SQL Server

Mirth® Connect by NextGen Healthcare User Guide

MySQL

By default, the MySQL Connector/J JDBC driver will automatically connect via SSL/TLS if the server supports it. To force encrypted traffic at all times, use the sslMode parameter: jdbc:mysql://localhost:3306/mirthdb?sslMode=VERIFY_IDENTITY The above mode makes sure that SSL/TLS is always used, the server cert is trusted, and hostname verification is also performed. For a more lenient and less secure connection (but still using SSL/TLS), you can also use the VERIFY_CA option which skips the hostname verification, or the REQUIRED option which doesn't require the server cert to be trusted and will work for self-signed certs. Consult these online documentation pages for more information: https://dev.mysql.com/doc/refman/8.0/en/using-encrypted-connections.html https://dev.mysql.com/doc/connector-j/8.0/en/connector-j-reference-configuration-properties.html Parent topic: Connect to Database using SSL/TLS

Mirth® Connect by NextGen Healthcare User Guide

PostgreSQL

The simplest way to enable SSL/TLS traffic is to add "ssl=true" to your JDBC URL. For example: jdbc:postgresql://localhost:5432/mirthdb?ssl=true There is also an "sslmode" property you can use for more granular options: jdbc:postgresql://localhost:5432/mirthdb?sslmode=verify-full And many other options as well. Consult these online documentation pages for more information: https://www.postgresql.org/docs/current/ssl-tcp.html https://jdbc.postgresql.org/documentation/ssl https://jdbc.postgresql.org/documentation/head/connect.html#ssl Parent topic: Connect to Database using SSL/TLS

Mirth® Connect by NextGen Healthcare User Guide

Importing the Database Server Certificate

If the certificate your database is using is self-signed or not signed by a common trusted Certificate Authority (CA), then you will likely need to import that certificate into your default Java truststore in order to connect to your database using SSL/TLS. Your default Java truststore is typically the "cacerts" JKS file that usually resides inside your Java installation folder under "jre/lib/security", and the default password is "changeit". You can also override the default truststore by supplying the "-Djavax.net.ssl.trustStore" JVM option into the mcserver.vmoptions or mcservice.vmoptions files. Using keytool: keytool -importcert -keystore /path/to/javahome/jre/lib/security/cacerts -storepass changeit - alias myalias - file /path/to/cert/server .crt -noprompt Make sure to change the paths and alias above as needed. Depending on your permissions you may need to perform this as sudo/Administrator to edit the Java cacerts truststore. You can also use a GUI tool like Portecle to import

Mirth® Connect by NextGen Healthcare User Guide

Oracle

By default SSL/TLS is not used when connecting to Oracle via the JDBC thin client. To enable it, use the protocol TCPS in the expanded URL syntax: jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=localhost)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=xe))) Note that the Oracle server must first be configured to support that TCPS protocol as well. Consult these online documentation pages for more information: https://docs.oracle.com/database/121/DBSEG/asossl.htm#DBSEG074 https://docs.oracle.com/en/database/oracle/oracle-database/20/jjdbc/client-side-security.html#GUID-2BD2F189-A58C-4A85-8524-CFD9BB9AC575 Parent topic: Connect to Database using SSL/TLS

Mirth® Connect by NextGen Healthcare User Guide

Connect to Database using SSL/TLS

By default, Mirth® Connect is configured to connect to an embedded Apache Derby database for quick deployment, development, and testing. When using Mirth® Connect in production environments, we recommend changing the underlying database to one of the supported servers: PostgreSQL 8.3+ MySQL 5.6+ Oracle 10gR2+ SQL Server 2005+ There is more information on changing the database type here: Changing the Database Type And more information about configurable options in mirth.properties here: mirth.properties File Typically these database connections are not encrypted by default. The instructions to enable SSL/TLS traffic for database connections differ depending on the database and JDBC driver you are using. Here are some instructions for each of the supported backend databases. For more information, consult the manuals for the specific database and JDBC driver you are using. Importing the Database Server Certificate PostgreSQL MySQL Oracle SQL Server Parent topic: Secure Installation and De

LDAP Authorization User Guide

Enable Encryption

Configure options for encrypted communication between Mirth® Connect by NextGen Healthcare and a Lightweight Directory Access Protocol (LDAP) server. Mirth® Connect by NextGen Healthcare can communicate with a Lightweight Directory Access Protocol (LDAP) server using an encrypted connection. You can set options to encrypt the LDAP connection. LDAP Configuration In the LDAP Configuration section, set Encryption to one of the following: None: No encryption is performed. STARTTLS: Start with Transport Layer Security (TLS) and upgrade to an encrypted connection. Typically, LDAP servers use port 389 for TLS. SSL: Use Secure Sockets Layer (SSL) protocol. Typically, LDAP servers use port 636 for SSL. Set Certificate Validation to one of the following: Enabled: Mirth® Connect does not connect to the LDAP server if the server presents an SSL certificate that is not trusted. For the connection to succeed, you need to first import the LDAP server public SSL certificate. Disabled: Mirth® Connect t

SQL Server

Recommendations

MySQL

PostgreSQL

Importing the Database Server Certificate

Oracle

Connect to Database using SSL/TLS

Enable Encryption

MySQL

PostgreSQL

Importing the Database Server Certificate

Oracle

Connect to Database using SSL/TLS

Enable Encryption