Overview of the test
In this test, you will use the Gazelle Security Suite (GSS) tool to verify that you are able to communicate with TLS clients and servers using digital certificates. The tool will validate only the TLS connection. The IHE transaction associated with the TLS connection (eg a specific DICOM, HL7 or webservices transaction) is not validated within this tool. That is done in other Connectathon tests.
The GSS tool checks:
- transport over TLS v1.2 including protocol
- cipher suite (TLS_RSA_WITH_AES_128_CBC_SHA),
- certificate authentication
- Digital certificates for pre-Connectathon & Connectathon testing are generated by GSS. See test 11100.
Prerequisite for this test
(1) If you have not yet read the ATNA Testing Resources page, do that before proceeding with this test.
(2) To perform this test, your Connectathon digital certificates must be set up on your system (server and/or client). Follow the instructions in test 11000 to obtain digital certificate(s) for your test system(s).
(3) You should complete your ATNA Questionnaire (test 11106) prior to running this test.
- The ATNA Questionnaire has a "TLS Tests" tab that identifies the inbound /outbound communications you support.
- That tab determines which of the "Server" and "Client" tests that you must run below.
- You will also record your successful results on that tab.
Log in to the tool
There are separate CAS systems for European and North American Connectathons. The European CAS is linked to http://gazelle.ihe.net/EU-CAT/ and the North American CAS is linked to http://ihe.wustl.edu/gazelle-na/. You will use your username & password from Gazelle Test Management for either the European or NA Connectathon:
- On the tool home page (http://gazelle.ihe.net/gss) find the "Login" link at the upper right of the page.
- Select either "European Authentication" or "North American Authentication"
- Enter the username and password from either the European or North American instances of gazelle linked above
Instructions inbound transactions (Server side is tested)
If your SUT acts as a server (responder), when performing pre-Connectathon testing, your server must be accessible from the outside so that the tool as a client simulator, can connect to your SUT.
1. On the home page of the the Gazelle Security Suite tool, find "Test your TLS Implementation" and "TLS Client Simulators"
1. In the "Start Connection" section of the page, you will have to specify, for each supported protocol :
- Client type : protocol supported (HL7, DICOM_ECHO, WEBSERVICE, SYSLOG, or RAW)
- You will test only the protocols you support -- those listed on the "TLS Tests" tab of your ATNA questionnaire
- Target host : public IP of your server
- Target port : public port of your server
2. Then click on "Start client".
3. You should then get a time-stamped entry in the results list. Blue means OK, red NOT OK.
4. For each successful connection, view the result at the bottom of the page using the icon in the "Actions" column. Copy the URL to the result into your ATNA Questionnaire, on the "TLS Tests" tab. The link must be formatted like http://.../connection.seam?id=...
5. Repeat these steps for each supported protocol (HL7v2, DICOM, Syslog client, ...) : e.g., if you system has no DICOM capabilities, you can skip that portion of the test.
Instructions outbound transactions (Client side is tested)
If your SUT acts as a client, you must be able to access to TLS servers public IP. You have to test your client by connecting to test servers of TLS tools.
1. On the home page for the TLS Tools for your connectathon, find the list of server simulators, one per protocol.
You will test only the protocols you support -- those listed on the "TLS Tests" tab of your ATNA questionnaire
2. Configure your client to connect to the test TLS server.
3. Check that the server is started before trying to connect to it. Click on the link for the server you want and look for status "Running"
4. In your SUT, perform a connection (eg send a query) to the test server. The TLS connection is valid, but at transaction level, you will get invalid replies, as we are only checking for the TLS connections.
5. You should then get a timestamped entry in the results list. Blue means OK, red NOT OK.
5. For each successful connection, view the result with the icon in the "Action" column. Copy the URL to the result into your ATNA Questionnaire, on the "TLS Tests" tab The link must be formatted like http://.../connection.seam?id=...
6. Repeat these steps for each supported protocol (HL7v2 , DICOM, Syslog server ...) : e.g., if your system has no DICOM capabilities, you can skip that portion of the test.
The tool reports success or failure for each test you perform. Your test system must demonstrate successful TLS handshake for each inbound and outbound protocol you support.
If you are performing this test in preparation for a Connectathon, a Connectathon monitor will verify your results as follows. The monitor will:
- Access the TLS tests tab in the ATNA questionnaire. You will only do the tests for the protocols your test system supports, and skip the ones you don't support.
- For each "SERVER" tested side :
- The test result must be PASSED.
- In the connection detail, the cipher suite must be TLS_RSA_WITH_AES_128_CBC_SHA
- The protocol must be TLS 1.2.
- During a connectathon, these items can also be verified:
- the SUT host must be the IP specified in the configuration of the system.
- the SUT port must be the one specified in the configuration of the system for the protocol.
- For each "CLIENT" tested side :
- The connection must succeed (blue circle).
- The cipher suite must be TLS_RSA_WITH_AES_128_CBC_SHA.
- The protocol must be TLS 1.2
- During a connectathon, this item can also be verified:
- the host in the SUT address must be the IP specified in the configuration of the system. The port is not verified for outbound transactions.
- The monitor may choose to ask the vendor to re-run a test during the Connectathon if the results raise questions about the system's support TLS.