SSL Certificate Validation

Option	Description
Validation Errors	Select all of the error types you want the alert to trigger on. Expired: The alert triggers when a certificate you have currently imported has expired or is close to expiring. The Cert Expiration Settings (Time Until Expiration and Re-trigger Interval) provides additional conditions to this when Expired is selected. Revoked by CRL: The alert triggers when a certificate has been revoked in a Certificate Revocation List. This indicates the certificate is no longer valid and should be replaced. Revoked by OCSP: The alert triggers when a certificate has been revoked in a response from an OCSP (Online Certificate Server Protocol) server. This indicates the certificate is no longer valid and should be replaced. DN Rejected: The alert will trigger when the Subject Distinguished Name (DN) of the remote certificate has been rejected due to your configured DN rejection settings. For additional information, see the SSL Manager User Guide for Mirth® Connect by NextGen Healthcare on the NextGen Knowledge Center.
Certificate DN Regex	Optional. If specified, only certificates with a Subject Distinguished Name (DN) matching this Java-style regular expression causes this alert to trigger.
Time Until Expiration	The amount of time (for example, 7d) before a certificate expires to trigger the alert. Only valid down to a minute-level precision. If left blank, zero (0) is assumed, meaning the alert triggers when the certificate actually reaches its validity end date.
Re-trigger Interval	After the first certificate expiration trigger, the alert triggers again periodically at this interval until the certificate has either been replaced or removed. Only valid down to a minute-level precision. If left blank, the alert only triggers once for every time this alert is enabled.

Advanced Alerting User Guide

Channel Error

The Channel Error type triggers whenever a channel encounters an error. You can decide what type of errors you want your alert to trigger on. This includes choosing among categories of error types, and optionally using a regular expression that only allows events whose error source, error message, or exception stacktrace matches. An image of the Errors section. Alert Error Categories Any: Select this option to trigger on all error categories. Source Connector: An error that originated from the source connector during deploy/start, receiving a message, or sending a response. Destination Connector: An error that originated from a destination connector during deploy/start, dispatching a message, or receiving a response. Serializer: An error that originated from the source or destination filter/transformer script, specifically when serializing the message to the internal representation (such as XML), or deserializing the message to the outbound data type format. Filter: An error that origi

SSL Manager User Guide

Settings

Certificate DN Regex (optional) settings Validation Errors Select the type of errors you want this alert to trigger on. Expired: Triggers when a certificate has expired or is about to expire. If this option is checked, the Cert Expiration Settings below will be used. Revoked by CRL: Triggers when a channel/connector has CRL Revocation Checking enabled and encounters a certificate that has been revoked according to the CRL. Revoked be OCSP: Triggers when a channel/connector has OCSP Revocation Checking enabled and encounters a certificate that has been revoked according to the OCSP provider. DN Rejected: Triggers when a channel/connector has Subject DN Validation enabled and encounters a certificate that has been rejected due to an incorrect Subject DN. Cert Expiration Settings These settings are used when the Expired error type is enabled. Time Until Expiration: The amount of time (for example, 7d) before a certificate expires to trigger the alert. Only valid down to a minute-level pre

Advanced Alerting User Guide

About Trigger Types

Trigger types are pre-defined actions that initiate alerts. The following sections describe the different trigger types supported by the Advanced Alerting extension. Channel Error The Channel Error type triggers whenever a channel encounters an error. No. of Messages (Sliding Window) The No. of Messages (Sliding Window) trigger type listens for incrementing statistics on your channel or connector. If a certain amount of increment events occur for a particular statistic in a certain window of elapsed time, the alert triggers. No. of Messages (Threshold) The No. of Messages (Threshold) trigger type observes the current queued or error statistics for a particular channel or connector. If the statistic is greater than equal to the specified threshold for a certain amount of time, this alert will trigger. Deployed State The Deployed State trigger type observes the state of the currently deployed channels. SSL Certificate Validation The SSL Certificate Validation trigger type listens for err

SSL Manager User Guide

Advanced Alerting - SSL Certificate Validation Trigger

Note: Advanced Alerting is a separate extension available for Mirth® Connect by NextGen Healthcare. The following features are only available when both the SSL Manager and Advanced Alerting are installed. The SSL Certificate Validation trigger type for Advanced Alerting allows you to configure proactive alerts that trigger when a certificate has expired, been revoked, or when the Subject DN (distinguished name) has been rejected. Navigation Settings

SSL Manager User Guide

SSL Manager Global Settings

The Global Settings section allows you to configure certificate expiration warning settings. These warnings take place whenever any user logs into the Mirth® Connect by NextGen Healthcare Administrator. Proactive, automatic alerts for certificate expiration/revocation are also available with the Advanced Alerting extension. For additional information, see Advanced Alerting - SSL Certificate Validation Trigger. Global Settings section for SSL Manager Login Warnings: If enabled, users will be warned upon login if any certificates are no longer valid (expired or revoked). Time Until Expiration: The minimum amount of time (for example, 7d) before a certificate expires to start warning users. If left blank, zero (0) will be assumed, meaning that users will only be warned when certificates actually reach their validity end dates. Upon logging into the Administrator, if any certificates are expired or are within the Time Until Expiration range, the user will be shown a window like this: Error

Mirth® Connect by NextGen Healthcare User Guide

SSL Manager Extension

This section only applies if you have the SSL Manager extension installed. This guide will summarize the available settings, but there is a separate user guide specifically written for the SSL Manager that goes into depth about all the available features. Contact our help desk to obtain a copy of the SSL Manager guide. Source Connector Settings Client Authentication: Client authentication (sometimes called mutual or bi-lateral authentication) can provide additional security as both the client and server must present certificates that the other can choose to trust or not. The Trusted Client Certificatessection determines which client certs (or intermediate/root certs) to trust. Present Issuer DNs: This is only applicable when Client Authentication is used. If enabled, during the SSL handshake the server will respond with a list of accepted client issuer distinguished names (DNs). Disabling this can provide extra security as potential attackers are given less information about the correc

SSL Certificate Validation

Recommendations

Channel Error

Settings

About Trigger Types

Advanced Alerting - SSL Certificate Validation Trigger

SSL Manager Global Settings

SSL Manager Extension

Channel Error

Settings

About Trigger Types

Advanced Alerting - SSL Certificate Validation Trigger

SSL Manager Global Settings

SSL Manager Extension