Configuring HL7 message broker client authentication

Configure mutual TLS authentication to secure communication between the IBM Master Data Management HL7 message broker and external healthcare systems.

Before you begin

Before you begin, ensure that you have the client-side certificate files from the external systems that will connect to the message broker. The certificate files can be in .crt or .pem format.

About this task

The message broker uses mutual TLS for client authentication. External systems must provide valid client-side certificates to establish secure connections with the message broker. You inject client-side certificates into the message broker through the IBM Master Data Management Custom Resource.

To configure client authentication:

Procedure

  1. Create a secret for each client-side certificate in the IBM® Software Hub Operands namespace:

    For a .crt certificate file:

    oc create secret generic my-secret --from-file=tls.crt -n ${PROJECT_CPD_INST_OPERANDS}

    For a .pem certificate file:

    oc create secret generic your-secret --from-file=tls.pem -n ${PROJECT_CPD_INST_OPERANDS}

    Replace my-secret and your-secret with meaningful names for your secrets.

  2. Open the IBM Master Data Management Custom Resource for editing: 
    oc edit mdm -n ${PROJECT_CPD_INST_OPERANDS}
  3. In the mdm_message_broker section, add the secret names under the secrets array: 
    mdm_message_broker:
  enabled: true
  hl7:
    mllp:
      ssl:
        enabled: true
        secrets:
        - my-secret
        - your-secret
  4. Save and close the Custom Resource file.
    The message broker pod restarts automatically to apply the new certificate configuration.
  5. Verify that the IBM Master Data Management Custom Resource update is complete: 
    oc get mdm -n ${PROJECT_CPD_INST_OPERANDS}
    Wait until the STATUS column shows Completed and the PROGRESS column shows 100%.
  6. Verify that the message broker pod is running with the new configuration: 
    oc get po -n ${PROJECT_CPD_INST_OPERANDS} | grep message
    The output displays the message broker pod with a Running status.

Results

The message broker is configured to accept connections from clients with the specified certificates. External healthcare systems can now establish secure, authenticated connections to the message broker.

What to do next

If you have multiple client-side certificates to add to the message broker, you can use either of the following approaches:

  • Create separate secrets for each certificate and add all secret names to the secrets array in the IBM Master Data Management Custom Resource.
  • Combine all client-side certificates into a single .pem file and create one secret from the combined file.

For example, to combine certificates:

cat client1.crt client2.crt client3.crt > combined.pem
oc create secret generic combined-certs --from-file=combined.pem -n ${PROJECT_CPD_INST_OPERANDS}

Then reference the single secret in the IBM Master Data Management Custom Resource:

secrets:
- combined-certs