Versions Compared

Old Version 1

changes.mady.by.user Eric McDonald (Unlicensed)

Saved on

compared with

New Version 2

changes.mady.by.user Eric McDonald (Unlicensed)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


Version#

Date

Modified By

Description of Modification

1.006/20/2017Sovann HuynhConverted from a design document into a full user manual
1.11/4/2018Tabassum JafriAdded Exchange Manager GUI
2.002/01/2018Sovann HuynhAdded Certificate Manager and Test Data Loader, deprecated Connection Manager
2.110/22/2018Tabassum JafriAdded Internal Endpoints properties section.
2.211/02/2018Tabassum JafriUpdated User Accounts and Cross-Gateway Query Client section.
2.304/09/2019Eric McDonaldText corrections on Import Wizard.

Table of Contents

Overview

The Admin GUI allows CONNECT administrators to monitor gateway statistics, test the gateway implementation and manage users and gateway configurations. This graphical administrative console includes the following:

...

Info
titleImportant note regarding UDDIConnectionInfo.xml and internalConnectionInfo.xml

As of CONNECT 5.1, both files have been replaced with the more versatile exchangeInfo.xml and internalExchangeInfo.xml files. For users of CONNECT 5.0 and earlier versions, substitute references to these new files with the original uddiConnectionInfo.xml and internalConnectionInfo.xml files

Login

User names are not case-sensitive but passwords are case sensitive. A default admin user is created during initial deployment.

...

Note
titleSession duration

Default session timeout is set to 10 minutes that is configured in session-config property in web.xml. This can be changed per implementation needs.

Gateway Status 

This is the dashboard view since CONNECT 5.1.

The Gateway Status page provides an overview of the gateway health. This page includes two tabs – Dashboard, and Remote Gateway List and will be used by gateway administrators, to monitor gateway configurations.

Gateway Dashboard

The dashboard provides a view of gateway/system specifications

...

The dashboard also provides important system alerts and notifications. Currently, only digital certificate status updates are included.

Remote Gateway List (Deprecated as of CONNECT 5.1)

The Remote Gateway page lists all the gateways that the CONNECT instance has been communicating with and displays the total transaction count by service. 

...

FIELD

DESCRIPTION

Gateway

Remote gateway name as defined in the Exchange Manager.

Count by service

Total gateway transaction count (inbound or outbound for any service) for a given remote gateway

-          PD

Synchronous PD – Displays total number of incoming PD and outgoing PD transactions

-          (Incoming synchronous PD requests from remote gateway + Outgoing synchronous PD requests to the remote gateway)

If gateway supports Deferred transactions ie. for Deferred PD - Displays total number of incoming PD deferred requests and outgoing PD deferred requests

-          (Incoming deferred PD requests from remote gateway + Outgoing deferred PD requests to the remote gateway +

Incoming deferred PD responses from remote gateway + Outgoing deferred PD responses to the remote gateway )

-          QD

Synchronous only – Displays total number of incoming QD and outgoing QD transactions

- (Incoming synchronous QD requests from remote gateway + Outgoing synchronous QD requests to the remote gateway)

-          RD

Synchronous only – Displays total number of incoming RD and outgoing RD transactions

-          (Incoming synchronous RD requests from remote gateway + Outgoing synchronous RD requests to the remote gateway)

-          DS

Synchronous DS – Displays total number of incoming DS and outgoing DS transactions

-          (Incoming synchronous DS requests from remote gateway +Outgoing synchronous DS requests to the remote gateway)

If gateway supports Deferred transactions ie. for Deferred DS - Displays total number of incoming DS deferred requests and outgoing DS deferred requests

-          (Incoming deferred DS requests from remote gateway + Outgoing deferred DS requests to the remote gateway +

Incoming deferred DS responses from remote gateway + Outgoing deferred DS responses to the remote gateway )

-          AD

Synchronous only – Displays total number of incoming AD and outgoing AD transactions

  • (Incoming synchronous AD requests from remote gateway + Outgoing synchronous AD requests  to the remote gateway)

-          Direct

Displays total number of incoming Direct and outgoing Direct transactions 

  • (Incoming Direct messages from any remote sender + Outgoing Direct messages  to any remote recipient)

Account Management

Access to functionality within the Admin GUI is roles driven. Each user is assigned a role that determines access to pages and hence functions within the Admin GUI. Every role needs to be configured with certain privileges for each page i.e., no access or view/edit access. Implementers should use roles to limit access of certain features to specific users. E.g., a user with say an Admin role can access the Account Management->Create user page and create other users, but a user created with 'User' role should not have such privileges.

User Accounts

Selecting the default User Accounts tab under Accounts Management displays the User Accounts, Create User Page to create a user and Manage User page to delete users. 

...

With CONNECT 5.2 and later, the User Accounts screen has 4 new mandatory fields namely: First name, Middle name or Initial, Last name and Transaction Role. These fields will be used to generate SAML assertion for Cross-Gateway Query client.

Image Modified

Manage Roles

Managing roles allows an admin to set access privileges for each user role. For each of the roles that are configured, access levels for No access, Read only and Read Write can be configured by pages of functionality.

...

Access to functionality within the Admin GUI is roles driven. Each user is assigned a role that determines access to pages and hence functions within the Admin GUI. Every role needs to be configured with certain privileges for each page i.e., no access or view/edit access. Implementers should use roles to limit access of certain features to specific users. E.g., a user with say an Admin role can access the Account Management->Create user page and create other users, but a user created with 'User' role should not have such privileges.

User Accounts

Selecting the default User Accounts tab under Accounts Management displays the User Accounts, Create User Page to create a user and Manage User page to delete users. 

Account Management - User Accounts

Certificate Management

Certificate Management interface is for to simplify the process of creating new certificate and managing self-signed certificates, CA-issued SSL certificates within KeyStore and TrustStore. It is divided into three tabs - Manage KeyStore, Manage TrustStore and Import Wizard

Manage KeyStore

Selecting the default Manage KeyStore tab under Certificate Management displays the Manage KeyStore page that shows list of available Keystores from CONNECT configuration. For security purposes, users can only view certificates from KeyStore list.

...

Certificate Management - Manage KeyStore -  View Certificate Details page

Manage TrustStore

The Manage TrustStore page shows list of available Truststores from CONNECT configuration. Users allowed to import a new certificates into Truststore and edit, delete an existing certificates from Truststore.

...

View Chain of Trust shows associated chained certificates. Select a record and click View Chain of Trust to view certificates chain.

Anchor
Import Wizard
Import Wizard
Import Wizard


Info
titleImport Wizard

While replacing the self-sign certificates with the CA certificates imported using Import Wizard, user must exercise caution and verify, before replacing, if they have imported the root, intermediate(s) and leaf certificates.  

Import Wizard interface partly automated the process of creating new certificate and importing CA certs into CONNECT configuration. It is divided into five tabs - Start, Create Certificate, Certificate Signing Request,CA Providers, Import SSL Certificate. Import Wizard functions as below:

  • Allow user to create new certificate 
  • Allow user to create Certificate Signing Request (CSR/PKCS10)
  • User must manually submit the CSR to their Certificate Authority (CA) to get a trusted certificate for their server
  • Allow user to import server Certificate (CSR Reply) and CA certificates (chain of trust)
  • Creates a backup of KeyStore and TrustStore under CONNECT configuration //importWizard/temp
  • Creates a new KeyStore and TrustStore for replacement under CONNECT configuration //importWizard/new
  • After successful Import Wizard process completion, the user must manually:
    • Replace CONNECT server configuration KeyStore and TrustStore  with the files under //importWizard/new
    • Restart the Server
    • Verify the AdminGUI functionality works and Manage KeyStore, Manage TrustStore list new certificate

...

  • Create a new Certificate.
  • Generate CSR for an existing Certificate 
  • Import SSL Certificate 

Create Certificate Page

FieldDetail
Required Fields
  • Alias
  • CN (Common Name or Entrust Reference Number)
  • OU (Organizational Unit Name)
  • O (Organization Name)
  • C (Country Name)

Certificate Type


X509 certificate

  • Subject: CN, OU, O, C
Exchange

Pre-configure value from caauthority.properties. Selection of Exchange prepopulate: OU, O, C

Alias

User can enter new alias or select an existing alias

CN (Reference Number)

Reference Number for new certificate

OU (Organizational Unit Name)Organizational Unit Name representation for new certificate
O (Organization Name)Organization Name representation for new certificate
C (Country Name)County Name representation for new certificate

...

ActionDetail
Create
  1. Copy the KeyStore to Temporary file
  2. Create a new certificate the given alias
CancelCleans up the temporary files generated by the Import Wizard
NextMoves to the next step in the Import Wizard process

Certificate Signing Request (PKCS10) Page

  • Select the Alias to generate CSR.
  • Generate Certificate Signing Request (CSR) PKCS10
  • Copy the CSR Text or Download the CSR File
  • Submit your CSR to CA Authority

...

ActionDetail
Alias Select Alias to generate CSR text
CopyThis button will send the CSR Text to the clipboard;the CSR can be pasted into text file or text field.
DownloadThis button will open a file screen so that the user can download the file as text: alias_yyyyMMdd.csr
CancelCleans up the temporary files generated by the Import Wizard.
NextMoves to the next step in the Import Wizard.

Verify CSR

There are several ways to verify your CSR:  

...

Verify CSR details as below: Signature Algorithm: SHA256withRSA, Public Key: RSA(2,048 bits)

CA Providers Page

  • Each exchange may have different CA Authority/Provider
  • The link(s) provided in the Available CA Providers tab is pulled from the caauthority.properties file.
  • The links will point to information needed to get a server certificate from CA Authority.
  • Your server certificate (CSR Reply) must be issued by the CA Authority: CA Root and CA Intermediate(s) must be part of chain of trust in your certificate

Getting CSR Reply (server certificate)

Getting your server certificate is a manual process with your CA Authority; At this point you should have

...

View CertificateDetail on Export to File

Under Firefox you will see Certificate Hierarchy

CA Root: GlobalSign Root CA - R2

CA Intermediate: Google Internet Authority G3

Select: CA Root > Click: export

Select: CA Intermediate(s) > Click: export


under google-chrome you will see Certificate Path

CA Root: GlobalSign Root CA - R2

CA Intermediate: Google Internet Authority G3

Select: CA Root > Click: View Certificate

  • Goto: Details > Click: Copy to File

Select: CA Intermediate(s) > Click: View Certificate

  • Goto: Details > Click: Copy to File


Import SSL Certificate Page

This page allows user to import server certificate, CA root and CA intermediate for the selected Alias.

...

Import ResultDetail

Expected result from the import certificate (carequality) chain

  • carequality_root
  • carequality_intermediate

Remote AdminGUI with Shared Certificate

  • Exporting the KeyPair (Alias) from gateway-keystore
  • Importing the KeyPair (Alias) into admingui-keystore
  • Importing the CA certificates (chain of trust) into admingui-truststore
Code Block
titleKeytool export and import server certificate
# keystore (gateway.jks) will be know as gateway-keystore.jks
# truststore (cacerts.jks) will be know as gateway-truststore.jks
# keystore (gateway.jks) will be know as admingui-keystore.jks
# truststore (cacerts.jks) will be know as admingui-keystore.jks

# export your KeyPair (server certificate) alias:gateway
$ keytool -importkeystore -srckeystore gateway-keystore.jks -destkeystore server.p12 -deststoretype PKCS12 -alias gateway

# import your KeyPair:server to AdminGUI alias:gateway
# if your alias are not the same under both server; make sure you rename server.p12 (alias)
$ keytool -importkeystore -srckeystore server.p12 -destkeystore admingui-keystore.jks -srcstoretype pkcs12 -alias gateway

# import your CA certificates (chain of trust) under both KeyStore and TrustStore
$ keytool -import -file caIntermediate.pem -keystore admingui-keystore.jks -alias gateway_intermediate
$ keytool -import -file caRoot.pem -keystore admingui-keystore.jks -alias gateway_root

$ keytool -import -file caIntermediate.pem -keystore admingui-truststore.jks -alias gateway_intermediate
$ keytool -import -file caRoot.pem -keystore admingui-truststore.jks -alias gateway_root

Remote AdminGUI with Self-sign Certificate

  • Import CA Certificates into admingui-truststore

...

Code Block
titleKeytool export and import certificate
#import ca certificate into admingui-truststore (only if the ca certificate need to be replace)
$ keytool -import -file caIntermediate.pem -keystore admingui-truststore.jks -alias gateway_intermediate 
$ keytool -import -file caRoot.pem -keystore admingui-truststore.jks -alias gateway_root

#if you are replacing the self-sign certificate it must be trusted by the gateway and admingui
$ keytool -v -export -rfc -keystore admingui-keystore.jks -alias gateway -file adminguiCert.pem
$ keytool -import -file adminguiCert.pem -keystore gateway-truststore.jks -alias admingui_gateway
$ keytool -import -file adminguiCert.pem -keystore admingui-truststore.jks -alias admingui_gateway

Test Data Loader

Creating and managing test data for use with the CONNECT reference implementation can be handled directly through the Admin GUI. This feature manipulates data in the CONNECT database tables that were created as part of the initial CONNECT setup and deployment process. Future enhancements for converting and exporting the data for use in other test systems are under consideration.

Info

The CONNECT reference adapters use a default MPI XML file configuration. The CONNECT Test Data Loader manages data in the CONNECT patient and document database. To configure the reference adapter to query the patient database for patient matching, set the following in AdapterMpiConfig.xml (in the CONNECT properties directory):

<alias alias="mpichecker" name="mpidbjava" />

Patient data

Patients that have already been created are listed based on the defined patient identifier (note that this is not the database logical ID). 

...

To delete a patient record, simply select the patient and click Delete.

Document data

Documents that have already been created are listed based on the defined document identifier (note that this is not the database logical ID). 

...

Info
titleImportant notes regarding document data
  • Each document must belong to an existing patient (in the patient database).
  • When selecting a patient for a document, an additional patient ID is created in the document database in the following format: <PATIENT.IDENTIFER>+<PATIENT.AA>+&iso. The CONNECT reference implementation uses this formatted value to find documents when an actual Document Query is submitted
  • Uploaded documents will be stored in the document database (in the RawData column) as a base64-encoded blob


Direct Configuration

Several aspects of the Direct configuration from domains to certificate storage locations are defined in the Admin UI. Certificates, trust anchors, and trust bundles themselves can be stored using the Admin GUI tool in the configuration service and accessed through the web service interface. CONNECT has leveraged the Direct RI's config web service for these features.

...

Info
titleDirect configuration editor not appearing?
  • Verify that a CONNECT with Direct ear is deployed (as opposed to a CONNECT ear without the Direct war file)
  • Try restarting the server


Domains

The Domains page under Direct Configuration menu on the left navigation pane describes the list of domains that will be managed by the HISP/STA and allows for managing and updating domain configurations.

...

COLUMN

DESCRIPTION

Name

Domain Name

Postmaster

Postmaster email address for the domain

Created

Creation date

Updated

Last updated date

OPTION

DESCRIPTION

Create New Domain

Selecting this option opens up Create New Domain page in a pop-up modal dialog window

Delete

Checking the select check box associated with the domain and selecting this option deletes the selected domain.

Edit DomainChecking the select check box associated with the domain and selecting this option opens up the Edit domain page in a pop-up modal dialog window

Create New Domain

Create new domains for the HISP that are managed by the STA

Direct Configuration - Create Domain screen


Edit Domain

View or edit the configurations for a selected domain.

Domain Name

Edit the domain name associated with the domain.

Direct Configuration - Edit Domain -> Domain Name screen


Addresses

Edit the email addresses associated with the domain.

Direct Configuration - Edit Domain -> Addresses screen


Anchors

Anchors stored in the configuration service are added and maintained in the Anchors tab of the configuration service Edit Domain page.

...

FIELD

DESCRIPTION

Choose Anchor Certificate

Provides the ability to upload a new anchor to the configuration service. See Choose, Upload, Cancel, Add Anchor for detail

Incoming

Selecting the option allows the trust anchor to be utilized for incoming message processing

Outgoing

Selecting the option allows the trust anchor to be utilized for incoming message processing

Status

(Enabled/Disabled).

OPTION

DESCRIPTION

ChooseSelecting this option opens the file explorer window to select the anchor certificate file to upload.This is the DER encoded certificate file that represents the trust anchor
UploadSelecting this option uploads the selected anchor certificate temporarily(See Add Anchor)

Add Anchor

Clicking Add Anchor will add the anchor to the domain and upload the anchor to the configuration service.

CancelCancels out of the form
Trust Bundles

Configured trust bundles can be added to a domain from the Trust Bundles tab of the configuration service Manage Domains page. Each anchor in the bundle is used to create trust between the domain and the system represented by the anchor. Similar to configuring anchors, each bundle can be set to incoming or outgoing to control the direction of trust.

...

FIELD

DESCRIPTION

Add Trust Bundles

Drop down list of available trust bundles that are already configured in the configuration service. Only displays the trust bundles (names) that have not been associated with the selected domain,

that are available to add

Incoming

If checked, the trust bundle will be utilized for incoming message processing

Outgoing

If checked, the trust bundle will be utilized for outgoing message processing

OPTION

DESCRIPTION

Add Trust Bundle

Clicking Add Trust Bundle will assign trust bundle to the domain .

Agent Settings

Note

CONNECT has leveraged the Direct RI version 3.0.1 for the Direct configuration. The CONNECT team has validated these settings using both WS and KEYSTORE configurations for Anchors, public and private certificates and DNS configurations. LDAP configurations were not tested and will be looked at in the future.

...

FIELDDESCRIPTION
NameAgent Setting Name
ValueAgent Setting Value
OPTIONDESCRIPTION
DeleteDeletes the agent setting
Add New Agent SettingOpens up Add New Agent Setting page to enter in setting name value pair.

Anchor Store Agent Settings

Anchors define the certificates that create trust between domains. Each domain must have at least one outgoing or incoming trust anchors. Anchors can be retrieved from different source mediums including the configuration service.

...

SETTING NAME

VALUE/DESCRIPTION

AnchorStoreType

The storage type of the anchor store. Valid types: 
WS (default): Anchors are stored in the configuration service.(see 6.2.1.1)
LDAP: Anchors are stored in an LDAP server.(see 6.2.1.2)
KEYSTORE: Anchors are stored in a local keystore file.(see 6.2.1.2)

AnchorResolverType

The type of the anchor resolver. Valid types:
Uniform: All domains use the same anchors for all addresses.
Multidomain: Each domain defines its own discrete set of trust anchors.

AnchorKeyStoreFile

For keystore store types, the name of the file that contains the certificates. This can be just a file name, a fully qualified path, or a relative path.

AnchorKeyStoreFilePass

For keystore store types, an optional password used to encrypt the file.

AnchorKeyStorePrivKeyPass

For keystore store types, an optional password used to encrypt private keys.

TrustAnchorLDAPUrl

For LDAP store types, the url to the LDAP server. Consists of the protocol, host, and port. Multiple URLs can be define and are comma delimited. Example: ldap://somehost:389

TrustAnchorLDAPUser

For LDAP store types, the user name credential for connecting to the LDAP store. May be empty if the LDAP server allows anonymous binding.

TrustAnchorLDAPPassword

For LDAP store types, The password credential for connecting to the LDAP store

TrustAnchorLDAPConnTimeout

For LDAP store types, an optional timeout in seconds before the connection is failed

TrustAnchorLDAPSearchBase

For LDAP store types, the distinguished name used as the base of LDAP searches.

TrustAnchorLDAPSearchAttr

For LDAP store types, the attribute in the LDAP store that is used to match a search query.

TrustAnchorLDAPCertAttr

For LDAP store types, the attribute in the search query result that holds the certificate file.

TrustAnchorLDAPCertFormat

For LDAP store types, the format of the certificate in the LDAP store. Valid formats: pkcs12, X.509

TrustAnchorLDAPCertPassphrase

For LDAP store types and pkcs12 files, the pass phrase used to encrypt the certificate.

Web Service Anchor storage

Anchors stored in the configuration service are added and maintained in the Anchors tab of the configuration service Manage Domains page.

Non Web Service Anchor Storage

Anchors stored in non web service mediums such as LDAP or a keystore require a list of aliases or search criteria to locate the certificates in the anchor store. Each domain requires one of two entries in the settings component: one for a list of outgoing anchors and/or one for a list of incoming anchors. The settings use the following format:

...

Note

Regardless of the storage mechanism, a domain should always add its own trust anchor to its list or trusted anchors. This is a security precaution to ensure only users with valid certificates signed by the trust anchor can send from the agent's managed domain(s).

Public Certificate Store Agent Settings

Similar to anchors, public certificates can be retrieved from different source mediums. The public certificate storage medium is configured in the Agent settings page.

...

SETTING NAME

VALUE/DESCRIPTION

PublicStoreType



The storage type of the public certificate store. Valid types: 

DNS: Certificates are resolved using DNS.
KEYSTORE: Certificates are stored in a local keystore file. 
WS: Public certificates are stored in the configuration service. (Private and public certificates stored in the configuration service (using WS StoreType) are added and maintained in the Certificates tab of the Direct Configuration page- see section 6.5)
PublicLDAP: Certificates are resolved from publicly accessible LDAP servers. LDAP servers are resolved dynamically using DNS SRV. 

In some cases, multiple store types may be necessary to resolve a public certificate. For example some HISPs use DNS to distributed public CERT while others may use out of band processes and require a HISP to manually import the CERT(s) into the storage medium. Multiple store types are separated by a comma (,). 

Default Value: DNS,PublicLDAP.

PublicStoreFile

For keystore store types, the name of the file that contains the certificates. This can be just a file name, a fully qualified path, or a relative path.

PublicStoreFilePass

For keystore store types, an optional password used to encrypt the file.

PublicStorePrivKeyPass

For keystore store types, an optional password used to encrypt private keys.

Private Certificate Store Agent Settings

The private certificate storage medium is configured in the Agent settings page 

...

SETTING NAME

VALUE/DESCRIPTION

PrivateStoreType

The storage type of the private certificate store. Valid types: 

WS (default): Certificates are stored in the configuration service. (Private and public certificates stored in the configuration service (using WS StoreType) are added and maintained in the Certificates tab of the Direct Configuration page- see section 6.5)
LDAP: Certificates are stored in an LDAP server.
KEYSTORE: Certificates are stored in a local keystore file.

PrivateStoreFile

For keystore store types, the name of the file that contains the certificates. This can be just a file name, a fully qualified path, or a relative path.

PrivateStoreFilePass

For keystore store types, an optional password used to encrypt the file.

PrivateStorePrivKeyPass

For keystore store types, an optional password used to encrypt private keys.

PrivateStoreLDAPUrl

For LDAP store types, the url to the LDAP server. Consists of the protocol, host, and port. Multiple URLs can be define and are comma delimited. Example: ldap://somehost:389

PrivateStoreLDAPUser

For LDAP store types, the user name credential for connecting to the LDAP store. May be empty if the LDAP server allows anonymous binding.

PrivateStoreLDAPPassword

For LDAP store types, The password credential for connecting to the LDAP store.

PrivateStoreLDAPConnTimeout

For LDAP store types, an optional timeout in seconds before the connection is failed.

PrivateStoreLDAPSearchBase

For LDAP store types, the distinguished name used as the base of LDAP searches.

PrivateStoreLDAPSearchAttr

For LDAP store types, the attribute in the LDAP store that is used to match a search query.

PrivateStoreLDAPCertAttr

For LDAP store types, the attribute in the search query result that holds the certificate file.

PrivateStoreLDAPCertFormat

For LDAP store types, the format of the certificate in the LDAP store. Valid formats: pkcs12, X.509

PrivateStoreLDAPCertPassphrase

For LDAP store types and pkcs12 files, the pass phrase used to encrypt the certificate.

Add New Agent Setting

Selecting Add New Agent Setting option in the Agent Settings page opens up this page for adding key value pairs for agent settings.

Direct Configuration - Add New Agent Setting

Trust Bundles

Trust bundles are a collection of trust anchors that are intended to represent a trust community and generally meet a common set of criteria to be included in the bundle. Trust bundles are packaged into a single file using the PKCS7 standard and distributed via a known URL (the location is discovered out of band). Trust bundles are configured in the Trust Bundles tab of the configuration UI tool.

...

COLUMN

DESCRIPTION

Bundle Name

The bundle name

URL

The URL where the bundle is downloaded from

Checksum

A SHA1 hash of the bundle

Created

Time that the bundle was added to the system

Current As Of

The date when the bundle was last updated in the system

Last Refresh

The date and time when the system last checked for an update. If a newer/different bundle was found, the Current As Of date is also updated.

If not updates were found, then the Current As Of date does not change.

Refresh Interval

How often (in hours) updates are automatically checked.

Note

Automatic refresh of trust bundles has not yet been implemented and will be addressed in future releases. However you can always check for updates manually by clicking the Refresh Bundle option on the Trust Bundles screen.


View Anchors

If you would like to see the anchor within a bundle, simply click the View Anchors link under the bundle name. This will display a list with the Distinguished Name of each anchor.

OPTION

DESCRIPTION

Add New Trust Bundle

Selecting this option pops open Add New Trust Bundle modal window that allows for creating a new trust bundle(See section 6.3.1)

Edit Trust Bundle

Selecting this option pops open Edit Trust Bundle modal window that allows for editing trust bundle(See section 6.3.2)

Delete

Checking the box next to the trust bundles and selecting this option removes a bundle from the system.The user is provided with an alert message for confirmation "Are you sure you want to delete the trust bundle? The trust bundle will be deleted for all domains ". If the user selects Yes, the trust bundle is deleted

Note

If you delete a bundle that has been associated to a domain, the association is automatically removed.


Refresh Bundle

During the operation of your HISP, it may be necessary to update bundles in between their configured refresh cycle. To manually refresh/update a bundle, check the box next to the name of the bundles you want to update and select this option.The user is prompted with a "Refreshing trust bundle" status bar while this update operation is in progress.

View Anchors

Selecting the View Anchors link under the bundle name displays an anchor list with the Distinguished Name of each anchor in a popup dialog as shown below

Add New Trust Bundle

Direct Configuration - Add New Trust Bundle screen

...

FIELD

DESCRIPTION

Name(R)

A unique name of the bundle that describes the trust community of the bundle.

Trust Bundle URL(R)

The fully qualified URL where the trust bundle can be retrieved

Note

Per the Implementation Guide for Direct Project Trust Bundle distribution v1.0, signed Trust Bundles must have a .p7m file name extension, unsigned trust bundles are identified by .p7c or .p7b” file name extension


Signing Certificate(O)

If the bundle has been signed, this is the certificate that signed the bundle to validate the integrity of the bundle. NOTE: It is completely optional to validate the bundle integrity against a signing certificate. If the bundle has not been signed, the signing certificate is ignored.

Refresh Interval(hours)

Indicates the frequency that the system will look for updates to the bundle. If this value is 0, then the system will never automatically look for updates, however you can always check for updates manually by clicking the refresh button.

Note

Automatic refresh of trust bundles has not yet been implemented and will be addressed in future releases. However you can always check for updates manually by clicking the Refresh Bundle option on the Trust Bundles screen.


OPTION

DESCRIPTION

Add Trust Bundle

Selecting the option after adding the fields allows you to add a trust bundle to the Direct configuration, displays the trust bundles list page.

Edit Trust Bundle

Direct Configuration - Edit Selected Trust Bundle screen

...

FIELD

DESCRIPTION

Trust Bundle Name(R)

A unique name of the bundle that describes the trust community of the bundle.

Trust Bundle URL(R)

The fully qualified URL where the trust bundle can be retrieved

Refresh Interval(hours)

Indicates the frequency that the system will look for updates to the bundle. If this value is 0, then the system will never automatically look for updates, however you can always check for updates manually by clicking the refresh button. (Automatic refresh of trust bundles will be addressed in future releases)

OPTION

DESCRIPTION

Update

Update the trust bundle

CancelCancel the form

Certificates

Similar to anchors, public certificates can be retrieved from different source mediums.

...

COLUMN

DESCRIPTION

Owner

Owner of the certificate. The owner is automatically populated by the service when the certificate is added.

Private

true/false - indicating if private or public certificate

Thumbprint

Certificate thumbprint

Created

Timestamp when this certificate was uploaded to the configuration service

Start/End

Certificate timestamp for validity

OPTION

DESCRIPTION

Add New Certificate

Selecting the option opens up the Add New Certificate page in a popup modal dialog to allow adding a new certificate to the config service.

Delete

Selecting this option deletes the selected certificate from the service.

Add New Certificate

Direct Configuration - Add New Certificate screen 

...

FIELD

DESCRIPTION

Certificate

Location of the DER encoded certificate file that represents the private or public certificate that is uploaded to the configuration service. See Choose, Upload and Cancel for more details. 

NOTE: Private certificate files should be pkcs12 encoded files with no encryption on both the file and private key stored in the file.

OPTION

DESCRIPTION

ChooseSelecting this option opens the file explorer window to select the public or private certificate file to upload.This is the DER encoded certificate file
UploadSelecting this option uploads the selected certificate temporarily(See Submit)

Submit

Clicking Submit will add the certificate to the configuration service.

CancelCancels out of the form

MessageSettings

The following settings describe the location where processed messages should be stored. This is intended for debug purposes only and should not be set in a production environment.

...

Setting

Description

RawMessageSaveFolder

The folder where raw messages will be stored. If the folder does not exist, the system will automatically created it as long as the agent's process has permission to do so.

OutgoingMessageSaveFolder

The folder where outgoing messages will be stored. If the folder does not exist, the system will automatically created it as long as the agent's process has permission to do so.

IncomingMessageSaveFolder

The folder where incoming messages will be stored. If the folder does not exist, the system will automatically created it as long as the agent's process has permission to do so.

BadMessageSaveFolder

The folder where bad messages will be stored. If the folder does not exist, the system will automatically created it as long as the agent's process has permission to do so.

Connection Management

Info

As of CONNECT 5.1, Connection Management is replaced with 113311950

...

FIELD

DESCRIPTION

Organization Information

Organization

Single select drop-down that lists all the remote organizations or business entities configured in the Exchange Manager configuration file.

Selecting any business entity updates the business entity fields and the business service fields below to reflect the parameter values for the organization

Name

Business Entity Name as defined in the Exchange Manager configuration file for the selected Organization

Description

Business Entity description as configured in the Exchange Manager configuration file for the selected Organization

Contact

Contact name as configured in the Exchange Manager configuration file for the selected Organization

HCID

Home Community ID as defined in the Exchange Manager configuration file for the selected Organization

RegionsRegion information configured in the Exchange Manager file for the selected Organization
Service Information
Service NameBusiness service Name for the selected Organization
URLEndpoint for the web service
VersionVersion of the service provided
Ping Status

Default is --. Once ping initiated, values are Pass or Fail

If ping successful - Pass.

If ping is not successful - Fail

Last PingTimestamp for last ping for the web service

OPTION

DESCRIPTION

Ping Service

Selecting this option after selecting a particular service pings the service.

If the ping passed, Ping Status displays Pass

If the ping fails, Ping Status displays Fail. A fail could be indicative of some firewall issue, certificate set up issue or some other issue where in the remote service is down

Note

During the ping, a "Loading" status window is displayed as the service ping can take some time.  Do not try to alter anything on the page during this period or navigate to another page


Refresh ConnectionsRefreshes the front end cache of connection endpoints to reflect current state of the business entity's services.

Anchor
Exchange Management
Exchange Management
Exchange Management

Exchange Management provides a way for user to view/edit Exchange information, refresh/download Exchange information and to view and manage connections to remote partners/gateways. The View Exchange Servcies screen as shown below is a view of the exchange information that are configured in the exchangeInfo file organized by the general exchange information and Organizations  i.e., the remote gateway organization. This screen allows users to configure exchange refresh process, initiate Refresh Exchange, add/delete an Exchange, enable/disable Exchange and to provides a ping utility that pings a particular service/or all services to determine if the service(s) is up and running. This will help system administrators test service endpoints and troubleshoot firewall issues, certification validation issues and other connectivity both before functional testing with remote gateways and organizations and to investigate any issues that may arise in production due to changes in the local or exchange partner's gateway.


Image Modified

External Connection screen fields

FIELD

DESCRIPTION

General Settings
Refresh IntervalDuration used for scheduling the next run of Refresh Exchange process. Expressed in minutes.
Maximum No Of BackupsNumber of Backups, that the exchange refresh process is allowed to keep at a given time.
Default ExchangeA drop down that lists all the available exchanges for user. When selected, it will be used to look up services with a given HCID. If not defined, then the service are looked based on organization HCID only.
Exchanges
NameName of the Exchange
TypeExchange type is a mandatory element and can have three values only, LOCAL, UDDI, FHIR
URLUsed for downloading the web services endpoints.
Last UpdatedLast Updated displays the timestamp when the exchange was last refreshed
Refresh ExchangeA button that Enable/Disable an exchange for refresh.
Organizations
ExchangeSingle select drop-down that's lists all the exchanges configured in the Exchange Manager configuration file.

Organization

Single select drop-down that lists all the remote organizations or business entities, for a selected Exchange, configured in the Exchange Manager configuration file.

Selecting any business entity updates the business entity fields and the business service fields below to reflect the parameter values for the organization

Name

Organization Name as defined in the Exchange Manager configuration file for the selected Organization

Description

Organization description as configured in the Exchange Manager configuration file for the selected Organization

Contact

Contact name as configured in the Exchange Manager configuration file for the selected Organization

HCID

Home Community ID as defined in the Exchange Manager configuration file for the selected Organization

Service Information
Service NameBusiness service Name for the selected Organization
URLEndpoint for the web service
VersionVersion of the service provided
Ping Status

Default is --. Once ping initiated, values are Pass or Fail

If ping successful - Pass.

If ping is not successful - Fail

Last PingTimestamp for last ping for the web service

OPTION

DESCRIPTION

Ping Service

Selecting this option after selecting a particular service pings the service.

If the ping passed, Ping Status displays Pass

If the ping fails, Ping Status displays Fail. A fail could be indicative of some firewall issue, certificate set up issue or some other issue where in the remote service is down

Note

During the ping, a "Loading" status window is displayed as the service ping can take some time.  Do not try to alter anything on the page during this period or navigate to another page


Ping All ServicesClicking on Ping All Services, pings all services for a selected Exchange and Organization.

Exchanges Refresh - Schedule, Manual and Locked

The exchanges refresh automatically on the Refresh-Interval and can be force to refresh manually; during Status:Refresh-in-Progress a lock is placed upon the exchange-manager to prevent the modification to ExchangeInfo.xml.

...

  • Delete
  • Save
  • Refresh Exchanges
  • Enabled
  • Disabled

Image Modified

Refresh Exchanges

Clicking on Refresh Exchanges will initiate the Refresh Exchanges process. This will download web services information for all Enabled Exchanges. Below is a screenshot of Exchange Refresh status. 

...

StageSuccess MessageFailure Message
Downloading from the source exchangeDownload SuccessfulDownload failed
Validating Schema Compliance

Schema Validation successful,

Schema Validation skipped(only for UDDI exchange)

Schema Validation failed
Transformation Complete and exchange information is available to CONNECTExchange refresh successfulExchange refresh failed

Adding an Exchange

User can add an Exchange by clicking on New button in Exchanges section. Following information is required for adding an exchange:

  • Name
  • Type
  • URL



Deleteing an Exchange

User can delete an Exchange by selecting one from Exchanges list.

Configuration Management

CONNECT provides various property files that manage gateway configuration. Traditionally these property files are manually updated by the system administrators by locating these files deployed at time of installation in the server directory and then editing these files. With the new Configuration Management tool under the Admin GUI, system administrators with limited technical knowledge will be able to update these property files through a GUI interface that both allows them to view the current set of the properties along with descriptions of appropriate values and update them instantly. This simplifies the overall process for the system administrator.

A list of the gateway and adapter properties that are configured in CONNECT can be found here - Gateway properties and Adapter properties

Gateway Properties

Configuration Management -> Gateway Properties screen 

...

FIELD

DESCRIPTION

Key

Keys from the gateway.properties file.

Not editable.

Description

Description of the property, defined as comments in the gateway.properties file

Not editable.

Value

Property value

Selecting the value for any property allows you to edit the value.

Once edited the value is updated in the properties file.

The user is presented with an alert message as shown below indicating the property is updated

Adapter Properties

Properties -> Adapter Properties Screen

...

FIELD

DESCRIPTION

Key

Keys from the adapter.properties file.

Not editable

Description

Description of the property, defined as comments in the adapter.properties file

Not editable

Value

Property value

Selecting the value for any property allows you to edit the value.

Once edited the value is updated in the properties file.

The user is presented with an Info alert message indicating the property is updated.

Audit Properties   


Configuration Management -> Audit Properties screen 

...

FIELD

DESCRIPTION

Key

Keys from the audit.properties file.

Not editable

Description

Description of the property, defined as comments in the audit.properties file

Not editable

Value

Property value

Selecting the value for any property allows you to edit the value.

Once edited the value is updated in the properties file.

The user is presented with an Info alert message indicating the property is updated.

Internal Endpoints

This interface allows system administrators to edit internal web-services hosted by CONNECT.

...

FIELD

DESCRIPTION

Name

CONNECT internal web service name. 

Version

web service version

URL

endpoint where the web service is hosted.

Selecting the URL for any service allows you to edit the endpoint.

Once edited the updated URL is saved to internalExchangeInfo.xml file.

The user is presented with an Info alert message indicating the property is updated.

Cross-Gateway Query Client

The Cross-Gateway Query Client is a testing tool that is used to validate and test data exchange services like Patient Discovery, Query for Documents and Retrieve Documents. The client allows the system administrator to run preliminary tests to ensure that a particular remote gateway is up and running and can respond to service requests. The client tool allows the users to search for patients in a targeted remote community and retrieve documents.

Info
titleNot intended for exchange certification testing

Please note that test client should not be used for actual certification testing on any exchange. In addition, this requires a gateway to gateway setup. See the initiating and responding gateway setup instructions for pass by reference testing for an example if you are unfamiliar with this process. Using this client in loopback mode is also possible but requires additional re-configurations.


Search patient

The Patient Search tab is the default tab on this screen which allows the user to search patients by demographics. 

...

COLUMN

DESCRIPTION

Name

Name of the person being searched

Patient ID

Patient ID from the remote community

Organization

Remote community name(as defined in the Exchange Manager configuration file)

OPTION

DESCRIPTION

View Details

Selecting the option opens the Document Search tab allowing the user to enter in document search criteria.

Search/View documents

Selecting the View Details option on the Patient Search screen opens up the Document Search screen where the user can enter in search criteria for the documents. The screen displays the Current Patient Details from the PD response and provides the ability to search documents by document type and creation date ranges.

...

View Document Metadata 


View Document 


Logging

User can search Audit and Failure events through Logging GUI.

Audit Search

Audit search is a tool to view and search/filter audit logging events from the Admin GUI without logging into database to track events. Adopters can take advantage of the Audit Search from the System Administrative Module if they choose the Database Audit Logging Implementation. 

...

View Audit Message XML details:


Failure Logging

The failure logging screen allows user to search for a failure event in a service workflow. The user may then view the details of a given error event to learn more about the cause of the service failure.

...