Securing SanteDB APIs
If you are running SanteDB iCDR or dCDR in a context where they need to be accessed from outside the datacenter, you will need to setup the services to use TLS.
This will require obtaining an SSL certificate, installing the certificate into the local certificate store using either:
- Microsoft Management Console (
mmc) Certificates snap-in. certmgron Mono (Linux or Mac)- SSL Termination (for REST APIs only)
Securing the HL7v2 interfaces is documented in SanteDB HL7v2 Implementation and is not covered here.
If installing SanteDB on Microsoft Windows, you should obtain a security certificate from a certificate authority. Once obtained, install the certificate into the Machine context of the host operating system.
- 1.Press (WIN)+R and type
mmc
- 2.Use File -> Add/Remove Snap-In and select Certificates
- 3.Select the Computer Account and ensure the local server is the target
- 4.Import your certificate and private key (which you generated to get the certificate) into the Personal store. When completed you should see the certificate with a key indicator
Once this is complete, you should use the SanteDB Configuration Tool Certificate Binding to bind the certificate to the service and endpoint.
You can also secure dCDR instances, however the process is a manual one. First, you should configure the dCDR web or gateway service like you normally would (i.e. join the domain and ensure you can login with
localhost:9200)- 1.Obtain the certificate thumbprint information from the certificate details:
- 2.In an elevated command prompt, bind the dCDR HTTP listener port to the certificate via
netshfor example:netsh http add sslcert ipport=0.0.0.0:9200 appid={A97FB5DE-7627-401C-8E70-5B96C1A0073B} certhash=<hash-of-your-cert> - 3.If your dCDR instance is running as a less privileged account (other than
LOCAL SERVICE) then you will need to reserve the URL:netsh http add urlacl url=http://+:9200 user=<user-of-service> - 4.In an elevated text editor (like notepad) open
%systemroot%\SysWOW64\config\systemprofile\AppData\Roaming\santedb-www\default\SanteDB.config - 5.You should edit the
RestConfigurationSectionand bind each of the service ports fromhttp://127.0.0.1:9200tohttps://127.0.0.1:9200 - 6.Save the configuration file
- 7.Restart the SanteDBWWW service
The best way to run SanteDB iCDR and dCDR services is behind a reverse proxy using NGINX. This allows the components within the data center to communicate directly with one another (on a secure private network) without TLS overhead and only uses encryption when data leaves the private network.
To use NGINX you will have to create a
/etc/nginx/services-available/name.domain.com file with the following contents. The configuration has two pieces:- 1.A configuration for the secured service you're exposing (recommended 8443 for iCDR and 443 for dCDR)
- 2.A configuration for the unsecured service which redirects to the secured port.
# Example of iCDR API
server {
listen 8443 ssl;
listen [::]:8443 ssl;
# For dCDR you should maybe use
# listen 443 ssl;
# listen [::]:443 ssl;
# These should be the X509 cert and private key
# you got from your CA
ssl_certificate /etc/nginx/ssl/my_cert.crt;
ssl_certificate_key /etc/nginx/ssl/my_key.rsa;
# This is the host name of the server you're binding to
server_name name-of-your-server.net;
location / {
# Forward to app server
proxy_pass http://internal-ip-address:8080/;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_cookie_domain internal-ip-address name-of-your-server.net;
proxy_pass_request_headers on;
}
}
# Server redirects any unsecured requests to secured
server {
listen 8080;
listen [::]:8080;
server_name name-of-your-server.net;
return 301 https://$host$request_uri;
}
You should then link this file to the
/etc/nginx/sites-enabled directory and restart nginx.
Last modified 1yr ago