ATNA Testing for Connectathon & digital certificates

ATNA is a widely tested profile.  This page contains guidelines that address frequently asked questions about testing expectations.

Important updates to ATNA in the ITI Technical Framework

The ITI Technical Committee worked on updates to add 3 new options to the ATNA Secure Node & Secure Application actors.  The options affect the [ITI-19] Authenticate Node transaction.  As of September 2018, these options are now approved and testable at 2019 Connectathons:

  • 'FQDN Validation of Server Certificate' option
  • 'BCP195 TLS Secure Connection - All TLS Versions' option
  • 'BCP195 TLS Secure Connection - TLS 1.2 Floor' option

Please read:  CP-ITI-1145 - "Three new options related to [ITI-19]".

==> Why add enhanced cybersecurity to your product?

IHE is strongly encouraging all vendors to implement and test these new options at 2019 Connectathons.  Click here to learn more!   

Security (TLS) Policy for 2019 IHE NA and EU Connectathons

These new options introduce variability in the Connectathon testing environment that did not exist in previous Connectathons.  Depending on whether or not a Connectathon test system supports these options, it may be able to support TLS 1.0, TLS 1.1, and/or TLS 1.2, and one or more of several ciphers.  On the Connectathon test floor, different systems with a mix of TLS versions and ciphers would be a barrier to connectivity. 

So, in order to ensure interoperability between systems testing over TLS, the Connectathon technical managers have selected a TLS version and cipher to use for peer-to-peer tests over TLS.  (This is analogous to a hospital mandating similar requirements at a given deployment.)

*** For 2019 IHE NA and EU Connectathons, peer-to-peer testing over TLS (without the new ATNA options) shall be done using:

  • TLS 1.2
  • cipher TLS_RSA_WITH_AES_128_CBC_SHA
    • (Note that we intentionally chose a 'less secure' cipher for 2019 and anticipate choosing one of the recommended ciphers from BCP195 for future IHE Connectathons.)
  • A digital certificate, issued by the Gazelle Security Suite (GSS) tool.  New certs are needed for 2019 Connectathons.  See the next section.
  • Note that this policy is compatible with the baseline ATNA requirements in [ITI-19] Authenticate Node, in particular referenced standard RFC 7525.

*** For the 2019 IHE NA and EU Connectathons, we will use the Gazelle Security Suite tool to test the new ATNA options:

  • client behavior for a Secure Node/Application supporting the 'FQDN Validation of Server Certificate' option
  • the ability of a Secure Node/Application to negotiate down from TLS 1.2 to 1.1 to 1.0 as required by the 'BCP195 TLS Secure Connection - All TLS Versions' option
  • the ability of a Secure Node/Application to require that transactions occur with TLS 1.2 and one of the required ciphers in the 'BCP195 TLS Secure Connection - TLS 1.2 Floor' option

(i.e. testing of the options will not be peer-to-peer)

Gazelle Security Suite (GSS) Tool for ATNA testing:

Tool-based testing of TLS (node authentication) and of the format and transport of your audit messages is consolidated in one tool - the Gazelle Security Suite (GSS).

  • Link to the tool: http://gazelle.ihe.net/gss.  
  • Instructions for use of the tool are contained in ATNA test descriptions - here.
  • Recorded training on the Gazelle Security Suite - here

==> GSS: Digital Certificates for IHE Connectathons

The Gazelle Security Suite (GSS) tool is the SINGLE PROVIDER OF DIGITAL CERTIFICATES for both NA and EU Connectathons.   As of November 27, 2018, the GSS tool is updated to provide digital certificates for 2019 IHE Connectathons.

To obtain a digital certificate from the GSS tool for pre-Connectathon & Connectathon testing, follow the instructions in pre-Connectathon test 11100.

Some facts about the new digital certificates:

  1. If you have a digital certificate from a Connectathon in 2018 or earlier, it will not work for 2019 Connectathons.
  2. If you generated your digital certificate in GSS before Nov 27, 2018, you must generate a new one.
  3. Your new digital certificate:
    a. is from a new Certificate Authority (CA) with a stronger key - 2048 length (before Nov 2018, the CA created certificates with 1024 key length).  You must add the certificate for the new CA to your trust store.
    b. will contain the fully-qualified domain name (FQDN) of your test system.   When you use GSS to request the certificate, the tool will prompt you for this value.  The FQDN value(s) will be in the subjectAltName entry of your digital certificate.  (You may need to provide more than one FQDN when you generate your certificate, e.g. if you will use your system to test TLS connections outside of the Connectathon network, such as with the NIST XDS Tools in your local test lab.)
  4. Pre-Connectathon test 11100 contains detailed instructions for generating your certificate, including how to get the fully-qualified domain name for your test system on the Connectathon network.
  5. Item (3.b.) means that each system testing TLS transactions during Connectathon week will have a digital certificate that is compatible with the new FQDN validation option in ATNA.  Thus, TLS connections with test partners will work whether the client is performing FQDN validation, or not.  This is intentional.

Note that the certificates are only for testing purposes and cannot be used outside of the IHE Connectathon context.
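The peer-to-peer policy and the FQDN validation behavior described above can be expressed with Python's standard ssl module, as in the following added example (not code from IHE or from the Gazelle tools). The function and parameter names are assumptions of this example; AES128-SHA is OpenSSL's name for TLS_RSA_WITH_AES_128_CBC_SHA.

```python
import ssl

# OpenSSL name for the IANA suite TLS_RSA_WITH_AES_128_CBC_SHA in the policy.
CONNECTATHON_CIPHER = "AES128-SHA"


def connectathon_context(server_side=False, fqdn_validation=False,
                         ca_file=None, cert_file=None, key_file=None):
    """Build an SSLContext pinned to the 2019 peer-to-peer TLS policy.

    All names here are hypothetical; ca_file is the new GSS CA certificate,
    cert_file/key_file the certificate and key issued to the test system.
    """
    protocol = ssl.PROTOCOL_TLS_SERVER if server_side else ssl.PROTOCOL_TLS_CLIENT
    ctx = ssl.SSLContext(protocol)
    # TLS 1.2 only: no fallback to 1.1/1.0 and no TLS 1.3.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(CONNECTATHON_CIPHER)
    if not server_side:
        # With FQDN validation on, the client compares the name it dialled
        # with the subjectAltName entries of the server certificate.
        ctx.check_hostname = fqdn_validation
    # [ITI-19] authenticates both nodes, so a server also demands a peer cert.
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)  # trust only the GSS CA
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)
    return ctx


def policy_summary(ctx):
    """Return the settings a reviewer would check, in plain values."""
    return {
        "min": ctx.minimum_version.name,
        "max": ctx.maximum_version.name,
        # TLS 1.3 suites may still be listed by OpenSSL but cannot be
        # negotiated because maximum_version is TLS 1.2.
        "suites": [c["name"] for c in ctx.get_ciphers()
                   if c["protocol"] != "TLSv1.3"],
        "check_hostname": ctx.check_hostname,
        "peer_cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
    }
```

Because the GSS certificates carry the FQDN in subjectAltName, a client built with `fqdn_validation=True` and one built without it both complete the handshake against the same server certificate.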

==> GSS: ATNA Questionnaire

Systems testing ATNA are required to complete the ATNA Questionnaire in the GSS tool, ideally during pre-Connectathon testing.  Embedded in the questionnaire are Audit Record tests and TLS tests customized for the profiles & actors you will test at Connectathon.

  • Follow instructions in pre-Connectathon test 11106.
  • Note: You must use TLS 1.2 and the new digital certificates when performing TLS tests in the questionnaire.

==> GSS: ATNA Logging Tests

Read the Technical Framework; you are responsible for all requirements in the Record Audit Event [ITI-20] transaction. We will not repeat the requirements here.

 

WHICH SCHEMA???:  The ITI Technical Framework defines the Record Audit Event [ITI-20] transaction, and specifies use of the DICOM schema for audit messages.  

We expect implementations to be compliant, and we have tested audit messages using the DICOM schema at IHE Connectathons since 2016.

  • The GSS tool will only provide validation against the DICOM schema. If you fail that test, it is our signal to you that your audit messages are not compliant with the latest DICOM schema.  See pre-Connectathon test 11116.
  • We expect peer-to-peer testing at the Connectathon to occur using messages compliant with the DICOM schema.
  • Some might be interested in this email exchange on the IT Tech Cmte email list.

SENDING AUDIT MESSAGES:   You can send your audit records to the GSS tool simulating an Audit Record Repository.  See pre-Connectathon test 11117.

Questions about ATNA Testing?

Contact Lynn Felhofer, Technical Project Manager for the IT Infrastructure domain.

Attachment: IHE_and_Cybersecurity.pdf (158.21 KB)