NIST collaboration and testing CONNECT 4.5
Overview
The CONNECT team has collaborated with the NIST team on testing and validating SOAP-based transport for XDR Document Submission and Direct using NIST's Transport Testing Tool (TTT). This is part of an ongoing effort to ensure that the CONNECT product meets the compliance requirements tested by various certification bodies, including NIST.
Important
The NIST TTT used for this testing is no longer available. The NIST ETT may be used instead, but this document still refers to the NIST TTT. The source for the TTT may be found here.
CONNECT 4.5 Release Testing with NIST TTT
- Latest version tested: CONNECT 4.5 RC1
- XDR Send from the TTT to the CONNECT SUT executed successfully with no errors. Document Submission from the CONNECT SUT to the TTT uncovered a possible specification compliance issue, documented in CONN-1532. Ongoing discussions will determine whether changes need to be made to the way CONNECT prepends hl7 to the purposeOfUse attributes post 4.4 release. All tests were executed on 06/17/2015.
- Direct testing with the NIST TTT was successful with both the SUT and the TTT as recipient. Direct Message Validation Reports are attached to this page (executed on 06/19/2015).
NIST Edge Testing Tool (https://ttpedge.sitenv.org/ttp/#/home)
As of CONNECT release 4.5, ETT testing is available only for the following:
- XDR Document Submission
- DIRECT
SUT Setup
Set up trust store and key store
- Download the NIST keystore from http://sourceforge.net/projects/iheos/files/SOAP_TEST.zip/download
- Copy the NIST keystore into the key store directory (see CONNECT Properties)
- Export the NIST certificate from keystore as nist.cer
keytool -export -rfc -alias gateway -file nist.cer -keystore keystore -keypass changeit -storepass changeit
- Import the NIST certificate into cacerts.jks
keytool -import -v -noprompt -trustcacerts -alias HOST1 -file nist.cer -keystore cacerts.jks -storepass changeit
- If the HOST1 alias already exists in cacerts.jks, delete it first and then import the NIST certificate:
keytool -delete -alias HOST1 -keystore cacerts.jks -storepass changeit
keytool -import -v -noprompt -trustcacerts -alias HOST1 -file nist.cer -keystore cacerts.jks -storepass changeit
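The keystore steps above as a re-runnable script. This is an added example, not code from the CONNECT project or the NIST tooling; it assumes keytool on the PATH and uses the page's own file names (keystore, nist.cer, cacerts.jks), aliases (gateway, HOST1) and the changeit password as defaults, each overridable through the environment.

```shell
#!/bin/sh
# Added example, not part of the CONNECT project or the NIST tooling: the
# keystore steps as re-runnable functions. Defaults are the page's own file
# names, aliases and "changeit" passwords; override them via the environment.
set -eu

NIST_KEYSTORE="${NIST_KEYSTORE:-keystore}"   # keystore unpacked from SOAP_TEST.zip
NIST_ALIAS="${NIST_ALIAS:-gateway}"
CERT_FILE="${CERT_FILE:-nist.cer}"
TRUSTSTORE="${TRUSTSTORE:-cacerts.jks}"
TRUST_ALIAS="${TRUST_ALIAS:-HOST1}"
STOREPASS="${STOREPASS:-changeit}"

# True when the alias exists in the store; keytool -list exits non-zero otherwise.
alias_exists() {    # store alias
    keytool -list -alias "$2" -keystore "$1" -storepass "$STOREPASS" >/dev/null 2>&1
}

# Export the NIST gateway certificate in PEM form (the page's -rfc export).
export_nist_cert() {
    keytool -export -rfc -alias "$NIST_ALIAS" -file "$CERT_FILE" \
        -keystore "$NIST_KEYSTORE" -storepass "$STOREPASS"
}

# Replace whatever sits under TRUST_ALIAS with the exported certificate. The page
# deletes the old HOST1 entry only when it exists; the check makes that automatic
# and keeps the script safe to run more than once.
import_nist_cert() {
    if alias_exists "$TRUSTSTORE" "$TRUST_ALIAS"; then
        keytool -delete -alias "$TRUST_ALIAS" -keystore "$TRUSTSTORE" -storepass "$STOREPASS"
    fi
    keytool -import -v -noprompt -trustcacerts -alias "$TRUST_ALIAS" -file "$CERT_FILE" \
        -keystore "$TRUSTSTORE" -storepass "$STOREPASS"
}

# Fingerprint of the trusted entry, to compare with the NIST keystore's own
# listing before the application server is restarted.
truststore_fingerprint() {
    keytool -list -alias "$TRUST_ALIAS" -keystore "$TRUSTSTORE" -storepass "$STOREPASS" \
        | sed -n 's/^Certificate fingerprint ([^)]*): //p'
}

# Run the whole sequence only when asked ("sh nist-trust.sh run"), so the
# functions can also be sourced into another script.
if [ "${1:-}" = run ]; then
    export_nist_cert
    import_nist_cert
    echo "trusted $TRUST_ALIAS fingerprint: $(truststore_fingerprint)"
fi
```

Run it from the key store directory with the argument run; compare the printed fingerprint against the gateway entry in the NIST keystore before restarting the server.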
Configure Direct
- Import the direct.connectopensource.org mail certificate into cacerts.jks (the TTT is not set up to communicate with direct.connectopensource.net)
- If configdb is not already set up for Direct testing, run PopulateConfigDB-CERTS-anchors.sql
- Download the NIST trust anchor at http://transport-testing.nist.gov/ttt/pubcert/nist.gov.der
- Using AdminGUI, add the trust anchor to the Direct domain
Configure CONNECT to use the NIST keystore
Set the NIST keystore as the new key store:
-Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/config/keystore
Set the SSL port to 443:
<network-listener port="443" protocol="http-listener-2" transport="tcp" name="http-listener-2" thread-pool="http-thread-pool"></network-listener>
Replace org.apache.ws.security.crypto.merlin.file=gateway.jks with:
org.apache.ws.security.crypto.merlin.file=keystore
Replace adapterpolicyengineorchestratorsamljava with adapterpolicyengineorchestratorjava:
<!-- Beans defined : Adapter Policy Engine Orchestrator --> <alias alias="adapterpolicyengineorchestrator" name="adapterpolicyengineorchestratorjava" />
Restart the application server!
XDR Testing
Set up TTT to send XDR to SUT and send XDR
Provide NIST team with SUT endpoints:
- XDR Send = Document Submission: https://<Hostname or IP address>:443/Gateway/DocumentSubmission/2_0/DocumentRepositoryXDR_Service
Send request from TTT to SUT
- Browse to http://transport-testing.nist.gov/ttt/
- Click on XDR Send
- In Environment dropdown, select SOAP_TEST
- Enter local patient ID
- In Select Test Data Set, select anything that has full metadata
- In SAML dropdown, select NHIN SAML
- Check the TLS box
- For Document Recipient, choose the Actor
- Click Run
- Click Inspect Results for detailed test results.
Set up TTT to accept XDR from SUT
Define an Actor Simulator:
- On the Home panel, select “Simulator Control” in the “Simulators” column
- In the Environment dropdown, select SOAP_TEST
- Select “Document Recipient” from the Actor Type pull-down menu.
- Click “Create Actor Simulator”
- Copy the endpoint displayed as “PnR TLS endpoint”; this is the TLS endpoint. DO NOT USE the PnR endpoint above it, as it is non-TLS. Note/copy the TLS endpoint displayed on the page; it must be entered in uddiConnectionInfo_g1.xml. The endpoint looks like https://ttt.transport-testing.org:8443/ttt/sim/e6bb0458-ee24-42dc-a003-cb28683e3cd2/rec/xdrpr, where the UUID path segment (e6bb0458-ee24-42dc-a003-cb28683e3cd2 in this example) is the simulator actor data and changes for each simulator actor you create.
- Select the Expected C-CDA Type from the list for the document you will send to the TTT; this routes the C-CDA to the appropriate validator. This endpoint will always be associated with this C-CDA type, so create an endpoint for each C-CDA type you will send. For XDR content, select Non-CCDA content (no validation) as the Expected CCDA Type.
- Enter in the “Name” field the Name you wish to give this connection and save it.
- Click “Save”; this creates a new simulator under the name you entered above. You can create several connections here; give each a different name to reference later. These names can be used for filtering on the simulator control messages page.
- To leave the “Sim Control” menu up, click “Home”
Set up SUT to submit a document to TTT
- In validation suite uddiConnectionInfo_g1.xml, for the 2.2 gateway, change the Document Submission endpoint https://<Host Name or IP Address>:8181/Gateway/DocumentSubmission/2_0/DocumentRepositoryXDR_Service to the NIST TLS endpoint created above.
- In validation suite internalConnectionInfo_g1.xml, replace every occurrence of port 8181 with 443.
- In validation suite - g1 - Document Submission test case request, blank out the content of the <urn1:resource> tag.
- In validation suite - g1 - Document Submission test case request, change the Association type value of the <urn4:Association> tag to "urn:oasis:names:tc:ebxml-regrep:AssociationType:HasMember".
- In validation suite - g1 - Document Submission test case request, provide a valid urn:oid value for the AccessConsentPolicy tag, such as urn:oid:1.2.3.4.
- In validation suite - g1 - Document Submission test case request, provide a valid urn:oid value for the instanceAccessConsentPolicy tag, such as urn:oid:1.2.3.4.123456789.
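The endpoint edits above (Document Submission pointed at the TTT TLS simulator endpoint, every other endpoint moved from port 8181 to 443) as a script, together with the check a reviewer would want: the non-TLS PnR endpoint is refused, and the finished file is verified to contain only https endpoints on the expected port. This is an added example, not code from the CONNECT project or NIST. The sample file it writes is a constructed, cut-down stand-in for the real UDDI connection-info file, the simulator UUID is a placeholder, and the replacement works line by line on the <accessPoint> elements, which is how the page's text edits are done by hand.

```shell
#!/bin/sh
# Added example, not part of the CONNECT project or the NIST tooling: scripts the
# edits the page describes for uddiConnectionInfo_g1.xml and internalConnectionInfo_g1.xml,
# then checks that no endpoint is left on plain HTTP or on the old port.
# Works line by line on <accessPoint> elements, assumed to sit one per line.
set -eu

# Print every accessPoint URL in a connection-info file, one per line.
list_endpoints() {    # file
    sed -n 's/.*<accessPoint[^>]*>\([^<]*\)<\/accessPoint>.*/\1/p' "$1"
}

# Move every endpoint from one port to another (the page's "8181 -> 443" step);
# matches the port only where it is followed by the path's leading slash.
replace_port() {    # file old_port new_port
    tmp="$1.tmp.$$"
    sed "s|:$2/|:$3/|g" "$1" > "$tmp" && mv "$tmp" "$1"
}

# Point one service at a new URL, e.g. Document Submission at the TTT simulator.
# Only https is accepted, which rejects the non-TLS PnR endpoint the simulator
# page lists directly above the TLS one. awk's index()/substr() do a literal
# replacement, so the URLs need no regex escaping.
set_endpoint() {    # file old_url new_url
    case "$3" in
        https://*) ;;
        *) echo "refusing non-TLS endpoint: $3" >&2; return 1 ;;
    esac
    tmp="$1.tmp.$$"
    awk -v old="$2" -v new="$3" '{
        i = index($0, old)
        if (i) $0 = substr($0, 1, i - 1) new substr($0, i + length(old))
        print
    }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Fail unless every endpoint is https on the expected port; the only exception is
# the TTT simulator, which stays on NIST's host and port.
check_endpoints() {    # file expected_port
    list_endpoints "$1" | while IFS= read -r url; do
        case "$url" in
            https://ttt.transport-testing.org:*/ttt/sim/*) ;;
            https://*:"$2"/*) ;;
            *) echo "bad endpoint: $url" >&2; exit 1 ;;
        esac
    done
}

# Constructed sample (not the real CONNECT file, which is a full UDDI document).
write_sample() {    # file
    cat > "$1" <<'EOF'
<businessDetail xmlns="urn:uddi-org:api_v3">
  <accessPoint useType="endPoint">https://gateway.example:8181/Gateway/DocumentSubmission/2_0/DocumentRepositoryXDR_Service</accessPoint>
  <accessPoint useType="endPoint">https://gateway.example:8181/Gateway/PatientDiscovery/1_0/NhinService/NhinPatientDiscovery</accessPoint>
</businessDetail>
EOF
}

# Simulator endpoint in the form the TTT shows it; the UUID is a placeholder for
# the value assigned when the Actor Simulator is created.
TTT_TLS="https://ttt.transport-testing.org:8443/ttt/sim/00000000-0000-0000-0000-000000000000/rec/xdrpr"

# "sh endpoints.sh demo" runs the edits on the sample and lists the result.
if [ "${1:-}" = demo ]; then
    f=$(mktemp)
    write_sample "$f"
    set_endpoint "$f" "https://gateway.example:8181/Gateway/DocumentSubmission/2_0/DocumentRepositoryXDR_Service" "$TTT_TLS"
    replace_port "$f" 8181 443
    check_endpoints "$f" 443 && list_endpoints "$f"
    rm -f "$f"
fi
```

For the real files, call set_endpoint with the SUT's Document Submission URL and the TLS endpoint copied from the simulator page, replace_port 8181 443 on both uddiConnectionInfo_g1.xml and internalConnectionInfo_g1.xml, and finish with check_endpoints on each before running the SoapUI test.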
Submit a document from SUT to TTT
- In SoapUI, execute the g1 Document Submission test.
- Click on “Simulator Message View” in the NIST toolkit. Select the name from the drop down menu “Simulator”.
- When a message is selected from the messages list, the request and response messages and a detailed log are displayed. The response contains the validation errors and/or warnings detected by the tool. The log at the bottom of the page can be inspected for further insight into the tests performed.
Direct Testing
Register a Direct email address with the TTT
- In TTT Home under Direct, click Registration
- Contact Email Addr*: Email account that receives the validation reports; NOT the same as the Direct email address
- Click Load/Create Contact
- Direct (From) Email Addr*: Direct email account from where Direct messages will be sent to the TTT and to where the TTT will send Direct messages
- Click Add
Send Direct messages to SUT
- In TTT Home under Direct, click Send Direct Message
- Direct From Address: Enter "test" (mail will be sent from test@transport-testing.nist.gov)
- Direct To Address: Enter the Direct email created in Register steps above
- Choose the document to be sent as the message content: see the table below for the list of documents to send
- Message Format: Always select wrapped
- Signing Certificate: See table below for a list of Signing Certificates to use
- Encryption Certificate: Click Browse and select connectopensourceorg.der
- Click Submit
- In TTT Home under Direct, click View Direct Message Status
- Click Load without selecting a test session. The message must be identified by the time it was sent. Click Load again to refresh the message status.
- Verify the expected results approximately two minutes after the message was sent
- If an MDN is received by the TTT, check validation report sent from TTT to the contact email address specified in the Register section for any failures or errors
Document | Signing Certificate | Expected Result | Latest Test Results |
---|---|---|---|
CCDA_Inpatient_in_XDM | GOOD_CERT | MDN was received by the TTT (MDN Validation Status is MDN Received) Message Validation Report sent to contact email address | PASSED on 06/19/2015 |
CCDA_Inpatient | GOOD_CERT | MDN was received by the TTT (MDN Validation Status is MDN Received) Message Validation Report sent to contact email address | PASSED on 06/19/2015 |
CCDA_Inpatient_in_XDM | INVALID_CERT | No MDN was received by the TTT (MDN Validation Status stays at Waiting for MDN) No Message Validation Report generated | PASSED on 06/19/2015 |
CCDA_Inpatient | INVALID_CERT | No MDN was received by the TTT (MDN Validation Status stays at Waiting for MDN) No Message Validation Report generated | PASSED on 06/19/2015 No Message Validation Report |
CCDA_Inpatient_in_XDM | EXPIRED_CERT | No MDN was received by the TTT (MDN Validation Status stays at Waiting for MDN) No Message Validation Report generated | PASSED on 06/19/2015 No Message Validation Report |
CCDA_Inpatient | EXPIRED_CERT | No MDN was received by the TTT (MDN Validation Status stays at Waiting for MDN) No Message Validation Report generated | PASSED on 06/19/2015 No Message Validation Report |
CCDA_Inpatient_in_XDM | CERT_FROM_DIFFERENT_TRUST_ANCHOR | No MDN was received by the TTT (MDN Validation Status stays at Waiting for MDN) No Message Validation Report generated | PASSED on 06/19/2015 No Message Validation Report |
CCDA_Inpatient | CERT_FROM_DIFFERENT_TRUST_ANCHOR | No MDN was received by the TTT (MDN Validation Status stays at Waiting for MDN) No Message Validation Report generated | PASSED on 06/19/2015 No Message Validation Report |
Send DIRECT messages to TTT
- Send email to each NIST Direct email address in the table below (one at a time)
- Check validation report sent from TTT to the contact email address specified in the Register section for any failures or errors
CCDA_Inpatient.xml and CCDA_Inpatient_in_XDM.zip can both be downloaded from the shared drive in the \shared-folder\nist\4.4_release\documents directory
Direct (To) address | Document to attach | Expected Results | Latest Test Results |
---|---|---|---|
direct-inpatient@transport-testing.nist.gov | CCDA_Inpatient.xml (copy and paste contents of CCDA_Inpatient.xml directly into the email) | Automatic MDN from TTT is received by the Sending Edge and Validation report shows no failures or errors | PASSED on 06/19/2015 Message Validation Report |
direct-inpatient-xdm@transport-testing.nist.gov | CCDA_Inpatient_in_XDM.zip (attach the entire zip file to the email, leave the email message blank) | Automatic MDN from TTT is received by the Sending Edge and Validation report shows no failures or errors | PASSED on 06/19/2015 Message Validation Report |
ccda@transport-testing.nist.gov | None (Leave message blank) | Automatic MDN from TTT is received by the Sending Edge and Validation report shows no failures or errors | PASSED on 06/19/2015 |
ccda@transport-testing.nist.gov | CCDA_Inpatient.xml (copy and paste contents of CCDA_Inpatient.xml directly into the email) | Automatic MDN from TTT is received by the Sending Edge and Validation report shows no failures or errors | PASSED on 06/19/2015 |
Appendix A: Acronyms
ATL - Authorized Test Laboratories
CDA - Clinical Document Architecture
MDN - Multicast Domain Name System
MU - Meaningful Use
NHIO - National Health Insurance Office
NIST - National Institute of Standards and Technology
PnR - Provide and Register
SAML - Security Assertions Markup Language
SUT - System Under Test
TLS - Transport Level Security
TTT - Transport Testing Tool
Appendix B: Related Links
Transport Testing Tool User Guide
Transport Testing Tool Configuration (source)