Admin GUI User Manual

Version# | Date | Modified By | Description of Modification
1.0 | 06/20/2017 | Sovann Huynh | Converted from a design document into a full user manual
1.1 | 1/4/2018 | Tabassum Jafri | Added Exchange Manager GUI
2.0 | 02/01/2018 | Sovann Huynh | Added Certificate Manager and Test Data Loader, deprecated Connection Manager
2.1 | 10/22/2018 | Tabassum Jafri | Added Internal Endpoints properties section.
2.2 | 11/02/2018 | Tabassum Jafri | Updated User Accounts and Cross-Gateway Query Client section.
2.3 | 04/09/2019 | Eric McDonald | Text corrections on Import Wizard.

Overview

The Admin GUI allows CONNECT administrators to monitor gateway statistics, test the gateway implementation and manage users and gateway configurations. This graphical administrative console includes the following:

  • Controlled user access

  • Basic system overview

  • User accounts management

  • Certificate management

  • Connectivity testing

  • Property files management

  • Gateway to gateway messaging

  • Direct service configuration*

* CONNECT leverages the Direct configuration module from the ONC-sponsored JAVA Direct Reference Implementation (RI) v 3.01.

Important note regarding UDDIConnectionInfo.xml and internalConnectionInfo.xml

As of CONNECT 5.1, both files have been replaced with the more versatile exchangeInfo.xml and internalExchangeInfo.xml files. For users of CONNECT 5.0 and earlier versions, substitute references to these new files with the original uddiConnectionInfo.xml and internalConnectionInfo.xml files.

Login

User names are not case-sensitive, but passwords are case-sensitive. A default admin user is created during initial deployment.

Logging in for the first time?

When the Admin GUI is first deployed, log in as ConnectAdmin using the password password. Be sure to change this password immediately after logging in for the first time.


Gateway Administrative Console - Login 

Session duration

The default session timeout is 10 minutes, configured in the session-config property in web.xml. This can be changed to suit implementation needs.

Gateway Status 

This is the dashboard view since CONNECT 5.1.

The Gateway Status page provides an overview of the gateway health. It includes two tabs, Dashboard and Remote Gateway List, and is used by gateway administrators to monitor gateway configurations.

Gateway Dashboard

The dashboard provides a view of gateway/system specifications.

Gateway Status

Gateway status parameters

Parameter | Description
Operating system | Operating System that CONNECT software is running on
Total Inbound messages | The total number of messages received by the gateway
Total Outbound messages | The total number of messages sent by the gateway
Memory used | Memory utilized by the gateway instance.
Java Version | Java version CONNECT is running on
Application server | Application server/version that CONNECT is running on.

Alerts and notifications

The dashboard also provides important system alerts and notifications. Currently, only digital certificate status updates are included.

Remote Gateway List (Deprecated as of CONNECT 5.1)

The Remote Gateway page lists all the gateways that the CONNECT instance has been communicating with and displays the total transaction count by service. 

Gateway Status - Remote Gateway

Remote Gateway List Display parameters

FIELD | DESCRIPTION
Gateway | Remote gateway name as defined in the Exchange Manager.
Count by service | Total gateway transaction count (inbound or outbound for any service) for a given remote gateway, broken down by service as listed below.

  • PD

    • Synchronous PD – Displays total number of incoming PD and outgoing PD transactions (Incoming synchronous PD requests from remote gateway + Outgoing synchronous PD requests to the remote gateway)

    • If gateway supports Deferred transactions, i.e. for Deferred PD – Displays total number of incoming PD deferred requests and outgoing PD deferred requests (Incoming deferred PD requests from remote gateway + Outgoing deferred PD requests to the remote gateway + Incoming deferred PD responses from remote gateway + Outgoing deferred PD responses to the remote gateway)

  • QD

    • Synchronous only – Displays total number of incoming QD and outgoing QD transactions (Incoming synchronous QD requests from remote gateway + Outgoing synchronous QD requests to the remote gateway)

  • RD

    • Synchronous only – Displays total number of incoming RD and outgoing RD transactions (Incoming synchronous RD requests from remote gateway + Outgoing synchronous RD requests to the remote gateway)

  • DS

    • Synchronous DS – Displays total number of incoming DS and outgoing DS transactions (Incoming synchronous DS requests from remote gateway + Outgoing synchronous DS requests to the remote gateway)

    • If gateway supports Deferred transactions, i.e. for Deferred DS – Displays total number of incoming DS deferred requests and outgoing DS deferred requests (Incoming deferred DS requests from remote gateway + Outgoing deferred DS requests to the remote gateway + Incoming deferred DS responses from remote gateway + Outgoing deferred DS responses to the remote gateway)

  • AD

    • Synchronous only – Displays total number of incoming AD and outgoing AD transactions (Incoming synchronous AD requests from remote gateway + Outgoing synchronous AD requests to the remote gateway)

  • Direct

    • Displays total number of incoming Direct and outgoing Direct transactions (Incoming Direct messages from any remote sender + Outgoing Direct messages to any remote recipient)

Account Management

Access to functionality within the Admin GUI is role-driven. Each user is assigned a role that determines access to pages, and hence to functions, within the Admin GUI. Every role needs to be configured with privileges for each page, i.e., no access or view/edit access. Implementers should use roles to limit access to certain features to specific users. For example, a user with the Admin role can access the Account Management->Create user page and create other users, but a user created with the 'User' role should not have such privileges.

User Accounts

Selecting the default User Accounts tab under Accounts Management displays the User Accounts, Create User Page to create a user and Manage User page to delete users. 

Account Management - User Accounts

With CONNECT 5.2 and later, the User Accounts screen has 4 new mandatory fields: First name, Middle name or Initial, Last name and Transaction Role. These fields are used to generate the SAML assertion for the Cross-Gateway Query client.

Manage Roles

Managing roles allows an admin to set access privileges for each user role. For each configured role, the access level (No access, Read only or Read Write) can be set per page of functionality.

Account Management - Manage Roles Screen

Future releases will allow creating new roles. The default access is defined below and can be changed through the Manage User Roles screen.

Default page level access

Role | Account Management | Direct Config | Audit Search | Connection Management | Universal Client | CONNECT Properties | FHIR Resources
Admin | Read Write | Read Write | Read Write | Read Write | Read Write | Read Write | Read Write
Super User | No Access | Read Write | Read Write | Read Write | Read Write | Read Write | Read Write
User | No Access | Read Write | Read Write | Read Write | Read Write | Read Write | Read Write

Manage User Roles screen fields

FIELD | DESCRIPTION
Edit Page Level Access | Select the role that is being configured (Current options: ADMIN, SUPER USER, USER)
Page Name | Pages are listed to configure the access rights by role for each page: Account Management, Direct Configuration
Page Level Access | No access, Read only, Read Write

Currently, Read only and Read Write function in the same way, i.e., both have the same access (read/write). This will be refined in future iterations.

Certificate Management

The Certificate Management interface simplifies the process of creating new certificates and managing self-signed and CA-issued SSL certificates within the KeyStore and TrustStore. It is divided into three tabs: Manage KeyStore, Manage TrustStore and Import Wizard.

Manage KeyStore

Selecting the default Manage KeyStore tab under Certificate Management displays the Manage KeyStore page, which shows the list of available KeyStores from the CONNECT configuration. For security purposes, users can only view certificates from the KeyStore list.

Certificate Management - Manage KeyStore page

Certificate Management - Manage KeyStore -  View Certificate Details page

Manage TrustStore

The Manage TrustStore page shows the list of available TrustStores from the CONNECT configuration. Users are allowed to import new certificates into the TrustStore and to edit or delete existing certificates in the TrustStore.

Certificate Management - Manage TrustStore page

Certificate Management - Manage KeyStore -  Import Certificate page

From the Manage TrustStore tab, click Import. In the Import child window, click Choose and browse to the desired certificate. Be sure to click Upload, change the Alias name for the newly uploaded certificate, and click Import to complete the import process.

Certificate Management - Manage TrustStore -  Delete Certificate

To delete a certificate from the TrustStore, select the certificate and click Delete. The certificate is deleted once the password has been provided. Note that Certificate Manager will not allow deletion of its own public certificate.

Certificate Management - Manage TrustStore -  View and edit Certificate

Select a certificate from the list and click View. In the View Certificate Details window, the user is allowed to edit only the Alias name; click Update Certificate for the changes to take effect.

Certificate Management - Manage TrustStore -  Refresh certificates

The TrustStore list can be refreshed after certificate changes have been made, without a server restart. Click the Refresh button to enable the updates.

Certificate Management - Manage TrustStore -  View Chain of Trust 

View Chain of Trust shows the associated chained certificates. Select a record and click View Chain of Trust to view the certificate chain.

Import Wizard

When replacing the self-signed certificates with the CA certificates imported using the Import Wizard, the user must exercise caution and verify, before replacing, that the root, intermediate(s) and leaf certificates have all been imported.

The Import Wizard interface partly automates the process of creating a new certificate and importing CA certificates into the CONNECT configuration. It is divided into five tabs: Start, Create Certificate, Certificate Signing Request, CA Providers and Import SSL Certificate. The Import Wizard functions as follows:

  • Allows the user to create a new certificate

  • Allows the user to create a Certificate Signing Request (CSR/PKCS10)

  • The user must manually submit the CSR to their Certificate Authority (CA) to get a trusted certificate for their server

  • Allows the user to import the server certificate (CSR Reply) and CA certificates (chain of trust)

  • Creates a backup of the KeyStore and TrustStore under CONNECT configuration //importWizard/temp

  • Creates a new KeyStore and TrustStore for replacement under CONNECT configuration //importWizard/new

  • After successful completion of the Import Wizard process, the user must manually:

    • Replace the CONNECT server configuration KeyStore and TrustStore with the files under //importWizard/new

    • Restart the server

    • Verify that the AdminGUI functionality works and that Manage KeyStore and Manage TrustStore list the new certificate

Cancel Info

After receiving the CSR Reply (real server certificate), do not use the Cancel button (on New Certificates). This action will delete the temporary copy and remove the PrivateKey associated with the new certificate.

Start Tab

There are three links in the Import Wizard that the user can start:

  • Create a new Certificate.

  • Generate CSR for an existing Certificate 

  • Import SSL Certificate 

Create Certificate Page

Field | Detail
Required Fields | Alias; CN (Common Name or Entrust Reference Number); OU (Organizational Unit Name); O (Organization Name); C (Country Name)
Certificate Type | X509 certificate. Subject: CN, OU, O, C
Exchange | Pre-configured value from caauthority.properties. Selecting an Exchange prepopulates OU, O, C
Alias | User can enter a new alias or select an existing alias
CN (Reference Number) | Reference Number for new certificate
OU (Organizational Unit Name) | Organizational Unit Name representation for new certificate
O (Organization Name) | Organization Name representation for new certificate
C (Country Name) | Country Name representation for new certificate

Action | Detail
Create | 1. Copy the KeyStore to a temporary file. 2. Create a new certificate with the given alias
Cancel | Cleans up the temporary files generated by the Import Wizard
Next | Moves to the next step in the Import Wizard process

Certificate Signing Request (PKCS10) Page

  • Select the Alias to generate CSR.

  • Generate Certificate Signing Request (CSR) PKCS10

  • Copy the CSR Text or Download the CSR File

  • Submit your CSR to CA Authority

Field | Detail
CSR Type | Certificate Signing Request type. The Import Wizard creates the PKCS10 format
Alias | Selected alias used to generate CSR text
CSR Text | Once the selected CSR is created, the Copy and Download buttons are enabled
Next | After Copy or Download, the Next button is enabled

Action | Detail
Alias | Select Alias to generate CSR text
Copy | This button sends the CSR Text to the clipboard; the CSR can be pasted into a text file or text field.
Download | This button opens a file screen so that the user can download the file as text: alias_yyyyMMdd.csr
Cancel | Cleans up the temporary files generated by the Import Wizard.
Next | Moves to the next step in the Import Wizard.

Verify CSR

There are several ways to verify your CSR:  

  • CSR Decoder

  • openssl

  • Keytool or keystore explorer

Verify CSR details as below: Signature Algorithm: SHA256withRSA, Public Key: RSA(2,048 bits)
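
One way to do the openssl check listed above, as an added example that is not part of the CONNECT manual. The function names check_csr and make_sample_csr and the sample subject values are constructed for this illustration; the script confirms the CSR's self-signature, the sha256WithRSAEncryption signature algorithm and the 2048-bit RSA key.

```sh
#!/bin/sh
# Added example, not part of the CONNECT manual: check a PKCS#10 CSR with openssl.
# check_csr and make_sample_csr are names chosen for this example.

# check_csr FILE: succeed only if the CSR's self-signature verifies and it uses
# SHA256withRSA with a 2048-bit RSA key, the values the manual says to expect.
check_csr() {
    # -verify checks that the request was signed by the private key matching
    # the public key it carries; -text decodes the fields inspected below.
    text=$(openssl req -in "$1" -noout -text -verify 2>&1) || {
        echo "FAIL: unreadable request or bad self-signature"; return 1; }
    rc=0
    has() { printf '%s\n' "$text" | grep -q "$1"; }
    has 'verify OK' || { echo "FAIL: self-signature did not verify"; rc=1; }
    has 'Signature Algorithm: sha256WithRSAEncryption' ||
        { echo "FAIL: signature algorithm is not SHA256withRSA"; rc=1; }
    has 'Public Key Algorithm: rsaEncryption' ||
        { echo "FAIL: public key is not RSA"; rc=1; }
    has 'Public-Key: (2048 bit)' ||
        { echo "FAIL: RSA key is not 2048 bits"; rc=1; }
    if [ "$rc" -eq 0 ]; then
        echo "OK: $(printf '%s\n' "$text" | grep 'Subject:' | sed 's/^ *//')"
    fi
    return "$rc"
}

# make_sample_csr OUT DIGEST: constructed CSR with a throwaway key, demo only
make_sample_csr() {
    openssl req -new -newkey rsa:2048 -nodes "-$2" \
        -subj '/C=US/O=Example Org/OU=Example Unit/CN=gateway.example.org' \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

tmp=$(mktemp -d)
make_sample_csr "$tmp/good.csr" sha256     # matches the manual's expected values
make_sample_csr "$tmp/sha512.csr" sha512   # valid CSR, but a different digest
check_csr "$tmp/good.csr"
check_csr "$tmp/sha512.csr" || echo "(rejected as expected)"
```

Run check_csr on the alias_yyyyMMdd.csr file downloaded from the wizard before submitting it to the CA, and confirm the printed Subject carries the intended CN, OU, O and C.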

CA Providers Page

  • Each exchange may have different CA Authority/Provider

  • The link(s) provided in the Available CA Providers tab are pulled from the caauthority.properties file.

  • The links will point to information needed to get a server certificate from CA Authority.

  • Your server certificate (CSR Reply) must be issued by the CA Authority: CA Root and CA Intermediate(s) must be part of chain of trust in your certificate

Getting CSR Reply (server certificate)

Getting your server certificate is a manual process with your CA Authority. At this point you should have:

  • Created self-signed certificate (X509)

  • Created certificate signing request (CSR/PKCS10)

You will need to submit your CSR to your CA Authority to get the CSR reply (X509/your server certificate).

You need to view your server certificate with Keystore Explorer or Keytool.

View Certificate | Detail on Export to File
Under Firefox you will see Certificate Hierarchy. CA Root: GlobalSign Root CA - R2. CA Intermediate: Google Internet Authority G3 | Select: CA Root > Click: export. Select: CA Intermediate(s) > Click: export
Under Google Chrome you will see Certificate Path. CA Root: GlobalSign Root CA - R2. CA Intermediate: Google Internet Authority G3 | Select: CA Root > Click: View Certificate, then Go to: Details > Click: Copy to File. Select: CA Intermediate(s) > Click: View Certificate, then Go to: Details > Click: Copy to File