Apply Source Connector SSL Settings

Item	Name	Default Value	Description
A	My Server Certificate	None	Select the local certificate used to identify this listener connector. For additional information, see My Server Certificate
B	Client Authentication	Disabled	Disabled: No client authentication is requested. Request: Client certificate is requested but not required. If the client presents a certificate it will be used for extra security. Require: Client certificate is required. If the client does not present a certificate, the handshake will fail.
C	Client Certificate Validation	Enabled	If enabled, only the certificates configured in the below Trusted Client Certificates section will be trusted. If disabled, all certificates are automatically trusted.
D	Trusted Client Certificates	Java Truststore only	Select the wrench icon here to select which certificates to trust. This applies not only to certificates presented by clients for mutual authentication, but also to those trusted for CRL / OCSP revocation checking. For additional information, see Trusted Client Certificates
E	Present Issuer DNs	Enabled	If enabled, during the SSL handshake the server will respond with a list of accepted client issuer distinguished names (DNs). Disabling this can provide extra security as potential attackers are given less information about the correct security parameters.
F	Subject DN Validation	No	If enabled, only client certificates with subject distinguished names (DNs) matching the given list will be allowed. If a client certificate not matching any of the trusted DNs is presented, the SSL connection / handshake will fail. For additional information, see Subject DN Validation
G	Allow Expired Certificates	No	If disabled, both local and remote certificates will be checked during the SSL handshake to ensure that none of the certificates in the accessible chain have expired.
H	OCSP Enabled	No	Select Yes to enable Online Certificate Server Protocol (OCSP) checking for all local and remote certificates. The issuer of the response certificate must be trusted as well in order to verify signatures. For additional information, see OCSP Revocation Checking
I	CRL Enabled	No	Select Yes to enable Certificate Revocation List (CRL) checking for all local and remote certificates. The issuer of the CRL must be included in your trusted certificates as well in order to verify signatures. For additional information, see CRL Revocation Checking
J	Enabled Protocols	Server defaults	The TLS/SSL protocols to enable for this listener connector. For additional information, see Enabled TLS/SSL Protocols
K	Enabled Cipher Suites	Server defaults	The TLS/SSL cipher suites to enable for this listener connector. For additional information, see Enabled TLS/SSL Cipher Suites

SSL Manager User Guide

Apply Destination Connector SSL Settings

On the Channels page, double-click a channel in the Channel list. Select the Destinations tab. In the Connector Type field, select the connector type that supports the SSL Manager (HTTP Sender, Web Service Sender, File Writer in FTP mode). In the SSL Settings section, the SSL Manager is inactive. If you populate the URL field in the HTTP Sender Settings section, the field turns yellow with a Lock icon next to the URL. If you move the pointer over the Lock icon, a tool tip appears that explains the reason for the situation. (Selecting the Lock icon opens a window with the same content as the tool tip.) Adding a URL while the Manager is Inactive In the SSL Settings section - Use SSL Manager field, select Yes to nullify the locked condition and enable all security options and two-way authentication. (The URL field turns green to reflect the change.) Enabling SSL Manager Select the wrench icon to open the SSL Settings window: Items on the SSL Settings Window Item Name Default Value Descrip

SSL Manager User Guide

Settings

Certificate DN Regex (optional) settings Validation Errors Select the type of errors you want this alert to trigger on. Expired: Triggers when a certificate has expired or is about to expire. If this option is checked, the Cert Expiration Settings below will be used. Revoked by CRL: Triggers when a channel/connector has CRL Revocation Checking enabled and encounters a certificate that has been revoked according to the CRL. Revoked be OCSP: Triggers when a channel/connector has OCSP Revocation Checking enabled and encounters a certificate that has been revoked according to the OCSP provider. DN Rejected: Triggers when a channel/connector has Subject DN Validation enabled and encounters a certificate that has been rejected due to an incorrect Subject DN. Cert Expiration Settings These settings are used when the Expired error type is enabled. Time Until Expiration: The amount of time (for example, 7d) before a certificate expires to trigger the alert. Only valid down to a minute-level pre

SSL Manager User Guide

Common Connector SSL Settings

The following sections provide descriptions and examples of common connector SSL settings. Subject DN Validation OCSP Revocation Checking CRL Revocation Checking Enabled TLS/SSL Protocols Enabled TLS/SSL Cipher Suites Subject DN Validation OCSP Revocation Checking CRL Revocation Checking Enabled TLS/SSL Protocols Enabled TLS/SSL Cipher Suites

SSL Manager User Guide

Trusted Client Certificates

Trusted Client Certificates: On the SSL Settings window, in the Trusted Client Certificates field, select the Wrench icon. The Trusted Certificates window appears. which is identical in task options and appearance to the Public Certificates table on the Settings - SSL Manager page. Trusted Certificates Window: Selecting Certificates and Selecting OK Check the boxes of the desired certificates (or select the Select All / Deselect All links above the list), then select the OK button. If you check [Java Truststore], all cacerts in the default Java TrustStore will be trusted. Note: To view the default Java Truststore contents, double-click the [Java Truststore] row. When you select the OK button, the Trusted Certificates window closes, and the Trusted Client Certificates section of the SSL Settings window reflects your selections. SSL Settings Window Displaying Trusted Client Certificates Parent topic: Apply Source Connector SSL Settings

SSL Manager User Guide

Subject DN Validation

If enabled, only client certificates with subject distinguished names (DNs) matching the given list will be allowed. If a client certificate not matching any of the trusted DNs is presented, the SSL connection / handshake will fail. Subject DN Validation option on the SSL Settings window Select the wrench icon to open the Trusted Subject DNs window: Set Trusted Certificate Subject DNs window Select the New / Delete buttons to add or remove entries. For each Trusted Subject DN entry, configure the following: Distinguished Name: The full or partial distinguished name (DN) to trust. This will be matched against the Subject DN of the remote certificate. Full Match: If enabled, all components (RDNs) configured here must match the ones in the certificate, and the subject DN cannot have any additional components. If disabled, the components configured here will only be considered a required subset, and the subject DN may have additional components. Example 1 Example 2 Example 3 Parent topic:

Mirth® Connect by NextGen Healthcare User Guide

SSL Manager Extension

This section only applies if you have the SSL Manager extension installed. This guide will summarize the available settings, but there is a separate user guide specifically written for the SSL Manager that goes into depth about all the available features. Contact our help desk to obtain a copy of the SSL Manager guide. Source Connector Settings Client Authentication: Client authentication (sometimes called mutual or bi-lateral authentication) can provide additional security as both the client and server must present certificates that the other can choose to trust or not. The Trusted Client Certificatessection determines which client certs (or intermediate/root certs) to trust. Present Issuer DNs: This is only applicable when Client Authentication is used. If enabled, during the SSL handshake the server will respond with a list of accepted client issuer distinguished names (DNs). Disabling this can provide extra security as potential attackers are given less information about the correc

Apply Source Connector SSL Settings

Recommendations

Apply Destination Connector SSL Settings

Settings

Common Connector SSL Settings

Trusted Client Certificates

Subject DN Validation

SSL Manager Extension