11109: Authentication Test

Prerequisites for this test

(1) Read the ATNA Testing Resources page before proceeding with this test.

(2) To perform this test, your digital certificate must be set up on your system (server and/or client).  Follow the instructions in test 11000 to obtain digital certificate(s) for your test system(s).

(3) You should create your ATNA Questionnaire (test 11106) prior to running this test.  

  • The ATNA Questionnaire has a "TLS Tests" tab that identifies the inbound /outbound communications you support.  
    • That tab determines which of the "Server" and "Client" tests that you must run below.  
    • You will also record your successful results on that tab.

Overview of the test

In this test, you will use the Gazelle Security Suite (GSS) tool (https://gazelle.ihe.net/gss) to verify that you are able to communicate with TLS clients and servers using digital certificates.

The GSS tool contains multiple client and server simulators that check:

  • transport over TLS 1.2 for each protocol you support (DICOM, HL7/MLLP, HTTPS/WS, or syslog),
  • cipher suite (TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 and the other suites listed in the table below),
  • certificate authentication (the simulator presents its certificate and requires yours).
    • Digital certificates for pre-Connectathon & Connectathon testing are generated by GSS.  See test 11100.

The TLS simulators available in the GSS tool are listed below (by their keyword), along with which test systems should use each one and how each simulator is configured:

Simulators: Server DICOM TLS 1.2 Floor, Server HL7 TLS 1.2 Floor, Server HTTPS/WS TLS 1.2 Floor, Server Syslog TLS 1.2 Floor

  • To be tested by: a Connectathon test system that supports the "STX: TLS 1.2 Floor option" and is a client that...
    • initiates a TLS connection with DICOM protocol
    • initiates a TLS connection with MLLP protocol (i.e., HL7 v2 sender)
    • initiates a TLS connection for a web services transaction
    • initiates a TLS connection to send an audit message over TLS syslog
  • Simulator configuration: TLS 1.2 with 4 'strong' ciphers:
    • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    You may test with just one of the ciphers.

Simulator: Server RAW TLS 1.2 INVALID FQDN

  • To be tested by: a Connectathon test system that is a client supporting the "FQDN Validation of Server Certificate option"
  • Simulator configuration: TLS 1.2 with the 4 'strong' ciphers listed above.  The server certificate has an invalid value for subjectAltName, so this simulator exercises your client's handling of a server certificate whose subjectAltName does not match the host it connected to.

Simulator: Client TLS 1.2 Floor

  • To be tested by: a Connectathon test system that supports the "STX: TLS 1.2 Floor option" and is a server that...
    • accepts a TLS connection with DICOM protocol
    • accepts a TLS connection with MLLP protocol (i.e., HL7 v2 responder)
    • accepts a TLS connection for a web services transaction
    • accepts a TLS connection to receive an audit message over TLS syslog
  • Simulator configuration: TLS 1.2 with the 4 'strong' ciphers listed above.

Location: Gazelle Security Suite (GSS) tool, https://gazelle.ihe.net/gss

Log in to the GSS tool

When logging in to GSS, you will use your username & password from Gazelle Test Management for your testing event.  There are separate CAS systems for different instances of Gazelle Test Management, and you will have to take this into account when logging in to GSS:

  • The European CAS is linked to Gazelle Test Management at http://gazelle.ihe.net/TM/ <---This will be used for the 2022 IHE EU/NA Connectathon
  • The North American CAS is linked to Gazelle Test Management at https://gazelle.iheusa.org/gazelle-na/
  • If you don't have an account, you can create a new one on the Gazelle Test Management home page.

On the GSS home page (http://gazelle.ihe.net/gss) find the "Login" link at the upper right of the page.  

  • Select either "European Authentication" or "North American Authentication"
  • Enter the username and password from either Gazelle Test Management linked above.

Instructions for outbound transactions (Client side is tested)

If your test system (SUT) does not act as a client (i.e., does not initiate any transactions), skip this portion of the test and only perform the Server side test below.

If your SUT acts as a client, it must be able to reach the public IP address and port of the TLS server simulators; you test your client by connecting to the Server Simulators in the Gazelle Security Suite tool.

1. On the home page for the Gazelle Security Suite, select menu TLS/SSL-->Simulators-->Servers to find the list of server simulators.  There are servers for different protocols (DICOM, HL7...) and for different ATNA options (e.g., TLS 1.2 Floor...).

  • You will test only the protocols you support -- those listed on the "TLS Tests" tab of your ATNA questionnaire.

2. Configure your client to connect to the test TLS server.

3. Check that the server is started before trying to connect to it: click on the link for the server you want and look for status "Running".

4. In your SUT, perform a connection (e.g., send a query) to the test server.  The TLS handshake is what is being checked; at the transaction level you will get invalid replies, because the simulator does not implement the application protocol.

5. You should then get a time-stamped entry in the results list at the bottom of the page.  A blue dot means OK, red means NOT OK.

6. For each successful connection, view the result with the icon in the "Action" column.  Copy the Permanent link (URL) to the result into your ATNA Questionnaire, on the "TLS Tests" tab.  The link must be formatted like https://.../connection.seam?id=...

7. Repeat these steps for each supported protocol (HL7v2, DICOM, Syslog server, ...); e.g., if your system has no DICOM capabilities, you can skip that portion of the test.

Instructions for inbound transactions (Server side is tested)

If your test system (SUT) does not act as a server (i.e., does not respond to any transactions initiated by others), skip this portion of the test and only perform the Client side test above.

If your SUT acts as a server (i.e. a responder to IHE transactions), your server must be accessible from the outside so that the GSS tool, as a client simulator, can connect to your SUT. 

1. On the home page for the Gazelle Security Suite, select menu TLS/SSL-->Simulators-->Clients to find the list of client simulators. 

2. In the "Start Connection" section of the page, you will have to specify, for each supported protocol :

  • Client type : protocol supported (HL7, DICOM, WS, SYSLOG, or RAW)
    • You will test only the protocols you support -- those listed on the "TLS Tests" tab of your ATNA questionnaire.
  • Target host : public IP of your server
  • Target port : public port of your server

3. Then click on "Start client".

4. You should then get a time-stamped entry in the results list.  A blue dot means OK, red means NOT OK.

5. For each successful connection, view the result at the bottom of the page using the icon in the "Actions" column.  Copy the Permanent Link (URL) to the result into your ATNA Questionnaire, on the "TLS Tests" tab. The link must be formatted like https://.../connection.seam?id=...

6. Repeat these steps for each supported protocol (HL7v2, DICOM, Syslog client, ...); e.g., if your system has no DICOM capabilities, you can skip that portion of the test.
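
Before running the client-side or server-side steps above against the GSS simulators, it helps to confirm locally that your SUT's TLS stack matches the simulator table: TLS 1.2 as the floor, only the four listed GCM cipher suites, a certificate required from the peer in both directions, and, for the "FQDN Validation of Server Certificate option" exercised by the Server RAW TLS 1.2 INVALID FQDN simulator, a client that compares the server certificate's subjectAltName with the host it connected to.  The Python below is an added example and is not code from the GSS tool or from IHE.  The hostnames, IP addresses and the certificate dictionaries are constructed for illustration (they are in the shape returned by ssl.SSLSocket.getpeercert(), not real GSS certificates), the subjectAltName matcher is a deliberately small hand-written check rather than Python's own, and probe_server expects you to supply the certificate, key and CA files obtained per the prerequisites.

```python
"""Added example (not GSS/IHE code): TLS 1.2 Floor context with the four simulator
cipher suites, mutual certificate authentication, and a subjectAltName/FQDN check."""
import ipaddress
import socket
import ssl

# IANA suite names from the simulator configuration, mapped to the OpenSSL
# names that ssl.SSLContext.set_ciphers() expects.
TLS12_FLOOR_CIPHERS = {
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256": "DHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384": "DHE-RSA-AES256-GCM-SHA384",
}


def make_tls12_floor_context(server_side, certfile=None, keyfile=None, cafile=None):
    """certfile/keyfile: this node's certificate and key; cafile: the CA that issued
    the peer's certificate (the GSS CA for Connectathon testing).  Server-side DHE
    suites additionally need DH parameters (ctx.load_dh_params) unless the OpenSSL
    build selects them automatically."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER if server_side else ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # the floor: TLS 1.0/1.1 never negotiated
    ctx.set_ciphers(":".join(TLS12_FLOOR_CIPHERS.values()))
    ctx.options |= ssl.OP_NO_COMPRESSION
    ctx.verify_mode = ssl.CERT_REQUIRED            # both sides must present a valid certificate
    ctx.check_hostname = not server_side           # client validates the server's FQDN
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def enabled_tls12_ciphers(ctx):
    """Sorted names of the TLS 1.2 suites the context offers/accepts (TLS 1.3 suites
    are reported with their own protocol string by OpenSSL and are left out here)."""
    return sorted(c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2")


def minimum_version_name(ctx):
    return ctx.minimum_version.name   # "TLSv1_2" for a Floor context


def _dns_name_matches(pattern, hostname):
    """Case-insensitive DNS match; a wildcard is allowed only as the whole leftmost
    label and matches exactly one label (simplified RFC 6125 rules)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def server_cert_matches_fqdn(peercert, expected_host):
    """FQDN validation of the server certificate: the configured host (DNS name or
    IP address) must appear in subjectAltName.  Fails closed when the certificate
    has no subjectAltName at all; the subject CN is deliberately not consulted."""
    san = peercert.get("subjectAltName", ())
    if not san:
        return False
    try:
        wanted_ip = ipaddress.ip_address(expected_host)
    except ValueError:
        wanted_ip = None
    for kind, value in san:
        if kind == "DNS" and wanted_ip is None and _dns_name_matches(value, expected_host):
            return True
        if kind == "IP Address" and wanted_ip is not None:
            try:
                if ipaddress.ip_address(value) == wanted_ip:
                    return True
            except ValueError:
                continue
    return False


def probe_server(host, port, ctx, timeout=10.0):
    """Connect to a TLS server (e.g. a GSS server simulator) and report what was
    negotiated.  A certificate failing chain or hostname validation raises
    ssl.SSLCertVerificationError before any application data is exchanged."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {"version": tls.version(), "cipher": tls.cipher()[0],
                    "san_ok": server_cert_matches_fqdn(tls.getpeercert(), host)}


# Constructed peer-certificate dicts (shape of getpeercert(); not real GSS certificates).
GOOD_CERT = {"subject": ((("commonName", "gss.example.test"),),),
             "subjectAltName": (("DNS", "gss.example.test"), ("IP Address", "203.0.113.10"))}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.example.test"),)}
INVALID_FQDN_CERT = {"subject": ((("commonName", "gss.example.test"),),),
                     "subjectAltName": (("DNS", "not-the-host.invalid"),)}

if __name__ == "__main__":
    client_ctx = make_tls12_floor_context(server_side=False)
    print(minimum_version_name(client_ctx), enabled_tls12_ciphers(client_ctx))
    for label, cert in (("good", GOOD_CERT), ("wildcard", WILDCARD_CERT), ("invalid", INVALID_FQDN_CERT)):
        print(label, server_cert_matches_fqdn(cert, "gss.example.test"))
```

Run the block as-is to see the cipher list your OpenSSL build actually enables (anything missing from the four means that suite cannot be negotiated with the simulator) and how the three constructed certificates fare against the configured host name.  Against the INVALID FQDN simulator, a client built with this context will abort the handshake with ssl.SSLCertVerificationError rather than exchange data; probe_server reproduces that behaviour once you point it at a simulator with your own certificate files.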

Evaluation 

Depending on the testing event, the results of this test may be reviewed in advance.  More typically, it will be reviewed and graded by a Monitor during the test event itself (e.g. during Connectathon week).

The tool reports success or failure for each test you perform.  Your test system must demonstrate successful TLS handshake for each inbound and outbound protocol you support.

If you are performing this test in preparation for an IHE Connectathon, a Connectathon monitor will verify your results as follows. The monitor will:

  1. Access the TLS tests tab in the ATNA Questionnaire.  (The SUT only performs tests for the protocols it supports, and skips the ones not supported.)
  2. For each tested "SERVER" side:
    • The test result must be PASSED.
    • During a Connectathon, these items can also be verified:
      • the SUT host must be the IP specified in the configuration of the system.
      • the SUT port must be the one specified in the configuration of the system for the protocol.
  3. For each tested "CLIENT" side:
    • The connection must succeed (blue dot).
    • During a Connectathon, this item can also be verified:
      • the host in the SUT address must be the IP specified in the configuration of the system. The port is not verified for outbound transactions.
  4. During the Connectathon, the monitor may choose to ask the vendor to re-run a test if the results raise questions about the system's support of TLS.