Configure SSL on Inbound HL7 Device
The Inbound HL7 device supports SSL/TLS tunnels based on X.509 certificate exchange. This device, acting as an HL7 receiver, presents a certificate to HL7 senders. Additionally, it can require and validate certificates sent by HL7 senders as part of the connection negotiation.
Specifying a server certificate provides data protection (encryption of the HL7 traffic in transit) and lets each sender verify Connexion's identity, provided the sender actually validates the certificate it receives rather than accepting any certificate.
If you also wish to validate the identity of senders, you can require each client to present a certificate as part of the connection negotiation.
Server-Side Certificate
To enable SSL/TLS, you must enable SSL within the device configuration and specify which certificate will be provided to clients.
The certificate you select is provided to each sender as part of the communications negotiation. If your data is crossing a publicly-accessible network, we recommend the use of a third-party (commercially issued) certificate. This type of certificate, together with its private key, would be installed in the Connexion host's Windows certificate store and then selected from the ‘Installed (Subject Name)’ drop-down list. The subject name (or a subject alternative name) should match the host name the senders connect to, or the senders' validation will fail.
If you are operating within a private network and you have control of the sending side, you can generate a self-signed certificate using the ‘Generate Self-Signed Certificate’ button. You will need to Export this certificate and provide it to the sending system, as self-signed certificates must be explicitly trusted by the sender (typically by being installed into a certificate store). Note the expiry date of a self-signed certificate; the sender will start refusing connections once it expires, so plan its renewal.
The Connexion (or Remote Agent) service account must have read access to the certificate's private key. If the service account does not have read access, you may see errors similar to “The credentials supplied to the package were not recognized”.
In this case you should open the Windows certificate manager (certlm.msc for the local machine store), select the certificate, right-click → All Tasks → Manage Private Keys, then add the service account and grant it Read access only (not Full Control).
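The server-side procedure above, scripted as an added PowerShell example. This is not Connexion's own tooling (the ‘Generate Self-Signed Certificate’ button, the Export function and the certificate manager UI perform the same steps in the product); it shows what those steps do on the host. The host name, service account name and export path are assumptions.

```powershell
# Added example, not part of Connexion: create a self-signed server certificate,
# export the public certificate for the sender, and grant the service account
# read access to the private key. Run as an administrator on the Connexion host.
$HostName       = 'connexion.hospital.local'   # assumed: name senders connect to
$ServiceAccount = 'HOSPITAL\svc-connexion'     # assumed: Connexion/Remote Agent account
$ExportPath     = 'C:\temp\connexion-hl7.cer'  # assumed: where to write the .cer

# Self-signed, RSA-2048, SHA-256, server-authentication EKU, one-year validity.
# The machine store is used so a Windows service can reach the key.
$cert = New-SelfSignedCertificate `
    -Subject "CN=$HostName" -DnsName $HostName `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1') `
    -NotAfter (Get-Date).AddYears(1)

# Export only the public certificate. A .cer carries no private key; this is
# the file the sending system imports into its trusted store.
Export-Certificate -Cert $cert -FilePath $ExportPath -Type CERT | Out-Null
"Exported $ExportPath; thumbprint to confirm with the sender: $($cert.Thumbprint)"

# Locate the private-key file so its ACL can be edited. The default provider
# stores CNG keys under ProgramData\Microsoft\Crypto\Keys; a legacy CSP key
# lives under RSA\MachineKeys. Both cases are handled.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
} else {
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($rsa.CspKeyContainerInfo.UniqueKeyContainerName)"
}
if (-not (Test-Path $keyFile)) { throw "Private key file not found: $keyFile" }

# Equivalent of "Manage Private Keys": grant Read (not Full Control) to the
# service account so it can use the key but cannot replace or delete it.
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $ServiceAccount, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# Verify the resulting ACL entry before pointing the device at the certificate.
(Get-Acl -Path $keyFile).Access |
    Where-Object { $_.IdentityReference -eq $ServiceAccount } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

If the last command prints nothing, the rule was not applied (typically because the account name could not be resolved); the “credentials supplied to the package” error will persist until the service account appears with Read rights on the key file.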
Client Certificates
If you wish to validate the identity of each sender, you can require each sender to provide a certificate. The client-provided certificate is matched against a list of accepted certificate thumbprints, and only senders presenting a certificate on the list are allowed to connect. Because matching is by thumbprint, a renewed or reissued sender certificate has a new thumbprint and must be added to the list before the sender switches to it, otherwise its connections will be refused.
To enable client certificate validation, check the ‘Validate Client Certificate’ option. You will then need to create a list of all acceptable certificates. If the sender has provided you with a certificate, use the import option to add it to the list. You may also generate your own certificate and then provide it to the sender.
To generate a new client certificate, click the Create New option followed by the Export link, and provide the exported .cer file to the sender. A sending system can only present a certificate for which it holds the matching private key; a .cer file contains only the public certificate, so confirm that the sender has also been provisioned with the private key before testing the connection.
Certificate validation can be a complex subject. We recommend that qualified individuals review these settings and confirm that TLS tunnels are actually being negotiated (for example by inspecting the handshake in Wireshark or a similar tool) rather than assuming so from the configuration alone.
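A way to perform the check recommended above from the sender's side, as an added PowerShell example that is not part of Connexion. It opens a TLS connection to the Inbound HL7 listener, optionally presents a client certificate from the local store (so it also exercises the ‘Validate Client Certificate’ list), and reports what was negotiated. The host name, port, expected server thumbprint and client certificate thumbprint are assumptions to be replaced with your own values.

```powershell
# Added example, not part of Connexion: diagnostic TLS client for the Inbound
# HL7 listener. No HL7 is sent; only the handshake is exercised and reported.
$TargetHost       = 'connexion.hospital.local'          # assumed listener host
$TargetPort       = 6661                                # assumed listener port
$ExpectedServerTp = '<thumbprint from the Connexion admin>'  # assumed placeholder
$ClientCertTp     = $null   # assumed: set to a thumbprint in Cert:\CurrentUser\My to test client auth

function Normalize-Thumbprint([string]$tp) {
    # Thumbprints copied from the Windows certificate dialog often carry spaces,
    # colons or an invisible left-to-right mark (U+200E); strip them before comparing.
    ($tp -replace '[\s:\u200E]', '').ToUpperInvariant()
}

# Accept whatever the server presents so the handshake completes and can be
# reported; trust and pin checks are done explicitly below.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors) $true
}

# Optional client certificate, loaded from the user store by thumbprint.
$clientCerts = New-Object System.Security.Cryptography.X509Certificates.X509CertificateCollection
if ($ClientCertTp) {
    $wanted = Normalize-Thumbprint $ClientCertTp
    $c = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $wanted }
    if (-not $c) { throw "Client certificate $wanted not found in Cert:\CurrentUser\My" }
    if (-not $c.HasPrivateKey) { throw "Client certificate $wanted has no private key; it cannot be presented" }
    [void]$clientCerts.Add($c)
}

$tcp = New-Object System.Net.Sockets.TcpClient($TargetHost, $TargetPort)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
try {
    # TLS 1.2 only; an empty collection means "no client certificate".
    $ssl.AuthenticateAsClient($TargetHost, $clientCerts,
        [System.Security.Authentication.SslProtocols]::Tls12, $false)

    $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

    # Does this machine trust the server certificate? For a self-signed Connexion
    # certificate this is only true after the exported .cer has been imported.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $trusted = $chain.Build($remote)

    [pscustomobject]@{
        Protocol              = $ssl.SslProtocol
        Cipher                = "$($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"
        KeyExchange           = $ssl.KeyExchangeAlgorithm
        Hash                  = $ssl.HashAlgorithm
        ServerSubject         = $remote.Subject
        ServerNotAfter        = $remote.NotAfter
        ServerThumbprint      = $remote.Thumbprint
        ServerPinMatches      = ($remote.Thumbprint -eq (Normalize-Thumbprint $ExpectedServerTp))
        TrustedByThisHost     = $trusted
        ChainStatus           = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        ClientCertPresented   = ($null -ne $ssl.LocalCertificate)
        MutuallyAuthenticated = $ssl.IsMutuallyAuthenticated
    }
}
catch [System.Security.Authentication.AuthenticationException] {
    "Handshake refused by $TargetHost`:$TargetPort : $($_.Exception.Message)"
}
finally {
    $ssl.Dispose()
    $tcp.Close()
}
```

Run it twice once ‘Validate Client Certificate’ is enabled: with `$ClientCertTp` unset the handshake should be refused, and with a thumbprint from the accepted list it should complete with `MutuallyAuthenticated` true. A `ServerPinMatches` of false against the thumbprint the Connexion administrator shared means the sender is talking to a different certificate (a stale selection in the ‘Installed (Subject Name)’ list or an intercepting device), and a `TrustedByThisHost` of false on a self-signed certificate means the exported .cer has not been imported on the sending machine yet.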