HL7 Authentication
Last updated
If your deployment does not use client certificates for authentication, then your configuration must supply a value in the security attribute of the HL7 configuration. This attribute takes one of the values listed below, which determine how clients are authenticated.
When the None authentication method is specified, the SanteDB server will use the value of MSH-3 as the application identity and the configured noAuthSecret as the client secret.
This configuration option is only recommended when it is impossible to use X.509 certificates or the MSH-8 or SFT-4 authentication schemes, since all MSH-3 values will share the same secret.
When the Msh8 option is specified as the security mode, the SanteDB server will use the authentication strategy shown in the Msh8 table below:
When Sft4 is used as the security mode, the SanteDB server will use the authentication strategy shown in the Sft4 table below:
SFT-4 is only supported on newer versions of HL7 and should not generally be used unless a reliable software binary value is provided.
If your use case requires remote servers to enforce client authentication using X.509 certificates, the configuration is modified to add a client certificate or client certificate authority as:
When using X.509 authentication, the HL7 message handler will use the MSH-3|MSH-4 value as the device name and the thumbprint of the selected X.509 certificate as the secret. Additionally, the X.509 certificate must have a chain which includes the certificate indicated in the clientAuthorityCertificate element.
When node authentication is performed using certificates, the value of the securityMode attribute dictates the authentication strategy for the application (MSH-3), as shown in the Security Mode table below:
You can use the SanteDB Configuration Tool's HL7 Version 2 Service to configure these options in the user interface.
Msh8 security mode:

MSH-8      App ID    App Secret     Dev ID         Dev Secret
FOO+BAR    MSH-3     BAR            MSH-3|MSH-4    FOO
FOOBAR     MSH-3     noAuthSecret   MSH-3|MSH-4    FOOBAR

Sft4 security mode:

App ID    App Secret    Dev ID         Dev Secret
MSH-3     SFT-4         MSH-3|MSH-4    MSH-8

Security Mode    Authentication
None             No application authentication is performed; the system application is used
Msh8             The entire value of the MSH-8 field is used as the client secret for the application
Sft4             The entire value of the SFT-4 field is used as the client secret for the application
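As an added example (not SanteDB's own code), the following Python script derives the application and device credentials from a constructed HL7 v2 message for each security mode in the tables above. The sample message, the choice to split MSH-8 on its first "+" only, and the refusal to proceed on an empty MSH-8 or missing SFT-4 are this example's own assumptions where the page is silent.

```python
"""Derive HL7 v2 client credentials the way the securityMode tables describe.

Added example, not SanteDB's own code: shows how application and device
credentials come out of MSH-3, MSH-4, MSH-8 and SFT-4 for the None, Msh8
and Sft4 security modes.  The sample messages below are constructed.
"""
from dataclasses import dataclass
from typing import Optional

FIELD_SEP = "|"


@dataclass(frozen=True)
class Credentials:
    app_id: str
    app_secret: str
    device_id: Optional[str]      # None when the page defines no device credential
    device_secret: Optional[str]


def parse_segments(message: str) -> dict:
    """Split an HL7 v2 message into {segment name: fields}.

    Lists are laid out so that fields[n] is field n of the segment.  HL7 counts
    the separator itself as MSH-1, so a placeholder keeps MSH-3 (sending
    application), MSH-4 (sending facility) and MSH-8 (security) at their indexes.
    """
    segments = {}
    for raw in message.replace("\n", "\r").split("\r"):
        if not raw:
            continue
        name, _, rest = raw.partition(FIELD_SEP)
        fields = rest.split(FIELD_SEP)
        if name == "MSH":
            fields = [FIELD_SEP] + fields
        segments[name] = [name] + fields
    return segments


def field(segments: dict, segment: str, index: int) -> str:
    """Return field <index> of <segment>, or "" if the segment or field is absent."""
    fields = segments.get(segment, [])
    return fields[index] if index < len(fields) else ""


def derive_credentials(message: str, security_mode: str, no_auth_secret: str) -> Credentials:
    """Apply the securityMode tables to one message."""
    seg = parse_segments(message)
    app_id = field(seg, "MSH", 3)
    device_id = f"{app_id}{FIELD_SEP}{field(seg, 'MSH', 4)}"
    msh8 = field(seg, "MSH", 8)
    mode = security_mode.lower()

    if mode == "none":
        # Every MSH-3 shares the configured noAuthSecret; the page defines no
        # device credential for this mode, so none is returned.
        return Credentials(app_id, no_auth_secret, None, None)

    if mode == "msh8":
        if not msh8:
            raise ValueError("Msh8 mode but MSH-8 is empty")  # added check, not from the page
        if "+" in msh8:
            # "FOO+BAR": device secret before the '+', application secret after it.
            # Splitting on the first '+' only is an assumption of this example.
            device_secret, app_secret = msh8.split("+", 1)
        else:
            # No '+': all of MSH-8 is the device secret and the application
            # falls back to the shared noAuthSecret.
            device_secret, app_secret = msh8, no_auth_secret
        return Credentials(app_id, app_secret, device_id, device_secret)

    if mode == "sft4":
        sft4 = field(seg, "SFT", 4)
        if not sft4:
            raise ValueError("Sft4 mode but no SFT-4 value present")  # added check
        return Credentials(app_id, sft4, device_id, msh8)

    raise ValueError(f"unknown securityMode {security_mode!r}")


# Constructed sample messages (not from the page); \r separates segments.
MSG_PLUS = (
    "MSH|^~\\&|SENDAPP|SENDFAC|SANTEDB|SANTEFAC|20240101120000|FOO+BAR|ADT^A01|MSG0001|P|2.5\r"
    "SFT|Vendor|1.0|TestClient|SECRET-XYZ\r"
    "PID|1||12345"
)
MSG_PLAIN = MSG_PLUS.replace("|FOO+BAR|", "|FOOBAR|")
MSG_NO_SFT = "\r".join(s for s in MSG_PLUS.split("\r") if not s.startswith("SFT"))


if __name__ == "__main__":
    for mode in ("None", "Msh8", "Sft4"):
        print(mode, derive_credentials(MSG_PLUS, mode, "shared-secret"))
    print("Msh8 without '+':", derive_credentials(MSG_PLAIN, "Msh8", "shared-secret"))
```

Running the script prints the four credential fields for each mode; the second Msh8 line shows the fallback to noAuthSecret when MSH-8 carries no "+".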