The CAREWare HTTP Server generates the website for CAREWare and facilitates communication between the user’s browser and the CAREWare Business Tier. The CAREWare HTTP Server installs as a Windows Service. By default it listens and responds to unencrypted HTTP requests on port 8080. If you plan on opening up CAREWare to the internet, it is a HIPAA requirement to configure the HTTP server to use a TLS certificate for encryption or have users connect securely to the internal network using a remote connection or VPN option. If a TLS certificate is used for CAREWare, that certificate needs to be an X.509 Apache style certificate obtained from an official Certificate Authority (CA). There are many CAs who offer different levels of services with varying costs. Support for choosing a CA that fits the organization’s needs is outside the scope of this document.
The rest of this document outlines each step that should be taken for installing and configuring the CAREWare HTTP server.
Follow the instructions here to install CAREWare. Once installed, the CAREWare HTTP Server can be configured to complete the connection.
It is important to test the local connection prior to making any adjustments. This verifies CAREWare is connecting using the default settings, which can eliminate many other possible reasons a connection fails with customized settings.
To test the local connection, enter http://localhost:8080/careware/rs/index.htm in any browser other than Internet Explorer, as IE is no longer supported by Microsoft. The CAREWare login screen should appear.
If there are errors, check the HTTP Server log file located at C:\Program Files\CAREWare HTTP Server\cwhttp\logs by default. Also check the Business Tier log file located at C:\Program Files\CAREWare Business Tier by default. If assistance is needed in figuring out the problem, contact the CAREWare Help Desk by following the instructions here.
TLS Setup Steps Overview
If CAREWare is to be set up as an internet facing application, HIPAA requires HTTP applications that communicate across the internet to encrypt their communications with TLS 1.2 or newer. The TLS protocol uses X.509 Apache style certificates.
Get your X.509 certificate
X.509 certificates come in a few different forms, and there are various tools provided by different companies and organizations that can convert these certificates to different file formats. The CAREWare HTTP Server uses Apache style certificate files where the certificate is in one file and the private key is in another, typically with .crt and .key extensions. If your certificate and private key are already in the Windows Certificate Store, you can export the certificate and the private key, which will give you the two files you need. If the certificate is exported as a PFX file, the certificate and key can be exported using OpenSSL by following the instructions here.
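The following PowerShell sketch is an added example, not part of the CAREWare documentation or the linked instructions. It splits a PFX into the .crt and .key files described above, confirms the two files belong together, and restricts access to the private key. The paths under C:\certs are hypothetical, openssl.exe is assumed to be on the PATH, and the key ACL assumes the service runs as LocalSystem.

```powershell
# Added example: file names and folder are assumptions, substitute your own.
$pfx = 'C:\certs\careware.pfx'   # hypothetical PFX exported from the Windows Certificate Store
$crt = 'C:\certs\careware.crt'   # certificate file to select in HttpSettingsTool
$key = 'C:\certs\careware.key'   # private key file to select in HttpSettingsTool

# openssl prompts for the PFX password, so it never appears on the command line
# or in the PowerShell history.

# Certificate only, no private key.
& openssl pkcs12 -in $pfx -clcerts -nokeys -out $crt
if ($LASTEXITCODE -ne 0) { throw 'Certificate export failed' }

# Private key only. -nodes writes it without a passphrase; this assumes the
# service cannot prompt for one, so the file itself must be protected (see below).
& openssl pkcs12 -in $pfx -nocerts -nodes -out $key
if ($LASTEXITCODE -ne 0) { throw 'Private key export failed' }

# The pair is valid only if the public key inside the certificate equals the
# public key derived from the private key.
$fromCert = (& openssl x509 -in $crt -noout -pubkey) -join "`n"
$fromKey  = (& openssl pkey -in $key -pubout) -join "`n"
if (-not $fromCert -or $fromCert -ne $fromKey) {
    throw 'Certificate and private key do not match'
}

# Show who the certificate was issued to, by whom, and its validity window.
& openssl x509 -in $crt -noout -subject -issuer -dates

# Remove inherited permissions from the key file and allow only LocalSystem
# (read) and the local Administrators group (full). Well-known SIDs are used so
# the command also works on non-English Windows. Assumption: the CAREWare HTTP
# Server service runs as LocalSystem; grant its account instead if it does not.
& icacls $key /inheritance:r /grant:r '*S-1-5-18:(R)' '*S-1-5-32-544:(F)'
```

Delete or securely archive the PFX after the export, since it contains the same private key.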
Configure your DNS, Router, and Server
X.509/TLS Certificates are linked to a domain name under the organization’s control. That domain name needs to be registered in the public DNS system so that it forwards TCP traffic to the router. The default port for HTTPS/TLS is 443. The router needs to be configured to forward incoming traffic for port 443 from the IP linked to the URL to the used by the CAREWare HTTP server. The Windows Firewall on the CAREWare HTTP Server needs to be configured to allow incoming traffic on port 443 as well.
Configure the CAREWare HTTP Server to use TLS
The CAREWare HTTP Server comes with HttpSettingsTool.exe for configuring options for the website. The HttpSettingsTool configures the CAREWare HTTP Server by making changes to the res_admin_settings.txt file located at C:\Program Files\CAREWare HTTP Server\cwhttp\res_admin by default. When the CAREWare HTTP Server is started, it retrieves its configuration information from res_admin_settings.txt.
To configure the CAREWare HTTP Server to use a TLS certificate, follow these instructions:
- Go to the CAREWare HTTP Server utility located at C:\Program Files\CAREWare HTTP Server by default.
- Right click HttpSettingsTool.exe.
- Click Run as Administrator.
- For Security Choice, select Encrypt HTTP Traffic using TLS with x509 certificate.
- Either leave Port blank or enter: 443. If Port is blank, then 443 is used by default.
- For Security type and location select Apache style crt and key file located in file system.
- For Certificate File Path and Name click the ellipses and navigate to the certificate file.
- For Key File Path and Name click the ellipses and navigate to the private key file.
- Leave Business Tier URL set to http://localhost:8000/getDocument.
- Uncheck Write debug info to log file.
- Click Save and Restart the HTTP Service.
Check today’s log file in the directory located at C:\Program Files\CAREWare HTTP Server\cwhttp\logs by default. Make sure there is a log entry that reads HTTP: communication with browsers are encrypted with TLS 1.2.
Test the URL
Open up a browser and enter https://yourURL/careware/rs/index.htm and make sure the browser reports the connection as secure.
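The two checks above (the log entry and the secure connection) can also be scripted. This PowerShell sketch is an added example, not part of the CAREWare documentation; the host name is a placeholder, and picking the most recently written file as "today's log" is an assumption about how the log files are named.

```powershell
# Added example: $HostName is a placeholder, use the DNS name on your certificate.
$HostName = 'careware.example.org'
$LogDir   = 'C:\Program Files\CAREWare HTTP Server\cwhttp\logs'   # default path from this page

# 1. The newest log file should contain the TLS start-up entry.
$log = Get-ChildItem -Path $LogDir -File |
       Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $log) { throw "No log files found in $LogDir" }
$hit = Select-String -Path $log.FullName -SimpleMatch 'encrypted with TLS' |
       Select-Object -Last 1
if ($hit) { "LOG OK    $($hit.Line.Trim())" }
else      { "LOG FAIL  no TLS entry in $($log.Name)" }

# 2. Perform a real TLS handshake on port 443. AuthenticateAsClient validates
#    the certificate chain and the host name, and throws if either check fails,
#    which is the same condition that makes a browser report "not secure".
$tcp = [System.Net.Sockets.TcpClient]::new()
$ssl = $null
try {
    $tcp.Connect($HostName, 443)
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($HostName)

    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    "TLS OK    protocol=$($ssl.SslProtocol) subject=$($cert.Subject)"
    "CERT      issuer=$($cert.Issuer) expires=$($cert.NotAfter.ToString('yyyy-MM-dd')) ($daysLeft days)"

    # The requirement stated on this page is TLS 1.2 or newer.
    if ("$($ssl.SslProtocol)" -notin 'Tls12', 'Tls13') {
        "TLS FAIL  negotiated $($ssl.SslProtocol), expected TLS 1.2 or newer"
    }
}
catch {
    "TLS FAIL  $($_.Exception.Message)"
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Close()
}
```

Run it from a machine outside the network as well as on the server, so the DNS entry, router forwarding and Windows Firewall rule are exercised along with the certificate.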