ATNA tests

This section contains test cases performed with the Gazelle Security Suite tool.

Also, please refer to this Connectathon-specific information page about ATNA testing.

11099: Read ATNA Resources page

This is not an actual test, but we want to ensure you find the web page with general information about ATNA testing for Connectathons.

Instructions

Please read the ATNA Testing for Connectathon & digital certificates page.

Evaluation 

There is no specific evaluation for this test.  

Create a text file stating that you found and read the page. Upload that text file into your local gazelle as the Log Return file for pre-Connectathon test 11099.

11100: Obtain Digital Certificate for TLS Testing

Overview of the test

This test contains instructions for obtaining a digital certificate for your Connectathon test system.   You will obtain your digital certificate(s) from the Gazelle Security Suite tool.

For IHE Connectathons in 2019, all systems testing transactions over TLS **MUST GENERATE A NEW DIGITAL CERTIFICATE**.  Digital Certificates from previous years will not work at 2019 Connectathons.

Prerequisite for this test

(1) If you have not yet read this ATNA Testing Resources page, please do that before proceeding with this test.  That page contains important content for using the digital certificates for pre-Connectathon and Connectathon tests.  The instructions below only tell you how to generate a digital certificate.

(2) When you generate your digital certificate, you will need to know two values:

  1. The hostname of your test system on the Connectathon network.  This is assigned to your test system in the European Gazelle or North American Gazelle for Test Management.  After logging in, select menu Configurations-->System configuration.
  2. The Domain Name of the Connectathon network.  For the NA 2019 Connectathon, it is ihe-us-test.net.  For the EU 2019 Connectathon, it is ihe-europe.net.

Location of the Gazelle Security Suite (GSS) tool: http://gazelle.ihe.net/gss

Log in to the tool

There are separate CAS systems for European and North American Connectathons.  The European CAS is linked to http://gazelle.ihe.net/EU-CAT/ and the North American CAS is linked to http://ihe.wustl.edu/gazelle-na/.   You will use your username & password from Gazelle for either the European or NA Connectathon:

  • On the tool home page (http://gazelle.ihe.net/gss) find the "Login" link at the upper right of the page.  
  • Select either "European Authentication" or "North American Authentication"
  • Enter the username and password from either the European or North American instances of Gazelle Test Management linked above

Instructions - Obtain a Certificate

  • Select menu PKI-->Request a certificate
  • Complete the fields on page:
    • Certificate type:  Choose "Client and Server" from dropdown list  (Required field)
    • key size: (optional)
    • Country (C): (required)
    • Organization (O):  Your organization name in Gazelle   (Required field)
    • Common Name (CN):  The Keyword for your test system in Gazelle (eg EHR_MyMedicalCo)  (Required field)
    • Title:  (optional)
    • Given name: (optional)
    • Surname: (optional)
    • Organizational Unit: (optional)
    • eMail:  (optional) email of a technical contact making the request
    • Subject Alternative Names: <=== New for 2019 Connectathons.  
      • You must enter at least one value in this field -- the fully-qualified domain name of your test system on the Connectathon network.  This is a combination of the hostname assigned in Gazelle to your system and the domain name for the Connectathon test network.  For the 2019 NA Connectathon network, the domain name is ihe-us-test.net.  So, an example of a fully-qualified domain name entered in this field for a digital certificate for the NA Connectathon is acme0.ihe-us-test.net
      • You may optionally enter more than one value.  Multiple values are separated by a comma.  These values are additional fully-qualified domain names for your test system when it operates in a non-Connectathon environment with a different domain name, eg you are testing with the NIST XDS Tools in your home test lab.
  • Click the "Request" button.
  • You will then be taken to a page listing all requested certificates.  Find yours on the top of the list, or use the filters at the top.
  • In the "Action" column, click the "View Certificate" (sun) icon.  Your certificate details are displayed.  Use the "Download" menu to download your certificate and/or the Keystore.

It is also possible to find your certificate using the menu:

  • Select menu PKI-->List certificates
  • In the "Requester" column, filter the list by entering your username at the top of the column (the username you used to log in to the tool)
  • Use the icon in the "Action" column to find and download your certificate, as described above.

You are now ready to use this certificate for performing:

  • authentication tests with the Gazelle Security Suite tool
  • peer-to-peer tests with your Connectathon partners

Evaluation 

There is no specific evaluation for this test.  

Create a text file stating that you have requested & received your certificate(s). Upload that text file into your local gazelle as the Log Return file for pre-Connectathon test 11100.

In subsequent tests (eg 11109 Authentication test), you will verify the proper operation of your test system with your digital certificate.

11106: ATNA Questionnaire

Overview of the test

In this test you complete a form which collects information that will help us evaluate the Audit Logging and Node Authentication capabilities of your test system during the Connectathon.

The contents of your ATNA Questionnaire are directly linked to the profiles and actors that you have registered to test at a given Connectathon.  You will be asked to validate audit messages for transactions you support.  You will be asked to demonstrate successful TLS connections for the transports you support (eg DICOM, MLLP, HTTP).

Prerequisite for this test

Before you can generate your on-line ATNA questionnaire...

  • You must have a test system registered in Gazelle Test Management for the upcoming NA or EU Connectathon
  • Your test system must be registered to test an ATNA actor, eg. Secure Node, Secure Application, Audit Record Repository...
  • Your test system must have a status of "Completed"
    • This is because the content of the Questionnaire is built from the profiles & actors you support.  We want to know that your registration is complete.
    • To check this, log in to the NA or EU Gazelle Test Management. Select menu Registration->Manage Systems.
    • On the System summary for your system, is the Registration Status set to "Completed"?

Location of the ATNA Tools:  Gazelle Security Suite

Log in to the tool

There are separate CAS systems for European and North American Connectathons.  The European CAS is linked to http://gazelle.ihe.net/EU-CAT/ and the North American CAS is linked to http://ihe.wustl.edu/gazelle-na/.   You will use your username & password from Gazelle Test Management for either the European or NA Connectathon:

  • On the tool home page (http://gazelle.ihe.net/gss) find the "Login" link at the upper right of the page.  
  • Select either "European Authentication" or "North American Authentication"
  • Enter the username and password from either the European or North American instances of Gazelle Test Management linked above

Important note:  Because the contents of your ATNA Questionnaire are linked to your Connectathon test system in Gazelle for EU or Gazelle for NA, your user account in Gazelle must be working in the current testing session.  Use menu Gazelle--> Change Testing Session.

Instructions

1. Select menu Audit Trail --> ATNA Questionnaires

2. First, search for any existing questionnaires for your organization. Use the filters at the top of the page to search based on various criteria.  You will only be able to access the questionnaires created for your organization's test systems.  Admins and monitors can access all of them.

3. You can use the icons in the right column to:

  • View the content of the questionnaire
  • Edit it
  • Review it (monitors only)
  • Delete it (administrators only)

4. If no questionnaire is available for your test system, you need to create a new one.  

  • Click on the "New ATNA Questionnaire" button
  • From the dropdown list, select the name of your test system.   Note: If your system doesn't appear...
    • ...is your test system registered with status of "Completed"?
    • ...are you registered for ATNA Secure Node or Secure Application?
    • ...is the testing session closed (ie is the connectathon over)?
  • Next, click the "Back to list" button.  Use the filter at the top to find your questionnaire in the list.  Use the "Edit" icon in the "Action" column to begin.

5. Complete the questionnaire.  You are now in the ATNA Questionnaire Editor.

  • In the System details, identify the ATNA actor you support.  Choose either "Secure Node (SN)" or "Secure Application (SA)"
  • Complete the "Inbound network communications" tab
  • Complete the "Outbound network communications" tab
  • Complete the "Authentication process for local users" tab
  • Complete the "Audit messages" tab.  This tab is used with test 11116.
  • Secure Nodes only:  Complete the "Non network means for accessing PHI" tab 
  • Complete the "TLS Tests" tab.  This tab is used with test 11109.

6.  Mark your questionnaire "Ready for review"

  • When all tabs in the questionnaire are complete, set the Questionnaire's status to "Ready for review" in the "Questionnaire details" section.

7. Finally, create a text file stating that your questionnaire is ready for review. Upload that text file into your local gazelle as the Log Return file for pre-Connectathon test 11106.


Evaluation

The Technical Project Manager will review your completed form.  Connectathon monitors also refer to this form during the Connectathon.  You cannot get connectathon credit (i.e. a "Pass") for your ATNA Secure Node/Application without completing and submitting this questionnaire.

11109: Authentication Test

Overview of the test

In this test, you will use the Gazelle Security Suite (GSS) tool to verify that you are able to communicate with TLS clients and servers using digital certificates. The tool will validate only the TLS connection. The IHE transaction associated with the TLS connection (eg a specific DICOM, HL7 or webservices transaction) is not validated within this tool. That is done in other Connectathon tests.

The GSS tool checks:

  • the protocol: transport over TLS v1.2
  • the cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
  • certificate authentication
    • Digital certificates for pre-Connectathon & Connectathon testing are generated by GSS.  See test 11100.

Prerequisite for this test

(1) If you have not yet read the ATNA Testing Resources page, do that before proceeding with this test.

(2) To perform this test, your Connectathon digital certificates must be set up on your system (server and/or client).  Follow the instructions in test 11100 to obtain digital certificate(s) for your test system(s).

(3) You should complete your ATNA Questionnaire (test 11106) prior to running this test.  

  • The ATNA Questionnaire has a "TLS Tests" tab that identifies the inbound/outbound communications you support.
    • That tab determines which of the "Server" and "Client" tests that you must run below.  
    • You will also record your successful results on that tab.

Log in to the tool

There are separate CAS systems for European and North American Connectathons.  The European CAS is linked to http://gazelle.ihe.net/EU-CAT/ and the North American CAS is linked to http://ihe.wustl.edu/gazelle-na/.   You will use your username & password from Gazelle Test Management for either the European or NA Connectathon:

  • On the tool home page (http://gazelle.ihe.net/gss) find the "Login" link at the upper right of the page.  
  • Select either "European Authentication" or "North American Authentication"
  • Enter the username and password from either the European or North American instances of Gazelle Test Management linked above

Instructions for inbound transactions (server side is tested)

If your SUT acts as a server (responder), then for pre-Connectathon testing your server must be reachable from outside your network so that the tool, acting as a client simulator, can connect to your SUT.

1. On the home page of the Gazelle Security Suite tool, find "Test your TLS Implementation" and "TLS Client Simulators".

2. In the "Start Connection" section of the page, you will have to specify, for each supported protocol:

  • Client type: the protocol supported (HL7, DICOM_ECHO, WEBSERVICE, SYSLOG, or RAW)
    • You will test only the protocols you support -- those listed on the "TLS Tests" tab of your ATNA questionnaire
  • Target host: the public IP of your server
  • Target port: the public port of your server

3. Then click on "Start client".

4. You should then get a time-stamped entry in the results list.  Blue means OK, red NOT OK.

5. For each successful connection, view the result at the bottom of the page using the icon in the "Actions" column.  Copy the URL of the result into your ATNA Questionnaire, on the "TLS Tests" tab.  The link must be formatted like http://.../connection.seam?id=...

6. Repeat these steps for each supported protocol (HL7v2, DICOM, Syslog client, ...): e.g., if your system has no DICOM capabilities, you can skip that portion of the test.

Instructions for outbound transactions (client side is tested)

If your SUT acts as a client, it must be able to reach the public IP addresses of the tool's TLS servers.  You test your client by connecting to the TLS test servers provided by the tool.

1. On the home page for the TLS Tools for your connectathon, find the list of server simulators, one per protocol.

  • You will test only the protocols you support -- those listed on the "TLS Tests" tab of your ATNA questionnaire

2. Configure your client to connect to the test TLS server.

3. Check that the server is started before trying to connect to it.  Click on the link for the server you want and look for the status "Running".

4. In your SUT, perform a connection (eg send a query) to the test server.  The TLS connection will be valid, but at the transaction level you will get invalid replies, because only the TLS connection is being checked.

5. You should then get a timestamped entry in the results list.   Blue means OK, red NOT OK.

6. For each successful connection, view the result with the icon in the "Action" column.  Copy the URL of the result into your ATNA Questionnaire, on the "TLS Tests" tab.  The link must be formatted like http://.../connection.seam?id=...

7. Repeat these steps for each supported protocol (HL7v2, DICOM, Syslog server, ...): e.g., if your system has no DICOM capabilities, you can skip that portion of the test.

Evaluation

The tool reports success or failure for each test you perform.  Your test system must demonstrate successful TLS handshake for each inbound and outbound protocol you support.

If you are performing this test in preparation for a Connectathon, a Connectathon monitor will verify your results as follows. The monitor will:

  1. Access the "TLS Tests" tab in the ATNA questionnaire.  You will only do the tests for the protocols your test system supports, and skip the ones you don't support.
  2. For each "SERVER" tested side:
    • The test result must be PASSED.
    • In the connection detail, the cipher suite must be TLS_RSA_WITH_AES_128_CBC_SHA.
    • The protocol must be TLS 1.2.
    • During a Connectathon, these items can also be verified:
      • the SUT host must be the IP specified in the configuration of the system.
      • the SUT port must be the one specified in the configuration of the system for the protocol.
  3. For each "CLIENT" tested side:
    • The connection must succeed (blue circle).
    • The cipher suite must be TLS_RSA_WITH_AES_128_CBC_SHA.
    • The protocol must be TLS 1.2.
    • During a Connectathon, this item can also be verified:
      • the host in the SUT address must be the IP specified in the configuration of the system.  The port is not verified for outbound transactions.
  4. The monitor may choose to ask the vendor to re-run a test during the Connectathon if the results raise questions about the system's support for TLS.
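Before uploading results for this test, a vendor can reproduce the monitor's checks against their own inbound endpoint. The following added example (not part of the Gazelle Security Suite or of this test description) performs one TLS handshake with the GSS-issued client certificate and compares the negotiated protocol, cipher suite and server SAN against the criteria above; host, port, FQDN and certificate file names are placeholders.

```python
"""Local pre-check of an inbound TLS endpoint before running GSS test 11109.

Added example, not part of the Gazelle Security Suite. It handshakes as a TLS
client with the GSS-issued client certificate and evaluates what the monitor
checks: protocol TLS 1.2 and cipher suite TLS_RSA_WITH_AES_128_CBC_SHA
(OpenSSL name AES128-SHA), plus the Connectathon FQDN in the server SAN.
File paths, host, port and FQDN are placeholders.
"""
import socket
import ssl

REQUIRED_VERSION = "TLSv1.2"
REQUIRED_SUITE = "TLS_RSA_WITH_AES_128_CBC_SHA"   # IANA name used by the test
OPENSSL_NAME = "AES128-SHA"                       # the same suite as OpenSSL/Python name it


def evaluate_handshake(version, cipher_name, peer_dns_names, expected_fqdn):
    """Return a list of findings; an empty list means the 11109 criteria are met.

    version and cipher_name are what SSLSocket.version() and SSLSocket.cipher()[0]
    report after the handshake; peer_dns_names are the dNSName SAN entries of the
    server certificate.
    """
    findings = []
    if version != REQUIRED_VERSION:
        findings.append(f"protocol is {version}, test requires {REQUIRED_VERSION}")
    if cipher_name not in (OPENSSL_NAME, REQUIRED_SUITE):
        findings.append(f"cipher suite is {cipher_name}, test requires {REQUIRED_SUITE}")
    if expected_fqdn not in peer_dns_names:
        findings.append(f"server SAN {peer_dns_names} lacks {expected_fqdn}")
    return findings


def dns_names(peer_cert):
    """dNSName SAN entries from the dict returned by SSLSocket.getpeercert()."""
    return [value for kind, value in peer_cert.get("subjectAltName", ()) if kind == "DNS"]


def probe_server(host, port, fqdn, client_cert, client_key, ca_bundle, timeout=10):
    """Handshake as the GSS client simulator would; return (version, cipher, SANs)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2   # offer nothing but TLS 1.2
    ctx.set_ciphers(OPENSSL_NAME)                   # offer only the required suite
    ctx.load_verify_locations(ca_bundle)            # trust only the GSS CA
    ctx.load_cert_chain(client_cert, client_key)    # present the client certificate
    # The hostname is compared in evaluate_handshake() so that a SAN mismatch is
    # reported as a finding instead of aborting; the chain is still verified.
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
            return tls.version(), tls.cipher()[0], dns_names(tls.getpeercert())


if __name__ == "__main__":
    # Placeholders: use the hostname/domain from test 11100 and the files from GSS.
    FQDN = "acme0.ihe-us-test.net"
    result = probe_server("203.0.113.10", 8443, FQDN,
                          "client.crt", "client.key", "gss-ca.pem")
    problems = evaluate_handshake(*result, expected_fqdn=FQDN)
    print("PASS" if not problems else "\n".join(problems))
```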

 

11110: Authentication error cases

Overview of the test

This test exercises several error cases.  You will use the ATNA TLS Tool as a simulated client, trying to connect to a Secure Node (SN) or Secure Application (SA) acting as a server.

*** If your SN/SA is only a client (ie it only initiates transactions), then this test case is not applicable for you.  Skip it. ***

Prerequisite for this test

Run test 11109 Authentication Test before running this 'error cases' test.

Location of the ATNA Tools:  Gazelle Security Suite

Log in to the tool

There are separate CAS systems for European and North American Connectathons.  The European CAS is linked to http://gazelle.ihe.net/EU-CAT/ and the North American CAS is linked to http://ihe.wustl.edu/gazelle-na/.   You will use your username & password from Gazelle Test Management for either the European or NA Connectathon:

  • On the tool home page (http://gazelle.ihe.net/gss) find the "Login" link at the upper right of the page.  
  • Select either "European Authentication" or "North American Authentication"
  • Enter the username and password from either the European or North American instances of Gazelle Test Management linked above

Instructions

  1. Select menu TLS/SSL-->Testing-->Test Cases
  2. Run each of the error test cases listed:
    1. IHE_ErrorCase_Corrupted
    2. IHE_ErrorCase_Expired
    3. IHE_ErrorCase_Revoked
    4. IHE_ErrorCase-Self-Signed
    5. IHE_ErrorCase_Unknown
    6. IHE_ErrorCase_Without_Authentication
    7. IHE_ErrorCase_Wrong_Key
  3. Once you are on the 'Run a test' page, use the 'Client type' dropdown list to select the transport supported on your server (HL7v2, DICOM, HL7, DICOM_ECHO, WEBSERVICE, SYSLOG, or RAW)
  4. Input the host / IP address and port of your system and click on 'Run'.
  5. If your server implements several transports, vary the client type across the error test cases so that each implemented transport is exercised by at least one of them.  It is not necessary to run every test case for every transport.
  6. After each test case, find your result in the list of Test Executions
  7. Capture the permanent links to your PASSED results.  Copy/paste the links into the chat window in gazelle for pre-Connectathon test 11110 or Connectathon test ATNA_Authenticate_Error_Cases

Evaluation

Each error case must have a result of 'PASSED'. 

Each transport type (HL7v2, DICOM, HL7, DICOM_ECHO, WEBSERVICE, SYSLOG, or RAW) implemented by your system as a server must have been tested at least one time in the list of error cases.

If you are performing this test in preparation for a Connectathon, a Connectathon monitor will verify your results pasted into each test step.

11116: Audit message check

Overview of the test

In this test, a Secure Node or Secure Application tests audit messages it sends.  

  • We use a tool to test the content of the audit message against the schema and against requirements documented in the IHE Technical Framework for some transactions.  
  • Here, we do not test the transport of the audit message 

The tool provides the ability to validate against the DICOM schema.  We are no longer testing the RFC 3881 schema; the ATNA profile requires support for the DICOM schema.

Location of the ATNA Tools:  Gazelle Security Suite

Log in to the tool

There are separate CAS systems for European and North American Connectathons.  The European CAS is linked to http://gazelle.ihe.net/EU-CAT/ and the North American CAS is linked to http://ihe.wustl.edu/gazelle-na/.   You will use your username & password from Gazelle Test Management for either the European or NA Connectathon:

  • On the tool home page (http://gazelle.ihe.net/gss) find the "Login" link at the upper right of the page.  
  • Select either "European Authentication" or "North American Authentication"
  • Enter the username and password from either the European or North American instances of Gazelle Test Management linked above

Instructions

You may perform this test directly in the ATNA Questionnaire **or** you may use the Gazelle EVSClient tool.  

If you are preparing for a Connectathon, you should use the instructions below for the ATNA Questionnaire.

---->Instructions for checking audit messages using the ATNA Questionnaire:

  1. Create a new ATNA Questionnaire for your connectathon test system using the instructions for test 11106.
  2. Find the Audit Messages tab in the questionnaire.  That tab contains "Instructions" and enables you to upload and validate audit messages directly on that tab.   You should validate all messages that you have marked "Implemented".
  3. When you are done, find the Permanent Link to your ATNA Questionnaire.  Copy/paste that link into the chat window in Gazelle Test Management for pre-Connectathon test 11116, and change the status of the test to "Verified by vendor".

---->Instructions for checking audit messages using the EVSClient tool:

  1. In the Gazelle EVSClient, select menu IHE-->Audit messages-->Validate
  2. Select the Add button, and upload the XML file for your audit message
  3. From the Model based validation dropdown list, select the entry that matches your audit message. (Note that additional validations will be added over time.)
  4. Select the Validate button.  
  5. You should validate all audit messages associated with functionality & transactions supported by your test system.
  6. In the Validation Results displayed, find the Permanent Link to the results.  Copy/paste the link(s) into the chat window in Gazelle Test Management for pre-Connectathon test 11116, and change the status of the test to "Verified by vendor".

Evaluation

The tool reports the results of the validation of your messages.  We are looking for PASSED results.

11117: Send audit or event message to Syslog Collector

Overview of the test

In this test, a client sends audit records or event reports using transaction [ITI-20] Record Audit Event to the Syslog Collector tool acting as an Audit Record Repository or Event Repository.   The Syslog Collector is one of the tools embedded in the Gazelle Security Suite.  

This test is performed by an ATNA Secure Node, Secure Application or Audit Record Forwarder.  It is also performed by a SOLE Event Reporter.

Note that this test checks the transport of audit messages.  The content of your audit message is verified in a different test.   

Location of the ATNA Tools:  Gazelle Security Suite (GSS)

Instructions

  • Access the Syslog Collector in GSS under menu Audit Trail --> Syslog Collector.  This page displays the tool's IP address and its UDP and TCP-TLS ports.
  • Configure your application to send your audit messages (event reports) to the Syslog Collector.
  • Then trigger any event that initiates an ITI-20 transaction.  This event may be an IHE transaction or other system activity (eg system start/stop or one of the SOLE events).  Your system should then send the resulting message to the Syslog Collector.

Evaluation

You must check that your audit message has been received by the Syslog Collector and that the protocol SYSLOG is correctly implemented.

  • Go to Gazelle Security Suite, on page Audit Trail > Syslog Collector.
  • Filter the list of received messages by the host or the IP of the sender, and find the message you sent according to the timestamps.
  • Click on the magnifying glass to display the message details.
  • If the protocol is UDP or TLS, and there is a message with message content, no errors and RFC 5424 parsing succeeded, then the test is successful.  There is an example screenshot below.
  • Copy the URL to your successful result and paste it into your local Gazelle Test Management as the Log Return file for pre-Connectathon test 11117.
  • Do not forget to stop sending audit messages to the Syslog Collector once you've finished the test.  If your system sends a large number of messages, administrators of the tool may decide to block all your incoming transactions to prevent spam.

Tips

TCP Syslog uses the same framing requirement as TLS Syslog.  You can first use the TCP port of the Syslog Collector to debug your implementation.  Keep in mind that the IHE ATNA Profile expects at least UDP or TLS for actors that produce SYSLOG messages.
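The framing shared by the TCP and TLS ports is the part of the ITI-20 transport most often implemented incorrectly. The following added example (not Gazelle code) builds an RFC 5424 message around a constructed, abbreviated DICOM-schema AuditMessage, applies the octet-counting framing used on the collector's TLS/TCP ports, and re-parses the frame the way a collector does before reporting that RFC 5424 parsing succeeded; hostname and application name are placeholders.

```python
"""Build, frame and re-parse an ITI-20 audit message for GSS test 11117.

Added example, not part of the Gazelle Security Suite. The XML body is a
constructed, abbreviated sample; hostname and app name are placeholders.
PRI 85 (facility 10 security/authorization, severity 5 notice) and MSGID
IHE+DICOM are the values ITI-20 uses for DICOM-schema audit messages.
"""
import re
from datetime import datetime, timezone

BOM = "\ufeff"  # RFC 5424: a UTF-8 MSG part starts with the byte-order mark

# Constructed, abbreviated DICOM-schema audit event (Application Activity).
SAMPLE_AUDIT_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<AuditMessage><EventIdentification EventActionCode="E" '
    'EventDateTime="2019-01-15T10:00:00Z" EventOutcomeIndicator="0">'
    '<EventID csd-code="110100" codeSystemName="DCM" originalText="Application Activity"/>'
    '</EventIdentification></AuditMessage>')


def build_syslog_message(audit_xml, hostname, app_name, timestamp=None,
                         procid="-", pri=85, msgid="IHE+DICOM"):
    """Return an RFC 5424 SYSLOG-MSG string carrying audit_xml as its MSG part."""
    if timestamp is None:  # RFC 3339 UTC timestamp with millisecond precision
        timestamp = datetime.now(timezone.utc).isoformat(timespec="milliseconds")
        timestamp = timestamp.replace("+00:00", "Z")
    header = f"<{pri}>1 {timestamp} {hostname} {app_name} {procid} {msgid}"
    structured_data = "-"  # NILVALUE: no STRUCTURED-DATA elements
    return f"{header} {structured_data} {BOM}{audit_xml}"


def frame_octet_counting(message):
    """Framing for TLS/TCP: MSG-LEN SP SYSLOG-MSG.

    MSG-LEN counts octets of the UTF-8 encoded message, not characters; the
    3-byte BOM is where implementations usually get the count wrong.
    """
    body = message.encode("utf-8")
    return str(len(body)).encode("ascii") + b" " + body


def deframe_octet_counting(stream):
    """Split a byte stream of octet-counted frames back into SYSLOG-MSG strings."""
    messages, pos = [], 0
    while pos < len(stream):
        sep = stream.index(b" ", pos)   # ValueError if MSG-LEN has no terminator
        length = int(stream[pos:sep])   # ValueError if MSG-LEN is not decimal
        start = sep + 1
        if start + length > len(stream):
            raise ValueError("truncated frame: MSG-LEN exceeds available octets")
        messages.append(stream[start:start + length].decode("utf-8"))
        pos = start + length
    return messages


HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<timestamp>\S+) (?P<hostname>\S+) (?P<appname>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\])(?: (?P<msg>.*))?$", re.S)


def parse_rfc5424(message):
    """Parse the header a collector checks; raise ValueError when it is malformed."""
    m = HEADER_RE.match(message)
    if not m:
        raise ValueError("not a well-formed RFC 5424 header")
    fields = m.groupdict()
    pri = int(fields.pop("pri"))
    if pri > 191:
        raise ValueError(f"PRI {pri} out of range 0..191")
    fields["facility"], fields["severity"] = divmod(pri, 8)
    msg = fields["msg"] or ""
    fields["msg"] = msg[1:] if msg.startswith(BOM) else msg  # BOM stripped for the consumer
    return fields
```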
