11109: Authentication Test

Prerequisite for this test

(1) If you have not yet read the ATNA Testing Resources page, do that before proceeding with this test.

(2) To perform this test, your Connectathon digital certificates must be set up on your system (server and/or client). Follow the instructions in test 11000 to obtain digital certificate(s) for your test system(s).

(3) You should create your ATNA Questionnaire (test 11106) prior to running this test.

  • The ATNA Questionnaire has a "TLS Tests" tab that identifies the inbound/outbound communications you support.
    • That tab determines which of the "Server" and "Client" tests you must run below.
    • You will also record your successful results on that tab.

Overview of the test

In this test, you will use the Gazelle Security Suite (GSS) tool to verify that you are able to communicate with TLS clients and servers using digital certificates.

The GSS tool contains multiple client and server simulators that check:

  • transport over TLS v1.0 or TLS v1.2, including protocol (DICOM, HL7/MLLP, HTTPS/WS, or syslog)
  • cipher suite (TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, and more...),
  • certificate authentication
    • Digital certificates for pre-Connectathon & Connectathon testing are generated by GSS.  See test 11100.

The TLS simulators available in the GSS tool are listed in Column 1 in the following table, along with notes on which you should use for this test:

Simulator Names (keyword):
  -- Server DICOM TLS 1.0 Floor
  -- Server HL7 TLS 1.0 Floor
  -- Server HTTPS/WS TLS 1.0 Floor
  -- Server Syslog TLS 1.0 Floor
To be tested by: Connectathon test system that supports the "STX: TLS 1.0 Floor option" and is a client that...
  -- Initiates a TLS connection with DICOM protocol
  -- Initiates a TLS connection with MLLP protocol (i.e. HL7 v2 sender)
  -- Initiates a TLS connection for a webservices transaction
  -- Initiates a TLS connection to send an audit message over TLS syslog
Simulator config: TLS 1.0 with a 'weak' cipher

Simulator Names (keyword):
  -- Server DICOM TLS 1.2 Floor
  -- Server HL7 TLS 1.2 Floor
  -- Server HTTPS/WS TLS 1.2 Floor
  -- Server Syslog TLS 1.2 Floor
To be tested by: Connectathon test system that supports the "STX: TLS 1.2 Floor option" and is a client that...
  -- Initiates a TLS connection with DICOM protocol
  -- Initiates a TLS connection with MLLP protocol (i.e. HL7 v2 sender)
  -- Initiates a TLS connection for a webservices transaction
  -- Initiates a TLS connection to send an audit message over TLS syslog
Simulator config: TLS 1.2 with 4 'strong' ciphers. You may test with just one of the ciphers.

Simulator Names (keyword):
  -- Server RAW TLS INVALID FQDN
To be tested by: Connectathon test system that is a client supporting the "FQDN Validation of Server Certificate option"
Simulator config: TLS 1.2 with cipher TLS_RSA_WITH_AES_128_CBC_SHA. The certificate has an invalid value for subjectAltName, so a client that validates the server FQDN is expected to reject it.

Simulator Names (keyword):
  -- Client TLS 1.0 Floor
To be tested by: Connectathon test system that supports the "STX: TLS 1.0 Floor option" and is a server that...
  -- Accepts a TLS connection with DICOM protocol
  -- Accepts a TLS connection with MLLP protocol (i.e. HL7 v2 responder)
  -- Accepts a TLS connection for a webservices transaction
  -- Accepts a TLS connection to receive an audit message over TLS syslog
Simulator config: TLS 1.0 with a 'weak' cipher

Simulator Names (keyword):
  -- Client RAW TLS 1.1 BCP195
To be tested by: Connectathon test system that supports the "STX:TLS 1.0 with BCP195 option" and is a server that...
  -- Accepts a TLS connection with DICOM protocol
  -- Accepts a TLS connection with MLLP protocol (i.e. HL7 v2 responder)
  -- Accepts a TLS connection for a webservices transaction
  -- Accepts a TLS connection to receive an audit message over TLS syslog
Simulator config: TLS 1.1 with 4 'strong' ciphers. You may test with just one of the ciphers.

Simulator Names (keyword):
  -- Client TLS 1.2 Floor
To be tested by: Connectathon test system that supports the "STX: TLS 1.2 Floor option" and is a server that...
  -- Accepts a TLS connection with DICOM protocol
  -- Accepts a TLS connection with MLLP protocol (i.e. HL7 v2 responder)
  -- Accepts a TLS connection for a webservices transaction
  -- Accepts a TLS connection to receive an audit message over TLS syslog
Simulator config: TLS 1.2 with 4 'strong' ciphers. You may test with just one of the ciphers.
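The "Server RAW TLS INVALID FQDN" simulator exercises the client-side check that the server certificate's subjectAltName actually covers the host the client connected to. The Python below is an added example (it is not part of this page or of the GSS tool) that implements that check as a stand-alone function over the `(type, value)` pairs Python's `ssl` module returns for subjectAltName. Python's own `check_hostname=True` does the same work inside the library; the explicit version shows the rule a client must apply and why the simulator's certificate has to be refused. The SAN values and host names are constructed samples.

```python
import ipaddress

# Constructed sample of the subjectAltName tuple that ssl.SSLSocket.getpeercert()
# returns: (type, value) pairs. Not a real simulator certificate.
SAMPLE_SAN = (
    ("DNS", "gazelle.example.org"),
    ("DNS", "*.sim.example.org"),
    ("IP Address", "203.0.113.10"),
)


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN value against the host the client connected to.

    Rules (RFC 6125 section 6.4.3, as Python's ssl module applies them):
    comparison is case-insensitive, a trailing dot is ignored, and a wildcard
    is honoured only as the entire left-most label of a name with at least
    three labels. Partial wildcards such as "f*.example.org" are rejected.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "" in p_labels or "" in h_labels or len(p_labels) != len(h_labels):
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    if p_labels[0] == "*":
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    if "*" in p_labels[0]:
        return False
    return p_labels == h_labels


def peer_identity_matches(target: str, san_entries) -> bool:
    """True only if the SAN extension covers the connection target.

    An IP literal is matched against iPAddress entries, a DNS name against
    dNSName entries. Nothing else (in particular the subject CN) is consulted,
    so a certificate whose SAN names a different host is rejected, which is
    exactly the failure the "INVALID FQDN" simulator is built to provoke.
    """
    try:
        target_ip = ipaddress.ip_address(target)
    except ValueError:
        target_ip = None
    for san_type, value in san_entries:
        if target_ip is not None and san_type == "IP Address":
            try:
                if ipaddress.ip_address(value) == target_ip:
                    return True
            except ValueError:
                continue
        elif target_ip is None and san_type == "DNS" and dns_name_matches(value, target):
            return True
    return False


def check_peercert(target: str, peercert: dict) -> bool:
    """Convenience wrapper over the dict that ssl.SSLSocket.getpeercert() returns.
    A certificate with no subjectAltName at all fails the check."""
    return peer_identity_matches(target, peercert.get("subjectAltName", ()))


if __name__ == "__main__":
    for host in ("gazelle.example.org", "host1.sim.example.org",
                 "a.b.sim.example.org", "other.example.org", "203.0.113.10"):
        print(f"{host:28} -> {peer_identity_matches(host, SAMPLE_SAN)}")
```

A client that passes this test must fail the handshake (not merely log a warning) when the function returns False; surfacing the rejected connection in the tool's result list is what the monitor looks for on the "TLS Tests" tab.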

Log in to the GSS tool

There are separate CAS systems for European and North American Connectathons.  The European CAS is linked to http://gazelle.ihe.net/EU-CAT/ and the North American CAS is linked to https://gazelle.iheusa.org/gazelle-na/.   You will use your username & password from Gazelle Test Management for either the European or NA Connectathon:

  • On the tool home page (http://gazelle.ihe.net/gss) find the "Login" link at the upper right of the page.  
  • Select either "European Authentication" or "North American Authentication"
  • Enter the username and password from either the European or North American instances of Gazelle linked above

Instructions for outbound transactions (Client side is tested)

If your test system (SUT) does not act as a client (i.e., does not initiate any transactions), skip this portion of the test and only perform the Server side test below.

If your SUT acts as a client, it must be able to reach the TLS server's public IP address. You test your client by connecting it to the Server Simulators in the Gazelle Security Suite tool.

1. On the home page for the Gazelle Security Suite, select menu TLS/SSL-->Simulators-->Servers to find the list of server simulators. There are servers for different protocols (DICOM, HL7...) and for different ATNA options (TLS 1.2 Floor...).

  • You will test only the protocols you support -- those listed on the "TLS Tests" tab of your ATNA questionnaire.
  • You may choose either the TLS 1.0 or TLS 1.2 servers.  You don't need to use all for this test (but you may choose to do so).

2. Configure your client to connect to the test TLS server.

3. Check that the server is started before trying to connect to it. Click on the link for the server you want and look for status "Running"

4. In your SUT, perform a connection (e.g., send a query) to the test server. The TLS connection is valid, but at the transaction level you will get invalid replies because the simulator only checks the TLS connection.

5. You should then get a timestamped entry in the results list at the bottom of the page. A blue dot means OK, a red dot means NOT OK.

6. For each successful connection, view the result with the icon in the "Action" column. Copy the Permanent link (URL) to the result into your ATNA Questionnaire, on the "TLS Tests" tab. The link must be formatted like https://.../connection.seam?id=...

7. Repeat these steps for each supported protocol (HL7v2, DICOM, Syslog server, ...): e.g., if your system has no DICOM capabilities, you can skip that portion of the test.

Instructions for inbound transactions (Server side is tested)

If your test system (SUT) does not act as a server (i.e., does not respond to any transactions initiated by others), skip this portion of the test and only perform the Client test above.

If your SUT acts as a server (i.e. a responder to IHE transactions), your server must be accessible from the outside so that the GSS tool, as a client simulator, can connect to your SUT. 

1. On the home page for the Gazelle Security Suite, select menu TLS/SSL-->Simulators-->Clients to find the list of client simulators. 

2. In the "Start Connection" section of the page, you will have to specify, for each supported protocol:

  • Client type: protocol supported (HL7, DICOM, WS, SYSLOG, or RAW)
    • You will test only the protocols you support -- those listed on the "TLS Tests" tab of your ATNA questionnaire.
    • You may choose either the TLS 1.0 or TLS 1.2 client.  You don't need to use both for this test (but you may choose to do so).
  • Target host: public IP of your server
  • Target port: public port of your server

3. Then click on "Start client".

4. You should then get a time-stamped entry in the results list. A blue dot means OK, a red dot means NOT OK.

5. For each successful connection, view the result at the bottom of the page using the icon in the "Actions" column. Copy the Permanent Link (URL) to the result into your ATNA Questionnaire, on the "TLS Tests" tab. The link must be formatted like https://.../connection.seam?id=...

6. Repeat these steps for each supported protocol (HL7v2, DICOM, Syslog client, ...): e.g., if your system has no DICOM capabilities, you can skip that portion of the test.
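The outbound and inbound procedures above both come down to the same two settings on the SUT: which TLS version is the floor, which cipher suites are allowed, and (for ATNA) that both ends present a certificate. The Python below is an added example, not code from this page or from the GSS tool. It builds an `ssl.SSLContext` for the client side (what you point at a Server simulator) and for the server side (what the Client simulator connects to) with a TLS 1.2 floor, a restricted cipher list and mutual certificate authentication, plus a probe that reports what a server really negotiated. The certificate file names, the host/port, and the second cipher suite are assumptions; only TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 is named on the page.

```python
import json
import socket
import ssl
import sys

# Cipher suites in OpenSSL naming, as ssl.SSLContext.set_ciphers() expects.
# TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 is named on the test page; the ECDHE
# suite is an assumed second "strong" suite for illustration.
STRONG_SUITES = ("DHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384")


def _apply_policy(ctx, floor, suites):
    """Pin the protocol floor and the TLS 1.2 cipher list on an existing context."""
    ctx.minimum_version = floor
    ctx.set_ciphers(":".join(suites))
    return ctx


def client_context(certfile=None, keyfile=None, cafile=None,
                   floor=ssl.TLSVersion.TLSv1_2, suites=STRONG_SUITES):
    """Context for an outbound connection (the "Client side is tested" procedure).

    Verifies the simulator's chain against cafile, checks the host name
    against the certificate's subjectAltName, and presents the SUT's own
    certificate so the simulator can authenticate the client in turn.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return _apply_policy(ctx, floor, suites)


def server_context(certfile=None, keyfile=None, cafile=None,
                   floor=ssl.TLSVersion.TLSv1_2, suites=STRONG_SUITES):
    """Context for an inbound connection (the "Server side is tested" procedure).

    CERT_REQUIRED makes the handshake fail unless the Client simulator
    presents a certificate chaining to cafile: ATNA authentication is mutual.
    """
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return _apply_policy(ctx, floor, suites)


def policy_summary(ctx):
    """What the context will actually offer or accept, as plain strings.

    TLS 1.3 suites are configured separately by OpenSSL and are not affected
    by set_ciphers(), so only the TLS 1.2 suites are listed here.
    """
    return {
        "floor": ctx.minimum_version.name,
        "verify": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "tls12_suites": sorted(c["name"] for c in ctx.get_ciphers()
                               if c["protocol"] == "TLSv1.2"),
    }


def probe_server(host, port, ctx, server_hostname=None, timeout=10.0):
    """Connect, complete the handshake and return what was negotiated.
    A version/cipher mismatch or a failed certificate check raises ssl.SSLError."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_hostname or host) as tls:
            cert = tls.getpeercert()
            return {"version": tls.version(), "cipher": tls.cipher()[0],
                    "peer_san": cert.get("subjectAltName", ())}


if __name__ == "__main__":
    # Usage: python tls_policy.py <simulator-host> <simulator-port>
    # "sut.crt", "sut.key" and "gss-ca.crt" are placeholder file names for the
    # certificate obtained in test 11000 and the GSS CA certificate.
    host, port = sys.argv[1], int(sys.argv[2])
    ctx = client_context("sut.crt", "sut.key", "gss-ca.crt")
    print(json.dumps(policy_summary(ctx), indent=2))
    print(json.dumps(probe_server(host, port, ctx), indent=2))
```

Running `policy_summary()` on your own context before a Connectathon is a cheap way to confirm that the "TLS 1.2 Floor" and strong-cipher settings are really in force; `probe_server()` against a Server simulator should then show `TLSv1.2` or `TLSv1.3` and one of the configured suites, and the simulator's result list should show the matching blue dot.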

Evaluation 

The tool reports success or failure for each test you perform.  Your test system must demonstrate successful TLS handshake for each inbound and outbound protocol you support.

If you are performing this test in preparation for a Connectathon, a Connectathon monitor will verify your results as follows. The monitor will:

  1. Access the TLS tests tab in the ATNA questionnaire. You only need to perform the tests for the protocols your test system supports, and skip the ones you don't support.
  2. For each tested "SERVER" side:
    • The test result must be PASSED.
    • During a Connectathon, these items can also be verified:
      • the SUT host must be the IP specified in the configuration of the system.
      • the SUT port must be the one specified in the configuration of the system for the protocol.
  3. For each tested "CLIENT" side:
    • The connection must succeed (blue dot).
    • During a Connectathon, this item can also be verified:
      • the host in the SUT address must be the IP specified in the configuration of the system. The port is not verified for outbound transactions.
  4. During the Connectathon, the monitor may choose to ask the vendor to re-run a test if the results raise questions about the system's support of TLS.