- This topic has 13 replies, 6 voices, and was last updated 6 years, 6 months ago by David Barr.
May 6, 2016 at 6:05 pm #55072, Todd Horst (Participant)
Increasingly our security department wants to encrypt internal network traffic. This could look like a secure connection similar to http vs https, or it could be encrypted payload, or both. Has anyone heard of this, or done this? What are you guy doing/planning?
May 6, 2016 at 9:15 pm #83987, Jim Kosloskey (Participant)
Well, will your sending and receiving systems support secure protocols (like TCP/IP over SSL)?
Cloverleaf will, but if the trading partners don’t, then ???
As for encrypted payload, you can do that with Tcl (I have played around with it), but once again, what about the systems you are receiving from and sending to: can they encrypt/decrypt?
email: jim.kosloskey@jim-kosloskey.com 29+ years Cloverleaf, 59 years IT - old fart.
-
May 10, 2016 at 1:06 pm #83988, Todd Horst (Participant)
Right, both sides would need to be speaking the same language.
I was trying to put feelers out to see what language that was, and whether anyone else was doing anything like it today.
How do you set Cloverleaf to use an SSL channel?
-
May 10, 2016 at 1:14 pm #83989, Jim Kosloskey (Participant)
You would need the add-on for SSL; then there are configuration settings on the appropriate protocols. The add-on has a fee, but if the security folks are serious they need to understand there are costs associated with their directives which they need to consider.
I think there are also some Tcl packages which you could use if you wanted to do it all in Tcl. No fee, I think, but there are the development and maintenance costs to consider. They might be as high in the long run as the SSL add-on.
As for encryption, Tcl has some built-in support for most of the popular encryption algorithms.
What release of Cloverleaf?
-
May 10, 2016 at 1:16 pm #83990, Jim Kosloskey (Participant)
Oh, and SSL can be associated with TCP/IP, FTP, and HTTPS, so if your trading partners are already using one of those base protocols there is no need to change; just add SSL.
-
May 10, 2016 at 1:19 pm #83991, Todd Horst (Participant)
We are on 6.1.2 and I think we have the SSL package license. That’s not a separate install, is it? We also have the web services, which is a separate install.
-
May 10, 2016 at 1:35 pm #83992, Jim Kosloskey (Participant)
I don’t recall, but I don’t think it is a separate install.
You can tell if it is active by configuring a couple of threads (one client, one server) and seeing if they connect. If you get an error, the SSL add-on is not activated.
You can configure without the add-on but not execute, as I recall.
As I said, I have played around with it, but we don’t use any SSL inside Cloverleaf routinely for a number of reasons that have nothing to do with the capabilities of Cloverleaf.
-
July 20, 2016 at 6:42 pm #83993, Aaron Kaufman-Moore (Participant)
We are starting to get the same thing at my organization, so I’m also in search of a solution.
For those who might be more familiar, what about the use of IPSEC rules in windows firewall for securing the communication between Cloverleaf and 3rd party systems. If I were to utilize a certificate generated from our own CA, would Cloverleaf be able to use it to negotiate with a Windows server firewall rule that requires a Computer Certificate as the authentication method?
-
July 20, 2016 at 9:37 pm #83994, David Barr (Participant)
We use IPSEC for a lot of interfaces, but it’s normally not handled in Cloverleaf. Our network team sets up the tunnel connection to a remote site and gives us an IP address to connect to their server (which may be a NAT address). Then we can put that address in Cloverleaf and treat it like it is a server on our local network. Connections can work in the other direction as well, with Cloverleaf as the listener. IPSEC passwords and certs would be put in our firewall, not in the Cloverleaf config.
-
September 22, 2016 at 10:24 pm #83995, David Barr (Participant)
Has anyone else made progress encrypting HL7 traffic into/out of Cloverleaf? This is being brought up again at our organization. I was thinking that Cloverleaf Secure Courier might be another option, but in this case we’d need it to secure traffic on our own network. OpenVPN or Stunnel seem like other usable options. Is there anyone that has converted a bunch of unencrypted interfaces at once?
-
September 23, 2016 at 4:01 am #83996, Rob Lindsey (Participant)
At another company I worked for 15+ years ago, we got it to work on CL 3.x; we encrypted the data just before it was written out to the protocol. We used the Blowfish algorithm back then. We were just testing it, and it worked internally at that company in the test work with a single test interface. So I know it can be done.
It takes a lot of coordination between groups to get it going, especially with the ACKs etc.
-
September 23, 2016 at 3:35 pm #83997, David Barr (Participant)
Rob Lindsey wrote:
> It takes a lot of coordination between groups to get it going, especially with the ACKs etc.
Yeah, that’s the problem. Turning on encryption on a thread isn’t very hard, but if you’re trying to connect to a system supported by a vendor, most of them aren’t very flexible turning on encryption because it’s not normally part of a standard HL7 interface, and there’s no uniform solution.
-
March 15, 2018 at 5:59 pm #83998, Bob Schmid (Participant)
Is there a PGP Tcl package? I assume I will need PGP/GnuPG installed as well.
Looking for a site to download a PGP Tcl package (if such a package exists).
Thanks folks!
-
March 16, 2018 at 7:45 pm #83999, David Barr (Participant)
I don’t think so, but it’s pretty easy to call gpg in a Tcl script and read in the output, msgset to put it in a message, etc.
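As an added illustration of the approach David describes (example code written for this page, not a proc from the thread or from Cloverleaf itself): a Cloverleaf tps proc that pipes each outbound message body through gpg and replaces the content with the ASCII-armored ciphertext. The recipient key ID is a placeholder, and gpg being on the engine account's PATH with the partner key already imported are assumptions.

```tcl
# Added example: Cloverleaf tps proc that encrypts the message body with gpg.
# Place it on the outbound thread's TPS stack; the partner runs the reverse
# (gpg --decrypt) before handing the HL7 to their application.
proc tps_gpg_encrypt { args } {
    keylget args MODE mode
    set dispList {}
    switch -exact -- $mode {
        start {
            # Nothing to initialise; gpg is invoked once per message.
        }
        run {
            keylget args MSGID mh
            # Assumption (placeholder): the partner's public key is already in
            # the keyring of the account that runs the Cloverleaf engine.
            set recipient "interface-partner@example.org"
            set plaintext [msgget $mh]
            # --batch/--yes prevent any interactive prompt inside the engine.
            # The payload goes in on stdin (<<) and the ciphertext comes back
            # on stdout (--output -), so no plaintext is written to disk.
            # 2>@stderr keeps gpg's warnings from making exec raise an error
            # on an otherwise successful run.
            if { [catch {
                    exec gpg --batch --yes --quiet --armor \
                        --recipient $recipient --encrypt --output - \
                        2>@stderr << $plaintext
                 } ciphertext] } {
                # Encryption failed: never forward the plaintext. Log and
                # send the message to the error database instead.
                echo "tps_gpg_encrypt: gpg failed: $ciphertext"
                lappend dispList "ERROR $mh"
            } else {
                msgset $mh $ciphertext
                lappend dispList "CONTINUE $mh"
            }
        }
        time {
        }
        shutdown {
        }
        default {
            error "Unknown mode '$mode' in tps_gpg_encrypt"
        }
    }
    return $dispList
}
```

Because gpg only encrypts to keys it trusts, the partner key's fingerprint should be verified and signed in the engine account's keyring rather than bypassed with --trust-model always; note also that the ACK coming back must be decrypted by a matching proc on the inbound side, which is the coordination problem raised earlier in the thread.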