CONNECT OpenSSO Installation and Configuration Manual


CONNECT OpenSSO Installation and Configuration Manual

Version 4.0 CONNECT Release 2.4

CONNECT_OpenSSO_Manual i Release 2.4 3/18/10

REVISION HISTORY

Revision   Date                Description
1.0        7 July 2009         Initial Release
2.0        29 September 2009   Updated to reflect CONNECT Release 2.2
3.0        05 January 2010     Updated to reflect CONNECT Release 2.3
4.0        18 March 2010       Updated to reflect CONNECT Release 2.4

TABLE OF CONTENTS

1.0 INTRODUCTION ... 1
1.1 PURPOSE ... 1
1.2 SCOPE ... 1
1.3 DOCUMENT DESCRIPTION ... 1
2.0 REFERENCED DOCUMENTS ... 1
3.0 CONNECT INSTALLATION CHECKLIST ... 2
3.1 INSTALLATION AND CONFIGURATION CHECKLIST ... 3
4.0 TEST DEPLOYMENT FOOTPRINT ... 3
4.1 HARDWARE REQUIREMENTS ... 3
4.2 SOFTWARE REQUIREMENTS ... 4
5.0 INSTALLATION AND CONFIGURATION ... 5
5.1 OBTAIN MEDIA/SOFTWARE ... 5
5.2 INSTALL/DEPLOY OPENSSO INTO GLASSFISH ... 6
5.3 CONFIGURE OPENSSO ... 8
5.4 CREATE A TEST USER ... 11
5.5 INSTALL OPENSSO COMMAND LINE TOOLS ... 16
5.6 TEST THE OPENSSO INSTALLATION ... 19
5.7 TEST THE OPENSSO INSTALLATION WITH THE OPENSSO API SAMPLES ... 22
5.8 INSTALL GENERIC POLICY DECISION POINT REQUEST HANDLER INTO OPENSSO ... 53
5.9 TEST THE GENERIC POLICY DECISION POINT REQUEST HANDLER ... 69
5.10 CONFIGURE THE CONNECT GATEWAY MACHINE ... 72
6.0 ACRONYMS ... 76
APPENDIX A ... A-1
A.1 CREATE A CONSUMER PREFERENCES DOCUMENT ... A-2
A.2 ALTERNATE CONSUMER PREFERENCES DOCUMENT CREATION ... A-6

LIST OF FIGURES

FIGURE 3.0-1: INSTALLATION WORKFLOW ... 2
FIGURE A.1-1: LOG INTO THE CPPGUI ... A-2
FIGURE A.1-2: SELECT DEFINE PATIENT AUTHORIZATION ACTIVITY ... A-3
FIGURE A.1-3: ENTER SEARCH CRITERIA ... A-4
FIGURE A.1-4: UPDATE PATIENT AUTHORIZATION ... A-5
FIGURE A.1-5: DEFINE PATIENT AUTHORIZATION ... A-6
FIGURE A.2-1: CREATE CPP DOCUMENT ... A-7
FIGURE A.2-2: VERIFY CPP DOCUMENT ... A-8


1.0 INTRODUCTION

1.1 Purpose

This document is the installation and configuration manual for installing the OpenSSO single sign-on application which may be used by the National Health Information Network (NHIN) CONNECT software as one of the options to help orchestrate and enforce security and consent policies for an NHIN participant. The CONNECT software uses the OpenSSO application as a “policy engine” to make security enforcement decisions for all incoming and outgoing electronic request or response messages for patient data.

1.2 Scope

The procedures in this document are applicable to all CONNECT users who wish to use the OpenSSO policy engine.

1.3 Document Description

This document includes the following sections.

• Section 1.0 Introduction
• Section 2.0 Referenced Documents
• Section 3.0 CONNECT Installation Checklist
• Section 4.0 Test Deployment Footprint
• Section 5.0 Installation and Configuration
• Section 6.0 Acronyms

2.0 REFERENCED DOCUMENTS

The following documents are referenced in this document:

• CONNECT System Installation and Configuration Full Binary Manuals

http://developer.connectopensource.org/display/NHINR24/Binary+Install+%28Windows%29

http://developer.connectopensource.org/display/NHINR24/Solaris+Release

• CONNECT System Installation and Configuration Source Code Manuals

http://developer.connectopensource.org/display/NHINR24/Source+Code+Install+%28Windows%29

http://developer.connectopensource.org/display/NHINR24/Source+Code+Install+%28Linux%29


3.0 CONNECT INSTALLATION CHECKLIST

The following is an overall NHINC workflow/checklist that guides the reader through the steps required to install the CONNECT software and join the NHIN. Most of the steps in this flow are contained in the CONNECT installation and configuration documents available on the CONNECT website and are only repeated here for reference. This document will focus on the “Perform Installation” workflow item as it pertains to the installation of the OpenSSO application.

Figure 3.0-1: Installation Workflow (workflow diagram; its steps and annotations are listed here)

• Assess Hardware Requirements: secure hardware that meets the hardware and software requirements provided for the appropriate platform.
• Determine Installation Method: select an installation method: manual, install from a zip, or install a VM Gateway image.
• Obtain Media/Software: as applicable, download the Gateway VM software or the Gateway software zip or tar file.
• Perform Installation: follow the installation instructions for zip or tar as appropriate.
• Request and Install SSL: instructions on how to request and install SSL for the CONNECT gateway.
• Configure the Gateway: configure the specific gateway properties depending on the Agency’s needs and the platform selected.
• OID Request Process: submit a request for an OID for each gateway being configured.

Legend: step to be executed by Agency; step executed by Agency & CONNECT Team; step executed by Agency & CSC.


3.1 Installation and Configuration Checklist

The following checklist provides a quick reference of the steps involved with installing the OpenSSO application with the NHINC software.

Item  Procedural Step

1   Download the CONNECT-OpenSSO zip file from the CONNECT web site. See section 5.1.
2   Install/Deploy the OpenSSO application war file into the Glassfish application server. See section 5.2.
3   Configure OpenSSO. See section 5.3.
4   Set up/create a test user for later testing. See section 5.4.
5   Install the OpenSSO Command Line Tools. See section 5.5.
6   Test the OpenSSO installation. See section 5.6.
7   Test the OpenSSO API examples. See section 5.7.
8   Install the generic Policy Decision Point Request Handler. See section 5.8.
9   Test the generic Policy Decision Point Request Handler. See section 5.9.
10  Configure the CONNECT Gateway machine. See section 5.10.

4.0 TEST DEPLOYMENT FOOTPRINT

4.1 Hardware Requirements

This section describes the recommended minimum hardware component infrastructure including processor performance, disk space, and RAM for the NHINC application server platform. This is provisional information subject to change based on continued development.

Item               Requirement

Processor          Minimum dual 2GHz CPU
RAM                Minimum of 4 GB
Hard Disk Size     Dependent on the deployment configuration. For sizing purposes, assume 100K per CCD record and 1K per audit log record.
Hard Disk Speed    Minimum of 7200 RPM; 10000 RPM preferred.
Network Interface  100MB Ethernet acceptable; 1GB Ethernet desirable.

4.2 Software Requirements

This section describes any dependent software products.

Item                                   Description

Operating System                       Use of the same operating system as needed by the Glassfish v2.1 and GlassfishESB v2.1 applications is required. For additional information, refer to the specific installation instructions for Windows or Solaris.
Java-JRE/JDK                           Java SDK 1.6 Update 16 (32-bit version)
Application Server                     Glassfish v2.1
Communication Stack                    Metro v1.5
Network Protocol                       TCP/IP
Relational Database                    Any ANSI SQL92 compliant relational database. For example, MySQL 5.1, Oracle, and DB2.
Recommended Dev Environment (Optional) NetBeans IDE 6.7.1 build 20090407
Recommended Test Tools (Optional)

5.0 INSTALLATION AND CONFIGURATION

There are two phases to the OpenSSO installation and configuration. The first phase will install and test the initial OpenSSO application by deploying the opensso.war file into the Glassfish web application server. The second phase will install and test a generic Policy Decision Point component for use with the openSSO application.

As introduced at the beginning of this document, OpenSSO is used by the CONNECT software as a “policy engine”. The policy engine is used to make policy decisions for all incoming and outgoing messages to the CONNECT software. The Policy Enforcement Point (PEP) is responsible for orchestrating the policy engine calls to the Policy Information Point (PIP) to retrieve information such as the patient opt-in status to build into access (XACML) request messages. These messages are provided to the Policy Decision Point (PDP) whereupon a decision of Permit or Deny is made.

The PEP capability is provided by the CONNECT software component, “AdapterPEPEJB” which depends upon the classes within another CONNECT software component called the “AdapterPEPLib”. A Proxy Component is also defined and provided by the AdapterPEPProxy and the AdapterPEPProxyImpl software components, allowing a switch to be in place for a Java only solution or a Web Service implementation.

The PDP is handled by OpenSSO components and is dependent upon a customized RequestHandler being placed within the OpenSSO deployment (see section 5.7).
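The PEP side of the Permit/Deny exchange described above, as an added example that is not CONNECT or OpenSSO code: it parses a policy decision document in the shape the run-policy-evaluation-sample script prints in section 5.7 (step 41) and grants access only on an explicit, unexpired allow, denying on anything malformed, missing or stale. The sample document is constructed, and reading timeToLive as an absolute epoch-millisecond expiry is an assumption.

```python
"""Fail-closed handling of an OpenSSO PolicyDecision document at a PEP.

Added example, not CONNECT or OpenSSO code. The XML layout follows the
policyDecision output printed by scripts\\run-policy-evaluation-sample in
section 5.7; the document below is constructed, and treating timeToLive as
an absolute epoch-millisecond expiry is an assumption.
"""
import xml.etree.ElementTree as ET

# Constructed sample, shaped like the sample script's printed policyDecision.
SAMPLE_DECISION = """<PolicyDecision>
  <ResponseAttributes></ResponseAttributes>
  <ActionDecision timeToLive="1242414937297">
    <AttributeValuePair>
      <Attribute name="GET"/>
      <Value>allow</Value>
    </AttributeValuePair>
    <Advices></Advices>
  </ActionDecision>
</PolicyDecision>"""


def parse_action_decisions(xml_text):
    """Return {action_name: (value, time_to_live_ms)} for each ActionDecision.

    An AttributeValuePair with no Attribute name or no Value is skipped: an
    enforcement point must never infer a grant from a malformed entry.
    A missing or non-numeric timeToLive is recorded as None.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "PolicyDecision":
        raise ValueError("not a PolicyDecision document: %s" % root.tag)
    decisions = {}
    for action_decision in root.findall("ActionDecision"):
        ttl_raw = action_decision.get("timeToLive")
        ttl = int(ttl_raw) if ttl_raw and ttl_raw.isdigit() else None
        for pair in action_decision.findall("AttributeValuePair"):
            attr = pair.find("Attribute")
            value = pair.find("Value")
            if attr is None or value is None or not attr.get("name"):
                continue
            decisions[attr.get("name")] = ((value.text or "").strip().lower(), ttl)
    return decisions


def enforce(xml_text, action, now_ms):
    """Return "Permit" only for an explicit, unexpired allow; otherwise "Deny".

    Deny covers: an unparseable response, the action absent from the
    decision, a value other than "allow", a missing timeToLive, and a
    timeToLive at or before now_ms (a stale decision must not be honoured).
    """
    try:
        decisions = parse_action_decisions(xml_text)
    except (ET.ParseError, ValueError):
        return "Deny"  # unparseable or wrong document type: fail closed
    if action not in decisions:
        return "Deny"
    value, ttl = decisions[action]
    if value != "allow" or ttl is None or ttl <= now_ms:
        return "Deny"
    return "Permit"


if __name__ == "__main__":
    # A moment before the sample's timeToLive, so the decision is still valid.
    print(enforce(SAMPLE_DECISION, "GET", 1242414937000))   # Permit
    print(enforce(SAMPLE_DECISION, "POST", 1242414937000))  # Deny: no POST decision
    print(enforce(SAMPLE_DECISION, "GET", 1242414937297))   # Deny: expired
```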

5.1 Obtain Media/ Software

Download the CONNECT OpenSSO component packages from the CONNECT Site.

Step 1
  Action: Download the NHIN_Connect_OpenSSO_2.4.x.xxx.zip file from the NHIN CONNECT release site.
  Expected Result: The file is now located on your computer.

Step 2
  Action: Unzip the above file to the hard drive of your machine.
  NOTE: These instructions assume that the OpenSSO components have been unzipped to the root directory of the Windows c:\ drive.
  Expected Result: The OpenSSO components will be extracted onto your hard drive.

Step 3
  Action: Download NHIN_Connect_OpenSSO_AdapterPEPWS_Test.zip.
  Expected Result: The file is now located on your computer.

Step 4
  Action: Unzip the above file to the hard drive of your machine.
  NOTE: These instructions assume that the OpenSSO Adapter PEPWS zip file has been unzipped to the following directory:
  Input: C:\NHINC\ThirdPartyTools\OpenSSO
  Expected Result: The OpenSSO components will be extracted onto your hard drive.

5.2 Install/Deploy OpenSSO into Glassfish

The following steps outline the procedures to deploy the OpenSSO application war file into the same Glassfish application server as used by the CONNECT software.

Step 1
  Action: Start the Glassfish application server.
  Expected Result: The Glassfish application server should start without error.

Step 2
  Action: Open your preferred web browser (e.g., Firefox) and navigate to the Glassfish administration web page.
  Input: http://localhost:4848
  Expected Result: The Glassfish administration web page is displayed.

Step 3
  Action: Login to the Glassfish administration application. Unless previously altered, the user name and password as used during the CONNECT software installation process will be:
  Input: User Name: admin / Password: adminadmin
  Expected Result: Login credentials will be accepted and the Glassfish administration web page will be

Step 4
  Action: Under the “Deployment” section of the web page, select Deploy Web Application (.war).
  Expected Result: The “Deploy Enterprise Applications/Modules” web page will be displayed.

Step 5
  Action: In the “Location” field, select the “Packaged file to be uploaded to the server” radio button and fill in the file name as:
  Input: c:\NHINC\ThirdPartyTools\OpenSSO\opensso.war
  Expected Result: A “File Upload” dialog box will appear allowing you to navigate to the opensso.war file.

Step 6
  Action: Leave the rest of the fields at their default values and click on the “OK” button.
  Expected Result: The OpenSSO application will be deployed.

5.3 Configure OpenSSO

The following steps outline the procedures to configure the OpenSSO application.

Step 1
  Action: With the Glassfish application server already running and the OpenSSO application deployed, navigate to the following location using your preferred web browser:
  Input: http://localhost:8080/opensso
  NOTE: Internet Explorer web browser users were known to experience difficulties when configuring OpenSSO. You may choose to use the Firefox web browser.
  Expected Result: The OpenSSO administration web page will be

Step 2
  Action: Login to OpenSSO using the following credentials.
  NOTE: Login is not required the first time OpenSSO is run. This user account is created as part of the configuration process.
  Input: User Name: amAdmin / Password: adminadmin
  Expected Result: A successful OpenSSO login.

Step 3
  Action: Select the “Create Default Configuration” link.
  Expected Result: An “OpenSSO Configurator” window will be displayed.

Step 4
  Action: Enter and confirm the password for the amAgent and UrlAccessAgent users, then click on the “Create Configuration” button.
  Input: amAgent Password: adminadmin / UrlAccessAgent Password: password
  Expected Result: The amAgent and UrlAccessAgent passwords will be submitted, and the OpenSSO default configuration process will be started.

Step 5
  Action: Click on the “Proceed to Login” link to continue.
  Expected Result: The configuration will be complete, and you will be taken to the OpenSSO login web page.

5.4 Create a Test User

A test user will need to be created at this point in order to successfully execute the tests outlined later in this document. The following steps describe how this process is accomplished.

Step 1
  Action: Open a web browser and login to the OpenSSO administration console (http://localhost:8080/opensso).
  Input: User Name: amAdmin / Password: adminadmin
  Expected Result: A successful login will result in the display of the OpenSSO administration web page.

Step 2
  Action: Select the “Access Control” tab.
  Expected Result: The Access Control web page will be displayed.

Step 3
  Action: Click on the “/ (Top Level Realm)” link.
  Expected Result: The web page displaying the general properties of the “/ (Top Level Realm)” will be displayed.

Step 4
  Action: Click on the “Subjects” tab.
  Expected Result: The “Subjects” property tab will be displayed.

Step 5
  Action: Click on the “New” button.
  Expected Result: The “New User” web page will be displayed.

Step 6
  Action: Enter the following information on this page, then click on the “OK” button.
  Input:
    • ID: user1
    • First Name: One
    • Last Name: User
    • Full Name: User, One
    • Password: password
    • Password (confirm): password
    • User Status: Active
  Expected Result: The user1 test user will be created and displayed in the list of users on the “Subjects” tab.

Step 7
  Action: Click on the “Back to Access Control” button.
  Expected Result: The “Access Control” web page will be displayed.

Step 8
  Action: Click on the “LOG OUT” button. Click on the “OK” button if presented with another dialog box regarding the need to close other associated windows.
  Expected Result: The OpenSSO logout page will be displayed.

5.5 Install OpenSSO Command Line Tools

The following steps outline the procedures to install the OpenSSO command line tools.

Step 1
  Action: With the Glassfish application server already running and the OpenSSO application deployed, open a command window and navigate to the following location on your hard drive:
  Input: C:\NHINC\ThirdPartyTools\OpenSSO\ssoAdminTools
  Expected Result: A command line interface window should be displayed in the directory listed above.

Step 2
  Action: Execute the OpenSSO command line tools setup program by entering the command “setup” and pressing the enter key.
  Expected Result: The setup command utility will start.

Step 3
  Action: Enter the path to the config files of the OpenSSO server by substituting “<user-home>” with the folder name associated with your user on your machine. For a username of bob, the following directories would be used on various operating systems: Windows XP: C:\Documents and Settings\bob; Vista: C:\Users\bob.
  Input: <user-home>\opensso
  Expected Result: The path to your machine’s OpenSSO configuration files will be set.

Step 4
  Action: Enter the path to the OpenSSO debug directory on your machine by substituting “<user-home>” with the folder name associated with your user on your machine. The directory will be created for you if it does not already exist.
  Input: <user-home>\opensso\opensso\debug
  Expected Result: The path to the OpenSSO debug directory on your machine will be set.

Step 5
  Action: Enter the path to the OpenSSO log directory on your machine by substituting “<user-home>” with the folder name associated with your user on your machine.
  Input: <user-home>\opensso\opensso\log
  Expected Result: The path to the OpenSSO log directory on your machine will be set. The setup command will complete and you will see output in your command window similar to the following:

    The scripts are properly set up under directory: C:\NHINC\ThirdPartyTools\ssoAdminTools\opensso
    Debug directory is c:\Documents and Settings\Admin\opensso\opensso\debug.
    Log directory is c:\Documents and Settings\Admin\opensso\opensso\log.
    The version of this tools.zip is: Express Build 7(2009-April-10 08:05)
    The version of your server instance is: Express Build 7(2009-April-10 08:05)

Step 6
  Action: Add the following to your system path environment variable:
  Input: C:\NHINC\ThirdPartyTools\OpenSSO\ssoAdminTools\opensso\bin
  NOTE: Remember to include the separator character between path entries.
  Expected Result: The system path environment variable will be updated to include the directory listed above.

(22)

CONNECT_OpenSSO_Manual 19 Release 2.4 3/18/10

5.6 Test the OpenSSO Installation

The following steps outline the procedures to test your OpenSSO installation.

Step 1
  Action: Start the Glassfish application server if it is not already running.
  Expected Result: The Glassfish web service application should be running.

Step 2
  Action: Login to the Glassfish administration application.
  Input: http://localhost:4848 / User Name: admin / Password: adminadmin
  Expected Result: The Glassfish administration web page should be displayed.

Step 3
  Action: Click on the “Deploy Web Application (.war)” button.
  Expected Result: The “Deploy Enterprise Applications/Modules” web page will be displayed.

Step 4
  Action: Ensure the “Packaged file to be uploaded to the server” radio button is selected, then click on “Browse” to find the following file. Then click the “OK” button.
  Input: C:\NHINC\ThirdPartyTools\OpenSSO\IdSvcsClient.war
  Expected Result: The IdSvcsClient.war file will be deployed in the Glassfish web server.

Step 5
  Action: Navigate to the following using your preferred web browser:
  Input: http://localhost:8080/IdSvcsClient/index.jsp
  Expected Result: A web page will be displayed allowing you to enter a username and password.

Step 6
  Action: Fill in the username and password using the following values:
  Input: Username: user1 / Password: password
  Expected Result: The user1 name and password will have been entered into the IdSvcsClient web page.

Step 7
  Action: Test the OpenSSO web service authentication method by clicking on the “WS” button.
  Expected Result: A web page displaying text similar to the following: "Successful Authentication using Web Services (SOAP/WSDL)", with a corresponding result token.

Step 8
  Action: Click on the web browser’s “back” button.
  Expected Result: The web page prompting for a username and password should be displayed as shown in step 6.

Step 9
  Action: Enter the user name and password again and click the "REST" button.
  Expected Result: You should see a similar "Successful Authentication using REST" message with an associated token.

5.7 Test the OpenSSO Installation with the OpenSSO API Samples

The following steps outline the procedures to test the OpenSSO installation using the OpenSSO API samples.

Step 1
  Action: Start the Glassfish application server if it is not already running.
  Expected Result: The Glassfish web service application should be running.

Step 2
  Action: Open the following file with your preferred text editor:
  Input: c:\NHINC\ThirdPartyTools\OpenSSOXACMLExample\resources\AMConfig.properties
  Expected Result: The AMConfig.properties file will be opened in your preferred text editor.

Step 3
  Action: Search for the line that contains the following text: "com.iplanet.services.debug.directory" and ensure that the debug directory points to the correct name of your user directory on your machine (i.e., replace the “<user-home>” text in the following example):
  Input: <user-home>/opensso/opensso/debug
  Expected Result: The property setting listed above should have a value that corresponds to the value entered in step 4 in section 5.5.

Step 4
  Action: Save the file.
  Expected Result: The AMConfig.properties file will be updated and saved on your hard drive.

Step 5
  Action: Make sure the following directory exists and is empty:
  Input: C:\NHINC\ThirdPartyTools\OpenSSOXACMLExample\classes
  Expected Result: The directory listed above exists and is empty.

Step 6
  Action: Open a new command window and change directories to:
  Input: C:\NHINC\ThirdPartyTools\OpenSSOXACMLExample
  Expected Result: The new command window will be in the directory listed above.

Step 7
  Action: Enter the following command from that directory to compile the examples (the compiled classes will be placed into the classes sub-directory referred to in step 5):
  Input: scripts\compile-samples
  Expected Result: The OpenSSO API example classes will be compiled.

Step 8 (Login Sample Test)
  Action: Open a new command window, change to the “C:\NHINC\ThirdPartyTools\OpenSSOXACMLExample” directory and enter the following command to test the login example:
  Input: scripts\Login
  Expected Result: The login example program will begin execution.

Step 9
  Action: Press the return key when prompted for a “Realm” (i.e., just leave the value blank, forcing the program to use the default value).
  Expected Result: The default realm value will be used.

Step 10
  Action: When prompted, enter the following text at the “Login module name (e.g. DataStore or LDAP):” prompt:
  Input: DataStore
  Expected Result: The “DataStore” value will be used as the module name.

Step 11
  Action: Enter the following at the “Login locale (e.g. en_US or fr_FR):” prompt:
  Input: en_US
  Expected Result: The English US locale value will be used in this test.

Step 12
  Action: Enter “user1” at the “User Name:” prompt.
  Expected Result: The user1 test user will be used for this test.

Step 13
  Action: Enter “password” at the “Password:” prompt.
  Expected Result: The user1 password value will be used for this test.

Step 14
  Action: Verify that the text values “Login succeeded.” and “Logged Out!!” are displayed in the command window.
  Expected Result: Verification of a successful login test.

Step 15 (CommandLineSSO Sample)
  Action: From a new command line window, change to the “C:\NHINC\ThirdPartyTools\OpenSSOXACMLExample” directory and enter the command:
  Input: Scripts\CommandLineSSO
  Expected Result: The CommandLineSSO program will begin execution and the following text will be displayed in the command window:

    Organization: /
    DataStore: Obtained login context
    User Name:

Step 16
  Action: Enter “user1” and “password” when prompted.
  Expected Result: The user1 test user will be used for this test.

Step 17
  Action: Verify the following text is displayed in the command line window: “Successful authentication …”, with some other lines of information printed.
  Expected Result: A successful test completion.

Step 18 (CommandLineIdRepo Sample)
  Action: From a new command line window, change to the “C:\NHINC\ThirdPartyTools\OpenSSOXACMLExample” directory and enter the following command:
  Input: scripts\CommandLineIdRepo
  Expected Result: The CommandLineIdRepo program will begin.

Step 19
  Action: Enter the following values at the appropriate prompts:
  Input:
    Userid [amAdmin]: amAdmin
    Userid amadmin's password [openssoxxx]: adminadmin
    Realm [/]: (leave this field blank - just hit enter)
  Expected Result: The appropriate values will be entered for this test.

Step 20
  Action: Verify that the command line displays the following text: "==>Authentication SUCCESSFUL for user amadmin". Enter option “7” to exit.

Step 21 (CommandLineLogging Sample)
  Action: From a new command line window, change to the “C:\NHINC\ThirdPartyTools\OpenSSOXACMLExample” directory and enter the following command:
  Input: scripts\CommandLineLogging
  Expected Result: The CommandLineLogging program will begin.

Step 22
  Action: Enter the following values at the appropriate prompts:
  Input:
    Subject Userid [user1]: (leave this field blank - just hit enter)
    Subject Userid user1's password [user1password]: password
    Log file [TestLog]: (leave this field blank - just hit enter)
    Log message [Test Log Record]: (leave this field blank - just hit enter)
    LoggedBy Userid [amadmin]: (leave this field blank - just hit enter)
    LoggedBy Userid's password [amadminpswd]: adminadmin
    Realm [/]: (leave this field blank - just hit enter)
  Expected Result: The appropriate values will be entered for this test.

Step 23
  Action: Verify that the command line displays the following text: "==>Authentication SUCCESSFUL for user user1", followed by "==>Authentication SUCCESSFUL for user amadmin", followed by "LogSample: Logging Successful!!!".
  Expected Result: A successful test. You should also see a new log file in your log file directory called TestLog with log entries in it. (The log file directory would be: C:\Documents and Settings\<your-user>\opensso\opensso\log.)

Step 24 (Policy Evaluation Sample)
  Action: Create a policy by using the OpenSSO admin console at:
  Input: http://localhost:8080/opensso
  Expected Result: The OpenSSO login page will be displayed.

Step 25
  Action: Login to the OpenSSO admin console.
  Input: User: amAdmin / Password: adminadmin
  Expected Result: The OpenSSO administration web page will be displayed.

Step 26
  Action: Click on the "Access Control" tab.
  Expected Result: The Access Control web page will be displayed.

Step 27
  Action: Click on the “/ (Top Level Realm)” link.
  Expected Result: The web page displaying the general properties of the “/ (Top Level Realm)” will be displayed.

Step 28
  Action: Click on the "Policies" tab.
  Expected Result: The Policies properties web page will be displayed.

Step 29
  Action: Click on the “New Policy…” button.
  Expected Result: The “New Policy” web page will be displayed.

Step 30
  Action: Enter the following information:
  Input: Name: PolicyTest / Description: Policy Test
  Expected Result: The new policy name and description fields will be populated.

Step 31
  Action: Click on the “New…” button under the “Rules” section.
  Expected Result: The new rules wizard will begin.

Step 32
  Action: Click on the "URL Policy Agent (with resource name)" radio button and then click "Next".
  Expected Result: The new rules wizard Step 2 web page will be displayed.

Step 33
  Action: Enter the following information and then click on the “Finish” button:
  Input:
    Name: Banner URL Rule
    Resource Name: http://www.sample.com:80/banner.html
    Check "GET" and "ALLOW"
    Check "POST" and "ALLOW" action values.
  Expected Result: The values specified above should be entered on the form, and the “New Policy” web page will be redisplayed.

Step 34
  Action: Click on the “New…” button under the “Subjects” section.
  Expected Result: Step 1 of the New Subject wizard web page will be displayed.

Step 35
  Action: Select the "OpenSSO Identity Subject" radio button and then click on the "Next" button.
  Expected Result: The New Subjects Step 2 web page will be

Step 36
  Action: Enter “Policy Test Users” in the Name field.
  Expected Result: The new subject rule will be named.

Step 37
  Action: Click on the drop-down filter button to highlight the “User” value, and then click on the “Search” button.
  Expected Result: A list of available users will be displayed under the “Available:” section.

Step 38
  Action: Select the “amAdmin” and “user1” users, and then click on the “Add” button.
  Expected Result: The amAdmin and user1 users will be added as subjects.

Step 39
  Action: Click on the “Finish” button.
  Expected Result: The “New Policy” web page will be redisplayed.

Step 40
  Action: Click the “OK” button to save this new policy.
  Expected Result: The new policy will be saved and the “Policies” web page will be displayed with the new policy listed.

Step 41
  Action: Open a new command line window, change directories to C:\NHINC\ThirdPartyTools\OpenSSOXACMLExample and enter the following command:
  Input: scripts\run-policy-evaluation-sample
  Expected Result: As there are no prompts to enter information, the following should be displayed in the command window:

    Using properties file:policyEvaluationSample
    sample properties:
    user.password:adminadmin
    service.name:iPlanetAMWebAgentService
    user.name:amadmin
    resource.name:http://www.sample.com:80/banner.html
    action.name:GET
    ---:
    Entering getSSOToken():userName=amadmin,password=adminadmin
    TokenID:AQIC5wM2LY4Sfcw+SYheSbNCiv0IrGf8P1tB3xLtOFeq2QM=@AAJTSQACMDE=#
    returning from getSSOToken()
    Entering getPolicyDecision():resourceName=http://www.sample.com:80/banner.html,serviceName=iPlanetAMWebAgentService,actionName=GET
    policyDecision:<PolicyDecision>
    <ResponseAttributes>
    </ResponseAttributes>
    <ActionDecision timeToLive="1242414937297">
    <AttributeValuePair>
    <Attribute name="GET"/>
    <Value>allow</Value>
    </AttributeValuePair>
    <Advices>
    </Advices>
    </ActionDecision>
    </PolicyDecision>
    returning from getPolicyDecision()

Step 42 (XACML Example)
  NOTE: You must have already set up the policy rule in the previous example before you can run this example.
  Action: Login to the OpenSSO administrative console.
  Input: URL: http://localhost:8080/opensso / User Name: amAdmin / Password: adminadmin
  Expected Result: The OpenSSO administration web page will be displayed.

Step 43
  Action: Click on the “Configuration” tab.
  Expected Result: The configuration web page will be displayed.

Step 44
  Action: Click on the “Global” sub-tab.
  Expected Result: The OpenSSO Global Configuration web page will be displayed.

Step 45
  Action: Click on the “SAML v2 SOAP Binding” link.
  Expected Result: The SAML v2 SOAP Binding global attributes web page will be

Step 46
  Action: Click on the “New” button.
  Expected Result: The “New Request Handler” web page will be displayed.

Step 47
  Action: Enter the following information and click on the “OK” button:
  Input:
    Key: /xacmlPdp
    Class: com.sun.identity.xacml.plugins.XACMLAuthzDecisionQueryHandler
  Expected Result: The new SOAP binding information will be created.

Step 48
  Action: Click on the “Save” button.
  Expected Result: The new SOAP Binding information will be saved.

Step 49
  Action: Click on the "Back to Service Configuration" button.
  Expected Result: The Global configuration web page will be

Step 50
  Action: Open a new command line window and go to the following directory:
  Input: C:\NHINC\ThirdPartyTools\OpenSSOXACMLExample
  Expected Result: A new command window will be opened in the location listed above.

Step 51
  Action: Enter the command:
  Input: ssoadm create-cot -t xacml-pdp-cot -u amadmin -f password.txt
  NOTE: ssoadm reads the amadmin password from the file named with -f; password.txt must exist in this directory and contain that password (adminadmin in this manual) before the ssoadm commands in steps 51 through 56 are run.
  Expected Result: The command window will display the following:
    Circle of trust, xacml-pdp-cot was created.

Step 52
  Action: Enter the command:
  Input: ssoadm create-metadata-templ -y xacmlPdpEntity -p /xacmlPdp -m xacmlPdp.xml -x xacmlPdp-x.xml -u amadmin -f password.txt
  Expected Result: The command window will display the following:
    Hosted entity configuration was written to xacmlPdp-x.xml.
    Hosted entity descriptor was written to xacmlPdp.xml.

Step 53
  Action: Enter the command:
  Input: ssoadm import-entity -t xacml-pdp-cot -m xacmlPdp.xml -x xacmlPdp-x.xml -u amadmin -f password.txt
  Expected Result: The command window will display the following:
    Import file, xacmlPdp-x.xml.

Step 54
  Action: Enter the command:
  Input: ssoadm create-cot -t xacml-pep-cot -u amadmin -f password.txt
  Expected Result: The command window will display the following:
    Circle of trust, xacml-pep-cot was created.

Step 55
  Action: Enter the command:
  Input: ssoadm create-metadata-templ -y xacmlPepEntity -e /xacmlPep -m xacmlPep.xml -x xacmlPep-x.xml -u amadmin -f password.txt
  Expected Result: The command window will display the following:
    Hosted entity configuration was written to xacmlPep-x.xml.
    Hosted entity descriptor was written to xacmlPep.xml.

Step 56
  Action: Enter the command:
  Input: ssoadm import-entity -t xacml-pep-cot -m xacmlPep.xml -x xacmlPep-x.xml -u amadmin -f password.txt
  Expected Result: The command window will display the following:
    Import file, xacmlPep.xml.
    Import file, xacmlPep-x.xml.

Step 57
  Action: Login to the OpenSSO administrative console.
  Input: URL: http://localhost:8080/opensso / User Name: amAdmin / Password: adminadmin
  Expected Result: The OpenSSO administration web page will be displayed.

Step 58
  Action: Click on the “Federation” tab.
  Expected Result: The Federation web page will be displayed.

59. Click on the "xacml-pdp-cot" link under the "Circle of Trust" section.
    Expected result: The "Edit Circle of Trust" web page will be displayed for the "xacml-pdp-cot" entry.

60. Highlight "xacmlPepEntity SAMLv2" in the "Available" box and click on the "Add >" button.
    Expected result: The xacmlPepEntity SAMLv2 entry will move from the list of available items to the selected list.

61. Click on the "Save" button.
    Expected result: The changes to the xacml-pdp-cot circle of trust entry will be saved.

62. Click on the "Back" button.
    Expected result: The "Circle of Trust Configuration" web page will be redisplayed.

63. Click on the "xacml-pep-cot" link under the "Circle of Trust" section.
    Expected result: The "Edit Circle of Trust" web page for the "xacml-pep-cot" entry will be displayed.

64. Highlight "xacmlPdpEntity SAMLv2" in the "Available" box and click on the "Add >" button.
    Expected result: The xacmlPdpEntity SAMLv2 entry will move from the list of available items to the selected list.

65. Click on the "Save" button.
    Expected result: The changes to the xacml-pep-cot circle of trust entry will be saved.

66. Click on the "Back" button.
    Expected result: The "Circle of Trust Configuration" web page will be redisplayed.

67. Open a new command line window, change directories to C:\NHINC\ThirdPartyTools\OpenSSOXACMLExample and enter the following command:
    scripts\run-xacml-client-sample
    Expected result: As there are no prompts to enter information, the following should be displayed in the command window:

    Using properties file:xacmlClientSample
    sample properties:
    resource.servicename.datatype:http://www.w3.org/2001/XMLSchema#string
    resource.id:http://www.sample.com:80/banner.html
    action.id.datatype:http://www.w3.org/2001/XMLSchema#string
    resource.id.datatype:http://www.w3.org/2001/XMLSchema#string
    action.id:GET
    subject.id:id=user1,ou=user,dc=opensso,dc=java,dc=net
    ---:
    subject.id.datatype:urn:oasis:names:tc:xacml:1.0:data-type:x500Name
    pdp.entityId:xacmlPdpEntity
    resource.servicename:iPlanetAMWebAgentService
    subject.category:urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
    pep.entityId:xacmlPepEntity
    testProcessRequest():xacmlRequest:
    <xacml-context:Request xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os http://docs.oasis-open.org/xacml/access_control-xacml-2.0-context-schema-os.xsd">
      <Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="urn:oasis:names:tc:xacml:1.0:data-type:x500Name">
          <AttributeValue>id=user1,ou=user,dc=opensso,dc=java,dc=net</AttributeValue>
        </Attribute>
      </Subject>
      <xacml-context:Resource>
        <Attribute AttributeId="ResourceId" DataType="http://www.w3.org/2001/XMLSchema#string">
          <AttributeValue>http://www.sample.com:80/banner.html</AttributeValue>
        </Attribute>
        <Attribute AttributeId="urn:sun:names:xacml:2.0:resource:target-service" DataType="http://www.w3.org/2001/XMLSchema#string">
          <AttributeValue>iPlanetAMWebAgentService</AttributeValue>
        </Attribute>
      </xacml-context:Resource>
      <xacml-context:Action>
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string">
          <AttributeValue>GET</AttributeValue>
        </Attribute>
      </xacml-context:Action>
      <xacml-context:Environment></xacml-context:Environment>
    </xacml-context:Request>
    testProcessRequest():xacmlResponse:
    <xacml-context:Response xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os">
      <xacml-context:Result ResourceId="http://www.sample.com:80/banner.html">
        <xacml-context:Decision>Permit</xacml-context:Decision>
        <xacml-context:Status>
          <xacml-context:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"></xacml-context:StatusCode>
          <xacml-context:StatusMessage>ok</xacml-context:StatusMessage>
          <xacml-context:StatusDetail xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:cd:04"><xacml-context:StatusDetail/></xacml-context:StatusDetail>
        </xacml-context:Status>
      </xacml-context:Result>
    </xacml-context:Response>
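The request and response printed by the sample run above are the messages a XACML Policy Enforcement Point exchanges with the PDP request handler registered under /xacmlPdp. The following Python example is added here; it is not part of this manual or of the OpenSSO sample code. It builds the same xacml-context:Request shape (subject, ResourceId, target-service and action attributes) and evaluates the xacml-context:Response the way a PEP should, failing closed: only a single Result carrying a Permit decision, an ok StatusCode and the expected ResourceId is treated as permitted. The Permit response is the one shown above; the Deny and processing-error variants are constructed for the example. The SOAP envelope and the transport to OpenSSO are not shown.

```python
import xml.etree.ElementTree as ET

# XACML 2.0 identifiers that appear in the sample client's request and response
XACML_CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
XSD_STRING = "http://www.w3.org/2001/XMLSchema#string"
X500_NAME = "urn:oasis:names:tc:xacml:1.0:data-type:x500Name"
ACCESS_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
TARGET_SERVICE = "urn:sun:names:xacml:2.0:resource:target-service"
STATUS_OK = "urn:oasis:names:tc:xacml:1.0:status:ok"
NS = {"ctx": XACML_CTX}


def _attribute(parent, attr_id, data_type, value):
    """Append an Attribute/AttributeValue pair. The sample client prints Subject
    and Attribute without a prefix; the XACML 2.0 context schema places them in
    the xacml-context namespace, which is what is used here."""
    attr = ET.SubElement(parent, f"{{{XACML_CTX}}}Attribute",
                         AttributeId=attr_id, DataType=data_type)
    ET.SubElement(attr, f"{{{XACML_CTX}}}AttributeValue").text = value


def build_request(subject_dn, resource_id, action, service="iPlanetAMWebAgentService"):
    """Serialize an xacml-context:Request with the same attributes the sample client sends."""
    ET.register_namespace("xacml-context", XACML_CTX)
    req = ET.Element(f"{{{XACML_CTX}}}Request")
    subject = ET.SubElement(req, f"{{{XACML_CTX}}}Subject", SubjectCategory=ACCESS_SUBJECT)
    _attribute(subject, SUBJECT_ID, X500_NAME, subject_dn)
    resource = ET.SubElement(req, f"{{{XACML_CTX}}}Resource")
    _attribute(resource, "ResourceId", XSD_STRING, resource_id)
    _attribute(resource, TARGET_SERVICE, XSD_STRING, service)
    act = ET.SubElement(req, f"{{{XACML_CTX}}}Action")
    _attribute(act, ACTION_ID, XSD_STRING, action)
    ET.SubElement(req, f"{{{XACML_CTX}}}Environment")
    return ET.tostring(req, encoding="unicode")


def evaluate_response(response_xml, expected_resource=None):
    """Return (decision, permitted) for an xacml-context:Response.

    Fails closed: anything other than exactly one Result with Decision Permit,
    an ok StatusCode and (when given) the expected ResourceId is not permitted.
    Deny, Indeterminate, NotApplicable, a missing Status and unparseable input
    all come back as permitted == False."""
    try:
        root = ET.fromstring(response_xml)
    except ET.ParseError:
        return ("Indeterminate", False)
    if root.tag != f"{{{XACML_CTX}}}Response":
        return ("Indeterminate", False)
    results = root.findall("ctx:Result", NS)
    if len(results) != 1:
        return ("Indeterminate", False)
    result = results[0]
    if expected_resource is not None and result.get("ResourceId") != expected_resource:
        return ("Indeterminate", False)
    decision = result.findtext("ctx:Decision", default="", namespaces=NS).strip()
    status = result.find("ctx:Status/ctx:StatusCode", NS)
    status_ok = status is not None and status.get("Value") == STATUS_OK
    return (decision or "Indeterminate", decision == "Permit" and status_ok)


# The Permit response printed by the sample run (StatusDetail omitted)
PERMIT_RESPONSE = """<xacml-context:Response xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os">
<xacml-context:Result ResourceId="http://www.sample.com:80/banner.html">
<xacml-context:Decision>Permit</xacml-context:Decision>
<xacml-context:Status>
<xacml-context:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"></xacml-context:StatusCode>
<xacml-context:StatusMessage>ok</xacml-context:StatusMessage>
</xacml-context:Status>
</xacml-context:Result>
</xacml-context:Response>"""

# Constructed variants: a Deny, and a Permit whose Status reports a processing error
DENY_RESPONSE = PERMIT_RESPONSE.replace(">Permit<", ">Deny<")
ERROR_RESPONSE = PERMIT_RESPONSE.replace(
    "urn:oasis:names:tc:xacml:1.0:status:ok",
    "urn:oasis:names:tc:xacml:1.0:status:processing-error")

if __name__ == "__main__":
    print(build_request("id=user1,ou=user,dc=opensso,dc=java,dc=net",
                        "http://www.sample.com:80/banner.html", "GET"))
    for name, xml_text in [("permit", PERMIT_RESPONSE), ("deny", DENY_RESPONSE),
                           ("error", ERROR_RESPONSE)]:
        print(name, evaluate_response(xml_text, "http://www.sample.com:80/banner.html"))
```

The ResourceId check matters in practice: a PEP that only looks at the Decision element would accept a Permit issued for a different resource, so the expected resource is passed in and compared against the Result.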

5.8 Install Generic Policy Decision Point Request Handler into OpenSSO

The following steps outline the procedure to install a generic Policy Decision Point (PDP) request handler into OpenSSO. A PDP request handler is required in order for the CONNECT software to correctly enforce consent policies and protect patient data.

Step Action Input Expected Result

1. Copy the following file from:
   C:\NHINC\ThirdpartyTools\OpenSSO\XSPAXACMLAuthzDecisionQueryHandler.class
   To:
   C:\Sun\AppServer\domains\domain1\applications\j2ee-modules\opensso\WEB-INF\classes\com\sun\identity\xacml\plugins
   NOTE: You may need to create this directory.
   NOTE: The class is placed in the exploded deployment directory rather than in the opensso.war, so redeploying the OpenSSO application removes it and this step must be repeated.
   Expected result: A copy of the XSPAXACMLAuthzDecisionQueryHandler.class file is in the GlassFish directory listed above.

2. Start the GlassFish application server if it is not already running.
   Expected result: The GlassFish application server should be running.

3. Open a web browser and log in to the OpenSSO administration console.
   URL: http://localhost:8080/opensso
   User Name: amAdmin
   Password: adminadmin
   Expected result: The OpenSSO administration web page will be displayed.

4. Click on the "Configuration" tab.
   Expected result: The Configuration web page will be displayed.

5. Click on the "Global" sub-tab.
   Expected result: The Global configuration web page will be displayed.

6. Click on the "SAML v2 SOAP Binding" link.
   Expected result: The SAML v2 SOAP Binding Global properties web page will be displayed.

7. Click on the "New..." button.
   Expected result: The New Request Handler web page will be displayed.

8. Enter the following information, then click on the "OK" button:
   Key: /openssoPdp
   Class: com.sun.identity.xacml.plugins.XSPAXACMLAuthzDecisionQueryHandler
   Expected result: The new request handler values will be entered.

9. Click on the "Save" button.
   Expected result: The new request handler information will be saved.

10. Click on the "Back to Service Configuration" button.
    Expected result: The Global configuration web page will be redisplayed.

11. Open a new command line window and change the directory to:
    C:\nhinc\ThirdPartyTools\OpenSSO\AdapterPDPOpenSSO\conf
    Expected result: A new command line window will be opened in the directory specified above.

12. Execute the following command:
    ssoadm create-cot -t opensso-pdp-cot -u amadmin -f password.txt
    Expected result: The ssoadm program will execute and the command window will display:
    "Circle of trust, opensso-pdp-cot was created."

13. Execute the following command:
    ssoadm create-metadata-templ -y ConnectOpenSSOPdpEntity -p /openssoPdp -m openssoPdp.xml -x openssoPdp-x.xml -u amadmin -f password.txt
    Expected result: The ssoadm program will execute and the command window will display:
    "Hosted entity configuration was written to openssoPdp-x.xml.
    Hosted entity descriptor was written to openssoPdp.xml."

14. Execute the following command:
    ssoadm import-entity -t opensso-pdp-cot -m openssoPdp.xml -x openssoPdp-x.xml -u amadmin -f password.txt
    Expected result: The ssoadm program will execute and the command window will display:
    "Import file, openssoPdp.xml.
    Import file, openssoPdp-x.xml."

15. Execute the following command:
    ssoadm create-cot -t opensso-pep-cot -u amadmin -f password.txt
    Expected result: The ssoadm program will execute and the command window will display:
    "Circle of trust, opensso-pep-cot was created."

16. Execute the following command:
    ssoadm create-metadata-templ -y ConnectOpenSSOPepEntity -e /openssoPep -m openssoPep.xml -x openssoPep-x.xml -u amadmin -f password.txt
    Expected result: The ssoadm program will execute and the command window will display:
    "Hosted entity configuration was written to openssoPep-x.xml.
    Hosted entity descriptor was written to openssoPep.xml."

17. Execute the following command:
    ssoadm import-entity -t opensso-pep-cot -m openssoPep.xml -x openssoPep-x.xml -u amadmin -f password.txt
    Expected result: The ssoadm program will execute and the command window will display:
    "Import file, openssoPep.xml.
    Import file, openssoPep-x.xml."

18. From the OpenSSO administration web page, click on the "Federation" tab.
    Expected result: The Federation configuration web page will be displayed.

19. Click on the "opensso-pdp-cot" link under the "Circle of Trust" section.
    Expected result: The Edit Circle of Trust web page will be displayed for the opensso-pdp-cot entry.

20. Highlight the "ConnectOpenSSOPepEntity SAMLv2" item in the "Available" list.
    Expected result: The item will be selected.

21. Click on the "Add" button, then click on the "Save" button.
    Expected result: The selected item will move from the list of "Available" items to the list of "Selected" items, and the profile will be saved.

22. Click on the "Back" button.
    Expected result: The Federation configuration web page will be redisplayed.

23. Click on the "opensso-pep-cot" link under the "Circle of Trust" section.
    Expected result: The Edit Circle of Trust web page will be displayed for the opensso-pep-cot entry.

24. Highlight the "ConnectOpenSSOPdpEntity SAMLv2" item in the "Available" list and click on the "Add" button, then click on the "Save" button.
    Expected result: The selected item will be moved from the list of available items to the list of selected items, and the profile will be updated and saved.

25. Click on the "Back" button.
    Expected result: The Federation configuration web page will be redisplayed.

26. Log out of the OpenSSO administrative web console and restart GlassFish.
    Expected result: The GlassFish application server will be restarted.

5.9 Test the Generic Policy Decision Point Request Handler

There are several soapUI tests provided to test the functionality of the PEP to PDP communication. These tests are provided in the NHIN_CONNECT_OPENSSO_AdapterPEPWS_2_4.zip file found on the OpenSSO web page on the CONNECT web site (see section 5.1). In addition, you will need a consent document for a test patient stored in the document repository (see Appendix A for instructions).

In order to run the tests contained in this soapUI project, all of the CONNECT components mentioned in the CONNECT installation manual will have to be already deployed into the GlassFish application server.

As the soapUI project contains many tests, the following steps are provided as an example to assist you with your testing should you choose to execute more than the one listed below.

Step Action Input Expected Result

1. Open the soapUI application.
   Expected result: The soapUI application will start.

2. From the File menu, click on the "Import Project" sub-menu item.
   Expected result: The "Select ..." file dialog window will be displayed.

3. Enter "C:\NHINC\ThirdPartyTools\OpenSSO\AdapterPEPWS-soapui-project.xml" as the filename and click on the "Open" button.
   Expected result: The AdapterPEPWS-soapui-project.xml file will be imported into your soapUI application.

4. From the AdapterPEPWS project node, expand the "AdapterPEPBindingSoap11" and "CheckPolicy" nodes.
   Expected result: The soapUI application will expand the nodes as shown in the screen shot.

5. Double click on the "DocumentQueryIn" node.
   Expected result: The DocumentQueryIn request and response window will open inside soapUI.

6. Click on the green arrow near the top left corner of the DocumentQueryIn window (in the screen shot, the green arrow has a red circle around it).
   Expected result: soapUI will execute the request and return a response.

7. Verify that the response contains the text "Permit", similar to the screen shot.
   Expected result: A successful response as described in the action.

NOTE: Until the gateway configuration in section 5.10 has been applied, the gateway's default no-op policy engine returns "Permit" for every request, so a "Permit" here does not by itself show that the consent document is being evaluated. Repeat this test after completing section 5.10.

5.10 Configure the CONNECT Gateway machine

The CONNECT gateway software comes pre-configured to route PIP and PEP calls to no-op implementations that bypass the policy engine and always return a "Permit" value for patient record requests. This default is fail-open: consent policies are not evaluated. In order to change this behavior, you will need to modify the "AdapterPEPConfig.xml", "AdapterPIPConfig.xml", "AdapterPolicyEngineProxyConfig.xml", "AdapterPolicyEngineOrchestratorProxyConfig.xml" and "gateway.properties" files on the CONNECT gateway machine. As referenced in other CONNECT installation manuals, the location of these files is given by the "NHINC_PROPERTIES_DIR" environment variable.

Since Release 2.2, both a Java and a web service implementation have been provided for most of the services, including the Policy Engine. The following steps configure the use of the Java implementation, which is recommended for configurations where the Policy Engine components are co-located with the gateway.

The steps to modify the "AdapterPEPConfig.xml" file are as follows:

Step Action Input Expected Result

1. Open the "AdapterPEPConfig.xml" file in your preferred text editor on the CONNECT gateway machine. The file is located in the directory referenced by the NHINC_PROPERTIES_DIR environment variable, as mentioned above.
   Expected result: The "AdapterPEPConfig.xml" file will be opened in your preferred text editor.

2. Search for the following line:
   <bean id="adapterpep" class="gov.hhs.fha.nhinc.policyengine.adapterpep.proxy.AdapterPEPProxyNoOpImpl"/>
   Expected result: Your text editor will find the line shown above.

3. Comment out this line by adding "<!--" at the beginning of the line and "-->" at the end of the same line.
   Expected result: The AdapterPEPProxyNoOpImpl entry will be disabled.

4. Uncomment the following line by removing the "<!--" from the beginning of the line and the "-->" from the end of the line:
   <!-- <bean id="adapterpep" class="gov.hhs.fha.nhinc.policyengine.adapterpep.proxy.AdapterPEPJavaProxy"/> -->
   Expected result: The AdapterPEPJavaProxy entry will be enabled.

The steps to modify the "AdapterPIPConfig.xml" file are as follows. This file may already be set correctly.

Step Action Input Expected Result

1. Open the "AdapterPIPConfig.xml" file in your preferred text editor on the CONNECT gateway machine. The file is located in the directory referenced by the NHINC_PROPERTIES_DIR environment variable, as mentioned above.
   Expected result: The "AdapterPIPConfig.xml" file will be opened in your preferred text editor.

2. Search for the following line:
   <bean id="adapterpip" class="gov.hhs.fha.nhinc.policyengine.adapterpip.proxy.AdapterPIPProxyNoOpImpl"/>
   Expected result: Your text editor will find the line shown above.

3. Comment out this line by adding "<!--" at the beginning of the line and "-->" at the end of the same line.
   Expected result: The AdapterPIPProxyNoOpImpl entry will be disabled.

4. Uncomment the following line by removing the "<!--" from the beginning of the line and the "-->" from the end of the line:
   <!-- <bean id="adapterpip" class="gov.hhs.fha.nhinc.policyengine.adapterpip.proxy.AdapterPIPJavaProxy"/> -->
   Expected result: The AdapterPIPJavaProxy entry will be enabled.

The steps to modify the "AdapterPolicyEngineOrchestratorProxyConfig.xml" file are as follows:

Step Action Input Expected Result

1. Open the "AdapterPolicyEngineOrchestratorProxyConfig.xml" file in your preferred text editor on the CONNECT gateway machine. The file is located in the directory referenced by the NHINC_PROPERTIES_DIR environment variable, as mentioned above.
   Expected result: The "AdapterPolicyEngineOrchestratorProxyConfig.xml" file will be opened in your preferred text editor.

2. Search for the following line:
   <bean id="adapterpolicyengineorchestrator" class="gov.hhs.fha.nhinc.policyengine.adapterpolicyengineorchestrator.proxy.AdapterPolicyEngineOrchestratorPermitNoOpImpl"/>
   Expected result: Your text editor will find the line shown above.

3. Comment out this line by adding "<!--" at the beginning of the line and "-->" at the end of the same line.
   Expected result: The AdapterPolicyEngineOrchestratorPermitNoOpImpl entry will be disabled.

4. Uncomment the following line by removing the "<!--" from the beginning of the line and the "-->" from the end of the line:
   <!-- <bean id="adapterpolicyengineorchestrator" class="gov.hhs.fha.nhinc.policyengine.adapterpolicyengineorchestrator.proxy.AdapterPolicyEngineOrchestratorJavaProxy"/> -->
   Expected result: The AdapterPolicyEngineOrchestratorJavaProxy entry will be enabled.

The steps to modify the "AdapterPolicyEngineProxyConfig.xml" file are as follows:

Step Action Input Expected Result

1. Open the "AdapterPolicyEngineProxyConfig.xml" file in your preferred text editor on the CONNECT gateway machine. The file is located in the directory referenced by the NHINC_PROPERTIES_DIR environment variable, as mentioned above.
   Expected result: The "AdapterPolicyEngineProxyConfig.xml" file will be opened in your preferred text editor.

2. Search for the following line:
   <bean id="adapterpolicyengine" class="gov.hhs.fha.nhinc.policyengine.adapterpolicyengine.proxy.AdapterPolicyEnginePermitNoOpImpl"/>
   Expected result: Your text editor will find the line shown above.

3. Comment out this line by adding "<!--" at the beginning of the line and "-->" at the end of the same line.
   Expected result: The AdapterPolicyEnginePermitNoOpImpl entry will be disabled.

4. Uncomment the following line by removing the "<!--" from the beginning of the line and the "-->" from the end of the line:
   <!-- <bean id="adapterpolicyengine" class="gov.hhs.fha.nhinc.policyengine.adapterpolicyengine.proxy.AdapterPolicyEngineJavaProxy"/> -->
   Expected result: The AdapterPolicyEngineJavaProxy entry will be enabled.

The steps to modify the "gateway.properties" file are as follows:

Step Action Input Expected Result

1. Open the "gateway.properties" file in your preferred text editor on the CONNECT gateway machine. The file is located in the directory referenced by the NHINC_PROPERTIES_DIR environment variable, as mentioned above.
   Expected result: The "gateway.properties" file will be opened in your preferred text editor.

2. Search for the text "PdpEntityName".
   Expected result: Your editor will locate the text.

3. Set the PdpEntityName property value to:
   PdpEntityName=ConnectOpenSSO
   Comment out any other entries for this property in the file by placing a "#" at the beginning of the line.
   Expected result: The ConnectOpenSSO PDP mechanism will be enabled.

4. Save the file.
   Expected result: The gateway.properties file will be saved.

Restart GlassFish after the configuration files have been modified. Rerun the DocumentQueryIn soapUI test to verify that the policy engine is functioning and "Permit" is returned in the response. Because the no-op implementations also return "Permit", a more convincing check is to also run the request for a patient who has no stored consent document and confirm that the response is no longer "Permit".
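The five procedures above amount to four Spring bean swaps and one property change, and a step that is missed or half-applied silently leaves a fail-open implementation in place. The following Python script is added here and is not part of CONNECT; it audits the files named in this section the way a reviewer would before sign-off. For each configuration file it checks that the only live (uncommented) bean definition for the given id is the Java proxy class the steps enable, and for gateway.properties it checks that exactly one uncommented PdpEntityName line exists and is set to ConnectOpenSSO. The <beans> root element, its namespace and the sample file contents are constructed assumptions; the manual shows only the individual bean lines.

```python
import re
import xml.etree.ElementTree as ET

# For each file named in section 5.10: the bean id and the Java proxy class that
# must be the only live definition once the no-op/permit implementation is commented out.
EXPECTED_BEANS = {
    "AdapterPEPConfig.xml": (
        "adapterpep",
        "gov.hhs.fha.nhinc.policyengine.adapterpep.proxy.AdapterPEPJavaProxy"),
    "AdapterPIPConfig.xml": (
        "adapterpip",
        "gov.hhs.fha.nhinc.policyengine.adapterpip.proxy.AdapterPIPJavaProxy"),
    "AdapterPolicyEngineOrchestratorProxyConfig.xml": (
        "adapterpolicyengineorchestrator",
        "gov.hhs.fha.nhinc.policyengine.adapterpolicyengineorchestrator.proxy."
        "AdapterPolicyEngineOrchestratorJavaProxy"),
    "AdapterPolicyEngineProxyConfig.xml": (
        "adapterpolicyengine",
        "gov.hhs.fha.nhinc.policyengine.adapterpolicyengine.proxy.AdapterPolicyEngineJavaProxy"),
}


def active_bean_classes(xml_text, bean_id):
    """Classes of the live <bean> elements with the given id. The XML parser
    drops comments, so a bean wrapped in <!-- --> is never counted."""
    root = ET.fromstring(xml_text)
    return [el.get("class") for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "bean" and el.get("id") == bean_id]


def check_bean_file(xml_text, bean_id, expected_class):
    """(ok, message): ok only when exactly one live bean with this id exists
    and it is the expected Java proxy."""
    classes = active_bean_classes(xml_text, bean_id)
    if classes == [expected_class]:
        return (True, f"{bean_id}: {expected_class}")
    if not classes:
        return (False, f"{bean_id}: no active bean definition")
    if len(classes) > 1:
        return (False, f"{bean_id}: {len(classes)} active definitions, expected one")
    return (False, f"{bean_id}: unexpected implementation {classes[0]} is active")


def check_pdp_entity(properties_text, expected="ConnectOpenSSO"):
    """(ok, message): exactly one uncommented PdpEntityName line, set to expected.
    Java properties files treat '#' and '!' as comment markers."""
    values = []
    for line in properties_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#!":
            continue
        match = re.match(r"PdpEntityName\s*[=:]\s*(.*)$", stripped)
        if match:
            values.append(match.group(1).strip())
    if values == [expected]:
        return (True, f"PdpEntityName={expected}")
    return (False, f"PdpEntityName: found {values}, expected exactly [{expected!r}]")


def audit(config_files, properties_text):
    """config_files: {filename: xml_text}. Returns [(ok, message), ...] in the
    order of EXPECTED_BEANS, followed by the gateway.properties check."""
    report = []
    for name, (bean_id, expected_class) in EXPECTED_BEANS.items():
        if name not in config_files:
            report.append((False, f"{name}: file missing"))
        else:
            report.append(check_bean_file(config_files[name], bean_id, expected_class))
    report.append(check_pdp_entity(properties_text))
    return report


# Constructed AdapterPEPConfig.xml contents before and after steps 3 and 4 of the
# PEP procedure. The <beans> root and its namespace are assumed Spring conventions.
PEP_BEFORE = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="adapterpep" class="gov.hhs.fha.nhinc.policyengine.adapterpep.proxy.AdapterPEPProxyNoOpImpl"/>
  <!-- <bean id="adapterpep" class="gov.hhs.fha.nhinc.policyengine.adapterpep.proxy.AdapterPEPJavaProxy"/> -->
</beans>"""
PEP_AFTER = """<beans xmlns="http://www.springframework.org/schema/beans">
  <!-- <bean id="adapterpep" class="gov.hhs.fha.nhinc.policyengine.adapterpep.proxy.AdapterPEPProxyNoOpImpl"/> -->
  <bean id="adapterpep" class="gov.hhs.fha.nhinc.policyengine.adapterpep.proxy.AdapterPEPJavaProxy"/>
</beans>"""
# Constructed gateway.properties excerpt
GATEWAY_PROPERTIES = "# constructed excerpt\nPdpEntityName=ConnectOpenSSO\n#PdpEntityName=SomeOtherPdp\n"

if __name__ == "__main__":
    for ok, message in audit({"AdapterPEPConfig.xml": PEP_AFTER}, GATEWAY_PROPERTIES):
        print("PASS" if ok else "FAIL", message)
```

To run it against a real gateway, read each of the four files from NHINC_PROPERTIES_DIR into the dictionary passed to audit() together with the contents of gateway.properties. A bean that was commented out but never uncommented is reported as "no active bean definition"; a file where both lines were left active is reported as two definitions, which is worth catching because it is not obvious from the editor which one Spring will honour.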

6.0 ACRONYMS

CA Certificate Authority
CAC Common Access Card
CD Compact Disk
CDC Centers for Disease Control & Prevention
CMS Centers for Medicare & Medicaid Services
DAT Digital Audio Tape
DOD Department of Defense
DURSA Data Use and Reciprocal Support Agreement
DVD Digital Video Disc
EHR Electronic Health Record
EMR Electronic Medical Record
ESB Enterprise Service Bus
FHA Federal Health Architecture
GB Gigabyte
HDD Hard Disk Drive
HITSP Healthcare Information Technology Standards Panel
IDE Integrated Drive Electronics
IPv6 Internet Protocol Version 6
MB Megabyte
MPI Master Patient Index
NCI National Cancer Institute
NDMS National Disaster Medical System
NHIE NHIN Health Information Exchange
NHIN Nationwide Health Information Network
NIST National Institute of Standards and Technology
OID Object Identifier or Home Community ID
ONC Office of the National Coordinator
OS Operating System
QA Quality Assurance
RAID Redundant Array of Inexpensive Disks
RAM Random Access Memory
SCSI Small Computer System Interface
SDK Software Development Kit
SSA Social Security Administration
SSL Secure Sockets Layer
TBD To Be Determined
USB Universal Serial Bus

A.1 CREATE A CONSUMER PREFERENCES DOCUMENT

NOTE: The CPP GUI application is not supported as of CONNECT Release 2.4. Until this application is available, follow the steps outlined in Appendix A.2 to create a CPP document rather than the steps outlined in this section.

Perform the following steps to create a CPP document using the provided CPP GUI:

NOTE: The assigningAuthorityId property in adapter.properties must be set to the appropriate Assigning Authority OID (in most cases this will be the same value as the home community ID OID).

1. On the server running the Adapter components, deploy the Consumer Preferences Profile GUI (if not already deployed).

2. Bring up a web browser and navigate to the following URL: http://localhost:8080/ConsumerPreferencesProfileGUI/

3. Log into the CPP GUI using the account set up during the OpenSSO installation (default user1/password).

Figure A.1-2: Select Define Patient Authorization Activity

4. Enter your search criteria for the patient. These criteria will be used to search for a patient currently in the MPI. For example, entering Younger for the last name will return all of the entries in the MPI that have a last name of Younger.

Figure A.1-3: Enter Search Criteria

5. Select the specific patient ID to modify the patient's profile settings. Change or verify that Gallow Younger has the NHIN Opt-In preference set.

Figure A.1-4: Update Patient Authorization

Figure A.1-5: Define Patient Authorization

A.2 ALTERNATE CONSUMER PREFERENCES DOCUMENT CREATION

Until the CPP GUI is functional, this process may be used to create a consumer preferences profile document.

A soapUI test is available for creating a CPP document. This test uses the following assumptions:

• CONNECT is running on the same machine as the test is run.

• The patient identifier for the test patient, Gallow Younger, is "D123401".

Using the same soapUI project located in NHIN_CONNECT_OPENSSO_AdapterPEPWS_2_4.zip, open and run the test AdapterPEPWS -> AdapterPIPBindingSoap11 -> StorePtConsent -> StorePatientConsent as shown in the following image.

Figure A.2-1: Create CPP Document

Next, verify that the document was stored successfully by running the test AdapterPEPWS -> AdapterPIPBindingSoap11 -> RetrievePtConsentByPtId -> RetrievePatientConsent as shown in the following image.

Figure A.2-2: Verify CPP Document