CA:Aud

The Canadian Audit Trail (CA:Aud) Implementation Guidance provides support for event logging for auditing. To allow for these features, CA:Sec actors can be grouped with CA:Aud actors.

If the grouping is in place, an actor from CA:Sec shall implement the required transactions and/or content modules in CA:Sec in addition to all the transactions required for the grouped actor (second column of the table below).

CA:Sec Actor            Actor(s) to be grouped with
Secure Application      CA:Aud / Audit Creator

CA:Sec actors, when grouped with Audit Creator, shall use the Record Audit Event [ITI-20] transaction to send audit event log messages to an Audit Record Repository.

Alternatively, other non-IHE methods that do not require grouping with CA:Aud actors can be used to record audit messages.
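The following is an added example, not code from CA:Sec, CA:Aud or the IHE ATNA specification, showing what a Record Audit Event [ITI-20] message looks like on the wire and how an Audit Record Repository takes it apart again. It assumes the DICOM PS3.15 AuditMessage schema as the payload, an RFC 5424 syslog header, RFC 5425 octet-counting framing for syslog over TLS, facility 10 (security/authorization) with severity Notice for success and Warning for failure, and the MSGID value "IHE+DICOM"; the login event, user, host names and timestamp are constructed sample data.

```python
"""Added example: build an ITI-20 Record Audit Event message, frame it for
syslog over TLS, and parse it back on the Audit Record Repository side.
Assumptions: DICOM PS3.15 AuditMessage payload, RFC 5424 header, RFC 5425
octet-counting framing, facility 10, MSGID "IHE+DICOM"."""
import socket
import ssl
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SYSLOG_FACILITY_AUTHPRIV = 10   # "security/authorization messages" in RFC 5424
SEVERITY_NOTICE = 5             # assumed for successful audit events
SEVERITY_WARNING = 4            # assumed for failed audit events
SAMPLE_WHEN = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed


def _iso_utc(when: datetime) -> str:
    return when.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_audit_message(user_id: str, source_ip: str, audit_source_id: str,
                        success: bool, when: datetime) -> str:
    """DICOM PS3.15 AuditMessage for a user-authentication (login) event.
    DCM 110114 = User Authentication, DCM 110122 = Login; outcome 0 = success,
    4 = minor failure; EventActionCode E = Execute; access point type 2 = IP."""
    root = ET.Element("AuditMessage")
    event = ET.SubElement(root, "EventIdentification", {
        "EventActionCode": "E",
        "EventDateTime": _iso_utc(when),
        "EventOutcomeIndicator": "0" if success else "4",
    })
    ET.SubElement(event, "EventID", {"csd-code": "110114", "codeSystemName": "DCM",
                                     "originalText": "User Authentication"})
    ET.SubElement(event, "EventTypeCode", {"csd-code": "110122", "codeSystemName": "DCM",
                                           "originalText": "Login"})
    ET.SubElement(root, "ActiveParticipant", {
        "UserID": user_id, "UserIsRequestor": "true",
        "NetworkAccessPointID": source_ip, "NetworkAccessPointTypeCode": "2",
    })
    ET.SubElement(root, "AuditSourceIdentification", {"AuditSourceID": audit_source_id})
    return ET.tostring(root, encoding="unicode")


def syslog_message(audit_xml: str, hostname: str, app_name: str, when: datetime,
                   success: bool = True, msgid: str = "IHE+DICOM") -> str:
    """RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG, with
    PRI = facility * 8 + severity and a UTF-8 BOM opening the MSG part."""
    severity = SEVERITY_NOTICE if success else SEVERITY_WARNING
    pri = SYSLOG_FACILITY_AUTHPRIV * 8 + severity
    return f"<{pri}>1 {_iso_utc(when)} {hostname} {app_name} - {msgid} - \ufeff{audit_xml}"


def rfc5425_frame(syslog_msg: str) -> bytes:
    """Octet-counting framing used for syslog over TLS: MSG-LEN SP SYSLOG-MSG."""
    body = syslog_msg.encode("utf-8")
    return str(len(body)).encode("ascii") + b" " + body


def parse_rfc5425_frame(data: bytes) -> tuple:
    """Repository side: split one complete frame off the TLS byte stream."""
    length_str, _, rest = data.partition(b" ")
    length = int(length_str)
    if len(rest) < length:
        raise ValueError("incomplete frame")
    return rest[:length].decode("utf-8"), rest[length:]


def audit_summary(syslog_msg: str) -> dict:
    """Repository side: recover PRI, event code, outcome and user from a message."""
    pri = int(syslog_msg[1:syslog_msg.index(">")])
    root = ET.fromstring(syslog_msg[syslog_msg.index("<AuditMessage"):])
    event = root.find("EventIdentification")
    return {"facility": pri // 8, "severity": pri % 8,
            "event_id": event.find("EventID").get("csd-code"),
            "outcome": int(event.get("EventOutcomeIndicator")),
            "user": root.find("ActiveParticipant").get("UserID")}


def send_audit_event(frame: bytes, repository_host: str, port: int = 6514,
                     cafile: str = None) -> None:
    """Deliver one frame over server-authenticated TLS (6514 is the IANA
    syslog-over-TLS port). Network I/O only; not exercised by the demo below."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((repository_host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=repository_host) as tls:
            tls.sendall(frame)


if __name__ == "__main__":
    xml = build_audit_message("dr.jane", "10.0.0.5", "CA-SEC-APP-01", True, SAMPLE_WHEN)
    msg = syslog_message(xml, "app01.example.ca", "ca-sec-app", SAMPLE_WHEN)
    received, _ = parse_rfc5425_frame(rfc5425_frame(msg))
    print(audit_summary(received))
```

Everything up to `rfc5425_frame` runs in the Audit Creator; `parse_rfc5425_frame` and `audit_summary` are the repository's view of the same bytes, so the round trip shows that the PRI, the DCM event code and the outcome indicator survive framing intact.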

IUA

The Internet User Authorization (IUA) Profile provides support for user authentication, app authentication, and authorization decisions. To allow for these features, CA:Sec actors can be grouped with IUA actors.

If the grouping is in place, an actor from CA:Sec shall implement the required transactions and/or content modules in CA:Sec in addition to all the transactions required for the grouped actor (second column of the table below).

CA:Sec Actor                          Actor(s) to be grouped with
Local Secure Application (Client)     IUA / Authorization Client
Remote Secure Application (Server)    IUA / Resource Server

This option is described in the IUA specification as the STX: HTTPS IUA Option for the ATNA Profile.

Actors that support this option use server-side authenticated TLS (https, as specified in the ATNA Profile) to authenticate the server to the client and to provide communications integrity and encryption, and use the IUA Profile to authenticate the client application to the server (the IUA Resource Server) by means of an IUA access token.

  • TLS shall be server-side authenticated, and may be client authenticated
  • TLS shall be compliant with BCP 195 (the IETF TLS recommendations, currently RFC 8996 and RFC 9325)
  • The Local Secure Node or Secure Application shall reject connections that are not https, and may enforce other policies
  • The Remote Secure Node or Secure Application shall reject connections that do not carry a valid IUA token, and may enforce other policies
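The four rules above, written out as an added example (not IUA, ATNA or CA:Sec reference code): the Local Secure Application side builds a TLS context that meets the BCP 195 baseline and refuses any endpoint that is not https, and the Remote Secure Application (IUA Resource Server) side refuses plaintext requests and any request whose bearer token does not verify. It assumes the IUA access token is a JWT and, so that it runs offline, signs with HS256 under a shared demo key; a real Authorization Server would normally sign with an asymmetric key and the Resource Server would verify against the server's published keys. The issuer, audience, subject, key and timestamps are constructed demo values.

```python
"""Added example: the STX: HTTPS IUA Option policy rules as client-side
https/TLS checks and server-side IUA bearer-token validation.
Assumptions: JWT access tokens, HS256 with a shared demo key (stand-in for
the Authorization Server's signature), constructed issuer/audience values."""
import base64
import hashlib
import hmac
import json
import ssl
import time
from urllib.parse import urlsplit


class PolicyViolation(Exception):
    """A connection or request the STX: HTTPS IUA Option says must be rejected."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# ---- Local Secure Application (IUA Authorization Client) side ----

def client_ssl_context(cafile: str = None) -> ssl.SSLContext:
    """BCP 195 baseline: TLS 1.2 or later, server certificate required and
    checked against the host name (server-side authenticated TLS)."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def require_https(url: str) -> str:
    """Reject any endpoint that is not https before a request is attempted."""
    if urlsplit(url).scheme != "https":
        raise PolicyViolation(f"refusing non-https endpoint: {url}")
    return url


# ---- Remote Secure Application (IUA Resource Server) side ----

def mint_token(claims: dict, key: bytes) -> str:
    """HS256 JWT; stands in for the Authorization Server in this demo only."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_iua_token(token: str, key: bytes, issuer: str, audience: str,
                       now: float = None) -> dict:
    """Verify signature, issuer, audience and validity window; return the claims."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise PolicyViolation("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        raise PolicyViolation("undecodable token")
    if header.get("alg") != "HS256":      # pin the algorithm; never trust the token's choice
        raise PolicyViolation("unsupported alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise PolicyViolation("bad signature")
    if claims.get("iss") != issuer:
        raise PolicyViolation("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise PolicyViolation("token not issued for this resource server")
    if now >= float(claims.get("exp", 0)):
        raise PolicyViolation("token expired")
    if now < float(claims.get("nbf", 0)):
        raise PolicyViolation("token not yet valid")
    return claims


def authorize_request(scheme: str, headers: dict, key: bytes, issuer: str,
                      audience: str, now: float = None) -> dict:
    """Reject non-https requests and requests without a valid IUA bearer token."""
    if scheme != "https":
        raise PolicyViolation("plaintext request rejected")
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        raise PolicyViolation("missing bearer token")
    return validate_iua_token(auth[len("Bearer "):].strip(), key, issuer, audience, now)


def violates(fn, *args, **kwargs) -> bool:
    """True if calling fn raises PolicyViolation."""
    try:
        fn(*args, **kwargs)
    except PolicyViolation:
        return True
    return False


# Constructed demo values, not from any real deployment.
DEMO_KEY = b"shared-demo-key-change-me"
DEMO_ISSUER = "https://as.example.ca"
DEMO_AUDIENCE = "https://ehr.example.ca/fhir"
DEMO_CLAIMS = {"iss": DEMO_ISSUER, "sub": "dr.jane", "aud": DEMO_AUDIENCE,
               "iat": 1714564800, "nbf": 1714564800, "exp": 1714568400, "jti": "demo-1"}

if __name__ == "__main__":
    token = mint_token(DEMO_CLAIMS, DEMO_KEY)
    require_https("https://ehr.example.ca/fhir/Patient")
    headers = {"Authorization": f"Bearer {token}"}
    print(authorize_request("https", headers, DEMO_KEY, DEMO_ISSUER, DEMO_AUDIENCE, now=1714565000)["sub"])
    print(violates(authorize_request, "http", headers, DEMO_KEY, DEMO_ISSUER, DEMO_AUDIENCE))
```

The server-side check deliberately verifies the signature before reading any claim, pins the algorithm rather than honouring whatever `alg` the token carries, and treats a wrong audience as a rejection so that a token issued for one Resource Server cannot be replayed against another.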