Guidance for the use of TLS with Cerner Ignite

Introduction

All HL7 FHIR and HL7 SMART endpoints offered by Cerner utilize the Secure HyperText Transfer Protocol (“https”) to ensure the confidentiality and integrity of data transmissions. Cerner strongly RECOMMENDS that application developers also utilize https for protecting their own application endpoints.

The https protocol relies upon public key infrastructure (“PKI”) as the means by which client applications verify the authenticity of each remote service endpoint. This document provides Cerner’s guidance to developers on how to utilize https and PKI in conjunction with Cerner’s services so as to guarantee interoperability of https connections.

Establishing TLS Connections to Cerner

The following requirements and recommendations apply to any software connecting to Cerner’s implementation of HL7® FHIR® or HL7® SMART®.

Supported versions of HTTP

Cerner currently supports the HTTP 1.1 protocol. Connectivity to certain endpoints using newer HTTP versions MAY be technically possible, but is not guaranteed to be available in all service deployments.

TLS Versions and Cipher Suites

Cerner subscribes to all Best Current Practice (“BCP”) documents for TLS published by the IETF, which currently include:

As of this writing, these best current practices dictate the use of TLS versions 1.2 and 1.3, along with a recommended minimum set of cipher suites. Cerner RECOMMENDS developers either:

Certificate Chain Validation Process

Developers writing software that interoperates with Cerner’s HL7® FHIR® and HL7® SMART® components should utilize https implementations that follow RFC 6125 when validating the server identity presented in the certificate (in particular, matching the requested hostname against the certificate’s subjectAltName entries).

Trusted Certificate Authorities

Cerner relies on public PKI systems (specifically, certificate authorities participating in the CA/Browser Forum) as the means by which it identifies its services to customers and third-party applications. Multiple vendors of operating systems, browsers, and other layered software components publish their own vetted lists of certificate authorities that participate in the CA/Browser Forum.

Cerner REQUIRES developers to choose one or more vetted sources of certificate authorities that participate in CA/Browser Forum to trust within their application, as Cerner does not guarantee it will source certificates from any one specific certificate authority.
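The three client-side requirements above (TLS 1.2 or newer, RFC 6125 identity matching, and chain validation against a vetted CA list) can be checked in one place. The following is an added example written for this page, not Cerner’s code; the subjectAltName values are constructed samples and the CA bundle path is whatever the platform or caller supplies.

```python
import ssl

# Added example (not Cerner's code). Implements the RFC 6125 dNSName matching
# rules over a constructed subjectAltName list, and builds a client
# ssl.SSLContext that enforces TLS 1.2+ with chain and hostname verification.

def dns_name_matches(reference: str, presented: str) -> bool:
    """RFC 6125 §6.4.3: labels are compared case-insensitively; a lone '*'
    may stand in for the whole leftmost label only and matches exactly one
    label. Partial wildcards (f*.example.com) are rejected, and so is a
    wildcard directly under a top-level label (*.com), an extra restriction
    that mirrors what browsers enforce."""
    ref = reference.lower().rstrip(".").split(".")
    pres = presented.lower().rstrip(".").split(".")
    if len(ref) != len(pres) or len(pres) < 2:
        return False
    if pres[0] == "*":
        return len(pres) >= 3 and ref[1:] == pres[1:]
    return ref == pres

def hostname_is_valid(hostname: str, san_dns_names: list) -> bool:
    """Accept the host only if some dNSName SAN entry matches. RFC 6125
    ignores the subject Common Name when subjectAltName is present, so the
    CN is deliberately not consulted here."""
    return any(dns_name_matches(hostname, name) for name in san_dns_names)

def client_context(cafile=None) -> ssl.SSLContext:
    """Client context matching the guidance above: TLS 1.2 or newer, the
    chain validated against a vetted CA store (platform default or the
    bundle passed as cafile), and hostname checking switched on."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx

# Constructed sample SAN list; ".invalid" is reserved and never resolves.
SAMPLE_SAN = ["fhir.example.invalid", "*.api.example.invalid"]

if __name__ == "__main__":
    for host in ("fhir.example.invalid", "eu.api.example.invalid",
                 "a.b.api.example.invalid", "api.example.invalid"):
        print(host, "->", hostname_is_valid(host, SAMPLE_SAN))
    print("min TLS:", client_context().minimum_version.name)
```

Pass the context to `http.client.HTTPSConnection(host, context=client_context())` or `urllib.request` to get the same checks on a real connection; a certificate whose SANs do not match the requested host is then rejected before any FHIR request is sent.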

Cerner RECOMMENDS the use of any of the following programs that provide vetted certificate authority lists:

Developer-Operated TLS Endpoints

Most applications integrating with Cerner’s implementations of HL7® FHIR® and HL7® SMART® will have endpoints that receive communication from browsers or Cerner software. Examples include, but are not limited to:

Supported versions of HTTPS

Cerner REQUIRES that developers’ endpoints support the HTTP 1.1 protocol over https.

TLS Versions and Cipher Suites

Cerner RECOMMENDS developers utilize an evergreen (continuously updated) TLS implementation to protect https endpoints. Developers MUST use an implementation that supports current IETF best practices for TLS in order to guarantee interoperability with browsers and Cerner infrastructure. Cerner RECOMMENDS developers utilize public testing tools, such as Qualys SSL Labs, to verify proper functioning of their https implementation.

Trusted Certificate Authorities

To guarantee interoperability with customer deployments and Cerner infrastructure, Cerner RECOMMENDS developers utilize certificates from public certificate authorities that participate in the CA/Browser Forum and that have been generally accepted into root certificate programs of the major browser vendors (Google, Apple, Microsoft, Mozilla).