Securing SanteDB APIs
Last updated
Last updated
If you are running SanteDB iCDR or dCDR in a context where they need to be accessed from outside the datacenter, you will need to setup the services to use TLS.
This will require obtaining an SSL certificate, installing the certificate into the local certificate store using either:
Microsoft Management Console (mmc
) Certificates snap-in.
certmgr
on Mono (Linux or Mac)
SSL Termination (for REST APIs only)
Securing the HL7v2 interfaces is documented in SanteDB HL7v2 Implementation and is not covered here.
If installing SanteDB on Microsoft Windows, you should obtain a security certificate from a certificate authority. Once obtained, install the certificate into the Machine context of the host operating system.
Press (WIN)+R and type mmc
Use File -> Add/Remove Snap-In and select Certificates
Select the Computer Account and ensure the local server is the target
Import your certificate and private key (which you generated to get the certificate) into the Personal store. When completed you should see the certificate with a key indicator
Once this is complete, you should use the SanteDB Configuration Tool Certificate Binding to bind the certificate to the service and endpoint.
You can also secure dCDR instances, however the process is a manual one. First, you should configure the dCDR web or gateway service like you normally would (i.e. join the domain and ensure you can login with localhost:9200
)
Obtain the certificate thumbprint information from the certificate details:
In an elevated command prompt, bind the dCDR HTTP listener port to the certificate via netsh
for example: netsh http add sslcert ipport=0.0.0.0:9200 appid={A97FB5DE-7627-401C-8E70-5B96C1A0073B} certhash=<hash-of-your-cert>
If your dCDR instance is running as a less privileged account (other than LOCAL SERVICE
) then you will need to reserve the URL: netsh http add urlacl url=http://+:9200 user=<user-of-service>
In an elevated text editor (like notepad) open %systemroot%\SysWOW64\config\systemprofile\AppData\Roaming\santedb-www\default\SanteDB.config
You should edit the RestConfigurationSection
and bind each of the service ports from http://127.0.0.1:9200
to https://127.0.0.1:9200
Save the configuration file
Restart the SanteDBWWW service
The best way to run SanteDB iCDR and dCDR services is behind a reverse proxy using NGINX. This allows the components within the data center to communicate directly with one another (on a secure private network) without TLS overhead and only uses encryption when data leaves the private network.
To use NGINX you will have to create a /etc/nginx/services-available/name.domain.com
file with the following contents. The configuration has two pieces:
A configuration for the secured service you're exposing (recommended 8443 for iCDR and 443 for dCDR)
A configuration for the unsecured service which redirects to the secured port.
You should then link this file to the /etc/nginx/sites-enabled
directory and restart nginx.
You can secure the SanteDB APIs using dual-PKI (public key infrastructure) authentication. This method of API security will require that a remote node present a valid, trusted RSA certificate prior to any application level logic being executed. There are some configurations where this strategy can be deployed:
Securing the OAUTH endpoint so that devices must present a certificate prior to obtaining an access token.
Securing all API endpoints so that even those with valid access tokens must present the certificate.
In order to use client certificate authentication, the SanteDB iCDR or dCDR must be configured to use HTTPS as described in the above instructions. If using NGINX as a TLS termination point, the PEM for the certificate must be passed to the SanteDB server in the X-SSL-ClientCert
header.
Configuring the client certificates first requires the netsh
command to be used to require client certificates:
Next an implementation of the ICertificateIdentityProvider
must be configured in the SanteDB service. This service maps an X509 certificate to a user, device, or application. In your <services>
node, add a reference to the certificate handler.
Next, the endpoints in the SanteDB configuration file need to be changed from http://
scheme to https://
scheme, and the ClientCertificateAccessBehavior
added to the service. For example, if your OAUTH configuration is:
Then the configuration to use client certificates should be updated to:
The <configuration>
element of the client certificate access behavior controls how the access behavior validates the client certificate including.
revokeCheck
Online, Offline, None
Controls how client certificates' revokation status is validated.
allowClientHeader
true, false
Indicates whether the X-SSL-ClientCert
header is to be allowed. Note: If running behind NGINX with SSL termination this must be true, if not it is recommended to be false.
trustedIssuers
X509 Certificate
The trusted issuers of client certificates. If the client presents a certificate that is valid to the operating system, however is not issued by a CA in this list then the access request will be denied.