OCSP Revocation Checking

SSL Manager User Guide

CRL Revocation Checking

If enabled, Certificate Revocation List (CRL) checking will be done on all local and remote certificates. The issuer of the CRL must be included in your trusted certificates as well in order to verify signatures. CRL Enabled option on the SSL Settings window Select the wrench icon to open the CRL Settings window: CRL Settings window with CRL URI field and Hard Fail option CRL URI: This setting is optional. If specified, this URI will be used in addition to any certificate CRL Distribution Points when checking for revocation. HTTP, File FTP, or LDAP URIs are supported. Hard Fail: When enabled, this connector will depend on the remote CRL provider. If a CRL cannot be downloaded or verified for any reason, all connections will fail revocation checks. Parent topic: Common Connector SSL Settings

SSL Manager User Guide

Subject DN Validation

If enabled, only client certificates with subject distinguished names (DNs) matching the given list will be allowed. If a client certificate not matching any of the trusted DNs is presented, the SSL connection / handshake will fail. Subject DN Validation option on the SSL Settings window Select the wrench icon to open the Trusted Subject DNs window: Set Trusted Certificate Subject DNs window Select the New / Delete buttons to add or remove entries. For each Trusted Subject DN entry, configure the following: Distinguished Name: The full or partial distinguished name (DN) to trust. This will be matched against the Subject DN of the remote certificate. Full Match: If enabled, all components (RDNs) configured here must match the ones in the certificate, and the subject DN cannot have any additional components. If disabled, the components configured here will only be considered a required subset, and the subject DN may have additional components. Example 1 Example 2 Example 3 Parent topic:

SSL Manager User Guide

Common Connector SSL Settings

The following sections provide descriptions and examples of common connector SSL settings. Subject DN Validation OCSP Revocation Checking CRL Revocation Checking Enabled TLS/SSL Protocols Enabled TLS/SSL Cipher Suites Subject DN Validation OCSP Revocation Checking CRL Revocation Checking Enabled TLS/SSL Protocols Enabled TLS/SSL Cipher Suites

Mirth® Connect by NextGen Healthcare User Guide

SSL Manager Extension

This section only applies if you have the SSL Manager extension installed. This guide will summarize the available settings, but there is a separate user guide specifically written for the SSL Manager that goes into depth about all the available features. Contact our help desk to obtain a copy of the SSL Manager guide. Source Connector Settings Client Authentication: Client authentication (sometimes called mutual or bi-lateral authentication) can provide additional security as both the client and server must present certificates that the other can choose to trust or not. The Trusted Client Certificatessection determines which client certs (or intermediate/root certs) to trust. Present Issuer DNs: This is only applicable when Client Authentication is used. If enabled, during the SSL handshake the server will respond with a list of accepted client issuer distinguished names (DNs). Disabling this can provide extra security as potential attackers are given less information about the correc

SSL Manager User Guide

Apply Source Connector SSL Settings

On the Channels page, double-click a channel in the Channel list. Select the Source tab. In the Connector Type field, select the connector type that supports the SSL Manager (for example, HTTP Listener, Web Service Listener, File Reader in FTP mode). In the SSL Settings section - Enable field, select Yes. Enabling SSL Settings Select the wrench icon to open the SSL Settings window: Items on the SSL Settings Window Item Name Default Value Description A My Server Certificate None Select the local certificate used to identify this listener connector. For additional information, see My Server Certificate B Client Authentication Disabled Disabled: No client authentication is requested. Request: Client certificate is requested but not required. If the client presents a certificate it will be used for extra security. Require: Client certificate is required. If the client does not present a certificate, the handshake will fail. C Client Certificate Validation Enabled If enabled, only the certi

SSL Manager User Guide

Apply Destination Connector SSL Settings

On the Channels page, double-click a channel in the Channel list. Select the Destinations tab. In the Connector Type field, select the connector type that supports the SSL Manager (HTTP Sender, Web Service Sender, File Writer in FTP mode). In the SSL Settings section, the SSL Manager is inactive. If you populate the URL field in the HTTP Sender Settings section, the field turns yellow with a Lock icon next to the URL. If you move the pointer over the Lock icon, a tool tip appears that explains the reason for the situation. (Selecting the Lock icon opens a window with the same content as the tool tip.) Adding a URL while the Manager is Inactive In the SSL Settings section - Use SSL Manager field, select Yes to nullify the locked condition and enable all security options and two-way authentication. (The URL field turns green to reflect the change.) Enabling SSL Manager Select the wrench icon to open the SSL Settings window: Items on the SSL Settings Window Item Name Default Value Descrip

OCSP Revocation Checking

Recommendations

CRL Revocation Checking

Subject DN Validation

Common Connector SSL Settings

SSL Manager Extension

Apply Source Connector SSL Settings

Apply Destination Connector SSL Settings

CRL Revocation Checking

Subject DN Validation

Common Connector SSL Settings

SSL Manager Extension

Apply Source Connector SSL Settings

Apply Destination Connector SSL Settings