[Tom Patton]

Hi Traci, What have you found for performance for an EC2 core vs. what you might have had previously/

[Tom Patton]

Update – thanks to Viken Ohannessian and James McPheron – my errors have been corrected.

Things I missed:

• The CA path and file do not need to be from a CA.  Put in the path to the file and the filename for the cert you get from your trading partner
• The public key and private key MUST MATCH.  And they must be generated from the same keystore entry.  We created a keystore entry with Portecle or Keystore explorer and then exported the public and private keys into pkcs12 files
• We then converted the pkcs12 keys into pem files (Clover TLS needs pem), using openssl commands

I hope that helps…

[Tom Patton]

Update – I opened a ticket with support on this and they forwarded to development.

Development suggested using tcp/ip rather than pdl.  This didn’t work either.

Support then indicated it was new config and to contact account rep for consulting services.

Will update with an answer once found, but the key issue is why clover doesn’t send my cert when requested?

[Tom Patton]

Thank you Jim – this was extremely helpful!

Using keytool I pulled the cert into the .jks file in /home/hci, but it still doesn’t seem to present the cert to the other side.

This is a client ssl connection – where the other side is expecting to receive their cert from us (that works with the cert file entry), then asks for our cert on our machine that we also shared with them.

It appears Clover doesn’t send the cert.  Maybe it has to do with this log entry:

__cSocket: >>>> Set SSL Client to Verify NONE…

I’m baffled too – this seems to be a clover thread / AIX setup thing, but your thoughts were helpful – b/c the .jks wasn’t setup yet…

 

[Tom Patton]

Jim – you are absolutely spot on.   Using the HL7 event to pass info to the SFTP file pickup thread didn’t work.  I really couldn’t get the filename and patient date passed in the msg meta data, and – it would also scan the entire folder looking for the file name passed.

In the end, we kept the logic and architecture the same and used the curl libraries shipped with Clover 19.1 and got it working.

Thank you for the response and the offer!!

[Tom Patton]

Thank you David – that is exactly what I had, but it didn’t have very good error recovery.

And now, the openssh libs of AIX don’t work with the Cloverleaf libs (Cloverleaf libs are newer).  So, I’m kind of suck.

[Tom Patton]

I also agree that it depends on your understanding of the OS.

However, you can always use Infor to setup your clustered environment – that has worked well for us to have the setup done and then we manage going forward.

We run AIX for Clover, and Windows for advanced security and global monitor – that works well.

We also run a windows OPENLink engine that handles an old SNA connection for registration data.  I had to switch to windows host server when IBM rolled communication manager into Websphere and the price was astronomical…

Ever since then I get grief every month when we need to do patching and need a 15 minute outage.

[Tom Patton]

I should also note that AIX FTP transfers this file at the correct size and it’s able to be displayed – CURL under TCL and in a FTP protocol thread has this problem where the file can’t be displayed and the file size is not accurate.

[Tom Patton]

David, thank you for your response.

I’ve tried the binary encoding on the thread, but then I can’t get authenticated…

I’ve forced binary by using curl option – CURLOPT_BINARYTRANSFER 1.

And it is transferring binary, but I’m getting 80,000 extra bytes added to the file….

The file size on AIX 7.1 (CL 6.1) is 180845 and ends up as 263058.

Here is my verbose log snippet – does anyone see anything odd?

* Hostname was NOT found in DNS cache

*   Trying 999.999.999.999…

* Connected to 999.999.999.999 (999.999.999.999) port 21 (#0)

< 220 EFT Server Enterprise 6.5.5.2

> USER someaccount

< 331 Password required for someaccount.

> PASS guessyguessy

< 230 Login OK. Proceed.

> PWD

< 257 "/" is current folder.

* Entry path is ‘/’

> EPSV

* Connect data stream passively

* ftp_perform ends with SECONDARY: 0

< 229 Entering Extended Passive Mode (|||5435|).

* Hostname was NOT found in DNS cache

*   Trying 999.999.999.999…

* Connecting to 999.999.999.999 (999.999.999.999) port 5435

* Connection failed

* connect to 999.999.999.999 port 21 failed: Connection timed out

* Failed to connect to 999.999.999.999 port 21: Connection timed out

* Failed EPSV attempt. Disabling EPSV

> PASV

< 227 Entering Passive Mode (999,999,999,999,76,163).

* Hostname was NOT found in DNS cache

*   Trying 999.999.999.999…

* Connecting to 999.999.999.999 (999.999.999.999) port 19619

* Connected to 999.999.999.999 (999.999.999.999) port 21 (#0)

> TYPE I

< 200 Type set to I.

> STOR ZZTEST6_CPOE2tom6_3032184_20170719_MQNeuroOncCons_F_19520101_F_02180_1028149_02180_1028149__H0414563.pdf

< 150 Opening BINARY mode data connection for ZZTEST6_CPOE2tom6_3032184_20170719_MQNeuroOncCons_F_19520101_F_02180_1028149_02180_1028149__H0414563.pdf.

* We are completely uploaded and fine

* Remembering we are in dir “”

< 226 Transfer complete. 263058 bytes transferred. 263058 bps.

> QUIT

< 221 Service closing control connection.

* Closing connection 0

any help is appreciated…

[Tom Patton]

Baron, We are in the middle of replacing our Cerner lab system with Soft.

We have also chosen to downgrade the 2.5.1 msgs from Soft to 2.3.1 for our other receiving systems – but not ELR.

At this point, for our Soft implementation, Soft is planning to send a 2.5.1 msg to our state (MA).

It sounds like you are just owngrading to Paragon for your own reporting right?

Mainly I just wanted you to know we are also dealing with Soft…

[Tom Patton]

Rob, thank you – I was on the same path – just not thinking of the IB TPS.  But that’s a better option.  We’ll ACK every msg and hold msgs until we get the last.

Thanks – and thank you for the code.

[Tom Patton]

Rob Abbott wrote:

Cloverleaf certainly has the ability to accept multiple packets for a single message.

[Tom Patton]

I have not seen a maximum yet – and I’ve sent some multi-MB (some double digit) files via TCP/IP with pdl driver with an encoded payload in OBX:5.

And yes, there was a backup while the packets were sent.

And no, it was never my intent to send files that large.  We have one department that, from time to time, forgets to reduce the picture quality setting on their 14 megapixel camera that they use to attach 5 pictures to the PDF report from….

[Tom Patton]

Jim,

You are right – the potential timing issues almost force this process into a more “batch-like” or decoupled process.

So I’m thinking  one process might be to receive the HL7 RP msg via TCP/IP and store that patient info and filename in a file.

The next process might pickup the patient-filename row from the file, match it to the PDF file and rename the PDF file (so it has the patient information from the HL7 msg in the filename e.g. MR, Last Name, DOB, DOS).

Then the third process could pickup the filename and build an hl7 msg and send that msg.

The 1st and 3rd processes would be Clover site threads.

The 2nd would be a cron script and would also email “file not found” msgs to the user if the file is not there after 48 hours.

As you can see by the timing of these post I’ve been walking around this for a couple weeks.

This seems like the most rational approach, but I can’t help but think I’m missing something.

This is for a CareFusion PDF where they refuse to place the pt last name in the filename – if they did, this would be done in 5 minutes…

[Tom Patton]

The aspect of HITECH I see affecting our engines it this:

“Technical safeguards affect PHI that is maintained or transmitted by any electronic media. This section addresses issues involving authentication of users, audit logs, checking data integrity, and ensuring data transmission security.”

Some vendors are implementing features in their engines to audit or prevent manual changes and resends of msgs going their engines.  Anyone hear of any plans like this for Clover?

[Author]

Replies