Configure SSL on Inbound HL7 Device

The Inbound HL7 device supports SSL/TLS tunnels via certificate exchange. This device, acting as an HL7 receiver, can provide a certificate to HL7 senders. Additionally, it can require and validate certificates sent by HL7 senders as part of the connection negotiation.

Specifying a server certificate will provide data protection (encryption) as well as guaranteeing Connexion's identity to each sender.

If you wish to validate the identity of senders, you can also require each client to send a certificate as part of the connection negotiation.

Server-Side Certificate

To enable SSL/TLS, you must

  • Enable SSL within the device configuration.

  • Specify which certificate will be provided to clients.

You need to specify a certificate to be provided to each sender (as part of the communications negotiation). If your data is crossing a publicly-accessible network, we recommend the use of a third-party purchased certificate. This type of certificate would be installed on the Connexion host operating system and then selected from the ‘Installed (Subject Name)’ drop-down list.

If you are operating within a private network and you have control of the sending side, you can generate a self-signed certificate using the ‘Generate Self-Signed Certificate’ button. You will need to Export this certificate and provide it to the sending system, as self-signed certificates must be explicitly trusted by the sender (typically by being installed into a certificate store).

Client Certificates

If you wish to validate the identity of each sender, you can require each sender to provide a certificate. The client-provided certificate will be matched against a list of accepted certificate thumbprints, and only those within the list will be allowed to connect.

To enable client certificate validation, check the ‘Validate Client Certificate’ option. You will then need to create a list of all acceptable certificates. If the sender has provided you with a certificate, use the import option to add it to the list. You may also generate your own certificate and then provide it to the sender.

To generate a new client certificate, click the Create New option followed by the Export link. Provide the exported .cer file to the customer.
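The thumbprint matching described above, written out as an added example (this is not Connexion's own code): the thumbprint is the SHA-1 hash of the certificate's DER encoding, the same value the Windows certificate dialog displays, so an exported .cer file (DER or base64 PEM) and the certificate a client presents during the handshake must hash to an entry in the accepted list. The DER bytes below are a constructed stand-in, not a real certificate.

```python
import base64
import hashlib
import re

# Constructed stand-in for the DER bytes of an exported .cer file. It is not a
# valid certificate; a thumbprint is simply SHA-1 over whatever DER bytes exist.
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(range(256)) + b"constructed-sample-cert"

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def load_der(data: bytes) -> bytes:
    """Accept a .cer file as raw DER or as base64 PEM and return the DER bytes."""
    match = PEM_RE.search(data)
    if match:
        return base64.b64decode(b"".join(match.group(1).split()))
    return data


def thumbprint(der: bytes) -> str:
    """Thumbprint as shown in the Windows certificate dialog: SHA-1 of the DER, upper-case hex."""
    return hashlib.sha1(der).hexdigest().upper()


def normalize(tp: str) -> str:
    """Drop the spaces, colons and invisible marks that ride along when a thumbprint is copied from a GUI."""
    return re.sub(r"[^0-9A-Fa-f]", "", tp).upper()


def build_allowlist(entries) -> frozenset:
    """The receiver's list of accepted thumbprints, normalized once so formatting differences cannot cause a miss."""
    return frozenset(normalize(e) for e in entries)


def client_allowed(peer_der: bytes, allowlist: frozenset) -> bool:
    """Receiver-side decision: is the presented client certificate one of the accepted ones?
    With Python's ssl module the DER comes from conn.getpeercert(binary_form=True)."""
    return thumbprint(peer_der) in allowlist


def to_pem(der: bytes) -> bytes:
    """Wrap DER as PEM, the base64 form an exported .cer file often uses."""
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    accepted = build_allowlist([thumbprint(load_der(to_pem(SAMPLE_DER)))])
    print("sample client accepted:", client_allowed(SAMPLE_DER, accepted))
    print("altered client accepted:", client_allowed(SAMPLE_DER + b"!", accepted))
```

A certificate whose DER differs in even one byte (a re-issued client certificate, for instance) produces a different thumbprint and is rejected until its new thumbprint is imported into the list.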

Certificate validation can be a complex subject. We recommend qualified individuals review these settings and ensure that TLS tunnels are properly created (via Wireshark or similar tools).