SEI Idea Portal
Status Submitted
Workspace HC-DPS-EI: ZFP
Created by Abdullah Alshehri
Created on May 22, 2023

ZFP RAD-69 include security headers when calling registry/repository

Description

This is for the SEHATI nationwide project in Saudi Arabia, where we as GEHC are providing the ZFP RAD-69 component as part of this project, while the Registry & Repository systems are provided by a 3rd party company (OrionHealth).


During the initial integration testing, where we test whether ZFP can make the iti-18 & iti-43 queries, ZFP was failing to make those queries, and based on OrionHealth logs it's caused by the security headers, which ZFP by design doesn't have in its code.


The only way to make ZFP able to query the OrionHealth Registry is by requesting OrionHealth to disable the security headers, which, according to OrionHealth & the customer, is a security downgrade and a risk, as anyone could query their registry when the security headers function is disabled.


What we can do to fix this from the ZFP side is to include in the ZFP code/config the ability to implement security headers, and below are the options provided by OrionHealth:

  1. Digest Username and Password (Plaintext)

  2. Digest Username and Password (encrypted)

  3. Encrypted Username and Password (using an encryption certificate)

  4. Option to disable security headers -> for customers who have their systems in their local network and don't want to implement any security headers

  • Syed Niyamaddin
    May 22, 2023

    When ZFP, as an XDS document consumer, is integrated with 3rd party XDS actors like a document registry and repository (Orion Health in our case), secure communication with SSL certificates is not adequate according to Orion Health. The SOAP request/call from ZFP to Orion endpoints should contain security headers. The options for security headers presented by OH are as follows:


    1. Digest Username and Password (Plaintext)

    2. Digest Username and Password (encrypted)

    3. Encrypted Username and Password (using an encryption certificate)

    4. Option to disable security headers -> for customers who have their systems in their local network and don't want to implement any security headers.


    The ZFP Product team confirms that current ZFP releases do not support security headers. To implement this, ZFP requires a code change in the next release.


    This idea is raised to prioritize the request in a future release ASAP.

    Thanks.
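
Added example, not part of the original request and not ZFP or Orion Health code: a sketch of a digest-style SOAP security header and the checks a receiving registry would apply to it. It assumes the "Digest Username and Password" option refers to the OASIS WS-Security UsernameToken profile with `PasswordDigest`, which the page does not state; the function names, username and password are constructed for illustration.

```python
import base64, hashlib, hmac, os
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-"
WSSE, WSU = NS + "wssecurity-secext-1.0.xsd", NS + "wssecurity-utility-1.0.xsd"
DIGEST = NS + "username-token-profile-1.0#PasswordDigest"
B64 = NS + "soap-message-security-1.0#Base64Binary"
FMT = "%Y-%m-%dT%H:%M:%SZ"

def password_digest(nonce: bytes, created: str, password: str) -> str:
    # UsernameToken profile: Base64(SHA-1(nonce + created + password))
    data = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def make_token(user, password, now=None, nonce=None):
    # Consumer side: a fresh random nonce and UTC timestamp for every request.
    nonce = nonce or os.urandom(16)
    created = (now or datetime.now(timezone.utc)).strftime(FMT)
    return {"user": user, "nonce": base64.b64encode(nonce).decode(),
            "created": created, "digest": password_digest(nonce, created, password)}

def security_header(tok):
    # Element placed inside <soap:Header> of the ITI-18 / ITI-43 request.
    return (f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><wsse:UsernameToken>'
            f'<wsse:Username>{escape(tok["user"])}</wsse:Username>'
            f'<wsse:Password Type="{DIGEST}">{tok["digest"]}</wsse:Password>'
            f'<wsse:Nonce EncodingType="{B64}">{tok["nonce"]}</wsse:Nonce>'
            f'<wsu:Created>{tok["created"]}</wsu:Created>'
            '</wsse:UsernameToken></wsse:Security>')

def verify(tok, passwords, seen, now=None, max_age=timedelta(minutes=5)):
    # Receiver side: reject unknown users, stale timestamps, reused nonces, bad digests.
    now = now or datetime.now(timezone.utc)
    password = passwords.get(tok["user"])
    if password is None:
        return "unknown-user"
    created = datetime.strptime(tok["created"], FMT).replace(tzinfo=timezone.utc)
    if abs(now - created) > max_age:
        return "stale"
    if (tok["user"], tok["nonce"]) in seen:
        return "replay"
    expected = password_digest(base64.b64decode(tok["nonce"]), tok["created"], password)
    if not hmac.compare_digest(expected, tok["digest"]):
        return "bad-digest"
    seen.add((tok["user"], tok["nonce"]))  # remember the nonce only after a valid digest
    return "ok"
```

The digest keeps the password itself out of the message, but the receiver must hold the same password to recompute it, and a captured header stays replayable unless the receiver enforces the timestamp window and nonce cache shown in `verify`.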