CONNECT 3.0 Release


CONNECT:
Release 3.0 Webinar
June 29th, 2010
CONNECT Architecture Overview
Les Westberg
CONNECT Architecture
Message from NHIN
CONNECT Architecture
Message to NHIN
CONNECT Development Environment
Version 3.0
Item | Version
Java JRE/JDK | 1.6 Update 16 (32-bit version)
GlassFish | 2.1.1
NetBeans | 6.7.1
Metro | 1.5
MySQL | 5.1.41
SoapUI | 3.0.1
Major Changes in 3.0
• Soap Version 1.2 Upgrade
• Deferred Messaging Support
– Patient Discovery
– Document Submission
• Redaction Engine
• Database Independence
• LiFT Support
• Administrative Distribution Service Design
• CONNECT Direct
• IDE Neutral Build Scripts
• OCSP Support
• Secured & Unsecured Interfaces
Soap Version 1.2 Upgrade
Sai Valluripalli
Soap Version 1.2 Upgrade
• In CONNECT release 3.0, all web services have been upgraded to SOAP 1.2.
• Before 3.0, the Gateway used SOAP 1.2 to communicate between gateways, but most if not all of the internal web service interfaces used SOAP 1.1.
• All internal interfaces, including Entity and Adapter, are now SOAP 1.2.
• This may break compatibility with adapter interfaces created before the CONNECT 3.0 release. Adapter interfaces that were created for use with CONNECT will need to be changed to use SOAP 1.2 under CONNECT 3.0.
Support of the Updated NHIN Specifications
Deferred Messaging
Jon Hoppesch/ Les Westberg
Deferred Messaging Services
• Asynchronous messaging using two two-way services
• Request/Response on separate HTTP sockets
• Allows for long-latencies between request/response
– Hours/days/weeks/months
• Both request/response have application ACK
– Ensures that the message was received
– Important for long latencies
• Makes use of WS-Addressing
– Support for “ReplyTo” value of: http://www.w3.org/2005/08/addressing/anonymous
– MessageId to track message through CONNECT services
• New web services on initiating/responding gateway per service
• Designed in conjunction with NHIN Spec Factory
Deferred Messaging Services Diagram
Deferred Messaging
NHIN Specification:
Messaging Platform, Patient Discovery, and Document
Submission specifications are currently being updated
by the NHIN Spec Factory to support Deferred
Messaging
• Messaging Platform Specification version 2.0.0.5 (5/10/2010)
• Patient Discovery Specification version 1.0.0.5 (5/10/2010)
• Document Submission Specification version 1.1.0.6 (5/13/2010)
Deferred Patient Discovery:
Request Transaction
[Diagram: PD Request and App Ack messages between the Initiating GW, the Responding GW and the Adapter's Patient Discovery Request, Error and Queue interfaces]
• New Patient Discovery Service added to support Deferred Request
– Includes new Entity, Nhin, and Adapter Service WSDL Interfaces
• Additional Adapter Interfaces were created in order to support Deferred Messaging
– Error Interface allows the Adapter to decide what is the appropriate action when an error occurs and when to send back that response
– Queue Interface allows the Adapter to decide when a request is processed, but still take advantage of the Gateway’s capabilities
• Patient Discovery Request Interface on the Adapter is for pass-through mode
Deferred Patient Discovery:
Response Transaction
[Diagram: PD Request, PD Response and App Ack messages between the Adapter, the Responding GW, the Initiating GW and the Patient Discovery Request and Queue interfaces]
• New Patient Discovery Service added to support Deferred Request
– Includes new Entity, Nhin, and Adapter Service WSDL Interfaces
• Additional Adapter Interfaces were created in order to support Deferred Messaging
– Queue interface is used by adapter to resume orchestration of the message when in orchestrated mode.
– Patient Discovery Response I/F is used to send a response when in pass-through mode
Deferred Patient Discovery:
Use Cases
Man In The Loop
• In certain situations a Patient Discovery Request cannot
be processed until a person approves the request
• Adapter ends up receiving all requests on one of the
Adapter Interfaces and is responsible for initiating when a
response is sent back
Batch Processing
• In certain situations Patient Discovery requests might not
be processed by organizations as soon as they are
received
• This allows for “batch” processing during off hours in order
to maximize resources
Deferred Patient Discovery:
Adapter Responsibilities
• Adapter software determines when a request
is processed
• Adapter software is responsible for setting
the MessageID WS-Addressing field in the
Patient Discovery Request Message
• Adapter software is responsible for setting the
corresponding RelatesTo WS-Addressing field
in the Patient Discovery Response Message
• Adapter software is responsible for keeping
track of missing responses
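A sketch of the adapter-side bookkeeping these responsibilities imply, added here as an illustration and not taken from CONNECT: it mints a MessageID per request, matches RelatesTo on incoming responses, ignores responses that match nothing outstanding, and reports requests whose response is overdue. The class name, method names and the time-out policy are assumptions.

```python
import uuid
import xml.etree.ElementTree as ET

WSA = "http://www.w3.org/2005/08/addressing"
SOAP12 = "http://www.w3.org/2003/05/soap-envelope"

def build_header(tag, value):
    """Serialize a SOAP 1.2 Header holding one WS-Addressing element."""
    header = ET.Element("{%s}Header" % SOAP12)
    ET.SubElement(header, "{%s}%s" % (WSA, tag)).text = value
    return ET.tostring(header, encoding="unicode")

class DeferredTracker:
    """Hypothetical adapter-side record of requests still awaiting a response."""

    def __init__(self, max_wait_seconds):
        self.max_wait = max_wait_seconds
        self.pending = {}                      # MessageID -> send time (seconds)

    def new_request(self, now):
        """Mint a MessageID, remember it, and return it with its header XML."""
        message_id = "urn:uuid:%s" % uuid.uuid4()
        self.pending[message_id] = now
        return message_id, build_header("MessageID", message_id)

    def accept_response(self, header_xml):
        """Return the matched MessageID, or None if nothing is outstanding for it."""
        if "<!DOCTYPE" in header_xml:          # SOAP messages must not carry a DTD
            raise ValueError("DOCTYPE not allowed in a SOAP message")
        header = ET.fromstring(header_xml)
        relates_to = (header.findtext("{%s}RelatesTo" % WSA) or "").strip()
        # pop() means a second response with the same RelatesTo no longer matches
        matched = self.pending.pop(relates_to, None) is not None
        return relates_to if matched else None

    def missing(self, now):
        """MessageIDs whose response has not arrived within max_wait seconds."""
        return sorted(m for m, sent in self.pending.items()
                      if now - sent > self.max_wait)

if __name__ == "__main__":
    tracker = DeferredTracker(max_wait_seconds=3600)
    first, request_header = tracker.new_request(now=0)
    second, _ = tracker.new_request(now=0)
    print(request_header)
    # Constructed response header, as the responding side would send it.
    print(tracker.accept_response(build_header("RelatesTo", first)))
    print(tracker.missing(now=7200))           # only the unanswered request
```

Because latencies can run to days or months, a real adapter would keep the pending table in durable storage rather than in memory.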
Deferred Patient Discovery:
Gateway Features
• Patient Discovery still has the ability to process
Patient Discovery Requests and Responses
– Decision of “when” to process these messages is up to the Adapter
– Message correlation capability to be able to process responses
– Decision is still up to the user on whether to have the Gateway handle
this service or to just pass-through messages to the adapter software.
• Gateway will ensure WS-Addressing fields are
maintained throughout the transaction
Deferred Document Submission:
3.0 Changes
• Interim solution was provided in
CONNECT Release 2.4
• Under release 3.0 this solution has been
brought in line with the new draft NHIN
specifications for deferred document
submission
• Main differences between the two solutions
– ebXML Registry Response message is used for
the application acknowledgement instead of
CONNECT-defined acknowledgement
– WS-Addressing MessageID and RelatesTo fields
are now used
More Information on WIKI
• Asynchronous messaging white papers/proposals: http://developer.connectopensource.org/display/CONNECTWIKI/Asynchronous+Messaging
• Generic asynchronous design: http://developer.connectopensource.org/display/CONNECTWIKI/Generic+Asynchronous+Communication
• Patient discovery service (added to original design): http://developer.connectopensource.org/display/CONNECTWIKI/Patient+Discovery+Service
• Document submission service (added to original design): http://developer.connectopensource.org/display/CONNECTWIKI/XDR+Service
Redaction Engine
Neil Webb
Redaction Engine
Usage
– Redaction Engine added to the process for document query and document
retrieve
– Document query and document retrieve services call the redaction engine prior to returning results
– Removes documents from response messages based on patient preferences
– Currently only uses Document Type Code for filtering
– The redaction engine is a new component on the adapter service bus
Access
– A Component Proxy is used to access the redaction engine
– Default implementation is “no-op” so the redaction engine is turned off by default
Database Independence
Ralph Saunders
Database Independence
• Hibernate Provides Database Independence
– Handles differences between databases and different versions of the same database through the use of Dialect Objects that are configured in Hibernate's *.cfg.xml files.
• Reserved Words
– Each database defines its own set of reserved words.
– Hibernate mapping files allow column and table names to be changed
without having to change source code.
• Name Length Restrictions
– MySQL allows a maximum of 64 characters on table and column names.
– Oracle allows a maximum of 30 characters on table and column names.
Database Independence
• Differences in Syntax
– SQL files for creating tables and
loading data need to be created for
each database.
• Blobs
– Blobs are implemented differently
by each database vendor.
– Hibernate provides good support
for Blobs, supporting both Java
Blob objects and Java byte arrays.
Large Image File Transfer (LiFT)
Vicky Vickers
Large Image File Transfer (LiFT)
Cool acronym! But what is it?
• Used to move large files from one gateway to another out-of-band.
• Initial implementation was donated by the community
• Code has been stewarded in by the CONNECT team
• LiFT is currently a CONNECT only implementation
– CONNECT must be used for the initiating and responding sides
– LiFT capabilities must be enabled for both sides
• Plans to submit specifications to NHIN Spec Factory
• Currently tested on Windows Non-FIPS platform only
• Future work to be done in 3.1
Large Image File Transfer (LiFT)
Deferred Document Submission
[Diagram: numbered flow (1-7) between the Adapter, Initiating Gateway and File Store on one side and the Responding Gateway, File Store and Adapter on the other]
1. Adapter sends Deferred Document Submission Request to the Entity Interface indicating the file URL.
2. Gateway retrieves the file to be transferred and makes it available on a File Server.
3. Deferred Document Submission Request is sent to targeted Gateway with the LiFT Payload.
4. Responding Gateway establishes a secure TCP/IP Socket connection and using the information in the LiFT payload requests the file transfer.
5. After verifying the secured connection request, the file is transferred.
6. Retrieved file is written to the configured file store location.
7. Gateway sends the Deferred Document Submission Request to the Adapter Interface indicating the URL of the retrieved file.
Large Image File Transfer (LiFT)
Need more information?
Visit the Design Document and Installation Guide
http://developer.connectopensource.org/display/CONNECTWIKI/Large+Image+File+Transfer+%28LiFT%29+Component
http://developer.connectopensource.org/display/NHINR30/Large+Image+File+Transfer+%28LiFT%29
Support of the Updated NHIN Specifications
Administrative Distribution Service
Kieran Dunne
Administrative Distribution
NHIN Specification
• Administrative Distribution v1.0 Dated: 10/26/2009
Underlying Specifications
• HITSP/T63 Emergency Message Distribution Element
Transaction, Version 1.1
• OASIS Emergency Data Exchange Language (EDXL)
Distribution Element (DE), Version 1.0
Administrative Distribution
Service Design
Purpose of the Administrative Distribution Service
• Used to “push” one or more available documents or sets of discrete data
• A “document” refers to the form of data as it is transferred between NHIOs,
not as it is stored in an NHIO
Service Highlights
• Data is non-patient centric
• One-way push mechanism. There is no response sent from the receiver
• Allows for multiple documents in a single distribution
• Allows for multiple targets
Administrative Distribution
Service Design
Notes
• Design only.
• To be implemented in a future release.
Reference
http://developer.connectopensource.org/display/CONNECTWIKI/Administrative+Distribution+Service
Performance Testing
Jason Ray
Performance Testing
Create a set of reusable performance tests
• 3.0 Goal: “show how the performance of the gateway varies from build-to-build, providing a basis to recognize when software changes have a performance impact”
• Utilize soapUI and Ant
• Tests are run automatically as part of the CI process
• http://developer.connectopensource.org/display/CONNECTWIKI/Performance+Testing+Overview
Performance Testing (Results)
Release 3.0 Performance Summary
Test Name | Runs | Avg
Entity Doc Query | 10 | 1.7
Entity Doc Query | 20 | 1.4
Entity Doc Query | 50 | 1.4
Entity Doc Retrieve | 1 | 8.5
Entity Doc Retrieve | 10 | 1.3
Entity Doc Retrieve | 20 | 1.3
Entity Doc Retrieve | 50 | 1.3
Entity Patient Discovery | 10 | 1.2
Entity Patient Discovery | 20 | 1.3
Entity Patient Discovery | 50 | 1.2
NHIN Doc Query (no results) | 50 | 1.1
NHIN Doc Query (1 result) | 50 | 1.1
NHIN Doc Query (3 results) | 50 | 1.1
NHIN Doc Query (many results) | 50 | 1.1
NHIN Doc Retrieve (1 document) | 50 | 1.3
NHIN Doc Retrieve (1 document) | 500 | 1.3
NHIN Doc Retrieve (1 document, 2 threads) | 50 | 1.8
NHIN Doc Retrieve (1 document, 4 threads) | 50 | 2.6
NHIN Doc Retrieve (sequential requests for multiple documents) | 50 | 6.4
NHIN Doc Retrieve (single request for multiple documents) | 50 | 1.9
NHIN Patient Discovery (no results) | 50 | 0.9
NHIN Patient Discovery | 50 | 1
Notes:
- Run = # of iterations through the test case
- Avg = Average time in seconds per transaction
http://developer.connectopensource.org/download/attachments/32768184/release+3.0+perf+summary.pdf
IDE Neutral Build Scripts
Srikanth Vadlamani
IDE Neutral Build Scripts
• IDE neutral build scripts replaced build scripts that depended on Ant scripts generated by the NetBeans IDE
• Apache Ivy is used to manage dependencies.
• CONNECT can be built using the command line or any IDE that supports Ant Builder
• Backward compatible: NetBeans IDE users can still use IDE features such as debug, etc.
• New features: code coverage, check style, execution of SoapUI tests
• Supports execution of SoapUI tests: ValidationTestSuite, RegressionTestSuite*, DevelopmentTestSuite*
http://developer.connectopensource.org/display/CONNECTWIKI/IDE+Neutral+Build+Scripts
* require soapUI Pro
Support for Online Certificate
Status Profile
Sai Valluripalli
OCSP Support
• Each NHIN initiating and responding gateway MUST implement either Online Certificate Status Protocol (OCSP) based X.509 certificate revocation checking or use CRLs against an NHIN-governed CA to determine the revocation status of each certificate as per NHIN policy.
• OCSP can be enabled by modifying the java.security file under the $JAVA_HOME/jre/lib/security/ path. Edit this file and search for ocsp. The ocsp.enable=true property is commented out by default. Uncomment this property and the ocsp.responderURL=http://ocsp.example.net:80 property.
• The ocsp.responderURL property should hold the OCSP service endpoint URL. If the certificate already includes this URL in its AIA (Authority Information Access) section, this property does not have to be set.
• To get OCSP functionality working, revocation checking must first be enabled with the checkRevocation JVM option: -Dcom.sun.net.ssl.checkRevocation=true.
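The settings above are easy to leave half-applied (property still commented, JVM option missing), so the following added example, which is not part of CONNECT, audits java.security content and a JVM option list for them. The function names and the two sample files are constructed for illustration; the property and option names are the ones given above.

```python
"""Audit a JVM's OCSP revocation settings (added example, constructed inputs)."""

REVOCATION_FLAG = "-Dcom.sun.net.ssl.checkRevocation=true"

def active_properties(security_text):
    """Return uncommented key=value pairs from java.security content."""
    props = {}
    for raw in security_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":      # properties-file comment markers
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit_revocation(security_text, jvm_options):
    """List the reasons OCSP checking would not take effect; empty means OK."""
    props = active_properties(security_text)
    findings = []
    if REVOCATION_FLAG not in jvm_options:
        findings.append("checkRevocation JVM option missing")
    # Property names are case-sensitive, so "Ocsp.enable" does not count.
    if props.get("ocsp.enable", "").lower() != "true":
        findings.append("ocsp.enable commented out or not true")
    url = props.get("ocsp.responderURL")
    if url is not None and not url.lower().startswith(("http://", "https://")):
        findings.append("ocsp.responderURL is not an http(s) URL")
    return findings

def relies_on_aia(security_text):
    """True when no responder URL is configured, so certificates must carry AIA."""
    return "ocsp.responderURL" not in active_properties(security_text)

# Constructed sample: both properties still commented out, as shipped.
DEFAULT_FILE = """\
#ocsp.enable=true
#ocsp.responderURL=http://ocsp.example.net:80
"""
# Constructed sample: the same lines after following the steps above.
ENABLED_FILE = """\
ocsp.enable=true
ocsp.responderURL=http://ocsp.example.net:80
"""

if __name__ == "__main__":
    print(audit_revocation(DEFAULT_FILE, ["-Xmx512m"]))
    print(audit_revocation(ENABLED_FILE, ["-Xmx512m", REVOCATION_FLAG]))
```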
Secure & Unsecured Interfaces
Neil Webb
Secured & Unsecured Interfaces
• Security needs
– Different implementations have different security needs for Gateway/
Adapter messaging.
– Some need secured and some cannot or would prefer not to use secure
messaging between the gateway and adapter.
• Structure
– Component proxy used to reference secured or unsecured web service client.
– Patient Discovery completed as a pilot.
• Changes required
– Move some web services (e.g. Move unsecured entity web service from
AdapterWeb to GatewayWeb).
– Create new component proxy implementations and rename others.
Support Items
Ralph Saunders and Visu Patlolla
Support Items
FIPS Compliance on Sparc Solaris with Glassfish
• FIPS (Federal Information Processing Standards) publication 140-2 defines the Security Requirements for Cryptographic Modules.
• Cryptographic modules used in CONNECT should be FIPS 140-2 compliant in order to meet Federal Government requirements.
• Network Security Services (NSS) libraries are used for implementing cryptography.
• NSS libraries are implemented in C and they are platform dependent.
• NSS libraries are integrated into Glassfish using SunPKCS security provider dynamically.
• Instructions to set up CONNECT in FIPS mode on Solaris are available at http://developer.connectopensource.org/display/CONNECTWIKI/Instructions+to+set+up+CONNECT+in+FIPS+mode+on+Sparc+Solaris+environment
FIPS Compliance on Linux with JBOSS
• NSS is used to implement FIPS compliance.
• NSS libraries are configured statically using SunPKCS security provider. SunPKCS provider should be defined in java.security file.
• SSL Provider should be updated to refer to SunPKCS provider in the java.security file.
• Instructions to set up CONNECT in FIPS mode on Linux/JBOSS are available at http://developer.connectopensource.org/display/CONNECTWIKI/FIPS+validation+on+JBoss
RedHat Linux Using JBOSS
• Incorrect drivers will produce misleading error messages if Blobs are used
Overview of 3.1 Plans
Les Westberg
CONNECT 3.1 Planned Features
Released on 9.15.10
3.1 Feature, followed by its Description:
CONNECT CORE Gateway Refactoring
• Java Library Architecture Enhancements
• Separation of Web Services and Business Logic via component proxies in Spring Framework
• Enables CONNECT portability to many environments in the future.
• Enables the use of other technologies in the future (e.g. REST, XMPP, etc.).
• Improves CONNECT performance when the adapter and gateway reside on the same machine.
• Reduces the number of web service calls
Deferred Document Retrieve Services
• Document Retrieve will be enhanced to support Deferred Messaging Services.
• Deferred Messaging enables a service to defer the processing of a message for an indefinite amount of time, allowing for minutes, hours, days, weeks, or even months to transpire before sending a response to a message.
Large Image & File Transfer (LiFT) for Document Retrieve & HIEM**
• Mechanism to send and receive files in excess of 1GB over the NHIN.
• Transfer of large files between gateways using an Out-Of-Band transfer Mechanism.
• Enhancements will apply to Document Retrieve & **possibly HIEM in 3.1.
• The out-of-band connection information is communicated using NHIN services. When the responding gateway receives the message, it is able to determine that the data is to be transferred using the out-of-band mechanism. Information in the message is used to retrieve the file across a separate secured HTTP connection (2-way SSL).
• Solution to be proposed to NHIN.
Performance Testing Enhancements
• Enhancements will continue to the automated performance testing framework introduced in Release 3.0.
Automate Conformance Tests
• All Tests that have been provided by the NHIN testing group will be added to the CONNECT automated testing process.
Release 3.1 Priorities are subject to change at any time.
CONNECT 3.1 Change Requests
Pending CRs
Pending CR: Secure & Unsecure Options Between Gateway and Adapter Services
Who: CMS
Description: Ability to support a secure or an unsecure interface between the gateway and the adapter for all services.
Pending CR: Large File Support for Document Retrieve
Who: SSA
Description: Ability to support files in excess of 100MBs using Document Retrieve.
Pending CR: Logging Enhancements
Who: SSA
Description:
• Support logging enhancements for the requestor initiating the following services on the CONNECT Gateway:
– Patient Discovery,
– Query for Documents,
– Retrieve Document.
• Add the ability to add a transaction identifier for each Patient Discovery, Query for Documents, Retrieve Document request that would be added to log entries for that individual request.
• Group log entries associated with Requests.
Pending CR: Administrative Distribution Documents (e.g. PQRI feedback reports)
Who: CMS
Description:
• NHIN-Connect for distribution of Administrative Documents, e.g., PQRI feedback reports for providers
– PQRI: Patient Quality Reporting Initiative.
– Feedback reports inform participating providers about the results from processing submitted clinical documents and provide a periodic analysis of their participation in the quality improvement initiative.
• CMS can distribute via HIEs administrative documents to providers participating in programs such as the OCSQ PQRI program.
Approval of a CR may impact priorities and deliverables for the release.
CONNECT Release 3.0
Release 3.0 is currently available for download
http://developer.connectopensource.org/display/NHINR30/Release+3.0+Home
Questions?
Thank you for joining.
Please Participate in a Short Survey!
http://www.surveymonkey.com/s/LTLLVF3