Using the Transport Layer Security (TLS)

Transport Layer Security (TLS) is a security protocol that provides privacy and data security when you communicate over the internet. It encrypts data sent in emails, messages, or voice over IP. You can configure HL7 activities to use the TLS protocol so that HL7 data is encrypted in transit.

To set up TLS for HL7 activities, perform the following procedure:

Note: You can use the keytool.bat provided as an example to generate the certificates.

Prerequisites

You must have TIBCO ActiveMatrix BusinessWorks™ 6.6.0 or later.

Procedure

  1. Provide an input file as a request to the starter FilePoller activity.
  2. In the LLPRequestResponse activity, provide host and port of the server (where LLPReceiver is present).
  3. Create an SSLClient resource by using the resource picker.
  4. Create a keystore to provide as input to the SSLClient resource.
  5. Provide a client-side certificate or the jks file, and the certificate password, in the client keystore.
  6. Provide a range of listener ports on the server side for the LLPReceiver activity.
  7. Create an SSLServer resource for LLPReceiver.
  8. Create a keystore to provide to the SSLServer resource.
  9. Provide a server-side certificate or the jks file, and the certificate password, in the server keystore.
  10. To send back the acknowledgment, add an LLPResponse activity on the server side.
  11. To receive the acknowledgment, add an expression condition to the BW transition and specify the name of the request activity in the LLPResponse activity.

Generating Client and Server Side Certificates

To generate the certificates required to configure the client and server resources, perform the following procedure:

Procedure

  1. Create a bat file containing the following commands:
    keytool -genkeypair -alias <server_alias> -keyalg <key_alg> -keysize <key_size> -keystore <keystore_path> -ext san=dns:<host_name>,ip:<ip_address>
    keytool -export -alias <server_alias> -keystore <keystore_path> -rfc -file <certificate_path> -ext san=dns:<host_name>,ip:<ip_address>
    keytool -genkeypair -alias <client_alias> -keyalg <key_alg> -keysize <key_size> -keystore <keystore_path> -ext san=dns:<host_name>,ip:<ip_address>
    keytool -export -alias <client_alias> -keystore <keystore_path> -rfc -file <certificate_path> -ext san=dns:<host_name>,ip:<ip_address>
    keytool -importcert -alias <server_alias> -file <server_cert> -keystore <client_keystore>
    keytool -importcert -alias <client_alias> -file <client_cert> -keystore <server_keystore>
  2. Run the bat file in the Java/<version>/bin directory.
  3. Enter all the information you are prompted for while generating the certificates. Make a note of the keystore password you enter, as it is required when using the certificates.
  4. To get the server.jks alias name, enter the following command in the Java/<version>/bin directory: keytool -v -list -keystore server.jks

Example

keytool -genkeypair -alias server_alias -keyalg RSA -keysize 2048 -keystore server.jks -ext san=dns:localhost,ip:127.0.0.1
keytool -export -alias server_alias -keystore server.jks -rfc -file server.cer -ext san=dns:localhost,ip:127.0.0.1
keytool -genkeypair -alias client_alias -keyalg RSA -keysize 2048 -keystore client.jks -ext san=dns:localhost,ip:127.0.0.1
keytool -export -alias client_alias -keystore client.jks -rfc -file client.cer -ext san=dns:localhost,ip:127.0.0.1
keytool -importcert -alias server_alias -file server.cer -keystore client.jks
keytool -importcert -alias client_alias -file client.cer -keystore server.jks
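The same keytool sequence as a non-interactive POSIX shell script, followed by a check that the cross-import actually produced a trusted entry on each side and that the server certificate carries the expected SAN. This is an added example, not TIBCO's keytool.bat; the password, subject names and the localhost SAN are constructed placeholders, and a JDK keytool is assumed to be on PATH.

```shell
# Added example (not TIBCO's keytool.bat): generate server.jks and client.jks,
# cross-import the self-signed certificates, then verify the result before the
# keystores are handed to the SSLServer / SSLClient resources.
set -e
SAN="dns:localhost,ip:127.0.0.1"   # must match the host the LLP client connects to
PASS="changeit-example"            # constructed placeholder; use a real secret outside a lab

# make_keystores DIR: creates server.jks and client.jks and cross-imports the certs
make_keystores() {
  dir="$1"
  for side in server client; do
    keytool -genkeypair -alias "${side}_alias" -keyalg RSA -keysize 2048 \
      -keystore "$dir/$side.jks" -storepass "$PASS" -keypass "$PASS" \
      -dname "CN=${side}.example.test, O=Example" -validity 365 -ext "san=$SAN"
    keytool -exportcert -alias "${side}_alias" -keystore "$dir/$side.jks" \
      -storepass "$PASS" -rfc -file "$dir/$side.cer"
  done
  # each side trusts the other's self-signed certificate (pinning-style mutual trust)
  keytool -importcert -noprompt -alias server_alias -file "$dir/server.cer" \
    -keystore "$dir/client.jks" -storepass "$PASS"
  keytool -importcert -noprompt -alias client_alias -file "$dir/client.cer" \
    -keystore "$dir/server.jks" -storepass "$PASS"
}

# list_entry KEYSTORE ALIAS: verbose listing of one entry (empty if the alias is absent)
list_entry() {
  keytool -list -v -keystore "$1" -storepass "$PASS" -alias "$2" 2>/dev/null || true
}

# has_trusted_entry KEYSTORE ALIAS: succeeds if ALIAS is stored as a trusted certificate
has_trusted_entry() {
  list_entry "$1" "$2" | grep -q 'Entry type: trustedCertEntry'
}

# has_dns_san KEYSTORE ALIAS NAME: succeeds if the entry's certificate lists NAME in its SAN
has_dns_san() {
  list_entry "$1" "$2" | grep -q "DNSName: $3"
}

# verify_mutual_trust DIR: succeeds only when both keystores trust each other
verify_mutual_trust() {
  has_trusted_entry "$1/client.jks" server_alias &&
  has_trusted_entry "$1/server.jks" client_alias &&
  has_dns_san "$1/server.jks" server_alias localhost
}

# Stand-alone run (skipped when no JDK keytool is on PATH)
if command -v keytool >/dev/null 2>&1; then
  WORK="$(mktemp -d)"
  make_keystores "$WORK" >/dev/null 2>&1
  verify_mutual_trust "$WORK" && echo "keystores OK in $WORK"
fi
```

If verify_mutual_trust fails, the LLP handshake will fail with an untrusted-certificate error at runtime, so run this check before deploying the keystores.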