PHIN Messaging System
Overview  |
Installation |
Quick Steps |
FAQs |
Support |
VeriSign Intermediate Certificate Update
Information about the upcoming VeriSign Intermediate Certificate Update
FAQs
The PHINMS Team and the PHINMS Help Desk shares Frequently Asked Questions. The Frequently Asked Questions (FAQs) captured below pertain to Release 2.8.01. Suggestions to add additional questions can be sent to the PHINMS Web Site point-of-contact using the Support tab.
- What is a Collaboration Protocol Agreement?
- What is a CDC PartyID?
- What is the difference between a PartyID and an OID?
- What is a Digital Certificate and what is the purpose?
- Do higher-priced certificates provide more security?
- What is the recommendation bit length for SSL certificates?
- What are the different types of Digital Certificates? Which ones are required for a Sender/Receiver to successfully exchange data? Specifically, what does each certificate do and why is it required?
- What vendors do PHINMS recommend more or less than others?
- When and how are expired PHINMS Digital Certificates updated?
- What steps need to be taken to correct a certificate problem?
- Does PHINMS require a Digital Certificate?
- What is the purpose of the timeout connection for the Sender?
- Transport Queue Configuration
- Which version of PHINMS should be installed?
- Which operating system does PHINMS use?
- What is the cost to use PHINMS?
- What is the difference between a Refresh and a Restart?
1. What is a Collaboration Protocol Agreement?
A Collaboration Protocol Agreement (CPA) is a business-level agreement between the PHINMS Sender and Receiver. The CPA stores information necessary for partners to communicate with one another. It includes the transport protocol and security constraints both partners have agreed to use when messaging one another. A CPA is required for each location which has installed PHINMS. The CPA file name consists of the Receiver's and Sender's PartyID with an .xml extension. The file is stored in both the PHINMS Receiver's CPA directory and the Sender's CPA directory2. What is a CDC PartyID?
The Centers for Disease Control and Prevention (CDC) PartyID is a unique object identifier (OID) for each instance of the PHINMS Sender and Receiver used when sending messages to the CDC. The CDC PHINMS Help Desk issues the PartyID at no cost. The value of the PartyID must be the same as the Message Receiver's PartyID in the Collaboration Protocol Agreement. A PartyID would resemble "1.23.456.7.891234.5.6.7.8.9.0.1".3. What is the difference between a PartyID and an OID?
A PartyID is an object identifier (OID) used by PHINMS. It is a unique OID assigned to an organization by the CDC PHINMS Help Desk.Note: A CDC PartyID is an OID but an OID is not necessarily a PartyID.
4. What is a Digital Certificate and what is the purpose?
A Digital Certificate is a digital identity of a person, computer, or organization. It is a binary file used for Authentication, Encryption, Signature, etc. Digital Certificates are typically issued by Organizations or Root Certificate Authorities5. Do higher-priced certificates provide more security?
There is no concept of higher-priced certificates rather encryption strength. PHINMS recommends 1024 bit encryption strength both on Client certificates (Sender) and SSL certificates (IIS Proxy Server).6. What is the recommendation bit length for SSL certificates?
SSL Certificates should be 1024 bit length.7. What are the different types of Digital Certificates? Which ones are required for a Sender/Receiver to successfully exchange data? Specifically, what does each certificate do and why is it required?
View Diagram
PHINMS Sender Side:
Client Certificate: Most CDC related programs will issue a CDC SDN issued Digital Certificate to an individual. This is used to authenticate the Sender in an Organization to the Receiver (example - sender.pfx). The client certificate is a combination of both a private key and a public key of the Sender's certificate.
Encryption Certificate: This is the public key of the Receiver (example - state.cer). The encryption certificate can be downloaded by doing a LDAP lookup or obtaining the information in an email from the Receiver. The data sent to the Receiver is encrypted using the encryption certificate (example - receiver.cer).
Certificate Authority Certificates: A Certificate Authority (CA) Certificate is a Key Store which comes bundled with the PHINMS product. When a Sender is trying to make a HTTPS SSL (Secure Socket Layer) connection to the Receiver's IIS server, it needs to validate the certificate chain of the SSL certificate installed on the IIS server. PHINMS uses this key store to look up for trust chain. When the Root and Intermediate Certificate of the SSL certificate are not present in the CA cert file then the HTTPS connection fails. The Receiver will need to provide the Root and Intermediate of the SSL certificate to the Sender in an email. The Sender will then need to import the information.
PHINMS Receiver Side:Secure Socket Layer Certificate: This is the certificate installed on IIS proxy server to provide HTTPS SSL connection to the Sender. The SSL connection creates a secure tunnel between the Sender and the IIS server. This certificate has to be purchased from a Vendor. An existing certificate or generate certificate using Open SSL can also be used. When using the non-popular of open source, ensure the root and the intermediate (if exists) is provided to the Sender to add to the trust chain (example - state.us.gov).
Client Certificate (Public Key): A client certificate on the IIS proxy server refers to the public key of the Sender's client certificate. This is allows the Receiver to trust the Sender by providing Authentication and Authorization. The Sender will need to provide the public key of the client certificate to the Receiver in an email (example - sender.cer).
Decryption Certificate: Most CDC related programs will issue a CDC SDN issued Digital Certificate to an individual. This is used in decrypt the data sent by a Sender (example - receiver.pfx). The Decruptioin Certificate is a combination of both the private key and the public key of the Sender's certificate.
8. What vendors do PHINMS recommend more or less than others?
There are many vendors which issue Digital Certificates like Client Certificate and SSL Server Certificates. Some included are Verisign, Thawte, Entrust, Equifax, Geotrust to name a few. PHINMS does not recommend one over the other. An existing and self-signed certificate may be used..
9. When and how are expired PHINMS Digital Certificates updated?
An email notification will be sent as a reminder to re-apply for a new Digital Certificate when the certificate is either PHINMS Staging or Production. The reminders are sent three times (1 month, 15 days, and 5 days) before the date of expiration. Navigate to https://ca.cdc.gov to apply for a new Digital Certificate.
When SSL certificates are expiring the vendor will need to be notified.
10. What steps need to be taken to correct a certificate problem?
There may be several reasons for a certificate problem. The most convenient way to diagnosis the problem is to review the log files. Some of the most common issues are as follows:
- SSL and Client Certificate expiration,
- encrypting with a wrong public key on the Sender's side,
- the Sender not being able to trust the Receiver's SSL certificate chain, and/or
- the wrong private key password using the Sender's or Receiver's console.
11. Does PHINMS require a Digital Certificate?
A Digital Certificate is required for security purposes when using PHINMS to send messages to the CDC. The Digital Certification verifies the identity of the Sender and provides the Receiver with the means to encrypt a response. The CDC Secure Data Network (SDN) issues user identity Digital Certificates. A Digital Certificate is also required when partners are sending messages directly to other partners and the messages are not sent to the CDC. A Digital Certificate can be purchased from a Certificate Authority (CA). Instructions for requesting a Digital Certificate to send messages to the CDC are located in the PHINMS 2.8.01 Implementation Guide
12. What is the purpose of the timeout connection for the Sender?
The timeout connection is used to set the number of milliseconds the Message Sender waits before timing out the attempt to connect to the SML.PHINMS 2.8.01 Implementation Guide
13. How is encryption enabled?
The message is encrypted using the private key infrastructure. Refer to FAQ #4 for additional information.
PHINMS 2.8.01 Implementation Guide
14. Which version of PHINMS should be installed?
Currently the latest version is PHINMS 2.8.01 and recommended for installation. Upgrade options are documented in the PHINMS Implementation Guide.
PHINMS 2.8.01 Implementation Guide
15. Which operating system does PHINMS use?
PHINMS is platform-independent. Any operating system can be used; however, PHINMS has only been tested with a select few. The PHINMS Team does not support the platforms which have not been tested. The following platforms are tested and guaranteed to work with PHINMS and they are supported by the PHINMS team:
- Windows 2000,
- Windows 2003,
- Windows XP,
- Solaris Sparc 10 Update 3, and
- Red Hat Enterprise Linux ES release 4, Kernel version 2.6.9-42.0.8.ELsmp.
16. What is the cost to use PHINMS?
There is no cost to use the PHINMS software. The software has been designed by the CDC for the Public Health communities.
17. What is the difference between a Restart and Refresh?
When the default database is started any data changes should be reflected when the PHINMS console is refreshed. The request to restart indicates the Tomcat server requires to be stopped then restarted whenever a configuration changes or installing a new component such as Web Services Adapters.