Signature Profile

Signature Profile attaches a cryptographic signature to each message, which allows the receiving application to strongly authenticate the sender and, optionally, allows the sender to authenticate the responses it receives.

To use Signature Profile, you first need a private key and its corresponding public key, each held in a keystore. The private key is used on the sending end to sign messages, and the public key must be provided to the receiving end so that it can verify them. If responses are also to be signed, a second pair of keys must be created and held on the opposite ends: the private key lives on the receiving end, so that it can be used to sign responses, and the public key on the sending end.

See generating keys for information on creating self-signed keys.

Signer

HL7 over HTTP uses the Bouncycastle library to provide message signing. To use this feature, you must add the "bcprov" and "bcmail" JAR files to your classpath. Maven users may use the following dependencies:

<dependency>
  <groupId>org.bouncycastle</groupId>
  <artifactId>bcprov-jdk16</artifactId>
  <version>${bouncycastle.version}</version>
</dependency>
<dependency>
  <groupId>org.bouncycastle</groupId>
  <artifactId>bcmail-jdk16</artifactId>
  <version>${bouncycastle.version}</version>
</dependency>
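The two prose sections above describe the key material (private key on the sender, public key on the receiver) and the CMS signature the Bouncycastle signer produces. The shell script below is an added example, not code from the HAPI project: it uses the openssl command line instead of the Bouncycastle classes to walk through the same setup, then signs a message body with a detached CMS signature, verifies it with only the sender's certificate, and shows that a body altered in transit fails verification. The file names, subject DN, alias, passwords and the sample MSH segment are all constructed here; the script illustrates the mechanism, not the exact byte layout HoH puts on the wire.

```shell
#!/bin/sh
# Added example (not part of the HAPI HoH documentation): key setup and a
# detached CMS sign/verify round trip with openssl. All names are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# 1. Sending side: a private key plus a self-signed certificate (the public key).
#    Only the certificate is handed to the receiving side.
make_sender_keys() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=hl7-sender/O=Example" \
        -keyout "$WORK/sender.key" -out "$WORK/sender.crt" >/dev/null 2>&1
    # Bundle key + certificate into a PKCS#12 keystore under the alias the
    # signer will be configured with (assumption: "keyalias", as on this page).
    openssl pkcs12 -export -inkey "$WORK/sender.key" -in "$WORK/sender.crt" \
        -name keyalias -passout pass:store_password -out "$WORK/sender.p12"
}

# 2. Sign a message body. The signature is detached (the body is not embedded
#    in it) and PEM/base64 encoded so it can travel as text beside the body.
sign_message() {    # $1 = message file, $2 = signature file to write
    openssl cms -sign -binary -md sha256 \
        -signer "$WORK/sender.crt" -inkey "$WORK/sender.key" \
        -in "$1" -outform PEM -out "$2"
}

# 3. Receiving side: check the detached signature against the body it received,
#    trusting only the sender certificate obtained out of band. Returns 0 if valid.
verify_message() {  # $1 = message file, $2 = signature file
    openssl cms -verify -binary -inform PEM -in "$2" -content "$1" \
        -CAfile "$WORK/sender.crt" -out /dev/null >/dev/null 2>&1
}

# Constructed sample HL7 message: a single MSH segment, CR terminated.
sample_message() {
    printf 'MSH|^~\\&|SENDER|FAC|RECEIVER|FAC|20240101120000||ADT^A01|MSG0001|P|2.5\r' \
        > "$WORK/msg.hl7"
}

# Round trip: the untouched body verifies; a body modified after signing does not.
demo() {
    make_sender_keys
    sample_message
    sign_message "$WORK/msg.hl7" "$WORK/msg.sig"
    verify_message "$WORK/msg.hl7" "$WORK/msg.sig" || return 1
    # Simulate tampering in transit: change the message control ID.
    sed 's/MSG0001/MSG0002/' "$WORK/msg.hl7" > "$WORK/tampered.hl7"
    if verify_message "$WORK/tampered.hl7" "$WORK/msg.sig"; then
        return 1    # a tampered body must never verify
    fi
    return 0
}

demo && echo "signature round trip OK (work dir: $WORK)"
```

The receiving side deliberately never sees sender.key; it verifies with sender.crt alone, which is the distribution the first section describes. Java's KeyStore API can read the PKCS#12 file; this page does not say whether KeystoreUtils loads PKCS#12 directly, so convert it to a JKS file with keytool -importkeystore if your setup expects one.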

Signing client messages

To sign a message within an HL7 over HTTP client, follow the example below:

// Create a client
HohRawClientSimple client = new HohRawClientSimple("remotehost", 8080, "/");

// Create a message signer backed by the sender's private key
BouncyCastleCmsMessageSigner signer = new BouncyCastleCmsMessageSigner();
signer.setKeyStore(KeystoreUtils.loadKeystore("/path/to/keystore/keystore.jks", "store_password"));
signer.setKeyAlias("keyalias");
signer.setAliasPassword("key_password");

// Every message sent through this client is now signed
client.setSigner(signer);

// Wrap the raw HL7 text to send (sample message) and send it
ISendable<String> sendable = new RawSendable("MSH|^~\\&|SENDER|FAC|RECEIVER|FAC|20240101120000||ADT^A01|MSG0001|P|2.5\r");
IReceivable<String> response = client.sendAndReceive(sendable);

Message signers may also be used with the HoH LLP implementation:

// Connection parameters
String host = "localhost";
int port = 8080;
boolean tls = false;

// Create the HoH lower layer protocol in the client role
Hl7OverHttpLowerLayerProtocol llp;
llp = new Hl7OverHttpLowerLayerProtocol(ServerRoleEnum.CLIENT);
llp.setHost(host);

// Create a message signer and attach it to the LLP
BouncyCastleCmsMessageSigner signer = new BouncyCastleCmsMessageSigner();
signer.setKeyStore(KeystoreUtils.loadKeystore("/path/to/keystore/keystore.jks", "store_password"));
signer.setKeyAlias("keyalias");
signer.setAliasPassword("key_password");
llp.setSigner(signer);

// Use the signing LLP in a HAPI context
DefaultHapiContext ctx = new DefaultHapiContext();
ctx.setLowerLayerProtocol(llp);

// Connect
Connection connection = ctx.newClient(host, port, tls);

Signing server messages

Message signers may also be used within an HoH Servlet.

public class SignatureServlet extends HohServlet {

	@Override
	public void init(ServletConfig theConfig) throws ServletException {

		// Create a message signer and pass it to the servlet
		BouncyCastleCmsMessageSigner signer = new BouncyCastleCmsMessageSigner();
		try {
			signer.setKeyStore(KeystoreUtils.loadKeystore("/path/to/keystore/keystore.jks", "store_password"));
		} catch (Exception e) {
			throw new ServletException(e);
		}
		signer.setKeyAlias("keyalias");
		signer.setAliasPassword("key_password");
		setSigner(signer);

		// ... also provide a message handler ...

	}

}