PMP Gateway - HTTPS/TLS upcoming changes

Last updated: 2025-03-12

Abstract

On March 12, 2025, Bamboo Health performed two changes to the PMP Gateway system: we exited Entrust as our CA provider, and we moved the IP addresses for the PMP Gateway domains to different infrastructure. Note: this change did not impact client certificates issued by Bamboo Health. This document provides information for customers and guidance on how to test their systems against the change.

Latest status

This change was fully implemented on March 12, 2025 and is considered complete. This document will no longer be updated.

Change plan

January 14, 2025
Initial publication of this document.
January 21, 2025
Initial customer notifications sent.
February 19, 2025
Customer testing URL provided.
February 24, 2025 @ 12:00pm Eastern
First scheduled Office Hours call.

Review the meeting recording.
March 3, 2025 @ 3:00pm Eastern
Second scheduled Office Hours call.

Review the meeting recording.
March 4, 2025
Pre-production change COMPLETE.
March 12, 2025
Production change COMPLETE.

Customer recommendations

This section is historical and will not receive further updates.

Testing your environment

We have published a customer testing URL. We recommend customers use this testing URL to validate their configuration. If your system can reach this URL and completes the TLS handshake without a certificate error, your system is properly configured and ready for the upcoming changes. A failure at the TLS layer usually indicates a trust store or pinning problem; a failure to connect at all usually indicates a DNS or IP allowlisting problem.

MTLS Testing Expected Behavior

By default, for the v5.1 Report Request API, we will remove the secure, mutualauth, or mtls subdomains from the Report Link URL in the response XML. If you perform any host validation and expect the Report Link host name to match one of the Report Request host names, you should add these base hosts to the list of valid Gateway hosts:

Pre-production examples

MTLS Report Request URL
https://mtls.prep.pmpgateway.net/v5/report or https://mtls.prep.pmpgateway.net/v5_1/report
Secure Report Request URL (after go-live)
https://secure.prep.pmpgateway.net/v5/report or https://secure.prep.pmpgateway.net/v5_1/report
Expected Report Link URL
https://prep.pmpgateway.net/v5/report_link/(link_uuid) or https://prep.pmpgateway.net/v5_1/report_link/(link_uuid)

Production examples

MTLS Report Request URL
https://mtls.pmpgateway.net/v5/report or https://mtls.pmpgateway.net/v5_1/report
MutualAuth Report Request URL (after go-live)
https://mutualauth.pmpgateway.net/v5/report or https://mutualauth.pmpgateway.net/v5_1/report
Expected Report Link URL
https://pmpgateway.net/v5/report_link/(link_uuid) or https://pmpgateway.net/v5_1/report_link/(link_uuid)

If you are unable to add the appropriate base domains to your list of valid Gateway hosts, please contact support at https://pmpgateway.zendesk.com/hc/en-us to request that we return the same host for the Report Link URL that is used for the Report Request. Be aware that this change may result in your users receiving a popup requesting that they select a client certificate to send on the request to view the patient report. This is expected behavior. You can safely close this popup to display the report. Depending on the browser you use, this popup could be displayed on every request.
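To make the host-validation rule above concrete, here is an added Python example. It is not code from Bamboo Health or the PMP Gateway; it derives the base host that a Report Link will use from a Report Request host, builds the allowlist of valid Gateway hosts, and validates a Report Link URL by exact host match rather than suffix match (so a look-alike host such as pmpgateway.net.example.com cannot pass). The function names and the link identifier in the demo are assumptions for illustration; the host names and paths are the ones listed above.

```python
from urllib.parse import urlsplit

# Subdomain labels that the v5.1 Report Request API strips from the Report
# Link host by default (per the notice above).
MUTUAL_AUTH_LABELS = ("mtls", "mutualauth", "secure")

# Report Link paths documented above; anything else is rejected.
REPORT_LINK_PATH_PREFIXES = ("/v5/report_link/", "/v5_1/report_link/")


def base_host(request_host: str) -> str:
    """Host a Report Link will use for a given Report Request host.

    mtls.prep.pmpgateway.net  -> prep.pmpgateway.net
    mutualauth.pmpgateway.net -> pmpgateway.net
    prep.pmpgateway.net       -> prep.pmpgateway.net (already a base host)
    """
    host = request_host.lower().rstrip(".")
    labels = host.split(".")
    if labels[0] in MUTUAL_AUTH_LABELS and len(labels) > 2:
        return ".".join(labels[1:])
    return host


def valid_gateway_hosts(request_hosts) -> frozenset:
    """Allowlist for Report Link hosts: every Report Request host you call,
    plus the base host each one maps to."""
    hosts = set()
    for request_host in request_hosts:
        request_host = request_host.lower().rstrip(".")
        hosts.add(request_host)
        hosts.add(base_host(request_host))
    return frozenset(hosts)


def is_valid_report_link(url: str, allowed_hosts) -> bool:
    """Exact-match host validation for a Report Link URL from the response XML.

    The host must equal an entry in allowed_hosts (no suffix matching, so
    'pmpgateway.net.example.com' or 'evilpmpgateway.net' cannot pass), the
    scheme must be https, and the URL must carry no userinfo or explicit
    port and must use one of the documented report_link paths.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    try:
        if parts.port is not None:
            return False
    except ValueError:  # non-numeric port such as https://host:abc/
        return False
    host = (parts.hostname or "").rstrip(".")
    if host not in allowed_hosts:
        return False
    return parts.path.startswith(REPORT_LINK_PATH_PREFIXES)


if __name__ == "__main__":
    # Production hosts from the examples above; the link id is a constructed
    # placeholder standing in for the real (link_uuid).
    allowed = valid_gateway_hosts(["mtls.pmpgateway.net", "mutualauth.pmpgateway.net"])
    link = "https://pmpgateway.net/v5_1/report_link/0000-constructed-uuid"
    print(sorted(allowed))
    print(is_valid_report_link(link, allowed))                   # True
    # Without the base host in the allowlist, the same link fails validation,
    # which is the breakage the notice above warns about.
    print(is_valid_report_link(link, {"mtls.pmpgateway.net"}))  # False
```

If you keep a single allowlist for both pre-production and production, feed both sets of Report Request hosts into valid_gateway_hosts; the function adds prep.pmpgateway.net and pmpgateway.net alongside the mtls, secure and mutualauth hosts.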

Trust Store and Certificate Pinning

Up to date guidance is found on the Bamboo Health HTTP/TLS Support documentation page.

During this maintenance, we may switch between leaf TLS certificates signed by any active or deprecated root. We encourage you not to pin TLS certificates at all. If your information security standards require pinning, you must follow the published instructions at the above link and pin to root CAs rather than to leaf certificates, including every listed CA in your trust store, among them the currently used Entrust CA; a pin set that omits any listed root will fail the moment we present a chain signed by that root.
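As an added example that is not Bamboo Health's code, the Python below shows both halves of the guidance in the Testing your environment and Trust Store and Certificate Pinning sections: it merges several root CA PEM files into one trust bundle, de-duplicating by DER fingerprint so every listed CA can be included without stray copies, and it verifies a live endpoint (for instance the customer testing URL above) against only that bundle. Passing cafile= to ssl.create_default_context means the system trust store is not consulted, which is exactly the root-pinning posture described above: a server certificate chaining to any root in the bundle is accepted and anything else fails with ssl.SSLCertVerificationError. The two PEM blocks embedded in the script are constructed placeholders (base64 of a few bytes, not real certificates) used only to exercise the bundle builder offline; the script and file names are assumptions.

```python
import hashlib
import socket
import ssl
import sys

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def iter_pem_certs(pem_text: str):
    """Yield each PEM certificate block in a bundle, in file order,
    ignoring any comments or other text between blocks."""
    pos = 0
    while True:
        start = pem_text.find(PEM_BEGIN, pos)
        if start < 0:
            return
        stop = pem_text.find(PEM_END, start)
        if stop < 0:
            return
        stop += len(PEM_END)
        yield pem_text[start:stop]
        pos = stop


def cert_fingerprint(pem_block: str) -> str:
    """SHA-256 fingerprint (hex) of the DER encoding of one PEM certificate."""
    der = ssl.PEM_cert_to_DER_cert(pem_block)
    return hashlib.sha256(der).hexdigest()


def build_trust_bundle(*bundles: str) -> str:
    """Concatenate several root bundles into one, dropping exact duplicates.

    Every listed CA (including the Entrust root still in use during the
    migration) belongs in here; a chain signed by any of them will verify.
    """
    seen = set()
    blocks = []
    for text in bundles:
        for block in iter_pem_certs(text):
            fp = cert_fingerprint(block)
            if fp not in seen:
                seen.add(fp)
                blocks.append(block)
    return "\n".join(blocks) + "\n"


def verify_endpoint(host: str, bundle_path: str, port: int = 443, timeout: float = 10.0) -> dict:
    """Complete a TLS handshake with host, trusting ONLY the roots in bundle_path.

    create_default_context(cafile=...) does not load the system trust store,
    so a leaf signed by a root missing from the bundle raises
    ssl.SSLCertVerificationError, the failure a pinned client hits when the
    server switches roots. Hostname verification stays enabled.
    """
    ctx = ssl.create_default_context(cafile=bundle_path)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return {
        "subject": dict(pair for rdn in cert["subject"] for pair in rdn),
        "issuer": dict(pair for rdn in cert["issuer"] for pair in rdn),
        "not_after": cert["notAfter"],
    }


# Constructed placeholders (base64 of a few bytes, NOT real certificates) so
# the bundle builder can be exercised offline; real use reads root PEM files.
FAKE_ROOT_A = f"{PEM_BEGIN}\nQUFBQQ==\n{PEM_END}"
FAKE_ROOT_B = f"{PEM_BEGIN}\nQkJCQg==\n{PEM_END}"


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # python verify_roots.py <host> <bundle.pem>   (names are assumptions)
        print(verify_endpoint(sys.argv[1], sys.argv[2]))
    else:
        # Offline demo: three inputs, one duplicate, two roots in the result.
        bundle = build_trust_bundle(FAKE_ROOT_A, FAKE_ROOT_B, FAKE_ROOT_A)
        for block in iter_pem_certs(bundle):
            print(cert_fingerprint(block))
```

To use it for real, write the output of build_trust_bundle over the root PEM files from the HTTP/TLS Support documentation page to a file and run verify_endpoint against the testing host; if the handshake succeeds with that file as the only trust source, your pin set is complete for the migration.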

DNS/IP address allow-listing

We recommend you do not allowlist any of our systems. If your information security standards require allowlisting, you should allowlist at the domain level for the relevant domains below. If you cannot allowlist a domain, you must allowlist all IP addresses for the relevant systems below to ensure proper connectivity between our systems.

Gateway domains for non-mutual auth users

Pre-production

Production

Gateway domains for mutual auth users

Pre-production

Production

Frequently Asked Questions

This section is historical and will not receive further updates.

TLS/SSL

What is TLS?
TLS is the protocol used to secure web (HTTPS) communication between a client and a server. TLS relies on the server presenting a certificate that has been signed by a certificate authority, which the client verifies before any application data is exchanged.
What is a CA?
A CA is a certificate authority. Certificate authorities are audited entities trusted by web browsers to sign server certificates to attest that the certificate was issued to an appropriate organization.
What are root and intermediate certificates?
Root and intermediate certificates are CA certificates issued and managed by a CA. The root certificate is the one held in trust stores; it signs one or more intermediate certificates, and an intermediate signs the server certificate. This chain of digital signatures is what attests to the validity of the server certificate.
What is a server certificate?
Server certificates are TLS certificates issued to and managed by service providers, including Bamboo Health. They are signed by a CA's intermediate certificate, creating an attestation that the server certificate was properly issued. Server certificates are short lived (publicly trusted certificates are currently limited to roughly one year of validity) and must be rotated at least annually.
What is a trust store?
A trust store is a collection of the CA root certificates that are trusted to sign server certificates. Trust stores are managed by browsers (Mozilla Firefox, Google Chrome) and operating systems (Windows, Linux, macOS). This allows users to connect securely to websites without managing their trust stores themselves.

Pinning & IP/DNS allowlisting

What is pinning?
Pinning is a practice where a client configures its web browser or system to trust only a specific certificate (or a specific public key or CA). If the server presents a certificate that does not match the pin, the connection fails.
Why does Bamboo Health discourage pinning?
Existing system and browser trust stores are suitable for most purposes. Pinning increases the chance of an outage whenever we perform maintenance, including the standard rotation of server certificates.
My policy requires pinning. How can I do this safely?
If your policy requires pinning, follow the instructions on the Bamboo Health HTTP/TLS Support documentation page. Notably you must pin to all root certificates per instructions, as we may present server certificates signed by any of the listed CAs during the migration process.
What is IP allowlisting?
IP allowlisting (or whitelisting) is the process where clients block outbound communication to all IP addresses that are not explicitly on an allowlist.
What is DNS allowlisting?
DNS allowlisting (or whitelisting) is the process where clients block outbound communication to all domains that are not explicitly on an allowlist.
Why does Bamboo Health discourage DNS or IP allowlisting?
Allowlisting increases the opportunity for outages or misconfiguration, since our IP addresses can change during maintenance, as they did in this change.
My policy requires allowlisting. How can I do this safely?
Allowlist all of the DNS entries listed above. If you cannot allowlist DNS entries, allowlist all of the IP ranges listed above.

Specific change questions

Does this change impact the client certificate used for PMP Gateway mutual auth?
No. Mutual auth client certificates managed inside PMP Gateway are not impacted.
Why is Bamboo Health moving away from Entrust?
Entrust was a certificate authority trusted by all major web browsers. Due to compliance incidents, Google Chrome and Mozilla Firefox announced their intent to distrust certificates issued by Entrust in 2025. This forces us to move to a new CA.
How can I ensure my system is ready for this change?
Customers should share all communications with their internal IT teams. Customers that pin certificates or use DNS/IP allowlisting should review the details above to ensure their internal systems are configured properly.
How can I test this change in advance?
We will provide testing links above that allow customers to test their systems no later than 2/19/2025.
What if I have additional questions on this change?
We will be conducting two office hour sessions to review this change and answer questions. Links to these sessions are above. Additionally, questions can be directed to pmpgateway-cert-update-2025@bamboohealth.com.
Will Bamboo Health open a bridge for this change?
No.
How can I get support after the change has been made?
Contact Bamboo Health via Zendesk using standard processes.