The CONNECT team collaborated with the NIST team on testing and validating SOAP-based transport for Document Submission. This is part of an ongoing effort to ensure that the product meets all compliance requirements that are being tested by various certification bodies, including NIST. The team is tracking all ongoing work with the NIST team using the Epic story CONN-558. As new use cases for SOAP-based transport are introduced in the NIST testing tools, the team will continue to work with the NIST team to ensure and validate CONNECT's compliance.

Details on how NIST's Transport Testing Tool (TTT) was utilized and the tests performed can be found below:

NIST Transport Testing Tool (http://transport-testing.nist.gov/ttt/)

We are focusing only on the TTT for sending/receiving:

  • XDR Send
  • FindDocuments - Not available yet
  • GetDocuments - Not available yet
  • RetrieveDocument - Not available yet

Set up trust store and key store

  • Export the NIST certificate from the NIST-provided key store (file keystore, alias gateway):
keytool -export -rfc -alias gateway -file nist.cer -keystore keystore -keypass changeit -storepass changeit
  • Import the NIST certificate into cacerts.jks:
keytool -import -v -noprompt -trustcacerts -alias HOST1 -file nist.cer -keystore cacerts.jks -storepass changeit

If the certificate already exists in cacerts.jks, delete the certificate HOST1:

  • From the c:\glassfish3\glassfish\domains\domain1\config directory, run the command java -jar C:\app\portecle-1.7\portecle-1.7\portecle.jar
  • Open cacerts.jks file
  • Give the password (changeit)
  • Right click on HOST1 certificate and delete it.
  • Re-run the keytool -import command from the previous section.
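The export/import steps above as an added shell script (not CONNECT project or NIST tooling code). It follows the page's file names, aliases and the changeit password; the only differences are that a stale HOST1 entry is removed with keytool -delete instead of through the Portecle GUI, and that the import is confirmed by comparing the SHA-256 fingerprint of nist.cer with the fingerprint of the HOST1 entry in cacerts.jks, so a wrong or stale certificate in the trust store is caught before the app server is restarted.

```shell
#!/bin/sh
# Added example (not CONNECT project or NIST tooling code): the keytool steps
# above as an idempotent script. Paths, aliases and the "changeit" password
# follow the page; an existing HOST1 entry is removed with keytool -delete
# rather than through the Portecle GUI, and the import is checked by
# comparing SHA-256 fingerprints.
set -e

STOREPASS="${STOREPASS:-changeit}"

# Exit 0 if keystore $2 contains an entry under alias $1.
alias_exists() {
    keytool -list -alias "$1" -keystore "$2" -storepass "$STOREPASS" >/dev/null 2>&1
}

# Export the "gateway" certificate from the NIST keystore $1 as PEM file $2.
export_nist_cert() {
    keytool -export -rfc -alias gateway -file "$2" -keystore "$1" \
        -keypass "$STOREPASS" -storepass "$STOREPASS"
}

# Import PEM file $1 into trust store $2 as HOST1, replacing a stale entry.
# keytool refuses to overwrite an existing alias, which is why the page
# has you delete HOST1 first; here that is done on the command line.
import_trusted_cert() {
    if alias_exists HOST1 "$2"; then
        keytool -delete -alias HOST1 -keystore "$2" -storepass "$STOREPASS"
    fi
    keytool -import -v -noprompt -trustcacerts -alias HOST1 -file "$1" \
        -keystore "$2" -storepass "$STOREPASS"
}

# First SHA-256 fingerprint (95 chars: 64 hex digits and 31 colons) on stdin.
sha256_fingerprint() {
    grep -o '[0-9A-Fa-f:]\{95\}' | head -n 1 | tr 'a-f' 'A-F'
}

# Exit 0 if the HOST1 entry in trust store $2 is exactly the certificate in
# file $1 (fingerprints compared, not just alias presence).
verify_trust_entry() {
    want=$(keytool -printcert -file "$1" | sha256_fingerprint)
    have=$(keytool -list -v -alias HOST1 -keystore "$2" -storepass "$STOREPASS" \
           | sha256_fingerprint)
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# Whole procedure: main <nist-keystore> <cacerts.jks>
main() {
    export_nist_cert "$1" nist.cer
    import_trusted_cert nist.cer "$2"
    verify_trust_entry nist.cer "$2" && echo "HOST1 entry matches nist.cer"
}

if [ "$#" -ge 2 ]; then
    main "$@"
fi
```

Run it from the domain config directory as `sh nist_trust.sh keystore cacerts.jks`; a non-zero exit from the final check means the HOST1 entry does not match the certificate that was just exported, which is the case the manual Portecle step exists to prevent.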

Update C:\glassfish3\glassfish\domains\domain1\config\domain.xml to accept NIST keystore as the new key store

Replace -Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/config/gateway.jks with:
-Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/config/keystore

Update the SSL port in C:\glassfish3\glassfish\domains\domain1\config\domain.xml

Replace <network-listener port="8181" protocol="http-listener-2" transport="tcp" name="http-listener-2" thread-pool="http-thread-pool"></network-listener> with:
<network-listener port="443" protocol="http-listener-2" transport="tcp" name="http-listener-2" thread-pool="http-thread-pool"></network-listener>

Update C:\glassfish3\glassfish\domains\domain1\config\nhin\signature.properties to accept NIST keystore as the new key store

Replace org.apache.ws.security.crypto.merlin.file=gateway.jks with:
org.apache.ws.security.crypto.merlin.file=keystore

Change the orchestrator from SAML to JAVA implementation in the PolicyEngineProxyConfig.xml file under nhin directory.

Replace adapterpolicyengineorchestratorsamljava with:
adapterpolicyengineorchestratorjava

Restart app server

Set up TTT to send messages to SUT

Provide NIST team with SUT endpoints:

  • XDR Send = Document Submission: https://<Hostname or IP address>:443/Gateway/DocumentSubmission/2_0/DocumentRepositoryXDR_Service

Send request from TTT to SUT

  1. Browse to http://ttt.transparenthealth.org/ttt/
  2. Click on XDR Send
  3. In Environment dropdown, select SOAP_TEST
  4. Enter local patient ID
  5. In Select Test Data Set, select anything that has full metadata
  6. In SAML dropdown, select NHIN SAML
  7. Check the TLS box
  8. For Document Recipient, choose the Actor
  9. Click Run
  10. Click Inspect Results for detailed test results.

Set up TTT to accept messages from SUT

Define an Actor Simulator:

  1. On the Home panel, select the “Simulator Control” in the “Simulators” column
  2. In the Environment dropdown, select SOAP_TEST
  3. Select “Document Recipient” from the Actor Type pull-down menu.
  4. Click “Create Actor Simulator”
  5. Copy the endpoint displayed under “PnR TLS endpoint”. This is the TLS endpoint; DO NOT USE the “PnR endpoint” shown above it, as it is non-TLS. This TLS endpoint is the value that must be entered in uddiConnectionInfo_g1.xml. It looks like https://ttt.transport-testing.org:8443/ttt/sim/e6bb0458-ee24-42dc-a003-cb28683e3cd2/rec/xdrpr, where the identifier segment (e6bb0458-ee24-42dc-a003-cb28683e3cd2 in this example) is the simulator actor data, which changes for each simulator actor we create.
  6. Select from the list the Expected C-CDA Type that you will send to the TTT; this routes the C-CDA to the appropriate validator. The endpoint is permanently associated with that C-CDA type, so create one endpoint for each C-CDA type you will send. For XDR content, select Non-CCDA content (no validation) as the Expected CCDA Type.
  7. In the “Name” field, enter the name you wish to give this connection, then save it.
  8. Click “Save”; this creates a new simulator under the name you entered above. You can continue to create several connections here; give each a different name to reference later. These names can be used for filtering on the simulator control messages page.
  9. To leave the “Sim Control” menu up, click “Home”

Set up SUT to send messages to TTT

  1. In validation suite uddiConnectionInfo_g1.xml, for the 2.2 gateway, change the Document Submission endpoint https://<Host Name or IP Address>:8181/Gateway/DocumentSubmission/2_0/DocumentRepositoryXDR_Service to the NIST TLS endpoint created above.
  2. In validation suite internalConnectionInfo_g1.xml, replace all 8181 ports with 443.
  3. In validation suite - g1 - Document Submission test case request, blank out the content for the <urn1:resource> tag.
  4. In validation suite - g1 - Document Submission test case request, change the value of Association type for the <urn4:Association> tag to "urn:oasis:names:tc:ebxml-regrep:AssociationType:HasMember".
  5. In validation suite - g1 - Document Submission test case request, provide a valid value for AccessConsentPolicy tag like urn:oid:1.2.3.4.
  6. In validation suite - g1 - Document Submission test case request, provide a valid value for instanceAccessConsentPolicy tag like 1.2.3.4.123456789.
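The text substitutions from this section and from the earlier domain.xml / signature.properties / PolicyEngineProxyConfig.xml section, as an added shell script that is not part of CONNECT or the NIST toolkit. It assumes the file names and directory layout given on the page (the GlassFish domain config directory with its nhin subdirectory, and the two validation-suite XML files) and takes the TTT “PnR TLS endpoint” as an argument; it refuses a non-https endpoint, since the non-TLS simulator endpoint must not be used. The request-body edits (resource, Association type, consent policy values) are still made by hand in SoapUI as described. The verify step fails if any old value (gateway.jks, port 8181, the SAML orchestrator) survives, which is the usual reason a run against the TTT fails after a partial edit.

```shell
#!/bin/sh
# Added example, not CONNECT project code: scripts the substitutions
# described in the two configuration sections above and verifies that no
# old value survives. File and directory layout is taken from the page;
# the TTT endpoint is passed in as an argument.
set -e

# Apply sed expression $2 to file $1, keeping a .bak copy. The edit goes
# through a temp file so a failing sed cannot truncate the original.
edit_in_place() {
    cp "$1" "$1.bak"
    sed -e "$2" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Server side. $1 = domain config directory (.../domains/domain1/config).
apply_server_config() {
    cfg="$1"
    edit_in_place "$cfg/domain.xml" \
        's#ssl.keyStore=${com.sun.aas.instanceRoot}/config/gateway.jks#ssl.keyStore=${com.sun.aas.instanceRoot}/config/keystore#'
    edit_in_place "$cfg/domain.xml" \
        's#port="8181" protocol="http-listener-2"#port="443" protocol="http-listener-2"#'
    edit_in_place "$cfg/nhin/signature.properties" \
        's#^org.apache.ws.security.crypto.merlin.file=gateway.jks$#org.apache.ws.security.crypto.merlin.file=keystore#'
    edit_in_place "$cfg/nhin/PolicyEngineProxyConfig.xml" \
        's#adapterpolicyengineorchestratorsamljava#adapterpolicyengineorchestratorjava#g'
}

# Validation suite. $1 = suite directory, $2 = TTT "PnR TLS endpoint" URL.
apply_suite_config() {
    suite="$1"; ttt="$2"
    case "$ttt" in
        https://*) ;;   # only the TLS simulator endpoint is acceptable
        *) echo "refusing non-TLS endpoint: $ttt" >&2; return 1 ;;
    esac
    case "$ttt" in
        *'|'*|*'&'*) echo "unsupported character in endpoint" >&2; return 1 ;;
    esac
    # Any host:8181 Document Submission URL becomes the TTT endpoint.
    edit_in_place "$suite/uddiConnectionInfo_g1.xml" \
        "s|https://[^\"<]*:8181/Gateway/DocumentSubmission/2_0/DocumentRepositoryXDR_Service|$ttt|"
    edit_in_place "$suite/internalConnectionInfo_g1.xml" 's#:8181/#:443/#g'
}

# Exit 0 only if every old value is gone. $1 = config dir, $2 = suite dir.
verify_config() {
    rc=0
    grep -q 'gateway\.jks' "$1/domain.xml" "$1/nhin/signature.properties" \
        && { echo "gateway.jks still referenced" >&2; rc=1; }
    grep -q 'port="8181"' "$1/domain.xml" \
        && { echo "listener still on 8181" >&2; rc=1; }
    grep -q 'samljava' "$1/nhin/PolicyEngineProxyConfig.xml" \
        && { echo "SAML orchestrator still configured" >&2; rc=1; }
    grep -q ':8181/' "$2/uddiConnectionInfo_g1.xml" "$2/internalConnectionInfo_g1.xml" \
        && { echo "8181 endpoint left in validation suite" >&2; rc=1; }
    return "$rc"
}

# Usage: sh nist_config.sh <domain-config-dir> <suite-dir> <ttt-tls-endpoint>
if [ "$#" -ge 3 ]; then
    apply_server_config "$1"
    apply_suite_config "$2" "$3"
    verify_config "$1" "$2" && echo "configuration ready; restart the app server"
fi
```

The .bak copies let you revert to the gateway.jks configuration once the NIST run is finished; the two-stage edit (sed to a temp file, then mv) means an interrupted run never leaves a half-written domain.xml behind.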

Send the Message to TTT

  1. In SoapUI, execute the g1 Document Submission test.
  2. Click on “Simulator Message View” in the NIST toolkit. Select the name from the drop down menu “Simulator”.
  3. When a message is selected from the message list, the request and response messages and a detailed log are displayed. The response contains the validation errors and/or warnings detected by the tool; the log in the bottom part of the page can be inspected for further insight into the tests performed.

Acronyms

ATL - Authorized Test Laboratories
CDA - Clinical Document Architecture
MDN - Multicast Domain Name System
MU - Meaningful Use
NHIO - National Health Insurance Office
NIST - National Institute of Standards and Technology
PnR - Provide and Register
SAML - Security Assertions Markup Language
SUT - System Under Test
TLS - Transport Level Security
TTT - Transport Testing Tool

Related Links

TTT User Guide
TTT - Tool Kit
TTT - Configuration

