NIST collaboration and testing CONNECT 4.5
Overview
The CONNECT team has collaborated with the NIST team on testing and validating SOAP-based transport for XDR Document Submission and Direct using NIST's Transport Testing Tool (TTT). This is part of an ongoing effort to ensure that the CONNECT product meets all compliance requirements that are being tested by various certification bodies, including NIST.
Important
The NIST TTT used for this test is no longer available; the NIST ETT may be used instead, but this document still references the NIST TTT. The source for the TTT may be found here.
CONNECT 4.5 Release Testing with NIST TTT
Latest version tested: CONNECT 4.5 RC1
XDR Send from the TTT to the CONNECT SUT resulted in successful execution with no errors. Document Submission from the CONNECT SUT to the TTT uncovered a possible specification compliance issue, documented in CONN-1532. Ongoing discussions will determine whether or not changes need to be made to the way CONNECT prepends "hl7" to the purposeOfUse attributes after the 4.4 release. All tests were executed on 06/17/2015.
Direct testing with the NIST TTT was successful with both the SUT and the TTT as recipient. Direct Message Validation Reports are attached to this page (executed on 06/19/2015).
NIST Edge Testing Tool (https://ttpedge.sitenv.org/ttp/#/home)
As of CONNECT release 4.5, ETT testing is available only for the following:
XDR Document Submission
DIRECT
SUT Setup
Set up trust store and key store
Download the NIST keystore from http://sourceforge.net/projects/iheos/files/SOAP_TEST.zip/download
Copy the NIST keystore into key store directory (CONNECT Properties)
Export the NIST certificate from keystore as nist.cer
keytool -export -rfc -alias gateway -file nist.cer -keystore keystore -keypass changeit -storepass changeit
Import the NIST certificate into cacerts.jks:
keytool -import -v -noprompt -trustcacerts -alias HOST1 -file nist.cer -keystore cacerts.jks -storepass changeit
If the certificate already exists in cacerts.jks, delete the HOST1 certificate and then import the NIST certificate:
keytool -delete -alias HOST1 -keystore cacerts.jks -storepass changeit
keytool -import -v -noprompt -trustcacerts -alias HOST1 -file nist.cer -keystore cacerts.jks -storepass changeit
Configure Direct
Import the direct.connectopensource.org mail certificate into cacerts.jks (TTT not set up to communicate with direct.connectopensource.net)
If configdb is not already set up for Direct testing, run PopulateConfigDB-CERTS-anchors.sql
Download the NIST trust anchor at http://transport-testing.nist.gov/ttt/pubcert/nist.gov.der
Using AdminGUI, add the trust anchor to the Direct domain
Configure CONNECT to use the NIST keystore
domain.xml
Set NIST keystore as the new key store:
-Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/config/keystore
Set SSL port to 443:
<network-listener port="443" protocol="http-listener-2" transport="tcp" name="http-listener-2" thread-pool="http-thread-pool"></network-listener>
signature.properties
Replace org.apache.ws.security.crypto.merlin.file=gateway.jks with:
org.apache.ws.security.crypto.merlin.file=keystore
PolicyEngineProxyConfig.xml
Replace adapterpolicyengineorchestratorsamljava with adapterpolicyengineorchestratorjava:
<!-- Beans defined : Adapter Policy Engine Orchestrator -->
<alias alias="adapterpolicyengineorchestrator" name="adapterpolicyengineorchestratorjava" />
Restart the application server!
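The keytool steps in "Set up trust store and key store" above are easy to get wrong when repeated (a stale HOST1 entry makes the import fail, and a missing -storepass turns a scripted run into an interactive prompt). The following is an added example, not CONNECT or NIST code, that scripts the same export and import idempotently: it checks whether alias HOST1 is already present in cacerts.jks and only then runs the delete step. The file names, aliases and passwords default to the values shown on this page; keytool is the JDK tool, called via subprocess. The `run` parameter exists so the command plan can be exercised without real keystores.

```python
"""Idempotent version of the keytool steps in "Set up trust store and key store".

Added example, not CONNECT or NIST code. Exports the 'gateway' entry from the
NIST keystore as nist.cer and imports it into cacerts.jks under alias HOST1,
deleting a stale HOST1 entry first only if one is present (the manual "if the
certificate already exists" step). Defaults are the names and passwords used
on this page; keytool is the JDK tool, invoked via subprocess.
"""
import subprocess
from typing import Callable, List

Command = List[str]


def alias_present(keystore: str, alias: str, storepass: str,
                  run: Callable = subprocess.run) -> bool:
    """keytool -list -alias exits 0 when the alias exists, non-zero otherwise."""
    result = run(["keytool", "-list", "-alias", alias, "-keystore", keystore,
                  "-storepass", storepass], capture_output=True, text=True)
    return result.returncode == 0


def plan(alias_exists: bool, cer: str = "nist.cer", src_keystore: str = "keystore",
         truststore: str = "cacerts.jks", src_alias: str = "gateway",
         dst_alias: str = "HOST1", storepass: str = "changeit") -> List[Command]:
    """Return the keytool invocations in order; the delete step is conditional."""
    cmds: List[Command] = [
        ["keytool", "-export", "-rfc", "-alias", src_alias, "-file", cer,
         "-keystore", src_keystore, "-storepass", storepass],
    ]
    if alias_exists:
        # Import would fail with "alias already exists", so remove it first.
        cmds.append(["keytool", "-delete", "-alias", dst_alias,
                     "-keystore", truststore, "-storepass", storepass])
    cmds.append(["keytool", "-import", "-v", "-noprompt", "-trustcacerts",
                 "-alias", dst_alias, "-file", cer,
                 "-keystore", truststore, "-storepass", storepass])
    return cmds


def install_nist_cert(run: Callable = subprocess.run, **kw) -> List[Command]:
    """Inspect the trust store, build the plan, execute it; returns what ran."""
    truststore = kw.get("truststore", "cacerts.jks")
    dst_alias = kw.get("dst_alias", "HOST1")
    storepass = kw.get("storepass", "changeit")
    cmds = plan(alias_present(truststore, dst_alias, storepass, run), **kw)
    for cmd in cmds:
        run(cmd, check=True)   # stop at the first failing keytool step
    return cmds


if __name__ == "__main__":
    for c in install_nist_cert():
        print(" ".join(c))
```

Run it from the CONNECT properties directory that holds both keystores; the printed command lines are the same ones listed in the manual steps, so they can be compared against the page before trusting the script on a live SUT.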
XDR Testing
Set up TTT to send XDR to SUT and send XDR
Provide NIST team with SUT endpoints:
XDR Send = Document Submission: https://<Hostname or IP address>:443/Gateway/DocumentSubmission/2_0/DocumentRepositoryXDR_Service
Send request from TTT to SUT
Browse to http://transport-testing.nist.gov/ttt/
Click on XDR Send
In Environment dropdown, select SOAP_TEST
Enter local patient ID
In Select Test Data Set, select anything that has full metadata
In SAML dropdown, select NHIN SAML
Check the TLS box
For Document Recipient, choose the Actor
Click Run
Click Inspect Results for detailed test results.
Set up TTT to accept XDR from SUT
Define an Actor Simulator:
On the Home panel, select the “Simulator Control” in the “Simulators” column
In the Environment dropdown, select SOAP_TEST
Select “Document Recipient” from the Actor Type pull-down menu.
Click “Create Actor Simulator”
Copy the endpoint displayed as “PnR TLS endpoint”; this is the TLS endpoint. DO NOT USE the PnR endpoint above it, as it is non-TLS. Note/copy the TLS endpoint displayed on the page; it must be entered in uddiConnectionInfo_g1.xml. The endpoint looks like https://ttt.transport-testing.org:8443/ttt/sim/e6bb0458-ee24-42dc-a003-cb28683e3cd2/rec/xdrpr, where the UUID segment (e6bb0458-ee24-42dc-a003-cb28683e3cd2 in this example) is the simulator actor identifier, which changes for each simulator actor you create.
Select the Expected C-CDA Type from the list that matches what you will send to the TTT; this routes the C-CDA to the appropriate validator. Each endpoint is permanently associated with one C-CDA type, so create an endpoint for each C-CDA type you will send. For XDR content, select Non-CCDA content (no validation) as the Expected CCDA Type.
Enter in the “Name” field the Name you wish to give this connection and save it.
Click “Save”; this creates a new simulator under the name you entered above. You can continue to create several connections here; give each a different name to reference later. These names can be used for filtering on the simulator control messages page.
To leave the “Sim Control” menu up, click “Home”
Set up SUT to submit a document to TTT
In validation suite uddiConnectionInfo_g1.xml, for the 2.2 gateway, change the Document Submission endpoint https://<Host Name or IP Address>:8181/Gateway/DocumentSubmission/2_0/DocumentRepositoryXDR_Service to the NIST TLS endpoint created above.
In validation suite internalConnectionInfo_g1.xml, replace all occurrences of port 8181 with 443.
In validation suite - g1 - Document Submission test case request, blank out the content for the <urn1:resource> tag.
In validation suite - g1 - Document Submission test case request, change the value of Association type for the <urn4:Association> tag to "urn:oasis:names:tc:ebxml-regrep:AssociationType:HasMember".
In validation suite - g1 - Document Submission test case request, provide a valid urn:oid value for AccessConsentPolicy tag like urn:oid:1.2.3.4.
In validation suite - g1 - Document Submission test case request, provide a valid urn:oid value for instanceAccessConsentPolicy tag like urn:oid:1.2.3.4.123456789.
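The edits in this section (TLS endpoint from the simulator, port 8181 to 443, valid urn:oid values) are all things that fail silently at test time if a value is mistyped or the non-TLS PnR endpoint is pasted by mistake. The following is an added example, not CONNECT or NIST code, of a pre-flight check for the validation-suite configuration. The XML inside it is a constructed, simplified stand-in for uddiConnectionInfo_g1.xml / internalConnectionInfo_g1.xml (the element and attribute names are assumptions, and the simulator id is a placeholder); the checks walk every attribute and text node for URLs, so they do not depend on the real schema.

```python
"""Pre-flight check for the SUT validation-suite configuration edited above.

Added example, not CONNECT or NIST code. SAMPLE_CONFIG is a constructed,
simplified stand-in for uddiConnectionInfo_g1.xml / internalConnectionInfo_g1.xml;
element names are assumptions and SIM-ID-PLACEHOLDER stands for the simulator id.
"""
import re
import xml.etree.ElementTree as ET
from typing import List
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
OID_URN_RE = re.compile(r"^urn:oid:\d+(\.\d+)+$")

SAMPLE_CONFIG = """<connections>
  <gateway id="2.2">
    <!-- the "PnR TLS endpoint" copied from the simulator page -->
    <endpoint service="DocumentSubmission"
      url="https://ttt.transport-testing.org:8443/ttt/sim/SIM-ID-PLACEHOLDER/rec/xdrpr"/>
    <!-- the non-TLS PnR endpoint shown above it, pasted by mistake -->
    <endpoint service="PnR"
      url="http://ttt.transport-testing.org:8080/ttt/sim/SIM-ID-PLACEHOLDER/rec/xdrpr"/>
    <!-- an internal endpoint still on the default 8181 port -->
    <endpoint service="PatientDiscovery"
      url="https://localhost:8181/Gateway/PatientDiscovery/1_0/NhinService/NhinPatientDiscovery"/>
  </gateway>
</connections>"""


def find_urls(xml_text: str) -> List[str]:
    """Collect every http(s) URL found in attribute values or element text."""
    root = ET.fromstring(xml_text)
    urls: List[str] = []
    for el in root.iter():
        for value in list(el.attrib.values()) + [el.text or ""]:
            urls.extend(URL_RE.findall(value))
    return urls


def endpoint_problems(xml_text: str, allowed_tls_ports=(443, 8443)) -> List[str]:
    """Report non-TLS endpoints and TLS endpoints on an unexpected port."""
    problems: List[str] = []
    for url in find_urls(xml_text):
        parts = urlsplit(url)
        if parts.scheme != "https":
            problems.append(f"non-TLS endpoint: {url}")
            continue
        port = parts.port or 443
        if port not in allowed_tls_ports:
            problems.append(f"unexpected port {port}: {url}")
    return problems


def rewrite_ports(xml_text: str, old: int = 8181, new: int = 443) -> str:
    """The 'replace all 8181 ports with 443' step, limited to host:port in URLs."""
    return re.sub(rf":{old}(?=/)", f":{new}", xml_text)


def is_valid_oid_urn(value: str) -> bool:
    """Accepts urn:oid:<arc>.<arc>... as required for the AccessConsentPolicy tags."""
    return OID_URN_RE.match(value) is not None


if __name__ == "__main__":
    for p in endpoint_problems(SAMPLE_CONFIG):
        print("before:", p)
    for p in endpoint_problems(rewrite_ports(SAMPLE_CONFIG)):
        print("after :", p)
    print(is_valid_oid_urn("urn:oid:1.2.3.4"), is_valid_oid_urn("urn:oid:1.2.3."))
```

Point `endpoint_problems` at the real uddiConnectionInfo_g1.xml and internalConnectionInfo_g1.xml after editing them; anything it reports as non-TLS would be rejected by the TTT simulator, and any remaining 8181 entry would bypass the 443 listener configured in domain.xml.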
Submit a document from SUT to TTT
In SoapUI, execute the g1 Document Submission test.
Click on “Simulator Message View” in the NIST toolkit. Select the name from the drop down menu “Simulator”.
When a message is selected from the messages list, the request and response messages and a detailed log are displayed. The response contains the validation errors and/or warnings detected by the tool. Additionally, the bottom part of the page contains a log that can be inspected for further insight into the tests performed.
Direct Testing
Register a Direct email address with the TTT
In TTT Home under Direct, click Registration
Contact Email Addr*: Email account to receive validation reports - NOT the same as Direct email address
Click Load/Create Contact
Direct (From) Email Addr*: Direct email account from where Direct messages will be sent to the TTT and to where the TTT will send Direct messages
Click Add
Send Direct messages to SUT
In TTT Home under Direct, click Send Direct Message
Direct From Address: Enter "test" (mail will be sent from test@transport-testing.nist.gov)
Direct To Address: Enter the Direct email created in Register steps above
Choose document to be sent as the message content: See table below for a list of documents to send
Message Format: Always select wrapped
Signing Certificate: See table below for a list of Signing Certificates to use
Encryption Certificate: Click Browse and select connectopensourceorg.der
Click Submit
In TTT Home under Direct, click View Direct Message Status
Click Load without selecting a test session. Message will need to be identified based on the time the message was sent. Click Load again to refresh the message status.
Verify the expected results approximately two minutes after the message was sent
If an MDN is received by the TTT, check validation report sent from TTT to the contact email address specified in the Register section for any failures or errors
| Document | Signing Certificate | Expected Result | Latest Test Results |
|---|---|---|---|
| CCDA_Inpatient_in_XDM | GOOD_CERT | MDN was received by the TTT (MDN Validation Status is MDN Received) | PASSED on 06/19/2015 |
| CCDA_Inpatient | GOOD_CERT | MDN was received by the TTT (MDN Validation Status is MDN Received) | PASSED on 06/19/2015 |
| CCDA_Inpatient_in_XDM | INVALID_CERT | No MDN was received by the TTT (MDN Validation Status stays at Waiting for MDN) | PASSED on 06/19/2015 |
| CCDA_Inpatient | INVALID_CERT | No MDN was received by the TTT (MDN Validation Status stays at Waiting for MDN) | PASSED on 06/19/2015 |
| CCDA_Inpatient_in_XDM | EXPIRED_CERT | No MDN was received by the TTT (MDN Validation Status stays at Waiting for MDN) | PASSED on 06/19/2015 |
| CCDA_Inpatient | EXPIRED_CERT | No MDN was received by the TTT (MDN Validation Status stays at Waiting for MDN) | PASSED on 06/19/2015 |
| CCDA_Inpatient_in_XDM | CERT_FROM_DIFFERENT_TRUST_ANCHOR | No MDN was received by the TTT (MDN Validation Status stays at Waiting for MDN) | PASSED on 06/19/2015 |
| CCDA_Inpatient | CERT_FROM_DIFFERENT_TRUST_ANCHOR | No MDN was received by the TTT (MDN Validation Status stays at Waiting for MDN) | PASSED on 06/19/2015 |
Send DIRECT messages to TTT
Send email to each NIST Direct email address in the table below (one at a time)
Check validation report sent from TTT to the contact email address specified in the Register section for any failures or errors
CCDA_Inpatient.xml and CCDA_Inpatient_in_XDM.zip can both be downloaded from the shared drive in the \shared-folder\nist\4.4_release\documents directory
| Direct (To) address | Document to attach | Expected Results | Latest Test Results |
|---|---|---|---|
| | CCDA_Inpatient.xml (copy and paste the contents of CCDA_Inpatient.xml directly into the email) | Automatic MDN from TTT is received by the Sending Edge and the Validation report shows no failures or errors | PASSED on 06/19/2015 |
| | CCDA_Inpatient_in_XDM.zip (attach the entire zip file to the email, leave the email message blank) | Automatic MDN from TTT is received by the Sending Edge and the Validation report shows no failures or errors | PASSED on 06/19/2015 |
| | None (leave message blank) | Automatic MDN from TTT is received by the Sending Edge and the Validation report shows no failures or errors | PASSED on 06/19/2015 |
| | CCDA_Inpatient.xml (copy and paste the contents of CCDA_Inpatient.xml directly into the email) | Automatic MDN from TTT is received by the Sending Edge and the Validation report shows no failures or errors | PASSED on 06/19/2015 |
Appendix A: Acronyms
ATL - Authorized Test Laboratories
CDA - Clinical Document Architecture
MDN - Message Disposition Notification
MU - Meaningful Use
NHIO - National Health Insurance Office
NIST - National Institute of Standards and Technology
PnR - Provide and Register
SAML - Security Assertions Markup Language
SUT - System Under Test
TLS - Transport Layer Security
TTT - Transport Testing Tool
Appendix B: Related Links
Transport Testing Tool User Guide
Transport Testing Tool Configuration (source)