ROSS Migration/Registration Contents IQSweb V3.0.1 ROSS Connection Requirements... 2 Test Agency Network Connectivity to ROSS... 3 FIREWALL Exceptions... 3 FIREWALL Exception Justification... 4 ROSS Interface Migration... 4 Installing the ROSS SSL Certificate... 5 ROSS User Accounts... 14 ROSS Registration... 15 Test IQSweb to ROSS connection... 15 Register Your IQSweb System with ROSS... 16 Disable Pre-Registration Script... 19 Synchronize IQSweb with ROSS... 21 IQSweb ROSS Management Send Updates... 22 Page 1 of 22
IQSweb V3.0.1 ROSS Connection Requirements IQSweb V2.0 and higher uses web services to pass information between IQS and ROSS (Resource Ordering and Status System). The legacy method for uploading data to ROSS via XML files will be disabled March 18, 2013. In order to communicate directly between your IQSweb V3.0.1 application server and ROSS the following actions will be required. Requirement 1. Test agency network connectivity to ROSS When to do this See section Test ROSS Connectivity below for the specific steps to test the connectivity. If the test passes, you will NOT need to create the firewall exceptions in #2 below. 2. Create Firewall Exceptions This step will need to be done by your state IT department and could require a lengthy approval process. See section FIREWALL Exceptions below for the specific exception rules to be set up. For more details that could help justify this request to your State s IT department, see section Firewall Exception Justification. This step must be complete prior to installing the security certificate. 3. Install ROSS SSL Certificate. Specific instructions for getting and installing the security certificate are found below in Installing the ROSS SSL Security Certificate. The certificate was created using Open ssl 1024 bit encryption, using x509, converted to DER format. Page 2 of 22
Test Agency Network Connectivity to ROSS The following URL should be accessible from the IQSweb application server. Please copy the link into your browser address bar to conduct this test. You will receive a security alert, select Yes to proceed. PROD ESB IQS: https://esb01.nwcg.gov:15556/soap/ross If the test is successful, the result will be a page of xml similar to the page shown below. A successful test means you do not need to create any firewall exceptions SAMPLE Successful ROSS Connection Page If the test fails, you will see the Page Cannot Be Displayed in your browser. A test failure means that you will need to work with your IT department to create a fire wall exception. FIREWALL Exceptions In order to communicate directly between your IQSweb application server and ROSS the following firewall exceptions may need to be set up: 1. Static IP address - when a firewall exception is setup, the exception can target the IQS computer specifically. 2. ROSS Production - Firewall rule created to open an outbound connection on port 15556 over TCP to the IP address 162.79.25.30. 3. No inbound connection is needed since IQSweb initiates all communication with ROSS. 4. Run the ROSS Connectivity test again to ensure the firewall exceptions are correctly applied. This test must pass before IQSweb to ROSS communication can be established. Page 3 of 22
FIREWALL Exception Justification The Resource Ordering and Status System (ROSS, http://ross.nwcg.gov ), is a critical part of National Incident Management and the data from IQSweb is a major contributor to ROSS. Due to changes in ROSS, some of which are driven by Department of Homeland Security requirements, as well as desired improvements in ROSS integration within IQSweb, the interface to ROSS and the data transport involved, are changing. These changes may require some minor changes to your agency s firewall / proxy configuration to facilitate the continued transfer of data between your IQSweb system and ROSS. The integrated ROSS interface in IQSweb 3.0.1 uses an SSL tunnel that relies on a ROSS provided SSL Certificate. This Certificate is already funded, so there are no initial or recurring costs for using this Certificate. The SSL Certificate will need to be installed on the IQSweb Application server. A specific TCP/IP network transport TCP port will need to be available to the IQSweb Application server for the data transfer through the SSL tunnel to occur. Technical details of these requirements are listed below. As of March 18, 2013 agencies that interact with ROSS must implement these changes. The changes required include the conversion to IQSweb 3.0.1 or higher, installation of the SSL Certificate, and the network transport changes listed above. Of course, it is important to work on these changes now. We understand that some agencies have considerable work to do, with multiple levels of organizational approval needed, to accomplish these tasks. An agency s personnel, who currently have ROSS IDs and interact with ROSS, can request the SSL Certificate by calling the ROSS Helpdesk. Agency IT personnel will have to coordinate with these individuals when they are ready to implement the SSL certificate on the IQSweb Application server. ROSS Interface Migration Install or upgrade to the latest version of IQSweb. When you are ready to switch to the ROSS interface send an email request for the ROSS security certificate to the ROSS Help Desk (866 224-7677) at helpdesk@dms.nwcg.gov. You email request must contain: 1. Subject and Body: Copy and paste the following template with your specific information into the email Subject. 2. Attach Report: Go into IQSweb, run the report Dispatch and Provider by Org level to identify personnel to be merged with existing ROSS records. This report should be saved as a PDF and attached to this email request. If you have not yet identified dispatch and providers for all your resources, then proceed with this step by sending the email without the report attachment. Page 4 of 22
Follow-up later by running this report after you have entered dispatch and providers and then email the report to the help desk or clearinghouse data stewards. Copy and paste the following into your email request: Subject: ROSS Certificate Request for IQS-ROSS Interface Body: The State of (state name) or Dispatch Center (Unit ID of Dispatch Center) is requesting a certificate to permit the use of the Enterprise Service Bus (ESB) from IQSweb to ROSS Production. IQS Unit Contact Name: Phone Number: Email: Availability for the next 3-5 days: <work hours, time zone> Name of agency being migrated :<State Unit Name and NWCG Code>, <Dispatch Name(s) and NWCG Code(s) example: Orange County ECC CA-OSCC. Number of records in IQS database? IQS IT Contact Name: Phone Number: Email: Availability for the next 3-5 days: <work hours, time zone> End of copy You will receive an acknowledging email with a Trouble-Ticket (TT) number from the Help Desk usually within a day. This starts the process of switching everyone in your state to the interface method of communicating to ROSS. Someone from ROSS will contact you directly to schedule the day to install the ROSS security certificate Installing the ROSS SSL Certificate The ROSS SSL Security Certificate must be installed as an administrator on the computer where you have installed the IQSweb Application. If you are using a multi-server configuration, install the certificate on the IQSweb Application Server. On the scheduled cutover date you will receive instructions on how to obtain the ROSS SSL Certificate. Please Note: If you are logged in with a normal computer account, it may appear that the certificate is successfully installed, but it may only be available to that account. If Page 5 of 22
you want the certificate available to all users (and to IQSweb) it must be installed by a user logged in an administrator account. Follow the steps below to install the security certificate: 1. Obtain the ROSS SSL Security Certificate and file it in an accessible drive location. 2. On the computer where you have installed the IQSweb application, log in as an administrator. Go to Start->Run. Type in certmgr.msc and click OK. 3. The Certificates Manager will appear, expand the folder titled "Trusted Root Certification Authorities". Right-click on the Certificates folder. Select "All Tasks", then select "Import". Page 6 of 22
4. The Certificate Import Wizard screen is displayed. Click Next to continue. Page 7 of 22
5. Browse to the location of the certificate. You will not see the certificate until you change the "Files of Type" dropdown list of 'All Files (".") Click Open. Page 8 of 22
6. Click "Next". Page 9 of 22
7. Make sure the "Place all certificates in the following store" radio button is selected. The certificate store should be "Trusted Root Certification Authorities". If this is not the certificate store, then click Browse to find and select Trusted Root Certification Authorities. Click Next to continue. Page 10 of 22
8. Make sure the Show physical stores checkbox is selected. Then expand the Trusted Root Certification Authorities item and select Local Computer. Click OK. Page 11 of 22
9. Back in the Certificate Import Wizard, click Finish. Page 12 of 22
10. You will see a prompt that states that the import was successful. Page 13 of 22
ROSS User Accounts Those IQSweb users who will be responsible for moving records from IQS to ROSS will need a ROSS user account. In addition to the basic user rights, the user will need additional rights granted to them by their specific ROSS dispatch center. If you are not a current ROSS user, you will need to apply for a new ROSS user account. o o o Specific instructions on creating a new user account can be found on the ROSS website at http://ross.nwcg.gov/user_support.html and a user reference card for creating a new account can be found http://ross.nwcg.gov/quick_ref/qf_how_to_request_a_nap_user_account.pdf You will need a unique email address for each ROSS user and You will need contact information for the ROSS dispatch center manager who will verify your account with the ROSS help desk. If you are a current ROSS user, you will need to have some modifications made to your user account. Contact your ROSS dispatch center manager to ensure your account has the correct permissions. Provide your dispatch center with specific instructions for setting up a ROSS Account for an IQSweb user that can be found on the ROSS website at http://ross.nwcg.gov/quick_ref/qf_ross_accounts_for_iqsweb_2011_0203.pdf ***CRITICAL STEP - ALL ROSS USERS*** Before you begin the process to register the IQSweb interface with ROSS, please be sure that your ROSS username and password are current. If your password has expired or you have a new ROSS username and password, you will need to use the NAP application portal to reset your password. The following quick reference cards will help you to create an account and reset your password. http://ross.nwcg.gov/quick_ref/qf_how_to_request_a_nap_user_account.pdf http://ross.nwcg.gov/quick_ref/retrieving_a_forgotten_user_id_or_password.pdf Please click the following link to access the NAP: https://nap.nwcg.gov/nap/ Page 14 of 22
ROSS Registration To begin using the IQSweb ROSS Management through web services, you must have successfully installed IQSweb V3.0.1 or higher and the ROSS security certificate. In addition, your IQSweb server must have the correct ports opened for ROSS communications with IQSweb. You must also have a valid ROSS user id and password with the appropriate roles to send messages from IQSweb to ROSS. Test IQSweb to ROSS connection Prior to registering your system with ROSS, test the IQS-ROSS connection. This check is performed when the user clicks on the About link on the lower left corner of their IQSweb screen. The results of the check are displayed to the user on the About IQSweb screen to the right of the ROSS Connection label. The items being tested include: Validate that the certificate has been installed in the correct location. Validate the network connectivity is working. Validate that the firewall allows the connection to ROSS. Unsuccessful Connection Message Successful Connection Message If you receive an unsuccessful connection message you will need to work with your IT department to rectify the problem. Page 15 of 22
Register Your IQSweb System with ROSS When IQSweb V3.0.1 is registered with ROSS, a unique system id is created for the IQSweb database. Every IQSweb database that will be used to communicate with ROSS needs to register this unique id with ROSS. Registering system can be done by an IQS Manager or Data Entry person that has a valid ROSS username and password with and the ROSS role of Data Manager or Services Access Only. The system registration is only performed one time for an IQSweb database. The Register System command is accessed from the ROSS Management/Send Updates screen and must be successfully sent before any other ROSS updates can be processed. The filters are not active on the ROSS Management/Send Updates screen until the system has been successfully registered. Steps: 1. Select ROSS Management from the ROSS menu. The Send Updates tab is displayed and you will see a message on the screen Register System. No other Updates can be processed until the System is Registered with ROSS. 2. From the Send Updates tab, enter your ROSS Username and Password at the bottom and click Send Updates. 3. You will see the IQS Processing banner. Once the banner is gone, you should see the Update Pending message added to the main area of the screen indicating that your request has been successfully sent to ROSS for processing. Page 16 of 22
4. Click on the Retrieve Results tab to complete the system registration. 5. Enter your ROSS username and Password and click the Retrieve Results button. Page 17 of 22
6. Once the IQS is Processing banner is gone, you will see the Success message on your screen indicating a successful system registration. 7. DO NOT click the refresh button! 8. Contact ROSS Help Desk when System registration is complete and state that ROSS connectivity was successful and the Trouble Ticket (TT) can be closed. 9. IMPORTANT! Go to the next section to proceed with the registration process. To complete this step, you will have to have your agency IT person run an SQL script that disables the ROSS preregistration process that was used by the other states. NOTE: If you did click the refresh button or clicked on the Send Updates tab, you may see several records that appear to need processed. The script that is run in the next steps removes those records. Please proceed to the next section before processing any records in ROSS Management. Page 18 of 22
Disable Pre-Registration Script A majority of IQS users converted to ROSS management in 2010. At that time users were allowed to pre-register their resources with the Resource Clearinghouse. This option is no longer available. An SQL script must be run against your IQSweb database to disable preregistration. Follow the steps below to run the script: 1. Download the file StopPreregistration.zip from www.vdatasys.com. To perform the following steps, the person will need to have access to SQL Server Management Studio and be able to log into the IQSweb database. 2. Navigate to the location where the StopPreregistration.zip file was downloaded. Unzip the file. Double-click on the file StopPreregistration.sql. Microsoft SQL Server Management Studio should open. (If Microsoft SQL Server Management Studio does not open, right-click on StopPreregistration.sql, select Open With, and click on Microsoft SQL Server Management Studio. 3. When prompted to connect to a database engine, select SQL Server Authentication in the Authentication dropdown and enter the IQSweb database username and password. Click Connect. 4. Look for a dropdown window that lists available databases. (When the mouse hovers over the dropdown a label called Available Databases is displayed.) Change the selected database to the IQSweb database. Page 19 of 22
5. Go to the Query menu and select Execute. Page 20 of 22
6. After a second or so delay, a new message window will appear at the bottom of Microsoft SQL Server Management Studio Express that displays (XXXX row(s) affected). In addition, in the status bar, a message will appear displaying Query executed successfully. Synchronize IQSweb with ROSS To synchronize IQSweb resources with ROSS it is necessary to send an update of the information for each ROSS IQSweb resource to ROSS so that the data in IQSweb and ROSS is synchronized. Contact your IQSweb regional representative to verify you have your data ready to be synchronized with ROSS. www.vdatasys.com Contact information, IQS Projects Contacts. You must coordinate with the ROSS Data Stewards before continuing with your ROSS registrations through IQSweb. Before going any further contact Mary Toews at the email or phone below. Mary Toews ROSS Clearinghouse mtoews@fs.fed.us office: 208-387-5493 Page 21 of 22
After coordinating with Mary, proceed with sending registering your persons in ROSS through the IQSweb interface. IQSweb ROSS Management Send Updates Updating ROSS is basically a 2 step process. First the update is sent to ROSS and then the results need to be retrieved. The first 2 tabs in the ROSS Management interface are used to accomplish these 2 steps. If errors occur, they are handled by the Unresolved Results tab. Refer to IQSweb help for specific instructions on using the IQSweb ROSS Management interface. A person in IQSweb must be checked as a ROSS resource in the Person/Org screen and have current valid qualifications before that individual will appear in your ROSS/Management Send Updates tab. Once you have ensured the appropriate individuals in your database have been marked as ROSS resources, go to the ROSS Management screen. Those individuals will be listed in the Send Updates tab with an update type of Register. Enter your ROSS username and password and click the send updates button. Next, go to the retrieve results tab and enter your username and password to retrieve results. Some results retrieved may indicate the resource clearinghouse has detected a possible duplicate with the resource you are registering. For example, a duplicate could be detected between a resource you are registering and a resource that was either directly entered into ROSS or uploaded using the IQS legacy method. You will need to go to the Get Notifications tab to get notifications such as the clearinghouse ID information for a resource you are registering. The Resource Clearinghouse data stewards will contact you with further questions and instructions if the duplicate cannot be resolved. It is important that you work through any unresolved results until all of your ROSS management tabs are clear of resources. After completing a successful registration for a resource, the person will be listed in the Send Updates tab with an update type of Create to send their profile and qualification information to ROSS. You may also see other update types listed, such as Delete, depending on how some of your errors were resolved. All these updates are processed in the same way that you will continue to process ROSS updates over time. Note: When uploading a person using ROSS management you will need to cycle through Send Updates for the following: Register, Create, Update qualifications. Follow the steps above for each of these. Note: Once you begin using ROSS Management in IQS, all your ROSS records will have IQS as the source record. These qualifications must be updated in IQS and can no longer be updated using ROSS. Page 22 of 22