Has anyone heard of this, or done this? What are you guys doing/planning?
Well, will your sending and receiving systems support secure protocols (like TCP/IP over SSL)?
Cloverleaf will but if the trading partners don’t then ???
As for encrypted payload, you can do that with Tcl (I have played around with it), but once again, what about the systems you are receiving from and sending to: can they encrypt/decrypt?
email: jim.kosloskey@jim-kosloskey.com 29+ years Cloverleaf, 59 years IT - old fart.
Right, both sides would need to be speaking the same language.
I was trying to put feelers out to see what language that was… if anyone else was doing anything like it today.
How do you set Cloverleaf to use an SSL channel?
You would need the add-on for SSL; then there are configuration settings on the appropriate protocols. The add-on has a fee, but if the security folks are serious they need to understand there are costs associated with their directives which they need to consider.
I think there are also some Tcl packages which you could use if you wanted to do it all in Tcl. No fee, I think, but there are the development and maintenance costs to consider. They might be as high in the long run as the SSL add-on.
As for encryption, Tcl has some built-in support for most of the popular encryption algorithms.
What release of Cloverleaf?
email: jim.kosloskey@jim-kosloskey.com 29+ years Cloverleaf, 59 years IT - old fart.
Oh, and SSL can be associated with TCP/IP, FTP, and HTTPS, so if your trading partners are already using one of those base protocols there is no need to change; just add SSL.
email: jim.kosloskey@jim-kosloskey.com 29+ years Cloverleaf, 59 years IT - old fart.
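The "do it all in Tcl" route mentioned above, as an added example that is not code from this thread or from Cloverleaf: a stand-alone script using the open-source Tcl `tls` extension that stands up a TLS-wrapped TCP listener and a client with mutual certificate authentication, and reports the negotiated cipher. The certificate, key and CA file paths, host and port are assumed placeholders; the probe line is a constructed HL7 MSH segment.

```tcl
# Added example (not from the thread or from Cloverleaf): verify that a
# TLS-wrapped TCP listener and client can complete a mutually authenticated
# handshake, using the open-source Tcl "tls" extension.
# Run once as the server and once as the client:
#   tclsh tls_check.tcl server
#   tclsh tls_check.tcl client
package require tls

set certFile "/path/to/own.pem"    ;# assumption: this side's PEM certificate
set keyFile  "/path/to/own.key"    ;# assumption: matching private key
set caFile   "/path/to/ca.pem"     ;# assumption: CA that issued the peer's cert
set host     "localhost"           ;# assumption
set port     6000                  ;# assumption

# Options shared by both sides: present our certificate, ask the peer for
# its certificate, and reject the session if it is missing or not signed
# by our CA (-require 1 makes that fatal rather than a warning).
set tlsOpts [list -certfile $certFile -keyfile $keyFile -cafile $caFile \
                  -request 1 -require 1]

proc report {chan who} {
    # tls::status returns a key/value list describing the negotiated session
    array set st [tls::status $chan]
    puts "$who: peer subject=$st(subject) cipher=$st(cipher) bits=$st(sbits)"
}

proc accept {chan addr peerPort} {
    fconfigure $chan -blocking 1 -buffering line
    # Force the handshake now so a bad client cert fails here, not on first read
    if {[catch {tls::handshake $chan} err]} {
        puts stderr "server: handshake from $addr failed: $err"
        close $chan
        return
    }
    report $chan server
    # Echo one line back to the client, then close
    if {[gets $chan line] >= 0} { puts $chan $line }
    close $chan
}

proc runServer {} {
    global tlsOpts port
    tls::socket {*}$tlsOpts -server accept $port
    puts "server: listening on $port"
    vwait forever   ;# enter the event loop; Ctrl-C to stop
}

proc runClient {} {
    global tlsOpts host port
    if {[catch {tls::socket {*}$tlsOpts $host $port} chan]} {
        puts stderr "client: connect failed: $chan"
        exit 1
    }
    fconfigure $chan -blocking 1 -buffering line
    tls::handshake $chan
    report $chan client
    # Constructed probe: a minimal HL7 MSH segment, not real patient data
    set probe "MSH|^~\\&|TEST|TEST|||20240101000000||ADT^A01|1|P|2.5"
    puts $chan $probe
    set reply [gets $chan]
    close $chan
    if {$reply eq $probe} {
        puts "client: TLS round trip OK"
    } else {
        puts stderr "client: reply mismatch"
        exit 1
    }
}

switch -exact -- [lindex $argv 0] {
    server  { runServer }
    client  { runClient }
    default { puts stderr "usage: tclsh tls_check.tcl server|client"; exit 2 }
}
```

The point of `-require 1` on both sides is that a plain (non-TLS) client, or one presenting a certificate your CA did not issue, fails at the handshake and is logged before any HL7 data is exchanged; running the client against a listener without a certificate reproduces exactly the "does it connect or error" check described later in this thread for the SSL add-on.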
We are on 6.1.2 and I think we have the SSL package license. That's not a separate install, is it? We also have the web services… which is a separate install.
I don't recall, but I don't think it is a separate install.
You can tell if it is active by configuring a couple of threads (one client, one server) and seeing if they connect. If you get an error, the SSL add-on is not activated.
You can configure without the add-on but not execute as I recall.
As I said, I have played around with it, but we don't use any SSL inside Cloverleaf routinely for a number of reasons that have nothing to do with the capabilities of Cloverleaf.
email: jim.kosloskey@jim-kosloskey.com 29+ years Cloverleaf, 59 years IT - old fart.
We are starting to get the same thing at my organization, so I’m also in search of a solution.
For those who might be more familiar, what about the use of IPSEC rules in Windows Firewall for securing the communication between Cloverleaf and third-party systems? If I were to utilize a certificate generated from our own CA, would Cloverleaf be able to use it to negotiate with a Windows server firewall rule that requires a Computer Certificate as the authentication method?
We use IPSEC for a lot of interfaces, but it's normally not handled in Cloverleaf. Our network team sets up the tunnel connection to a remote site and gives us an IP address to connect to their server (which may be a NAT address). Then we can put that address in Cloverleaf and treat it like it is a server on our local network. Connections can work in the other direction as well, with Cloverleaf as the listener. IPSEC passwords and certs would be put in our firewall, not in the Cloverleaf config.
Has anyone else made progress encrypting HL7 traffic into/out of Cloverleaf? This is being brought up again at our organization. I was thinking that Cloverleaf Secure Courier might be another option, but in this case we’d need it to secure traffic on our own network. OpenVPN or Stunnel seem like other usable options. Is there anyone that has converted a bunch of unencrypted interfaces at once?
At another company I worked for 15+ years ago, we got it to work on CL 3.x: we encrypted the data just before it was written out the protocol. We used the Blowfish algorithm back then. We were just testing it, and it worked internally at that company in the test work with a single test interface. So I know it can be done.
It takes a lot of coordination between groups to get it going, especially with the ACKs etc.
Yeah, that's the problem. Turning on encryption on a thread isn't very hard, but if you're trying to connect to a system supported by a vendor, most of them aren't very flexible about turning on encryption because it's not normally part of a standard HL7 interface, and there's no uniform solution.
Is there a PGP Tcl package? I assume I will need PGP/GnuPG installed as well.
Looking for a site to download a PGP Tcl package (if such a package exists).
Thanks folks!
I don't think so, but it's pretty easy to call gpg in a Tcl script and read in the output, msgset to put it in a message, etc.
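The "call gpg from a Tcl script and msgset the output" approach from the reply above, as an added example that is not code from this thread or from Cloverleaf: a Cloverleaf TPS proc in the standard start/run/time/shutdown shape that pipes each outbound message through the `gpg` binary and replaces the message body with the ASCII-armoured ciphertext. It assumes `gpg` is on the engine's PATH, the partner's public key is already imported into the engine user's keyring, and the proc is placed on the outbound TPS stack with a user argument like `{RECIPIENT partner@example.org}` (placeholder key id).

```tcl
# Added example, not from the thread or from Cloverleaf's own code.
# Outbound TPS proc: hand the message body to gpg and continue with the
# ciphertext. Assumptions: gpg on PATH, recipient key in the keyring,
# TPS argument {RECIPIENT <key id>} configured on the thread.
proc tps_gpg_encrypt { args } {
    keylget args MODE mode
    set dispList {}
    switch -exact -- $mode {
        start {
            # nothing to initialise
        }
        run {
            keylget args MSGID mh
            keylget args ARGS uargs
            set recipient ""
            keylget uargs RECIPIENT recipient
            if {$recipient eq ""} {
                echo "tps_gpg_encrypt: no RECIPIENT argument, killing message"
                lappend dispList "KILL $mh"
                return $dispList
            }
            set plain [msgget $mh]
            # --batch/--yes/--quiet: never prompt. --trust-model always:
            # skip the web-of-trust check (the key's authenticity is
            # established when it is imported, not per message).
            # Plaintext is fed on stdin and ciphertext read from stdout,
            # so nothing is written to disk in the clear. -ignorestderr
            # lets gpg warnings pass through without aborting the exec;
            # a non-zero exit status still raises.
            if {[catch {
                exec -ignorestderr gpg --batch --yes --quiet --armor \
                    --trust-model always --recipient $recipient \
                    --encrypt << $plain
            } cipher]} {
                echo "tps_gpg_encrypt: gpg failed for $recipient: $cipher"
                lappend dispList "ERROR $mh"   ;# park it in the error database
                return $dispList
            }
            msgset $mh $cipher
            lappend dispList "CONTINUE $mh"
        }
        time {}
        shutdown {}
        default {
            error "Unknown mode '$mode' in tps_gpg_encrypt"
        }
    }
    return $dispList
}
```

Two things follow from the coordination point raised earlier in the thread: the receiving side needs the mirror-image proc (`gpg --decrypt` with the private key available to its engine user) on its inbound stack, and because the ACK comes back over the same connection, the ACK path needs the same treatment or the reply will be unreadable. Routing failures to `ERROR` rather than `KILL` keeps an undeliverable message for inspection instead of silently dropping it.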