Security
Transport security
All HTTPS endpoints use TLS 1.2+. MLLP connections can be optionally wrapped in TLS — configure the keystore in application.yaml:
```yaml
server:
  ssl:
    key-store: classpath:jambridge.p12
    key-store-password: ${KEYSTORE_PASSWORD}
    key-store-type: PKCS12
```
For MLLP TLS, set mllp.tls.enabled: true in BridgeConfig.yaml and configure the same keystore.
Admin API authentication
The JamBridge admin API (:8443) uses SMART on FHIR Bearer tokens issued by the AJ Auth Server. Configure the JWKS endpoint:
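```yaml
spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          jwk-set-uri: http://authserver:9000/oauth2/jwks
```
The URI shown uses plain HTTP. If the path to the auth server is not a trusted network, use an https:// URI so the token-signing keys cannot be replaced in transit.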
Consent enforcement
Every FHIR write passes through the consent check in Stage 4. The consent decision includes:
- `patientRef` — FHIR Patient reference (golden record)
- `actorRef` — FHIR Organization reference (sending facility)
- `resourceType` — FHIR resource type being written
- `action` — `write` for all JamBridge writes
- `purpose` — `TREAT` for clinical care (configurable)
A "permitted": false response generates MSA|AE and stops the pipeline. No FHIR resource is written.
ATNA audit trail
Every transaction generates an IHE ATNA AuditEvent:
- Written asynchronously — never blocks the ACK path
- Dual transport: RFC 5425 TLS syslog + BALP FHIR AuditEvent to HAPI
- Non-repudiation: includes actor, patient, resource, action, outcome, timestamp
- Standards: IHE ATNA ITI-20, HIPAA §164.312, GDPR Art. 30
Fail-closed design
When consent.fail-closed: true:
| Condition | Behaviour |
|---|---|
| Consent DENIED | MSA\|AE, pipeline stopped, audit outcome=8 |
| Consent service timeout | MSA\|AE, pipeline stopped, audit outcome=8 |
| Consent service 5xx | MSA\|AE, pipeline stopped, audit outcome=8 |
| HAPI circuit OPEN | MSA\|AA, message queued for retry |
| MPI unavailable | MSA\|AE, pipeline stopped (patient unresolvable) |
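The consent rows of the table above, modelled as a fail-closed gate in Python. This is an added example, not JamBridge's own code: `consent_gate`, `GateResult`, `ConsentServiceError` and the sample request are hypothetical names, and treating a malformed decision as a denial is an assumption that goes beyond the table.

```python
from dataclasses import dataclass
from typing import Callable, Optional

AUDIT_SUCCESS = 0          # FHIR AuditEvent success code (not stated on the page)
AUDIT_SERIOUS_FAILURE = 8  # outcome the page lists for denied or failed checks


class ConsentServiceError(Exception):
    """Hypothetical: raised by the client on a 5xx from the consent service."""


@dataclass(frozen=True)
class GateResult:
    ack_code: Optional[str]  # "AE" when the gate stops the pipeline, else None
    write_allowed: bool      # False means no FHIR resource is written
    audit_outcome: int
    reason: str


def consent_gate(request: dict, check: Callable[[dict], dict]) -> GateResult:
    """Only an explicit permitted=True lets the write continue."""
    try:
        decision = check(request)
    except TimeoutError:
        return GateResult("AE", False, AUDIT_SERIOUS_FAILURE, "consent-timeout")
    except ConsentServiceError:
        return GateResult("AE", False, AUDIT_SERIOUS_FAILURE, "consent-5xx")
    # Strict identity check: a missing key, None, or the string "true" must
    # not pass, so a truthiness test is not enough (assumption: malformed
    # decisions are handled like a denial).
    if isinstance(decision, dict) and decision.get("permitted") is True:
        return GateResult(None, True, AUDIT_SUCCESS, "permitted")
    return GateResult("AE", False, AUDIT_SERIOUS_FAILURE, "denied")


# Constructed sample request using the decision fields listed on the page.
SAMPLE_REQUEST = {
    "patientRef": "Patient/example-golden-1",
    "actorRef": "Organization/example-facility",
    "resourceType": "Observation",
    "action": "write",
    "purpose": "TREAT",
}
```

The gate returns no ACK code on a permit because later stages (HAPI, MPI) still decide the final MSA segment.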