Overview
Troubleshooting is a long process of log analysis and knowing which exceptions to expect. Here are quick answers to common questions; they may or may not solve the issue, but they provide a starting point for understanding the problem. If the issue is not covered below, it may be found on the CONNECT Community Forum.
...
Where's the documentation on how to build an adapter?
The reference adapters which come with CONNECT are a great place to start. In general, adapters can be developed on three different interfaces: Java, web services, and secured web services. You can implement the adapter's Java interface and package your implementation in the CONNECT application (EAR), or go for web services. The WSDLs are on GitHub, so if you are familiar with WSDL-first web services you can go that route.
...
...
The EAR is built before this state and can be located in the Target folder. You can deploy this EAR file manually to your server and debug it with your IDE of choice. You may then run the SoapUI Validation Suite manually while using breakpoints and stepping into the methods or features that are failing.
...
Make sure your container server meets the minimum requirements and you have followed all of the setup instructions.
I deployed CONNECT again, and the deploy failed and it ran out of memory. Why?
This is a known issue with Spring and Apache CXF. Remove the EAR deployment, restart the server, and redeploy.
...
Auth framework SAML is a little bit of a different flavor than Single Sign On (SSO) SAML - so there isn't a username/password in the exchange SAML. Unless you are only exchanging with a set of predetermined partners, there is no way to know which users will be attempting to query your exchange.
Suggestion: Develop a set of policies to accept or deny messages based on the information that is in the exchange SAML (Subject ID, Subject Organization, Subject Role, Purpose Of Use, Home Community ID, Organization ID, Resource ID (Optional), National Provider Identifier (Optional)), and then implement a custom CONNECT policy engine adapter to enforce these policies. If a message is OK (per your policies) then you would have some assurances and feel safer about using a single username and password to communicate with your service.
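A sketch of the accept/deny decision such a policy could make, as an added example in Python rather than CONNECT's own adapter code. The attribute keys, allowlists and sample values are constructed; a real policy engine adapter would map the exchange SAML onto them.

```python
# Added example: deny-by-default decision over exchange SAML attributes.
# Attribute keys, allowlists and sample values are constructed for illustration.
from dataclasses import dataclass

REQUIRED = ("subject_id", "subject_organization", "subject_role",
            "purpose_of_use", "home_community_id", "organization_id")

@dataclass(frozen=True)
class Policy:
    trusted_communities: frozenset
    allowed_purposes: frozenset
    allowed_roles: frozenset

def evaluate(policy, attrs):
    """Return (permit, reasons); every failed rule is kept for the audit log."""
    clean = {k: v.strip() for k, v in attrs.items() if isinstance(v, str)}
    reasons = [f"missing {name}" for name in REQUIRED if not clean.get(name)]
    rules = (("home_community_id", policy.trusted_communities),
             ("purpose_of_use", policy.allowed_purposes),
             ("subject_role", policy.allowed_roles))
    for name, allowed in rules:
        value = clean.get(name)
        if value and value not in allowed:
            reasons.append(f"{name} not permitted: {value!r}")
    # Optional attributes are validated only when the sender supplied them.
    npi = clean.get("npi")
    if npi is not None and not (npi.isascii() and npi.isdigit() and len(npi) == 10):
        reasons.append("npi is not a 10-digit identifier")
    return (not reasons, reasons)

# Constructed policy and request (OIDs under the 2.999 example arc).
POLICY = Policy(
    trusted_communities=frozenset({"urn:oid:2.999.1"}),
    allowed_purposes=frozenset({"TREATMENT"}),
    allowed_roles=frozenset({"clinician"}),
)
SAMPLE = {
    "subject_id": "Dr. Example", "subject_organization": "Example Clinic",
    "subject_role": "clinician", "purpose_of_use": "TREATMENT",
    "home_community_id": "urn:oid:2.999.1", "organization_id": "urn:oid:2.999.1.1",
}

if __name__ == "__main__":
    print(evaluate(POLICY, SAMPLE))
    print(evaluate(POLICY, {**SAMPLE, "home_community_id": "urn:oid:2.999.9"}))
```

Messages that fail are denied with every reason listed, so the decision can be logged before the request reaches the backing service.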
How can we implement/Setup MPI?
Master Patient Index (MPI) is not part of CONNECT. There are several MPIs available, like OpenMPI, MirthMatch, NextGen Connect Integration Engine, etc.
You will need to create an Adapter to connect to these MPIs.
...
Try adding the certificate to the CONNECT application keystore (the default one is gateway.jks). If the certificate is self-signed, you may also have to put the certificate in the truststore (the default one is cacerts.jks). CONNECT uses 2-way SSL authentication, so you have to import the CONNECT certificate into your application truststore and also enable 2-way SSL (an eHealth Exchange WS-Security requirement). Please note that the secured Adapter interfaces use the same security policies as that of the health exchange.
...
You can reset the GUI accounts by running the supplied SQL scripts to reset the database to its default CONNECTAdmin account. See Adopters Implementation Guidelines for more information.
How do I change the CONNECT Administrator password?
...
Older versions of CONNECT provided default values that could pass SAML validation on most responding gateways, but CONNECT 5.1 and later versions encourage implementors to provide more appropriate values for parameters such as subject info, since CONNECT does not actually confirm user authenticity.
DNS Certificate issues
CONNECT uses the Direct Java RI for retrieving certificates via DNS. The logic used there checks for an individual certificate first (in your case it would be admin.mail.testserver.com); if this CERT record isn't found, it then looks for the organization certificate at mail.testserver.com.
The PKIX path errors are because one machine doesn't trust the other?
...
This error generally occurs when the saml.properties, signature.properties, and truststore.properties files in the configuration directory are either not found or the values in those files are incorrect/missing.
CONNECT failing to complete SSL Handshake?
Add the system property '-Djavax.net.debug=ssl' to your JVM. This property will output some pretty verbose logging but it's a good way to track the SSL handshake.
...
```xml
<datasource jta="true" jndi-name="<<jndi name>>" pool-name="<<data_source name>>" enabled="true" use-ccm="true">
    <connection-url>jdbc url</connection-url>
    <driver-class>com.mysql.jdbc.Driver</driver-class>
    <driver>mysql-connector-java-5.1.10.jar</driver>
    <security>
        <user-name>username</user-name>
        <password>password</password>
    </security>
    <validation>
        <check-valid-connection-sql>select 1</check-valid-connection-sql>
        <validate-on-match>false</validate-on-match>
        <background-validation>true</background-validation>
        <background-validation-millis>10000</background-validation-millis>
    </validation>
</datasource>
```
SOAP Faults
Large Payload testing: "XDS MISSING DOCUMENT" from my submissions?
The payload did not convert correctly. The payload should be the base64-encoded form of file:///<file path location>.
For example:
Your encoded value should look similar to this: ZmlsZTovLy9jOi9sYXJnZXBheWxvYWQvb3V0Ym91bmQvdGVzdC50eHQ=
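A quick way to check a payload value before submitting, as an added example that is not part of CONNECT; the function names are hypothetical, and the sample value is the one shown above.

```python
# Added example: build and sanity-check a large-payload reference value.
# Function names are hypothetical; PAGE_VALUE is the sample from this page.
import base64

PREFIX = "file:///"
PAGE_VALUE = "ZmlsZTovLy9jOi9sYXJnZXBheWxvYWQvb3V0Ym91bmQvdGVzdC50eHQ="

def encode_payload_reference(path):
    """Base64-encode file:///<path> in the form the page describes."""
    return base64.b64encode((PREFIX + path.lstrip("/")).encode("utf-8")).decode("ascii")

def check_payload_reference(value):
    """Return (ok, detail): the decoded URI on success, otherwise the likely mistake."""
    text = value.strip()
    if text.lower().startswith("file:"):
        return False, "value is a plain file URI; it was never base64 encoded"
    try:
        # validate=True rejects stray characters instead of silently skipping them.
        decoded = base64.b64decode(text, validate=True).decode("utf-8")
    except ValueError:
        return False, "value is not valid base64 text"
    if not decoded.startswith(PREFIX) or not decoded[len(PREFIX):].strip():
        return False, f"decoded value is not a file:///<path> URI: {decoded!r}"
    return True, decoded

if __name__ == "__main__":
    print(check_payload_reference(PAGE_VALUE))
    print(check_payload_reference("file:///c:/largepayload/outbound/test.txt"))
    # A bare path encoded without the file:/// scheme is a common slip.
    print(check_payload_reference(base64.b64encode(b"c:/largepayload/test.txt").decode()))
```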
Better response codes for invalid requests
The wrong format in the subject:role element causes the exception. However, when CONNECT catches any exception, it returns a SOAP fault in the response message along with a 500 error code in the header. The SOAP specification, under section 6.2 SOAP HTTP Response (https://www.w3.org/TR/2000/NOTE-SOAP-20000508/#_Toc478383510), states that requirement.
Validation Suite issues
How to run SoapUI at a remote location?
Change the endpoint so that the message is sent to the correct location.
...
SoapUI ValidationSuite fails to run correctly?
Make sure your SoapUI has the libraries (FileUtils and MySQL jars) installed to run the ValidationSuite.
...
Make sure your GatewayPropDir property points to the nhinc property folder.
Validation tests are failing because of certificate path problems
The keystores were set up for you automatically. If this is the case, your gateway is using self-signed certificates. The Java keystore, gateway.jks, contains your gateway's certificate, which is known by the alias "gateway". This certificate has also been imported into the truststore, cacerts.jks, so that the gateway can make secured connections to itself. You may make secured connections to yourself when testing, so that your local gateway acts as both the requesting and responding gateway, and also at other times depending on your gateway configuration. If you want to send a message to a remote gateway, the same "gateway" certificate must be imported into the remote gateway's truststore.