
Cross-Enterprise Security and Privacy Authorization (XSPA) Version 2.0 Implementation Guide to the Nationwide Health Information Network (NwHIN) - AdapterPolicyEngine

OASIS Examples of Use

11 March 2012

Specification URIs:

This Version:



Previous Version:

xspa-nwhin-adapter-guide.doc

Latest Version:

xspa-nwhin-adapter-guide.doc

Technical Committee:

OASIS Cross-Enterprise Security and Privacy Authorization (XSPA) TC

Chair(s):

Anil Saldhana, Red Hat

Editor(s):

Duane DeCouteau, Department of Veterans Affairs (Edmond Scientific)

Related work:

XSPA version 2.0

Declared XML Namespace(s):

urn:oasis:names:tc:xacml:2.0

urn:oasis:names:tc:xspa:1.0

urn:oasis:names:tc:saml:2.0

urn:oasis:names:tc:wssx:1.3

Abstract:

This example of use document describes how Cross-Enterprise Security and Privacy Authorization (XSPA) can be, and is being, used in the Nationwide Health Information Network (NwHIN), a US-realm-specific implementation.

Status:

This is a committee draft; please send comments to the Technical Committee by using the “Send A Comment” button on the Technical Committee’s web page at .

For information on whether any patents have been disclosed that may be essential to implementing this specification, and any offers of patent licensing terms, please refer to the Intellectual Property Rights section of the Technical Committee web page ().

Notices

Copyright © OASIS® 2010. All Rights Reserved.

All capitalized terms in the following text have the meanings assigned to them in the OASIS Intellectual Property Rights Policy (the "OASIS IPR Policy"). The full Policy may be found at the OASIS website.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published, and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this section are included on all such copies and derivative works. However, this document itself may not be modified in any way, including by removing the copyright notice or references to OASIS, except as needed for the purpose of developing any document or deliverable produced by an OASIS Technical Committee (in which case the rules applicable to copyrights, as set forth in the OASIS IPR Policy, must be followed) or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY OWNERSHIP RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

OASIS requests that any OASIS Party or any other party that believes it has patent claims that would necessarily be infringed by implementations of this OASIS Committee Specification or OASIS Standard, to notify OASIS TC Administrator and provide an indication of its willingness to grant patent licenses to such patent claims in a manner consistent with the IPR Mode of the OASIS Technical Committee that produced this specification.

OASIS invites any party to contact the OASIS TC Administrator if it is aware of a claim of ownership of any patent claims that would necessarily be infringed by implementations of this specification by a patent holder that is not willing to provide a license to such patent claims in a manner consistent with the IPR Mode of the OASIS Technical Committee that produced this specification. OASIS may include such claims on its website, but disclaims any obligation to do so.

OASIS takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on OASIS' procedures with respect to rights in any document or deliverable produced by an OASIS Technical Committee can be found on the OASIS website. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this OASIS Committee Specification or OASIS Standard, can be obtained from the OASIS TC Administrator. OASIS makes no representation that any information or list of intellectual property rights will at any time be complete, or that any claims in such list are, in fact, Essential Claims.

The names "OASIS", “SAML” and “XSPA” are trademarks of OASIS, the owner and developer of this specification, and should be used only to refer to the organization and its official outputs. OASIS welcomes reference to, and implementation and use of, specifications, while reserving the right to enforce its marks against misleading uses. Please see for above guidance.

Table of Contents

1 Introduction
1.1 Terminology
1.2 References
2 XSPA - NwHIN Implementation
2.1 Development Requirements
2.1.1 Development IDE
2.1.2 Connect Source Code
2.1.3 Java Libraries
2.2 AdapterPolicyEngine
2.2.1 AdapterPolicyEngine Netbeans Project
2.2.2 Translating CheckPolicyRequestType For XSPA Use
2.2.3 Example AdapterPolicyEngineImpl
2.2.4 Example AdapterPolicyEngineSecuredImpl
2.3 Deployment Considerations
2.3.1 internalConnectionInfo.xml
2.3.2 AdapterPIPConfig.xml
2.3.3 AdapterPEPConfig.xml
2.3.4 AdapterPolicyEngineOrchestratorProxyConfig.xml
2.3.5 PolicyEngineConfigProxy.xml
2.3.6 AdapterPolicyEngine.properties
2.4 Validation Testing
A. Revision History


Table of Tables

Table 1 - Java Libraries
Table 2 - XSPA Subject Values
Table 3 - XSPA Resource Values
Table 4 - *XSPA Resource Name

1 Introduction

This document describes how to implement XSPA within a CONNECT 3.2 or AURION 4.0 NwHIN environment.

1.1 Terminology

Attributes - Attributes are information related to user location, role, purpose of use, and requested resource requirements and actions necessary to make an access control decision. This terminology is used by the SAML and XACML specifications and is equivalent in concept to claims.

Object – An object is an entity that contains or receives information. The objects can represent information containers (e.g., files or directories in an operating system, and/or columns, rows, tables, and views within a database management system) or objects can represent exhaustible system resources, such as printers, disk space, and central processing unit (CPU) cycles. ANSI RBAC (American National Standards Institute Role Based Access Control)

Operation - An operation is an executable image of a program, which upon invocation executes some function for the user. Within a file system, operations might include read, write, and execute. Within a database management system, operations might include insert, delete, append, and update. An operation is also known as an action or privilege. ANSI RBAC

Permission - An approval to perform an operation on one or more RBAC protected objects. ANSI RBAC

Structural Role - A job function within the context of an organization whose permissions are defined by operations on workflow objects. ASTM (American Society for Testing and Materials) E2595-2007

Service Provider (SP) - The service provider represents the system providing a protected resource and relies on the provided security service.

Service User - The service user represents any individual entity [such as on an Electronic Health Record (EHR)/Personal Health Record (PHR) system] that needs to make a service request of a Service Provider.

Web Service - A Web Service is a software component that is described via WSDL and is capable of being accessed via standard network protocols such as but not limited to SOAP over HTTP.

1.2 References

[RFC2119] S. Bradner, Key words for use in RFCs to Indicate Requirement Levels, , IETF RFC 2119, March 1997.

[SAMLPROF] OASIS Standard, “Profiles for the OASIS Security Assertion Markup Language, v2.0,” March 2005.

[ASTM E1986-09 (2009)] Standard Guide for Information Access Privileges to Health Information.

[ASTM E2595 (2007)] Standard Guide for Privilege Management Infrastructure

[SAML] OASIS Standard, “Security Assertion Markup Language (SAML) v2.0”, March 2005.

[HL7-PERM] HL7 Security Technical Committee, HL7 Version 3 Standard: Role-based Access Control Healthcare Permission Catalog, (Available through ), Release 1, Designation: ANSI/HL7 V3 RBAC, R1-2008, Approval Date 2/20/2008.

[HL7-CONSENT] HL7 Consent Related Vocabulary Confidentiality Codes Recommendation, , from project submission:

[WS-TRUST] OASIS Standard, “WS-Trust, Version 1.3”, March 2007. .

[XSPA-SAML-INTRO] OASIS Committee Working Draft, “XSPA Introduction to Profile of SAML for Healthcare”, December 2008.

[XSPA-PROFILES] OASIS Standard, Cross-Enterprise Security and Privacy Authorization (XSPA) Profile of Security Assertion Markup Language (SAML) v2.0 For Healthcare Version 1.0.

OASIS Standard, Cross-Enterprise Security and Privacy Authorization (XSPA) Profile of eXtensible Access Control Markup Language (XACML) v2.0 For Healthcare Version 1.0.

OASIS Standard, Cross-Enterprise Security and Privacy Authorization (XSPA) Profile of WS-Trust v1.3 For Healthcare Version 1.0.



2 XSPA - NwHIN Implementation

This document provides recommendations on how to implement an XSPA-compliant AdapterPolicyEngine using the CONNECT 3.2 stack as the source implementation. These examples are based on the author’s previous work on the RSA2008, HIMSS 2009, RSA2010 and HIMSS 2011 Interoperability Demonstrations, and on NwHIN-related projects: the U.S. Dept. of Defense Military Health Systems (MHS) Virtual Lifetime Electronic Record (VLER) v1.a, the Dept. of Veterans Affairs Veterans Authorizations and Preferences (VAP) v1.0, and a large private health organization’s recent deployment based on the Aurion 4.0 stack.

2.1 Development Requirements

2.1.1 Development IDE

This example was developed using Netbeans version 7.0.1 and the Java JDK 1.6.0_21. Netbeans can be downloaded at . The Java JDK can be downloaded at . Alternatively, download the Netbeans 7.0.1 bundle that includes Java.

2.1.2 Connect Source Code

The CONNECT version used in this document is available at .

2.1.3 Java Libraries

|Provider |Library |
|CONNECT |Common-logging.jar |
| |Common-types.jar |
| |Core-lib.jar |
|Oracle - Java |Javee-web-api-6.0.jar |
| |Jaxws-rt-2.2.jar |
| |Jaxws-tools-2.2.jar |
| |Log4j12-1.2.jar |
|Your Policy Engine ContextHandler interface libraries or Web Service client |YourContextHandler.jar |

Table 1 - Java Libraries

2.2 AdapterPolicyEngine

2.2.1 AdapterPolicyEngine Netbeans Project

The following are the steps for setting up your AdapterPolicyEngine Netbeans project. In this project we assume that you are implementing it as a Web Service.

Step 1.) Create a new Netbeans Web Application Project and name it AdapterPolicyEngine.

Step 2.) Copy the gov.hhs.nhinc.policyengine.adapter package from the NwHIN CONNECT ConnectAdapterWeb project. This package has four classes in it: AdapterPolicyEngine, AdapterPolicyEngineImpl, AdapterPolicyEngineSecured and AdapterPolicyEngineSecuredImpl.

Step 3.) Paste the package into the src tree of your AdapterPolicyEngine project.

Step 4.) Under WEB-INF create a wsdl folder.

Step 5.) Under the wsdl folder create three folders: AdapterPolicyEngine, AdapterPolicyEngineSecured and schemas.

Step 6.) From NHINC/”version”/Product/Production/Common/interfaces/src/wsdl copy AdapterPolicyEngine.wsdl and AdapterPolicyEngineSecured.wsdl into their respective folders.

Step 7.) From the NHINC/”version”/Product/Production/Common/interfaces/src/schemas folder copy and paste the following folders into your schemas folder: Endpoint, HL7V3, docs.oasis-, ebRS, ihe, mural, nhin, nhinc, oasis, uddi, , xmalsoap.

Step 8.) Include all the libraries listed in the previous sections.

The AdapterPolicyEngine performs the following basic functions:

1. Consumes the request to “checkPolicy” from the requesting adapter.

2. Gets the AssertionType from the CheckPolicyRequestType object.

3. Creates the XSPASubject object

4. Creates the XSPAResource object.

5. Translates ws-resource to something PolicyEngine and User will easily understand

6. Determines if the request is Inbound or Outbound

7. Communicates with the ContextHandler

8. Brokers policy decision back to requesting Adapter (PatientDiscovery, DocumentQuery).

Only two (2) of the NHINC classes need to be modified to accomplish the above: AdapterPolicyEngineImpl and AdapterPolicyEngineSecuredImpl.

2.2.2 Translating CheckPolicyRequestType For XSPA Use

|Data Source - AssertionType |XSPA Mapping |Comments |
|getHomeCommunity().getHomeCommunityId() |XSPASubject.setSubjectLocality() | |
|getUserInfo().getOrg().getName() |XSPASubject.setOrganization() | |
|getHomeCommunity().getHomeCommunityId() |XSPASubject.setOrganizationId() |This was originally the facility in XSPA v1.0. In version 2.0 this becomes the urn:oid value for the child organization, if any. For now just repeat homeCommunityId. |
|UserType.getUserName() |XSPASubject.setSubjectNPI() |This is for the CMS-provided National Provider Identifier (NPI). Since the NPI is not fully available at this time, just populate it with the user’s name. |
|UserType.getUserName() |XSPASubject.setSubjectId() |NwHIN is consistently passing this and it should be part of the audit log of authorization events. Don’t make policy decisions on it; it is not unique. Use the NPI if available. |
|UserType.getUserName() |XSPASubject.setSubjectEmailAddress() |Again, this is not clearly mapped on the NwHIN side, so just populate the username here. |
|getPurposeOfDisclosureCode().getCode() |XSPASubject.setPurposeOfUse() |On the NwHIN, getCode() returns the display name of the PurposeOfUse. You will most likely write your XACML policy to use the name rather than the numeric representation (because that is what people will understand). |
|getRoleCoded().getDisplayName() |XSPASubject.setStructuredRole() |Again the DisplayName is used, as policy will reference the display value, not the code value. Your policy attributes will need to handle different values with the same meaning, e.g., ASTM “MD/Allopath” is the same as SNOMED-CT “Doctor”. |
|getMessageId() |XSPASubject.setMessageId() |This is the NwHIN implementation’s unique message identifier. You will use it to cross-reference the authorization event back to the initial request for auditing purposes. |

Table 2 - XSPA Subject Values

|Data Source - AssertionType |XSPA Resource |Comments |
| |XSPAResource.setResourceAction() |Default value “Execute” |
|getSamlAuthzDecisionStatement().getResource() |XSPAResource.setResourceType() | |
|*You must calculate this |XSPAResource.setResourceName() |Valid values are PatientDiscoveryIn, PatientDiscoveryOut, DocumentQueryIn, DocumentQueryOut, DocumentRetrieveIn, DocumentRetrieveOut, DocumentSubmissionIn, DocumentSubmissionOut |
|**You must calculate this |XSPAResource.setResourceId() |Unique Patient Identifier |

Table 3 - XSPA Resource Values

*Note: There are many message types that relate to an actionable policy decision. To simplify the implementation for the individuals responsible for creating XACML PolicySets and policy attributes, Table 4 maps each ws-resource value to an enforceable policy resource name. Additionally, you must determine whether the request is inbound (“In”) or outbound (“Out”).

**Note: Your patient consent policy repository may not identify the patient by the full NwHIN uniquePatientId. If so, you must extract the patientId from the uniquePatientId; for example, the patientId from “1004^^^1.1.1.1.1.0” is 1004. The following code snippet addresses this.

// Reduce the NwHIN uniquePatientId ("1004^^^1.1.1.1.1.0") to the local patientId ("1004")
private String getUniquePatientIdentifier(AssertionType assertion) {
    String res = "";
    String nhinpatient = assertion.getUniquePatientId().get(0);
    try {
        // everything before the first "^" is the patientId
        StringTokenizer st = new StringTokenizer(nhinpatient, "^");
        res = st.nextToken();
    }
    catch (Exception ex) {
        // an empty or null uniquePatientId ends up here; res stays ""
        log.warn("Error in Processing uniquePatientId", ex);
    }
    return res;
}

|XSPAResource Name |ws-resource |
|PatientDiscovery |urn:gov:hhs:fha:nhinc:adapterpatientdiscoverysecured:RespondingGateway_PRPA_IN201305UV02RequestSecuredMessage |
| |urn:gov:hhs:fha:nhinc:adapterpatientdiscovery:RespondingGateway_PRPA_IN201305UV02RequestMessage |
| |urn:gov:hhs:fha:nhinc:adapterpatientdiscoverysecuredasyncreq:ProcessPatientDiscoveryAsyncReqAsyncRequest |
| |urn:gov:hhs:fha:nhinc:adapterpatientdiscoveryasyncreq:ProcessPatientDiscoveryAsyncReqAsyncRequest |
| |urn:gov:hhs:fha:nhinc:entitypatientdiscoverysecuredasyncreq:AddPatientDiscoveryAsyncReqRequestMessage |
| |urn:gov:hhs:fha:nhinc:entitypatientdiscoveryasyncreqqueue:AddPatientDiscoveryAsyncReqAsyncRequest |
| |urn:gov:hhs:fha:nhinc:entitypatientdiscoverysecuredasyncreq:ProcessPatientDiscoveryAsyncReqRequestMessage |
| |urn:gov:hhs:fha:nhinc:entitypatientdiscoveryasyncreq:ProcessPatientDiscoveryAsyncReqAsyncRequest |
| |urn:hl7-org:v3:PRPA_IN201305UV02:Deferred:CrossGatewayPatientDiscovery |
| |urn:hl7-org:v3:PRPA_IN201305UV02:CrossGatewayPatientDiscovery |
| |urn:gov:hhs:fha:nhinc:nhincproxypatientdiscoverysecuredasyncreq:Proxy_ProcessPatientDiscoveryAsyncReqRequestMessage |
| |urn:gov:hhs:fha:nhinc:nhincproxypatientdiscoveryasyncreq:Proxy_ProcessPatientDiscoveryAsyncReqRequest |
| |urn:gov:hhs:fha:nhinc:nhincproxypatientdiscoverysecured:Proxy_PRPA_IN201305UVProxyRequestMessage |
| |urn:gov:hhs:fha:nhinc:nhincproxypatientdiscovery:Proxy_PRPA_IN201305UVProxyRequest |
|DocumentQuery |urn:ihe:iti:2007:CrossGatewayQuery |
| |urn:gov:hhs:fha:nhinc:nhincproxydocquerydeferredrequestsecured:CrossGatewayQueryRequest |
| |urn:gov:hhs:fha:nhinc:nhincproxydocquerydeferredrequest:CrossGatewayQueryRequest |
| |urn:gov:hhs:fha:nhinc:nhincproxydocquerysecured:RespondingGateway_CrossGatewayQueryRequestSecuredMessage |
| |urn:gov:hhs:fha:nhinc:nhincproxydocquery:RespondingGateway_CrossGatewayQueryRequestMessage |
|DocumentRetrieve |urn:ihe:iti:xds-b:2007:Deferred:CrossGatewayRetrieve_Message |
| |urn:ihe:iti:2007:CrossGatewayRetrieve |
| |urn:gov:hhs:fha:nhinc:nhincproxydocretrievedeferredsecuredrequest:CrossGatewayRetrieveRequestMessage |
| |urn:gov:hhs:fha:nhinc:nhincproxydocretrievedeferredrequest:CrossGatewayRetrieveRequestMessage |
| |urn:gov:hhs:fha:nhinc:nhincproxydocretrievesecured:RespondingGateway_CrossGatewayRetrieveRequest |
| |urn:gov:hhs:fha:nhinc:nhincproxydocretrieve:RespondingGateway_CrossGatewayRetrieveRequest |
|DocumentSubmission |urn:ihe:iti:xdr:2007:Deferred:XDRRequestInputMessage |
| |urn:ihe:iti:xdr:2007:ProvideAndRegisterDocumentSet-b |
| |urn:gov:hhs:fha:nhinc:nhincproxyxdrsecured:async:request:ProvideAndRegisterDocumentSet-bAsyncRequest_Request |
| |urn:gov:hhs:fha:nhinc:nhincproxyxdr:async:request:ProvideAndRegisterDocumentSet-bAsyncRequest_Request |
| |urn:gov:hhs:fha:nhinc:nhincproxyxdrsecured:ProvideAndRegisterDocumentSet-b |
| |urn:gov:hhs:fha:nhinc:nhincproxyxdr:ProvideAndRegisterDocumentSet-b |

Table 4 - *XSPA Resource Name

*Note: Additionally, you will need to provide a generic evaluation of the ws-resource that is being delivered, because in some cases it will not be one of the URNs above but, for example, the external service’s endpoint address.

// Fallback when the Table 4 lookup did not produce a resource name
String res = xspaR.getResourceName();
if (res == null || res.equals("")) {
    // failed action assertion translation; fall back to matching on the ws-resource text
    String ws_resource = assertion.getSamlAuthzDecisionStatement().getResource();
    if (ws_resource.indexOf("PatientDiscovery") > -1) {
        res = "PatientDiscovery";
    }
    else if (ws_resource.indexOf("DocQuery") > -1) {
        res = "DocumentQuery";
    }
    else if (ws_resource.indexOf("DocRetrieve") > -1) {
        res = "DocumentRetrieve";
    }
    else if (ws_resource.indexOf("DocSubmission") > -1) {
        res = "DocumentSubmission";
    }
    else {
        // no PolicySet should match this name, so an unrecognised resource is not permitted
        res = "Unknown Resource - " + ws_resource + " ";
    }
}

2.2.3 Example AdapterPolicyEngineImpl

The following is an incomplete Java source class intended to provide guidance.

import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.StringTokenizer;
import javax.xml.ws.BindingProvider;
import javax.xml.ws.WebServiceContext;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
// CONNECT common types and property access (Common-types.jar and Core-lib.jar in Table 1);
// check the package names against the CONNECT version you copied the package from.
import gov.hhs.fha.nhinc.common.nhinccommon.AssertionType;
import gov.hhs.fha.nhinc.common.nhinccommonadapter.CheckPolicyRequestType;
import gov.hhs.fha.nhinc.common.nhinccommonadapter.CheckPolicyResponseType;
import gov.hhs.fha.nhinc.properties.PropertyAccessor;
import oasis.names.tc.xacml._2_0.context.schema.os.ResponseType;
// XSPASubject, XSPAResource, ContextHandlerWSService, ContextHandlerWS and PolicyEnforcementObject
// come from your ContextHandler client library (YourContextHandler.jar in Table 1).

public class AdapterPolicyEngineImpl
{
    private Log log = null;
    private WebServiceContext iContext;
    private CheckPolicyRequestType iRequest;
    private String homeCommunityId = "";
    private List<String> oidLIST = new ArrayList<String>();
    private String chEndpoint = "";
    private String PROPERTY_FILE_NAME = "policyengine.properties";
    private String HOME_COMMUNITY_ID_KEY = "HCID";
    private String ORGANIZATION_OID_LIST = "OID_LIST";
    private String CONTEXT_HANDLER_WS_ENDPOINT = "CONTEXT_HANDLER_ENDPOINT";

    public AdapterPolicyEngineImpl()
    {
        log = createLogger();
        setPolicyEngineConfiguration();
    }

    protected Log createLogger()
    {
        return LogFactory.getLog(getClass());
    }

    protected void loadAssertion(AssertionType assertion, WebServiceContext wsContext) throws Exception
    {
        // TODO: Extract message ID from the web service context for logging.
    }

    public CheckPolicyResponseType checkPolicy(CheckPolicyRequestType request, WebServiceContext context)
    {
        log.debug("Begin AdapterPolicyEngineImpl.checkPolicy (unsecure)");
        CheckPolicyResponseType checkPolicyResp = null;
        this.iContext = context;
        this.iRequest = request;
        try
        {
            AssertionType assertion = request.getAssertion();
            loadAssertion(assertion, context);
            checkPolicyResp = checkPolicyMyPolicyEngine(assertion);
        }
        catch (Exception e)
        {
            String sMessage = "Error occurred calling AdapterPolicyEngineImpl.checkPolicy. Error: " + e.getMessage();
            log.error(sMessage, e);
            throw new RuntimeException(sMessage, e);
        }
        log.debug("End AdapterPolicyEngineImpl.checkPolicy (unsecure)");
        return checkPolicyResp;
    }

    // Translate the AssertionType into an XSPASubject as laid out in Table 2
    private XSPASubject createSubject(AssertionType assertion) {
        XSPASubject xspaS = new XSPASubject();
        String hcid = assertion.getHomeCommunity().getHomeCommunityId();
        String userName = assertion.getUserInfo().getUserName();
        xspaS.setSubjectLocality(hcid);
        xspaS.setOrganization(assertion.getUserInfo().getOrg().getName());
        xspaS.setOrganizationId(hcid);          // repeat homeCommunityId until child organization OIDs are carried
        xspaS.setSubjectNPI(userName);          // NPI not yet available on the NwHIN; user name stands in
        xspaS.setSubjectId(userName);           // audit use only; not unique, so no policy decisions on it
        xspaS.setSubjectEmailAddress(userName);
        xspaS.setPurposeOfUse(assertion.getPurposeOfDisclosureCode().getCode());
        xspaS.setStructuredRole(assertion.getUserInfo().getRoleCoded().getDisplayName());
        xspaS.setMessageId(assertion.getMessageId());
        return xspaS;
    }

    // Translate the AssertionType into an XSPAResource as laid out in Table 3
    private XSPAResource createResource(AssertionType assertion) {
        XSPAResource xspaR = new XSPAResource();
        String wsResource = assertion.getSamlAuthzDecisionStatement().getResource();
        xspaR.setResourceAction("Execute");
        xspaR.setResourceType(wsResource);
        xspaR.setResourceName(getRequestType(wsResource, assertion.getHomeCommunity().getHomeCommunityId()));
        xspaR.setResourceId(getUniquePatientIdentifier(assertion.getUniquePatientId().get(0)));
        return xspaR;
    }

    private void setPolicyEngineConfiguration() {
        // From your policyengine.properties file in the $NHINC_PROPERTIES_DIR directory set values for
        // - the servicing organization's HomeCommunityId
        // - the list of all OIDs associated with/internal to this organization (needed to determine inbound vs. outbound)
        // - the service endpoint of the CONTEXTHANDLER
        try {
            chEndpoint = PropertyAccessor.getProperty(PROPERTY_FILE_NAME, CONTEXT_HANDLER_WS_ENDPOINT);
            populateOIDsList(PropertyAccessor.getProperty(PROPERTY_FILE_NAME, ORGANIZATION_OID_LIST));
            homeCommunityId = PropertyAccessor.getProperty(PROPERTY_FILE_NAME, HOME_COMMUNITY_ID_KEY);
        }
        catch (Exception ex) {
            log.error("Unable to read policy engine configuration from " + PROPERTY_FILE_NAME, ex);
        }
    }

    private CheckPolicyResponseType checkPolicyMyPolicyEngine(AssertionType assertion) {
        CheckPolicyResponseType res = new CheckPolicyResponseType();
        ResponseType rt = new ResponseType();
        try {
            XSPASubject xspaS = createSubject(assertion);
            XSPAResource xspaR = createResource(assertion);
            ContextHandlerWSService service = new ContextHandlerWSService();
            ContextHandlerWS port = service.getContextHandlerWSPort();
            ((BindingProvider) port).getRequestContext().put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, chEndpoint);
            PolicyEnforcementObject policyDecision = port.enforcePolicy(xspaS, xspaR);
            // Set the following values from the XSPA PolicyEnforcementObject onto the CheckPolicyResponseType:
            // - ResultType
            // - DecisionType
            // - StatusType
            // - ObligationType
            // - ResponseType
        }
        catch (Exception e) {
            // on failure rt carries no decision; the requesting adapter must treat that as not permitted
            log.warn("Error obtaining policy decision from ContextHandler", e);
        }
        res.setResponse(rt);
        return res;
    }

    // Reduce the NwHIN uniquePatientId ("1004^^^1.1.1.1.1.0") to the local patientId ("1004")
    private String getUniquePatientIdentifier(String nhinpatient) {
        String res = "";
        try {
            StringTokenizer st = new StringTokenizer(nhinpatient, "^");
            res = st.nextToken();
        }
        catch (Exception ex) {
            log.warn("Error in Processing uniquePatientId", ex);
        }
        return res;
    }

    // Translate SAMLAuthzDecisionStatement.getResource() to a resource name (see Table 4 and the
    // fallback check in section 2.2.2), then append In (inbound) or Out (outbound) depending on
    // whether the requesting subject locality is one of this organization's own OIDs
    private String getRequestType(String ws_resource, String subjectlocality) {
        String res = "";
        if (ws_resource == null) {
            return res;
        }
        if (ws_resource.indexOf("PatientDiscovery") > -1) {
            res = "PatientDiscovery";
        }
        else if (ws_resource.indexOf("DocQuery") > -1) {
            res = "DocumentQuery";
        }
        else if (ws_resource.indexOf("DocRetrieve") > -1) {
            res = "DocumentRetrieve";
        }
        else if (ws_resource.indexOf("DocSubmission") > -1) {
            res = "DocumentSubmission";
        }
        else {
            log.warn("Unknown ws-resource: " + ws_resource);
            return res;
        }
        return res + (isOIDMember(subjectlocality) ? "Out" : "In");
    }

    // OID_LIST is space delimited; each entry is stored in urn:oid form
    private void populateOIDsList(String oidlist) {
        try {
            StringTokenizer st = new StringTokenizer(oidlist);
            while (st.hasMoreTokens()) {
                String res = st.nextToken();
                res = "urn:oid:" + res;
                oidLIST.add(res);
            }
        }
        catch (Exception ex) {
            log.warn("Error reading internal oid list", ex);
        }
    }

    // determines whether the requesting subjectLocality is an internal or external oid;
    // internal is outbound - Out, external is inbound - In
    private boolean isOIDMember(String oid) {
        boolean res = false;
        Iterator<String> iter = oidLIST.iterator();
        while (iter.hasNext()) {
            String iOID = iter.next();
            if (iOID.equals(oid)) {
                res = true;
            }
        }
        return res;
    }
}
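To show how Tables 2 to 4, the In/Out rule and the patientId note in section 2.2.2 come together, here is an added example that is not code from this guide, from CONNECT or from the XSPA TC. It looks the ws-resource up against Table 4 first and only then falls back to the substring check from 2.2.2, made case-insensitive so the lower-case nhincproxy URNs are caught too; the class name XspaResourceTranslator, the subset of Table 4 it carries and the external OID 2.2.2.2 are constructed for the illustration.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Derives the XSPAResource name and id from a NwHIN ws-resource, the requesting subject
// locality and the uniquePatientId (Tables 2 to 4, notes in section 2.2.2). Added
// illustration only; not CONNECT, Aurion or XSPA project code.
public class XspaResourceTranslator {
    // Exact ws-resource URNs (a subset of Table 4) mapped to XSPAResource base names.
    private static final Map<String, String> KNOWN_RESOURCES = new HashMap<String, String>();
    static {
        KNOWN_RESOURCES.put("urn:hl7-org:v3:PRPA_IN201305UV02:CrossGatewayPatientDiscovery", "PatientDiscovery");
        KNOWN_RESOURCES.put("urn:ihe:iti:2007:CrossGatewayQuery", "DocumentQuery");
        KNOWN_RESOURCES.put("urn:ihe:iti:2007:CrossGatewayRetrieve", "DocumentRetrieve");
        KNOWN_RESOURCES.put("urn:ihe:iti:xdr:2007:ProvideAndRegisterDocumentSet-b", "DocumentSubmission");
    }

    // OIDs internal to this node (the OID_LIST property), held in urn:oid form.
    private final Set<String> internalOids = new HashSet<String>();

    // oidListProperty is the space-delimited OID_LIST value from AdapterPolicyEngine.properties.
    public XspaResourceTranslator(String oidListProperty) {
        for (String oid : oidListProperty.trim().split("\\s+")) {
            if (oid.length() > 0) {
                internalOids.add(normaliseOid(oid));
            }
        }
    }

    // Accepts "1.1.1.1" or "urn:oid:1.1.1.1" so a bare homeCommunityId still matches the list.
    static String normaliseOid(String oid) {
        String s = oid.trim();
        return s.startsWith("urn:oid:") ? s : "urn:oid:" + s;
    }

    // Table 4 lookup first; otherwise the substring check from section 2.2.2, made case-insensitive
    // so endpoint URLs and lower-case nhincproxy URNs are both caught. Anything unrecognised yields
    // null: an unknown resource must never be mapped onto a name a PolicySet would permit.
    static String resourceBaseName(String wsResource) {
        if (wsResource == null) return null;
        String known = KNOWN_RESOURCES.get(wsResource.trim());
        if (known != null) return known;
        String lower = wsResource.toLowerCase();
        if (lower.contains("patientdiscovery")) return "PatientDiscovery";
        if (lower.contains("docquery"))         return "DocumentQuery";
        if (lower.contains("docretrieve"))      return "DocumentRetrieve";
        if (lower.contains("docsubmission"))    return "DocumentSubmission";
        return null;
    }

    // Full XSPAResource name such as "DocumentQueryIn". An internal subject locality means the
    // request is leaving this node (Out); an external one means it is inbound (In).
    public String resourceName(String wsResource, String subjectLocality) {
        String base = resourceBaseName(wsResource);
        if (base == null || subjectLocality == null) {
            return null;
        }
        return base + (internalOids.contains(normaliseOid(subjectLocality)) ? "Out" : "In");
    }

    // "1004^^^1.1.1.1.1.0" becomes "1004"; null or empty input yields "" instead of an exception.
    public static String extractPatientId(String uniquePatientId) {
        if (uniquePatientId == null) {
            return "";
        }
        int caret = uniquePatientId.indexOf('^');
        return (caret < 0 ? uniquePatientId : uniquePatientId.substring(0, caret)).trim();
    }

    private static void check(Object actual, Object expected) {
        if (expected == null ? actual != null : !expected.equals(actual)) {
            throw new AssertionError("expected " + expected + " but got " + actual);
        }
    }

    public static void main(String[] args) {
        // Constructed input: the OID_LIST from section 2.3.6 and a made-up external OID 2.2.2.2.
        XspaResourceTranslator t = new XspaResourceTranslator("1.1.1.1 1.1.1.1.150 1.1.1.1.160 1.1.1.1.180");
        check(t.resourceName("urn:ihe:iti:2007:CrossGatewayQuery", "urn:oid:2.2.2.2"), "DocumentQueryIn");
        check(t.resourceName("urn:gov:hhs:fha:nhinc:nhincproxydocretrievesecured:RespondingGateway_CrossGatewayRetrieveRequest",
                "1.1.1.1.150"), "DocumentRetrieveOut");
        check(t.resourceName("urn:example:not-a-nwhin-service", "1.1.1.1"), null);
        check(extractPatientId("1004^^^1.1.1.1.1.0"), "1004");
        System.out.println("all checks passed");
    }
}
```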

2.2.4 Example AdapterPolicyEngineSecuredImpl

The AdapterPolicyEngineSecuredImpl acts as a secured proxy for AdapterPolicyEngineImpl. When running in secure mode the SAMLTokenHandler picks up the ws-resource value as being the service endpoint. To correct this you must capture the value from the body of the request and reassign it to the CheckPolicyRequestType before passing the request on to the unsecured portion of the AdapterPolicyEngine.

import java.util.Iterator;
import java.util.List;
import javax.xml.ws.WebServiceContext;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
// CONNECT common types and SAML token extraction (Common-types.jar and Core-lib.jar in Table 1);
// check the package names against the CONNECT version you copied the package from.
import gov.hhs.fha.nhinc.common.nhinccommon.AssertionType;
import gov.hhs.fha.nhinc.common.nhinccommonadapter.CheckPolicyRequestSecuredType;
import gov.hhs.fha.nhinc.common.nhinccommonadapter.CheckPolicyRequestType;
import gov.hhs.fha.nhinc.common.nhinccommonadapter.CheckPolicyResponseType;
import gov.hhs.fha.nhinc.saml.extraction.SamlTokenExtractor;
import oasis.names.tc.xacml._2_0.context.schema.os.AttributeType;
import oasis.names.tc.xacml._2_0.context.schema.os.AttributeValueType;
import oasis.names.tc.xacml._2_0.context.schema.os.ResourceType;

public class AdapterPolicyEngineSecuredImpl
{
    private static Log log = LogFactory.getLog(AdapterPolicyEngineSecuredImpl.class);

    public CheckPolicyResponseType checkPolicy(CheckPolicyRequestSecuredType body, WebServiceContext context)
    {
        // Collect assertion
        log.debug("Begin AdapterPolicyEngineSecureImpl.checkPolicy (secure)");
        AssertionType assertion = SamlTokenExtractor.GetAssertion(context);

        // Need to get ws_addressing info from the body as opposed to the assertion when in secured mode;
        // if this fails then we are done because we won't be able to determine whether or not this is
        // PatientDiscovery, DocQuery, or DocRetrieve
        try {
            List rTypes = body.getRequest().getResource();
            Iterator iter = rTypes.iterator();
            String callingURN = "";
            while (iter.hasNext()) {
                ResourceType r = (ResourceType) iter.next();
                List aTypes = r.getAttribute();
                Iterator iter2 = aTypes.iterator();
                while (iter2.hasNext()) {
                    AttributeType a = (AttributeType) iter2.next();
                    if ("urn:gov:hhs:fha:nhinc:saml-authz-decision-statement-resource".equals(a.getAttributeId())) {
                        AttributeValueType v = a.getAttributeValue().get(0);
                        callingURN = (String) v.getContent().get(0);
                    }
                }
            }
            // only overwrite the endpoint value when the body actually carried a ws-resource
            if (callingURN.length() > 0) {
                assertion.getSamlAuthzDecisionStatement().setResource(callingURN);
            } else {
                log.warn("No saml-authz-decision-statement-resource attribute found in body of Request.");
            }
        } catch (Exception wsEx) {
            log.warn("Failed to determine ws resource from body of Request.", wsEx);
        }

        CheckPolicyResponseType checkPolicyResp = null;
        AdapterPolicyEngineImpl oPolicyEngine = new AdapterPolicyEngineImpl();
        try
        {
            CheckPolicyRequestType checkPolicyRequest = new CheckPolicyRequestType();
            checkPolicyRequest.setAssertion(assertion);
            checkPolicyRequest.setRequest(body.getRequest());
            checkPolicyResp = oPolicyEngine.checkPolicy(checkPolicyRequest, context);
        }
        catch (Exception e)
        {
            String sMessage = "Error occurred calling AdapterPolicyEngineImpl.checkPolicy. Error: " + e.getMessage();
            log.error(sMessage, e);
            throw new RuntimeException(sMessage, e);
        }
        return checkPolicyResp;
    }
}

2.3 Deployment Considerations

The following sections are representative of the changes you will need to make to properly configure your AdapterPolicyEngine implementation. These configuration files can be found under the $NHINC_PROPERTIES_DIR directory.

2.3.1 internalConnectionInfo.xml

Set the policy engine secured endpoints.

policyengineservicesecured

Policy Engine Service Secured



2.3.2 AdapterPIPConfig.xml

Set the policy information point configuration to no implementation.

2.3.3 AdapterPEPConfig.xml

Set the policy enforcement point configuration to no implementation.

2.3.4 AdapterPolicyEngineOrchestratorProxyConfig.xml

Set policy orchestration to no implementation.

2.3.5 PolicyEngineConfigProxy.xml

For a secured policy engine implementation, set the following.

2.3.6 AdapterPolicyEngine.properties

This file configures your AdapterPolicyEngine and should be placed in the $NHINC_PROPERTIES_DIR directory.

# Make changes to reflect your installation environment
# Home Community Id of this node
HCID=1.1.1.1
# Listing of all OIDs internal to your environment; entries should be space delimited
OID_LIST=1.1.1.1 1.1.1.1.150 1.1.1.1.160 1.1.1.1.180
# Endpoint of the ContextHandlerService
CONTEXT_HANDLER_ENDPOINT=

2.4 Validation Testing

A suite of example soapUI tests for validating your adapter implementation has been provided with this document. They can be found at:

Security Framework-Quality Assurance-AdapterPolicyEngineTestExamples.zip

***we will need to update this link when committed to Oasis Site

A. Revision History

|Document ID |Date |Committer |Comment |

|xspa-nwhin-adapter-guide |03/11/2012 |Duane DeCouteau |Initial Draft |
