How to use an EPR certificate with the MESH client


Document filename: How to use an EPR certificate with the MESH client
Directorate / Programme: Operations and Assurance Services
Project: Spine Services / MESH
Document Reference: <insert>
Project Manager: Andrew Meyer
Status: Issued
Owner: Ash Raines
Version: 2.0
Author: Stuart Baskerville
Version issue date: 05/05/2016

Document Management

Revision History

Version  Date        Summary of Changes
0.1      27/04/2016  Initial version.
0.2      03/05/2016  Updated following review.
1.0      03/05/2016  Issued
1.1      05/05/2016  Updated to remove MESH client certificate sections
2.0      05/05/2016  Issued

Reviewers

This document must be reviewed by the following people:

Reviewer name    Title / Responsibility          Date  Version
Simon Richards   DTS Service Owner
Marta Raper      Spine2 Project Manager
Kathryn Common   Senior Communications Officer

Approved by

This document must be approved by the following people:

Name        Signature  Title  Date  Version
Ash Raines

Glossary of Terms

Term / Abbreviation  What it stands for
API        Application Programming Interface
CN         Common Name
CSR        Certificate Signing Request
DER        Distinguished Encoding Rules
DIR        Deployment Issue and Resolution
DTS        Data Transfer Service
EPR        End Point Registration
HSCIC      Health and Social Care Information Centre
JVM        Java Virtual Machine
Keystore   Repository for security certificates
MESH       Messaging Exchange for Social Care and Health

MOLES      MESH Online Enquiry Service
ODS        Organisation Data Service
OpenSSL    Open source implementation of SSL
PEM        Privacy Enhanced Mail
PKCS12     Public-Key Cryptography Standards defined for transporting private keys and certificates
RA         Registration Authority
RATS       Registration and Tracking Service
RBAC       Role-Based Access Control
RSA        Rivest-Shamir-Adleman cryptosystem
SSL        Secure Socket Layer - standard for establishing an encrypted link between a web server and a client

Document Control

The controlled copy of this document is maintained in the HSCIC corporate network. Any copies of this document held outside of that area, in whatever format (e.g. paper, email attachment), are considered to have passed out of control and should be checked for currency and validity.

Contents

1 Introduction ... 5
  1.1 Purpose of Document ... 5
  1.2 Background ... 5
2 Overview ... 6
  2.1 What is a certificate and how is it used in MESH? ... 6
  2.2 What certificate can be used by MESH? ... 6
3 Spine end-point certificates ... 7
  3.1 How to install the EPR certificate for the MESH client ... 7
  3.2 How to install the EPR certificate for the MESH API ... 11
4 Contact HSCIC ... 12
5 Appendix A: list of commands to create the MESH Keystore from an EPR certificate ... 13

1 Introduction

1.1 Purpose of Document

This document explains how client certificates are used in the MESH system and how users can take an existing End Point Registration (EPR) certificate and install it in their MESH client installation. For users wishing to request a new MESH client certificate, please refer to the MESH Client Certificates Manual Steps document for details.

The intended audience for this document is DTS installers and users, to assist in the transition from DTS to MESH.

1.2 Background

The BT contract for provision of the DTS expires on 30 June 2016. The Health and Social Care Information Centre (HSCIC) has developed a replacement for DTS which will be an in-house managed service. This transition enabled HSCIC to introduce a number of service improvements and deliver cost savings.

In January 2016 we transitioned the DTS Central Service from BT to the HSCIC MESH Service. This means that the service is now operated and managed by the HSCIC. The transition will also enable the new service to adapt to emerging user requirements in a more flexible and efficient manner.

2 Overview

The DTS client uses a single certificate on all client installations to connect to the central service so it can send and receive messages. This requirement has remained unchanged following the migration to the MESH central service. However, to improve security levels to meet the current Spine Core security requirements, all MESH client and MESH Server API installations will require a specific local certificate. This is because the new MESH client and MESH Server API rely on mutual authentication for higher security (both ends check that the other end has a valid certificate) as part of the logon process.

2.1 What is a certificate and how is it used in MESH?

Digital certificates are a means by which consumers and businesses can use the security applications of Public Key Infrastructure (PKI). PKI comprises the technology that enables secure e-commerce and internet-based communication.

The MESH client uses the certificate when connecting to the MESH server to send and receive messages. At a later date, the certificate will also be used by the MESH server to enhance mailbox authentication by checking that the certificate used is associated with that mailbox.

2.2 What certificate can be used by MESH?

The MESH system will allow two types of certificate to be used:

- New MESH client certificate: for users that currently do not use an EPR certificate, a MESH-specific certificate will be required. These will be issued by the HSCIC's Deployment Issue and Resolution (DIR) team. Details of how to contact the team are available on the HSCIC website.
- Spine End-Point Registration (EPR) certificate: if services currently connect to the Spine Messaging interfaces using an EPR certificate, this certificate can also be used for connection by the MESH client.

3 Spine end-point certificates

If services currently connect to the Spine Messaging interfaces using an EPR certificate, this certificate can also be used for connection by the MESH client.

3.1 How to install the EPR certificate for the MESH client

These steps assume that the EPR certificate and private key are available from the DIR team using the Spine SubCA. To create the Keystore, it is necessary to generate a PKCS12 database consisting of the private key and this certificate. The following steps should be performed to generate the PKCS12 database.

3.1.1 Install prerequisites

The following prerequisites need to be performed:

- Download OpenSSL for Windows from the SourceForge website (currently version 0.9.8h).
- Install OpenSSL for Windows:
  - Select Destination Location (C:\Program Files\GnuWin32)
  - Select Components: only the binaries are required
- Check your Windows installation for msvcrt.dll and msvcp60.dll. These should be stored in C:\WINDOWS\system32 if downloaded from the Microsoft website.

3.1.2 Configure a command window (cmd)

Open a cmd window as an administrator: right-click cmd, select Run as and select Administrator. You should now see a cmd window and be able to work within a single directory. It is necessary to add the OpenSSL bin directory and the jre7\bin directory (for keytool) to the PATH. Do this by issuing the following command:

    PATH=%PATH%;C:\Program Files\GnuWin32\bin;C:\Program Files\Java\jre7\bin

If working on a 64-bit system, either of these directories may in fact reside in Program Files (x86). If this is the case, substitute Program Files (x86) for Program Files in the command. Now everything can be done within a single working directory.

3.1.3 Convert the EPR private key to PEM format

Depending on how the EPR certificate was requested, the private key may not be in PEM format. An example private key in PEM format is shown below:

    -----BEGIN ENCRYPTED PRIVATE KEY-----
    MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDg
    MBQGCCqGSIb3DQMHBAgD1kGN4ZslJgSCBMi1xk9jhlPxPc
    9g73NQbtqZwI+9X5OhpSg/2ALxlCCjbqvzgSu8gfFZ4yo+
    AX0R+meOaudPTBxoSgCCM51poFgaqt4l6VlTN4FRpj+c/Wc
    blk948uada/bwvmzjxfy4tztah0cuqlaldoqbzu8twe7wd
    H0ga/iLNvWYexG7FHLRiq5hTj0g9mUPEbeTXuPtOkTEb/0
    GEs=
    -----END ENCRYPTED PRIVATE KEY-----

Figure 1 Private Key in PEM format

To convert to the correct format the openssl command should be used. Below is an example of a command to convert an RSA (Rivest-Shamir-Adleman) cryptosystem key to PEM format:

    openssl rsa -in .\ssh\id_rsa -outform pem -out id_rsa.pem

Note that openssl rsa writes the key out without passphrase protection, so keep id_rsa.pem in the working directory only for as long as it is needed to build the PKCS12 file.

3.1.4 Convert the EPR certificate to PEM format

Depending on how the EPR certificate was requested, it may not be in PEM format. An example certificate in PEM format is shown below:

    -----BEGIN CERTIFICATE-----
    MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDg
    MBQGCCqGSIb3DQMHBAgD1kGN4ZslJgSCBMi1xk9jhlPxPc
    9g73NQbtqZwI+9X5OhpSg/2ALxlCCjbqvzgSu8gfFZ4yo+
    AX0R+meOaudPTBxoSgCCM51poFgaqt4l6VlTN4FRpj+c/Wc
    blk948uada/bwvmzjxfy4tztah0cuqlaldoqbzu8twe7wd
    H0ga/iLNvWYexG7FHLRiq5hTj0g9mUPEbeTXuPtOkTEb/0
    GEs=
    -----END CERTIFICATE-----

Figure 2 Certificate in PEM format

To convert to the correct format the openssl command should be used. Below is an example of a command to convert a DER-encoded certificate to PEM format:

    openssl x509 -inform der -in certificate.cer -out certificate.pem

3.1.5 Create the Java Keystore

Assuming the private key is in the file mykey.pem in PEM format and the certificate is in mycert.pem, also in PEM format, copy these files into the <MESH-APP-HOME>/keystore directory. Type the following command to create the PKCS12 file. This command prompts for an export password; a password must be specified as it will be required by the MESH client to access the Keystore:

    openssl pkcs12 -export -in mycert.pem -inkey mykey.pem -out MyCert.p12

The openssl command may also prompt for the private key's password if the key was created with one. The export password is used later.

The .p12 file can then be used to create a Keystore using the keytool command below:

    keytool -importkeystore -srckeystore MyCert.p12 -destkeystore MESH.keystore -srcstoretype pkcs12

The keytool command will prompt for the destination keystore password (used by the MESH client) and for the source keystore password (the export password given to openssl in the previous step). You now have a keystore named MESH.keystore containing the certificate and key you need.
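Sections 3.1.3 and 3.1.4 both turn on the same question: is the file already PEM (base64 text between BEGIN/END lines) or raw DER? The following Python script is an added example, not part of the HSCIC document, that detects which form a file is in, converts DER to PEM and back without OpenSSL, and checks the DER length header so that a truncated or text-mode-corrupted download is caught before it is fed to openssl or keytool. The sample bytes are constructed for the example and the function names are the example's own.

```python
"""Detect PEM vs DER and convert between them (added example, not from the MESH document).

PEM is the DER bytes base64-encoded in 64-column lines between
"-----BEGIN <LABEL>-----" and "-----END <LABEL>-----" lines. A DER
certificate or key starts with the ASN.1 SEQUENCE tag 0x30, followed by a
length field that must account for exactly the remaining bytes.
"""
import base64
import re

# One PEM block: armour label, base64 body, matching END line.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def detect_format(data: bytes) -> str:
    """Classify raw file bytes as 'PEM', 'DER' or 'UNKNOWN'."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "PEM"
    if data[:1] == b"\x30":
        return "DER"
    return "UNKNOWN"


def der_outer_length(der: bytes) -> int:
    """Return the content length declared by the outer SEQUENCE header.

    Raises ValueError when the tag is not SEQUENCE, the length encoding is
    unsupported, or the declared length disagrees with the bytes present
    (the usual symptom of a truncated or text-mode-corrupted download).
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (expected first byte 0x30)")
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        length, header = first, 2
    else:                                 # long form: 0x8N, then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("unsupported or truncated DER length field")
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if header + length != len(der):
        raise ValueError(
            f"DER length mismatch: header declares {length} content bytes, "
            f"{len(der) - header} present"
        )
    return length


def der_to_pem(der: bytes, label: str) -> str:
    """Wrap validated DER bytes in PEM armour, 64 base64 characters per line."""
    der_outer_length(der)                 # refuse to armour corrupt input
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def pem_to_der(pem: bytes) -> tuple:
    """Return (label, der_bytes) for the first PEM block in the data."""
    m = PEM_BLOCK.search(pem)
    if m is None:
        raise ValueError("no PEM block found")
    body = re.sub(rb"\s+", b"", m.group(2))
    der = base64.b64decode(body, validate=True)
    der_outer_length(der)                 # armour was fine; check the payload too
    return m.group(1).decode("ascii"), der


# Constructed sample: a minimal DER SEQUENCE { INTEGER 5 }, not a real certificate.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"

if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER, "CERTIFICATE")
    print(detect_format(SAMPLE_DER), "->", detect_format(pem.encode()))
    print(pem, end="")
    print(pem_to_der(pem.encode()))
```

The script handles the PEM armour only, which is all that openssl x509 -inform der does for a certificate; for a private key, openssl rsa additionally translates between the PKCS#8 and PKCS#1 encodings, so keep using it for the key conversion in section 3.1.3.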

3.1.6 Download the Spine SubCA certificate

Navigate to the NHS Certificate Services interface at https://portal.national.ncrs.nhs.uk/esw/ and click the Install New SubCA cert (PEM format) link from the menu (left panel).

Figure 3 Download the rootca.der (ESW)

Save the certificate in the <MESH-APP-HOME>/keystore directory with the default name of subca.pem.

3.1.7 Add the SubCA certificate to the Keystore

To add the SubCA certificate to the Keystore (creating the truststore), the keytool command is used:

    keytool -importcert -file subca.pem -alias subca -keystore MESH.keystore

3.1.8 Download the Spine Root certificate

Navigate to the NHS Certificate Services interface at https://portal.national.ncrs.nhs.uk/esw/ and click the Install RootCA cert (PEM format) link from the menu (left panel).

Figure 4 Download the rootca.der (ESW)

Save the certificate in the <MESH-APP-HOME>/keystore directory with the default name of rootca.pem.

3.1.9 Add the root certificate to the Keystore

To add the root certificate to the Keystore (creating the truststore), the keytool command is used:

    keytool -importcert -file rootca.pem -alias rootca -keystore MESH.keystore

The Keystore creation is complete and can now be used with the MESH client.

3.1.10 Verify installation

To verify that the certificates have been added to the Keystore, the following command should be run. The command will prompt for the Keystore password specified above:

    keytool -list -keystore MESH.keystore

The output should list the EPR key entry together with the root and SubCA certificate entries, similar to that shown below:

    >keytool -list -keystore mesh.jks
    Enter keystore password:
    Keystore type: JKS
    Keystore provider: SUN

    Your keystore contains 3 entries

    rootca, 03-May-2016, trustedcertentry,
    Certificate fingerprint (SHA1): EC:7A:3B:3C:B7:95:EC:E9:56:C5:A7:BE:C4:20:4A:29:8F:EB:23:6C

    subca, 03-May-2016, trustedcertentry,
    Certificate fingerprint (SHA1): B0:1F:20:80:4D:DB:F5:84:E4:47:77:87:3D:1C:83:40:0C:25:6B:C3
    mesh, 03-May-2016, PrivateKeyEntry,
    Certificate fingerprint (SHA1): 04:47:30:E9:67:EA:D9:F0:87:F5:AA:2C:E7:5D:CC:4C:4C:5B:93:9C

The Keystore can now be used by the MESH client. To configure the MESH client, copy MESH.keystore to the <MESH-APP-HOME>/keystore folder in the MESH client installation. Next, the meshclient.cfg file will need to be updated to use the MESH Keystore. The following values will need to be updated:

- KeyStorePath: the location of the MESH keystore file, e.g. C:\MESH-APP-HOME\KEYSTORE\mesh.keystore
- KeyStorePassword: the Keystore password supplied with the user account details

If using the MESH client on a non-Windows based server, the above process can be used and the MESH.keystore copied to the server and configured in the same way.

3.2 How to install the EPR certificate for the MESH API

If using the MESH Server API to connect to the MESH service, the EPR certificate should be installed into the client software so that a mutual authentication session can be established with the MESH server. This installation will vary depending on how the client software is configured.
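Section 3.1.10 verifies the Keystore by reading the listing by eye. The Python script below is an added example, not part of the HSCIC document, that parses the output of keytool -list and checks that the EPR key pair is present as a PrivateKeyEntry and that the rootca and subca aliases are present as trusted certificate entries, reporting anything missing, of the wrong type or unexpected. The alias names follow the document's listing; the sample output embedded in the script is constructed from the listing in section 3.1.10. Run keytool -list -keystore MESH.keystore, save the output to a file and pass its path to the script.

```python
"""Check keytool -list output for the entries the MESH client needs
(added example, not part of the MESH document).

Usage: keytool -list -keystore MESH.keystore > listing.txt
       python check_keystore.py listing.txt
"""
import re
import sys

# Entry header line as printed by keytool -list, e.g.
#   rootca, 03-May-2016, trustedcertentry,
# Older JDKs print "trustedcertentry", newer ones "trustedCertEntry".
ENTRY_LINE = re.compile(
    r"^(?P<alias>[^,]+), (?P<date>[^,]+), (?P<type>PrivateKeyEntry|trustedCertEntry),\s*$",
    re.IGNORECASE,
)
FINGERPRINT_LINE = re.compile(
    r"Certificate fingerprint \((?P<alg>[A-Z0-9-]+)\): (?P<fp>[0-9A-F:]+)"
)

# What the MESH client keystore should contain, by alias (entry types lower-cased).
# "mesh" is the alias shown in the document's listing; openssl pkcs12 -export
# names the key entry after its -name argument, so adjust if yours differs.
EXPECTED = {
    "mesh": "privatekeyentry",
    "subca": "trustedcertentry",
    "rootca": "trustedcertentry",
}


def parse_listing(text: str) -> dict:
    """Return {alias: {"type", "date", "fp_alg", "fingerprint"}} from keytool -list output."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_LINE.match(line)
        if m:
            current = m.group("alias").strip().lower()
            entries[current] = {
                "type": m.group("type").lower(),
                "date": m.group("date"),
                "fp_alg": None,
                "fingerprint": None,
            }
            continue
        m = FINGERPRINT_LINE.search(line)
        if m and current is not None:
            entries[current]["fp_alg"] = m.group("alg")
            entries[current]["fingerprint"] = m.group("fp")
    return entries


def check_keystore_listing(text: str) -> list:
    """Return a list of problems; an empty list means the keystore matches EXPECTED."""
    entries = parse_listing(text)
    problems = []
    declared = re.search(r"contains (\d+) entr", text)
    if declared and int(declared.group(1)) != len(entries):
        problems.append(
            f"keytool reports {declared.group(1)} entries but {len(entries)} were parsed"
        )
    for alias, wanted in EXPECTED.items():
        entry = entries.get(alias)
        if entry is None:
            problems.append(f"missing entry '{alias}'")
        elif entry["type"] != wanted:
            problems.append(f"entry '{alias}' is {entry['type']}, expected {wanted}")
        elif entry["fingerprint"] is None:
            problems.append(f"entry '{alias}' has no certificate fingerprint")
    for alias in entries:
        if alias not in EXPECTED:
            problems.append(f"unexpected entry '{alias}'")
    return problems


# Constructed sample, modelled on the listing in section 3.1.10.
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

rootca, 03-May-2016, trustedcertentry,
Certificate fingerprint (SHA1): EC:7A:3B:3C:B7:95:EC:E9:56:C5:A7:BE:C4:20:4A:29:8F:EB:23:6C
subca, 03-May-2016, trustedcertentry,
Certificate fingerprint (SHA1): B0:1F:20:80:4D:DB:F5:84:E4:47:77:87:3D:1C:83:40:0C:25:6B:C3
mesh, 03-May-2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): 04:47:30:E9:67:EA:D9:F0:87:F5:AA:2C:E7:5D:CC:4C:4C:5B:93:9C
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LISTING
    problems = check_keystore_listing(text)
    print("keystore OK" if not problems else "\n".join(problems))
    sys.exit(1 if problems else 0)
```

The exit status makes the check usable from an installation script: a non-zero exit means the keystore should not be copied into <MESH-APP-HOME>/keystore yet. Comparing the parsed fingerprints against the values published for the Spine CA certificates is a natural extension, but the document gives no reference values, so the script only checks that each entry carries a fingerprint.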

4 Contact HSCIC

For further information, a dedicated MESH page has been created on the HSCIC website at http://systems.hscic.gov.uk/ddc/mesh. If users have specific questions related to MESH, please contact the National Service Desk.

5 Appendix A: list of commands to create the MESH Keystore from an EPR certificate

Here is the list of commands to create the MESH keystore:

    openssl rsa -in .\ssh\id_rsa -outform pem -out id_rsa.pem
    openssl x509 -inform der -in certificate.cer -out certificate.pem
    openssl pkcs12 -export -in certificate.pem -inkey id_rsa.pem -out MyCert.p12
    keytool -importkeystore -srckeystore MyCert.p12 -destkeystore MESH.keystore -srcstoretype pkcs12

Download the SubCA from https://portal.national.ncrs.nhs.uk/esw/certs/subca.pem.txt to c:\mesh-app-home\keystore\subca.pem, then:

    keytool -importcert -file subca.pem -alias subca -keystore MESH.keystore

Download the RootCA from https://portal.national.ncrs.nhs.uk/esw/certs/rootca.pem.txt and save the contents to c:\mesh-app-home\keystore\rootca.pem, then:

    keytool -importcert -file rootca.pem -alias rootca -keystore MESH.keystore

To confirm the contents of the keystore:

    keytool.exe -list -keystore c:\mesh-app-home\keystore\mesh.keystore