MyOscar2 on Java 7 Install
Preface
You are advised to review the notes on a 2014 installation of MyOSCAR attached in docx format.
Document Version History
- v1.0 – initial public release on oscarmanual.org – April 14, 2013
- v1.1 – cleanup – April 18, 2013
- v1.2 – minor revisions - Oct 3, 2013
- v1.3 – minor revisions - April 2, 2014
copyright by Peter Hutten-Czapski 2011-2013 © under the Creative Commons Attribution-Share Alike 3.0 Unported License.
|
Contents
|
Prerequisites
It is assumed that- You already have Oscar 12_1 installed on Ubuntu according to instructions on Tomcat 6
- You have configured Tomcat to provide Https connections.
- You have MySQL installed.
- You have a moderate level of Linux knowledge.
Overview:
Configuring and installing the MyOscar2 system involves four servers. One Oscar server and three MyOscar servers.
- The original Oscar itself. These instructions are for Oscar12_1.
- MyOscar_server. This server will respond to either Oscar or MyOscar_client through an XML protocol
- MyOscar_client server. This is the web GUI for administrative and patient access to the MyOscar system
- Oscar Clinic Component server. This is the server that administers appointment
setting, and is normally accessed through the MyOscar client
Java 7 Installation
Technically any Java7 will do, however development is done on Oracle Java 7.
Download from Oracle the 32bit or 64bit Linux "compressed binary file" - it has a ".tar.gz" file extension i.e. "[java-version]-i586.tar.gz" for 32bit and "[java-version]-x64.tar.gz" for 64bit. NOTE the following uses the file pattern for Java Oracle update 17. Yours will be newer and have slightly different naming which should be reflected in the commands you use.
Uncompress it
tar -xvf jdk-7u17-linux-i586.tar.gztar -xvf jdk-7u17-linux-x64.tar.gz (64bit)
The JDK 7 package is thus extracted into ./jdk1.7.0_17 directory
(again yours will be newer and have a slightly different directory).
-Now move the JDK 7 directory to /usr/lib
sudo mv ./jdk1.7.0_17 /usr/lib/jvm/java-7-oracleUse the debian alternatives tool to register this java with the java master group link
sudo update-alternatives --install "/usr/bin/java" "java" "/usr/lib/jvm/java-7-oracle/bin/java" 1
sudo update-alternatives --install "/usr/bin/javac" "javac" "/usr/lib/jvm/java-7-oracle/bin/javac" 1Now get a choice of slave linked java's to activate
sudo update-alternatives --config javaThis will give you options of java for your system, in this example you would pick 3 for Oracle Java 7
There are 3 choices for the alternative java (providing /usr/bin/java).
Selection Path Priority Status
————————————————————
* 0 /usr/lib/jvm/java-6-openjdk/jre/bin/java 1061 auto mode
1 /usr/lib/jvm/java-6-openjdk/jre/bin/java 1061 manual mode
2 /usr/lib/jvm/java-6-sun/jre/bin/java 63 manual mode
3 /usr/lib/jvm/java-7-oracle/jre/bin/java 3 manual mode
Press enter to keep the current choice[*], or type selection number: 3
update-alternatives: using /usr/lib/jvm/java-7-oracle/jre/bin/java to provide /usr/bin/java (java) in manual mode.Check the version of your new JDK 7 installation to confirm you have the version you want:
$sudo java -version
java version “1.7.0”
Java(TM) SE Runtime Environment (build 1.7.0_17-b10)
Java HotSpot(TM) Client VM (build 23.3-b01, mixed mode)
Repeat for the java compiler
sudo update-alternatives --config javac
Tomcat 7 Installation
Preferred Option: Standalone MyOscar
The following instructions will install Tomcat 7 to your new stand alone Ubuntu 12_04 LTS MyOscar installation
sudo apt-get update sudo apt-get install tomcat7
Now stop the tomcat7 service
sudo service tomcat7 stop Stopping Tomcat servlet engine tomcat7 [ OK ]
Run the following command in your console to edit JAVA_HOME in the default tomcat7 start-up configuration file:
sudo nano /etc/default/tomcat7
Change the JAVA_HOME option to the following:
JAVA_HOME=/usr/lib/jvm/java-7-oracle
Save the file and you are done. Tomcat will now start using the Oracle JDK instead of OpenJDK when you start the tomcat7 service
sudo service tomcat7 start
Check to ensure that Tomcat is running and you are running on the Oracle JDK
/usr/share/tomcat7/bin/version.sh
Now change to a directory and then skip to the instructions that follow for setting up SSL work
cd /var/lib
Option B: MyOscar Colocated on Oscar Server
You cannot use apt-get to install Tomcat 7 on a machine where you have Tomcat 6 installed, it will fail. And yet Tomcat 6 is necessary to run Oscar12_1. Thus a manual installation is required.
You should install Tomcat 7 as the user who will run MyOscar...
so as root change to a directory where you will install Tomcat . Then get the latest Tomcat 7 binary from Apache. The version number below may have been superseded by the time you are reading this, so you may want to browse http://tomcat.apache.org/download-70.cgi for the best mirror and the number of the latest version . Then decompress the tarball
cd /var/lib sudo wget http://apache.mirror.rafal.ca/tomcat/tomcat-7/v7.0.39/bin/apache-tomcat-7.0.39.tar.gz sudo tar xvzf apache-tomcat-7.0.39.tar.gzFor convenience (and so that these instructions remain current) assign a symbolic link to the named directory
sudo ln -s /var/lib/apache-tomcat-7.0.39 ./tomcat7Now change ownership of the files to the unpriveldeged user who will be running Tomcat, in this case the tomcat7 user
sudo chown -R tomcat7:tomcat7 tomcat7
SSL connections for Everyone
SSL, or Secure Socket Layer, is a technology which allows web browsers and web servers to communicate over a secured connection.For My Oscar the major use is for security to ensure that the data being sent is encrypted by one side, transmitted, then decrypted by the other side before processing
You can set up SSL connection via Tomcat with the instructions below. If you need lower port numbers or need to run a full web server you can set up SSL with Apache (see Installing Oscar to run on port 443)a) Prepare a Certificate
Use the Java keytool to generate a key for tomcat using standard RSA encryption. Use the same password for both the keypass and the storepass (technically they don't have to be the same for Tomcat 7 but its simpler this way)/ Remember to use your own password instead of the placeholder "liyi".
sudo $JAVA_HOME/bin/keytool -genkey -alias tomcat -validity 3650 -keyalg RSA-keystore/var/lib/tomcat7/.keystore-keypass liyi -storepass liyi
Now reference the generated keystore in the tomcat configuration file. Activate those connectors in server.xml specification taking care that you don't conflict with another services that might be using those ports.
sudo nano tomcat7/conf/server.xml
Now adjust the data so it looks something like the below (ports 8090 and 8091 used below as they don't conflict with default Tomcat6 settings) changing the location of the keystoreFile and the keystore password to match the actual ones you used.
<Connector port="8090" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8091" /> <Connector port="8091" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="200" scheme="https" secure="true" enableLookups="false" disableUploadTimeout="true" clientAuth="false" sslProtocol="TLS" keystoreFile="/var/lib/tomcat7/.keystore" keystorePass="liyi" />
b) Install Oscar's Server Certificate
Copy over the base64 certificate from the -BEGIN CERTIFICATE- to the -END CERTIFICATE- you are using on the Oscar server. if you can't access the certificate easily (you can view the certificate in FireFox) the following script may help
#!/bin/sh
#
# usage: retrieve-cert.sh remote.host.name [port]
#
REMHOST=$1
REMPORT=${2:-443}
echo |\
openssl s_client -connect ${REMHOST}:${REMPORT} 2>&1 |sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'sample usage to extract the certificate for an Oscar server on 10.69.241.1 accessed on ssh on port 8443 would be
retrieve-cert.sh 10.69.241.1:8443 > oscar_certificate.fileNow add the certificate you are using for the OSCAR server to the myoscar's Java 7 keystore
$JAVA_HOME/bin/keytool -import -alias oscar -file oscar_certificate.file -keystore/var/lib/tomcat7/.keystore
You will be prompted for the passwords for the keystore, the certificate to be imported will be displayed, and then you will be asked if you Trust it
Trust this certificate? [no]: Yes Certificate was added to keystore
Now recipricate for the myoscar server's certificate on the OSCAR server.
War File Installation
The source is in Git. Follow the IDE Oscar install instructions, clone the source oscar_clinic_component, myoscar_server2
and oscar_client2 projects. Then change to each projects directory and
compile each with maven and copy the resultant to the tomcat webapps
directory.
Most of these components are built against java 7. Oscar_clinic_component is different and handled separately below. The following are not requirements but are versions that work for compiling
For the myoscar_server use the following. For the other wars do similarly.
mvn package -Dmaven.test.skip=true
cd target
sudo mv *-SNAPSHOT.war /var/lib/tomcat7/webapps/myoscar_server.war
Alternately copy the binary war files from Sourceforge to tomcat webapps or CATALINA_BASE as below.
$ wget http://sourceforge.net/projects/myoscar/files/myoscar2/myoscar_server-2013-08-13.war $ wget http://sourceforge.net/projects/myoscar/files/myoscar2/myoscar_client-2013-08-13.war $ sudo cp myoscar_server-2013-08-13.war $CATALINA_BASE/myoscar_server.war $ sudo cp myoscar_client-2013-08-13.war $CATALINA_BASE/myoscar.war
Optional bits
OPTIONAL If in development environment it may be useful to run the tests to check the build, to do that you need to setup a dbuser user with the dbpasswordf password for MySQL prior to compiling . At the MySQL prompt type
mysql>CREATE USER 'dbuser'@'localhost' IDENTIFIED BY 'dbpassword'; mysql>GRANT ALL ON *.* to 'dbuser'@'localhost' IDENTIFIED BY 'dbpassword';
Note that running the tests creates a myoscar_server database that will need to be dropped prior to initializing with a blank database or test data. For security reasons in production use remember to DROP USER the dbuser user or change the password to one that is not published after you are done with building.
OPTIONAL For debugging purposes it may be useful to setup the tomcat manager application by editing tomcat-users.xml
sudo nano /var/lib/tomcat7/conf/tomcat-users.xml
and add the following to the <tomcat-users> section (provide your own username and password)
<role rolename="manager-gui"/> <role rolename="admin"/> <user username="tomcat" password="liyi" roles="manager-gui,admin"/>
MyOscar Server Configuration
Note: You need to start Tomcat and allow config.xml to be expanded before you can edit config.xml (see below)
edit config.xml
sudo nano $CATALINA_BASE/myoscar_server/WEB-INF/classes/config.xmlAnd review and change as needed the following. Leave most of the settings alone. Do set the database configuration parameters in here if not smtp parameters as well. The user entry is the name of a MySQL user that has read write privileges on the myoscar_server2 database when identified by the password.
<?xml version="1.0" encoding="UTF-8"?> <server> <database> <user>MySQLuser</user> <password>MySQLpassword</password> <url_prefix>jdbc:mysql://127.0.0.1:3306/</url_prefix> <schema>myoscar_server2</schema> <driver>com.mysql.jdbc.Driver</driver> </database><smtp> <host>smpt.gmail.com</host> <ssl_port>443</ssl_port> <user>user</user> <password>userpassword</password> </smtp> </server>
Optional bit
TIP: If you are going to be re-installing the war, rather than redoing this every time, copy this modified configuration outside the application itself and reference it when you start tomcat. To do that pass a system parameter of "-Dmyoscar_server_config=override.xml" where override.xml is an xml config file which trumps the default one. One way of doing this is to put this information into the bin directory of Tomcat7 in setenv.sh which gets run when you start Tomcat7
You only have to put in the sections that differ from the rest of the standard config file, and you probably should limit to that for safety (and have the build date and other developer tuned settings update when you update the war).
NOTE manually installed Tomcat 7s as above will have the bin at /var/lib/tomcat7/bin rather than the path shown below
sudo nano /usr/share/tomcat7/bin/setenv.sh
The file will be empty. You can specify a number of options here. By example you could put in
export JAVA_HOME="/usr/lib/jvm/java-7-oracle"
but for this purpose we want to add a parameter to JAVA_OPTS
JAVA_OPTS="${JAVA_OPTS} -Dmyoscar_server_config=/var/local/tomcat7/webapps/server_override.xml"
JAVA_OPTS="${JAVA_OPTS} -Dmyoscar_client_config=/var/local/tomcat7/webapps/client_override.xml"
JAVA_OPTS="${JAVA_OPTS} -Doscar_patient_portal_config=/var/local/tomcat7/webapps/portal_override.xml"
export JAVA_OPTS
Remember to make setenv.sh executionable
sudo chmod +x setenv.sh
Initialize the Database
Start Tomcat 7
cd /var/local/tomcat7/bin
sudo ./startup.shAfter installation and loading Tomcat you should go to http://localhost:8090/myoscar_server/admin/install.jsp to initialize the database.
You will be warned if a database already exists (you will have to drop the schema manually if you want to reload a blank database)
Encryption is optional. Probably you should NOT encrypt the database if you followed the instructions to encrypt the entire Ubuntu disk as suggested in the Oscar installation instructions. Click the button.
Wait a while and you will be given a screen with the following message:
MyOscar Server Admin
Database created successfully.You will need to start the application server / tomcat.
At this point MyOscar Server Admin Database, myoscar_server2 has been created successfully with the database credentials as indicated in your confix.xml and with the administrative user credentials as you provided.
You can check this with the mysql command line by logging into myoscar_server2 and showing tables, there will be about 35, with a line in Person with your administrative user and password (encrypted).
Then test that the connection works on http://localhost:8090/myoscar_server/ws
Finally test that the connection also works on what you supplied for "https_endpoint_url_base" in the XML file https://localhost:8091/myoscar_server/ws as its this connection that the MyOscar client uses. (you will see the same screen if it works)
MyOscar Client Configuration
Copy over the myoscar_client.war to the webapps directory as simply myoscar.war (this will be part of the URL that the user is going to type so keep it short). After the war expands alter your config.xml file.
sudo vi $CATALINA_BASE/myoscar/WEB-INF/classes/config.xmlAnd review and change as needed the following. Leave most of the settings alone. Match the "myoscar_base_url" that you are using for the server. smtp parameters need to be added as well for the contact us link to work.
<?xml version="1.0" encoding="UTF-8"?>
<server>
<smtp>
<host>smtp.gmail.com</host>
<ssl_port>465</ssl_port>
<user>user@gmail.com</user>
<password>userpassword</password>
</smtp>
<myoscar_client>
<!--
<myoscar_server_base_url>http://127.0.0.1:8090/myoscar_server</myoscar_server_base_url>
-->
<myoscar_server_base_url>https://127.0.0.1:8091/myoscar_server</myoscar_server_base_url>
<contact_us_recipient_email_addresses>example@domain</contact_us_recipient_email_addresses>
<contact_us_from_email_address>notifier@example.com</contact_us_from_email_address>
</myoscar_client>
</server>
Restart tomcat
cd /var/local/tomcat7/binsudo ./shutdown.shsudo ./startup.sh
Test your login to the client http://127.0.0.1:8090/myoscar
Note that the bottom right corner of the login page should have in faint gray the
build date, and if you hover the mouse over it, it should show you the
server URL it's connected to.
You should be able to login with the administrative user/password you specified when you initialized the server database above.
Agree to the legal stuff (you only have to do this once)
- For
the purposes of testing, click on the red "Create new user" menu link and create a provider account and assign a password.
- It can match the credentials the provider uses for Oscar but is probably better if it is something different.
- MyOscar user-names should be simple alpha numeric such as peterhc or john1
You should be able to login to the MyOscar Client using the provider user/password, just to verify the account/password does work.
You should also setup a "code" user name and a password that you will use for configuring web components that might link to MyOscar.
Optional bit
TIP: If you are going to be re-installing the war, rather than redoing this every time, copy this modified configuration outside the application itself and reference it when you start tomcat. To do that pass a system parameter of "-Dmyoscar_client_config=override.xml" where override.xml is an xml config file which trumps the default one. One way of doing this is to put this information into the bin directory of Tomcat7 in setenv.sh which gets run when you start Tomcat7 with
sudo vi /var/local/tomcat7/bin/setenv.sh
You can specify a number of options here but for this purpose we want to add a parameter to JAVA_OPTS
JAVA_OPTS="${JAVA_OPTS} -Dmyoscar_client_config=client_override.xml"
Oscar Clinic Component Configuration
Its optional but if you want appointment scheduling we have to configure that too. You will need to have setup Oscar with the schedule templates for the providers working schedule. This means you must also have created appointment types and time codes for the schedule, also make sure you setup the holiday days properly in oscar.
First clone the code (you need an account on oscartools.org to download)
peter@phc-14:~/git$ git clone ssh://peterhc@source.oscartools.org:29418/oscar_clinic_component Cloning into 'oscar_clinic_component'... remote: Counting objects: 359, done remote: Finding sources: 100% (359/359) remote: Total 359 (delta 115), reused 359 (delta 115) Receiving objects: 100% (359/359), 912.09 KiB | 575 KiB/s, done. Resolving deltas: 100% (115/115), done.
Unlike the other components this is built against java 6. You can check what you are using by checking version information for maven
peter@phc-14:~/git/oscar_clinic_component$ mvn -version Apache Maven 2.2.1 (rdebian-1) Java version: 1.6.0_35 Java home: /usr/lib/jvm/jdk1.6.0/jre Default locale: en_CA, platform encoding: UTF-8 OS name: "linux" version: "2.6.32-32-generic" arch: "amd64" Family: "unix"
- jdk1.6.0_24 and 1.6.0_35
Ok so you have the right compiler - Put it to use!
peter@phc-14:~/git$ cd oscar_clinic_component/ peter@phc-14:~/git/oscar_clinic_component$ mvn -Dmaven.test.skip=true clean package
Second deploy/copy the war file into the Tomcat 7 servlet container like any standard war.
cd target
sudo cp *-SNAPSHOT.war /var/local/tomcat7/webapps/oscar_clinc_component.warEdit config.xml, and preferably externalise the changes as am portal_override.xml file. The 2 most important settings would be the oscar web services settings and the myoscar server web services settings, they need to be correct for this to connect to them.
<server>
<misc>
<override_config_sytem_property_key>oscar_patient_portal_config</override_config_sytem_property_key>
</misc>
<oscar_patient_portal>
<myoscar_server_base_url>http://localhost:8090/myoscar_server</myoscar_server_base_url>
<myoscar_server_user>code_component_user</myoscar_server_user>
<myoscar_server_password>code_component_user_pass</myoscar_server_password>
<application_entry_uri>http://localhost:8090/oscar_clinic_component/index.jsp</application_entry_uri>
<booking_config_file list_entry="true">/var/lib/tomcat7/webapps/clinicBooking.xml</booking_config_file>
<!-- due to oscar security the url must end with a / -->
<oscar_server_base_url>https://localhost:8443/Oscar12_1/ws/</oscar_server_base_url>
<oscar_server_user>oscar_user</oscar_server_user>
<oscar_server_password>oscar_password</oscar_server_password>
</oscar_patient_portal>
</server>
Note that the actual appointment settings have been externalised as well to clinicBooking.xml which might look like the following. Note that the appointment_code is a comma separated subset of codes found in Oscar's database oscar_12_1.scheduletemplatecode.code. Similarly the appointment_type id's and names are taken from oscar_12_1.appointmentType
<root name="Northern Clinic">
<clinic name="default"></clinic>
<title>Haileybury Clinic Bookings</title>
<address>555 Meridian</address>
<phone>705-672-5555</phone>
<hours>Mon-Fri, 9AM-4PM</hours>
<daysToSearchAheadLimit>180</daysToSearchAheadLimit>
<numberOfAppointmentOptionsToReturn>30</numberOfAppointmentOptionsToReturn>
<appointment_code duration="15" code="1"></appointment_code>
<appointment_type id="3" name="MyOscar"></appointment_type>
<allowedProvider providerNo="101" role="PROVIDER">
<allowed_appointment id="1" appointment_codes="1" duration="15">
</allowed_appointment>
</allowedProvider>
</root>
sudo service tomcat7 stop sudo service tomcat7 start
For manually installed tomcat 7 it will be like the following
cd /var/lib/tomcat7/binsudo ./shutdown.shsudo ./startup.sh
If it hasn't registered itself (There is no entry in the left hand column that corresponds) it might be that you may need to load it yourself in the myoscar2 schema from the MySQL prompt. Note that the componentName has to match in both tables with something like:
INSERT INTO `RemoteComponent` (`id`, `componentName`, `componentUri`, `editDate`, `editorId`) VALUES (1, 'oclinic_Northern Clinic', 'http://localhost:8090/oscar_clinic_component/index.jsp?clinic=Northern Clinic', '2013-04-17 20:13:30', 5); INSERT INTO `RemoteComponentText` (`id`, `authorText`, `componentName`, `displayDescriptionText`, `displayName`, `locale`, `termsOfUseText`) VALUES (1, 'Peter H-C', 'oclinic_Northern Clinic', 'This component allows patients to book their own appointments online', 'Haileybury FHT', 'en_US', 'None.');
Optional bit
TIP: If you are going to be re-installing the war, rather than redoing this every time, copy this modified configuration outside the application itself and reference it when you start tomcat. To do that pass a system parameter of "-Doscar_patient_portal_config=override.xml" where override.xml is an xml config file which trumps the default one. One way of doing this is to put this information into the bin directory of Tomcat7 in setenv.sh which gets run when you start Tomcat7 with
sudo vi /var/local/tomcat7/bin/setenv.sh
You can specify a number of options here but for this purpose we want to add a parameter to JAVA_OPTS
JAVA_OPTS="${JAVA_OPTS} -oscar_patient_portal_config=portal_override.xml"
Oscar Configuration for MyOscar2
Setup eForm to PDF
The eForm's "Send To PHR" functionality necessary for sending eForms and labwork to MyOscar relies on the HTML to PDF conversion feature. The Oscar12_1 deb installs and configures this for you. Test that it is working by printing something out of the Rich Text Editor which will produce a pdf for you if this is set up property.
Change the MyOscar settings in the Properties File
Alter your Oscar.properties file to match something like the following.
MY_OSCAR=yes
MY_OSCAR_EXCHANGE_INTERVAL = 5
ModuleNames=Indivo
# this is the link for 'view PHR record' in Oscar's Master File for the myOscar client
# If anyone needs to use Oscar off site it should be set to the myoscar client WAN IP and NOT the LAN
myOSCAR.url = https://WAN_IP:8091/myoscar/
# this is the Oscar server to myoscar_server connection so should be routed locally
# currently if you have a self signed certificate, you may have to run it as http
myoscar_server_base_url=http://10.69.241.1:8090/myoscar_server/ws# cxf web services set to your LAN ip of your OSCAR instance
https_endpint_url_base=http://192.168.1.1:8080/Oscar12_1/ws If your Oscar database is not configured with MyOscar tables (the deb installation is so configured automatically) then load them (replace ***** with the MySQL root password and oscar_mcmaster with the name of the 12_1 database)
$ mysql -uroot -p********* oscar_mcmaster <$HOME/src/oscar_source/oscar/database/mysql/updates/update-phr-docs.sql
Restart tomcat 6
sudo /etc/init.d/tomcat6 restartSetting up Oscar Providers
When you login as oscardoc, go to the top menu "pref", near the bottom of the screen will be "set myoscar login id".
Enter the provider username you created above and save it.
Go to the patients master file record and hit "edit". On the right hand column between "country of origin" and "sin" should by " Register for MyOSCAR" option link.
The subsequent screen should prompt you for your myoscar password. Once you fill that in, it should pre-populate most of the patients information. A username and initial password is supplied for the patient which you may edit, check off the provider(s) who should be allowed to access that chart, and if the patient should be allowed to contact them, then submit. You will be given the option of printing the username and password for the patient to take home.
A warning "The user and corresponding permissions
have been added. All checked providers
must authorize this demographic as "patient" from
the OSCAR Personal Health Record
message screen before the patient can communicate
with them.
" .
If you now go back to the patient ui, you should be able to login with that username/password.
On
the left menu of the patient ui, there should be "messages", click on
that. Click on "send new message". The "to" list should have your
provider as an option, put in a test subject and a test message and send
it. On the patient ui, on the left menu should be a "sent" option, you
should now notice the message you just sent is in that list.
If you now go back to the oscar ui as the provider, click on the
"myoscar" option on the top menu of the appointment/schedule screen. It
should default to the inbox and you should see your test message. You
should be able to reply etc to the message as well and verify that in
the patient ui the patient sees the response etc.
Security Considerations
Securing your MyOscar box is beyond the scope of this paper. However as MyOscar is designed to be accessible over the internet, we should be conscious of the issues.
The MyOscar client / patient ui by the nature of it's purpose, is meant to have an open port on the internet for patients to use.
The MyOscar server by virtue of it's design purpose is also meant to have an open port on the internet as other "Oscars" are suppose to be able to communicate with it. If you are not giving anyone else access to your MyOscar server then there's no need to forward or open *that* port. So in most cases, keep that one closed.
Oscar itself is an in between case. You mostly will access it on
your LAN and only certain parties at certain locations will need to
access it remotely. As described in security hardening, if you want to
access it outside the LAN (and that is convenient), then for the few
machines that need to do so you can can build an SSH tunnel with key
authentication.
As
for whether all 3 of these services are on the same machine or not, it
should not really matter, however we have run into intermittent
ssl_error_internal_error_alert with Firefox (only) on servers running
both Tomcat 6 and Tomcat 7 on the same JVM.
You should not be opening any machine
to the internet in any case. In theory you should only be opening the
ports you need, i.e. the Myoscar client's http port. This makes it no
less secure than any other http port on the planet like ebay's or your
banks, or anything else.
To be nit picky about internal security, you could put all 3
applications on 3 different physical servers, heck why not put the
database on a 4th server too, and have different passwords on all 4
servers and put firewalls up between all of them. You need to decide
your effort vs returns. There would have to be a serious error/flaw in
one of the applications web pages before anything else is compromised
let alone significantly compromised.
Document Actions
