HL7 Authentication

Node Authentication using Message

If your deployment does no leverage client certificates for authentication, then your configuration must supply a configuration in the security attribute for the configuration. It can have one of the values drawn from the list below, which impact the method with which clients are authenticated.

No Authentication

When the None authentication method is specified, then the SanteDB server will use the value of MSH-3 as an application identity, and the configured noAuthSecret as the client secret.

MSH-8 Authentication

When the Msh8 option is specified for security mode, then SanteDB server will use the following authentication strategy:

SFT-4 Authentication

When Sft4 is used as the security mode, then SanteDB server will use the following authentication strategy:

Node Authentication using x.509 Certificates

If your use case requires remote servers to enforce client authentication using X.509 certificates, the configuration is modified to add a client certificate or client certificate authority as:

 <add address="sllp://0.0.0.0:2200" receiveTimeout="0" name="SanteMPI IHE SLLP">
  <sllp checkCrl="true" requireClientCert="true">
    <serverCertificate findType="FindByThumbprint" storeLocation="LocalMachine" findValue="467808134ADFFA873694261C707016EC03080A86" />
    <clientAuthorityCertificate findType="FindByThumbprint" storeLocation="LocalMachine" findValue="F62FBFA197D0B71207D504D1C7B39598B72C47FD" />
  </sllp>

When using X.509 authentication the HL7 message handler will use the MSH-3|MSH-4 value as the device name and the thumbprint of the selected X.509 certificate as the secret. Additionally, the X.509 certificate must have a chain which includes the certificate indicated in <clientAuthorityCertificate.

When node authentication is perform using certificates, the value of the securityMode attribute dictates the authentication strategy for the application (MSH-3). Where: