Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

Version#

Date

Modified By

Description of Modification

1.006/20/2017Sovann HuynhConverted from a design document into a full user manual
1.11/4/2018Tabassum JafriAdded Exchange Manager GUI
2.002/01/2018Sovann HuynhAdded Certificate Manager and Test Data Loader, deprecated Connection Manager
2.110/22/2018Tabassum JafriAdded Internal Endpoints properties section.
2.211/02/2018Tabassum JafriUpdated User Accounts and Cross-Gateway Query Client section.
2.304/09/2019Eric McDonaldText corrections on Import Wizard.


Overview

The Admin GUI allows CONNECT administrators to monitor gateway statistics, test the gateway implementation and manage users and gateway configurations. This graphical administrative console includes the following:

  • Controlled user access
  • Basic system overview
  • User accounts management
  • Certificate management
  • Connectivity testing
  • Property files management
  • Gateway to gateway messaging
  • Direct service configuration*

* CONNECT leverages the Direct configuration module from the ONC-sponsored JAVA Direct Reference Implementation (RI) v 3.01.

Important note regarding UDDIConnectionInfo.xml and internalConnectionInfo.xml

As of CONNECT 5.1, both files have been replaced with the more versatile exchangeInfo.xml and internalExchangeInfo.xml files. For users of CONNECT 5.0 and earlier versions, substitute references to these new files with the original uddiConnectionInfo.xml and internalConnectionInfo.xml files

Login

User names are not case-sensitive but passwords are case sensitive. A default admin user is created during initial deployment.

Logging in for the first time?

When Admin GUI is first deployed, log in as ConnectAdmin using the password password. Be sure to change this immediately after logging in for the first time.


Gateway Administrative Console - Login 


Session duration

Default session timeout is set to 10 minutes that is configured in session-config property in web.xml. This can be changed per implementation needs.

Gateway Status 

This is the dashboard view since CONNECT 5.1.

The Gateway Status page provides an overview of the gateway health. This page includes two tabs – Dashboard, and Remote Gateway List and will be used by gateway administrators, to monitor gateway configurations.

Gateway Dashboard

The dashboard provides a view of gateway/system specifications

Gateway Status


Gateway status parameters

ParameterDescription
Operating systemOperating System that CONNECT software is running on
Total Inbound messages

The total number of messages received by the gateway

Total Outbound messages

The total number of messages sent by the gateway

Memory used

Memory utilized by the gateway instance.

Java Version

Java version CONNECT is running on

Application server

Application server/version that CONNECT is running on.

Alerts and notifications

The dashboard also provides important system alerts and notifications. Currently, only digital certificate status updates are included.

Remote Gateway List (Deprecated as of CONNECT 5.1)

The Remote Gateway page lists all the gateways that the CONNECT instance has been communicating with and displays the total transaction count by service. 

Gateway Status - Remote Gateway


Remote Gateway List Display parameters

FIELD

DESCRIPTION

Gateway

Remote gateway name as defined in the Exchange Manager.

Count by service

Total gateway transaction count (inbound or outbound for any service) for a given remote gateway

-          PD

Synchronous PD – Displays total number of incoming PD and outgoing PD transactions

-          (Incoming synchronous PD requests from remote gateway + Outgoing synchronous PD requests to the remote gateway)

If gateway supports Deferred transactions ie. for Deferred PD - Displays total number of incoming PD deferred requests and outgoing PD deferred requests

-          (Incoming deferred PD requests from remote gateway + Outgoing deferred PD requests to the remote gateway +

Incoming deferred PD responses from remote gateway + Outgoing deferred PD responses to the remote gateway )

-          QD

Synchronous only – Displays total number of incoming QD and outgoing QD transactions

- (Incoming synchronous QD requests from remote gateway + Outgoing synchronous QD requests to the remote gateway)

-          RD

Synchronous only – Displays total number of incoming RD and outgoing RD transactions

-          (Incoming synchronous RD requests from remote gateway + Outgoing synchronous RD requests to the remote gateway)

-          DS

Synchronous DS – Displays total number of incoming DS and outgoing DS transactions

-          (Incoming synchronous DS requests from remote gateway +Outgoing synchronous DS requests to the remote gateway)

If gateway supports Deferred transactions ie. for Deferred DS - Displays total number of incoming DS deferred requests and outgoing DS deferred requests

-          (Incoming deferred DS requests from remote gateway + Outgoing deferred DS requests to the remote gateway +

Incoming deferred DS responses from remote gateway + Outgoing deferred DS responses to the remote gateway )

-          AD

Synchronous only – Displays total number of incoming AD and outgoing AD transactions

  • (Incoming synchronous AD requests from remote gateway + Outgoing synchronous AD requests  to the remote gateway)

-          Direct

Displays total number of incoming Direct and outgoing Direct transactions 

  • (Incoming Direct messages from any remote sender + Outgoing Direct messages  to any remote recipient)

Account Management

Access to functionality within the Admin GUI is roles driven. Each user is assigned a role that determines access to pages and hence functions within the Admin GUI. Every role needs to be configured with certain privileges for each page i.e., no access or view/edit access. Implementers should use roles to limit access of certain features to specific users. E.g., a user with say an Admin role can access the Account Management->Create user page and create other users, but a user created with 'User' role should not have such privileges.

User Accounts

Selecting the default User Accounts tab under Accounts Management displays the User Accounts, Create User Page to create a user and Manage User page to delete users. 

Account Management - User Accounts

With CONNECT 5.2 and later, the User Accounts screen has 4 new mandatory fields namely: First name, Middle name or Initial, Last name and Transaction Role. These fields will be used to generate SAML assertion for Cross-Gateway Query client.

Manage Roles

Managing roles allows an admin to set access privileges for each user role. For each of the roles that are configured, access levels for No access, Read only and Read Write can be configured by pages of functionality.

Account Management - Manage Roles Screen

Future releases will allow for creating new roles capability. The default access is defined below, which can be changed  through the Manage User Roles screen.

Default page level access


Account ManagementDirect ConfigAudit SearchConnection ManagementUniversal ClientCONNECT PropertiesFHIR Resources
AdminRead WriteRead WriteRead WriteRead WriteRead WriteRead WriteRead Write
Super UserNo AccessRead WriteRead WriteRead WriteRead WriteRead WriteRead Write
UserNo AccessRead WriteRead WriteRead WriteRead WriteRead WriteRead Write


Manage User Roles screen fields

FIELD

DESCRIPTION

Edit Page Level Access

Select the role that is being configured (Current options: ADMIN, SUPER USER, USER)
Page Name

Pages are listed to configure the access rights by role for each page.

  • Account Management
  • Direct Configuration
Page Level Access
  • No access
  • Read only
  • Read Write

Currently Read only and Read Write both function in the same way ie., both have the same access (read/write). This will be refined in future iterations.

Access to functionality within the Admin GUI is roles driven. Each user is assigned a role that determines access to pages and hence functions within the Admin GUI. Every role needs to be configured with certain privileges for each page i.e., no access or view/edit access. Implementers should use roles to limit access of certain features to specific users. E.g., a user with say an Admin role can access the Account Management->Create user page and create other users, but a user created with 'User' role should not have such privileges.

User Accounts

Selecting the default User Accounts tab under Accounts Management displays the User Accounts, Create User Page to create a user and Manage User page to delete users. 

Account Management - User Accounts

Certificate Management

Certificate Management interface is for to simplify the process of creating new certificate and managing self-signed certificates, CA-issued SSL certificates within KeyStore and TrustStore. It is divided into three tabs - Manage KeyStore, Manage TrustStore and Import Wizard

Manage KeyStore

Selecting the default Manage KeyStore tab under Certificate Management displays the Manage KeyStore page that shows list of available Keystores from CONNECT configuration. For security purposes, users can only view certificates from KeyStore list.

Certificate Management - Manage KeyStore page

Certificate Management - Manage KeyStore -  View Certificate Details page

Manage TrustStore

The Manage TrustStore page shows list of available Truststores from CONNECT configuration. Users allowed to import a new certificates into Truststore and edit, delete an existing certificates from Truststore.

Certificate Management - Manage TrustStore page

Certificate Management - Manage KeyStore -  Import Certificate page

From the Manage TrustStore tab, click on Import. In Import child window, click Choose and browse to the desired certificate. Be sure to click Upload, change Alias name for the newly uploaded certificate and click Import to complete the import process.

Certificate Management - Manage TrustStore -  Delete Certificate

To delete a certificate from the Truststore, select the certificate and click Delete. Certificate will be deleted once after providing the password. Note that, Certificate manager will not allow deletion of its own public certificate.

Certificate Management - Manage TrustStore -  View and edit Certificate

Select a certificate from the list and click View.  In the view Certificate Details window, user allowed to edit only Alias name and click Update Certificate for changes to take place.

Certificate Management - Manage TrustStore -  Refresh certificates

Truststore list can be refreshed after certificate changes have been made without a server restart. Click on the Refresh button to enable the updates.

Certificate Management - Manage TrustStore -  View Chain of Trust 

View Chain of Trust shows associated chained certificates. Select a record and click View Chain of Trust to view certificates chain.

Import Wizard


Import Wizard

While replacing the self-sign certificates with the CA certificates imported using Import Wizard, user must exercise caution and verify, before replacing, if they have imported the root, intermediate(s) and leaf certificates.  

Import Wizard interface partly automated the process of creating new certificate and importing CA certs into CONNECT configuration. It is divided into five tabs - Start, Create Certificate, Certificate Signing Request,CA Providers, Import SSL Certificate. Import Wizard functions as below:

  • Allow user to create new certificate 
  • Allow user to create Certificate Signing Request (CSR/PKCS10)
  • User must manually submit the CSR to their Certificate Authority (CA) to get a trusted certificate for their server
  • Allow user to import server Certificate (CSR Reply) and CA certificates (chain of trust)
  • Creates a backup of KeyStore and TrustStore under CONNECT configuration //importWizard/temp
  • Creates a new KeyStore and TrustStore for replacement under CONNECT configuration //importWizard/new
  • After successful Import Wizard process completion, the user must manually:
    • Replace CONNECT server configuration KeyStore and TrustStore  with the files under //importWizard/new
    • Restart the Server
    • Verify the AdminGUI functionality works and Manage KeyStore, Manage TrustStore list new certificate

Cancel Info

After CSR Reply (real server certificate), Do not use the Cancel button (on New Certificates).  This action will delete the temporary copy and remove the PrivateKey associated with the new certificate

Start Tab

There are three links in the Import Wizard that the user can start:

  • Create a new Certificate.
  • Generate CSR for an existing Certificate 
  • Import SSL Certificate 

Create Certificate Page

FieldDetail
Required Fields
  • Alias
  • CN (Common Name or Entrust Reference Number)
  • OU (Organizational Unit Name)
  • O (Organization Name)
  • C (Country Name)

Certificate Type


X509 certificate

  • Subject: CN, OU, O, C
Exchange

Pre-configure value from caauthority.properties. Selection of Exchange prepopulate: OU, O, C

Alias

User can enter new alias or select an existing alias

CN (Reference Number)

Reference Number for new certificate

OU (Organizational Unit Name)Organizational Unit Name representation for new certificate
O (Organization Name)Organization Name representation for new certificate
C (Country Name)County Name representation for new certificate
ActionDetail
Create
  1. Copy the KeyStore to Temporary file
  2. Create a new certificate the given alias
CancelCleans up the temporary files generated by the Import Wizard
NextMoves to the next step in the Import Wizard process

Certificate Signing Request (PKCS10) Page

  • Select the Alias to generate CSR.
  • Generate Certificate Signing Request (CSR) PKCS10
  • Copy the CSR Text or Download the CSR File
  • Submit your CSR to CA Authority

FieldDetail
CSR Type

Certificate Signing Request type. Import wizard will create PKCS10 format

Alias

Selected alias used to generate CSR text

CSR TextOnce the selected CSR is created: Copy and Download buttons enabled
NextAfter Copy or Download Next button enabled
ActionDetail
Alias Select Alias to generate CSR text
CopyThis button will send the CSR Text to the clipboard;the CSR can be pasted into text file or text field.
DownloadThis button will open a file screen so that the user can download the file as text: alias_yyyyMMdd.csr
CancelCleans up the temporary files generated by the Import Wizard.
NextMoves to the next step in the Import Wizard.

Verify CSR

There are several ways to verify your CSR:  

  • CSR Decoder
  • openssl
  • Keytool or keystore explorer

Verify CSR details as below: Signature Algorithm: SHA256withRSA, Public Key: RSA(2,048 bits)

CA Providers Page

  • Each exchange may have different CA Authority/Provider
  • The link(s) provided in the Available CA Providers tab is pulled from the caauthority.properties file.
  • The links will point to information needed to get a server certificate from CA Authority.
  • Your server certificate (CSR Reply) must be issued by the CA Authority: CA Root and CA Intermediate(s) must be part of chain of trust in your certificate

Getting CSR Reply (server certificate)

Getting your server certificate is a manual process with your CA Authority; At this point you should have

  • Created self-signed certificate (X509)
  • Created certificate signing request (CSR/PKCS10)

You will need to submit your CSR to your CA Authority to get CSR reply (X509/your server certificate)

You need to view your server certificate with Keystore Explorer or Keytool

View CertificateDetail on Export to File

Under Firefox you will see Certificate Hierarchy

CA Root: GlobalSign Root CA - R2

CA Intermediate: Google Internet Authority G3

Select: CA Root > Click: export

Select: CA Intermediate(s) > Click: export


under google-chrome you will see Certificate Path

CA Root: GlobalSign Root CA - R2

CA Intermediate: Google Internet Authority G3

Select: CA Root > Click: View Certificate

  • Goto: Details > Click: Copy to File

Select: CA Intermediate(s) > Click: View Certificate

  • Goto: Details > Click: Copy to File


Import SSL Certificate Page

This page allows user to import server certificate, CA root and CA intermediate for the selected Alias.

Note# if your CA Certificates (Root and Intermediates) are not expired or still in used you do not need to replace your CA-Root and CA-Intermediate(s)

FieldDetails

Required fields

  • Alias
  • Server Certificate

Replacing your chain-of-trust

  • CA Root
  • CA Intermediate(s)

Certificates will be imported for the selected alias

AliasSelect the certificate that you wish to replace.
Server Certificate

Upload your server Certificate

CA Root

Upload your CA Root Certificate

CA Intermediate(s)

Upload your CA Intermediate Certificate(s)

ActionDetail
Choose

Select the file that you wish to upload.

  • File will be uploaded for Server Certificate and CA Root.
Upload

Click Upload is required for the Intermediate(s) since the files are added to the list

The same filename will only count as one file since the file gets replaced

Clear (intermediate)

Clear action will empty the CA Intermediate list.

This will allow the user to empty the list. If a file gets into the list by mistake.

Clear (form)Clear action will empty the input form for new input
Import

Commits the changes to the temporary keystore file.

  • Server Certificate (Alias) publicKey will get replaced
  •  If CA Root and CA Intermediate gets uploaded the new chain-of-trust (alias_root, alias_intermediate_n) will be added
Complete

Create new KeyStore , TrustStore under //importWizard/new folder and this ends the Import Wizard process

User must manually copy the files from new folder to CONNECT server configuration folder to use new certificates

New Certificates view via KeyStore Explorer

Import ResultDetail

Expected result from the import:carequality

  • carequality(publicKey) to be replaced by new certificate

if CA Root and CA intermediate are uploaded

  • old certificates chain to be deleted
  • new certificates chain will be created
  • carequality_root: CA Root certificate
  • carequality_intermediate: CA intermediate
Import ResultDetail

Expected result from the import certificate (carequality) chain

  • carequality_root
  • carequality_intermediate

Remote AdminGUI with Shared Certificate

  • Exporting the KeyPair (Alias) from gateway-keystore
  • Importing the KeyPair (Alias) into admingui-keystore
  • Importing the CA certificates (chain of trust) into admingui-truststore
Keytool export and import server certificate
# keystore (gateway.jks) will be know as gateway-keystore.jks
# truststore (cacerts.jks) will be know as gateway-truststore.jks
# keystore (gateway.jks) will be know as admingui-keystore.jks
# truststore (cacerts.jks) will be know as admingui-keystore.jks

# export your KeyPair (server certificate) alias:gateway
$ keytool -importkeystore -srckeystore gateway-keystore.jks -destkeystore server.p12 -deststoretype PKCS12 -alias gateway

# import your KeyPair:server to AdminGUI alias:gateway
# if your alias are not the same under both server; make sure you rename server.p12 (alias)
$ keytool -importkeystore -srckeystore server.p12 -destkeystore admingui-keystore.jks -srcstoretype pkcs12 -alias gateway

# import your CA certificates (chain of trust) under both KeyStore and TrustStore
$ keytool -import -file caIntermediate.pem -keystore admingui-keystore.jks -alias gateway_intermediate
$ keytool -import -file caRoot.pem -keystore admingui-keystore.jks -alias gateway_root

$ keytool -import -file caIntermediate.pem -keystore admingui-truststore.jks -alias gateway_intermediate
$ keytool -import -file caRoot.pem -keystore admingui-truststore.jks -alias gateway_root

Remote AdminGUI with Self-sign Certificate

  • Import CA Certificates into admingui-truststore

replacing the AdminGUI (certificate)

  • Export certificate from admingui-keystore
  • Import certificate into gateway-truststore
  • Import certificate into admingui-truststore
Keytool export and import certificate
#import ca certificate into admingui-truststore (only if the ca certificate need to be replace)
$ keytool -import -file caIntermediate.pem -keystore admingui-truststore.jks -alias gateway_intermediate 
$ keytool -import -file caRoot.pem -keystore admingui-truststore.jks -alias gateway_root

#if you are replacing the self-sign certificate it must be trusted by the gateway and admingui
$ keytool -v -export -rfc -keystore admingui-keystore.jks -alias gateway -file adminguiCert.pem
$ keytool -import -file adminguiCert.pem -keystore gateway-truststore.jks -alias admingui_gateway
$ keytool -import -file adminguiCert.pem -keystore admingui-truststore.jks -alias admingui_gateway

Test Data Loader

Creating and managing test data for use with the CONNECT reference implementation can be handled directly through the Admin GUI. This feature manipulates data in the CONNECT database tables that were created as part of the initial CONNECT setup and deployment process. Future enhancements for converting and exporting the data for use in other test systems are under consideration.

The CONNECT reference adapters use a default MPI XML file configuration. The CONNECT Test Data Loader manages data in the CONNECT patient and document database. To configure the reference adapter to query the patient database for patient matching, set the following in AdapterMpiConfig.xml (in the CONNECT properties directory):

<alias alias="mpichecker" name="mpidbjava" />

Patient data

Patients that have already been created are listed based on the defined patient identifier (note that this is not the database logical ID). 

Creating and editing patient data is intuitive via the Admin GUI. Click New to add a new patient or select an existing patient and click View/Edit to view and/or edit the data. Be sure to save the data entered in each accordion section separately.

To delete a patient record, simply select the patient and click Delete.

Document data

Documents that have already been created are listed based on the defined document identifier (note that this is not the database logical ID). 

Creating and editing document data is intuitive via the Admin GUI. Click New to add a new document or select an existing document and click View/Edit to view and/or edit the data. Be sure to save the data entered in each accordion section separately.

To delete a document record, simply select the document and click Delete.

Important notes regarding document data

  • Each document must belong to an existing patient (in the patient database).
  • When selecting a patient for a document, an additional patient ID is created in the document database in the following format: <PATIENT.IDENTIFER>+<PATIENT.AA>+&iso. The CONNECT reference implementation uses this formatted value to find documents when an actual Document Query is submitted
  • Uploaded documents will be stored in the document database (in the RawData column) as a base64-encoded blob


Direct Configuration

Several aspects of the Direct configuration from domains to certificate storage locations are defined in the Admin UI. Certificates, trust anchors, and trust bundles themselves can be stored using the Admin GUI tool in the configuration service and accessed through the web service interface. CONNECT has leveraged the Direct RI's config web service for these features.

Configuration is separated into five component:

  • Domains - The list of domains managed by the STA agent.
  • Certificates - Private and optionally public certificate storage.
  • Trust Anchors - Trust anchor certificate storage for coarse grain anchor configuration.
  • Trust Bundles - Collections of anchors published by trust communities.
  • Settings - Configuration settings for numerous components of a HISP. These are generally higher level configuration settings. 

NOTE - Domains, certificates, trust anchors, and trust bundles have specific configuration elements stored in the settings component.

Direct configuration editor not appearing?

  • Verify that a CONNECT with Direct ear is deployed (as opposed to a CONNECT ear without the Direct war file)
  • Try restarting the server


Domains

The Domains page under Direct Configuration menu on the left navigation pane describes the list of domains that will be managed by the HISP/STA and allows for managing and updating domain configurations.

Fig 6: Direct Configuration - Domains screen

The domains list displays all domains associated with the HISP.

Table 6 - Domain List screen display

COLUMN

DESCRIPTION

Name

Domain Name

Postmaster

Postmaster email address for the domain

Created

Creation date

Updated

Last updated date

OPTION

DESCRIPTION

Create New Domain

Selecting this option opens up Create New Domain page in a pop-up modal dialog window

Delete

Checking the select check box associated with the domain and selecting this option deletes the selected domain.

Edit DomainChecking the select check box associated with the domain and selecting this option opens up the Edit domain page in a pop-up modal dialog window

Create New Domain

Create new domains for the HISP that are managed by the STA

Direct Configuration - Create Domain screen


Edit Domain

View or edit the configurations for a selected domain.

Domain Name

Edit the domain name associated with the domain.

Direct Configuration - Edit Domain -> Domain Name screen


Addresses

Edit the email addresses associated with the domain.

Direct Configuration - Edit Domain -> Addresses screen


Anchors

Anchors stored in the configuration service are added and maintained in the Anchors tab of the configuration service Edit Domain page.

Direct Configuration - Edit Domain -> Anchor screen


Adding an anchor

Be sure to click "Add Anchor" after it has finished uploading


Edit Domain - Stored Anchors

COLUMN

DESCRIPTION

Trusted Domain/User

Name of anchor for trusted domain

ThumbprintThumbprint of the anchor certificate
Upload DateDate when certificate was uploaded
Issue DateIssue date of anchor certificate
Expiration DateDate of expiration of anchor certificate
StatusEnabled or Disabled
Incoming(True/False) Indicates whether trust anchor should be utilized for incoming message processing
Outgoing(True/False) Indicates whether trust anchor should be utilized for outgoing message processing

OPTION

DESCRIPTION

DeleteSelecting the Delete option will remove the selected anchor certificate for the domain (from the configuration service)

Edit Domain - Add Another Anchor

FIELD

DESCRIPTION

Choose Anchor Certificate

Provides the ability to upload a new anchor to the configuration service. See Choose, Upload, Cancel, Add Anchor for detail

Incoming

Selecting the option allows the trust anchor to be utilized for incoming message processing

Outgoing

Selecting the option allows the trust anchor to be utilized for incoming message processing

Status

(Enabled/Disabled).

OPTION

DESCRIPTION

ChooseSelecting this option opens the file explorer window to select the anchor certificate file to upload.This is the DER encoded certificate file that represents the trust anchor
UploadSelecting this option uploads the selected anchor certificate temporarily(See Add Anchor)

Add Anchor

Clicking Add Anchor will add the anchor to the domain and upload the anchor to the configuration service.

CancelCancels out of the form
Trust Bundles

Configured trust bundles can be added to a domain from the Trust Bundles tab of the configuration service Manage Domains page. Each anchor in the bundle is used to create trust between the domain and the system represented by the anchor. Similar to configuring anchors, each bundle can be set to incoming or outgoing to control the direction of trust.

Direct Configuration - Edit Domain -> Trust Bundles screen

Assigned Trust Bundles panel lists the trust bundles that are associated with the selected domain

Edit Domain - Assigned Trust Bundles 

COLUMN

DESCRIPTION

Name

Trust Bundle Name

URL

The fully qualified URL where the trust bundle can be retrieved. For trust bundle URLs referencing HTTPS , the appropriate CA or public certs to access the URL have to be trusted by CONNECT application, i.e. imported to the CONNECT application Trust Store. 

ChecksumA SHA1 hash of the bundle

Incoming

(True/False) Indicates whether trust bundle should be utilized for incoming message processing

Outgoing

(True/False) Indicates whether trust bundle should be utilized for for outgoing message processing

OPTION

DESCRIPTION

DeleteSelecting the Delete option will remove the selected anchor certificate for the domain (from the configuration service)


Edit Domain - Add Another Trust Bundle

FIELD

DESCRIPTION

Add Trust Bundles

Drop down list of available trust bundles that are already configured in the configuration service. Only displays the trust bundles (names) that have not been associated with the selected domain,

that are available to add

Incoming

If checked, the trust bundle will be utilized for incoming message processing

Outgoing

If checked, the trust bundle will be utilized for outgoing message processing

OPTION

DESCRIPTION

Add Trust Bundle

Clicking Add Trust Bundle will assign trust bundle to the domain .

Agent Settings

CONNECT has leveraged the Direct RI version 3.0.1 for the Direct configuration. The CONNECT team has validated these settings using both WS and KEYSTORE configurations for Anchors, public and private certificates and DNS configurations. LDAP configurations were not tested and will be looked at in the future.


Direct Configuration - Agent Settings Screen


Agent Settings

FIELDDESCRIPTION
NameAgent Setting Name
ValueAgent Setting Value
OPTIONDESCRIPTION
DeleteDeletes the agent setting
Add New Agent SettingOpens up Add New Agent Setting page to enter in setting name value pair.

Anchor Store Agent Settings

Anchors define the certificates that create trust between domains. Each domain must have at least one outgoing or incoming trust anchors. Anchors can be retrieved from different source mediums including the configuration service.

The anchor storage medium is configured in the settings page of the configuration UI. All settings are configured as simple name/value pairs as defined below

Note – Trust bundles are defined using web services ONLY. Trust anchors can be configured using WS and LDAP, Keystore

Anchor Store Agent Settings parameters

SETTING NAME

VALUE/DESCRIPTION

AnchorStoreType

The storage type of the anchor store. Valid types: 
WS (default): Anchors are stored in the configuration service.(see 6.2.1.1)
LDAP: Anchors are stored in an LDAP server.(see 6.2.1.2)
KEYSTORE: Anchors are stored in a local keystore file.(see 6.2.1.2)

AnchorResolverType

The type of the anchor resolver. Valid types:
Uniform: All domains use the same anchors for all addresses.
Multidomain: Each domain defines its own discrete set of trust anchors.

AnchorKeyStoreFile

For keystore store types, the name of the file that contains the certificates. This can be just a file name, a fully qualified path, or a relative path.

AnchorKeyStoreFilePass

For keystore store types, an optional password used to encrypt the file.

AnchorKeyStorePrivKeyPass

For keystore store types, an optional password used to encrypt private keys.

TrustAnchorLDAPUrl

For LDAP store types, the url to the LDAP server. Consists of the protocol, host, and port. Multiple URLs can be define and are comma delimited. Example: ldap://somehost:389

TrustAnchorLDAPUser

For LDAP store types, the user name credential for connecting to the LDAP store. May be empty if the LDAP server allows anonymous binding.

TrustAnchorLDAPPassword

For LDAP store types, The password credential for connecting to the LDAP store

TrustAnchorLDAPConnTimeout

For LDAP store types, an optional timeout in seconds before the connection is failed

TrustAnchorLDAPSearchBase

For LDAP store types, the distinguished name used as the base of LDAP searches.

TrustAnchorLDAPSearchAttr

For LDAP store types, the attribute in the LDAP store that is used to match a search query.

TrustAnchorLDAPCertAttr

For LDAP store types, the attribute in the search query result that holds the certificate file.

TrustAnchorLDAPCertFormat

For LDAP store types, the format of the certificate in the LDAP store. Valid formats: pkcs12, X.509

TrustAnchorLDAPCertPassphrase

For LDAP store types and pkcs12 files, the pass phrase used to encrypt the certificate.

Web Service Anchor storage

Anchors stored in the configuration service are added and maintained in the Anchors tab of the configuration service Manage Domains page.

Non Web Service Anchor Storage

Anchors stored in non web service mediums such as LDAP or a keystore require a list of aliases or search criteria to locate the certificates in the anchor store. Each domain requires one of two entries in the settings component: one for a list of outgoing anchors and/or one for a list of incoming anchors. The settings use the following format:

  • <domainName>IncomingAnchorAliases
  • <domainName>OutgoingAnchorAliases

The value for each setting is a comma delimited list of the aliases or search criteria that identify the anchor in the anchor store. 

Example settings for the domain direct.connectopensource.org using a keystore:

SETTING NAME

VALUE

direct.connectopensource.orgIncomingAnchorAliases

direct.sitenv.org_ca,microsoft.com

direct.connectopensource.orgOutgoingAnchorAliases

direct.sitenv.org_ca,microsoft.com

Regardless of the storage mechanism, a domain should always add its own trust anchor to its list or trusted anchors. This is a security precaution to ensure only users with valid certificates signed by the trust anchor can send from the agent's managed domain(s).

Public Certificate Store Agent Settings

Similar to anchors, public certificates can be retrieved from different source mediums. The public certificate storage medium is configured in the Agent settings page.

Public Certificate Store Agent  Settings parameters

SETTING NAME

VALUE/DESCRIPTION

PublicStoreType



The storage type of the public certificate store. Valid types: 

DNS: Certificates are resolved using DNS.
KEYSTORE: Certificates are stored in a local keystore file. 
WS: Public certificates are stored in the configuration service. (Private and public certificates stored in the configuration service (using WS StoreType) are added and maintained in the Certificates tab of the Direct Configuration page- see section 6.5)
PublicLDAP: Certificates are resolved from publicly accessible LDAP servers. LDAP servers are resolved dynamically using DNS SRV. 

In some cases, multiple store types may be necessary to resolve a public certificate. For example some HISPs use DNS to distributed public CERT while others may use out of band processes and require a HISP to manually import the CERT(s) into the storage medium. Multiple store types are separated by a comma (,). 

Default Value: DNS,PublicLDAP.

PublicStoreFile

For keystore store types, the name of the file that contains the certificates. This can be just a file name, a fully qualified path, or a relative path.

PublicStoreFilePass

For keystore store types, an optional password used to encrypt the file.

PublicStorePrivKeyPass

For keystore store types, an optional password used to encrypt private keys.

Private Certificate Store Agent Settings

The private certificate storage medium is configured in the Agent settings page 

Private Certificate Store Agent  Settings parameters

SETTING NAME

VALUE/DESCRIPTION

PrivateStoreType

The storage type of the private certificate store. Valid types: 

WS (default): Certificates are stored in the configuration service. (Private and public certificates stored in the configuration service (using WS StoreType) are added and maintained in the Certificates tab of the Direct Configuration page- see section 6.5)
LDAP: Certificates are stored in an LDAP server.
KEYSTORE: Certificates are stored in a local keystore file.

PrivateStoreFile

For keystore store types, the name of the file that contains the certificates. This can be just a file name, a fully qualified path, or a relative path.

PrivateStoreFilePass

For keystore store types, an optional password used to encrypt the file.

PrivateStorePrivKeyPass

For keystore store types, an optional password used to encrypt private keys.

PrivateStoreLDAPUrl

For LDAP store types, the url to the LDAP server. Consists of the protocol, host, and port. Multiple URLs can be define and are comma delimited. Example: ldap://somehost:389

PrivateStoreLDAPUser

For LDAP store types, the user name credential for connecting to the LDAP store. May be empty if the LDAP server allows anonymous binding.

PrivateStoreLDAPPassword

For LDAP store types, The password credential for connecting to the LDAP store.

PrivateStoreLDAPConnTimeout

For LDAP store types, an optional timeout in seconds before the connection is failed.

PrivateStoreLDAPSearchBase

For LDAP store types, the distinguished name used as the base of LDAP searches.

PrivateStoreLDAPSearchAttr

For LDAP store types, the attribute in the LDAP store that is used to match a search query.

PrivateStoreLDAPCertAttr

For LDAP store types, the attribute in the search query result that holds the certificate file.

PrivateStoreLDAPCertFormat

For LDAP store types, the format of the certificate in the LDAP store. Valid formats: pkcs12, X.509

PrivateStoreLDAPCertPassphrase

For LDAP store types and pkcs12 files, the pass phrase used to encrypt the certificate.

Add New Agent Setting

Selecting Add New Agent Setting option in the Agent Settings page opens up this page for adding key value pairs for agent settings.

Direct Configuration - Add New Agent Setting

Trust Bundles

Trust bundles are a collection of trust anchors that are intended to represent a trust community and generally meet a common set of criteria to be included in the bundle. Trust bundles are packaged into a single file using the PKCS7 standard and distributed via a known URL (the location is discovered out of band). Trust bundles are configured in the Trust Bundles tab of the configuration UI tool.

These bundles as wholistic objects and CONNECT does not support exclusion of anchors within the bundle. This is partly because the definition of a bundle indicates that each anchor within the bundle meets the same minimal requirements. The decision to include a bundle becomes a simple binary decision, you either trust the bundle or you don't.

Bundles are configured separately from domains as opposed to the importing of anchors per domain. Each bundle is identified by a name and it’s URL.

Select Trust Bundles tab to display a list of bundles that are imported into the configuration.

Direct Configuration - Trust Bundles screen

Trust Bundles

COLUMN

DESCRIPTION

Bundle Name

The bundle name

URL

The URL where the bundle is downloaded from

Checksum

A SHA1 hash of the bundle

Created

Time that the bundle was added to the system

Current As Of

The date when the bundle was last updated in the system

Last Refresh

The date and time when the system last checked for an update. If a newer/different bundle was found, the Current As Of date is also updated.

If not updates were found, then the Current As Of date does not change.

Refresh Interval

How often (in hours) updates are automatically checked.

Automatic refresh of trust bundles has not yet been implemented and will be addressed in future releases. However you can always check for updates manually by clicking the Refresh Bundle option on the Trust Bundles screen.

View Anchors

If you would like to see the anchor within a bundle, simply click the View Anchors link under the bundle name. This will display a list with the Distinguished Name of each anchor.

OPTION

DESCRIPTION

Add New Trust Bundle

Selecting this option pops open Add New Trust Bundle modal window that allows for creating a new trust bundle(See section 6.3.1)

Edit Trust Bundle

Selecting this option pops open Edit Trust Bundle modal window that allows for editing trust bundle(See section 6.3.2)

Delete

Checking the box next to the trust bundles and selecting this option removes a bundle from the system.The user is provided with an alert message for confirmation "Are you sure you want to delete the trust bundle? The trust bundle will be deleted for all domains ". If the user selects Yes, the trust bundle is deleted

If you delete a bundle that has been associated to a domain, the association is automatically removed.

Refresh Bundle

During the operation of your HISP, it may be necessary to update bundles in between their configured refresh cycle. To manually refresh/update a bundle, check the box next to the name of the bundles you want to update and select this option.The user is prompted with a "Refreshing trust bundle" status bar while this update operation is in progress.

View Anchors

Selecting the View Anchors link under the bundle name displays an anchor list with the Distinguished Name of each anchor in a popup dialog as shown below

Add New Trust Bundle

Direct Configuration - Add New Trust Bundle screen

The Add New Trust Bundle dialog will display the following information:

Add New Trust Bundles screen fields

FIELD

DESCRIPTION

Name(R)

A unique name of the bundle that describes the trust community of the bundle.

Trust Bundle URL(R)

The fully qualified URL where the trust bundle can be retrieved

Per the Implementation Guide for Direct Project Trust Bundle distribution v1.0, signed Trust Bundles must have a .p7m file name extension, unsigned trust bundles are identified by .p7c or .p7b” file name extension

Signing Certificate(O)

If the bundle has been signed, this is the certificate that signed the bundle to validate the integrity of the bundle. NOTE: It is completely optional to validate the bundle integrity against a signing certificate. If the bundle has not been signed, the signing certificate is ignored.

Refresh Interval(hours)

Indicates the frequency that the system will look for updates to the bundle. If this value is 0, then the system will never automatically look for updates, however you can always check for updates manually by clicking the refresh button.

Automatic refresh of trust bundles has not yet been implemented and will be addressed in future releases. However you can always check for updates manually by clicking the Refresh Bundle option on the Trust Bundles screen.

OPTION

DESCRIPTION

Add Trust Bundle

Selecting the option after adding the fields allows you to add a trust bundle to the Direct configuration, displays the trust bundles list page.

Edit Trust Bundle

Direct Configuration - Edit Selected Trust Bundle screen

The Edit Trust Bundle dialog will display the following information:

Edit Selected Trust Bundle screen fields

FIELD

DESCRIPTION

Trust Bundle Name(R)

A unique name of the bundle that describes the trust community of the bundle.

Trust Bundle URL(R)

The fully qualified URL where the trust bundle can be retrieved

Refresh Interval(hours)

Indicates the frequency that the system will look for updates to the bundle. If this value is 0, then the system will never automatically look for updates, however you can always check for updates manually by clicking the refresh button. (Automatic refresh of trust bundles will be addressed in future releases)

OPTION

DESCRIPTION

Update

Update the trust bundle

CancelCancel the form

Certificates

Similar to anchors, public certificates can be retrieved from different source mediums.

The public certificate storage medium is configured in the settings page of the configuration UI.

The private certificate storage medium is configured in the settings page of the configuration UI.

 Private and public certificates stored in the configuration service (WS StoreType) are added and maintained in the Certificates tab of the Direct Configuration page       

Direct Configuration - Certificates screen     

       

Edit Selected Trust Bundle screen fields                  

COLUMN

DESCRIPTION

Owner

Owner of the certificate. The owner is automatically populated by the service when the certificate is added.

Private

true/false - indicating if private or public certificate

Thumbprint

Certificate thumbprint

Created

Timestamp when this certificate was uploaded to the configuration service

Start/End

Certificate timestamp for validity

OPTION

DESCRIPTION

Add New Certificate

Selecting the option opens up the Add New Certificate page in a popup modal dialog to allow adding a new certificate to the config service.

Delete

Selecting this option deletes the selected certificate from the service.

Add New Certificate

Direct Configuration - Add New Certificate screen 

Add New Certificate screen fields

FIELD

DESCRIPTION

Certificate

Location of the DER encoded certificate file that represents the private or public certificate that is uploaded to the configuration service. See Choose, Upload and Cancel for more details. 

NOTE: Private certificate files should be pkcs12 encoded files with no encryption on both the file and private key stored in the file.

OPTION

DESCRIPTION

ChooseSelecting this option opens the file explorer window to select the public or private certificate file to upload.This is the DER encoded certificate file
UploadSelecting this option uploads the selected certificate temporarily(See Submit)

Submit

Clicking Submit will add the certificate to the configuration service.

CancelCancels out of the form

MessageSettings

The following settings describe the location where processed messages should be stored. This is intended for debug purposes only and should not be set in a production environment.

MessageTypes:

  • Raw: The raw message that entered the SMTP agent.
  • Outgoing: If the message is determined to be an outgoing message, the security and trust processed outgoing message.
  • Incoming: If the message is determined to be an incoming message, the security and trust processed incoming message.
  • Bad: Messages that failed to be processed or caused other errors to be the thrown.

Table 20 - Message Setting values

Setting

Description

RawMessageSaveFolder

The folder where raw messages will be stored. If the folder does not exist, the system will automatically created it as long as the agent's process has permission to do so.

OutgoingMessageSaveFolder

The folder where outgoing messages will be stored. If the folder does not exist, the system will automatically created it as long as the agent's process has permission to do so.

IncomingMessageSaveFolder

The folder where incoming messages will be stored. If the folder does not exist, the system will automatically created it as long as the agent's process has permission to do so.

BadMessageSaveFolder

The folder where bad messages will be stored. If the folder does not exist, the system will automatically created it as long as the agent's process has permission to do so.

Connection Management

As of CONNECT 5.1, Connection Management is replaced with 113311950

Connection Management provides the administrator the option to view and manage connections to remote partners/gateways. The View External Connections screen as shown below is a view of the connections that are configured in the Web services registry or the exchangeInfo file organized by the Business entity i.e., the remote gateway organization. This screen allows for a ping utility that pings a particular service to determine if the service is up and running. This will help system administrators test service endpoints and troubleshoot firewall issues, certification validation issues and other connectivity both before functional testing with remote gateways and organizations and to investigate any issues that may arise in production due to changes in the local or exchange partner's gateway.

Connection Management -> View External Connections screen 


External Connection screen fields

FIELD

DESCRIPTION

Organization Information

Organization

Single select drop-down that lists all the remote organizations or business entities configured in the Exchange Manager configuration file.

Selecting any business entity updates the business entity fields and the business service fields below to reflect the parameter values for the organization

Name

Business Entity Name as defined in the Exchange Manager configuration file for the selected Organization

Description

Business Entity description as configured in the Exchange Manager configuration file for the selected Organization

Contact

Contact name as configured in the Exchange Manager configuration file for the selected Organization

HCID

Home Community ID as defined in the Exchange Manager configuration file for the selected Organization

RegionsRegion information configured in the Exchange Manager file for the selected Organization
Service Information
Service NameBusiness service Name for the selected Organization
URLEndpoint for the web service
VersionVersion of the service provided
Ping Status

Default is --. Once ping initiated, values are Pass or Fail

If ping successful - Pass.

If ping is not successful - Fail

Last PingTimestamp for last ping for the web service

OPTION

DESCRIPTION

Ping Service

Selecting this option after selecting a particular service pings the service.

If the ping passed, Ping Status displays Pass

If the ping fails, Ping Status displays Fail. A fail could be indicative of some firewall issue, certificate set up issue or some other issue where in the remote service is down

During the ping, a "Loading" status window is displayed as the service ping can take some time.  Do not try to alter anything on the page during this period or navigate to another page

Refresh ConnectionsRefreshes the front end cache of connection endpoints to reflect current state of the business entity's services.

Exchange Management

Exchange Management provides a way for user to view/edit Exchange information, refresh/download Exchange information and to view and manage connections to remote partners/gateways. The View Exchange Servcies screen as shown below is a view of the exchange information that are configured in the exchangeInfo file organized by the general exchange information and Organizations  i.e., the remote gateway organization. This screen allows users to configure exchange refresh process, initiate Refresh Exchange, add/delete an Exchange, enable/disable Exchange and to provides a ping utility that pings a particular service/or all services to determine if the service(s) is up and running. This will help system administrators test service endpoints and troubleshoot firewall issues, certification validation issues and other connectivity both before functional testing with remote gateways and organizations and to investigate any issues that may arise in production due to changes in the local or exchange partner's gateway.


External Connection screen fields

FIELD

DESCRIPTION

General Settings
Refresh IntervalDuration used for scheduling the next run of Refresh Exchange process. Expressed in minutes.
Maximum No Of BackupsNumber of Backups, that the exchange refresh process is allowed to keep at a given time.
Default ExchangeA drop down that lists all the available exchanges for user. When selected, it will be used to look up services with a given HCID. If not defined, then the service are looked based on organization HCID only.
Exchanges
NameName of the Exchange
TypeExchange type is a mandatory element and can have three values only, LOCAL, UDDI, FHIR
URLUsed for downloading the web services endpoints.
Last UpdatedLast Updated displays the timestamp when the exchange was last refreshed
Refresh ExchangeA button that Enable/Disable an exchange for refresh.
Organizations
ExchangeSingle select drop-down that's lists all the exchanges configured in the Exchange Manager configuration file.

Organization

Single select drop-down that lists all the remote organizations or business entities, for a selected Exchange, configured in the Exchange Manager configuration file.

Selecting any business entity updates the business entity fields and the business service fields below to reflect the parameter values for the organization

Name

Organization Name as defined in the Exchange Manager configuration file for the selected Organization

Description

Organization description as configured in the Exchange Manager configuration file for the selected Organization

Contact

Contact name as configured in the Exchange Manager configuration file for the selected Organization

HCID

Home Community ID as defined in the Exchange Manager configuration file for the selected Organization

Service Information
Service NameBusiness service Name for the selected Organization
URLEndpoint for the web service
VersionVersion of the service provided
Ping Status

Default is --. Once ping initiated, values are Pass or Fail

If ping successful - Pass.

If ping is not successful - Fail

Last PingTimestamp for last ping for the web service

OPTION

DESCRIPTION

Ping Service

Selecting this option after selecting a particular service pings the service.

If the ping passed, Ping Status displays Pass

If the ping fails, Ping Status displays Fail. A fail could be indicative of some firewall issue, certificate set up issue or some other issue where in the remote service is down

During the ping, a "Loading" status window is displayed as the service ping can take some time.  Do not try to alter anything on the page during this period or navigate to another page

Ping All ServicesClicking on Ping All Services, pings all services for a selected Exchange and Organization.

Exchanges Refresh - Schedule, Manual and Locked

The exchanges refresh automatically on the Refresh-Interval and can be force to refresh manually; during Status:Refresh-in-Progress a lock is placed upon the exchange-manager to prevent the modification to ExchangeInfo.xml.

When the Exchange-Manager is Status:Refresh-in-Progress the following functions will be disable:

  • Delete
  • Save
  • Refresh Exchanges
  • Enabled
  • Disabled

Refresh Exchanges

Clicking on Refresh Exchanges will initiate the Refresh Exchanges process. This will download web services information for all Enabled Exchanges. Below is a screenshot of Exchange Refresh status. 

If Refresh Exchange for an exchange is not successful for any reason, the Exchange name will be displayed in Red.


Following is a list of  Refresh Exchange Stages and the associated statues displayed on Exchange Refresh Status screen:

StageSuccess MessageFailure Message
Downloading from the source exchangeDownload SuccessfulDownload failed
Validating Schema Compliance

Schema Validation successful,

Schema Validation skipped(only for UDDI exchange)

Schema Validation failed
Transformation Complete and exchange information is available to CONNECTExchange refresh successfulExchange refresh failed

Adding an Exchange

User can add an Exchange by clicking on New button in Exchanges section. Following information is required for adding an exchange:

  • Name
  • Type
  • URL



Deleteing an Exchange

User can delete an Exchange by selecting one from Exchanges list.

Configuration Management

CONNECT provides various property files that manage gateway configuration. Traditionally these property files are manually updated by the system administrators by locating these files deployed at time of installation in the server directory and then editing these files. With the new Configuration Management tool under the Admin GUI, system administrators with limited technical knowledge will be able to update these property files through a GUI interface that both allows them to view the current set of the properties along with descriptions of appropriate values and update them instantly. This simplifies the overall process for the system administrator.

A list of the gateway and adapter properties that are configured in CONNECT can be found here - Gateway properties and Adapter properties

Gateway Properties

Configuration Management -> Gateway Properties screen 


Gateway Properties screen fields

FIELD

DESCRIPTION

Key

Keys from the gateway.properties file.

Not editable.

Description

Description of the property, defined as comments in the gateway.properties file

Not editable.

Value

Property value

Selecting the value for any property allows you to edit the value.

Once edited the value is updated in the properties file.

The user is presented with an alert message as shown below indicating the property is updated

Adapter Properties

Properties -> Adapter Properties Screen


Adapter Properties screen fields

FIELD

DESCRIPTION

Key

Keys from the adapter.properties file.

Not editable

Description

Description of the property, defined as comments in the adapter.properties file

Not editable

Value

Property value

Selecting the value for any property allows you to edit the value.

Once edited the value is updated in the properties file.

The user is presented with an Info alert message indicating the property is updated.

Audit Properties   


Configuration Management -> Audit Properties screen 

Audit Properties screen fields

FIELD

DESCRIPTION

Key

Keys from the audit.properties file.

Not editable

Description

Description of the property, defined as comments in the audit.properties file

Not editable

Value

Property value

Selecting the value for any property allows you to edit the value.

Once edited the value is updated in the properties file.

The user is presented with an Info alert message indicating the property is updated.

Internal Endpoints

This interface allows system administrators to edit internal web-services hosted by CONNECT.


Internal Endpoints Properties screen fields

FIELD

DESCRIPTION

Name

CONNECT internal web service name. 

Version

web service version

URL

endpoint where the web service is hosted.

Selecting the URL for any service allows you to edit the endpoint.

Once edited the updated URL is saved to internalExchangeInfo.xml file.

The user is presented with an Info alert message indicating the property is updated.

Cross-Gateway Query Client

The Cross-Gateway Query Client is a testing tool that is used to validate and test data exchange services like Patient Discovery, Query for Documents and Retrieve Documents. The client allows the system administrator to run preliminary tests to ensure that a particular remote gateway is up and running and can respond to service requests. The client tool allows the users to search for patients in a targeted remote community and retrieve documents.

Not intended for exchange certification testing

Please note that test client should not be used for actual certification testing on any exchange. In addition, this requires a gateway to gateway setup. See the initiating and responding gateway setup instructions for pass by reference testing for an example if you are unfamiliar with this process. Using this client in loopback mode is also possible but requires additional re-configurations.


Search patient

The Patient Search tab is the default tab on this screen which allows the user to search patients by demographics. 

Patient Search Screen


Patient Search screen fields                  

FIELD

DESCRIPTION

Organization

Single select drop-down that lists all the remote organizations or business entities configured in the Exchange Manager configuration file

Purpose of Patient/Document RequestFrom CONNECT 5.2, this feature is available. A drop-down list used to populate assertion-->userInfo→ roleCoded element in the Entity Request.

First Name

First name of the person being searched (Required)

Last Name

Last name of the person being searched (Required)

Date of Birth

Date of birth of the person being searched (Required)

Gender

Single select drop-down for gender of the person being searched (Required)

OPTION

DESCRIPTION

Search

Selecting the option triggers a patient discovery (PD) request targeted to the remote community identified in the Organization field.

  • If any of the fields are not populated the user is prompted with an alert message e.g. 'First Name required'
  • If user do not have valid assertion data, an error message is displayed "ERROR: <username> does not have valid assertion data."
  • Searching Patient progress bar is displayed while the search is in progress.

 Patient search results table is displayed when patients are returned in the PD response.(See Fig 25)

If no patients are returned, the user is presented with a message ' Patient Not Found'

Clear

Selecting this option removes all the data that has been entered on the screen so that the search fields can be entered in again.


Patient Search Results

Patient Search results fields                  

COLUMN

DESCRIPTION

Name

Name of the person being searched

Patient ID

Patient ID from the remote community

Organization

Remote community name(as defined in the Exchange Manager configuration file)

OPTION

DESCRIPTION

View Details

Selecting the option opens the Document Search tab allowing the user to enter in document search criteria.

Search/View documents

Selecting the View Details option on the Patient Search screen opens up the Document Search screen where the user can enter in search criteria for the documents. The screen displays the Current Patient Details from the PD response and provides the ability to search documents by document type and creation date ranges.

Document Search screen

Document Search screen fields                  

FIELD

DESCRIPTION

Current Patient Details:

Name

First name and last name of the of the patient

Patient ID

Patient ID from the remote community

Organization

Remote community name(as defined in the Exchange Manager configuration file)

Gender

Patient gender

Date of Birth

Patient date of birth

PhonePatient phone
Document Search Criteria:
Document Type (optional)

Multiple select options for document types to be searched for the patient(Optional).

Available document types are loaded from the <nhinc.properties.dir>/documentTypes.properties property file. Based on the use cases, the adopter can configure this file with the supported document types for their implementation.

Document Creation Date Range (optional)From and To Times for Document Creation Date. A creation specifies the date a document was created and stored electronically - not necessarily the date of a patient's visit.

OPTION

DESCRIPTION

Search

Selecting the option triggers a query for documents (QD) request targeted to the remote community.

  • Getting Document progress bar is displayed while the search is in progress.

Document search results table is displayed for the documents returned in the QD response.(Fig 27)

If no documents are returned, the user is presented with a message ' No Documents Found'

Clear

Selecting this option removes all the data that has been entered on the screen so that the search fields can be entered in again.

Document Query Results

Document Query results 

COLUMN

DESCRIPTION

Document IDUnique document ID metadata value associated with the document
Document TypeDocument Entry Type Code description associated with the document

Content Type

Mime Type metadata value associated with the document

Title

Title metadata value associated with the document

Creation Tine

Creation Time metadata value associated with the document

SizeSize metadata value associated with the document

OPTION

DESCRIPTION

Metadata

Selecting the option opens up a metadata modal window that displays the document metadata associated with the document.(Fig 28).

The Document metadata page lists some key metadata values associated with the Document Entry returned in the query response

Open

Selecting the option triggers a Retrieve document (RD) request to the remote community and displays the document in a modal window (Fig 29)

For CDA document, a style sheet is used to render the document in html form

Start OverSelecting this option on the screen will allow the user to start a new patient search

View Document Metadata 


View Document 


Logging

User can search Audit and Failure events through Logging GUI.

Audit Search

Audit search is a tool to view and search/filter audit logging events from the Admin GUI without logging into database to track events. Adopters can take advantage of the Audit Search from the System Administrative Module if they choose the Database Audit Logging Implementation. 

The audit search on this screen which allows the user to search audit events by providing Audit query parameters.


Audit Search Screen

Audit Search screen fields                  

FIELD

DESCRIPTION

Start Time

Start time of Event transaction. Start time specifies begin transaction time. (optional)

End Time

End time of Event transaction. User can view status of transactions performed over the period by choosing Start time and End time. (optional)

Requester/User

Name of the user that initiated the transaction. (Ex: kskagerb or CN=localhost) optional)

Service

Service name for NwHIN transactions. (Ex: PatientDiscovery, DocumentQuery ) (optional)

Organization

Single select drop-down that lists all the remote organizations or business entities configured in the Exchange Manager configuration file. (optional)

Message IDIt is the request messageId of Synchronous services and Deferred Request services. (optional)
Relates ToRelatesTo is the messageId of original Deferred request message.(optional)

OPTION

DESCRIPTION

Search

Selecting the option triggers audit search based on the search parameters provided.

Audit search results table is displayed when audit records found.(See Fig 31).

If no search criteria entered, then all the available audit transactions will be displayed.

If no Audit transaction rows are returned, the user is presented with a message ' Audit Records not Found'

Reset

Selecting this option removes all the data that has been entered on the screen so that the search fields can be entered in again.


Audit Search Results

Audit Search Results

COLUMN

DESCRIPTION

DateDate and time when the audit transaction performed.
ServiceService name of the NwHIN transaction. (Ex: PD,PDDefReq,PDDefResp,QD,RD,DS,DSDefReq,DSDefResp,AD,X12RealTime..)

Org Name

Name of the organization that performed the audit transaction. The value locates from Exchange Manager Configuration under "businessEntity>name"

Requester

User that initiated the transaction.

Direction

Audit direction related to that particular transaction. (Ex: Inbound, Outbound)

Message IDRequest messageId of Synchronous services and Deferred Request services.
Relates ToRelatesTo is the messageId of original Deferred request message.

OPTION

DESCRIPTION

View XML

Selecting the option opens up a child modal window that displays audit blob message xml details associated with the transaction.(Fig 32).

For Audit Blob xml message, a style sheet is used to show the details in html format.

View Audit Message XML details:


Failure Logging

The failure logging screen allows user to search for a failure event in a service workflow. The user may then view the details of a given error event to learn more about the cause of the service failure.


Failure Logging Screen

FIELD

DESCRIPTION

Services (optional)

The service to filter results by

Exception (optional)

The exception type that was thrown by the service

Start Time (optional)

filter events that are on or after Start Time

End Time (optional)

filter events that are on or before End Time

OPTION

DESCRIPTION

Search

Search based on the Options parameter or return all the exceptions from events if no filter is provided.

Search results table is displayed when event record found.

If no event records are returned, the user is presented with a message '0 event records found.'

Reset

Clears the search parameters.


Failure Logging – Search Results

COLUMN

DESCRIPTION

DateDate and time of when the exception was caught.
ServiceService name of the NwHIN transaction. 

Version

Service Version (If provided by the service, otherwise "N/A")

Exception

The java exception that was thrown

OPTION

DESCRIPTION

View

View full detail description of the error event.


Error Event – full technical details

This view will show various details about the Error Event, such as the time in which the exception was caught, the exception message, the class and method that the failure occurred in, as well as the exception thrown accompanied by the full stack trace.

  • No labels