SSL Manager Extension
This section only applies if you have the SSL Manager extension installed. This guide will summarize the available settings, but there is a separate user guide specifically written for the SSL Manager that goes into depth about all the available features. Contact our help desk to obtain a copy of the SSL Manager guide.
Source Connector Settings
- Client Authentication: Client authentication (sometimes called mutual or bilateral authentication) can provide additional security, as both the client and server must present certificates that the other can choose to trust or not. The Trusted Client Certificates section determines which client certs (or intermediate/root certs) to trust.
- Present Issuer DNs: This is only applicable when Client Authentication is used. If enabled, during the SSL handshake the server will respond with a list of accepted client issuer distinguished names (DNs). Disabling this can provide extra security as potential attackers are given less information about the correct security parameters.
- Subject DN Validation: This is only applicable when Client Authentication is used. If enabled, only client certificates with subject distinguished names (DNs) matching the given list will be allowed. If a client certificate not matching any of the trusted DNs is presented, the SSL connection / handshake will fail.
- Allow Expired Certificates: The default value for this is No, meaning that when an expired certificate is encountered, the SSL handshake will fail. It is recommended not to enable this unless you need to for legacy purposes or for development/testing.
- OCSP Enabled: Select Yes to enable Online Certificate Status Protocol (OCSP) checking for all local and remote certificates. The issuer of the OCSP response certificate must also be trusted in order to verify signatures.
- CRL Enabled: Select Yes to enable Certificate Revocation List (CRL) checking for all local and remote certificates. The issuer of the CRL must be included in your trusted certificates as well in order to verify signatures.
- Protocols / Cipher Suites: The server defaults (set in mirth.properties) are used by default here. However you can choose to override this and enable/disable certain protocols or cipher suites here. For example, you may need to enable a less secure cipher suite in order to communicate with an external legacy system. Any settings you override here will only affect this connector, not any other connector or the overall server settings. So you can still allow less secure settings for a particular connection without affecting anything else on your Mirth Connect server.
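The "Protocols / Cipher Suites" override described above (for both source and destination connectors) is easiest to reason about as a merge: server-wide defaults first, then this connector's override on top, with the result visible only to that connector. The following is an added example in Python's ssl module, not Mirth Connect code; SERVER_DEFAULTS stands in for the values that would live in mirth.properties, and the setting names and the LEGACY_OVERRIDE dict are invented for the demo.

```python
# Added example (not Mirth Connect code): a per-connector "Protocols / Cipher
# Suites" override layered on server-wide defaults without changing them.
# SERVER_DEFAULTS stands in for values that would live in mirth.properties;
# the keys and LEGACY_OVERRIDE are invented for this demo.
import ssl

SERVER_DEFAULTS = {
    "minimum_version": ssl.TLSVersion.TLSv1_2,
    # Forward-secret AEAD suites only; OpenSSL always lists the TLS 1.3 suites too.
    "ciphers": "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL",
}

# Override for the one connector that must talk to a legacy system: it adds the
# TLS 1.2 CBC suites (...-SHA256 / ...-SHA) on top of the defaults. Nothing else
# on the server sees this list.
LEGACY_OVERRIDE = {"ciphers": SERVER_DEFAULTS["ciphers"] + ":ECDHE+AES128:ECDHE+AES256"}


def build_context(purpose, override=None):
    """Merge the server defaults with this connector's override, then build a context."""
    settings = {**SERVER_DEFAULTS, **(override or {})}
    ctx = ssl.SSLContext(purpose)
    ctx.minimum_version = settings["minimum_version"]
    ctx.set_ciphers(settings["ciphers"])
    return ctx


def server_default_context():
    """What every connector gets when it does not override anything."""
    return build_context(ssl.PROTOCOL_TLS_CLIENT)


def legacy_connector_context():
    """The single connector carrying the less secure override."""
    return build_context(ssl.PROTOCOL_TLS_CLIENT, LEGACY_OVERRIDE)


def cipher_names(ctx):
    return sorted(c["name"] for c in ctx.get_ciphers())


def cbc_suites(ctx):
    """TLS 1.2 CBC suites: names ending in -SHA / -SHA256 / -SHA384 with no AEAD marker."""
    return [n for n in cipher_names(ctx)
            if "-SHA" in n and "GCM" not in n and "CHACHA" not in n]


def min_version_name(ctx):
    return ctx.minimum_version.name


if __name__ == "__main__":
    for label, ctx in (("server default", server_default_context()),
                       ("legacy connector", legacy_connector_context())):
        print(f"{label}: min {min_version_name(ctx)}, "
              f"{len(cipher_names(ctx))} suites, CBC suites: {cbc_suites(ctx)}")
```

The override only widens the cipher list; the minimum protocol version is left at the server default, which is the usual shape of a legacy accommodation. Running the script shows the default context with no CBC suites and the legacy context with the extra ones, and rebuilding the default context afterwards confirms the override did not leak into it.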
Destination Connector Settings
- Trusted Server Certificates: This section determines which server certs (or intermediate/root certs) to trust.
- Hostname Validation: If enabled, validation will fail if the Subject CN (or Subject Alternative Name) presented in the server certificate does not match the actual endpoint the connector is dispatching to. If disabled, valid certificates will be accepted even if the host name does not match.
- Subject DN Validation: If enabled, only server certificates with subject distinguished names (DNs) matching the given list will be allowed. If a server certificate not matching any of the trusted DNs is presented, the SSL connection / handshake will fail.
- Allow Expired Certificates: The default value for this is No, meaning that when an expired certificate is encountered, the SSL handshake will fail. It is recommended not to enable this unless you need to for legacy purposes or for development/testing.
- OCSP Enabled: Select Yes to enable Online Certificate Status Protocol (OCSP) checking for all local and remote certificates. The issuer of the OCSP response certificate must also be trusted in order to verify signatures.
- CRL Enabled: Select Yes to enable Certificate Revocation List (CRL) checking for all local and remote certificates. The issuer of the CRL must be included in your trusted certificates as well in order to verify signatures.
- My Client Certificate: Client authentication (sometimes called mutual or bilateral authentication) can provide additional security, as both the client and server must present certificates that the other can choose to trust or not. To enable this, simply provide a client cert for this setting and it will be presented to the server. It is up to the server to validate or ignore the client cert.
- Protocols / Cipher Suites: The server defaults (set in mirth.properties) are used by default here. However you can choose to override this and enable/disable certain protocols or cipher suites here. For example, you may need to enable a less secure cipher suite in order to communicate with an external legacy system. Any settings you override here will only affect this connector, not any other connector or the overall server settings. So you can still allow less secure settings for a particular connection without affecting anything else on your Connect server.
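The Subject DN Validation, Allow Expired Certificates and Hostname Validation settings in both lists above are all decisions made about a presented certificate before the connection is allowed to proceed. The following added example (Python, not Mirth Connect code) models those three decisions over the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns, so it runs offline; SAMPLE_CERT is a constructed record, not a real certificate, and the CertPolicy field names are this example's own.

```python
# Added example (not Mirth Connect code): a certificate-acceptance policy mirroring
# the SSL Manager's Subject DN Validation, Allow Expired Certificates and Hostname
# Validation settings, applied to a getpeercert()-shaped record.
import ssl
import time
from dataclasses import dataclass, field
from ipaddress import ip_address

# getpeercert() spells attributes out in full; configured DNs use the short forms.
SHORT_NAMES = {"countryName": "C", "stateOrProvinceName": "ST", "localityName": "L",
               "organizationName": "O", "organizationalUnitName": "OU",
               "commonName": "CN", "emailAddress": "EMAILADDRESS", "domainComponent": "DC"}


@dataclass
class CertPolicy:
    trusted_subject_dns: list = field(default_factory=list)  # empty list = validation off
    allow_expired: bool = False
    hostname_validation: bool = True


def dn_from_peercert(name):
    """Flatten getpeercert()'s ((('commonName', 'x'),), ...) into an order-insensitive set."""
    return frozenset((SHORT_NAMES.get(a, a).upper(), v.strip()) for rdn in name for a, v in rdn)


def parse_dn(text):
    """Parse a configured 'CN=a, O=b, C=US' string; a backslash escapes a literal comma."""
    parts, buf, escaped = [], [], False
    for ch in text:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return frozenset((a.strip().upper(), v.strip())
                     for a, _, v in (p.partition("=") for p in parts))


def _dns_match(pattern, host):
    """Exact match, or a single leftmost wildcard that covers exactly one label."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if pattern.startswith("*."):
        p, h = pattern.split("."), host.split(".")
        return len(p) == len(h) > 2 and p[1:] == h[1:]
    return pattern == host


def hostname_matches(cert, host):
    san = cert.get("subjectAltName", ())
    try:
        ip = ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:  # endpoint given as an IP: only an IP Address SAN can match it
        return any(k == "IP Address" and ip_address(v) == ip for k, v in san)
    dns_names = [v for k, v in san if k == "DNS"]
    if not dns_names:  # no DNS SAN: fall back to the Subject CN, as the setting describes
        dns_names = [v for a, v in dn_from_peercert(cert["subject"]) if a == "CN"]
    return any(_dns_match(p, host) for p in dns_names)


def evaluate(cert, policy, endpoint_host=None, now=None):
    """Return the reasons the connector would reject this certificate (empty list = accepted)."""
    now = time.time() if now is None else now
    failures = []
    valid_from = ssl.cert_time_to_seconds(cert["notBefore"])
    valid_to = ssl.cert_time_to_seconds(cert["notAfter"])
    if not policy.allow_expired and not valid_from <= now <= valid_to:
        failures.append("certificate expired or not yet valid")
    if policy.trusted_subject_dns:
        subject = dn_from_peercert(cert["subject"])
        if not any(subject == parse_dn(dn) for dn in policy.trusted_subject_dns):
            failures.append("subject DN not in trusted list")
    if policy.hostname_validation and endpoint_host is not None:
        if not hostname_matches(cert, endpoint_host):
            failures.append(f"hostname {endpoint_host} does not match certificate")
    return failures


# Constructed peer-certificate record in getpeercert() format (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),), (("organizationName", "Example Hospital"),),
                (("commonName", "hl7.example.org"),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
    "subjectAltName": (("DNS", "hl7.example.org"), ("DNS", "*.interfaces.example.org"),
                       ("IP Address", "10.20.30.40")),
}
# Fixed clock values so the checks are reproducible.
NOW = ssl.cert_time_to_seconds("Jul  1 00:00:00 2025 GMT")
AFTER_EXPIRY = ssl.cert_time_to_seconds("Jan  2 00:00:00 2030 GMT")

if __name__ == "__main__":
    policy = CertPolicy(trusted_subject_dns=["CN=hl7.example.org, O=Example Hospital, C=US"])
    for host in ("hl7.example.org", "adt.interfaces.example.org", "10.20.30.40", "other.example.net"):
        print(host, evaluate(SAMPLE_CERT, policy, host, now=NOW) or "accepted")
    print("after expiry:", evaluate(SAMPLE_CERT, policy, "hl7.example.org", now=AFTER_EXPIRY))
```

Two details are worth noticing. DN comparison is done on attribute/value pairs rather than on the raw string, so "CN=a, O=b" and "O=b, CN=a" in the trusted list both match the same certificate, while a DN that differs in any attribute does not. Hostname validation prefers the Subject Alternative Name and only consults the Subject CN when no DNS entry is present, and a wildcard is allowed to stand in for exactly one label, so *.interfaces.example.org does not cover deep.adt.interfaces.example.org.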
Advanced Alerting - SSL Manager Trigger
If the Advanced Alerting extension is installed along with the SSL Manager, a new trigger type (the SSL Manager trigger) becomes available.
With this trigger type you can set up alerts that fire when a certificate has expired or been revoked, or when it has been rejected by a connector because of any Subject DN Validation settings you have configured.