ATNA is a widely tested profile. This page contains guidelines that address frequently asked questions about testing expectations.
- Important updates to ATNA Documentation in the ITI Technical Framework
- Security (TLS) Policy for 2019 IHE NA and EU Connectathons
- Gazelle Security Suite (GSS) tool for ATNA testing
- Questions about ATNA testing?
The ITI Technical Committee worked on updates to add 3 new options to the ATNA Secure Node & Secure Application actors. The options affect the [ITI-19] Authenticate Node transaction. As of September 2018, these options are now approved and testable at 2019 Connectathons:
- 'FQDN Validation of Server Certificate' option
- 'BCP195 TLS Secure Connection - All TLS Versions' option
- 'BCP195 TLS Secure Connection - TLS 1.2 Floor' option
Please read: CP-ITI-1145 - "Three new options related to [ITI-19]".
IHE is strongly encouraging all vendors to implement and test these new options at 2019 Connectathons. Click here to learn more!
These new options introduce variability in the Connectathon testing environment that did not exist in previous Connectathons. Depending on whether or not a Connectathon test system supports these options, it may be able to support TLS 1.0, TLS 1.1, and/or TLS 1.2, and one or more of several ciphers. On the Connectathon test floor, different systems with a mix of TLS versions and ciphers would be a barrier to connectivity.
So, in order to ensure interoperability between systems testing over TLS, the Connectathon technical managers have selected a TLS version and cipher to use for peer-to-peer tests over TLS. (This is analagous to a hospital mandating similar requirements at a given deployment.)
*** For 2019 IHE NA and EU Connectathons, peer-to-peer testing over TLS (without the new ATNA options) shall be done using:
- TLS 1.2
- cipher TLS_RSA_WITH_AES_128_CBC_SHA
- (Note that we intentionally chose a 'less secure' cipher for 2019 and anticipate choosing one of the recommended ciphers from BCP195 for future IHE Connectathons.)
- A digital certificate, issued by the Gazelle Security Suite (GSS) tool. New certs are needed for 2019 Connectathons. See the next section.
- Note that this policy is compatible with the baseline ATNA requirements in [ITI-19] Authenticate Node, in particular referenced standard RFC 7525.
*** For the 2019 IHE NA and EU Connectathons, we will use the Gazelle Security Suite tool to test the new ATNA options:
- client behavior for a Secure Node/Application supporting the 'FQDN Validation of Server Certificate' option
- the ability of a Secure Node/Application to negotiate down from TLS 1.2 to 1.1 to 1.0 as required by the 'BCP195 TLS Secure Connection -- All TLS Versions' option
- the ability of a Secure Node/Application to require that transactions occur with TLS 1.2 and one of the required ciphers in the 'BCP195 TLS Secure Connection -- TLS 1.2 Floor' option
(i.e. testing of the options will not be peer-to-peer)
Tool-based testing of TLS (node authentication) and of the format and transport of your audit messages is consolidated in one tool - the Gazelle Security Suite (GSS)
- Link to the tool: http://gazelle.ihe.net/gss.
- Instructions for use of the tool are contained in ATNA test descriptions - here.
- Recorded training on the Gazelle Security Suite - here
The Gazelle Security Suite (GSS) tool is the SINGLE PROVIDER OF DIGITIAL CERTIFICATES for both NA and EU Connectathons. As of November 27, 2018, the GSS tool is updated to provide digital certificates for 2019 IHE Connectathons.
To obtain a digital certificate from the GSS tool for pre-Connectathon & Connectathon testing, follow the instructions in pre-Connectathon test 11100.
Some facts about the new digital certificates:
- If you have a digital certificate from a Connectathon in 2018 or earlier, it will not work for 2019 Connectathons.
- If you generated your digital certificate in GSS before Nov 27, 2018, you must generate a new one.
- Your new digital certificate:
- is from a new Certificate Authority (CA) with a stronger key - 2048 length (before Nov 2018, the CA created certificates with 1024 key length). You must add the certificate for the new CA in your trust store.
- will contain the fully-qualified domain name (FQDN) of your test system. When you use GSS to request the certificate, the tool will prompt you for this value. The FQDN value(s) will be in the subjectAltName entry of your digital certificate. (You may need to provide more than one FQDN when you generate your certificate, eg if you will use your system to test TLS connections outside of the Connectathon network, such as with the NIST XDS Tools in your local test lab.)
- Pre-Connectathon test 11100 contains detailed instructions for generating your certificate, including how to get the fully-qualified domain for your test system on the Connectathon network.
- Item (3.b.) means that each system testing TLS transactions during Connectathon week will have a digital certificate that is compatible with the new FQDN validation option in ATNA. Thus, TLS connections with test partners will work whether the client is performing FQDN validation, or not. This is intentional.
Note that the certificates are only for testing purposes and cannot be used outside of the IHE Connectathon context.
Systems testing ATNA are required to complete the ATNA Questionnaire in the GSS tool, ideally during pre-Connectathon testing. Embedded in the questionnaire are Audit Record tests and TLS tests customized for the profiles & actors you will test at Connectathon.
- Follow instructions in pre-Connectathon test 11106.
- Note: You must use TLS 1.2 and the new digital certificates when performing TLS tests in the questionnaire.
Read the Technical Framework; you are responsible for all requirements in Record Audit Event [ITI-20] transaction. We will not repeat the requirements here.
WHICH SCHEMA???: The ITI Technical Framework defines the Record Audit Event [ITI-20] transaction, and specifies use of the DICOM schema for audit messages.
- The DICOM schema is found in DICOM Part 15, Section A.5.1.
- The Gazelle Security Suite tool uses the DICOM schema with IHE modifications:
- For 2019 Connectathons in NA and EU, the schema used by the tool is based on DICOM 2017c here: https://gazelle.ihe.net/XSD/IHE/ATNA/dicom_ihe_ps3.15_a.5.1_2017c.xsd
We expect implementations to be compliant, and we have tested audit messages using the DICOM schema at IHE Connectathons since 2016.
- The GSS tool will only provide validation against the DICOM schema. If you fail that test, it is our signal to you that your audit messages are not compliant with the latest DICOM schema. See pre-Connectathon test 11116.
- We expect peer-to-peer testing at the Connectathon to occur using messages compliant with the DICOM schema.
- Some might be interested in this email exchange on the IT Tech Cmte email list.
SENDING AUDIT MESSAGES: You can send your audit records to the GSS tool simulating an Audit Record Repository See pre-connectathon test 11117.
Contact Lynn Felhofer, Technical Project Manager for the IT Infrastructure domain.