11099: Read ATNA Resources page

--> Prior to performing ATNA tests, please read this page for guidelines that address frequently asked questions about testing expectations. <--

THIS PAGE APPLIES TO ATNA TESTING AT 2024 IHE CONNECTATHONs. 

• ATNA Requirements
• Gazelle Security Suite (GSS) tool for ATNA testing
• Security Policy (TLS & audit) for the 2022 IHE EU/NA Connectathon
• GSS: Digital Certificates for IHE Connectathons
• GSS: ATNA Questionnaire
• GSS: ATNA Logging Tests - TLS Syslog
• Questions about ATNA testing?
• Evaluation

ATNA Requirements

The ATNA requirements are in the IHE Technical Framework:

• ITI Technical Framework, Vol 1, Section 9 - ATNA Profile.
• ITI Technical Framework Vol 2, for the [ITI-19] and [ITI-20] transactions.
• The RESTful ATNA (Query and Feed) Trial Implementation Supplement specifies additional features.

NOTE:  The folloing options were retired in 2021 via CP-ITI-1247 and are no longer tested at IHE Connectathons:

• STX: TLS 1.0 Floor with AES Option
• STX: TLS 1.0 Floor using BCP195 Option

Gazelle Security Suite (GSS) tool for ATNA testing:

Tool-based testing of TLS (node authentication) and of the format and transport of your audit messages is consolidated in one tool - the Gazelle Security Suite (GSS).

• Link to the tool: http://gazelle.ihe.net/gss.  
• Instructions for use of the tool are contained in ATNA test descriptions - here.

Security Policy (TLS & audit) for the 2024 IHE EU/NA Connecthon

In order to ensure interoperability between systems doing interoperability (peer-to-peer) testing over TLS (e.g. XDS, XCA...) the Connectathon technical managers have selected a TLS version and ciphers to use for interoperability tests during Connectathon week.  (This is analagous to a hospital mandating similar requirements at a given deployment.)

TLS POLICY for [ITI-19]:

*** For the 2022 IHE Connectathon, interoperabily testing over TLS shall be done using:

• TLS 1.2
• cipher suite  - any one of:
  
• TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
• A digital certificate, issued by the Gazelle Security Suite (GSS) tool.  See details below.

AUDIT MESSAGE POLICY for [ITI-20]:

Before 2020, an ATNA Audit Record Repository (ARR) was required to support receiving audit messages in both TLS syslog and UDP syslog.   That meant that all Secure Node/Applications could send their audit messaes to any ARR.

Now, all actors sending and receiving audit messages may choose to support TLS Syslog, UDP Syslog, and/or FHIR Feed for transport.   We expect that the Audit Record Repositories at the NA and EU Connectathons will provide good coverage of the options (TLS, UDP, FHIR), though some ARRs may support a subset.  In particular, the FHIR Feed Option in ITI-20 may have less support because it was new as of 2020.

Connectathon technical managers will not select one transport for all audit records exchanged during Connectathon.  Instead, Secure Node/Applications will choose ARRs for test partners that are compatible with the audit records they send in ITI-20.  Gazelle Test Management will show compatible partners for ITI-20 interoperability tests:  "ATNA_Logging_*.

==> GSS: Digital Certificates for IHE Connectathons

The Gazelle Security Suite (GSS) tool is the SINGLE PROVIDER OF DIGITIAL CERTIFICATES for IHE Connectathons.  

To obtain a digital certificate from the GSS tool for preparatory & Connectathon testing, follow the instructions in test 11100.   That test contains instructions that apply to an IHE Connectathon, whether face-to-face or online.

Some facts about the digital certificates for Connectathon testing:

1. The digital certificate you generate in GSS:
1. is from Certificate Authority (CA) with a key of 2048 length.  You must add the certificate for the new CA in your trust store.
2. will contain the fully-qualified domain name (FQDN) of your Connectathon test system.   When you use GSS to request the certificate, the tool will prompt you for this value.  The FQDN value(s) will be in the subjectAltName entry of your digital certificate.  (You may need to provide more than one FQDN when you generate your certificate, e.g., if you will use your system to test TLS connections outside of the Connectathon network, such as using the NIST XDS Tools in your local test lab.)
2. Test 11100 contains detailed instructions for generating your certificate, including how to get the fully-qualified domain name for your test system.
3. Item (1.b.) means that each system testing TLS transactions during Connectathon week will have a digital certificate that is compatible with the 'FQDN Validation Option' in ATNA.  Thus, TLS connections with test partners will work whether the client is performing FQDN validation, or not.  This is intentional.
4. The certificates are only for testing purposes and cannot be used outside of the IHE Connectathon context.

==> GSS: ATNA Questionnaire

Systems testing ATNA are required to complete the ATNA Questionnaire in the GSS tool, ideally prior to Connectathon week.  Embedded in the questionnaire are Audit Record tests and TLS tests customized for the profiles & actors you registered to test at Connectathon.

• Follow instructions in test 11106.

==> GSS: ATNA Logging Tests - ATX: TLS Syslog Option

Read the Technical Framework documentation; you are responsible for all requirements in Record Audit Event [ITI-20] transaction. We will not repeat the requirements here.

WHICH SCHEMA???:  The Record Audit Event [ITI-20] specifies use of the DICOM schema for audit messages sent using the ATX: TLS Syslog and ATX: UDP Syslog options.  The DICOM schema is found in DICOM Part 15, Section A.5.1.  

• The Gazelle Security Suite tool uses the DICOM schema with IHE modifications.  The schema used by the GSS tool is: https://gazelle.ihe.net/XSD/IHE/ATNA/dicom_ihe_current.xsd

We expect implementations to be compliant; we have tested audit messages using the DICOM schema at IHE Connectathons since 2016.

• The GSS tool will only provide validation against the DICOM schema. If you fail that test, it is our signal to you that your audit messages are not compliant with the latest DICOM schema.  See test 11116.
• We expect interoperability testing at the Connectathon to occur using audit records that are compliant with the DICOM schema.

SENDING AUDIT MESSAGES:   You can send your audit records to the GSS tool simulating an Audit Record Repository.  See test 11117.

Questions about ATNA Testing?

Contact the Technical Project Manager for the IT Infrastructure domain.  Refer to the Contact Us page.

Evaluation 

There is no specific evaluation for this test.  

Create a text file stating that you found and read the page. Upload that text file into Gazelle Test Management as the Log Return file for test 11099.