a security code that is sent manually from a client computer. Note that this utility does not test the connection to Epic Hyperspace.

1. In a temporary location on an Epic client computer that has access to the Internet, unzip the TestApp.zip file, located in the VIP EPIC.zip file that you downloaded from VIP Manager.
2. Copy the file StandAloneNETTester.exe from the temporary location to the location on this machine where you have installed the Epic Hyperspace DLLs (for example, C:\Program Files (x86)\Common Files\Epic\Interfaces).
3. Run the following command:

   StandAloneNETTester.exe

4. The MainForm screen appears. Enter SymcVIP.LoginDevice for the ProgID and click Authenticate.

5. The RequestForm screen appears. Next to Key enter UserID. Next to Value, enter the user ID of a registered VIP user. For example, enter bsmith.
6. Click Add Data, and then click Return True.
7. You are prompted to enter a security code. Enter the security code from an authenticator that is assigned to the VIP user entered previously and click Submit.

8. Verify that AuthenticationSucceeeded appears in the Results field of the MainForm screen.

Copyright statement

Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of Broadcom.

Copyright 2021 Broadcom. All Rights Reserved.

The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. For more information, please visit www.broadcom.com.

Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability, function, or design. Information furnished by Broadcom is believed to be accurate and reliable. However, Broadcom does not assume any liability arising out of the application or use of this information, nor the application or use of any product or circuit described herein, neither does it convey any license under its patent rights nor the rights of others.
