Unlike other filters in Rhapsody, the user interface for the HL7 Message Modifier filter uses a web interface, much in the same way as the Management Console. This web application is hosted by the Rhapsody engine, and is available over the same HTTP(S) ports as the Management Console. When you open the configuration dialog of an HL7 Message Modifier filter in Rhapsody IDE, Rhapsody IDE connects to the web application internally using a standard HTTP or an HTTPS connection, and then hosts the user interface using an embedded instance of Internet Explorer® or Microsoft® Edge.
Even when using an HTTP connection (in other words, an unencrypted connection), the password for any user accessing an HL7 Message Modifier filter is never sent over the wire (as is also the case when connecting to the Management Console). The connection, however, is obviously not encrypted or signed. This may not be an issue when connecting to a Rhapsody engine running on the same machine as the IDE or within a trusted network environment. For a secure encrypted connection, you may wish to use an HTTPS connection.
Rhapsody IDE can be configured to use an HTTP or HTTPS connection by selecting the same option as for the Management Console on the Rhapsody IDE toolbar:
Configuring the HTTPS Connection
In order to use the HL7 Message Modifier filter (and the Management Console) over an HTTPS connection, an SSL certificate needs to be available when Rhapsody is started. You can use a certificate purchased from a root certificate authority (CA), or alternatively generate a self-signed certificate (in most cases, you can use a self-signed certificate in internal network scenarios). The primary advantage of a certificate issued by a CA is that there is no need to install it on any client machine (in other words, the machine running Rhapsody IDE or a web browser) because the machine already trusts the CA. In contrast, a self-signed certificate needs to be explicitly installed on the client machine in order for it to be trusted.
In addition to being a trusted SSL certificate, the certificate must not have expired, and must include the hostname of the Rhapsody server, as all web browsers check this before allowing it to be used.
The first time a Rhapsody engine is started, it generates a self-signed certificate if HTTPS is enabled and no SSL certificate is available. This certificate can of course be replaced by the system administrator (refer to Using a User-defined Certificate for the HTTPS Mode for details), but is available to be used immediately if only a self-signed certificate is required. This certificate is generated with the following attributes:
- 2048-bit RSA key.
- SHA-512 hash algorithm.
- Includes all hostnames (except 'localhost') configured on the Rhapsody server.
- Constrained so that it cannot be used to sign any other certificates (in other words, if you trust this certificate on a client machine, you do not have to worry about it being used to generate many other certificates that you will automatically trust).
Installing an SSL Certificate on the Client Machine
As noted, the client machine running Rhapsody IDE (or the web browser) is required to trust the SSL certificate presented by the Rhapsody server. This can be achieved in the following ways:
- Purchasing an SSL certificate from a trusted root certificate authority. In this case there is no need to install the certificate at all as it will be automatically trusted by the Rhapsody IDE and web browsers (provided that it has not expired and the hostnames in the certificate match the hostname used to connect to it).
- Generating an SSL certificate using a site-specific root certificate authority, where the site-specific root certificate is already trusted by the client machine.
- Generating a self-signed SSL certificate for the Rhapsody server, and explicitly installing this certificate on the client machine to establish the trust relationship.
Rhapsody IDE provides a straightforward way to install this certificate on the client machine if the certificate is valid and the hostnames match. To install the certificate manually:
- Navigate to the secure Management Console at https://<enginename>:<port> (for example, https://rhapsody:8444).
- View the certificate (some browsers require you to allow it for this session first before showing it to you).
An option is then generally available to either install the certificate, or copy it to a file.
Internet Explorer does not appear to provide these options unless you first add the Rhapsody server to the list of trusted sites.
For Internet Explorer®, all certificates can be viewed and managed by performing the following steps:
- Start Internet Explorer®.
- Navigate to Tools>Internet options.
- Select the Content tab.
- Click the Certificates button about half-way down this tab.
- Select the Trusted Root Certificate Authorities tab in the new dialog.
- Certificates can now be added, removed, or exported using the buttons available on this page.
Untrusted SSL Certificate When Launching the HL7 Message Modifier Filter
If Rhapsody IDE detects an untrusted SSL certificate when launching the HL7 Message Modifier filter, it displays the following dialog:
The option to install the certificate is only available when the certificate is self-signed and constrained so that it cannot be used to sign other certificates. Installing the certificate places it into the trusted root certificate authorities for the current Windows® user if accepted as trusted by the user through a Windows® confirmation dialog. The View Certificate link allows you to inspect the certificate prior to installing it. You can manually install the certificate instead if you so desire.
For security reasons, the IDE does not allow the installation of certificates that are not self-signed, or that are not restricted to prevent them being used to sign other certificates. These can of course be installed manually (the root issuer's certificate) to establish the trust relationship.
Rhapsody IDE uses the same certificate store as a web browser running on that machine. Therefore, an untrusted certificate error implies that a web browser on the Rhapsody IDE machine connecting to the same engine's Management Console via HTTPS would run into the same problem. Installing the certificate here also establishes the trust relationship for the web browser connecting to the secure Management Console.
Alternatively, you have the option of reverting to using an HTTP instead of HTTPS connection, which does not require an installed SSL certificate.
Invalid SSL Certificate When Launching the HL7 Message Modifier
If Rhapsody IDE detects an invalid SSL certificate when launching the HL7 Message Modifier filter, it displays the following dialog:
The SSL certificate is considered invalid when it is expired (or not yet active), or if Rhapsody IDE is unable to use any of the hostnames contained in the certificate to connect to the Rhapsody engine.
If the certificate has expired then a new one must be generated and trusted by the client machine.
If the hostnames do not match, then either DNS issues should be resolved so that the client machine can use the hostnames in the certificate to connect to the Rhapsody server, or a new SSL certificate should be generated using additional DNS names for the server. Rhapsody IDE is able to generate SSL certificates from its certificate manager if required.
Unlike the case of an untrusted SSL certificate, there is no option available to install the certificate on the client machine. Since the issue lies with the validity of the certificate itself rather than the trust relationship, installing the certificate does not help resolve the problem.
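The following PowerShell is an added example, not Rhapsody's own code, that ties together the certificate attributes listed above for the engine's auto-generated certificate and the trust and validity rules described in the two preceding sections. It generates a self-signed certificate with those attributes (2048-bit RSA, SHA-512, all hostnames as subject alternative names, constrained so it cannot sign other certificates) and then evaluates it the way the IDE does: whether the client already trusts it, whether it is within its validity period, whether the hostname used to connect appears in it, and whether it is the kind of certificate (self-signed and CA=false) for which the IDE offers an install option. The hostnames, the two-year lifetime and the store locations are assumptions; the function names are illustrative.

```powershell
# Added example (not Rhapsody's own code). Requires the Windows PKI module
# (New-SelfSignedCertificate, Windows 8.1 / Server 2012 R2 or later).

function New-ExampleEngineCertificate {
    param(
        # Assumed hostnames of the Rhapsody server; 'localhost' is deliberately
        # left out, as the engine's own generated certificate does.
        [string[]]$DnsNames = @('rhapsody', 'rhapsody.example.internal')
    )
    # Attributes from the page: 2048-bit RSA, SHA-512, SANs for every hostname,
    # and a basic-constraints extension of CA=false so the certificate cannot
    # be used to sign other certificates. Lifetime is an assumption.
    New-SelfSignedCertificate `
        -DnsName $DnsNames `
        -KeyAlgorithm RSA -KeyLength 2048 `
        -HashAlgorithm SHA512 `
        -NotAfter (Get-Date).AddYears(2) `
        -TextExtension @('2.5.29.19={critical}{text}ca=false') `
        -CertStoreLocation 'Cert:\CurrentUser\My'
}

function Test-EngineCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)]
        [string]$HostName   # the name the IDE uses to reach the engine
    )
    $now = Get-Date
    # Invalid if expired or not yet active.
    $withinValidity = ($now -ge $Certificate.NotBefore) -and ($now -le $Certificate.NotAfter)

    # Invalid if the connecting hostname is not one of the certificate's DNS names.
    # DnsNameList is the SAN view PowerShell exposes on X509Certificate2 objects.
    $hostMatches = @($Certificate.DnsNameList |
        Where-Object { $_.Unicode -ieq $HostName }).Count -gt 0

    # The IDE's install option needs both: self-signed and constrained (CA=false).
    $selfSigned = ($Certificate.Subject -eq $Certificate.Issuer)
    $basicConstraints = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    $constrainedNoCa = ($null -ne $basicConstraints) -and (-not $basicConstraints.CertificateAuthority)

    # Building a chain against the local stores (the same stores a browser on
    # this machine uses) shows whether the client already trusts the certificate.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($Certificate)

    [pscustomobject]@{
        Subject               = $Certificate.Subject
        Trusted               = $trusted
        WithinValidity        = $withinValidity
        HostNameMatches       = $hostMatches
        SelfSigned            = $selfSigned
        ConstrainedNoCA       = $constrainedNoCa
        # Untrusted but otherwise valid, self-signed and CA=false: the IDE offers to install it.
        EligibleForIdeInstall = (-not $trusted) -and $selfSigned -and $constrainedNoCa -and
                                $withinValidity -and $hostMatches
        # Expired, not yet active, or wrong hostnames: installing it would not help.
        Invalid               = (-not $withinValidity) -or (-not $hostMatches)
    }
}

# Usage: generate the example certificate and evaluate it for the hostname 'rhapsody'.
$cert = New-ExampleEngineCertificate
Test-EngineCertificate -Certificate $cert -HostName 'rhapsody' | Format-List

# Manual trust for the current Windows user, the same store the IDE's install
# option targets (uncomment to run; the export path is an assumption):
# Export-Certificate -Cert $cert -FilePath "$env:TEMP\rhapsody.cer" | Out-Null
# Import-Certificate -FilePath "$env:TEMP\rhapsody.cer" -CertStoreLocation 'Cert:\CurrentUser\Root'
```

On a freshly generated certificate the result shows `Trusted` as false and `EligibleForIdeInstall` as true; calling the same function with a hostname that is not in the certificate (for example the server's IP address) flips `HostNameMatches` and `Invalid`, which is the situation the "Invalid SSL Certificate" dialog reports and the reason installing the certificate does not resolve it.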
Preventing HTTP Fallback
If you want to allow HTTPS connections only, then disable the HTTP connector on the Rhapsody engine so that all connections to the HL7 Message Modifier filter (and the Management Console) have to be made over HTTPS. Refer to Using a User-defined Certificate for the HTTPS Mode for details.
Alternatively, the option to connect using HTTP when an SSL error of some description occurs can be disabled on the client via a registry key by creating a DWORD registry value called AllowMessageModifierHttpFallback with a value of zero in one of the following locations:
- HKEY_CURRENT_USER\Software\Rhapsody\Rhapsody IDE 6\Settings (affects the current Windows user only).
- HKEY_LOCAL_MACHINE\Software\Rhapsody\Rhapsody IDE 6\Settings (32-bit only).
- HKEY_LOCAL_MACHINE\Software\Wow6432Node\Rhapsody\Rhapsody IDE 6\Settings (64-bit only).
If the value is present and set to zero in any of these locations, the Connect Using HTTP button is unavailable when an SSL error occurs.
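As an added example (not Rhapsody's own tooling), the following PowerShell function writes the AllowMessageModifierHttpFallback value described above into the location appropriate for the chosen scope and reads it back so the setting can be verified. It picks the Wow6432Node path on 64-bit Windows, as the page's list requires; the function name is illustrative.

```powershell
# Added example, not part of Rhapsody. Writes AllowMessageModifierHttpFallback=0
# (a DWORD) so the IDE's "Connect Using HTTP" button is unavailable on SSL errors,
# then returns the stored value for verification.
function Disable-MessageModifierHttpFallback {
    param(
        # CurrentUser affects only the current Windows user; LocalMachine affects all
        # users and needs an elevated (administrator) PowerShell session.
        [ValidateSet('CurrentUser', 'LocalMachine')]
        [string]$Scope = 'CurrentUser'
    )
    $subKey = 'Software\Rhapsody\Rhapsody IDE 6\Settings'

    if ($Scope -eq 'CurrentUser') {
        $path = "HKCU:\$subKey"
    } elseif ([Environment]::Is64BitOperatingSystem) {
        # On 64-bit Windows the documented location is under Wow6432Node. Writing
        # HKLM:\Software\Rhapsody from a 64-bit PowerShell would land in the 64-bit
        # view of the registry instead of the location listed for 64-bit systems.
        $path = 'HKLM:\Software\Wow6432Node\Rhapsody\Rhapsody IDE 6\Settings'
    } else {
        $path = "HKLM:\$subKey"
    }

    # Create the key path if the IDE has not created it yet.
    if (-not (Test-Path -Path $path)) {
        New-Item -Path $path -Force | Out-Null
    }

    # -Force overwrites an existing value (for example a previous non-zero setting).
    New-ItemProperty -Path $path -Name 'AllowMessageModifierHttpFallback' `
        -PropertyType DWord -Value 0 -Force | Out-Null

    # Return what is actually stored; the caller expects 0.
    (Get-ItemProperty -Path $path -Name 'AllowMessageModifierHttpFallback').AllowMessageModifierHttpFallback
}

# Usage: apply for the current user and confirm the stored value is 0.
$stored = Disable-MessageModifierHttpFallback -Scope CurrentUser
if ($stored -ne 0) { throw "AllowMessageModifierHttpFallback is $stored, expected 0" }
```

Because the IDE honours a zero value in any of the three locations, setting it under HKEY_LOCAL_MACHINE is the choice for a shared workstation where the restriction should apply to every user; the HKEY_CURRENT_USER value is enough for a single analyst's machine and does not require elevation.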