HiGHmed DSF 0.5.1 Deployment

See HiGHmed Install 0.9.3 for the latest release.

This setup guide uses pre-build docker images for DSF Version 0.5.1. This guide is only suitable for HiGHmed organizations.
If you are not a member of HiGHmed, see NUM-CODEX Install.

Prerequisites

Virtual Machines

DSF FHIR VM: min. 4 GB RAM, 4 vCPU, 20 GB HDD
DSF BPE VM: min. 4 GB RAM, 4 vCPU, 20 GB HDD

Docker / Docker-Compose

Both VMs need latest docker and docker-compose. For the latest install guide see https://docs.docker.com/engine/install and https://docs.docker.com/compose/install

docker:

sudo apt-get update
sudo apt-get install apt-transport-https ca-certificates curl gnupg lsb-release
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io

docker-compose (warning: 1.29.2 might not be latest):

sudo curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose

Client/Server Certificates

Two Certificates from the DFN PKI are needed, more infos see Authentication

Certificate A: DFN PKI Server Certificate (Profile: 'Web Server', Common-Name: Your external DSF FHIR Servers FQDN)
Certificate B: DFN PKI Client Certificate (Profile: '802.1X Client', Common-Name: Your DSF BPE Servers FQDN)

Network setup / Network access

For additional information on the network setup see Network-and-Architecture.

The DSF FHIR server needs to be accessible via the internet and able to access the internet without TLS interception.
The BPE FHIR server should only be accessible by the internal network and able to access your DSF FHIR server via its external FQDN and the internet without TLS interception.

Here is a quick overview of the expected network setup. Connections to the fTTP and the local GECCO FHIR server are not listed:

Source	Target	Port	Protocol
DSF BPE (lokal)	DSF FHIR (lokal)	443	https, wss
DSF BPE (lokal)	DSF FHIR (GECCO Transfer Hub)	443	https
DSF FHIR (lokal)	DSF FHIR (GECCO Transfer Hub)	443	https
DSF FHIR (GECCO Transfer Hub)	DSF FHIR (lokal)	443	https

On-Boarding Excel Spreadsheet

You are required to fill out the on-boarding Excel spreadsheet, provided with the NUM-CODEX hackathon invite, and send it to the GECCO Transfer Hub. If the GECCO Transfer Hub already received and validated your On-Boarding Excel Spreadsheet and you do not have to change any information, you can skip this step.

Setup

Prepare Certificates

Certificate with DFN PKI Profile 'Web Server' (certificate A)
This certificate will be used as the DSF FHIR servers server certificate (ssl_certificate_file.pem, ssl_certificate_key_file.pem)
- Store PEM encoded certificate as ssl_certificate_file.pem
- Store not encrypted, PEM encoded private-key as ssl_certificate_key_file.pem
Certificate with DFN PKI Profile '802.1X Client' (certificate B)
This certificate will be used as the DSF BPE servers client certificate (client_certificate.pem, client_certificate_private_key.pem) as well as the DSF FHIR servers client certificate (client_certificate.pem, client_certificate_private_key.pem)
- Store PEM encoded certificate as client_certificate.pem
- Store encrypted or not encrypted, PEM encoded private-key as client_certificate_private_key.pem

DSF FHIR Server

Add Group/User
Add group and user used by the DSF FHIR java application. Ubuntu compatible commands below:
```
sudo addgroup --gid 2101 fhir
sudo adduser --system --no-create-home --uid 2101 --gid 2101 fhir
```
Download and Extract Config Files
Download prepared DSF FHIR server config files and folder structure from
https://github.com/highmed/highmed-dsf/wiki/resources/dsf_highmed_fhir_0_5_1.tar.gz
```
cd /opt
wget https://github.com/highmed/highmed-dsf/wiki/resources/dsf_highmed_fhir_0_5_1.tar.gz
sudo tar --same-owner -zxvf dsf_highmed_fhir_0_5_1.tar.gz
```
The tar command will unpack the config files at /opt/fhir assuming you changed into the /opt directory.
Verify that the fhir system user or group can write into the following folder
- /opt/fhir/log
Add certificates and keys
- Add the server certificate (Certificate A) and the corresponding private-key to /opt/fhir/secrets/
  - ssl_certificate_file.pem (chmod: 440, chown: fhir:docker)
  - ssl_certificate_key_file.pem (chmod: 440, chown: fhir:docker)
- Add the client certificate (Certificate B) and the corresponding private-key to /opt/fhir/secrets/
  - client_certificate.pem (chmod: 440, chown: fhir:docker)
  - client_certificate_private_key.pem (chmod: 440, chown: fhir:docker)
- If the private key is encrypted, add a password file with the password as the only content to /opt/fhir/secrets/
  - client_certificate_private_key.pem.password
- If the private key is not encrypted, remove the corresponding docker secret lines from the docker-compose.yml file
```
L39:      - app_client_certificate_private_key.pem.password
...
L56:      ORG_HIGHMED_DSF_FHIR_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD_FILE: /run/secrets/app_client_certificate_private_key.pem.password
...
L118:  app_client_certificate_private_key.pem.password:
L119:    file: ./secrets/client_certificate_private_key.pem.password
```
Modify database passwords
- /opt/fhir/secrets/db_liquibase.password
  - Generate a random password (min. 32 characters recommended) and replace the content of the file.
- /opt/fhir/secrets/db_user.password
  - Generate a random password (min. 16 characters recommended) and replace the content of the file.
- /opt/fhir/secrets/db_user_permanent_delete.password
  - Generate a random password (min. 16 characters recommended) and replace the content of the file.
Modify the docker-compose.yml file and set environment variables to the appropriate values
- services -> proxy -> environment:
  - HTTPS_SERVER_NAME_PORT: TODO_DSF_FRIR_SERVER_EXTERNAL_FQDN:443 Set your FHIR servers external FQDN, e.g. foo.bar.de -> foo.bar.de:443
- services -> app -> environment:
  - ORG_HIGHMED_DSF_FHIR_SERVER_BASE_URL: https://TODO_DSF_FRIR_SERVER_EXTERNAL_FQDN/fhir
    Set your FHIR servers external FQDN, e.g. foo.bar.de -> https://foo.bar.de/fhir
  - ORG_HIGHMED_DSF_FHIR_SERVER_ORGANIZATION_IDENTIFIER_VALUE: TODO_ORGANIZATION_IDENTIFIER
    Set your Organizations DSF identifier, aka the shortest FQDN that resolves to the main homepage of the organization, e.g. hs-heilbronn.de
  - ORG_HIGHMED_DSF_FHIR_SERVER_ORGANIZATION_NAME: TODO_ORGANIZATION_NAME
    Set your Organizations official name, e.g. Hochschule Heilbronn
  - ORG_HIGHMED_DSF_FHIR_SERVER_ORGANIZATION_THUMBPRINT: TODO_CLIENT_CERTIFICATE_THUMBPRINT
    Set the SHA-512 Hash (lowercase hex) of your client certificate (Certificate B)
    Use certtool --fingerprint --hash=sha512 --infile=client_certificate.pem to generate the hash.
  - ORG_HIGHMED_DSF_FHIR_SERVER_USER_THUMBPRINTS: TODO_CLIENT_CERTIFICATE_THUMBPRINTS
    Set the SHA-512 Hash (lowercase hex) of your client certificate (Certificate B)
    This parameter is a comma separated list e.g. ab12...37ff,f3a2...bb22. You can add additional client certificate thumbprints for example the thumbprint of your (the admins) personal DFN PKI S/MIME certificate, to access the DSF FHIR servers REST interface.
  - ORG_HIGHMED_DSF_FHIR_SERVER_USER_THUMBPRINTS_PERMANENT_DELETE: TODO_CLIENT_CERTIFICATE_THUMBPRINTS
    Set the SHA-512 Hash (lowercase hex) of your client certificate (Certificate B)
    This parameter is a comma separated list e.g. ab12...37ff,f3a2...bb22. Usually it is not necessary to add additional thumbprints other than your client certificate (Certificate B) here. When a client uses a certificate with a thumbprint listed here, the client is allowed to permanently delete FHIR resources.
  - For additional environment variables, see DSF 0.5.1 configuration parameters
Start the DSF FHIR Server
Start using: docker-compose up -d && docker-compose logs -f (Ctrl-C will close log, but not stop container)

DSF BPE Server

Add Group/User
Add group and user used by the DSF BPE java application. Ubuntu compatible commands below:
```
sudo addgroup --gid 2202 bpe
sudo adduser --system --no-create-home --uid 2202 --gid 2202 bpe
```
Download and Extract Config Files
Download prepared DSF BPE server config files and folder structure from
https://github.com/highmed/highmed-dsf/wiki/resources/dsf_highmed_bpe_0_5_1.tar.gz
```
cd /opt
wget https://github.com/highmed/highmed-dsf/wiki/resources/dsf_highmed_bpe_0_5_1.tar.gz
sudo tar --same-owner -zxvf dsf_highmed_bpe_0_5_1.tar.gz
```
The tar command will unpack the config files at /opt/bpe assuming you changed into the /opt directory.
Verify that the bpe system user or group can write into the following folders
- /opt/bpe/log
- /opt/bpe/last_event
- /opt/bpe/psn
Add certificates and keys
- Add the client certificate (Certificate B) and the corresponding private-key to /opt/bpe/secrets/
  - client_certificate.pem (chmod: 440 chown: bpe:docker)
  - client_certificate_private_key.pem (chmod: 440 chown: bpe:docker)
- If the private key is encrypted, add a password file with the password as the only content to /opt/bpe/secrets/
  - client_certificate_private_key.pem.password
- If the private key is not encrypted, remove the corresponding docker secret lines from the docker-compose.yml file
```
L13:      - app_client_certificate_private_key.pem.password
...
L41:      ORG_HIGHMED_DSF_BPE_FHIR_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD_FILE: /run/secrets/app_client_certificate_private_key.pem.password
...
L93:  app_client_certificate_private_key.pem.password:
L94:    file: ./secrets/client_certificate_private_key.pem.password
```
- Add the CRR public-key used for asymmetrically encrypting the GECCO FHIR Bundles to /opt/bpe/secrets/
  - crr_public_key.pem (chmod: 440 chown: bpe:docker)
  - You can download the 4096 Bit RSA PEM encoded public-key for the Test-Setup here: https://keys.num-codex.de/crr_public-key-pre-prod.pem
Modify database passwords
- /opt/bpe/secrets/db_liquibase.password
  - Generate a random password (min. 32 characters recommended) and replace the content of the file.
- /opt/bpe/secrets/db_user.password
  - Generate a random password (min. 16 characters recommended) and replace the content of the file.
- /opt/bpe/secrets/db_user_camunda.password
  - Generate a random password (min. 16 characters recommended) and replace the content of the file.
Modify the docker-compose.yml file and set environment variables to the appropriate values
- services -> app -> environment:
  - ORG_HIGHMED_DSF_BPE_FHIR_SERVER_ORGANIZATION_IDENTIFIER_VALUE: TODO_ORGANIZATION_IDENTIFIER
    Set your Organizations DSF identifier, aka the shortest FQDN that resolves the main homepage of the organization, e.g. hs-heilbronn.de
  - ORG_HIGHMED_DSF_BPE_FHIR_SERVER_BASE_URL: https://TODO_DSF_FRIR_SERVER_FQDN/fhir
    Set your FHIR servers external FQDN, e.g. foo.bar.de -> https://foo.bar.de/fhir
  - For additional environment variables, see DSF 0.5.1 configuration parameters
Start the DSF BPE Server (without process plugins)
Start using: docker-compose up -d && docker-compose logs -f (Ctrl-C will close log, but not stop container)
Verify the DSF BPE Startup
- Check that the BPE was able to download new Task resources from the DSF FHIR server during startup.
- Check that the BPE was able to download a Subscription resource from the DSF FHIR server during startup.
- Check that the BPE was able to connect to the websocket endpoint of the DSF FHIR server during startup.
If you need to debug the TLS connection to your DSF FHIR server use for example:
docker run -it --rm alpine/openssl s_client your-fhir-server.fqdn:443
The command above should print the server certificate of your DSF FHIR server (certificate A) and end with a message like [...]tlsv13 alert certificate required[...]
Stop the DSF BPE Server
- Hit Ctrl-C to close log
- Stop using: docker-compose stop
Add the following DSF BPE process plugins, for instructions on how to configure the plugin, see release notes.
- num-codex / codex-processes-ap1 version 0.4.0 or later:
  https://github.com/num-codex/codex-processes-ap1/releases/tag/v0.4.0
- highmed / highmed-processes / feasibility version 0.5.0 or later:
  https://github.com/highmed/highmed-processes/releases/tag/v0.5.0
- highmed / highmed-processes / local-services version 0.5.0 or later:
  https://github.com/highmed/highmed-processes/releases/tag/v0.5.0
- highmed / highmed-processes / ping version 0.5.0 or later:
  https://github.com/highmed/highmed-processes/releases/tag/v0.5.0
- highmed / highmed-processes / update-allow-list version 0.5.0 or later:
  https://github.com/highmed/highmed-processes/releases/tag/v0.5.0
- highmed / highmed-processes / update-resources version 0.5.0 or later:
  https://github.com/highmed/highmed-processes/releases/tag/v0.5.0
Start the DSF BPE Server (with process plugins)
Start using: docker-compose up -d && docker-compose logs -f (Ctrl-C will close log, but not stop container)
Request Allow-List upload from HiGHmed TTP
The Allow-List upload is needed in order to execute HiGHmed and NUM-CODEX processes.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly