Revisions

  1. @jonbartels jonbartels revised this gist Jan 19, 2024. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion Managing SSL Connections in MC.md
    Original file line number Diff line number Diff line change
    @@ -18,7 +18,7 @@ The quick rundown is:
    5. Commercial solutions
    - Mirth has a commercial SSL extension - https://www.nextgen.com/products-and-services/integration-engine
    - Zen Healthcare IT has a an SSL extension with up-front pricing at - https://consultzen.com/zen-ssl-extension/
    - Innovar has published an AWS instance with SSL support at - https://aws.amazon.com/marketplace/pp/prodview-rrvfqfm5vxbtk?sr=0-2&ref_=beagle&applicationId=AWSMPContessa
    - Innovar has published an AWS instance with SSL support at - https://aws.amazon.com/marketplace/pp/prodview-rrvfqfm5vxbtk
    6. Channel code - You can use tools like Apache HTTP Commons or OKHttp in MC and use that code to deal with SSL

    The main consideration between these options are:
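    Review bot: the Zen Healthcare IT line directly above the changed link still reads "has a an SSL extension"; drop the doubled article while this block is being touched. The trailing context line "The main consideration between these options are:" also needs subject-verb agreement ("considerations ... are").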
  2. @jonbartels jonbartels revised this gist Apr 17, 2023. 1 changed file with 1 addition and 0 deletions.
    1 change: 1 addition & 0 deletions Managing SSL Connections in MC.md
    @@ -8,6 +8,7 @@ The quick rundown is:
    - The connector may flag these connections with a warning or red x. Test the channel first as the validator makes assumptions about SSL that may not apply in this case.
    2. The built-in MC HTTP *Listener* connector will not do SSL directly. A plugin or a proxy is necessary.
    - Tony Germano has a plugin implemented for SSL listeners for HTTPS at https://github.com/tonygermano/connect-plugins
    - Another open source SSL implementation is at https://github.com/tobchen/tc-ssl-plugin
    4. SSL firewalls or stunnel can also proxy the SSL connections. MC connects to the unsecured side of the tunnel and the SSL layer is handled on the other side. Open source tools:
    - stunnel https://www.stunnel.org/
    - haproxy http://www.haproxy.org/
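    Review bot: the added bullet "Another open source SSL implementation" sits under the HTTP Listener item but does not say whether the plugin covers listeners, senders, or both, unlike the bullet above it, which states "SSL listeners for HTTPS". Say what it covers so a reader can choose between the two links. The visible numbering also goes from 2 to 4 with no item 3.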
  3. @jonbartels jonbartels revised this gist Aug 15, 2022. 1 changed file with 2 additions and 0 deletions.
    2 changes: 2 additions & 0 deletions Managing SSL Connections in MC.md
    @@ -12,6 +12,8 @@ The quick rundown is:
    - stunnel https://www.stunnel.org/
    - haproxy http://www.haproxy.org/
    - nginx https://docs.nginx.com/

    An open-source tool that lets Mirth Connect manage `stunnel` has been published at https://github.com/pacmano1/mirthstunnel
    5. Commercial solutions
    - Mirth has a commercial SSL extension - https://www.nextgen.com/products-and-services/integration-engine
    - Zen Healthcare IT has a an SSL extension with up-front pricing at - https://consultzen.com/zen-ssl-extension/
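    Review bot: the new mirthstunnel sentence is added as an unindented paragraph between the nginx bullet and "5. Commercial solutions", which ends the ordered list at item 4 and starts a separate one at 5. Make it a sub-bullet of item 4, next to the stunnel link it relates to. It would also help to say what "manage" covers, for example whether the tool writes the stunnel configuration or only starts and stops the process.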
  4. @jonbartels jonbartels revised this gist Jul 11, 2022. 1 changed file with 4 additions and 1 deletion.
    5 changes: 4 additions & 1 deletion Managing SSL Connections in MC.md
    @@ -8,7 +8,10 @@ The quick rundown is:
    - The connector may flag these connections with a warning or red x. Test the channel first as the validator makes assumptions about SSL that may not apply in this case.
    2. The built-in MC HTTP *Listener* connector will not do SSL directly. A plugin or a proxy is necessary.
    - Tony Germano has a plugin implemented for SSL listeners for HTTPS at https://github.com/tonygermano/connect-plugins
    4. SSL firewalls or stunnel can also proxy the SSL connections. MC connects to the unsecured side of the tunnel and the SSL layer is handled on the other side.
    4. SSL firewalls or stunnel can also proxy the SSL connections. MC connects to the unsecured side of the tunnel and the SSL layer is handled on the other side. Open source tools:
    - stunnel https://www.stunnel.org/
    - haproxy http://www.haproxy.org/
    - nginx https://docs.nginx.com/
    5. Commercial solutions
    - Mirth has a commercial SSL extension - https://www.nextgen.com/products-and-services/integration-engine
    - Zen Healthcare IT has a an SSL extension with up-front pricing at - https://consultzen.com/zen-ssl-extension/
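    Review bot: item 4 says MC "connects to the unsecured side of the tunnel", but the new tool list gives no guidance on where that plaintext hop should live. Add a sentence recommending that the proxy run on the same host as MC, or on a trusted segment, with the plaintext port bound to loopback, so the unencrypted leg is not reachable from the wider network. The haproxy link is also the only one of the three given as plain http.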
  5. @jonbartels jonbartels revised this gist Apr 25, 2022. 1 changed file with 3 additions and 2 deletions.
    5 changes: 3 additions & 2 deletions Managing SSL Connections in MC.md
    @@ -9,9 +9,10 @@ The quick rundown is:
    2. The built-in MC HTTP *Listener* connector will not do SSL directly. A plugin or a proxy is necessary.
    - Tony Germano has a plugin implemented for SSL listeners for HTTPS at https://github.com/tonygermano/connect-plugins
    4. SSL firewalls or stunnel can also proxy the SSL connections. MC connects to the unsecured side of the tunnel and the SSL layer is handled on the other side.
    5. Commercial extensions
    5. Commercial solutions
    - Mirth has a commercial SSL extension - https://www.nextgen.com/products-and-services/integration-engine
    - Zen Healthcare IT has a competing SSL offering at - https://consultzen.com/zen-ssl-extension/
    - Zen Healthcare IT has a an SSL extension with up-front pricing at - https://consultzen.com/zen-ssl-extension/
    - Innovar has published an AWS instance with SSL support at - https://aws.amazon.com/marketplace/pp/prodview-rrvfqfm5vxbtk?sr=0-2&ref_=beagle&applicationId=AWSMPContessa
    6. Channel code - You can use tools like Apache HTTP Commons or OKHttp in MC and use that code to deal with SSL

    The main consideration between these options are:
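    Review bot: the added Innovar link carries marketplace tracking parameters ("?sr=0-2&ref_=beagle&applicationId=AWSMPContessa"); trim it to the bare "prodview-rrvfqfm5vxbtk" path. The reworded Zen line also introduces a doubled article, "has a an SSL extension".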
  6. @jonbartels jonbartels revised this gist Apr 4, 2022. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion Managing SSL Connections in MC.md
    @@ -3,7 +3,7 @@ Mirth Connect is awesome! One common question on the forums and Slack is how to
    The quick rundown is:
    1. The built-in MC HTTP *Sender* connector will do HTTPS if:
    - The endpoint has a certificate which is signed by a CA already present in the JVM truststore and has the right DN or SAN for the hostname. This is logically equivalent to the "green check" if you open the URL in a browser.
    - The certificate has been added to the truststore for the JVM that MC is running under (read https://kailo.tech/health-it/mirth-connect-add-ssl/_)
    - The certificate has been added to the truststore for the JVM that MC is running under
    - Changes to DNS or host files allow a hostname to match the DN or SAN already present in the cert (not reccomended)
    - The connector may flag these connections with a warning or red x. Test the channel first as the validator makes assumptions about SSL that may not apply in this case.
    2. The built-in MC HTTP *Listener* connector will not do SSL directly. A plugin or a proxy is necessary.
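    Review bot: with the kailo.tech link removed, the truststore bullet no longer tells the reader how to add a certificate. Replace the link with a short pointer, for example naming `keytool -importcert` and stating which truststore file the MC JVM actually reads. "reccomended" in the next bullet is misspelled.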
  7. @jonbartels jonbartels revised this gist Sep 20, 2021. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion Managing SSL Connections in MC.md
    @@ -15,6 +15,6 @@ The quick rundown is:
    6. Channel code - You can use tools like Apache HTTP Commons or OKHttp in MC and use that code to deal with SSL

    The main consideration between these options are:
    - Who is expected to manage the connections? Interface engineers benefit from options plugins that keep this inside MC
    - Who is expected to manage the connections? Interface engineers benefit from options plugins that keep this inside MC. Network engineers and devops will tend to prefer proxies and tunnels that are closer to the infrastructure layer than the application layer.
    - When will certs expire and what are the corporate policies about cert management? Most certificates are good for 1 to 3 years, that means that updates are required as the certificates expire. What option is easies for your organization to a) detect this expiration and b) update certificates BEFORE they expire as routine maintenance?
    - What other software in your environment uses SSL and how is that managed?
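    Review bot: the first consideration still reads "benefit from options plugins", which looks like a leftover from the earlier numbered wording; keep either "plugins" or "options", not both. In the expiry bullet, "easies" should be "easiest".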
  8. @jonbartels jonbartels revised this gist Sep 20, 2021. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion Managing SSL Connections in MC.md
    @@ -15,6 +15,6 @@ The quick rundown is:
    6. Channel code - You can use tools like Apache HTTP Commons or OKHttp in MC and use that code to deal with SSL

    The main consideration between these options are:
    - Who is expected to manage the connections? Interface engineers benefit from options 3 and 4. Network and DevOps are well positioned for 1 and 2.
    - Who is expected to manage the connections? Interface engineers benefit from options plugins that keep this inside MC
    - When will certs expire and what are the corporate policies about cert management? Most certificates are good for 1 to 3 years, that means that updates are required as the certificates expire. What option is easies for your organization to a) detect this expiration and b) update certificates BEFORE they expire as routine maintenance?
    - What other software in your environment uses SSL and how is that managed?
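    Review bot: the replacement line drops the Network and DevOps half of the old sentence, so the question "Who is expected to manage the connections?" is now answered for only one audience. Either restore a counterpart for infrastructure teams or reword the bullet. The new text "options plugins" also reads as an incomplete edit.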
  9. @jonbartels jonbartels revised this gist May 13, 2021. 1 changed file with 4 additions and 3 deletions.
    7 changes: 4 additions & 3 deletions Managing SSL Connections in MC.md
    @@ -7,11 +7,12 @@ The quick rundown is:
    - Changes to DNS or host files allow a hostname to match the DN or SAN already present in the cert (not reccomended)
    - The connector may flag these connections with a warning or red x. Test the channel first as the validator makes assumptions about SSL that may not apply in this case.
    2. The built-in MC HTTP *Listener* connector will not do SSL directly. A plugin or a proxy is necessary.
    3. SSL firewalls or stunnel can also proxy the SSL connections. MC connects to the unsecured side of the tunnel and the SSL layer is handled on the other side.
    4. Commercial extensions
    - Tony Germano has a plugin implemented for SSL listeners for HTTPS at https://github.com/tonygermano/connect-plugins
    4. SSL firewalls or stunnel can also proxy the SSL connections. MC connects to the unsecured side of the tunnel and the SSL layer is handled on the other side.
    5. Commercial extensions
    - Mirth has a commercial SSL extension - https://www.nextgen.com/products-and-services/integration-engine
    - Zen Healthcare IT has a competing SSL offering at - https://consultzen.com/zen-ssl-extension/
    5. Channel code - You can use tools like Apache HTTP Commons or OKHttp in MC and use that code to deal with SSL
    6. Channel code - You can use tools like Apache HTTP Commons or OKHttp in MC and use that code to deal with SSL

    The main consideration between these options are:
    - Who is expected to manage the connections? Interface engineers benefit from options 3 and 4. Network and DevOps are well positioned for 1 and 2.
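    Review bot: after this change the top-level numbering runs 2, 4, 5, 6, so there is no item 3 for the trailing consideration's "options 3 and 4" to refer to. Renumber the added items to 3, 4, 5, and refer to the options by name (plugins, proxies, commercial extensions, channel code) rather than by number so later insertions do not break the reference.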
  10. @jonbartels jonbartels revised this gist Mar 11, 2021. 1 changed file with 3 additions and 3 deletions.
    6 changes: 3 additions & 3 deletions Managing SSL Connections in MC.md
    @@ -7,11 +7,11 @@ The quick rundown is:
    - Changes to DNS or host files allow a hostname to match the DN or SAN already present in the cert (not reccomended)
    - The connector may flag these connections with a warning or red x. Test the channel first as the validator makes assumptions about SSL that may not apply in this case.
    2. The built-in MC HTTP *Listener* connector will not do SSL directly. A plugin or a proxy is necessary.
    2. SSL firewalls or stunnel can also proxy the SSL connections. MC connects to the unsecured side of the tunnel and the SSL layer is handled on the other side.
    3. Commercial extensions
    3. SSL firewalls or stunnel can also proxy the SSL connections. MC connects to the unsecured side of the tunnel and the SSL layer is handled on the other side.
    4. Commercial extensions
    - Mirth has a commercial SSL extension - https://www.nextgen.com/products-and-services/integration-engine
    - Zen Healthcare IT has a competing SSL offering at - https://consultzen.com/zen-ssl-extension/
    4. Channel code - You can use tools like Apache HTTP Commons or OKHttp in MC and use that code to deal with SSL
    5. Channel code - You can use tools like Apache HTTP Commons or OKHttp in MC and use that code to deal with SSL

    The main consideration between these options are:
    - Who is expected to manage the connections? Interface engineers benefit from options 3 and 4. Network and DevOps are well positioned for 1 and 2.
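    Review bot: the context line "Interface engineers benefit from options 3 and 4. Network and DevOps are well positioned for 1 and 2." is not updated with the renumbering, so its references shift: 3 and 4 are Commercial extensions and Channel code on the removed lines, and the proxy item and Commercial extensions on the added ones. Update the numbers, or name the options instead.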
  11. @jonbartels jonbartels revised this gist Mar 11, 2021. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion Managing SSL Connections in MC.md
    @@ -11,7 +11,7 @@ The quick rundown is:
    3. Commercial extensions
    - Mirth has a commercial SSL extension - https://www.nextgen.com/products-and-services/integration-engine
    - Zen Healthcare IT has a competing SSL offering at - https://consultzen.com/zen-ssl-extension/
    4. Channel code - You can use tools like Apache HTTP Commons in MC and use that code to deal with SSL
    4. Channel code - You can use tools like Apache HTTP Commons or OKHttp in MC and use that code to deal with SSL

    The main consideration between these options are:
    - Who is expected to manage the connections? Interface engineers benefit from options 3 and 4. Network and DevOps are well positioned for 1 and 2.
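    Review bot: the channel-code item now names two client libraries but says nothing about certificate validation, which becomes the channel author's responsibility once a custom client is used. Add a clause that such code should keep certificate and hostname verification enabled and load its trust material from a managed truststore. The project spells its name "OkHttp", and "Apache HTTP Commons" presumably means Apache HttpComponents HttpClient.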
  12. @jonbartels jonbartels revised this gist Mar 11, 2021. 1 changed file with 3 additions and 1 deletion.
    4 changes: 3 additions & 1 deletion Managing SSL Connections in MC.md
    Original file line number Diff line number Diff line change
    @@ -1,10 +1,12 @@
    Mirth Connect is awesome! One common question on the forums and Slack is how to manage SSL connctions. These questions mainly focus on HTTPS but also include TCP connections.

    The quick rundown is:
    1. The built-in MC HTTP connector will do HTTPS if:
    1. The built-in MC HTTP *Sender* connector will do HTTPS if:
    - The endpoint has a certificate which is signed by a CA already present in the JVM truststore and has the right DN or SAN for the hostname. This is logically equivalent to the "green check" if you open the URL in a browser.
    - The certificate has been added to the truststore for the JVM that MC is running under (read https://kailo.tech/health-it/mirth-connect-add-ssl/_)
    - Changes to DNS or host files allow a hostname to match the DN or SAN already present in the cert (not reccomended)
    - The connector may flag these connections with a warning or red x. Test the channel first as the validator makes assumptions about SSL that may not apply in this case.
    2. The built-in MC HTTP *Listener* connector will not do SSL directly. A plugin or a proxy is necessary.
    2. SSL firewalls or stunnel can also proxy the SSL connections. MC connects to the unsecured side of the tunnel and the SSL layer is handled on the other side.
    3. Commercial extensions
    - Mirth has a commercial SSL extension - https://www.nextgen.com/products-and-services/integration-engine
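    Review bot: the added Listener item is numbered 2, and so is the following "SSL firewalls or stunnel" item; renumber the rest of the list. The new bullet "The connector may flag these connections with a warning or red x" is a caveat rather than a condition, so it reads oddly under "will do HTTPS if:"; move it to a note after the conditions.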
  13. @jonbartels jonbartels revised this gist Dec 16, 2020. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion Managing SSL Connections in MC.md
    @@ -3,7 +3,7 @@ Mirth Connect is awesome! One common question on the forums and Slack is how to
    The quick rundown is:
    1. The built-in MC HTTP connector will do HTTPS if:
    - The endpoint has a certificate which is signed by a CA already present in the JVM truststore and has the right DN or SAN for the hostname. This is logically equivalent to the "green check" if you open the URL in a browser.
    - The certificate has been added to the truststore for the JVM that MC is running under
    - The certificate has been added to the truststore for the JVM that MC is running under (read https://kailo.tech/health-it/mirth-connect-add-ssl/_)
    - Changes to DNS or host files allow a hostname to match the DN or SAN already present in the cert (not reccomended)
    2. SSL firewalls or stunnel can also proxy the SSL connections. MC connects to the unsecured side of the tunnel and the SSL layer is handled on the other side.
    3. Commercial extensions
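    Review bot: the added URL ends in "/_" before the closing parenthesis, which looks like a stray character and may break the link. Check that it resolves, and drop the underscore if it is not part of the address.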
  14. @jonbartels jonbartels revised this gist Nov 13, 2019. 1 changed file with 2 additions and 1 deletion.
    3 changes: 2 additions & 1 deletion Managing SSL Connections in MC.md
    @@ -1,9 +1,10 @@
    Mirth Connect is awesome! One common question on the forums and Slack is how to manage SSL connctions. These questions mainly focus on HTTPS but also include TCP connections.

    The quick rundown is:
    1. The built-in MC HTTP connector will do HTTPS if either:
    1. The built-in MC HTTP connector will do HTTPS if:
    - The endpoint has a certificate which is signed by a CA already present in the JVM truststore and has the right DN or SAN for the hostname. This is logically equivalent to the "green check" if you open the URL in a browser.
    - The certificate has been added to the truststore for the JVM that MC is running under
    - Changes to DNS or host files allow a hostname to match the DN or SAN already present in the cert (not reccomended)
    2. SSL firewalls or stunnel can also proxy the SSL connections. MC connects to the unsecured side of the tunnel and the SSL layer is handled on the other side.
    3. Commercial extensions
    - Mirth has a commercial SSL extension - https://www.nextgen.com/products-and-services/integration-engine
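    Review bot: dropping "either" leaves "will do HTTPS if:" followed by three bullets with nothing to say they are alternatives rather than joint requirements; "if any of the following holds:" would be unambiguous. The new bullet marks the DNS and hosts-file approach "(not reccomended)" without a reason; fix the spelling and add one, for example that it makes certificate validation depend on local name resolution.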
  15. @jonbartels jonbartels revised this gist Nov 13, 2019. 1 changed file with 7 additions and 2 deletions.
    9 changes: 7 additions & 2 deletions Managing SSL Connections in MC.md
    @@ -2,10 +2,15 @@ Mirth Connect is awesome! One common question on the forums and Slack is how to

    The quick rundown is:
    1. The built-in MC HTTP connector will do HTTPS if either:
    - The endpoint has a certificate which is signed by a CA already present in the JVM truststore and has the right DN or SAN for the hostname
    - The endpoint has a certificate which is signed by a CA already present in the JVM truststore and has the right DN or SAN for the hostname. This is logically equivalent to the "green check" if you open the URL in a browser.
    - The certificate has been added to the truststore for the JVM that MC is running under
    2. SSL firewalls or stunnel can also proxy the SSL connections. MC connects to the unsecured side of the tunnel and the SSL layer is handled on the other side.
    3. Commercial extensions
    - Mirth has a commercial SSL extension - https://www.nextgen.com/products-and-services/integration-engine
    - Zen Healthcare IT has a competing SSL offering at - https://consultzen.com/zen-ssl-extension/
    4. Channel code - You can use tools like Apache HTTP Commons in MC and use that code to deal with SSL
    4. Channel code - You can use tools like Apache HTTP Commons in MC and use that code to deal with SSL

    The main consideration between these options are:
    - Who is expected to manage the connections? Interface engineers benefit from options 3 and 4. Network and DevOps are well positioned for 1 and 2.
    - When will certs expire and what are the corporate policies about cert management? Most certificates are good for 1 to 3 years, that means that updates are required as the certificates expire. What option is easies for your organization to a) detect this expiration and b) update certificates BEFORE they expire as routine maintenance?
    - What other software in your environment uses SSL and how is that managed?
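    Review bot: the expiry bullet asks how the organization will "detect this expiration" but gives the reader no starting point. Name what to watch, such as the notAfter date of every endpoint certificate and truststore entry, and who owns the renewal. "easies" should be "easiest", and "good for 1 to 3 years, that means" is a comma splice.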
  16. @jonbartels jonbartels created this gist Nov 13, 2019.
    11 changes: 11 additions & 0 deletions Managing SSL Connections in MC.md
    @@ -0,0 +1,11 @@
    Mirth Connect is awesome! One common question on the forums and Slack is how to manage SSL connctions. These questions mainly focus on HTTPS but also include TCP connections.

    The quick rundown is:
    1. The built-in MC HTTP connector will do HTTPS if either:
    - The endpoint has a certificate which is signed by a CA already present in the JVM truststore and has the right DN or SAN for the hostname
    - The certificate has been added to the truststore for the JVM that MC is running under
    2. SSL firewalls or stunnel can also proxy the SSL connections. MC connects to the unsecured side of the tunnel and the SSL layer is handled on the other side.
    3. Commercial extensions
    - Mirth has a commercial SSL extension - https://www.nextgen.com/products-and-services/integration-engine
    - Zen Healthcare IT has a competing SSL offering at - https://consultzen.com/zen-ssl-extension/
    4. Channel code - You can use tools like Apache HTTP Commons in MC and use that code to deal with SSL
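    Review bot: the second bullet, "The certificate has been added to the truststore", does not say which certificate. Importing the issuing CA keeps working across renewals as long as the same CA issues the replacement, while importing the server's own certificate has to be repeated each time it is reissued, so state which is meant. "connctions" in the opening sentence is misspelled.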