XDS Test Kit 2005-2006
Big Picture of XDS Profile Testing
There are two types of testing for the XDS Profile:
- Server testing - When testing your implementation of the Registry and Repository actors, you will use the xdstest tool to generate test messages aimed at your servers and collect responses. This happens on your equipment behind your firewall. The directions for a particular test will instruct you how to report the results. The test data to use on your system is available from Test Data. Instructions on how to conduct these tests are available from Test Descriptions.
- Client testing - When testing your implementation of the Document Source and Document Consumer actors, you will need an Internet connection. These tests are run against the NIST Public Registry server. The directions for a particular test will instruct you how to report the results. Instructions on how to conduct these tests are available from Test Descriptions.
The big overview of all the XDS tests is documented in a big table.
Frequently Asked Questions
The test environment for XDS contains two major elements:
- xdstest - a Java-based command line tool for generating Provide and Register, Register, and Query transactions to a Registry or Repository.
- Public Registry - a public implementation of the XDS Registry and Repository actors used to test your Document Source and Consumer actors.
URLs for NIST Public Registry
The NIST Public Registry uses a separate URL for each transaction it supports:
For non-TLS communications:
| Transaction | URL |
|---|---|
| Provide and Register (send to the repository) | http://hcxw2k1.nist.gov:8080/xdsServices2/registry/soap/portals/repository |
| Register (send to the registry) | http://hcxw2k1.nist.gov:8080/xdsServices2/registry/soap/portals/registry |
| Query (query the registry) | http://hcxw2k1.nist.gov:8080/xdsServices2/registry/soap/portals/query |
For mutual TLS communications:
- Coming Soon
All XDS transactions require the use of mutual TLS as specified in the ATNA profile. All tests (with the exception of 11710, 11717, and 11720) can be run with or without mutual TLS. All HIMSS participants are required to use mutual TLS. Credit for test results will not be given without the use of mutual TLS. But, you are welcome to test without mutual TLS while you are debugging.
ACC vendors are not using mutual TLS this season.
NOTICE: All these URLs point to xdsServices2. Last year's version (xdsServices) will continue to run unaltered until at least January. Make sure you point to this year's services.
Configuration for mutual TLS
Testing Mutual TLS against the Public Registry
The public registry is configured for mutual authentication using TLS.
This section documents the certificates to be used in testing. The next section focuses on configuration options for the xdstest tool.
In mutual TLS authentication (node authentication), two key pairs are used: the server authenticates the client and the client authenticates the server.
We are supporting two key formats, PEM (used by OpenSSL) and JKS/PKCS12 (used by Java keystore). You may use either as suits your environment. The public key from each is installed on the public registry server.
The support files are located [here]. They are:
- hcxw2k1.cert is the public certificate for the public registry server hcxw2k1.nist.gov
- keystore is a Java-style keystore file (jks format file) containing a public/private key pair for you to install and use as your 'client' key pair. The public certificate that matches this private key has been installed on the public registry server.
- test_sys_1.key.pem is an OpenSSL-style private key for you to install and use as your 'client' key. The public certificate that matches this private key has been installed on the public registry server.
- test_sys_1.cert.pem is the public certificate file associated with the OpenSSL-style private key.
- security.properties is a security configuration file for use with xdstest.
To test mutual TLS, you will have to install the public registry's public cert and one of the client public/private key pairs on your test machine in a trusted certificate file.
Correct cipher for XDS/ATNA now available
To use TLS with the cipher required by ATNA and XDS (TLS_RSA_WITH_AES_128_CBC_SHA) use this server cert.
- hcxw2krsaNew.cert is the server cert generated with the RSA algorithm. This file is located [here]. The old cert expired and was replaced on March 27, 2006.
Using xdstest Client
To use the xdsTestClient with TLS, you'll need to add hcxw2k1.cert, keystore, and security.properties to your testing environment. Import the hcxw2k1.cert file into a trusted certificate file. Here's some [documentation] for doing this.
After you have added this certificate to the file, edit the security.properties file to reflect the location of the certs file as well as your keystore file. The keystore file password is changeit.
Then edit the test.properties file for a particular test. Change the url to
where testpath is the path you would normally use.
Execute the xdstest.jar file with the -s command line option, passing in the location of the security.properties file:
java -jar /home/user/xdsTestClient/lib/xdstest.jar -s/home/user/xdsTestClient/security.properties
To send a TLS request with the restricted cipher, change the URL in the test.properties file to
https://hcxw2k1.nist.gov:8443/testpath and execute xdstest.jar as follows:
java -Dhttps.cipherSuites=TLS_RSA_WITH_AES_128_CBC_SHA -jar /home/user/xdsTestClient/lib/xdstest.jar -s/home/user/xdsTestClient/security.properties
Note there is no space after the -s.
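A standalone handshake check for the setup described above, added here as an example; it is not part of xdstest or the NIST test kit. The class name MutualTlsCheck and its argument order (host, port, keystore, keystore password, server certificate) are assumptions, as is the key entry sharing the keystore password.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

// Added example; MutualTlsCheck is a hypothetical class, not part of xdstest.
// Args (assumed order): host port keystore keystorePassword serverCert
public class MutualTlsCheck {
    // Cipher suite the page names as required by ATNA and XDS.
    static final String SUITE = "TLS_RSA_WITH_AES_128_CBC_SHA";
    public static void main(String[] args) throws Exception {
        char[] pass = args[3].toCharArray();
        // Client identity: the JKS keystore holding the client key pair.
        // Assumption: the key entry uses the same password as the store.
        KeyStore identity = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[2])) {
            identity.load(in, pass);
        }
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, pass);
        // Trust anchor: only the registry's certificate, not the JRE CA bundle.
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null);
        try (InputStream in = new FileInputStream(args[4])) {
            trust.setCertificateEntry("registry",
                CertificateFactory.getInstance("X.509").generateCertificate(in));
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory()
                .createSocket(args[0], Integer.parseInt(args[1]))) {
            s.setEnabledCipherSuites(new String[] {SUITE}); // offer only this suite
            s.startHandshake(); // throws if either side rejects the other
            SSLSession session = s.getSession();
            // getLocalCertificates() is null when no client certificate was sent.
            boolean mutual = session.getLocalCertificates() != null;
            System.out.println("cipher=" + session.getCipherSuite() + " mutual=" + mutual);
        }
    }
}
```

Because the client key pair and its password are distributed with the test kit, a successful handshake shows that your TLS configuration works; it does not identify your system uniquely.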
Schema and Metadata Validator
The XDS Schema, which is a cleaned-up version of the ebXML Registry version 2.1 Schema, is available from the main page.
The Metadata Validator is available as a service online and will be available for download soon.
Definition of Affinity Domain for Pre-Connectathon testing
For purposes of Pre-Connectathon testing, we have defined an Affinity Domain for the test registry to live in.
Patient IDs are of the format
so an example patient ID looks like:
where the ID is the identifier for the patient within this domain and the only thing that varies between patients. For use with the test registry at NIST, all patient IDs shall be allocated using a patient ID allocation tool on the web
A set of codes has been assigned to this Affinity Domain. They are the same as last year and defined in the XML file at Code Table.
How to use the xdstest tool
The readme file is available here.
Test Requirements - Table of individual tests organized by actor and transaction listing Required/Optional status of the test.
Test Descriptions - Details of all the tests, best viewed through the Test Requirements table above.
There are two major downloads for testing XDS, the xdstest testing tool and the test data. All documentation for testing is provided online.
Testing Tool - xdstest
The xdstest testing tool can be downloaded from here. It is written in Java and should run on any platform. We provide the pre-built jar file and the sources. We recommend using the pre-built jar file. The readme file is available here. It describes some basics on how to use the tool and what the configuration data means.
Test Data/Test Kit
Version 2.2 has been started. See the Change Log below for details.
Version 2.1 is now available (see here). See the Change Log below for details on what has been added and fixed.
Version 2.0 is now available (see here). See the Change Log below for details on what has been added and fixed.
Version 1.5 is now available (see here). See the Change Log below for details on what has been added and fixed.
Version 1.4 is now available (see here). See the Change Log below for details on what has been added and fixed.
Version 1.3 is now available (see here). See the Change Log below for details on what has been added and fixed.
Version 1.2 is now available (see here). See the Change Log below for details on what has been added and fixed.
Version 1.1 is now available (see here). See the Change Log below for details on what has been added and fixed.
The first release of the XDS test kit (version 1.0) is now available for download from here. This first release includes the first dozen tests.
You can track changes to the test kit or testing in general here.
Big changes from last year
XDS Schema will be available
Namespaces will be required in metadata xml
For discussion and tips on the XDS profile (but not necessarily related to the 2005-2006 testing season), see Notes on XDS Profile.
Basic XUA functionality will be implemented on the NIST public registry this season. See the XUA Implementers Guide for a discussion on the functionality to be implemented.