
Installation

Before Running

Firewall Access - out

All outbound access should use the HTTP/HTTPS ports (80, 443):

  • archive.ubuntu.com - Ubuntu package manager
  • *.docker.com - install docker, docker hub
    • get.docker.com
    • download.docker.com
    • hub.docker.com
  • github.com - get projects
  • repo.maven.apache.org - maven downloads

Firewall Access - in

  • 80, 443 - nginx (covers openhim-console)
  • 8080, 5000, 5001, 5050, 5051, 5052, 7788 - openhim-core

Firewall Access - intraservice

  • 5432 - postgres db
  • 8444 - fhir server
  • 27017 - mongo db
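The three lists above translate directly into a host firewall. The following is an added example, not part of the OpenELIS guide: an nftables ruleset that opens the inbound service ports to anyone, but accepts the intraservice ports (postgres, FHIR server, mongo) only from the subnet the other services live on, so a database port is never reachable from outside. The `INTRASERVICE_NET` value and the assumption that SSH is the administrative path are placeholders.

```shell
#!/bin/sh
# Added example, not part of the OpenELIS guide: an nftables ruleset that
# enforces the three firewall lists above on the host. Inbound service ports
# are open to anyone; the intraservice ports (postgres, FHIR, mongo) accept
# connections only from the subnet the other services live on.
# Assumptions (placeholders): INTRASERVICE_NET and that SSH is the admin path.
set -eu

INTRASERVICE_NET="${INTRASERVICE_NET:-10.0.0.0/24}"  # placeholder subnet of the OE / CS hosts

# Print the ruleset; nothing is applied until apply_ruleset runs it.
render_ruleset() {
    cat <<EOF
table inet cs_filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        meta l4proto { icmp, ipv6-icmp } accept

        # admin access (assumption: SSH); keep this or the drop policy locks you out
        tcp dport 22 accept

        # Firewall Access - in: nginx / openhim-console, openhim-core
        tcp dport { 80, 443 } accept
        tcp dport { 8080, 5000, 5001, 5050, 5051, 5052, 7788 } accept

        # Firewall Access - intraservice: postgres, fhir server, mongo db
        # reachable only from the service subnet; from anywhere else the
        # chain's drop policy applies
        ip saddr $INTRASERVICE_NET tcp dport { 5432, 8444, 27017 } accept
    }

    chain output {
        # outbound stays open: the package mirrors, docker hub, github and
        # maven from the "out" list are reached on 80/443 and not pinned here
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Load the ruleset in one transaction: create the table if missing, flush it,
# then re-add the chains and rules. Requires root and the nft binary.
apply_ruleset() {
    if [ "$(id -u)" -ne 0 ] || ! command -v nft >/dev/null 2>&1; then
        echo "apply_ruleset: needs root and nft; printing only" >&2
        return 1
    fi
    { printf 'add table inet cs_filter\nflush table inet cs_filter\n'; render_ruleset; } | nft -f -
}

render_ruleset
if [ "${APPLY:-0}" = 1 ]; then apply_ruleset; fi
```

Run it without arguments to review the generated rules; run it as root with `APPLY=1` to load them. Because the input chain's policy is drop, anything not listed (including 5432 and 27017 from the internet) is refused without a separate deny rule.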

Installing Commands

Update Ubuntu:

  • sudo apt-get update
  • sudo apt-get upgrade

Install git:

  • sudo apt-get install git

Install Docker:

  • curl https://get.docker.com/ | sh -

Install Docker-compose:

  • sudo curl -L "https://github.com/docker/compose/releases/download/1.28.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
  • sudo chmod +x /usr/local/bin/docker-compose
  • sudo docker-compose --version

Downloading projects

Download Consolidated Server project:

Create Certificates

It is recommended to generate a CA, issue the service certificates from that CA, and have every server trust that same CA (assuming you control the CA, so that only the services you intend are trusted). Using the same certificate for all the services should also work.

Useful links:

Creating a CA: https://scriptcrunch.com/create-ca-tls-ssl-certificates-keys/

Creating a cert with SAN: https://www.golinuxcloud.com/openssl-generate-csr-create-san-certificate/

Keystore Truststore: http://docs.openelis-global.org/en/latest/install/

  • PEM key → ./prod/ssl/cs.key
  • PEM cert → ./prod/ssl/cs.crt
  • PEM key & PEM cert → ./prod/ssl/cs.keystore
  • PEM cert and/or PEM CA cert → ./prod/ssl/cs.truststore

openssl pkcs12 -inkey prod/ssl/cs.key -in prod/ssl/cs.crt -export -out prod/ssl/cs.keystore

keytool -import -alias csCert -file prod/ssl/cs.crt -storetype pkcs12 -keystore prod/ssl/cs.truststore

Make sure the OE instances trust the Consolidated-server's certificate (or better yet, its CA) by loading it into their truststore. If the Consolidated-server sits behind a load balancer that does SSL offloading, OE will instead need to trust the offloader's certificate or CA.
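The following script is an added example, not from the OpenELIS documentation: it walks the recommended path end to end, generating a private CA, issuing a server certificate with a subjectAltName from that CA, and packing the cs.keystore and cs.truststore files the guide expects. The keystore step is the guide's own openssl pkcs12 export with the password supplied non-interactively; the truststore holds the CA certificate rather than the leaf, so any service issued by this CA is trusted. `SSL_DIR`, `SERVER_DNS` and the two store passwords are placeholders you replace with your own values.

```shell
#!/bin/sh
# Added example, not from the OpenELIS documentation: generate a private CA,
# issue a SAN certificate for the Consolidated Server from that CA, and pack
# the keystore/truststore files the guide places under ./prod/ssl.
# Assumptions (placeholders): SSL_DIR, SERVER_DNS and the two store passwords.
set -eu

SSL_DIR="${SSL_DIR:-./prod/ssl}"                     # where the guide keeps cs.key / cs.crt / stores
SERVER_DNS="${SERVER_DNS:-cs.example.org}"           # placeholder: the server's DNS entry
KEYSTORE_PASS="${KEYSTORE_PASS:-changeit-keystore}"  # placeholder: must match keystorePass in hapi_server.xml
TRUSTSTORE_PASS="${TRUSTSTORE_PASS:-changeit-trust}" # placeholder: must match truststorePass

# 1. Private CA: key plus a self-signed certificate explicitly flagged as a CA.
make_ca() {
    mkdir -p "$SSL_DIR"
    openssl genrsa -out "$SSL_DIR/ca.key" 2048 2>/dev/null
    openssl req -new -key "$SSL_DIR/ca.key" -subj "/CN=Consolidated Server Private CA" \
        -out "$SSL_DIR/ca.csr"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$SSL_DIR/ca.ext"
    openssl x509 -req -in "$SSL_DIR/ca.csr" -signkey "$SSL_DIR/ca.key" -days 1825 -sha256 \
        -extfile "$SSL_DIR/ca.ext" -out "$SSL_DIR/ca.crt" 2>/dev/null
}

# 2. Server key and CSR; the CA signs it with a subjectAltName matching the
#    host name used in nginx.conf / default.json (clients check the SAN, not the CN).
make_server_cert() {
    openssl genrsa -out "$SSL_DIR/cs.key" 2048 2>/dev/null
    openssl req -new -key "$SSL_DIR/cs.key" -subj "/CN=$SERVER_DNS" -out "$SSL_DIR/cs.csr"
    cat > "$SSL_DIR/cs.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=DNS:$SERVER_DNS
EOF
    openssl x509 -req -in "$SSL_DIR/cs.csr" -CA "$SSL_DIR/ca.crt" -CAkey "$SSL_DIR/ca.key" \
        -CAcreateserial -days 825 -sha256 -extfile "$SSL_DIR/cs.ext" \
        -out "$SSL_DIR/cs.crt" 2>/dev/null
}

# 3. Keystore: the guide's openssl pkcs12 export, password passed on the
#    command line so the script runs unattended.
make_keystore() {
    openssl pkcs12 -inkey "$SSL_DIR/cs.key" -in "$SSL_DIR/cs.crt" -export \
        -passout "pass:$KEYSTORE_PASS" -out "$SSL_DIR/cs.keystore"
}

# 4. Truststore holding the CA certificate (not the leaf), so every service
#    issued by this CA is trusted. keytool mirrors the guide's command; the
#    openssl form is a fallback for hosts without a JDK.
make_truststore() {
    rm -f "$SSL_DIR/cs.truststore"
    if command -v keytool >/dev/null 2>&1; then
        keytool -importcert -noprompt -alias csCA -file "$SSL_DIR/ca.crt" -storetype pkcs12 \
            -keystore "$SSL_DIR/cs.truststore" -storepass "$TRUSTSTORE_PASS" >/dev/null 2>&1
    else
        openssl pkcs12 -export -nokeys -in "$SSL_DIR/ca.crt" \
            -passout "pass:$TRUSTSTORE_PASS" -out "$SSL_DIR/cs.truststore"
    fi
}

# Checks worth running before anything is copied into prod/ssl.
verify_chain()   { openssl verify -CAfile "$SSL_DIR/ca.crt" "$SSL_DIR/cs.crt" >/dev/null; }
has_san()        { openssl x509 -in "$SSL_DIR/cs.crt" -noout -text | grep -q "DNS:$SERVER_DNS"; }
keystore_opens() { openssl pkcs12 -in "$SSL_DIR/cs.keystore" -passin "pass:$KEYSTORE_PASS" -noout >/dev/null 2>&1; }

make_ca && make_server_cert && make_keystore && make_truststore
verify_chain && has_san && keystore_opens && echo "certificates ready in $SSL_DIR"
```

Keep ca.key off the application servers; only ca.crt needs to be distributed to the OE truststores. If an older JDK refuses to open a keystore produced by OpenSSL 3, add `-legacy` to the pkcs12 export so it uses the older PKCS12 encryption that those JDKs understand.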

Configuring Projects

Choose one of the two options below:

Quick Config Container(s):

  • Run ./configure.sh
    • Server address: the address that all of the services are running on (this is the URL they will use to reach each other, so it should be the DNS entry of the server)
    • Db admin password: password for cs_admin
    • Db password: password for cs_user
    • Keystore password: key encryption password
    • Truststore password: trust encryption password

Detailed Configure Container(s):

  • cd Consolidated-Server/
  • Edit ./prod/properties/default.json
    • Set host to the name used to access this server
  • Edit ./prod/conf/nginx.conf
    • Replace any host.openelis.org names with the server’s DNS entry
  • If using a docker database running on the same machine: Edit prod/database/database.env
    • write a unique password
  • Otherwise manually create a database, create a user, and run ./prod/database/dbInit.sql
  • Whichever database is used, fill out the db connection info in:
    • ./prod/database/user
    • ./prod/database/password
  • Fill out ./prod/properties/application.yaml
    • Server address: hapi.fhir.server_address (this must be the access point to this server, i.e. the OpenHIM pathway)
    • Db connection info: datasource.*
  • Fill out ./prod/tomcat/hapi_server.xml
    • truststorePass and keystorePass

Configure OpenHIM Core:

  • sudo docker-compose -f docker-compose-production.yml up -d --build
  • Log into the OpenHIM console with the default credentials root@openhim.org / openhim-password and change the password
  • Make a note of the password you change it to
  • Navigate to the certificate page
  • Upload your server certificate and key pair for OpenHIM
  • Core is now using this cert key pair

Configure Clients:

  • Add a trusted cert for your client (and the chain of CAs you trust)
  • Navigate to client tab
  • Add client
    • Add new role: fhir-pusher
    • Add new role: fhir-puller
    • Give client ID and Client name
    • Select client certificate as authentication method

Configure Channels:

  • Navigate to the channels tab
  • Add channel: FHIR Channel
    • Type: HTTP
    • URL pattern: /fhir.*
    • Access control: PRIVATE
    • Allowed roles: fhir-pusher, fhir-puller
    • Route:
      • name: hapi-fhir-jpaserver
      • type: http
      • secured: yes
      • CA: ca
      • Host: <server-path>
      • Port: 8444

Upgrade

Updating Commands

Update Ubuntu

  • sudo apt-get update
  • sudo apt-get upgrade

Update Git Project

  • git stash (optional, unless there are conflicts)
  • git submodule init
  • git pull origin --recurse-submodules
  • git checkout -- configure.sh

Configuring Projects

Choose one of the two options below:

Quick Config Container(s):

  • Run ./configure.sh
    • Server address: the address that all of the services are running on (this is the URL they will use to reach each other, so it should be the DNS entry of the server)
    • Db admin password: password for cs_admin
    • Db password: password for cs_user
    • Keystore password: key encryption password
    • Truststore password: trust encryption password

Notes

Passwords

ALL passwords should be recorded into the 1Password Vault