Mirth Connect is awesome! One common question on the forums and Slack is how to manage SSL connections. These questions mainly focus on HTTPS but also include TCP connections.
The quick rundown is:
- The built-in MC HTTP Sender connector will do HTTPS if one of the following holds:
  - The endpoint has a certificate which is signed by a CA already present in the JVM truststore and has the right DN or SAN for the hostname. This is logically equivalent to the "green check" you get when you open the URL in a browser.
  - The certificate has been added to the truststore of the JVM that MC is running under.
  - Changes to DNS or hosts files allow the hostname to match the DN or SAN already present in the cert (not recommended).
  - The connector may flag these connections with a warning or a red X. Test the channel first, since the validator makes assumptions about SSL that may not apply in this case.
- The built-in MC HTTP Listener connector will not do SSL directly. A plugin or a proxy is necessary.
  - Tony Germano has a plugin implementing SSL listeners for HTTPS at https://github.com/tonygermano/connect-plugins
  - Another open source SSL implementation is at https://github.com/tobchen/tc-ssl-plugin
- SSL firewalls or stunnel can also proxy the SSL connections. MC connects to the unsecured side of the tunnel and the SSL layer is handled on the other side. Open source tools:
  - stunnel https://www.stunnel.org/
  - haproxy http://www.haproxy.org/
  - nginx https://docs.nginx.com/
  - An open-source tool that lets Mirth Connect manage stunnel has been published at https://github.com/pacmano1/mirthstunnel
- Commercial solutions
  - Mirth had a commercial SSL extension, but it is now part of a larger licensed product - https://www.nextgen.com/products-and-services/integration-engine
  - Zen Healthcare IT has an SSL extension with up-front pricing at - https://consultzen.com/zen-ssl-extension/
  - Innovar has published an AWS instance with SSL support at - https://aws.amazon.com/marketplace/pp/prodview-rrvfqfm5vxbtk
  - Innovar also has an AWS EKS container instance with SSL support at - https://aws.amazon.com/marketplace/pp/prodview-pauxcxqvvvgic
  - Innovar also sells their SSL plugin independently of AWS at - https://www.innovarhealthcare.com/plugin-sale
- Channel code - You can use libraries like Apache HTTP Commons or OkHttp from MC channel code and let that code deal with SSL.
The main considerations between these options are:
- Who is expected to manage the connections? Interface engineers benefit from options like plugins that keep this inside MC. Network engineers and devops will tend to prefer proxies and tunnels that are closer to the infrastructure layer than the application layer.
- When will certs expire, and what are the corporate policies about cert management? Most certificates are good for 1 to 3 years, which means that updates are required as the certificates expire. Which option is easiest for your organization to a) detect this expiration and b) update certificates BEFORE they expire as routine maintenance?
- What other software in your environment uses SSL, and how is that managed?
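The two checks the list above keeps coming back to, whether the hostname is covered by the cert's DN/SAN and how long is left before the cert expires, can be scripted for routine maintenance. The following is an added example, not code from the page or from Mirth Connect: it uses Python's ssl module as a stand-in for the JVM's validation, and its `cafile` argument is assumed to be a PEM bundle exported from the truststore MC uses, not the JKS file itself; `SAMPLE_CERT` is a constructed sample in the shape `getpeercert()` returns.

```python
import socket
import ssl
import time

# Constructed sample in the dict shape that ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "hl7.example.org"),),),
    "subjectAltName": (("DNS", "hl7.example.org"), ("DNS", "*.partner.example.net")),
    "notAfter": "Jan  1 00:00:00 2031 GMT",
}

def cert_hostnames(cert):
    """DNS entries from the SAN, then the subject CN, of a getpeercert()-style dict."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        names.extend(value for key, value in rdn if key == "commonName")
    return names

def hostname_matches(cert, hostname):
    """True if hostname is covered by a SAN/CN entry; a wildcard only spans one label."""
    host = hostname.lower()
    for name in (n.lower() for n in cert_hostnames(cert)):
        if name == host:
            return True
        if name.startswith("*.") and host.count(".") == name.count(".") and host.endswith(name[1:]):
            return True
    return False

def days_until_expiry(cert, now=None):
    """Days left before notAfter (negative once expired), for renewal alerting."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400

def check_endpoint(hostname, port=443, cafile=None, warn_days=30):
    """Handshake with the endpoint, verify its chain against cafile (a PEM bundle,
    assumed exported from MC's truststore) or the system store, then report
    hostname coverage and remaining validity."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # chain is still verified; a name mismatch is reported, not fatal
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    days = days_until_expiry(cert)
    return {"hostname_ok": hostname_matches(cert, hostname),
            "days_left": round(days, 1), "renew_soon": days < warn_days}

if __name__ == "__main__":
    import sys
    print(check_endpoint(sys.argv[1], cafile=sys.argv[2] if len(sys.argv) > 2 else None))
```

A chain that the bundle does not trust raises `ssl.SSLCertVerificationError` from the handshake, which is the same failure the HTTP Sender would hit; run it from a scheduled job and alert on `renew_soon` or a raised error.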
Additional examples and references:
- A tutorial to communicate with DICOM over TLS, without using paid tools, is at https://saga-it.com/blog/mirth-connect-dicom-over-tls/. This example also shows how to manage the Mirth truststore; the same steps should work similarly for HTTP or TCP.
- A limited open-source SSL plugin is at https://github.com/tonygermano/connect-plugins