mTLS 1.2 Security


  • #119094
    Jeff Anderson
    Participant

      I have a client that wants to use web services and be mTLS 1.2. I think that means putting in a certificate, truststore and keystore in the webservice settings. But exactly how to go about this is a mystery, and how do I know I’m mTLS 1.2? I know I can change the “Secure Socket Protocol” to TLSv1.2, but what do I have to do to make that work correctly? Documentation/training for this is pretty scant, especially when more vendors are requiring this. Anyone know how to do this? I see a lot of threads asking about it, but little feedback on how to do it.

      • #119100
        Tipu Razaq
        Participant

          The webservices info that Cloverleaf provides says to use a GUI program called Portecle to manage your trust/key stores. You can generate certs/cert requests, create key/trust stores, export/import keys, etc. You can also do this solely via the command line, but it’s def not as easy.

          After you set up your stores/certs, then you point the webservices thread configuration to the appropriate trust/key store locations on the server as needed. Provide the type of store and password also.

          This may not be all that’s needed, but it’s where I’d start to look.

          You can download Portecle if it’s not already installed. On a linux box you can use MobaXterm to execute (command line) Portecle so it can bring up the GUI.

          java -jar <path to portecle.jar>

          I think if the above is correct the mTLS should work since it has to do with exchanging the proper certs of both parties.

        • #120388
          GEORGIA KELLEY
          Participant

            We have a vendor using some type of zero trust architecture through mutual TLS (mTLS 1.2) authentication for HL7 traffic. Anyone know how to do this?

          • #121623
            Mike Grieger
            Participant

              I will give an example based on what we have done for one partner who wanted/required mTLS config. A couple of additional notes are that (1) we both agreed we could work with self-signed certs for this, as there was also another layer of security (VPN) involved; and (2) I did not use trust/key stores, though I may revisit in the future if this becomes more widespread – so far it was the only such one-off request, done ~3 years ago.

              1. Partner provided me their public certificate
              2. I used openssl to generate a Private key / Public cert pair, and provided our public cert to client
              3. Note that the certs must be in PEM format… so if viewing the files, they should contain readable ‘-----BEGIN CERTIFICATE-----’ … ‘-----END CERTIFICATE-----’
              4. For configuration where we are the server, partner is the client:

              Mode = ServerAuth
              CA Path – the directory path to where the partner's public cert resides
              CA File – the file name of the partner's public cert
              Certificate File: path/file name of our public cert
              Private Key: path/file name of our private key
              Password: private key password

              5. For configuration where partner is the server, we are the client:

              Mode = ClientAuth

              All other entries are the same as the above.

              We have a 2-server test environment, so it was easy enough to set up a sandbox to trial-and-error test the configurations.

              Hope this is of help.
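Added example, not code from this thread, from Cloverleaf or from Portecle: it walks steps 2 to 4 of the post above (openssl-generated PEM key/cert pairs, our cert plus private key on the ServerAuth side, the partner's public cert as the CA file) with Python's ssl module on loopback, and answers the original "how do I know I'm mTLS 1.2?" question by reading back the negotiated version and the verified client certificate. It assumes the `openssl` binary is on PATH; the hostnames, file names and the HL7-looking bytes are constructed for the demo. The second handshake, where the client presents no certificate, shows what a correctly configured ServerAuth endpoint must do: refuse the connection.

```python
"""Mutual TLS 1.2 on loopback: generate PEM key/cert pairs with openssl, then
verify that (a) both sides negotiate TLSv1.2 and the server sees the partner's
certificate, and (b) a client without a certificate is refused."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading


def make_self_signed(dirpath, name, cn):
    """Step 2: an openssl-generated private key / public cert pair in PEM format."""
    key = os.path.join(dirpath, f"{name}.key.pem")
    cert = os.path.join(dirpath, f"{name}.cert.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", cert, "-days", "30",
         "-subj", f"/CN={cn}", "-addext", f"subjectAltName=DNS:{cn}"],
        check=True, capture_output=True)
    return key, cert


def looks_like_pem_cert(path):
    """Step 3: a PEM cert carries readable BEGIN/END CERTIFICATE lines."""
    with open(path) as fh:
        text = fh.read()
    return "-----BEGIN CERTIFICATE-----" in text and "-----END CERTIFICATE-----" in text


def server_context(our_cert, our_key, partner_cert):
    """ServerAuth side: present our cert, require and verify the partner's."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # pin the version so the
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2   # answer is unambiguously 1.2
    ctx.load_cert_chain(our_cert, our_key)          # Certificate File / Private Key
    ctx.load_verify_locations(cafile=partner_cert)  # CA File = partner's public cert
    ctx.verify_mode = ssl.CERT_REQUIRED             # no client cert -> handshake fails
    return ctx


def client_context(server_cert_to_trust, client_cert=None, client_key=None):
    """ClientAuth side: trust only that server cert; optionally present our own."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # hostname check + CERT_REQUIRED by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_verify_locations(cafile=server_cert_to_trust)
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def run_handshake(srv_ctx, cli_ctx, server_name):
    """One connection over 127.0.0.1; returns what each side observed."""
    seen = {}
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(5)
    port = listener.getsockname()[1]

    def serve():
        raw = None
        try:
            raw, _ = listener.accept()
            raw.settimeout(5)
            with srv_ctx.wrap_socket(raw, server_side=True) as tls:
                seen["server_version"] = tls.version()
                subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
                seen["client_cn"] = subject.get("commonName")
                tls.sendall(b"MSH|^~\\&|SENDER|RECEIVER|")  # constructed HL7-ish bytes
        except OSError as exc:                  # ssl.SSLError is an OSError
            seen["server_error"] = str(exc)
        finally:
            if raw is not None:
                raw.close()

    worker = threading.Thread(target=serve)
    worker.start()
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with cli_ctx.wrap_socket(raw, server_hostname=server_name) as tls:
                seen["client_version"] = tls.version()
                seen["received"] = tls.recv(64)
    except OSError as exc:
        seen["client_error"] = str(exc)
    worker.join(5)
    listener.close()
    return seen


def demo():
    """Step 4 layout: we are the server, the partner is the client. First with the
    partner's cert (must succeed on TLSv1.2), then without any client cert (refused)."""
    with tempfile.TemporaryDirectory() as d:
        our_key, our_cert = make_self_signed(d, "ours", "our-cloverleaf.example")
        partner_key, partner_cert = make_self_signed(d, "partner", "partner.example")
        assert looks_like_pem_cert(our_cert) and looks_like_pem_cert(partner_cert)
        good = run_handshake(server_context(our_cert, our_key, partner_cert),
                             client_context(our_cert, partner_cert, partner_key),
                             "our-cloverleaf.example")
        no_cert = run_handshake(server_context(our_cert, our_key, partner_cert),
                                client_context(our_cert),
                                "our-cloverleaf.example")
        return good, no_cert


if __name__ == "__main__":
    ok, refused = demo()
    print("with partner cert:", ok)
    print("without client cert:", refused)
```

Pinning both minimum and maximum version to TLSv1_2 on the server is what makes the check deterministic: with TLS 1.3 left enabled, a missing client certificate is only detected after the handshake, on the first read, which is easy to misread as a connection problem rather than a configuration one. The client side keeps hostname checking on, so the server cert needs a subjectAltName matching the name the partner connects to; that is why the openssl call adds one.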
