Contents
Purpose
FQDN & IP Requirements
Certificate Requirements
Participant Connectivity Information
Surescripts Active/Active Data Centers
Surescripts Prescription Benefits and Medication History Connectivity Information
Surescripts Prescription Routing Connectivity Information
Purpose
Surescripts' objective for its Transport Layer Security (TLS) / Public Key Infrastructure (PKI)
Certificate Interconnection Policy is to ensure the integrity and scalability of the Pharmacy Health
Information Exchange by allowing only authorized Participants to have authenticated and secure
access to the network, while avoiding unnecessary operational complexity or expense to our
Participants.
(PHI), and the Production environment should not contain test information. Participant
employees / contractors may have varying levels of access to PHI; therefore, access to
Staging/QA/Development systems should not directly allow access to Production.
6. The IP address provided should be registered with the American Registry for Internet
   Numbers (ARIN) using the Participant's name and contact information (i.e. Amazon,
   AT&T, Yahoo, or Comcast should not be used).
   a) If the provided IP address is not registered to the Participant, the Participant must
      send an email to Surescripts to affirm that the IP address provided is operated by the
      Participant.
   b) The email must come from the Participant domain (i.e. no @yahoo.com or
      @gmail.com).
7. TLS connections inbound to Surescripts must use TCP port 443.
Certificate Requirements
1. Certificate Common Name must match the FQDN provided in the URL.
2. Certificate Common Name must be an FQDN, not an IP address.
3. Certificate must be signed by a public Trusted Root Certificate Authority (CA) with a
   minimum 2048-bit Public Key.
   a) A public Trusted Root Certificate Authority (CA) is defined as a provider that
      minimally follows the CA operational criteria outlined in either the WebTrust
      Principles and Criteria for Certification Authorities (www.webtrust.org) or the
      equivalent ANSI / ETSI-TS guidelines.
   b) The CA must have completed a WebTrust for Certificate Authorities
      (www.webtrust.org) audit or an equivalent third-party attestation.
      i. Surescripts must recognize the Root CA as a valid and trusted entity. For a
         sample list of Root CAs, go to: http://support.microsoft.com/kb/931125.
      ii. Surescripts will NOT accept self-signed certificates or certificates issued by a
         private Certificate Authority.
      iii. Surescripts will not manually import any Participant Public Key issued by a
         Private CA. Surescripts cannot make any exceptions to this requirement.
   c) The certificate is not required to be set up specifically or solely for Surescripts (e.g.,
      Surescripts.mydomain.com). The same certificate applied on a server can be used
      for multiple sites.
   d) Generic FQDNs are acceptable in a certificate (i.e. www.mydomain.com), but must
      contain the Participant's domain name (mydomain.com). Surescripts currently does
      not support wildcard certificates (e.g., *.mydomain.com or mydomain.com).
   e) Certificate must be current and active (not expired or revoked). Surescripts rejects
      TLS connections with invalid certificates.
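The following pre-submission check is an added example, not part of the original Surescripts document. It applies the Common Name, wildcard, self-signed, key-size and expiry rules above to a certificate dict shaped like Python's `ssl.SSLSocket.getpeercert()` output; the function names, the separate `key_bits` argument and the sample certificates are assumptions made for illustration.

```python
import ipaddress
import ssl
from urllib.parse import urlsplit

def _attr(rdns, field):
    """First value of `field` in getpeercert()-style subject/issuer tuples."""
    return next((v for rdn in rdns for k, v in rdn if k == field), "")

def check_certificate(url, participant_domain, cert, key_bits, now):
    """Return policy violations for a cert dict shaped like getpeercert().

    key_bits is passed separately (assumption: the caller reads it from the
    certificate, since the getpeercert() dict does not include key size).
    Chain trust and revocation are left to the TLS handshake itself.
    """
    problems = []
    host = (urlsplit(url).hostname or "").lower()
    cn = _attr(cert.get("subject", ()), "commonName").lower()
    dom = participant_domain.lower()
    try:
        ipaddress.ip_address(cn)
        problems.append("CN is an IP address, not an FQDN")        # item 2
    except ValueError:
        pass
    if "*" in cn:
        problems.append("wildcard certificates are not supported")  # item 3(d)
    if cn != host:
        problems.append("CN does not match the FQDN in the URL")    # item 1
    if not (cn == dom or cn.endswith("." + dom)):
        problems.append("CN lacks the Participant domain name")     # item 3(d)
    if cert.get("issuer") == cert.get("subject"):
        problems.append("certificate is self-signed")               # item 3(b)(ii)
    if key_bits < 2048:
        problems.append("public key is shorter than 2048 bits")     # item 3
    if ssl.cert_time_to_seconds(cert["notAfter"]) <= now:
        problems.append("certificate has expired")                  # item 3(e)
    return problems

# Constructed sample data (not real certificates).
NOW = 1735689600  # 2025-01-01T00:00:00Z, fixed so the result is repeatable
GOOD = {"subject": ((("commonName", "www.mydomain.com"),),),
        "issuer": ((("commonName", "Example Public CA"),),),
        "notAfter": "Jun  1 12:00:00 2030 GMT"}
BAD = {"subject": ((("commonName", "*.mydomain.com"),),),
       "issuer": ((("commonName", "*.mydomain.com"),),),
       "notAfter": "Jan  1 00:00:00 2020 GMT"}

if __name__ == "__main__":
    print(check_certificate("https://www.mydomain.com/rx", "mydomain.com", GOOD, 2048, NOW))
    for p in check_certificate("https://www.mydomain.com/rx", "mydomain.com", BAD, 1024, NOW):
        print("REJECT:", p)
```

An issuer equal to the subject is only a heuristic for a self-signed certificate; whether the issuing CA is publicly trusted is decided by chain validation against the trust store.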
Project Details
What services will you be certifying on?
Prescription Routing
Prescription Benefit and Medication History
Medication History for Hospitals
Rx Change transaction
Cancel Rx transaction
Sending a Verify message
Receiving a Verify message
EPCS service
Yes
No
Prescription Routing:
See next section
Prescription Benefit and Medication History:
Yes
No
Prescription Routing:
See next section
Prescription Benefit and Medication History:
Yes
No
Messaging Source IP :
Directory IP :
Contact Information
Who is your Point-of-Contact for
Network/Firewall changes that the Surescripts
Network Services staff can work with?
Name:
Phone Number:
Email Address:
Name:
Phone Number:
Email Address:
Name:
Phone Number:
Email Address:
Name:
Phone Number:
Email Address:
Participants must use Fully Qualified Domain Names (FQDN) with public DNS lookups
to support the dynamic resolution of the Surescripts FQDN. DO NOT hard-code IP
addresses in hosts files or within application software. Failure to comply will result in an
inability to transmit messages to Surescripts primary and secondary data centers.
Surescripts will employ Global Traffic Manager which relies on DNS to route traffic.
Participants must add the Surescripts IP addresses for the secondary data center for all
Surescripts environments into their firewalls in order to transmit to and receive from both
Surescripts data centers.
It must be stressed that, because we route transactions between Participants, our network is
all-or-nothing by nature, and Surescripts is therefore making connectivity to BOTH of our data
centers mandatory. Regardless of Active/Active, Participants will not be able to use the
Surescripts disaster recovery center unless they complete the required setup.
Each data center (primary and secondary) is capable of supporting the entire network volume,
which allows for continuous availability even if one data center is temporarily unavailable (due
to network maintenance, etc.).
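The following configuration audit is an added example, not part of the original Surescripts document. It checks that an egress rule set permits port 443 to both data-center addresses this page lists for messaging.surescripts.net, and flags hosts-file entries that hard-code Surescripts names; the function names, the (CIDR, port) rule format and the sample configuration are assumptions.

```python
import ipaddress

# Inbound addresses for messaging.surescripts.net, taken from this page's table.
MESSAGING_IPS = {"primary": "69.25.46.7", "secondary": "38.126.166.7"}

def uncovered_data_centers(egress_rules, port=443, targets=MESSAGING_IPS):
    """Data centers whose address no egress rule (cidr, port) permits."""
    missing = []
    for name, ip in targets.items():
        addr = ipaddress.ip_address(ip)
        if not any(p == port and addr in ipaddress.ip_network(cidr)
                   for cidr, p in egress_rules):
            missing.append(name)
    return missing

def pinned_hosts(hosts_text, suffix="surescripts.net"):
    """(line number, ip, name) for hosts-file entries that hard-code the FQDNs."""
    hits = []
    for n, line in enumerate(hosts_text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()   # drop comments, split columns
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name == suffix or name.endswith("." + suffix):
                hits.append((n, fields[0], name))
    return hits

# Constructed sample configuration: only the primary data center is allowed
# on 443, and one Surescripts name is pinned in the hosts file.
SAMPLE_RULES = [("69.25.46.0/28", 443), ("38.126.166.7/32", 22)]
SAMPLE_HOSTS = """\
127.0.0.1   localhost
# 69.25.46.8 staging.surescripts.net   (commented out, ignored)
69.25.46.7  messaging.surescripts.net messaging
"""

if __name__ == "__main__":
    print("not reachable on 443:", uncovered_data_centers(SAMPLE_RULES))
    for lineno, ip, name in pinned_hosts(SAMPLE_HOSTS):
        print(f"hosts line {lineno}: {name} pinned to {ip}")
```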
Additional FAQ:
1. Q: Will we have the ability to test basic connectivity to/from the new data center before
implementation?
A: Yes. From a Participant's transmitting server, telnet to port 443 on the IP address
corresponding to the appropriate FQDN (e.g. telnet 38.126.166.7 443 to test
connectivity to messaging.surescripts.net at the Surescripts secondary data center).
2. Q: What are the new/additional Surescripts IPs we will need to open up on our firewalls
in support of the active-active data centers?
A: See tables below.
Port | Inbound to Surescripts Primary Data Center | Outbound from Surescripts Primary Data Center | Inbound to Surescripts Secondary Data Center | Outbound from Surescripts Secondary Data Center
https://switch-cert01.rxhub.net/rxhub
https://switch.rxhub.net/rxhub
443 | 208.86.145.233 | 208.86.145.228 | 209.117.210.233 | 209.117.210.132
443 | 208.86.145.253 | 208.86.145.228 | 209.117.210.253 | 209.117.210.132
22 | 208.86.145.238 | 208.86.145.228 | 209.117.210.238 | 209.117.210.132
22 | 208.86.145.239 | 208.86.145.228 | 209.117.210.239 | 209.117.210.132
80 | 208.86.145.235 | 208.86.145.228 | 209.117.210.235 | 209.117.210.132
80 | 208.86.145.254 | 208.86.145.228 | 209.117.210.254 | 209.117.210.132
https://transport-cert.rxhub.net
https://transport.rxhub.net
https://files-cert.rxhub.net/webdav/
https://files.rxhub.net/webdav/
https://cert.rxhub.net/pci/app/login/form
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
Legend: Must be added for Outbound from Surescripts (Secondary Data Center)

Environment | Name | Port | Inbound to Surescripts Primary Data Center | Outbound from Surescripts Primary Data Center | Inbound to Surescripts Secondary Data Center | Outbound from Surescripts Secondary Data Center
 | https://staging.surescripts.net/XXX/AuthenticatingXmlServer.aspx | 443 | 69.25.46.8 | 69.25.46.11 | 38.126.166.8 | 38.126.166.11
Production* | https://messaging.surescripts.net/XXX/AuthenticatingXmlServer.aspx | 443 | 69.25.46.7 | 69.25.46.10 | 38.126.166.7 | 38.126.166.10

Directory Messaging v4.0 (DirectoryDownload, AddPrescriber, AddPharmacy, etc.)
Certification* | https://staging.surescripts.net/XXX/DirectoryXmlServer.aspx | 443 | 69.25.46.8 | N/A | 38.126.166.8 | N/A
Production* | https://messaging.surescripts.net/XXX/Directoryxmlserver.aspx | 443 | 69.25.46.7 | N/A | 38.126.166.7 | N/A

Directories Messaging v4.4 (DirectoryDownload, AddPrescriber, AddPharmacy, etc.)
Staging | https://staging.surescripts.net/Directory4dot4/directoryxmlserver.aspx | 443 | 69.25.46.8 | N/A | 38.126.166.8 | N/A
Production | https://admin.surescripts.net/directory4dot4/directoryxmlserver.aspx | 443 | 69.25.46.5 | N/A | 38.126.166.5 | N/A

 | https://staging.surescripts.net/Downloads/ | 443 | 69.25.46.8 | N/A | 38.126.166.8 | N/A
Production | https://admin.surescripts.net/Downloads/ | 443 | 69.25.46.5 | N/A | 38.126.166.5 | N/A

 | https://staging.surescripts.net | 443 | 69.25.46.8 | 69.25.46.11 | 38.126.166.8 | 38.126.166.11
Production | https://admin.surescripts.net | 443 | 69.25.46.5 | 69.25.46.10 | 38.126.166.5 | 38.126.166.10
*You will post messages to these URLs, where XXX will be replaced with your Surescripts-assigned information. Your assigned information will be sent out at a later date, in your connectivity form. Green denotes new IPs for Directories.