ATNA testing & digital certificates for IHE Connectathons

ATNA is a widely tested profile.  This page contains guidelines that address frequently asked questions about testing expectations.

THIS PAGE APPLIES TO ATNA TESTING AT IHE CONNECTATHONS IN 2020. 

Important updates to ATNA during 2019

(1) The original ATNA requirements are in the IHE Technical Framework.

ALSO... the IHE IT Infrastructure (ITI) Technical Committee worked on several UPDATES during the past year.  As of September 2019, these are now approved and testable at 2020 IHE Connectathons:

(2) UPDATES to the options related to Authenticate Node [ITI-19].  These changes are in Final Text CP-ITI-1151.  Read it here.

  • Secure Node and Secure Application actors must support one or more of these Secure Transport (i.e., "STX") options:
    • STX: No Secure Transport Option 
    • STX: TLS 1.0 Floor with AES Option
    • STX: TLS 1.0 Floor using BCP195 Option
    • STX: TLS 1.2 Floor using BCP195 Option
    • STX: S/MIME
    • STX: WS-Security
  • FQDN Validation of Server Certificate Option (first tested in Jan/Apr 2019)
  • Note:  The STX Options from CP-ITI-1151 *replace* the following options added in 2019; i.e., these are now deprecated:
    • BCP195 TLS Secure Connection - All TLS Versions Option
    • BCP195 TLS Secure Connection - TLS 1.2 Floor Option

(3) UPDATES in the RESTful ATNA Trial Implementation Supplement, Rev 2.3.  Read it here.

  • Now based on HL7 FHIR R4
  • New options for the Secure Node, Secure Application, Audit Record Repository, and Audit Record Forwarder to enable those actors to specify precisely the Audit Transport (i.e., "ATX") they use to send audit messages.  These actors must support one or more of these options:
    • ATX: FHIR Feed Option
    • ATX: TLS Syslog Option
    • ATX: UDP Syslog Option

Security Policy (TLS & audit) for 2020 IHE NA and EU Connectathons

The options described above introduce variability in the Connectathon testing environment that did not exist in previous Connectathons.  Depending on the ATNA options a Connectathon test system supports, it may be able to support TLS 1.0, TLS 1.1, and/or TLS 1.2, and one or more of several ciphers.  On the Connectathon test floor, different systems with a mix of TLS versions and ciphers would be a barrier to connectivity.

So, in order to ensure interoperability between systems doing peer-to-peer testing over TLS (e.g. XDS, XCA...), the Connectathon technical managers have selected a TLS version and cipher to use for peer-to-peer tests during Connectathon week.  (This is analogous to a hospital mandating similar requirements at a given deployment.)

TLS POLICY for [ITI-19] (same as 2019 Connectathons):

*** For 2020 IHE NA and EU Connectathons, peer-to-peer testing over TLS shall be done using:

    • TLS 1.2
    • cipher TLS_RSA_WITH_AES_128_CBC_SHA
      • (Note that we intentionally chose a 'less secure' cipher for 2019 & 2020 testing: TLS_RSA_WITH_AES_128_CBC_SHA uses static RSA key exchange, so it offers no forward secrecy, and CBC mode with an HMAC-SHA1 MAC, which is why BCP195 does not recommend it.  We anticipate choosing one of the recommended ciphers from BCP195 for future IHE Connectathons.)
    • A digital certificate, issued by the Gazelle Security Suite (GSS) tool.  See the next section.

We have added pre-Connectathon test 11108.  When you perform that test prior to Connectathon, you confirm that the client or server applications in your test system are configured to support the Connectathon policy.
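As an added illustration of the policy above (example code, not from the IHE page or the Gazelle tools), here is how a Python client or server pins itself to TLS 1.2 and TLS_RSA_WITH_AES_128_CBC_SHA, beside an 'STX: TLS 1.2 Floor using BCP195' context for comparison, with a check that mirrors what pre-Connectathon test 11108 expects. The GSS CA file path, the certificate/key paths, the helper names and the exact BCP195 suite list are assumptions; the CA file must be the one exported per test 11100.

```python
"""Added example (not from the IHE page or the Gazelle tools): pin a Python
TLS client or server to the 2020 Connectathon [ITI-19] policy, TLS 1.2 with
TLS_RSA_WITH_AES_128_CBC_SHA, and contrast it with an
'STX: TLS 1.2 Floor using BCP195' configuration.  File paths, helper names
and the exact BCP195 suite list are assumptions."""
import ssl

# OpenSSL's name for the IANA suite TLS_RSA_WITH_AES_128_CBC_SHA.
CONNECTATHON_CIPHER = "AES128-SHA"
# The four suites RFC 7525 (BCP195) section 4.2 recommends, in OpenSSL names
# (assumption: an implementer's BCP195 list must be checked against the RFC).
BCP195_CIPHERS = ("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
                  "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384")


def _pin_to_policy(ctx):
    """TLS 1.2 only (floor and ceiling) and the single policy cipher."""
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(CONNECTATHON_CIPHER)
    return ctx


def connectathon_client_context(gss_ca_file=None, validate_fqdn=True):
    """Client side.  gss_ca_file is the CA certificate exported from GSS
    (None falls back to the OS trust store so this example runs offline).
    validate_fqdn=True is the 'FQDN Validation of Server Certificate' option:
    the server certificate must carry the connected-to name in subjectAltName."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=gss_ca_file)
    ctx.check_hostname = validate_fqdn
    ctx.verify_mode = ssl.CERT_REQUIRED      # the chain must end at the GSS CA either way
    return _pin_to_policy(ctx)


def connectathon_server_context(cert_file, key_file, gss_ca_file):
    """Server side.  ATNA node authentication is mutual, so the server also
    demands and verifies the client's GSS-issued certificate."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=gss_ca_file)
    ctx.load_cert_chain(cert_file, key_file)
    ctx.verify_mode = ssl.CERT_REQUIRED
    return _pin_to_policy(ctx)


def tls12_floor_bcp195_client_context(gss_ca_file=None):
    """'STX: TLS 1.2 Floor using BCP195': TLS 1.2 or newer, forward-secret
    AEAD suites only; TLS 1.3 stays negotiable (its suites are listed separately)."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=gss_ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(BCP195_CIPHERS)
    return ctx


def version_bounds(ctx):
    """('TLSv1_2', 'TLSv1_2') for the policy; ('TLSv1_2', 'MAXIMUM_SUPPORTED') for a floor."""
    return ctx.minimum_version.name, ctx.maximum_version.name


def offered_tls12_ciphers(ctx):
    """Names of the pre-TLS-1.3 suites the context will offer.  OpenSSL keeps
    the TLS 1.3 suites in the same list, so they are filtered out here."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def matches_connectathon_policy(ctx):
    """True when this endpoint can only ever negotiate TLS 1.2 + AES128-SHA,
    i.e. what pre-Connectathon test 11108 expects to see."""
    return (version_bounds(ctx) == ("TLSv1_2", "TLSv1_2")
            and offered_tls12_ciphers(ctx) == [CONNECTATHON_CIPHER])


if __name__ == "__main__":
    for label, ctx in (("Connectathon 2020 policy", connectathon_client_context()),
                       ("STX: TLS 1.2 Floor using BCP195", tls12_floor_bcp195_client_context())):
        print("%-32s versions=%s ciphers=%s policy=%s" % (
            label, version_bounds(ctx), offered_tls12_ciphers(ctx), matches_connectathon_policy(ctx)))
```

Use `connectathon_client_context(gss_ca_file="gss-ca.pem")` for peer-to-peer tests and `validate_fqdn=False` only when you deliberately test a partner that is not doing FQDN validation; the trust anchor stays the GSS CA in both cases. A context that fails `matches_connectathon_policy` will not interoperate on the test floor, which is exactly what test 11108 catches before Connectathon week.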

AUDIT MESSAGE POLICY for [ITI-20]:

Before 2020, an ATNA Audit Record Repository (ARR) was required to support receiving audit messages with TLS syslog and with UDP syslog.  That meant that all Secure Nodes/Applications could send their audit messages to any ARR.

Now, all actors sending and receiving audit messages may choose to support TLS Syslog, UDP Syslog, and/or FHIR Feed for transport.   We expect that the Audit Record Repositories at the NA and EU Connectathons will provide good coverage of the options (TLS, UDP, FHIR), though some ARRs may support a subset.  In particular, the FHIR Feed in ITI-20 may have less support because it is new for 2020.

So, Connectathon technical managers will not select one transport for all audit records exchanged during Connectathon.  Instead, Secure Nodes/Applications will choose, as test partners, ARRs that are compatible with the audit records they send in ITI-20.  Gazelle Test Management will show compatible partners for the peer-to-peer ITI-20 tests "ATNA_Logging_*".

Gazelle Security Suite (GSS) Tool for ATNA testing:

Tool-based testing of TLS (node authentication) and of the format and transport of your audit messages is consolidated in one tool - the Gazelle Security Suite (GSS).

  • Link to the tool: http://gazelle.ihe.net/gss.  
  • Instructions for use of the tool are contained in ATNA test descriptions - here.
  • Recorded training on the Gazelle Security Suite - here 

*** For the 2020 IHE NA and EU Connectathons, we will use the Gazelle Security Suite tool to specifically test the new ATNA options: 

  • client behavior for a Secure Node/Application supporting the 'FQDN Validation of Server Certificate' option
  • the ability of a Secure Node/Application to negotiate down from TLS 1.2 to 1.1 to 1.0 as required by the 'STX: TLS 1.0 Floor using BCP195' option
  • the ability of a Secure Node/Application to require that transactions occur with TLS 1.2 and one of the required ciphers in the 'STX: TLS 1.2 Floor using BCP195' option
  • pre-Connectathon test 11109 contains instructions for testing with the GSS client & server simulators for the new STX options.

==> GSS: Digital Certificates for IHE Connectathons

The Gazelle Security Suite (GSS) tool is the SINGLE PROVIDER OF DIGITAL CERTIFICATES for both NA and EU Connectathons.  

To obtain a digital certificate from the GSS tool for pre-Connectathon & Connectathon testing, follow the instructions in pre-Connectathon test 11100.

Some facts about the digital certificates for Connectathon testing:

  1. If you have a digital certificate from an IHE Connectathon in 2018 or earlier, it will not work for 2020 Connectathons.
  2. The digital certificate you generate in GSS:
    a. is from a new Certificate Authority (CA) with a stronger 2048-bit key (before Nov 2018, the CA issued certificates with 1024-bit keys).  You must add the certificate for the new CA to your trust store.
    b. will contain the fully-qualified domain name (FQDN) of your Connectathon test system.   When you use GSS to request the certificate, the tool will prompt you for this value.  The FQDN value(s) will be in the subjectAltName entry of your digital certificate.  (You may need to provide more than one FQDN when you generate your certificate, e.g., if you will use your system to test TLS connections outside of the Connectathon network, such as using the NIST XDS Tools in your local test lab.)
  3. Pre-Connectathon test 11100 contains detailed instructions for generating your certificate, including how to get the fully-qualified domain name for your test system on the Connectathon network.
  4. Item (2.b.) means that each system testing TLS transactions during Connectathon week will have a digital certificate that is compatible with the FQDN validation option in ATNA.  Thus, TLS connections with test partners will work whether the client is performing FQDN validation, or not.  This is intentional.

Note that the certificates are only for testing purposes and cannot be used outside of the IHE Connectathon context.

==> GSS: ATNA Questionnaire

Systems testing ATNA are required to complete the ATNA Questionnaire in the GSS tool, ideally during pre-Connectathon testing.  Embedded in the questionnaire are Audit Record tests and TLS tests customized for the profiles & actors you will test at Connectathon.

  • Follow instructions in pre-Connectathon test 11106.

==> GSS: ATNA Logging Tests - ATX: TLS Syslog Option

Read the Technical Framework documentation; you are responsible for all requirements in the Record Audit Event [ITI-20] transaction.  We will not repeat the requirements here.

WHICH SCHEMA???:  The ITI Technical Framework defines the Record Audit Event [ITI-20] transaction, and specifies use of the DICOM schema for audit messages sent with the ATX: TLS Syslog Option.  

We expect implementations to be compliant, and we have tested audit messages using the DICOM schema at IHE Connectathons since 2016.

  • The GSS tool will only provide validation against the DICOM schema. If you fail that test, it is our signal to you that your audit messages are not compliant with the latest DICOM schema.  See pre-Connectathon test 11116.
  • We expect peer-to-peer testing at the Connectathon to occur using messages compliant with the DICOM schema.

SENDING AUDIT MESSAGES:   You can send your audit records to the GSS tool simulating an Audit Record Repository.  See pre-Connectathon test 11117.
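As an added illustration of the ATX options listed earlier and of the TLS Syslog section above (example code, not from the IHE page or the GSS tool), the block below builds one audit message in the DICOM schema, wraps it in an RFC 5424 syslog message, and shows the one thing that differs between 'ATX: TLS Syslog' and 'ATX: UDP Syslog' on the wire: the RFC 5425 octet-count framing that a TLS stream needs and a UDP datagram does not, including the receiver-side split an ARR performs. The sample event, host names, process id and the severity default are assumptions; the DICOM element shape is illustrative and the GSS validator (test 11116) remains the authority on the schema.

```python
"""Added example (not the IHE page's or the GSS tool's code): build an ATNA
audit message in the DICOM schema and carry it over the two syslog audit
transports of [ITI-20], 'ATX: TLS Syslog' (RFC 5425, octet-counted frames
over a TLS stream) and 'ATX: UDP Syslog' (RFC 5426, one datagram per
message).  The sample event, host names and the severity default are
assumptions."""
import datetime
import socket
import xml.etree.ElementTree as ET

# RFC 5424 PRI = facility * 8 + severity.  ITI-20 requires facility 10
# (security/authorization).  The severity default below is an assumption:
# check the value ITI TF-2a section 3.20 requires for your event.
FACILITY_SECURITY = 10
SEVERITY_NOTICE = 5
MSGID_DICOM = "IHE+DICOM"          # ITI-20 MSGID announcing the DICOM schema
UTF8_BOM = b"\xef\xbb\xbf"         # RFC 5424 asks for this in front of a UTF-8 MSG


def build_login_audit(user_id, source_ip, audit_source_id, when):
    """Minimal DICOM PS3.15 A.5 AuditMessage for a successful login:
    EventID 110114 'User Authentication', EventTypeCode 110122 'Login'.
    Illustrative shape only: the GSS validator (pre-Connectathon test 11116)
    is the authority on what the DICOM schema requires."""
    root = ET.Element("AuditMessage")
    ev = ET.SubElement(root, "EventIdentification", {
        "EventActionCode": "E",
        "EventDateTime": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "EventOutcomeIndicator": "0"})                    # 0 = success
    ET.SubElement(ev, "EventID", {"csd-code": "110114", "codeSystemName": "DCM",
                                  "originalText": "User Authentication"})
    ET.SubElement(ev, "EventTypeCode", {"csd-code": "110122", "codeSystemName": "DCM",
                                        "originalText": "Login"})
    ET.SubElement(root, "ActiveParticipant", {
        "UserID": user_id, "UserIsRequestor": "true",
        "NetworkAccessPointID": source_ip, "NetworkAccessPointTypeCode": "2"})  # 2 = IP address
    src = ET.SubElement(root, "AuditSourceIdentification", {"AuditSourceID": audit_source_id})
    ET.SubElement(src, "AuditSourceTypeCode", {"csd-code": "4", "codeSystemName": "DCM",
                                               "originalText": "Application Server Process"})
    return ET.tostring(root, encoding="unicode")


def syslog_message(xml_text, hostname, app_name, procid, when, severity=SEVERITY_NOTICE):
    """RFC 5424 wrapper: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG.
    The structured-data element is '-' (none) and the XML is the MSG."""
    pri = FACILITY_SECURITY * 8 + severity
    header = "<%d>1 %s %s %s %s %s -" % (
        pri, when.strftime("%Y-%m-%dT%H:%M:%S.%fZ"), hostname, app_name, procid, MSGID_DICOM)
    return header.encode("ascii") + b" " + UTF8_BOM + xml_text.encode("utf-8")


def frame_for_tls(msg):
    """RFC 5425 octet counting (MSG-LEN SP SYSLOG-MSG).  TLS is a byte stream,
    so without this the ARR cannot tell where one audit record ends."""
    return b"%d %s" % (len(msg), msg)


def split_tls_frames(stream):
    """Receiver side, what an ARR does: peel complete frames off a stream and
    return (messages, leftover), so a partial frame waits for more bytes."""
    messages, pos = [], 0
    while pos < len(stream):
        sp = stream.find(b" ", pos)
        if sp < 0:
            break                                    # length prefix still incomplete
        if not stream[pos:sp].isdigit():
            raise ValueError("not an RFC 5425 frame at offset %d" % pos)
        start, end = sp + 1, sp + 1 + int(stream[pos:sp])
        if end > len(stream):
            break                                    # body still incomplete
        messages.append(stream[start:end])
        pos = end
    return messages, stream[pos:]


def send_tls_syslog(msg, arr_host, ssl_ctx, port=6514):
    """ATX: TLS Syslog.  ssl_ctx is the [ITI-19]-conformant client context
    (GSS CA as trust anchor, own GSS certificate loaded, TLS policy pinned)."""
    with socket.create_connection((arr_host, port)) as raw, \
            ssl_ctx.wrap_socket(raw, server_hostname=arr_host) as tls:
        tls.sendall(frame_for_tls(msg))


def send_udp_syslog(msg, arr_host, port=514):
    """ATX: UDP Syslog (RFC 5426): no framing, one message per datagram,
    and no confirmation that the ARR ever received it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.sendto(msg, (arr_host, port))


def sample_exchange():
    """Constructed sample, not captured traffic: one login event, wrapped and framed."""
    when = datetime.datetime(2020, 1, 27, 10, 15, 0)
    xml_text = build_login_audit("alice", "10.0.0.5", "EHR-DEMO", when)
    msg = syslog_message(xml_text, "ehr.example.test", "ehr-audit", "4242", when)
    return xml_text, msg, frame_for_tls(msg)


if __name__ == "__main__":
    xml_text, msg, frame = sample_exchange()
    print(frame.decode("utf-8"))
    print("ARR side recovers:", split_tls_frames(frame + frame)[0] == [msg, msg])
```

The same bytes go to either transport; only the TLS path prepends the octet count, and only the TLS path gives you authentication of the ARR and a delivery signal (a closed connection or TLS alert), which is why a UDP-only sender has no way to notice a dropped audit record. When you run test 11117 against the GSS ARR simulator, a message rejected by the DICOM schema validator will show up there, not in this framing layer.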

Questions about ATNA Testing?

Contact Lynn Felhofer, Technical Project Manager for the IT Infrastructure domain.

Attachments:
  • IHE_and_Cybersecurity.pdf (158.21 KB)
  • CP-ITI-1151-04-ballot54.pdf (196.39 KB)