This repository has been archived by the owner on Nov 17, 2023. It is now read-only.

Deployment of the FHIR Endpoint using Local Images

Hauke Hund edited this page Dec 8, 2020 · 24 revisions

Before deploying, build the project with mvn clean install.

Additionally, two certificates from the DFN PKI are necessary:

  • Server X.509 certificate (DFN profile Web Server) for the FHIR server
  • Server/Client X.509 certificate (DFN profile 802.1X Client), used by the local Business Process Engine to access FHIR servers and by your FHIR server to perform HTTP HEAD calls to remote FHIR servers while validating incoming FHIR resources that reference remote FHIR servers.

Create a deployment folder and copy the following dsf-folders into it:

  • dsf-docker-test-setup ▸ fhir --> fhir_compose
  • dsf-docker ▸ fhir_proxy --> fhir_proxy
  • dsf-fhir ▸ dsf-fhir-server-jetty ▸ docker --> fhir_app

Reverse-Proxy

  • Add the CA chain, the FHIR endpoint server certificate and its private key to the folder fhir_compose ▸ proxy ▸ ssl:
  • Default filenames are:
    • ca_certificate.pem for the CA chain
    • certificate.pem for the FHIR server certificate
    • private-key.pem for the FHIR server certificate private key
  • You can find the current DFN PKI CA chain here. All entries are needed, since the ca_certificate.pem file is currently used both to configure the server's intermediate CAs and as the root of trust for verifying client certificates.
  • Adapt the filenames if needed in fhir_proxy ▸ conf ▸ extra ▸ host-ssl.conf:
    • SSLCertificateChainFile and SSLCACertificateFile
    • SSLCertificateFile
    • SSLCertificateKeyFile

Database

  • In fhir_compose ▸ app ▸ conf ▸ config.properties, set new values for org.highmed.dsf.fhir.db.liquibase_user_password and org.highmed.dsf.fhir.db.server_user_password
  • Add the same liquibase_user_password to fhir_compose ▸ db ▸ conf ▸ postgress_password

App

  • Generate the thumbprint of the local Business Process Engine server/client certificate using certtool --fingerprint --hash=sha512 --infile=client_certificate.pem or openssl x509 -noout -fingerprint -sha512 -inform pem -in [client_certificate.pem]

WATCH OUT: thumbprint has to be in lowercase without colons!

  • Create a .p12 keystore of the local Business Process Engine server/client certificate using openssl pkcs12 -export -out [client_certificate.p12] -inkey [private-key.pem] -in [client_certificate.pem] -certfile [chain.txt] and move it into fhir_compose ▸ app ▸ conf
  • You can find the current DFN PKI CA chain here. The full chain is needed because the .p12 store serves both as trust store when authenticating servers and as key store when authenticating as a client. The root anchor (T-TeleSec GlobalRoot Class 2) is used to trust a server when it authenticates itself, sending all intermediate CAs along with its server certificate. The intermediate certificates together with the client certificate and its private key are used when the client authenticates itself to a server, sending all intermediate CAs along with the client certificate.

WATCH OUT: If the application runs on a machine behind a proxy using TLS Inspection, authentication based on client certificates will not work. TLS Inspection has to be turned off.
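The thumbprint and keystore steps above, together with the certificate/key pairing the reverse-proxy section relies on, as an added example. This script is not part of the DSF project: it builds a throw-away PKI (root CA, intermediate CA, client certificate) with openssl in place of the DFN PKI so everything runs offline, then derives the thumbprint in the lowercase, colon-free form DSF expects, packages key, certificate and full chain into a .p12, and checks the result. The host name bpe.example.org, the file names, the function names and the store password are assumptions for this illustration only.

```shell
#!/bin/sh
# Added example, not project code. A throw-away PKI stands in for the DFN PKI;
# bpe.example.org, file names, function names and the password are assumptions.
set -eu

# Thumbprint the way DSF wants it: SHA-512, lowercase, no colons.
dsf_thumbprint() {
    openssl x509 -noout -fingerprint -sha512 -inform pem -in "$1" \
        | sed -e 's/^.*=//' -e 's/://g' \
        | tr '[:upper:]' '[:lower:]'
}

# Exit 0 only if private key ($1) and certificate ($2) carry the same public key.
# Run this on the proxy's private-key.pem/certificate.pem and on the BPE pair.
dsf_key_matches_cert() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$2")
    key_pub=$(openssl pkey -pubout -in "$1")
    [ "$cert_pub" = "$key_pub" ]
}

# Exit 0 only if leaf ($3) chains through the intermediates ($2) to the root ($1)
# and is usable for TLS client authentication.
dsf_verify_chain() {
    openssl verify -purpose sslclient -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Build the .p12: key ($1), client certificate ($2), complete chain file ($3),
# output ($4), password ($5). The chain must include the root, because the
# store also acts as trust store.
dsf_make_p12() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
        -out "$4" -passout "pass:$5"
}

# Count certificates in a .p12; expected: client + every CA in the chain.
dsf_p12_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Constructed test PKI in directory $1 (root -> intermediate -> client).
make_test_pki() {
    d="$1"
    cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_root
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_inter]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_client]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -config "$d/pki.cnf" \
        -subj "/CN=Test Root CA" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$d/pki.cnf" \
        -subj "/CN=Test Intermediate CA" -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/pki.cnf" -extensions v3_inter -out "$d/inter.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$d/pki.cnf" \
        -subj "/CN=bpe.example.org" -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$d/client.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -extfile "$d/pki.cnf" -extensions v3_client -out "$d/client.pem" 2>/dev/null
    # chain.pem = intermediate(s) followed by the root, as -certfile input
    cat "$d/inter.pem" "$d/root.pem" > "$d/chain.pem"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_test_pki "$WORK"
THUMBPRINT=$(dsf_thumbprint "$WORK/client.pem")
dsf_make_p12 "$WORK/client.key" "$WORK/client.pem" "$WORK/chain.pem" \
    "$WORK/client_certificate.p12" changeit
echo "org.highmed.dsf.fhir.local-user.thumbprints=$THUMBPRINT"
```

The sed/tr pipeline strips the "SHA512 Fingerprint=" prefix and the colons so the value can be pasted straight into the thumbprint setting; a 128-character lowercase hex string is the shape to expect. Run dsf_key_matches_cert and dsf_verify_chain on the real DFN files before building the store, since a mismatched key or an incomplete chain only shows up later as a TLS handshake failure.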

  • Replace the file fhir_compose ▸ app ▸ conf ▸ bundle.xml with this file and fill the following placeholders with your entries: (This file is only for the test network; the one for production is in development)
    • <set-your-uuid-here>
    • <set-your-thumbprint-here>
    • <set-your-identifier-here> (2x)
    • <set-your-name-here>
  • Adapt the following settings in the file fhir_compose ▸ app ▸ conf ▸ config.properties:
    • org.highmed.dsf.fhir.webservice.keystore.p12file
    • org.highmed.dsf.fhir.webservice.keystore.password
    • org.highmed.dsf.fhir.local-user.thumbprints
    • org.highmed.dsf.fhir.serverBase with the base url of the FHIR endpoint service
    • org.highmed.dsf.fhir.organizationType with either MeDIC or TTP
    • org.highmed.dsf.fhir.local-organization.identifier with the MeDIC identifier
  • If outgoing connections go through a proxy, additionally add the following settings to fhir_compose ▸ app ▸ conf ▸ config.properties:
    • org.highmed.dsf.fhir.remote.webservice.proxy.schemeHostPort with the proxy scheme, host and port
    • org.highmed.dsf.fhir.remote.webservice.proxy.username
    • org.highmed.dsf.fhir.remote.webservice.proxy.password
  • Settings of the Jetty application server can be changed in the file fhir_compose ▸ app ▸ conf ▸ jetty.properties
  • Adapt the file fhir_compose ▸ docker-compose.yml:
    • Set the entry HTTPS_SERVER_NAME_PORT to the server name and port (servername:port) used for the permanent redirect to https
    • If the FHIR Endpoint is located on its own machine without the BPE:
      • Remove the network entries with the name bpe
      • Change the entries under proxy ▸ ports to 80:80 and 443:443
  • Adapt the file fhir_compose ▸ docker-compose.prod.yml:
    • If you need additional entries in the file /etc/hosts (e.g. if there is no DNS resolving possible) add them to the field extra_hosts
  • Make sure the volumes are accessible. The application runs as a user with uid==gid==2101, so this user needs read access to the conf and plugin folders and read, write and execute access to the log folder.

Admission to the HiGHmed WhiteList:

Please contact one of the main developers of the framework to be whitelisted.

Build and Running

  • Build the proxy using docker build -t highmed/fhir_proxy ./fhir_proxy
  • Build the app using docker build -t highmed/fhir ./fhir_app
  • In the folder fhir_compose run docker-compose -f docker-compose.yml -f docker-compose.prod.yml up