MESA/Secure Node Deprecated
These are tests for Secure Nodes/Secure apps that were defined for Radiology Basic Security. We are parking them on this page so as not to clutter the supported test definitions. This is mainly for the test developers to use as reference.
Secure App/Secure Node Test Software
Secure Node Tests
Integration Profiles and Test Procedures
IHE Secure Nodes combine one or more IHE actors with secure communications. Secure communications implies the following:
- The Secure Node uses and requires authentication of network operations using TLS
- The Secure Node sends audit records to the Audit Record Repository
For the purposes of this document, we will classify nodes as clients or servers. A client is one that initiates a network connection; a server listens for and accepts a network connection. Many systems may operate as both a client and as a server. This term is not used in the IHE Technical Framework.
This document will describe tests for both client and server applications.
Introduction
Each test is run using the same procedure. We assume you are using an interactive terminal or terminal emulator and are logged on to the MESA test system. Change directory to $MESA_TARGET/mesa_tests/iti/actors/secure_node. Make sure the $MESA_TARGET and $MESA_STORAGE environment variables are set properly.
Integration Profiles and Test Procedures
This document lists a number of tests for Secure Node Systems. You may not be responsible for all of these tests.
Please refer to the Connectathon web tool to list the required tests for your system. The web address of this tool depends on the year and project manager. Please contact the appropriate project manager to obtain this information.
Message Attributes
This section is applicable for other actors and other tests. Expect that all fields of X.509 certificates and IHE Audit (syslog) messages are subject to evaluation.
Message Values
This section is applicable for other actors and other tests.
Configuration
The Secure Node scripts described below use an ASCII configuration file to identify parameters such as host names and port numbers. The configuration file is named secure_test.cfg and is included in the directory $MESA_TARGET/mesa_tests/rad/actors/secure_node. Edit the file and change entries (host name, port number) that pertain to your system. Your system is identified by entries that begin with TEST.
The table below gives parameters for MESA servers that will receive messages from your system.
| Application | Certificate | Port |
|---|---|---|
| MESA Syslog Server | NA | 4000 (UDP) |
| TLS TCP Server | Self signed | 4100 |
| TLS TCP Server | Self signed, unregistered | 4101 |
| TLS TCP Server | Self signed, expired | 4102 |
| Order Placer (HL7 V2 MLLP) | CA signed | 2101 |
| Order Filler (HL7 V2 MLLP) | CA signed | 2201 |
| Order Filler (DICOM MWL) | CA signed | 2251 |
| Patient Demographics Supplier (HL7 V2 MLLP, PDQ queries) | CA signed | 3701 |
| Patient ID Cross Reference Manager (HL7 V2 MLLP, ITI-8, PIX Query) | CA signed | 3601 |
Read the Runtime Notes section of the Installation Guide to determine the proper settings for the MESA runtime environment.
Starting the MESA Servers
MESA servers are started from a DOS/CMD window or a terminal emulator. Follow these steps:
- Unix, unsigned certificates
- cd $MESA_TARGET/mesa_tests/iti/actors/secure_node
- scripts/start_mesa_servers.csh [loglevel]
- Unix, signed certificates
- cd $MESA_TARGET/mesa_tests/iti/actors/secure_node
- scripts/start_ca_signed.csh
- Windows, unsigned certificates
- cd %MESA_TARGET%\mesa_tests\iti\actors\secure_node
- scripts\start_mesa_servers.bat [loglevel]
- Windows, signed certificates
- cd %MESA_TARGET%\mesa_tests\iti\actors\secure_node
- scripts\start_ca_signed.bat [loglevel]
To stop the servers:
- Unix, unsigned certificates: scripts/stop_mesa_servers.csh [loglevel]
- Unix, signed certificates: scripts/stop_ca_signed.csh [loglevel]
- Windows, unsigned certificates: scripts\stop_mesa_servers.bat [loglevel]
- Windows, signed certificates: scripts\stop_ca_signed.bat [loglevel]
Log files are stored in $MESA_TARGET/logs.
External Audit Record Repositories
This does not apply for the 2006-2007 cycle. Reliable syslog has been placed on hold.
The MESA tools are shipped with an Audit Record Repository that supports the BSD Syslog protocol (UDP). Reliable Syslog is handled using products from different systems. This release of the software relies on a Knoppix CD made available by HIPAAT, Inc. To send audit messages using the Reliable Syslog protocol, you will need to download the ISO image of the Knoppix CD or request a CD from the Project Manager.
There is a separate document from HIPAAT that describes how to start/run the CD. The CD is shipped assuming you will use DHCP to obtain an IP address. You can modify the network setup to give the PC a fixed IP address.
Self-signed Digital Certificates
Some MESA tests use self-signed digital certificates.
Self-signed digital certificates for testing are located in the directory $MESA_TARGET/runtime/certificates. Included in the directory are pairs of files for the private key and public certificate. This is not a secure way to distribute these, but the goal is to work on the technology of certificates.
Your system should use the private key and certificate found in the files starting with test_sys_1. Import these into your system using whatever configuration is necessary.
The MESA client and server applications will use certificates found in the file mesa_list.cert. Use this as the list of all certificates that MESA may use when communicating with your system.
Do not use your own certificates for these tests or try to configure the MESA tools with different certificates. If there are issues with the certificates, please log a bug report.
CA-Signed Digital Certificates
Some MESA tests use certificates signed by a CA. In these tests, you will need to configure your system with the private key/certificate for your system and the public certifidcate of the CA. You will only need the CA certificate when accepting MESA certificates. This is testing the case where you do not receive a copy of the peer certificate in advance. You do have the certificate of the CA, and you rely on the CA signature to validate the peer certificate.
For NA 2011, signed certificates have been issued for all systems. You can use that signed certificate for your system or the private key/certificate found in $MESA_TARGET/runtime/certs-ca-signed/test_sys_1.....pem. The public certificate for the CA is $MESA_TARGET/runtime/certs-ca-signed/cacert.pem.
If you are using these tools and choose the test_sys_1....pem files, you will need the challenge phrase to use the certificate. The challenge phrase is:
| MESA Version | Challenge Phrase |
|---|---|
| 14.x | Does not apply. There was no challenge phrase |
| 13.x | NA2010 |
| 12.x and below | Does not apply. There was no challenge phrase |
Ciphers
ITI TF 2:3.19.6.2 defines the ciphers that must be supported for the Authenticate Node transaction. Starting with MESA version 14.0, the MESA tools will support the single cipher listed in the ITI Technical Framework:
- TLS_RSA_WITH_AES_128_CBC_SHA
For more information on ciphers.
Basic Secure Node (Client or Server)
Each section below describes one test that is appropriate for a Secure Node in the Basic Security Integration Profile that is configured as either a client node or a server node. Later sections will list tests that are specific to client operations or server operations.
Test Instructions: 120x Tests
Each test is independent of the others. You must collect the results of one test before starting a new test. You do not have to run the tests in the order listed. Each of the tests in the 120x section are designed for the IHE Radiology Basic Security Profile. This uses the provisional schema and UDP messaging to the MESA Audit Record Repository.
Enter the Secure Node directory: mesa_tests/rad/actors/secure_node. Remember the MESA servers were started according to the directions in section 1.5.
Follow the test instructions for each test found in the next sections of this document.
1200: SEC List Audit Messages
This is a documentation procedure where you list all of the audit messages that your system is required to produce. The purpose of the test is for you to provide that list to the Project Manager so that the manager can determine if your system is producing the proper set of messages. This test result is due 3 weeks in advance of the normal test deadlines. This will give you time to recover in the event that you are missing audit events required of your system.
Create a text file named: grade_1200.txt. Content of the file should be as listed below.
- Line 1: Company Name
- Line 2: System Name
- Line 3 and following: List of all Integration Profile/Actor combinations for this system.
Following lines: List all audit events for which your system produces an audit message. Submit the text file to the Project Manager for evaluation.
1201: Actor Start
This sequence tests your ability to send an audit record to the MESA Audit Record Repository. This test covers the basic functionality of transmitting the message and the proper XML format of the message. The Actor Start message is chosen as that is required of all actors and is independent of other IHE transactions. This can be run using the IETF or INTERIM audit record format.
If not already done, start the MESA servers according to the directions in section 1.5.
By whatever means you use, “start” your actor such that it generates the actor-start-stop audit record message. This should be sent to the MESA Audit Record Repository.
Run the evaluation script to examine the last audit record sent by your system to the MESA Audit Record Repository. It should find the last audit record was for Actor-start-stop and it should verify the content of that record against the IHE XML schema:
perl 1201/eval_client_1201.pl <log> <INTERIM or IETF>
<log> is a log level (1 – 4). The results file 1201/grade_client_1201.txt) should show 0 failures.
Run the evaluation at log level 4 and submit the test results to the Project Manager.
1202: System Configuration
This sequence tests your ability to send an audit record to the MESA Audit Record Repository. This test covers the basic functionality of transmitting the message and the proper XML format of the message. The Actor-config message is chosen.
If not already done, start the MESA servers according to the directions in section 1.5.
By whatever means you use, configure or reconfigure your actor such that it generates the IHE Actor-config audit record message. This should be sent to the MESA Audit Record Repository. For example, you might change the host name.
Run the evaluation script to examine the last audit record sent by your system to the MESA Audit Record Repository. It should find the last audit record was for Actor-config and it should verify the content of that record against the IHE XML schema:
perl 1202/eval_client_1202.pl
The results file (1202/grade_client_1202.txt) should show 0 failures.
Submit the test results to the Project Manager.
1203: User Authenticated
This sequence tests your ability to send an audit record to the MESA Audit Record Repository. This test covers the basic functionality of transmitting the message and the proper XML format of the message. The User-Authenticated message is chosen.
If not already done, start the MESA servers according to the directions in section 1.5.
By whatever means you use, configure or reconfigure your actor such that it generates the IHE User-Authenticated audit record message. This should be sent to the MESA Audit Record Repository. For example, you might change the host name.
Run the evaluation script to examine the last audit record sent by your system to the MESA Audit Record Repository. It should find the last audit record was for Actor-config and it should verify the content of that record against the IHE XML schema:
perl 1203/eval_client_1203.pl
The results file (1203/grade_client_1203.txt) should show 0 failures.
Submit the test results to the Project Manager.
1205: Unspecified Records
Tests 1201 through 1204 cover specific events that defined by the MESA documentation. For test 1205, the system under test is asked to send three or more Audit Record messages to the MESA Audit Record Repository. These messages are evaluated by the MESA software, and the user collects the messages and sends them to the Project Manager for distribution to other systems.
You are welcome to use the events that are specified for tests 1201 through 1204. You might want to use other events so that your software is more fully tested.
If not already done, start the MESA servers according to the directions in section 1.5.
By whatever means you use, configure or reconfigure your actor such that it generates the IHE User-Authenticated audit record message. This should be sent to the MESA Audit Record Repository. For example, you might change the host name.
Clear the MESA Audit Record Repository of existing messages:
perl scripts/clear_db.pl
Generate three (3) or more Audit Record messages and send these to the MESA Audit Record Repository.
Run the evaluation script to examine all audit records sent during this test:
perl 1205/eval_client_1205.pl
perl 1203/eval_client_1203.pl
Collect all of the files (tar/zip) in $MESA_TARGET/logs/syslog and submit these to the Project Manager.
1211: Time Synchronization
Refer to the tests for Consistent Time/Time Client
Secure Client Node Tests
Test 1221 is deprecated. It is replaced by tests that use a defined communication protocol rather than just making a TCP connection with a certificate.
Each section below lists one test for a Secure Client Node. The test authors define a Secure Node Client as a client system in the traditional client/server model where the client initiates a network connection. These tests in this section assume the Secure Node is initiating such a connection.
1221: Client Certificate Exchange with Valid Certificate
In this test, your client application requests a network connection with a MESA server using the standard X.509 (unexpired) certificates. The MESA server will complete the TLS handshake, read data from the socket and then disconnect after 2 seconds. Therefore, this test demonstrates your ability to implement the basic TLS handshake with the cyphersuite:
TLS_RSA_WITH_NULL_SHA
References
Instructions
1. Configure your system using the X.509 certificate assigned to you ($MESA_TARGET/runtime/certificates/test_sys_1). The MESA servers are configured to recognize this certificate.
2. Start one MESA tls_server executable that uses a valid certificate. This will print certificate and debug information to the terminal emulator:
- scripts/start_registered.csh
- scripts\start_registered.bat
3. (Optional) Clear the log files of prior messages:
perl scripts/clear_logs.pl
4. Open a network connection with the MESA TLS server listening at port 4100. We assume this means you have to initiate an IHE transaction; this transaction will fail because the MESA TLS server does not respond beyond the TLS handshake.
5. After the TLS handshake and aborted message sequence, you will see debug and other information printed by the tls_server. That should indicate a successful connection. Perform a screen capture or direct the server to send the output to a text file.
6. Create a file named SYSTEM_1221.xxx (txt, bmp, jpg) that shows evidence you have completed this test. Submit this file to the Project Manager (kudu or gazelle tool).
1222: Client Certificate Exchange with Unregistered Certificate
Test 1222 is deprecated. It is replaced by tests that use a defined communication protocol rather than just making a TCP connection with a certificate.
In this test, your client application requests a network connection with a MESA server using the standard X.509 certificates. The MESA server will attempt the TLS handshake by offering an unregistered certificate. You are expected to abort the network connection and log an audit record message with the MESA Audit Record Repository (at port 4000 on the MESA system).
References
Instructions
1. Configure your system using the X.509 certificate assigned to you ($MESA_TARGET/runtime/certificates/test_sys_1). The MESA servers are configured to recognize this certificate.
2. Start one MESA tls_server executable that uses an unregistered certificate. This will print certificate and debug information to the terminal emulator:
- scripts/start_unregistered.csh
- scripts\start_unregistered.bat
3. (Optional) Clear the log files of prior messages. You will need a separate terminal emulator for this. The server started in step 2 runs in the foreground.
perl scripts/clear_logs.pl
4. Open a network connection with the MESA TLS server listening at port 4101. We assume this means you have to initiate an IHE transaction; the server will attempt the TLS handshake with an unregistered certificate.
5. After the TLS handshake and aborted message sequence, examine the output from the tls_server. It is printed to the terminal emulator you used to start the server. This should indicate a connection attempt from your system and an aborted connection.
6. Copy the output of the tls_server that shows evidence you attempted the connection and submit that as part of the evaluation (submit file to Kudu / Gazelle tool).
7. Run the evaluation script to examine the last audit record sent by your system to the MESA Audit Record Repository. It should find the last audit record was for Node-Authentication failure and it should verify the content of that record against the IHE XML schema:
perl 1222/eval_client_1222.pl IETF (or) perl 1222/eval_client_1222.pl INTERIM
8. The results file 1222/grade_client_1222.txt should show 0 failures.
9. Submit the grade file to the Project Manager (Kudu/Gazelle tool).
1223: Client Certificate Exchange with Expired Certificate
Test 1223 is deprecated. It is replaced by tests that use a defined communication protocol rather than just making a TCP connection with a certificate.
In this test, your client application requests a network connection with a MESA server using the standard X.509 certificates. The MESA server will attempt the TLS handshake by offering an unregistered certificate. You are expected to abort the network connection and log an audit record message with the MESA Audit Record Repository (at port 4000 on the MESA system).
References
Instructions
1. Configure your system using the X.509 certificate assigned to you ($MESA_TARGET/runtime/certificates/test_sys_1). The MESA servers are configured to recognize this certificate.
2. Start one MESA tls_server executable that uses an expired certificate. This will print certificate and debug information to the terminal emulator:
- scripts/start_expired.csh
- scripts\start_expired.bat
3. (Optional) Clear the log files of prior messages. You will need a separate terminal emulator for the step. The tls_server started in step 2 runs in the foreground.
perl scripts/clear_logs.pl
4. Open a network connection with the MESA TLS server listening at port 4102. We assume this means you have to initiate an IHE transaction; the server will attempt the TLS handshake with an expired certificate.
5. After the TLS handshake and aborted message sequence, examine the output sent by the tls_server to the terminal emulator. This should show the connection request. Capture the output (screen capture, direct the output to a text file) and submit that output to the Kudu/Gazelle tool as evidence that you made a connection.
6. Run the evaluation script to examine the last audit record sent by your system to the MESA Audit Record Repository. It should find the last audit record was for Node-Authentication failure and it should verify the content of that record against the IHE XML schema:
perl 1223/eval_client_1223.pl IETF (or)
perl 1223/eval_client_1223.pl INTERIM
7. The results file 1223/grade_client_1223.txt should show 0 failures.
8. Submit the grade file to the Project Manager.
1224: Client TLS Handshake for 3DES
Do not run this test for the 2006-2007 cycle
1226: DICOM Verification with TLS
This test is for DICOM client applications that are lacking a fully integrated MESA test sending data with TLS. In this test, your actor establishes a TLS connection with a MESA server and sends a DICOM C-Echo command (Verification class). If your actor has a fully integrated MESA test that exercises TLS and DICOM, you can skip this test.
References
Instructions
1. Configure your system using the X.509 certificate assigned to you ($MESA_TARGET/runtime/certificates/test_sys_1). The MESA servers are configured to recognize this certificate.
2. Make sure the MESA servers have been started. See Starting the MESA Servers for details.
3. (Optional) Clear the log files of prior messages:
perl scripts/clear_logs.pl
4. Establish a DICOM/TLS connection with the MESA server running on port 2350. DICOM AE titles are ignored. Send a C-Echo request to that server.
5. This should run to completion with no errors. If you encounter an error, you will need to correct the communication problem and rerun the test.
6. When you have successfully completed the C-Echo request, there will be log information stored in the MESA Image Manager log: $MESA_TARGET/logs/imgmgr.log. Submit that log file to the Project Manager as the output of this test.
7. The most typical problem is using the wrong certificate. Start the MESA servers with the highest log level. If you cannot get a C-Echo command to work, examine the MESA Image Manager log file.
1226: DICOM Verification with TLS: Unregistered Certificate
In this test, your actor establishes a TLS connection with a MESA server that has a certificate that is not registered with your system. That is, your system should attempt to establish a DICOM connection, determine that the MESA system is using a certificate that is not known to you, and abort/terminate the network connection.
References
Instructions
1. Configure your system using the X.509 certificate assigned to you ($MESA_TARGET/runtime/certificates/test_sys_1). The MESA servers are configured to recognize this certificate.
2. Make sure the MESA servers have been started. See Starting the MESA Servers for details.
3. (Optional) Clear the log files of prior messages:
perl scripts/clear_logs.pl
4. Establish a DICOM/TLS connection with the MESA server running on port 2351. DICOM AE titles are ignored. Send a C-Echo request to that server.
5. Your system should not complete the DICOM association negotiation.
6. When you have successfully completed the test, there will be log information stored in the MESA Image Manager log: $MESA_TARGET/logs/imgmgr.log. Submit that file to the Project Manager.
7. This is a rather difficult test as it is designed to make something fail on purpose. Whether your system closes the connection gracefully or merely exits depends on your design and software.
1226: DICOM Verification with TLS: Expired Certificate
In this test, your actor establishes a TLS connection with a MESA server that has a certificate that is expired. That is, your system should attempt to establish a DICOM connection, determine that the MESA system is using a certificate that is expired, and abort/terminate the network connection.
References
Instructions
1. Configure your system using the X.509 certificate assigned to you ($MESA_TARGET/runtime/certificates/test_sys_1). The MESA servers are configured to recognize this certificate.
2. Make sure the MESA servers have been started. See Starting the MESA Servers for details.
3. (Optional) Clear the log files of prior messages:
perl scripts/clear_logs.pl
4. Establish a DICOM/TLS connection with the MESA server running on port 2352. DICOM AE titles are ignored. Send a C-Echo request to that server.
5. Your system should not complete the DICOM association negotiation.
6. When you have successfully completed the test, there will be log information stored in the MESA Image Manager log: $MESA_TARGET/logs/imgmgr.log. Submit that file to the Project Manager.
7. This is a rather difficult test as it is designed to make something fail on purpose. Whether your system closes the connection gracefully or merely exits depends on your design and software.
Supplemental Information
The certificate used by the Image Manager for this test is located in $MESA_TARGET/runtime/certificates/expired.cert. You should try to configure your system to know that this is the peer certificate. This is to make sure you are testing for expired certificates rather than unregistered certificates.
Secure Server Node Tests
Each section below lists one test for a Secure Server Node.
1221: Server Certificate Exchange with Valid Certificate
In this test, a MESA client application requests a network connection with your server using the standard X.509 (unexpired) certificates. The MESA client will complete the TLS handshake and then disconnect after 2 seconds. Therefore, this test demonstrates your ability to implement the basic TLS handshake with the cyphersuite:
TLS_RSA_WITH_NULL_SHA
References
Instructions
1. Configure your system using the X.509 certificate assigned to you ($MESA_TARGET/runtime/certificates/test_sys_1). The MESA servers are configured to recognize this certificate.
2. Make sure the configuration file secure_test.cfg accurately describes your system.
3. Make sure the MESA servers have been started. See Starting the MESA Servers for details.
4. (Optional) Clear the log files of prior messages:
perl scripts/clear_logs.pl
5. Instruct the MESA client to open a connection with your server:
perl 1221/1221_server_test.pl
6. After the TLS handshake and aborted message sequence, examine the MESA log file in $MESA_TARGET/logs/tls_client.txt. This should indicate a successful TLS handshake.
7. Cut/paste the entry from the MESA log file. Create a file named SYSTEM_1221.log, enter the log information and submit that file to the Project Manager.
1222: Server Certificate Exchange with Unregistered Certificate
In this test, a MESA client application requests a network connection with your server using the standard X.509 certificates. The MESA server will attempt the TLS handshake by offering an unregistered certificate. You are expected to abort the network connection and log an audit record message with the MESA Audit Record Repository (at port 4000 on the MESA system).
References
Instructions
1. Configure your system using the X.509 certificate assigned to you ($MESA_TARGET/runtime/certificates/test_sys_1). The MESA servers are configured to recognize this certificate.
2. Make sure the configuration file secure_test.cfg accurately describes your system.
3. Make sure the MESA servers have been started. See Starting the MESA Servers for details.
4. (Optional) Clear the log files of prior messages:
perl scripts/clear_logs.pl
5. Instruct the MESA client to open a connection with your server:
perl 1222/1222_server_test.pl
6. After the TLS handshake and aborted message sequence, examine the MESA log file in $MESA_TARGET/logs/tls_client.txt This should indicate the aborted network connection.
7. After the TLS handshake and aborted message sequence, examine the MESA log file in $MESA_TARGET/logs/tls_client.txt. This should indicate a successful TLS handshake.
8. Run the evaluation script to examine the last audit record sent by your system to the MESA Audit Record Repository. It should find the last audit record was for Node-Authentication failure and it should verify the content of that record against the IHE XML schema:.
perl 1222/eval_server_1222.pl IETF (or)
perl 1222/eval_server_1222.pl INTERIM
9. The results file 1222/grade_server_1222.txt should show 0 failures.
1223: Server Certificate Exchange with Expired Certificate
In this test, a MESA client application requests a network connection with your server using the standard X.509 certificates. The MESA server will attempt the TLS handshake by offering an expired certificate. You are expected to abort the network connection and log an audit record message with the MESA Audit Record Repository (at port 4000 on the MESA system).
References
Instructions
1. Configure your system using the X.509 certificate assigned to you ($MESA_TARGET/runtime/certificates/test_sys_1). The MESA applications are configured to recognize this certificate.
2. Make sure the configuration file secure_test.cfg accurately describes your system.
3. Make sure the MESA servers have been started. See Starting the MESA Servers for details.
4.(Optional) Clear the log files of prior messages:
perl scripts/clear_logs.pl
5. Instruct the MESA client to open a connection with your server:
perl 1223/1223_server_test.pl
6. After the TLS handshake and aborted message sequence, examine the MESA log file in $MESA_TARGET/logs/tls_client.txt This should indicate the aborted network connection.
7. After the TLS handshake and aborted message sequence, examine the MESA log file in $MESA_TARGET/logs/tls_client.txt. This should indicate a successful TLS handshake.
8. Run the evaluation script to examine the last audit record sent by your system to the MESA Audit Record Repository. It should find the last audit record was for Node-Authentication failure and it should verify the content of that record against the IHE XML schema:.
perl 1223/eval_server_1223.pl
9. The results file 1223/grade_server_1223.txt should show 0 failures.
1224: Server TLS Handshake for 3DES
Do not perform this test for the 2006-2007 cycle.
1226: Server DICOM Verification with TLS
This test establishes a TLS connection with your server and sends a DICOM C-Echo command (Verification class) to your system.
References
Instructions
1. Configure your system using the X.509 certificate assigned to you ($MESA_TARGET/runtime/certificates/test_sys_1). The MESA applications are configured to recognize this certificate.
2. Make sure the configuration file secure_test.cfg accurately describes your system.
3. Make sure the MESA servers have been started. See Starting the MESA Servers for details.
4. (Optional) Clear the log files of prior messages:
perl scripts/clear_logs.pl
5. Instruct the MESA client to open a connection with your server:
perl 1226/1226_server_test.pl
6. This should run to completion with no errors. If you encounter an error, you will need to correct the communication problem and rerun the test
7. When the test is working successfully, run the test and redirect the output to a file. Submit that file to the Project Manager for evaluation.
1227: Server DICOM Verification with TLS: Unregistered Certificate
This test attempts to establish a TLS connection with your server using an unregistered certificate. Should you accept the connection, the MESA application sends a DICOM C-Echo command (Verification class) to your system. The proper behavior is that your system refuses the TLS connection.
References
Instructions
1. Configure your system using the X.509 certificate assigned to you ($MESA_TARGET/runtime/certificates/test_sys_1). The MESA applications are configured to recognize this certificate.
2. Make sure the configuration file secure_test.cfg accurately describes your system.
3. Make sure the MESA servers have been started. See Starting the MESA Servers for details.
4. (Optional) Clear the log files of prior messages:
perl scripts/clear_logs.pl
5. Instruct the MESA client to open a connection with your server:
perl 1227/1227_server_test.pl
6. This should run to completion and indicate that a connection was not completed. If the script completes a DICOM verification this indicates an error that should be corrected.
7. When the test is working successfully, run the test and redirect the output to a file. Submit that file to the Project Manager for evaluation.
1228: Server DICOM Verification with TLS: Expired Certificate
This test attempts to establish a TLS connection with your server using an expired certificate. Should you accept the connection, the MESA application sends a DICOM C-Echo command (Verification class) to your system. The proper behavior is that your system refuses the TLS connection.
References
Instructions
1. Configure your system using the X.509 certificate assigned to you ($MESA_TARGET/runtime/certificates/test_sys_1). The MESA applications are configured to recognize this certificate.
2. Make sure the configuration file secure_test.cfg accurately describes your system.
3. Make sure the MESA servers have been started. See Starting the MESA Servers for details.
4. (Optional) Clear the log files of prior messages:
perl scripts/clear_logs.pl
5. Instruct the MESA client to open a connection with your server:
perl 1228/1228_server_test.pl
6. This should run to completion and indicate that a connection was not completed. If the script completes a DICOM verification this indicates an error that should be corrected.
7. When the test is working successfully, run the test and redirect the output to a file. Submit that file to the Project Manager for evaluation.
Supplemental Information
The certificate used by the Image Manager for this test is located in $MESA_TARGET/runtime/certificates/expired.cert. You should try to configure your system to know that this is the peer certificate. This is to make sure you are testing for expired certificates rather than unregistered certificates.
ATNA Secure Node (Client or Server)
Each section below describes one test that is appropriate for a Secure Node in the ATNA Integration Profile that is configured as either a client node or a server node.
ATNA Tests for Client Applications
The tests in this section are for ATNA applications that initiate TLS connections. In that sense, these are considered client applications.
11141: Client ATNA Certificate Exchange with Valid Certificate
Test 11141 is deprecated. It is replaced by tests that use a defined communication protocol rather than just making a TCP connection with a certificate.
References
Instructions
Run test 1221 described in this document.
Rename the grade file grade_11141.txt.
Submit the grade file to the Project Manager.
11142: Client ATNA Certificate Exchange with Unregistered Certificate
Test 11142 is deprecated. It is replaced by tests that use a defined communication protocol rather than just making a TCP connection with a certificate.
References
Instructions
Run test 1222 described in this document.
Rename the grade file grade_11142.txt.
Submit the grade file to the Project Manager.
11143: Client ATNA Certificate Exchange with Expired Certificate
Test 11143 is deprecated. It is replaced by tests that use a defined communication protocol rather than just making a TCP connection with a certificate.
References
Instructions
Run test 1223 described in this document.
Rename the grade file grade_11143.txt.
Submit the grade file to the Project Manager.
11141: ATNA Certificate Exchange with Valid Certificate
Test 11141 is deprecated. It is replaced by tests that use a defined communication protocol rather than just making a TCP connection with a certificate.
References
Instructions
Run test 1221 described in this document. Rename the grade file grade_11141.txt. Submit the grade file to the Project Manager.
Supplemental Information
11142: ATNA Certificate Exchange with Unregistered Certificate
Test 11142 is deprecated. It is replaced by tests that use a defined communication protocol rather than just making a TCP connection with a certificate.
References
Instructions
Run test 1222 described in this document. Rename the grade file grade_11142.txt. Submit the grade file to the Project Manager. Submit the grade file to the Project Manager.
Supplemental Information
11143: ATNA Certificate Exchange with Expired Certificate
Test 11143 is deprecated. It is replaced by tests that use a defined communication protocol rather than just making a TCP connection with a certificate.
References
Instructions
Run test 1223 described in this document. Rename the grade file grade_11143.txt. Submit the grade file to the Project Manager. Submit the grade file to the Project Manager.
Supplemental Information