Security
For security we, and the entire internet, rely heavily on SSL/TLS. More information on SSL/TLS can be found on Wikipedia.
Our minimum required TLS version is 1.2. You must also make sure your framework of choice sends the SNI extension in its TLS handshake.
CSR requirements
Any CSR you submit to us for signing needs to fulfill the following requirements:
- Your key length is at least 2048 bits.
- CN, OU, O, L, ST, C and email-address are filled.
- Your CN matches {name_connector}-{customer_code}-{identifier}:
  - {name_connector}: name of your connector; lowercase; cannot contain - but can contain _.
  - {customer_code}: provided by the customer, use TE1002 for CSRs for development.
  - {identifier}: free text, like: staging, production, id2431; cannot contain - but can contain _.
  - Valid examples: connector_name-TE1002-free_text or connector_name-DF0000-production.
Generating a CSR
At Nedap Healthcare we exclusively use OpenSSL, and we suggest you do the same. Using OpenSSL you can generate a CSR with the following command:
openssl req -out my_connector-TE1002-example.csr -new -newkey rsa:2048 -nodes -keyout my_connector-TE1002-example.key
Now, OpenSSL will ask you for some more information. Then, it will generate my_connector-TE1002-example.csr and my_connector-TE1002-example.key. It is essential that you keep the .key file private; never send this to us or anyone else. The .csr should be uploaded through Topdesk for us to sign. We will send you a .pem file. You should use this certificate to sign any calls made to our APIs.
Testing your certificate
Send a GET request to the /ping endpoint on our API, and make sure you use the URL matching the environment your certificate was made for. You can find the URLs for our different environments here.
For example, when testing your development certificate:
GET https://api-development.ons.io/ping
If your requests are being signed with the appropriate certificate, the service will respond with a 200 status code and pong body. If you are not correctly signing your requests, the service will respond with a 403 status code.
Valid ciphers
Any of these ciphers can be used to make successful calls to the Nedap Healthcare endpoints:
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-ECDSA-CHACHA20-POLY1305
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-RSA-CHACHA20-POLY1305
- DHE-RSA-AES256-GCM-SHA384
- DHE-RSA-AES128-GCM-SHA256
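As an added example (not Nedap Healthcare's own code), a Python client that applies the requirements on this page: TLS 1.2 as the minimum version, SNI, the cipher list above, and the /ping check. It assumes that signing a call means presenting the certificate as a TLS client certificate; the .pem file name and the helper names build_context, tls12_cipher_names, interpret_ping and ping are hypothetical.

```python
import http.client
import ssl

# Cipher names copied from the "Valid ciphers" list on this page.
ALLOWED_CIPHERS = [
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-CHACHA20-POLY1305",
    "DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES128-GCM-SHA256",
]

def build_context(cert_file=None, key_file=None, ca_file=None):
    """Client context: server verification on, TLS 1.2 minimum, listed ciphers."""
    # The default context verifies the server chain and checks the host name.
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # set_ciphers() restricts TLS 1.2 suites; TLS 1.3 suites are managed separately.
    ctx.set_ciphers(":".join(ALLOWED_CIPHERS))
    if cert_file:  # signed certificate (.pem) plus the private key that never left you
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx

def tls12_cipher_names(ctx):
    """Names of the enabled suites, leaving out the TLS 1.3 ones (TLS_ prefix)."""
    return {c["name"] for c in ctx.get_ciphers() if not c["name"].startswith("TLS_")}

def interpret_ping(status, body):
    """Map the /ping response to the outcomes described on this page."""
    if status == 200 and body.strip() == b"pong":
        return "certificate accepted"
    if status == 403:
        return "certificate rejected or not presented"
    return f"unexpected response: {status}"

def ping(host, ctx, timeout=10):
    # http.client passes the host name as server_hostname, so SNI is sent.
    conn = http.client.HTTPSConnection(host, context=ctx, timeout=timeout)
    try:
        conn.request("GET", "/ping")
        resp = conn.getresponse()
        return interpret_ping(resp.status, resp.read())
    finally:
        conn.close()

if __name__ == "__main__":
    # Assumed file names: the .pem you received and the .key generated with the CSR.
    ctx = build_context("my_connector-TE1002-example.pem",
                        "my_connector-TE1002-example.key")
    print(ping("api-development.ons.io", ctx))
```

If your platform's trust store cannot verify the server, pass the downloaded CA chain as ca_file instead of turning verification off.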
CA Chain
If your programming language or platform of choice needs the entire CA chain, you can get it here: CA chain