Running BCFIPS in SpringBoot 3.2
Healthcare Standards
by Keith W. Boone
1M ago
I'm rewriting wrappers for a Spring Boot 1.5 application using Spring Boot 3.2 to help me eliminate some older dependencies I cannot even get patches for anymore.  So now I have to make my new Spring Boot application work with the latest Bouncy Castle FIPS code. I've previously mentioned the NIST Certified Bouncy Castle FIPS TLS libraries in other posts.  SOAP is tremendously complicated to configure and manage.  REST is so much easier, and when you don't need all of the power of a SOAP stack, you can certainly send SOAP messages in XML quite readily using a normal REST transp ..read more
Visit website
More fun with SNI and TLS with Akamai edge servers and Bouncy Castle internal_error(80)
Healthcare Standards
by Keith W. Boone
1M ago
Recently, endpoints that one of the systems I maintain frequently connects to underwent a change in how they hosted their servers.  They were moved into an Akamai edge server framework, which requires use of the Server Name Indicator (SNI) extension in TLS communications.  This isn't routinely enabled in a straight Java JSSE client connection, especially when using Bouncy Castle FIPS.  As I previously stated, you have to configure it in your code. My guess is that when a request is made without the SNI TLS extension, the Akamai edge environment reports a TLS error.  Sa ..read more
Visit website
The nastiest code I ever wrote
Healthcare Standards
by Keith W. Boone
2M ago
Creating a mock that injects random errors into the expected responses is necessary to ensure that your server resiliency features work as intended. Doing so can be very challenging, especially if your mock has to simulate complex behavior.  FWIW, I call it a mock, because it is, but the endpoint is a test endpoint used by a production environment to verify that the server is operating correctly. What appears below all-out wins the award for the nastiest, most evil code I've ever written that appears in a production system. resp = ReflectionUtils.unwrapResponse(resp); if (resp instanceo ..read more
Visit website
TLS 1.2, Server Name Indication (SNI) and SOAP via CXF
Healthcare Standards
by Keith W. Boone
11M ago
It seems that I am destined to become a deep expert in the vagaries of TLS these days.  My most recent challenge was in figuring out why Server Name Indication (SNI) extensions weren't simply working in my BC-FIPS implementation that I talked about in the last few posts. Background on SNI For a brief moment, let's talk a little about SNI.  TLS is a lower layer session protocol on top of TCP that encrypts communication.  HTTP and HTTPS are higher layer (Application) protocols on top of TLS.  When you connect to an IP address over TCP, then initiate a TLS connection, the appl ..read more
Visit website
Debugging TLS Protocol Failures in BC-FIPS and Spring Applications
Healthcare Standards
by Keith W. Boone
1y ago
Debugging TLS protocol failures can be a nightmare.  With JSSE, you can use the old standby java JVM option:      -Djavax.net.debug=ssl,handshake, data,trustmanager,help   to get detailed reporting of what is happening.  Usually that provides more than enough (in fact too much) information to debug the protocol problem, but when using BCFIPS, guess what, it doesn't work anymore.  Why? Well, while these command line arguments make debugging easier, they also transmit decrypted information to the console, which is a huge leak of encrypted information. So, what ..read more
Visit website
Dynamically Reloading TLS Trust and Identity Material
Healthcare Standards
by Keith W. Boone
1y ago
Wouldn't it be nice if you didn't have to restart your server to dynamically update keys, certificates or trust stores?  I've spend a good bit of time on this across both client and server implementations and so I have a few pointers.  If you've read the last two posts, you know I've been working through requirements and implementation.  Now I'm going to add this auto-renewal of trust and key material to that effort. Most folks will just need to deal with setting up trust and key managers for their web application.  That's fairly straightforward.  The challenge that I ..read more
Visit website
Addressing technical challenges with BC-FIPS
Healthcare Standards
by Keith W. Boone
1y ago
Last week I talked about the requirements for implementing TLS and a certified encryption module (specifically Bouncy Castle FIPS or BC-FIPS).  Today I'm going to tell you a bit more about technically how one my go about this, and the specific technical challenges that you may run into. First of all, BC-FIPS provides some installation instructions that a) no longer work with JDK-11, and b) also don't play well with Spring Boot uber-jar class loading using standard Classpath override mechanisms.  I never found root cause for this problem, all I wound up doing was simply dynamically ..read more
Visit website
TLS, FIPS and the Bouncy Castle Certified Encryption Module
Healthcare Standards
by Keith W. Boone
1y ago
Image Courtesy of Wikipedia History Becoming educated in a topic seems to offer opportunities to become yet further educated, or in other words, once you've demonstrated expertise in a particular technology, more problems related to it will come your way.  So be careful what you work on. Many years ago, I had to work out how to implement the IHE ATNA profile.  I spent quite a bit of time on this project and became rather expert at diagnosing TLS problems, and configuring Tomcat to support the IHE Audit Trail and Node Authentication Profile (ATNA).  So much so that I fir ..read more
Visit website
My HTI1 comments to @ONC_HealthIT
Healthcare Standards
by Keith W. Boone
1y ago
This is what I just submitted for HTI-1 comments.  It's a text file, not a PDF or Word document with a lovely cover letter.  ONC doesn't need all that.  It's generally ordered in the same way as their comment template, but I chose NOT to comment on a bunch of things, and I didn't label it.  Frankly, that all goes back to my first comment: This rule is so extensive, and covers so much new detail that the current deadline for submission of comments is simply too short to process the material adequately. There's a ton of small issues with spelling and grammar.  It's ..read more
Visit website
HTI1 Robin's Eggs
Healthcare Standards
by Keith W. Boone
1y ago
For those who've been reading this blog for a decade or more, you probably know what a Robin's Egg is.  For those who don't, click the preceding link. And while Robin is no longer with us, these eggs live on in her memory.  For those who want their Robin's eggs for HTI-1, you can find them here. There are two files you can grab:  An edited version of ONC's 508 Compliant Word document containing the text of the rule.  Most of the reformatting is simply adding headings to the damn thing so that it has a navigable table of contents. A spreadsheet containing all 36 tables fr ..read more
Visit website

Follow Healthcare Standards on FeedSpot

Continue with Google
Continue with Apple
OR