The Gazelle project entitled Gazelle-Security-Suite (alias GSS) gathers the following tools used in the context of the security profile IHE ATNA :
Since version 5.0.0 the tool is called Gazelle-Security-Suite and run on JBoss 7. It was prior called Gazelle ATNA Tools and ran on JBoss 5. The main title has changed, but a lot of modules have kept the old name, so do not be surprise to find both names in code sources.
Gazelle-Security-Suite is an open-source project under Apache License Version 2.0. Sources are available via Subversion at https://scm.gforge.inria.fr/anonscm/svn/gazelle/Maven/gazelle-atna/.
The public packaged application of our development trunk can be found here. If you prefer a more stable version, the latest release can be downloaded from our Sonatype Nexus repository (search for gazelle-atna-ear).
If you download the ear from Nexus it will have a name such as gazelle-atna-ear-4.7.12-tls.ear or gazelle-atna-ear-5.0.0-gss.ear, then be sure to rename it to gazelle-tls.ear or gazelle-gss.ear otherwise the deployment will fail.
If you are installing a Gazelle tool for the first time in your environment, make sure to read carefully the general considerations for JBoss7.
If your are installing a version of GSS prior to 5.0.0, you will have to set up a JBoss 5 application server instead.
Bouncycastle, as a security library, is very sensible to the classloader. This library is prepared during GSS build and available here (Jenkins workspace). Depending on which version of JBoss GSS is running, the installation differs.
bcprov library must be installed as a module of the application server.
<?xml version="1.0" encoding="UTF-8"?>
<module xmlns="urn:jboss:module:1.1" name="org.bouncycastle">
<resources>
<resource-root path="bcprov-jdk15-1.45.jar"/>
</resources>
<dependencies>
<module name="javax.api" slot="main" export="true"/>
</dependencies>
</module>
The USA government restricts the allowed Java key size by default. It is needed to change the policy of the JVM if you get the error java.security.InvalidKeyException: Illegal key size.
This can be fixed by overwriting policy files in the Java runtime by those provided on the Java download page :
Unzip The 2 files jce/US_export_policy.jar and jce/local_policy.jar and paste them into ${JAVA_HOME}/jre/lib/security/
To check whether it's working, try to create a custom certificate with a key size of 2048 once GSS is installed.
Your database must have a user gazelle
psql -U gazelle
CREATE DATABASE tls OWNER gazelle ENCODING 'UTF-8' ;
psql -U gazelle tls < schema.sql
To deploy Gazelle-Security-Suite :
psql -U gazelle tls < init.sql
If the ATNA-questionnaire is enable (true by default), GSS will need a directory to record Audit Messages and validation results. By default, the application is configured to use /opt/tls/.
sudo mkdir /opt/tls
Be sure this directory can be read/written by JBoss.
sudo chmod -R 775 /opt/tls sudo chown -R jboss:jboss-admin /opt/tls
The update mechanism changed at version 5.1.0. Be careful to strictly follow the process associated to the version you come from.
Due to the update mechanism of the database (the ear is responsible for creating elements, and the update-X.X.X.sql script is responsible for updating or deleting elements), it is important to not skip any version of the application in an overall update. You cannot go directly from 4.7.4 to 4.7.12, you will have to repeat the process from 4.7.4 to 4.7.5, 4.7.6, 4.7.7 and so on.
To update Gazelle-ATNA-tools 4.7.12 to Gazelle-Security-Suite 5.0.0 the process is the same, except that the deployment of the new ear (step 5) must be done on a JBoss7 properly installed for GSS.
Example (version number are hypothetical) : to update GSS from 5.1.0 to 5.1.5 you have to execute 5.1.1, 5.1.2, 5.1.3, 5.1.4 and 5.1.5 update SQL scripts, but you only have to deploy the latest gss 5.1.5 ear.
Basicaly one Gazelle Central Authentication Service provides user authentication for all Gazelle applications in a test bed. However we once had the need to connect one instance of GSS with two test beds. We implemented a feature to answer this need and decide to leave the option available for public. So GSS can be connected with two distinct Authentication Services and users are identified from two databases. GSS concatenates the username and the CAS key to preserve username uniqueness all over the application. Of course the second authentication channel is optional and can be turned off.
Note that every configuration variable related to a user feature is then derivated in two versions and prefixed with main_ or second_. It allows admin to configure options and services for the first or the second test bed.
PKI features of GSS require to define a certificate authority (CA) for :
The certicate authority of the tool can be set in the administration of the application. Set the preference certificate_authority_Id to the id (primary key in database) of the Certificate of the selected CA. GSS requires that the private key of this certificate is stored in the application, otherwise it would not be possible to sign any requests.
There is several way to have a certificate authority stored into the application :
Go to Administration > Create a Certificate Authority, Fill the form and validate. This is the most recommended way.
Depending on the format go to Administration > Import p12 or Import PEM. Import also the private key.
If you import an existing CA, do not use a CA chained to an issuer publicly trusted. GSS provides certificates for testing purpose only, they must not be valid outside of this context.
| Property name | Description | Default value |
|---|---|---|
| application_api_key | riendutoutpourlinstant | |
| application_documentation | The link to the user manual. | https://gazelle.ihe.net/content/gazelle-security-suite |
| application_issue_tracker | The link to the section of the issue tracker where to report issues about Gazelle-Security-Suite | https://gazelle.ihe.net/jra/browse/TLS |
| application_release_notes | The link to the application release notes | https://gazelle.ihe.net/jira/browse/TLS#selectedTab=com.atlassian.jira.plugin.system.project%3Achangelog-panel |
| application_works_without_cas | Specifies if the Central Authentication Service (CAS) is used or not. If no CAS is used, property shall be set to true | true |
| application_url | The URL used by any user to access the tool. The application needs it to build permanent links inside the tool | http://localhost:8080/gss |
| assertion_manager_url | To link tests and validators to assertions, you will need to deploy Assertion Manager in the test bed. Provide its URL here. | http://localhost:8080/AssertionManagerGui |
| atna_mode_enabled | Enable/disable Audit Trail features : ATNA-Questionnaire and Audit-Message validation. | true |
| atna_questionnaire_directory | Directory used to store Audit-Messages samples and validation results linked with a questionnaire. | /opt/tls/questionnaire |
| audit_message_index | Index used to generate next Audit-Message Specification OID. This value is automatically incremented by the system. | 1 |
| audit_message_root_oid | Root OID for Audit Message Specification. This value is concatenated with the index at runtime. | 1.1.1.1.1.1.1. |
| audit_message_validation_xsl | URL to the validation result stylesheet. Must be in the same domaine, otherwise the majority of modern browser will not perform the transformation. A default one is embedded in the application. | http://localhost:8080/gss/resources/stylesheet/auditMessagevalidatorDetailedResult.xsl |
| certificate_authority_Id | Id of the certificate in database of the main certification authority used by the tool to deliver and sign certificates. | 1 |
| crl_url | Base URL to print into certificates as revocation list. The tool will add /crl/{id}/cacrl.crl at runtime. | http://localhost:8080/gss |
| dicom_xsd | Path to the DICOM schema (Audit Message validation). | /opt/tls/dicom_syslog_ext_us.xsd |
| evs_client_url | The URL of the Gazelle EVSClient application. This is required to validate the messages captured by the proxy. | http://localhost:8080/EVSClient |
| ip_login | If the application is not linked to a CAS, you can choose to restraint the access to the administration sections of the application to a subset of IP addresses | false |
| ip_login_admin | Regex to be matched by IP addresses of the users granted as admin if "ip_login" is set to "true" | .* |
| java_cacerts_truststore_pwd | GSS is also using the cacerts JVM truststore to validate certificates (located in ${JAVA_HOME}/jre/lib/security/cacerts). Provide here its password. | changeit |
| main_cas_keyword | Key used to distinct authentication service (maximum length 8). | 1ST |
| main_cas_name | Name of the authentication service displayed in the GUI. | 1st Authentication Service |
| main_cas_url | URL of the first Gazelle Central Authentication Service. | http://localhost:8080/cas |
| main_tm_application_url | URL of Gazelle Test Management linked with the first CAS. | http://localhost:8080/gazelle |
| main_tm_message_ws | URL of the Messages web-service of Gazelle Test Management linked with the first CAS. | http://localhost:8080/gazelle-tm-ejb/GazelleMessageWSService/GazelleMessageWS?wsdl |
| main_tm_pki_admins | List of PKI admins usernames in Gazelle Test Management linked with the first CAS (separated with a coma). They will receive a message alert each time a certificate is requested and require a manual validation. | admin1,admin2,admin3 |
| NUMBER_OF_ITEMS_PER_PAGE | Default number of rows displayed in tables (20, 50 or 100). | 20 |
| pki_automatic_request_signing | By default, all certificate signing requests must be validated by hand by an administrator. If you enable the automatic request signing mode, users will get the signed certificate immediatley after submiting their request. | false |
| pki_mode_enabled | Enable/disable PKI features. | true |
| proxy_oid | This is the OID that uniquely identify the instance of the tool when submitting message validation to EVSClient. | to-define |
| questionnaire_display_access_phi | Enable/disable the Non network means for accessing PHI tab in ATNA Questionnaire | true |
| questionnaire_display_audit_messages | Enable/disable the Audit Messages tab in ATNA Questionnaire | true |
| questionnaire_display_authentication_process | Enable/disable the Authentication process for local users tab in ATNA Questionnaire | true |
| questionnaire_display_inbounds | Enable/disable the Inbound network communications tab in ATNA Questionnaire | true |
| questionnaire_display_outbounds | Enable/disable the Outbound network communications tab in ATNA Questionnaire | true |
| questionnaire_display_tls_tests | Enable/disable the TLS Tests tab in ATNA Questionnaire | true |
| rfc3881_xsd | Path to the RFC3881 schema (Audit Message validation). | /opt/tls/RFC3881.xsd |
| second_cas_enabled | Enable/disable second CAS authentication. | false |
| second_cas_keyword | Key used to distinct authentication service (maximum length 8). | null |
| second_cas_name | Name of the authentication service displayed in the GUI. | null |
| second_cas_url | URL of the second Gazelle Central Authentication Service. | null |
| second_tm_application_url | URL of Gazelle Test Management linked with the second CAS. | null |
| second_tm_message_ws | URL of the Messages web-service of Gazelle Test Management linked with the second CAS. | null |
| second_tm_pki_admins | List of PKI admins usernames in Gazelle Test Management linked with the second CAS (separated with a coma). They will receive a message alert each time a certificate is requested and require a manual validation. | null |
| storage_dicom | Absolute path to the system folder used to store the DICOM datasets | /opt/tls/DICOM |
| time_zone | The time zone used to display the timestamps | Europe/Paris |
| tls_automatic_simulator_address_enabled | SSL/TLS simulators detects their own IP address and host and display it to the GUI. If you prefer manually define the address, set this value to false and set the variable tls_simulator_address with the value of your choice. | true |
| tls_mode_enabled | Enable/disable SSL/TLS simulator features. | true |
| tls_simulator_address | SSL/TLS simulators detects their own IP address and host and display it to the GUI. If you prefer manually define the address, set this value to false and set the variable tls_simulator_address with the value of your choice. | true |
| xua_mode_enabled | Enable/disable XUA assertions validator. | true |
| xua_xsd | Path the XUA schema (Assertion validation) | /opt/tls/saml-schema-assertion-2.0.xsd |