Mirth® Connect by NextGen Healthcare User Guide
Networking
By its very nature, Mirth® Connect is an application that typically has a lot of inbound and outbound connections. It is up to you (or your IT staff) to decide how lenient or strict you want your firewall to be. Typically all inbound access is denied by default, and specific IP/port rules are added for specific channels. Outbound connectivity is less of a concern, and typically all outbound connections are allowed.

[Image: network topography]

By default, Mirth® Connect listens on two ports: 8080 and 8443. These ports are used by the web server that serves up the main launch page, as well as API access (which the Administrator GUI and CLI use). The specific ports used can be configured in mirth.properties:

http.port
https.port

You can disable plain HTTP altogether by simply commenting out the "http.port" entry. This ensures that only secure HTTP (HTTPS) is used for all main web server traffic.

Parent topic: Secure Installation and Deployment
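A way to check the Networking guidance above against a deployed mirth.properties. This is an added example, not part of the Mirth® Connect documentation or product: the function names and both sample files are constructed, and it assumes the file follows standard Java .properties syntax ("#" or "!" comment lines, "=" or ":" separators).

```python
import re

# Constructed sample inputs, not taken from a real deployment.
DEFAULT_CONF = """\
# port bindings
http.port = 8080
https.port = 8443
"""

HARDENED_CONF = """\
# port bindings
#http.port = 8080
https.port = 8443
"""

# key, then "=", ":" or whitespace as separator, then the value
_ENTRY = re.compile(r"^\s*([^\s=:#!][^\s=:]*)\s*[=:\s]\s*(.*?)\s*$")


def active_properties(text):
    """Return uncommented key/value pairs; a later entry overrides an earlier one."""
    props = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#!":
            continue  # blank line or comment, e.g. a disabled "#http.port"
        match = _ENTRY.match(line)
        if match:
            props[match.group(1)] = match.group(2)
    return props


def audit_web_ports(text):
    """Return findings for the web server port entries (empty list = nothing to fix)."""
    props = active_properties(text)
    findings = []
    if "http.port" in props:
        findings.append(
            f"plain HTTP listener enabled (http.port={props['http.port']}); "
            "comment the entry out"
        )
    if "https.port" not in props:
        findings.append("https.port has no active entry; confirm the HTTPS listener port")
    return findings


if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_web_ports(conf) or "OK")
```

Because a later uncommented entry overrides an earlier commented one, the check also catches a file where http.port was disabled near the top and re-added further down.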
Installation Directory
In general, the principle of least privilege should be followed, and only Administrators should have access to the installation directory that Mirth® Connect is installed into. If installed on a dedicated machine, that machine should only be accessible to said administrators. If installed on a shared machine, it should be done in such a way that the Connect installation directory is only accessible by administrators.

Notes on specific folders inside the installation directory:

appdata: The Application Data Directory stores configuration and temporary files used by Mirth® Connect during runtime. Take note of:

configuration.properties: By default this file is used to store the current state of the Configuration Map. However, in mirth.properties you can choose to store the configuration map in the database, or you can select a different file location. For example, if you have a separate network storage location specifically for secure files, you could choose to store the configuration map f
Web Server Certificate
The certificate used for the main web server is stored in the keystore.jks file. If not present, Mirth® Connect will automatically create a new certificate upon startup. Since this auto-generated certificate is self-signed, you will see security warnings in your browser if you navigate to the HTTPS landing page.

You can replace this auto-generated certificate with your own company cert. This could still be self-signed or signed by an internal service if API/HTTPS access will only occur on your private company network. If you expose the API/HTTPS traffic over a publicly accessible DNS, you should replace this certificate with one that is signed by a CA (certificate authority).

For instructions on how to replace the web server certificate, look here: Application Data Directory

Parent topic: Secure Installation and Deployment
Environmental Upkeep
Not only is it important to properly configure Mirth® Connect, it is also critical to keep all aspects of your environment secure:

Mirth Connect Software
Operating System
Java

Parent topic: Security Best Practices
Connect to Database using SSL/TLS
By default, Mirth® Connect is configured to connect to an embedded Apache Derby database for quick deployment, development, and testing. When using Mirth® Connect in production environments, we recommend changing the underlying database to one of the supported servers:

PostgreSQL 8.3+
MySQL 5.6+
Oracle 10gR2+
SQL Server 2005+

There is more information on changing the database type here: Changing the Database Type

And more information about configurable options in mirth.properties here: mirth.properties File

Typically these database connections are not encrypted by default. The instructions to enable SSL/TLS traffic for database connections differ depending on the database and JDBC driver you are using. Here are some instructions for each of the supported backend databases. For more information, consult the manuals for the specific database and JDBC driver you are using.

Importing the Database Server Certificate
PostgreSQL
MySQL
Oracle
SQL Server

Parent topic: Secure Installation and De
Getting Started with Mirth® Connect
This section outlines the system requirements, walks you through the Mirth® Connect installation instructions, and explains the Mirth® Connect Administrator. If you have a stand-alone instance of Mirth® Connect, an installer is included for Windows®, Linux®, and macOS® systems.

Note: This section mainly pertains to the standalone version of Mirth® Connect. If you have purchased a Mirth® Appliance by NextGen Healthcare, you can disregard the download and installation procedures.

Mirth Connect System Requirements
The Mirth® Connect server is a fully standalone application that does not require any sort of application server.

Install Mirth Connect Using the Mirth Connect Installer
You can use the Mirth® Connect Installer (for Windows, Linux, and Mac OS X / macOS) to install Mirth® Connect or to upgrade a previous version of the software. The Mirt