IHE North American Connectathon 2014

Home
Tech Framework
Schedule
Registration
Logistics
Technical Prep
Training
Showcase
Contacts

ATNA Resources & Digital Certificates

For those of you that tested at the January 2013 Connectathon, these guidelines are the same as last year.

Digital Certificates

If you registered to test ATNA, you must generate your own digital certificate for your tests system for pre-Connectathon & Connectathon testing (same cert used for both).

Additional notes:

  • If you think you want to load the certificates of all of the peers rather than just the CA, you are doing something wrong. STOP! Contact Steve Moore.
  • Each certificate has a CN that does not map to a real host name. Some of you will say that this does not match standard practice. However, this does match how the ATNA profile is written. If your software automatically checks to see that the hostname of the network connection matches that in the certificate, you need to disable that (don't ask us how; we don't know your software). If you have questions about this configuration, contact Steve Moore.
  • You may use the same certificates for pre-Connectathon testing and Connectathon testing. You may also generate different certificates.
  • The certificates are intended to identify the system as registered in Gazelle. If your system is implemented with multiple computers (virtual or real), we believe you only need one certificate and can use that same certificate for each of your computers.
    • However, given that this is now self-service and there is no charge for certificates, you are able to generate individual certificates if needed.

Acceptable Ciphers for NA2014 Connectathon

Please refer to ITI TF-2a: 3.19.6.2. Note that CP-ITI-478 retired ATNA encryption as an option, and ITI-19 (Authenticate Node transaction) requires support for encryption.

Protocol

Cipher

Technical Framework Reference

DICOM

TLS_RSA_WITH_AES_128_CBC_SHA
for all protocols

ITI TF-2a:3.19.6.2

HL7 V2 MLLP

HTTP

Syslog / TLS 1.0

Web Services (HL7 V3, XDS.b, XDR, XDS-I.b…)

 

ATNA Logging Requirements

You are responsible for all requirements in ITI-20 (Record Audit Event transaction) . We will not repeat the requirements here, except to remind you that ITI TF-2a: 3.20.6.1 specifies:

  1. Secure Node & Secure Application actors shall CHOOSE ONE of the following transports for audit messages:
  2. The Audit Record Repository shall support BOTH transports:

IMPORTANT NOTE 1: For 2014 connectathons, the Syslog Collector is transitioning from validating against the RFC-3881 schema to the DICOM RNC schema. Read details here: http://ihewiki.wustl.edu/wiki/index.php/Syslog_Collector#Transition_from_RFC-3881_schema_to_DICOM_schema

IMPORTANT NOTE 2: ITI TF-2a: 3.20.6.3.3 indicates that, although RFC 5424 states that this MUST be TLS 1.2, the ITI TF relaxes the requirement to specify that the transport MUST be TLS, but 1.2 is RECOMMENDED.

  • Because TLS 1.2 is not widely implemented, ***for the Connectathon*** implementers must use TLS 1.0.

Use of BOM in Syslog Messages

The ATNA profile relies on RFC 5424 that discusses UTF-8 and a Byte Order Mark (BOM). As I (Steve) read the RFC, I find the language confusing. A common event during the pre-Connectathon process is that the Project Managers will make unilateral decisions to allow us to give clear instructions to the Connectathon participants:

  1. For the Jan 2014 Connectathon, Secure Nodes/Applications (those that send Syslog messages) will be allowed to send messages either with or without the BOM.
  2. We will ask Audit Record Repositories to be agile and be prepared to accept either format.

ATNA Pre-Connectathon Test Rqmts for NA2014

  1. The tests listed in this section are on your pre-Connectathon list of 'test to do' in gazelle; this is an overview of those tests.
  2. Secure Node and Secure Application systems are required to complete the ATNA questionnaire. This is pre-Connectathon test 11106.
  3. The ATNA Tools: the Syslog Sender and Syslog Message Browser and TLS tool are ready. Secure Node/Applications will be able to test their audit messages with the syslog browser, test 11107. Audit Record Repositories will be able to receive audit messages from the syslog sender in test 11108. Secure Node/Applications will test their TLS connections using HL7v2, DICOM and/or webservices protocols in test 11109.

ATNA Connectathon Testing

At the January 2014 Connectathon , we will only give credit for successfully testing ATNA to Secure Node / Secure Application actors who complete:

  1. the ATNA TLS requirements:
    • tests ATNA_Authenticate_Client and ATNA_Authenticate_Server: Two no-peer test. We will check your TLS connection with all transports you support (DICOM, HLv2/MLLP, Webservices) as both a client/initator & server/responder
    • those tests will point you to the TLS tools (http://gazelle.ihe.net/tls-na/).
      • You will use these tools in advance with pre-Connectathon test 11109.
      • The tool is configured with the NA2014 connectathon certificates
      • Log in to the tool using your NA2014 gazelle user name & password
    • you will also test TLS connections for transactions in peer-to-peer tests for profiles that require that you also implement ATNA (XDS.b, XCA, & others)
  2. the logging requirements using the protocols listed in the Audit Logging section above:
    • test ATNA_Logging: Three peer-to-peer tests. Send your audit messages to three different vendors' Audit Record Repositories.
    • test ATNA_Audit_Msg_Check: One no-peer test. We will check at least one of your audit messages with the new Syslog Message Browser tool. This was pre-Connectathon test 11107, if you completed that, this one will be easy. This tool performs 3 levels of evaluation:
      • You must send your audit message to the tool on the TLS port: syslog protocol (RFC 5424) over TLS (RFC 5425) (except for a small number of 'grandfathered' systems that still use UDP -syslog protocol (RFC 5424) over UDP (RFC5426)
      • You must pass validation of the XML (RFC 3881)
      • For many IHE transactions, the Technical Framework defines the attributes to be sent in the audit message associated with that transaction. We will run schematron against the transaction-specific portion of your audit message.
  3. the ATNA_Questionnaire. One no-peer test. This is also pre-Connectathon test 11106, so you can (should) finish this before arriving at the Connectathon.

ATNA FAQ

Members of the community have contributed to an ATNA FAQ on this wiki page: ATNA FAQ.

Questions about material on this page?

Send a question to Steve Moore (certificate provider).