Telephone: (781) 609‐7741 | Fax: (888) 705‐8053 | Email: [email protected] | Website: www.pdmpassist.org
RxCheck Connection Technical Assistance Guide
This Technical Assistance Guide (TAG) is intended to provide PDMP Administrators with
information on how to connect to the RxCheck Hub to share information across state prescription
drug monitoring programs (PDMPs). The RxCheck Hub was designed with the involvement of the
PDMP community, private industry, and the federal government to enable a nationwide
capability for the timely, secure exchange of prescription information.
Status of the RxCheck Hub
The RxCheck Hub is operational and ready to support real‐time data exchange between
PDMPs. The system’s infrastructure has been tested and validated, and includes the latest
design improvements identified since its inception. The RxCheck Hub will be maintained by
the IJIS Institute with oversight from the RxCheck Governance Body. Information on costs can
be obtained from the IJIS Institute.
Establishing Connectivity to the RxCheck Hub
Prior to connecting to the RxCheck Hub, a PDMP must first meet the following criteria:
• at least one other state to serve as an exchange partner
• enabling legislation to engage in interstate operability
• a Memorandum of Understanding (MOU) governing data sharing among partners
Contacts for Technical Assistance
IJIS Institute Donald Gabbin (703) 726‐3647 [email protected]
History
The National Drug Control Strategy of 2010, issued by the White House Office of National
Drug Control Policy, identified the need to establish data linkages between PDMPs as a
national priority. Data sharing among PDMPs permits cross‐state tracking of patients’
prescription history, suspected doctor‐shopping, prescription fraud, and prescribing
trends. In response, the Bureau of Justice Assistance (BJA), with project management and
acquisition support from the IJIS Institute, and in collaboration with PDMPs, developed
the Prescription Monitoring Information Exchange (PMIX) National Architecture. The
PMIX National Architecture was developed as a direct response to the concerns and needs
expressed by states who were members of the BJA/IJIS PDMP Committee. While the PMIX
National Architecture was being developed, the RxCheck Hub was developed to
implement the PMIX National Architecture and deliver a functional interstate data sharing
hub. Additional information about the PMIX National Architecture can be found on the
PDMP Training and Technical Assistance Center’s (TTAC) website.
Interface Connection Options
Overview
The PDMPs’ technical management team should first review the PMIX Service Specification
Package, in particular the Service Description Document (SDD), which describes the basic
functions comprising the information sharing attributes of the service. The technical team
will then need to consider the PMIX RxCheck connection options and determine the
option that best suits their environment. The following diagram depicts the two PMIX
RxCheck connection options.
Figure 1: PMIX Connection Options
[Diagram labels: PDMP, OC, PMIX State Routing Service (SRS), PMIX RxCheck Hub, Trusted Web Service, Secure Web Service]
Option 1: PDMP system uses a trusted web service connection to a PMIX SRS. The SRS handles all X.509 certificate based message level security.
Option 2: PDMP system implements the secure web service connection directly with the RxCheck Hub. X.509 certificates required for advanced message level security.
Option 1: PMIX SRS
Option 1, as shown in the Figure 1 diagram, involves a state PDMP system connecting to
the PMIX RxCheck Hub via the PMIX State Routing Service (SRS). The PMIX SRS enables
PDMPs to “offload” PMIX functionality such as PMIX compliant service hosting,
request/response message validation, role‐based site authorization and full message
routing. In addition, the PMIX SRS handles all X.509 certificate‐based message
encryption/decryption involved in communicating over the PMIX secure web service
interface. The PMIX SRS has been certified via the PMIX Springboard Conformance Test
process, therefore the interface and corresponding functionality is guaranteed to
interoperate with the RxCheck Hub. For additional information regarding the Option 1
connection specification, refer to the PMIX Service Specification Package (SSP) Trusted
SIDD (PMIX_SIDD_WS_Trusted_v_1.1.0).
Option 2: Custom Proxy
Option 2, on the other hand, affords a PDMP greater flexibility to develop their own proxy
interface service using their native platform and technology. A custom proxy interface
must comply with all requirements documented in the service interface specification,
including web service communication using WS‐Security message‐level encryption. For
additional information regarding the Option 2, custom proxy, connection specification,
refer to the PMIX Service Specification Package (SSP) Secure SIDD document
(PMIX_SIDD_WS_Secure_v_1.1.0).
Note: The PMIX SSP includes several reference implementations, for various Java
platforms, which provide broad programmatic guidance in the form of functional
software.
Getting Started Procedures
The steps listed below are intended to provide PDMP technical staff with general guidance
which serves to augment the information contained in the PMIX SSP documentation. Please
note that implementation may vary depending upon a PDMP’s computer system. The IJIS
Institute is available to provide technical assistance as needed.
Step 1: Software Installation (Option 1 only)
• Install the latest version of the .NET Framework
• Install the latest version of the PMIX State Routing Service
• Install & configure Windows IIS Server Role
• Install the latest version of the PMIX Admin Console
• Install the latest version of the PMIX RAS Service
• Bind the security certificate to the SRS HTTP endpoint
  o i.e. netsh http>add sslcert ipport=0.0.0.0:18802 certhash=8…2 appid={8…2}
• Establish a PMIX SRS Directory Structure:
  o Dedicated, standalone LDAP:
    - Install Microsoft ADLDS
    - Setup a new ADLDS instance
    - Instance name should be: CN=PMIX,DC=rxcheck,DC=org
    - Run the LDAP scripts provided with the SRS software
  o Existing, Enterprise LDAP:
    - Run the LDAP scripts provided with the SRS software
• Configure the PMIX SRS LDAP Directory Service
  o Communication Endpoints
    - RxCheck Hub
    - PDMP System
  o Message Filtering
  o Role‐based Site Authorization
Step 2: Network Preparation
• Configure and validate network connectivity between the State Routing Service (Option 1) or the Custom Proxy (Option 2) and the two endpoint systems:
  o “External” ‐ RxCheck Central Hub
  o “Internal” ‐ PDMP System
• The following steps, which are based on a typical configuration process, reflect general network configuration guidance and may need to be tailored to apply to specific environments.
  o Network Access
    - Enable the SRS to access the RxCheck Hub
      - Provide the PMIX RxCheck Administrator with the SRS external IP address, so they can configure the IJIS network firewall
      - Configure the networking components:
        o Add the necessary network address translation (NAT)
        o Add the routing rules needed to route outbound traffic
        o If necessary, add any outbound firewall rules
        o If the external IP address is “virtual”, ensure any added routing provisions are implemented
    - Enable the SRS to access the State PDMP
      - Configure the networking components:
        o Add the necessary network address translation (NAT)
        o Add the routing rules needed to route outbound traffic
        o If necessary, add any outbound firewall rules
        o If the external IP address is “virtual”, ensure any added routing provisions are implemented
    - Enable the RxCheck Hub to access the SRS
      - Provide the PMIX RxCheck Administrator with the SRS externally accessible IP address used to connect to the listener
      - Configure the networking components:
        o Add the necessary inbound firewall rules
        o If the external IP address is “virtual”, ensure any added routing provisions are implemented
  o Domain Name Resolution
    - RxCheck Hub
      - Identify the domain name and network address
      - Ensure the SRS is able to resolve the domain name to the IP
    - State PMP System
      - Identify the domain name and network address
      - Ensure the SRS is able to resolve the domain name to the IP
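The outbound half of Step 2 can be checked from the SRS (or Custom Proxy) host before any PMIX software is configured. The PowerShell below is an added example, not part of the guide or the SRS software; the Hub URL is the test address listed in Appendix A and the PDMP URL is a placeholder to replace with your own checklist value.

```powershell
# Added example, not part of the guide. Run on the SRS (Option 1) or Custom Proxy host.
# The Hub URL is the test address from Appendix A; the PDMP URL is a placeholder.
$endpoints = @(
    @{ Name = 'External: RxCheck Hub'; Url = 'https://test.rxcheck.org:18803/2010/12/pmx/router' }
    @{ Name = 'Internal: PDMP system'; Url = 'https://pdmp.example.internal/' }   # placeholder
)

$results = foreach ($ep in $endpoints) {
    $uri = [Uri]$ep.Url

    # Domain Name Resolution: use the host's own resolver, as the SRS will.
    $addresses = @()
    try {
        $addresses = @([System.Net.Dns]::GetHostAddresses($uri.Host) |
                       ForEach-Object { $_.IPAddressToString })
    } catch {
        Write-Warning "$($ep.Name): cannot resolve $($uri.Host)"
    }

    # Network Access: a TCP connect exercises the NAT, routing and outbound firewall rules.
    $reachable = $false
    if ($addresses.Count -gt 0) {
        $probe = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue
        $reachable = $probe.TcpTestSucceeded
    }

    [pscustomobject]@{
        Endpoint     = $ep.Name
        Host         = $uri.Host
        Port         = $uri.Port
        ResolvedTo   = $addresses -join ', '
        TcpReachable = $reachable
    }
}

$results | Format-Table -AutoSize
# ResolvedTo supplies the IP Address rows of the checklist; a False in TcpReachable
# points back at the NAT, routing or firewall items above.
```

Inbound access from the RxCheck Hub to the SRS listener cannot be confirmed from the SRS host itself; that direction is exercised once the loopback test in Step 4 is expanded to pass through the Hub.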
Step 3: Security
The following outline provides instructions (Windows Server) to help acquire and install
the X.509 certificate for the PMIX SRS (Option 1) or the Custom Proxy (Option 2):
• Generate SSL/TLS Custom CSR (if necessary)
  o Using the Certificates snap‐in for computer manager, from the Action menu, select All Tasks ‐ Advanced Operations and then “Create Custom Request”
  o Select “Proceed without enrollment policy”, the (No template) Legacy key and PKCS #10 for Request format
  o Configure the following CSR options so as to use the certificate for TLS/SSL
  o On the CSR Form General tab:
    - Enter the Friendly name
  o On the CSR Form Subject tab:
    - In the Subject name area under Type, click Common Name
    - In the Subject name area under Value, enter the fully qualified domain name of the server
    - In the Alternative name area under Type, click DNS
    - In the Alternative name area under Value, enter the fully qualified domain name of the server
  o On the CSR Form Extensions tab:
    - Under Key usage, in Available options, select Digital signature
    - Under Key encipherment, Extended Key Usage (application policies), in the Available options, select Server & Client Authentication
  o On the CSR Form Private Key tab:
    - In the Cryptographic Service Provider section, deselect all CSPs and select Microsoft RSA SChannel Cryptographic Provider (Encryption).
    - Under Key options, in the Key size list, select a key size of 2048.
    - Select the Make private key exportable check box.
  o Reference: http://technet.microsoft.com/en‐us/library/ff625722(v=ws.10).aspx
• Import certificates (SRS certificate and any exchange partners’ certificates)
  o Using the Certificates snap‐in for computer manager, from the Action menu, select All Tasks, and then select Import to start the Certificate Import Wizard
  o Type (or navigate to) the file name containing the certificate to be imported
  o Select "Place all certificates in the following store" and select "Personal"
• Ensure the certificates have a Friendly Name
  o Using the Certificates snap‐in for computer manager, navigate to "Personal\Certificates" and verify the "Friendly Name" is set to the subject
• Copy the certificates
  o Using the Certificates snap‐in for computer manager, navigate to "Personal\Certificates" and copy the newly imported certificate
  o Then, navigate to "Trusted People\Certificates" and paste the certificate
Note: Any secure http URL must include the domain name that matches the certificate
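The result of Step 3 can be audited from PowerShell instead of clicking through the snap‐in. The script below is an added example, not part of the guide or the SRS software; it assumes "Personal" and "Trusted People" refer to the Local Computer stores, uses a placeholder service URL, and reads the binding on port 18802 as shown in the Step 1 netsh example.

```powershell
# Added example, not part of the guide. $ServiceUrl is a placeholder: use checklist item 1.
$ServiceUrl = 'https://srs.example.org:18802/'
$hostName   = ([Uri]$ServiceUrl).Host
$serverAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$clientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

# Assumption: the guide's "Personal" / "Trusted People" are the Local Computer stores.
$trusted = @(Get-ChildItem Cert:\LocalMachine\TrustedPeople | ForEach-Object Thumbprint)

# Hash bound to the SRS endpoint in Step 1 (parsing assumes English netsh output).
$bound = (netsh http show sslcert ipport=0.0.0.0:18802 |
          Select-String 'Certificate Hash') -replace '.*:\s*', ''

$report = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $c   = $_
    $eku = @($c.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    $san = @($c.DnsNameList | ForEach-Object { $_.Unicode })
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($c)
    [pscustomobject]@{
        Subject         = $c.Subject
        FriendlyNameSet = -not [string]::IsNullOrWhiteSpace($c.FriendlyName)
        # Exact match only; wildcard names are not expanded. Expected True for the
        # SRS certificate itself, False for exchange partners' certificates.
        NameMatchesUrl  = $san -contains $hostName
        ServerClientEku = ($eku -contains $serverAuth) -and ($eku -contains $clientAuth)
        KeySize         = if ($rsa) { $rsa.KeySize } else { $null }
        InTrustedPeople = $trusted -contains $c.Thumbprint
        BoundTo18802    = [bool]$bound -and ($c.Thumbprint -eq $bound)
    }
}

$report | Format-Table -AutoSize
```

For the SRS certificate every column should read True with a KeySize of 2048; a False in NameMatchesUrl is the condition the note above warns about.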
Step 4: Conduct Loopback Testing
Perform a loopback test in which a PDMP simulates both the requesting and disclosing
states. As such, the PDMP sends the PMIX request to their own PDMP system
endpoint via either the PMIX SRS (Option 1) or the Custom Proxy (Option 2).
Note: The response will follow the same steps in the reverse direction
Note: After successfully completing a local loopback test, the test “loop” can be
expanded to include a pass through the RxCheck Hub
Step 5: Integration Testing
Perform integration testing with an exchange partner; the request will flow from the
requesting‐state PDMP application to the requesting‐state SRS (Option 1) or the
Custom Proxy (Option 2), to the RxCheck Hub, to the disclosing‐state PDMP
application (note: the response will follow the same steps in the reverse direction)
Step 6: Springboard Testing (Optional, Option 2 Only)
Conduct Springboard Conformance Testing to validate the interoperable aspects of
the service interface specification in order to assert that a participating system
conforms to the PMIX Specification. The conformance specification and the
associated test cases define a series of tests designed to exercise each interoperability
aspect of the specification at least once.
Appendix A: Pre‐Installation Checklist
The following architecture diagram and pre‐installation checklist table will orient the
deployment team by identifying important system information prior to the software
installation and configuration.
Figure 2: Typical PMIX Component Architecture Overview
ID Description Value
1. SRS Service Host Base URL Address
1.1 Domain Name:
1.2 IP Address:
2. RxCheck Hub Service Host URL Address https://test.rxcheck.org:18803/2010/12/pmx/router
2.1 Domain Name: test.rxcheck.org
2.2 IP Address:
3. SRS RxCheck Hub Listener URL Address https://
3.1 Domain Name:
3.2 IP Address:
4. New site PDMP Application URL Address
4.1 Domain Name:
4.2 IP Address:
5. New site unique qualifier (NW)
6. Exchange partner unique qualifier (EP)
A. The new site’s PMIX SRS certificate
B. The partner site’s PMIX SRS certificate
# Network Configuration (Firewall, Router)
Table 1: Pre‐Installation Checklist
[Figure 2 diagram labels: PMIX SRS, RxCheck Hub, PDMP, OC, New (NW) Site, Exchange Partner (EP); callouts 1, 2, 3, 4, 5, 6, A, B and # match the checklist IDs in Table 1]
Appendix B: PMIX SRS AdminConsole Overview
The following screen images show how the checklist data values collected prior to installation
can be entered into the AdminConsole. For additional information, refer to the AdminConsole
documentation.
Figure 3: Service Endpoint Configuration Screen
Figure 4: Client Endpoint Configuration Screen
Figure 5: Digital Certificate Configuration Screen
Appendix C: Implementation Plan Template
Server Administration (~ 1 hour)
• Install the latest version of the .NET Framework
• Install the latest version of the PMIX State Routing Service (SRS)
• Install & configure Windows IIS Server Role
• Install the latest version of the PMIX Admin Console
• Install the latest version of the PMIX RAS Service
• Establish a PMIX SRS LDAP Directory Structure
• Configure the PMIX SRS LDAP Directory Service
Network Administration (~ 1 hour)
• Configure the SRS to RxCheck Hub (Outbound) network
• Configure the SRS to State PDMP (Internal) network
• Configure the RxCheck Hub to SRS (Inbound) network
• Establish Domain Name (DNS) Resolution
Security Administration (~ 1 hour)
• Generate SSL/TLS Custom CSR (if necessary)
• Import the certificate to Personal Store
• Ensure the certificates have a Friendly Name
• Copy the certificate to Trusted People Store
• Bind the certificate to the SRS HTTP endpoint
Testing (~ 1 hour)
• Verify State PDMP outbound request/response via SRS to disclosing site
• Verify State PDMP inbound request processing through SRS from requesting site
Additional Resources
PMIX National Architecture Overview
PMIX National Architecture version 1.0
PMIX Springboard Service Conformance Package
MOU Guideline for Interstate Data Sharing
Sample MOU for the Exchange of Live Patient Data