The SSL/TLS Configurations Page

Transport Layer Security (TLS) provides strong protection for communication between pairs of entities. It allows you to perform authentication, data integrity protection, and data encryption. TLS is the successor to the secure sockets layer (SSL).

The SSL/TLS Configurations page allows you to see all of the SSL/TLS Configurations you have created, whether they are enabled or not, and the type of each connection (Client or Server).

Tip:

You can sort the table of configurations by clicking the Name, Description, Enabled, or Type headers, or enter text in the Search box to filter the list. The table will paginate automatically when it becomes long.

You can also use the SSL/TLS Configurations page to create, edit, delete, and test configurations, as described in the sections that follow.

Create an SSL/TLS Configuration

To create a new SSL/TLS Configuration:

  1. On the SSL/TLS Configurations page, under Create SSL/TLS Configuration, type the desired name of your SSL/TLS Configuration.

    Only alphanumeric characters are allowed. No spaces or special characters.

  2. Type an optional Description.

  3. If desired, check Enabled to enable the configuration after creating it.

    You can enable or disable it later by editing the configuration.

  4. Choose a Type for the configuration.

    Client means that this configuration is used when Health Connect Cloud initiates a connection to another system, for example, in an outbound TCP adapter in a production’s business operation.

    Server means that this configuration is used when another system initiates a connection to Health Connect Cloud, for example, in an inbound TCP adapter in a production’s business service.

  5. Choose the desired Certificate Verification for this configuration.

    If this is a Client configuration:

    • None means that the server does not need to provide a certificate and the client performs no verification.

    • Required means that the server must provide a certificate and the client verifies the certificate with the Certificate Authority that issued the certificate.

    If this is a Server configuration:

    • None means that the server neither requires nor requests a certificate from the client.

    • Request means that the client may or may not provide a certificate and the server verifies the certificate only if provided.

    • Required means that the client must provide a certificate and the server verifies the certificate with the Certificate Authority that issued the certificate.

  6. Upload the file containing the trusted Certificate Authority certificate(s).

    This file contains the X.509 certificate(s) in PEM format of the Certificate Authority (CA) or Certificate Authorities that this configuration trusts. The configuration uses the certificates of the trusted CA(s) to verify peer certificates. Typically, a production system uses certificates from commercial CAs with publicly available certificates.

    This field does not appear if certificate verification is not needed for this configuration.

  7. Upload the file containing the configuration certificate.

    This is the configuration’s own X.509 certificate(s) in PEM format, if required.

  8. Upload the file containing the associated private key.

    This is the configuration’s private key file.

    If a configuration certificate is provided, a private key is required.

  9. Select the Private Key Type.

    This is the algorithm used to generate the private key, where valid options are DSA (Digital Signature Algorithm) and RSA (Rivest, Shamir, and Adleman).

  10. Type the Private Key Password.

    If the private key is password-protected and you do not enter a value here, Health Connect Cloud cannot confirm that the private key and the certificate’s public key match each other.

  11. Select the Minimum Protocol Version supported by this configuration.

    This is the earliest version of the TLS protocol that this configuration supports.

  12. Select the Maximum Protocol Version supported by this configuration.

    This is the latest version of the TLS protocol that this configuration supports.

  13. If desired, edit the Enabled Cipherlist.

    The default set of cipher suites is:

    • ALL — Includes all cipher suites except the eNULL ciphers

    • !aNULL — Excludes ciphers that do not offer authentication

    • !eNULL — Excludes ciphers that do not offer encryption

    • !EXP — Excludes export-approved algorithms (both 40- and 56-bit)

    • !SSLv2 — Excludes SSL v2.0 cipher suites

  14. For Server configurations only, select the size of the Diffie-Hellman key (if one is used).

  15. For Server configurations only, optionally enable and configure OCSP Stapling.

    OCSP (Online Certificate Status Protocol) is an internet protocol that checks the validity status of a certificate in real time.

  16. Click Create Configuration.
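The form fields above map closely onto the settings of a TLS context in any OpenSSL-based stack. The following added example, which is not Health Connect Cloud code, models each field (Type, Certificate Verification, trusted CA file, configuration certificate and private key, Minimum/Maximum Protocol Version, Enabled Cipherlist, Diffie-Hellman parameters) using Python's standard `ssl` module, so you can inspect offline what a given choice does, for instance which suites the default cipherlist actually removes. The function names, the `TLS_VERSIONS` table, and the use of a parameters file in place of a DH key size are assumptions of this example.

```python
"""Local model of the SSL/TLS Configuration fields using Python's ssl module.

Added example (not Health Connect Cloud code): each field of the Create
SSL/TLS Configuration form is mapped onto an ssl.SSLContext setting so the
effect of a choice, such as the default cipherlist, can be inspected offline.
Field names and choices follow the page; the functions and the TLS_VERSIONS
table are assumptions of this example.
"""
import ssl

# Default Enabled Cipherlist from the page, in OpenSSL cipher-string syntax.
DEFAULT_CIPHERLIST = "ALL:!aNULL:!eNULL:!EXP:!SSLv2"

# Minimum/Maximum Protocol Version choices mapped to ssl.TLSVersion (assumed labels).
TLS_VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

# Certificate Verification choices offered for each configuration Type.
VERIFICATION_CHOICES = {
    "Client": ("None", "Required"),
    "Server": ("None", "Request", "Required"),
}


def verify_mode_for(config_type, verification):
    """Translate the Certificate Verification choice into an ssl.CERT_* value."""
    if config_type not in VERIFICATION_CHOICES:
        raise ValueError(f"unknown configuration type {config_type!r}")
    if verification not in VERIFICATION_CHOICES[config_type]:
        raise ValueError(f"{verification!r} is not valid for a {config_type} configuration")
    return {"None": ssl.CERT_NONE,
            "Request": ssl.CERT_OPTIONAL,      # verify only if the peer sends one
            "Required": ssl.CERT_REQUIRED}[verification]


def requires_ca_file(config_type, verification):
    """The trusted-CA file is only needed when peer certificates are verified."""
    return verify_mode_for(config_type, verification) != ssl.CERT_NONE


def build_context(config_type, verification, ca_file=None, cert_file=None,
                  key_file=None, key_password=None, min_version="TLSv1.2",
                  max_version="TLSv1.3", cipherlist=DEFAULT_CIPHERLIST,
                  dh_params_file=None):
    """Build an SSLContext that mirrors one SSL/TLS Configuration."""
    is_client = config_type == "Client"
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT if is_client else ssl.PROTOCOL_TLS_SERVER)

    mode = verify_mode_for(config_type, verification)
    ctx.check_hostname = False          # must be off before verify_mode may be CERT_NONE
    ctx.verify_mode = mode
    if is_client and mode == ssl.CERT_REQUIRED:
        ctx.check_hostname = True       # a verified server cert must also match the hostname

    if mode != ssl.CERT_NONE:
        if ca_file is None:
            raise ValueError("a trusted CA certificate file is required for this verification setting")
        ctx.load_verify_locations(cafile=ca_file)   # PEM bundle of the trusted CA(s)

    if cert_file is not None:
        if key_file is None:
            raise ValueError("a private key is required when a configuration certificate is provided")
        # OpenSSL checks here that the key matches the certificate's public key;
        # a password-protected key cannot be checked without its password.
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file, password=key_password)

    lo, hi = TLS_VERSIONS[min_version], TLS_VERSIONS[max_version]
    if lo > hi:
        raise ValueError("minimum protocol version is later than maximum")
    ctx.minimum_version, ctx.maximum_version = lo, hi

    # Applies to TLS 1.2 and earlier suites; OpenSSL configures TLS 1.3 suites separately.
    ctx.set_ciphers(cipherlist)

    if dh_params_file is not None and not is_client:
        # The page offers a DH key size; the ssl module instead loads pre-generated parameters.
        ctx.load_dh_params(dh_params_file)
    return ctx


def anonymous_ciphers(ctx):
    """Names of enabled suites with no peer authentication (what !aNULL removes)."""
    return [c["name"] for c in ctx.get_ciphers() if c.get("auth") == "auth-null"]


def describe(ctx):
    """Plain-value summary of the settings a configuration controls."""
    return {
        "verify_mode": int(ctx.verify_mode),
        "check_hostname": ctx.check_hostname,
        "min_version": ctx.minimum_version.name,
        "max_version": ctx.maximum_version.name,
        "cipher_count": len(ctx.get_ciphers()),
        "anonymous": anonymous_ciphers(ctx),
    }


if __name__ == "__main__":
    hardened = build_context("Client", "None")                    # page default cipherlist
    permissive = build_context("Client", "None", cipherlist="ALL")  # ALL without the exclusions
    print("default cipherlist:", describe(hardened))
    print("ALL only, anonymous suites:", anonymous_ciphers(permissive))
```

Running the block compares the page's default cipherlist with a bare `ALL`: the anonymous (aNULL) suites, which authenticate nobody and so leave a connection open to an active man-in-the-middle, appear only in the permissive list. The `ValueError` paths reproduce the form's own rules (a CA file is needed as soon as verification is not None; a certificate needs its key; the minimum version cannot exceed the maximum).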

For more information on the fields on this page, see About Configurations.

After you create a configuration, it shows up in the SSL/TLS Configurations list at the top of the page.

Edit an SSL/TLS Configuration

To edit an SSL/TLS Configuration:

  1. On the SSL/TLS Configurations page, click the Edit Configuration icon in the Actions column for that SSL/TLS Configuration.

  2. In the dialog box, edit any of the fields, and click Submit.

See Create an SSL/TLS Configuration for information on each field.

Delete an SSL/TLS Configuration

To delete an SSL/TLS Configuration:

  1. On the SSL/TLS Configurations page, click the Delete Configuration icon in the Actions column for that SSL/TLS Configuration.

  2. In the Delete Configuration dialog box, type Permanently Delete, and click Delete.

The configuration is removed from the SSL/TLS Configurations list at the top of the page.

Test an SSL/TLS Configuration

To test an SSL/TLS Configuration (client configurations only):

  1. On the SSL/TLS Configurations page, click the Test Connection icon in the Actions column for that SSL/TLS Configuration.

  2. In the SSL/TLS Connection Test dialog box, type a Hostname (not its URL) and a Port.

  3. Click Test Connection.

    The dialog box is updated with information saying whether the connection test succeeded or failed. If the test succeeded, additional details of the connection are provided, such as the protocol and ciphersuite that were used.
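The connection test reports the same facts that a hand-written probe would: whether the handshake completed and, if it did, the negotiated protocol version and cipher suite. The following added example, which is not Health Connect Cloud code, performs that check from the command line with Python's `ssl` module using a client context that verifies the server certificate against the system trust store; the hostname in the usage line is a placeholder. It also shows the failure case, since a refused connection, a name that does not resolve, or a certificate the context does not trust all surface as a failed test with the reason attached.

```python
"""Command-line version of the Test Connection action for a Client configuration.

Added example, not Health Connect Cloud code: it opens a TLS connection to a
hostname and port using a client SSLContext and reports whether the handshake
succeeded and, if so, the negotiated protocol and cipher suite. The hostname
used in the usage line at the bottom is a placeholder.
"""
import socket
import ssl
import sys


def probe_tls(hostname, port, ctx=None, timeout=5.0):
    """Return a dict describing the outcome of one TLS connection attempt."""
    if ctx is None:
        # Verifies the server certificate against the system trust store and checks the hostname.
        ctx = ssl.create_default_context()
    result = {"hostname": hostname, "port": port, "ok": False}
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            # server_hostname supplies SNI and, when check_hostname is on, the name to verify.
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                name, _proto, bits = tls.cipher()
                result.update(ok=True, protocol=tls.version(), cipher=name, cipher_bits=bits)
                cert = tls.getpeercert()           # empty unless the peer cert was verified
                if cert:
                    result["peer_subject"] = dict(pair for rdn in cert["subject"] for pair in rdn)
                    result["not_after"] = cert["notAfter"]
    except OSError as exc:   # covers gaierror, timeout, ConnectionRefusedError and ssl.SSLError
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


def format_result(result):
    """The one-line message the dialog box would show for this outcome."""
    if result["ok"]:
        return (f"Connection test succeeded: {result['protocol']}, "
                f"{result['cipher']} ({result['cipher_bits']} bits)")
    return f"Connection test failed: {result['error']}"


if __name__ == "__main__":
    # Usage: python probe.py <hostname> <port>   (hostname only, not a URL)
    host = sys.argv[1] if len(sys.argv) > 1 else "example.invalid"   # placeholder
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(format_result(probe_tls(host, port)))
```

Pass a hostname rather than a URL, as the dialog requires; the name is also what the context checks the server certificate against. To reproduce a specific SSL/TLS Configuration rather than the system defaults, pass your own `SSLContext` as `ctx`.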