Preparing to test ATNA at the IHE NA Connectathon


Lynn Felhofer

Feb 2, 2021, 11:33:12 AM
to na_conn...@googlegroups.com
The Audit Trail and Node Authentication (ATNA) Profile is supported by many test systems at the IHE North American Connectathon.

If this applies to your system, please read on...

In 2019 the IT Infrastructure Technical Committee approved changes to TLS and audit-related options in ATNA.  During your Connectathon preparation in February, please review the following information:
  • Please read this ATNA Resources page. It contains details about the new ATNA options, obtaining digital certificates for Connectathon, and the approach for testing TLS and audit message exchange. The information on that page applies to ATNA testing at IHE Connectathons in North America & Europe in 2021.
  • Find your Pre-Connectathon tests in Gazelle Test Management under menu Connectathon -> Pre-Connectathon -> Pre-Connectathon Testing. The tests and tools are ready for you to get started.
  • You should obtain your digital certificate now for pre-Connectathon testing (e.g. with Gazelle Security Suite tool or the NIST XDS Tools). Instructions for getting your digital certificate are in pre-Connectathon test 11100. The same digital certificates are used for both pre-Connectathon and Connectathon testing.
Your advance preparation for ATNA will have a big payoff during Connectathon week in March. If you complete the ATNA Pre-Connectathon tests during February using the Gazelle Security Suite (GSS) tool, including your ATNA Questionnaire, you will have a big set of Connectathon week ATNA testing already done and ready for monitors to evaluate in March.

If you have questions about the ATNA requirements, ATNA testing, or the GSS tool, please contact me.  I’m happy to help.

Best regards, 

Lynn Felhofer
IHE Technical Project Manager - ITI & RAD Domains

Lynn Felhofer

Feb 10, 2021, 9:00:18 PM
to na_conn...@googlegroups.com
Attention ATNA testers,

Last week I sent information (below) about ATNA testing that included information about testing TLS, both with the Gazelle Security Suite tool and for peer-to-peer testing during Connectathon week.

  • Gazelle Security Suite enables you to test various TLS configurations (TLS versions and different cipher suites) as both a client and server
  • For peer-to-peer testing during Connectathon week, for the past 2-3 years at both NE and EU Connectathons, we have selected TLS 1.2 with TLS_RSA_WITH_AES_128_CBC_SHA.   We selected that cipher suite for prior Connectathons because some participants were using software libraries that did not support the stronger cipher suites specified in the new ATNA options with BCP195

CURRENT ISSUE:  I have a report from one Connectathon participant that the more recent software libraries they are using no longer have support for TLS_RSA_WITH_AES_128_CBC_SHA, so it is impossible for them to configure that cipher suite with TLS 1.2. If that is true for one test system, it probably is true for others.

QUESTION:    During Connectathon week, for peer-to-peer testing using TLS (eg XDS transactions, others…), if we specified using TLS 1.2 with one of the following stronger cipher suites...
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
...would that be a problem for you?

If you could investigate this and send me an email identifying your test system name and "problem" or "no problem" -- I'd like to confirm this and make a decision on this early next week.

Thanks for your support in avoiding a “Monday TLS surprise”

Lynn
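
One way to check a TLS library against the cipher suites named in the message above. This is an added example, not part of the original post or of any IHE tool. It only inspects the OpenSSL build linked into the local Python `ssl` module, which is an assumption about your stack; the OpenSSL cipher-string names are the standard equivalents of the IANA names in the thread, and the function names are hypothetical.

```python
import ssl

# IANA suite names from the thread mapped to OpenSSL cipher-string names.
# The OpenSSL names are standard equivalents; they do not appear in the thread.
OPENSSL_NAMES = {
    "TLS_RSA_WITH_AES_128_CBC_SHA": "AES128-SHA",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256": "DHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384": "DHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
}
LEGACY = "TLS_RSA_WITH_AES_128_CBC_SHA"  # suite used at prior Connectathons


def library_supports(openssl_name):
    """True if the local library enables this suite on a TLS 1.2-only context."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        ctx.set_ciphers(openssl_name)
    except ssl.SSLError:
        # Raised when the cipher string selects nothing (removed or disabled).
        return False
    # TLS 1.3 suites can stay listed regardless, so match the exact name.
    return any(c["name"] == openssl_name for c in ctx.get_ciphers())


def check_suites():
    """Map each IANA suite name from the thread to True/False for this library."""
    return {iana: library_supports(name) for iana, name in OPENSSL_NAMES.items()}


def missing_proposed(report):
    """Proposed (non-legacy) suites that this library cannot negotiate."""
    return [s for s, ok in report.items() if s != LEGACY and not ok]


if __name__ == "__main__":
    report = check_suites()
    print("TLS library:", ssl.OPENSSL_VERSION)
    for suite, ok in report.items():
        print(f"  {suite:<42} {'available' if ok else 'NOT available'}")
    print("Proposed suites missing:", missing_proposed(report) or "none")
```

A suite can also be switched off by system-wide crypto policy or by the application's own cipher configuration, so a result of "available" here is necessary but not sufficient for the test system itself.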