Configuring Mirth SSL Plugin to use a Custom Certificate Authority? - Mirth Community

#1 mirraraenn (Mirth Newb), 08-27-2014, 08:37 AM

How can I configure Mirth (with SSL Plugin) to use a non-standard certificate authority to allow for receiving and sending to hosts that have certificates created from that CA?

#2 narupley (Mirth Employee), 08-27-2014, 09:16 AM

Quote:
Originally Posted by mirraraenn
How can I configure Mirth (with SSL Plugin) to use a non-standard certificate authority to allow for receiving and sending to hosts that have certificates created from that CA?

You just need to add the root (CA) certificate to the truststore.
__________________
Step 1: JAVA CACHE...DID YOU CLEAR ...wait, ding dong the witch is dead?

Nicholas Rupley
Work: 949-237-6069
Always include what Mirth Connect version you're working with. Also include (if applicable) the code you're using and full stacktraces for errors (use CODE tags). Posting your entire channel is helpful as well; make sure to scrub any PHI/passwords first.


- How do I foo?
- You just bar.

#3 mirraraenn (Mirth Newb), 08-27-2014, 09:51 AM

Quote:
Originally Posted by narupley
You just need to add the root (CA) certificate to the truststore.

When you're talking about the truststore, do you mean the 'CACerts' keystore located at the java directory\lib\security\cacerts or with the keystore created and loaded for Mirth itself? I've added it to the first one, but not the second one because it says in the SSL plugin manager guide that it isn't used for HTTP Senders (but is still required).

#4 narupley (Mirth Employee), 08-27-2014, 09:53 AM

Quote:
Originally Posted by mirraraenn
When you're talking about the truststore, do you mean the 'CACerts' keystore located at the java directory\lib\security\cacerts or with the keystore created and loaded for Mirth itself? I've added it to the first one, but not the second one because it says in the SSL plugin manager guide that it isn't used for HTTP Senders (but is still required).

Neither. You need to add it to appdata/truststore.jks and restart the Mirth Connect server. You should not be touching the Mirth Connect keystore (appdata/keystore.jks) at all.

As I said here as well, in 3.1 we're completely overhauling the SSL Manager plugin to be much easier to use. I highly recommend watching this (starts at 7:19): http://www.mirthcorp.com/protected-c...eveloper-qa-73

#5 mirraraenn (Mirth Newb), 08-27-2014, 07:14 PM

Quote:
Originally Posted by narupley
Neither. You need to add it to appdata/truststore.jks and restart the Mirth Connect server. You should not be touching the Mirth Connect keystore (appdata/keystore.jks) at all.

As I said here as well, in 3.1 we're completely overhauling the SSL Manager plugin to be much easier to use. I highly recommend watching this (starts at 7:19): http://www.mirthcorp.com/protected-c...eveloper-qa-73

Thanks Narupley, this helped very much. For anyone viewing this thread with the same problem, what you need to do is to:
1. Navigate to http://portecle.sourceforge.net/ and launch the Portecle tool.
2. Once it has launched, navigate to the Mirth application files and open the truststore.jks file located at %MirthAppdataFolder%\appdata\truststore.jks (in my case on x64 Windows it was C:\Program Files\Mirth Connect\appdata\truststore.jks).
3. You will be prompted for a password, which you will need to get from the mirth.properties file at %MirthAppdataFolder%\conf\mirth.properties. It will look similar to this:
keystore.storepass = XXXXXXXXX
4. Once opened, select the import certificate button and load the trusted CA certificate whose sites you will be trying to connect to.
5. I am not sure if this keystore is refreshed or not while Mirth is running. Do you need to restart Mirth to have it refresh its certificate trust? That would be the final step if it were necessary.

I have a separate issue now that this is fixed, but will address it in a separate thread. Thanks again!
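
The Portecle steps in post #5 can also be done with the JDK's keytool. The script below is an added example, not part of the original posts: it checks the CA certificate's SHA-256 fingerprint before trusting it and keeps the store password off the command line. It assumes keytool is on PATH and that the truststore is JKS-type; the install directory, CA file, alias and expected fingerprint are supplied by the operator.

```shell
#!/bin/sh
# Added example: keytool equivalent of the Portecle steps in post #5.
# Assumptions: keytool is on PATH; the truststore is JKS-type (override with
# STORE_TYPE); install dir, CA file, alias and fingerprint come from the operator.
STORE_TYPE=${STORE_TYPE:-JKS}

# Print the value of keystore.storepass from a mirth.properties file.
read_storepass() {
    sed -n 's/^[[:space:]]*keystore\.storepass[[:space:]]*=[[:space:]]*//p' "$1" |
        tail -n 1 | tr -d '\r'
}

# import_ca MIRTH_DIR CA_FILE ALIAS EXPECTED_SHA256
# EXPECTED_SHA256 is the CA's fingerprint obtained out of band, in keytool's
# format (upper-case hex pairs separated by colons).
import_ca() {
    mirth_dir=$1; ca_file=$2; ca_alias=$3; expected_fp=$4
    store="$mirth_dir/appdata/truststore.jks"
    MIRTH_STOREPASS=$(read_storepass "$mirth_dir/conf/mirth.properties")
    [ -n "$MIRTH_STOREPASS" ] || { echo "keystore.storepass not found" >&2; return 1; }
    [ -f "$store" ] || { echo "no truststore at $store" >&2; return 1; }
    export MIRTH_STOREPASS   # read by -storepass:env, keeps it off the command line

    # Only trust the certificate if it is the one we expect.
    actual_fp=$(keytool -printcert -file "$ca_file" |
        sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p')
    [ "$actual_fp" = "$expected_fp" ] ||
        { echo "fingerprint mismatch: got '$actual_fp'" >&2; return 1; }

    cp -p "$store" "$store.bak" || return 1   # keep a copy to roll back to
    keytool -importcert -noprompt -alias "$ca_alias" -file "$ca_file" \
        -keystore "$store" -storetype "$STORE_TYPE" \
        -storepass:env MIRTH_STOREPASS || return 1
    # Confirm the new trusted entry is present.
    keytool -list -alias "$ca_alias" -keystore "$store" \
        -storetype "$STORE_TYPE" -storepass:env MIRTH_STOREPASS
}

# Run only when all four arguments are given; restart the Mirth Connect
# server afterwards (post #4).
if [ "$#" -eq 4 ]; then
    import_ca "$@"
fi
```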

#6 tsayers (Mirth Newb), 08-23-2016, 09:30 AM

Quote:
Originally Posted by narupley
I highly recommend watching this (starts at 7:19): http://www.mirthcorp.com/protected-c...eveloper-qa-73

This was very helpful. Do you have a similar demo for when using SSL Tunnels?

#7 chapanovich (What's HL7?), 06-11-2018, 11:47 AM
mirth service keeps restoring original keystore

I added a certificate and root certificate to keystore.jks but whenever the service starts it recreates the original one. Then I tried creating an entirely new keystore with a different name and modified mirth.conf to point to it, but when the service starts it replaces that one with the original keystore. Any way around this?

#8 narupley (Mirth Employee), 06-12-2018, 06:42 AM

Quote:
Originally Posted by chapanovich
I added a certificate and root certificate to keystore.jks but whenever the service starts it recreates the original one. Then I tried creating an entirely new keystore with a different name and modified mirth.conf to point to it, but when the service starts it replaces that one with the original keystore. Any way around this?

You just need to use the alias "mirthconnect" for your cert chain entry. That's what the server looks for when it starts up.