
Security

For security we, and the entire internet, rely heavily on SSL/TLS. More information on SSL/TLS can be found on Wikipedia.

Our minimum required TLS version is 1.2. You must also make sure your framework of choice sends the SNI extension in its TLS handshake.

CSR requirements

Any CSR you submit to us for signing needs to fulfill the following requirements:

  • Your key length is at least 2048 bits.
  • CN, OU, O, L, ST, C and email-address are filled.
  • Your CN matches {name_connector}-{customer_code}-{identifier}:
    • {name_connector}:
      name of your connector; lowercase; cannot contain - but can contain _.
    • {customer_code}:
      provided by the customer; use TE1002 for CSRs for development.
    • {identifier}:
      free text, like: staging, production, id2431; cannot contain - but can contain _.
    • Valid examples:
      connector_name-TE1002-free_text or connector_name-DF0000-production.

Generating a CSR

At Nedap Healthcare we exclusively use OpenSSL, and we suggest you do the same. Using OpenSSL you can generate a CSR with the following command:

openssl req -out my_connector-TE1002-example.csr -new -newkey rsa:2048 -nodes -keyout my_connector-TE1002-example.key

OpenSSL will now ask you for some more information. It will then generate my_connector-TE1002-example.csr and my_connector-TE1002-example.key. It is essential that you keep the .key file private; never send it to us or anyone else. The .csr should be uploaded through Topdesk for us to sign. We will send you a .pem file. You should use this certificate to sign any calls made to our APIs.
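A pre-flight check for the CSR requirements listed above, to run before uploading the .csr. This is an added example, not Nedap tooling; the function names and the exact character sets accepted in each CN part are assumptions, since the page gives rules and examples rather than a grammar.

```sh
#!/bin/sh
# Added example: check a CSR against the requirements on this page.
# Usage: . ./check_csr.sh && check_csr my_connector-TE1002-example.csr

# CN must be {name_connector}-{customer_code}-{identifier}.
# Assumed character sets:
#   name_connector: lowercase letters, digits, underscore
#   customer_code : letters and digits, as in TE1002 / DF0000
#   identifier    : anything except '-'
valid_cn() {
    printf '%s\n' "$1" | LC_ALL=C grep -Eq '^[a-z0-9_]+-[A-Za-z0-9]+-[^-]+$'
}

# check_csr FILE: returns 0 when key length, subject fields and CN all pass,
# 1 when a requirement fails, 2 when OpenSSL cannot parse the file.
check_csr() {
    csr=$1
    rc=0
    # -nameopt multiline prints one "longName = value" line per subject field.
    text=$(openssl req -in "$csr" -noout -text -subject -nameopt multiline 2>/dev/null) || {
        echo "cannot parse $csr" >&2
        return 2
    }
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    if [ "${bits:-0}" -lt 2048 ]; then
        echo "key is ${bits:-unknown} bit, need at least 2048" >&2
        rc=1
    fi
    # CN, OU, O, L, ST, C and email address must all be present.
    for field in commonName organizationalUnitName organizationName \
        localityName stateOrProvinceName countryName emailAddress; do
        if ! printf '%s\n' "$text" | grep -Eq "^ *$field *= *[^ ]"; then
            echo "subject field $field is missing" >&2
            rc=1
        fi
    done
    cn=$(printf '%s\n' "$text" | sed -n 's/^ *commonName *= *//p' | head -n 1)
    if ! valid_cn "$cn"; then
        echo "CN '$cn' does not match the naming rule" >&2
        rc=1
    fi
    return "$rc"
}
```

Every failed requirement is reported on stderr, so one run shows everything that needs fixing before the CSR is regenerated.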

Testing your certificate

Send a GET request to the /ping endpoint on our API. Make sure you use the URL matching the environment your certificate was made for. You can find the URLs for our different environments here.

For example, when testing your development certificate:

GET https://api-development.ons.io/ping

If your requests are being signed with the appropriate certificate, the service will respond with a 200 status code and pong body. If you are not correctly signing your requests, the service will respond with a 403 status code.

Valid ciphers

Any of these ciphers can be used to make successful calls to the Nedap Healthcare endpoints:

  • ‘ECDHE-ECDSA-AES256-GCM-SHA384’
  • ‘ECDHE-ECDSA-AES128-GCM-SHA256’
  • ‘ECDHE-ECDSA-CHACHA20-POLY1305’
  • ‘ECDHE-RSA-AES256-GCM-SHA384’
  • ‘ECDHE-RSA-AES128-GCM-SHA256’
  • ‘ECDHE-RSA-CHACHA20-POLY1305’
  • ‘DHE-RSA-AES256-GCM-SHA384’
  • ‘DHE-RSA-AES128-GCM-SHA256’

CA Chain

If your programming language or platform of choice needs the entire CA chain, you can get it here: CA chain