
MyOscar2 Installation for Oscar 11 and 12

Installing and configuring MyOscar2 (Java 6 versions) for Oscar 11 and 12 (use MyOscar v1 for 10.12 and older Oscar versions)

Preface

These instructions are adequate for a local instance of MyOscar2 for development work.

Document Version History

  • v1.0 – initial public release on oscarmanual.org – August 23, 2011
  • v1.1 – added information about configuring eForm to PDF dependency – August 25, 2011
  • v1.2 – added suggestions about usernames – August 29, 2011
  • v1.3 – updated to Oscar 12 and newer sourceforge path – May 12, 2012
  • v1.4 – added Tomcat 7 instructions and Patient Portal installation – May 13, 2012
  • v1.5 – fixed Tomcat 7 instructions and Patient Portal installation – May 13, 2012
  • v1.6 - updated with content from sourceforge. http://sourceforge.net/projects/myoscar/files/myoscar2/  - April 5, 2013 (EW)
This document is based on advice from Ted Leung
copyright by Peter Hutten-Czapski 2011-2012 © under the Creative Commons Attribution-Share Alike 3.0 Unported License

Contents

  1. Preface
    1. Document Version History
  2. Prerequisites
  3. Overview
  4. War File Installation
  5. MyOscar Server
  6. MyOscar Client
  7. Oscar Configuration
  8. Security Considerations

    Prerequisites

    It is assumed that
    1. You already have Oscar 12 installed on Ubuntu according to instructions on Tomcat 6
    2. You have configured Tomcat to provide HTTPS connections.
    3. You are running Oracle (Sun) Java.
    4. You have a moderate level of Linux knowledge.
    Note: These instructions assume that you will be adding the MyOscar servers on another machine.  MyOscar was designed to operate as a stand-alone server.

    Overview:

    Configuring and installing the MyOscar2 system involves four servers: one Oscar server and three MyOscar servers.

    1. The original Oscar itself.  MyOscar2 requires version 11x or newer.
    2. MyOscar_server.  This server responds to either Oscar or MyOscar_client through an XML protocol.
    3. MyOscar_client server.  This is the web GUI for administrative and patient access to the MyOscar system.
    4. Oscar Patient Portal server.  This is the server that administers appointment setting, and is normally accessed through the MyOscar client.

     

    Tomcat 7 Installation 

    The following instructions install Tomcat 7 on your Linux box so that the MyOscar servers can run.

    First change to a directory where you will install Tomcat 7

    Note: /var/local was used because this particular installation already had Tomcat 6 installed and MyOscar was being added to the same machine.   If you are installing on a new server, you can put Tomcat in its normal location.

    cd /var/local

    Then get the latest Tomcat 7 binary from Apache.  The version number below may have been superseded by the time you are reading this, so you may want to browse http://tomcat.apache.org/download-70.cgi for the best mirror and the number of the latest version.

    sudo wget http://apache.mirror.rafal.ca/tomcat/tomcat-7/v7.0.39/bin/apache-tomcat-7.0.39.tar.gz
    sudo tar xvzf apache-tomcat-7.0.39.tar.gz

     For convenience (and so that these instructions remain current) assign a symbolic link to the named directory

    sudo ln -s /var/local/apache-tomcat-7.0.39 ./tomcat7

    Set up an SSL certificate as per security hardening.  Now activate the connectors in server.xml, taking care that you don't conflict with other services that might be using those ports.

    sudo vi tomcat7/conf/server.xml

    Now adjust the connectors so they look something like the below (ports 8090 and 8091 are used because they don't conflict with the default Tomcat 6 settings), changing the location of the keystoreFile and the keystore password to match the actual ones you used.  You can use the same certificate that you used for Tomcat 6 if you prefer.

       <Connector port="8090" protocol="HTTP/1.1"
                   connectionTimeout="20000"
                   redirectPort="8091" />  
       <Connector port="8091" protocol="HTTP/1.1" 
                   SSLEnabled="true"
                   maxThreads="200" 
                   scheme="https" 
                   secure="true" 
                   enableLookups="false" 
                   disableUploadTimeout="true" 
                   clientAuth="false"  
                   sslProtocol="TLS" 
                   keystoreFile="/var/local/tomcat7/.keystore"
                   keystorePass="liyi"   />

    War File Installation

    Copy the binary war files from Sourceforge to tomcat webapps or CATALINA_BASE as below.  Note: use these or earlier binaries, as later ones use different components and require Java 7.  Instructions for those are found elsewhere.
    $ wget http://sourceforge.net/projects/myoscar/files/myoscar2/myoscar_server-2012-11-21.war
    $ wget http://sourceforge.net/projects/myoscar/files/myoscar2/myoscar_client-2012-12-19.war
    $ wget http://sourceforge.net/projects/myoscar/files/myoscar2/oscar_patient_portal-2012-12-19.war
    $ sudo cp myoscar_server-2012-11-21.war $CATALINA_BASE/myoscar_server.war
    $ sudo cp myoscar_client-2012-12-19.war $CATALINA_BASE/myoscar_client.war
    $ sudo cp oscar_patient_portal-2012-12-19.war $CATALINA_BASE/oscar_patient_portal.war

    Optional bits

    Note: You will need to install MySQL if the MyOscar is on another machine.
     

    OPTIONAL  In a development environment it may be useful to run the tests to check the build. To do that you need to set up a dbuser user with the dbpassword password for MySQL prior to compiling.  At the MySQL prompt type

    mysql>CREATE USER 'dbuser'@'localhost' IDENTIFIED BY 'dbpassword';
    mysql>GRANT ALL ON *.* to 'dbuser'@'localhost' IDENTIFIED BY 'dbpassword';

    Note that running the tests creates a myoscar_server database that will need to be dropped prior to initializing with a blank database or test data.  For security reasons in production use remember to DROP USER the dbuser user or change the password to one that is not published after you are done with building.

    OPTIONAL  For debugging purposes it may be useful to set up the Tomcat manager application by editing tomcat-users.xml

    sudo vi /var/local/tomcat7/conf/tomcat-users.xml

    and add the following to the <tomcat-users> section (provide your own username and password)

    <role rolename="manager-gui"/>
    <role rolename="admin"/> 
    <user username="tomcat" password="liyi" roles="manager-gui,admin"/>

     

    MyOscar Server Configuration

    Note: You need to start Tomcat and allow config.xml to be expanded before you can edit config.xml  (see below)

    Edit config.xml

    sudo vi $CATALINA_BASE/myoscar_server/WEB-INF/classes/config.xml

    Review the following and change it as needed.  You will most likely want to at least set the database configuration parameters in here, if not the smtp parameters as well. The user entry is the name of a MySQL user that has read/write privileges on the myoscar_server2 database when identified by the password.  The "https_endpoint_url_base" is essential and must reflect the port that Tomcat is listening on for https connections on your server and the exact name of the server web application that you are referencing.  If you change the default here you will need to match it later when you configure the client.

    	<database>
    		<user>dbuser</user>
    		<password>dbpassword</password>
    		<url_prefix>jdbc:mysql://127.0.0.1:3306/</url_prefix>
    		<schema>myoscar_server2</schema>
    		<driver>com.mysql.jdbc.Driver</driver>
    	</database>
    	<smtp>
    		<host></host>
    		<ssl_port></ssl_port>
    		<user></user>
    		<password></password>
    	</smtp>
    
    	<myoscar_server>
    		<https_endpoint_url_base>https://localhost:8091/myoscar_server/ws</https_endpoint_url_base>

    Optional bit

    TIP: If you are going to be re-installing the war, rather than redoing this every time, copy this modified configuration outside the application itself and reference it when you start Tomcat.  To do that pass a system parameter of "-Dmyoscar_server_config=override.xml" where override.xml is an xml config file which trumps the default one.  One way of doing this is to put this information into setenv.sh in the bin directory of Tomcat 7, which gets run when you start Tomcat 7.  Create or edit it with

    sudo vi /var/local/tomcat7/bin/setenv.sh

    The file will be empty.  You can specify a number of options here but for this purpose we want to add a parameter to JAVA_OPTS

    JAVA_OPTS="${JAVA_OPTS} -Dmyoscar_server_config=server_override.xml"

    Remember to make setenv.sh executable

    sudo chmod +x /var/local/tomcat7/bin/setenv.sh

    You only need to (and it's probably safer to) put the parameters that you are changing from the default into the override.xml

    Initialize the Database

    Start Tomcat 7

    cd /var/local/tomcat7/bin
    sudo ./startup.sh

    After installation and loading Tomcat you should go to http://localhost:8090/myoscar_server/admin/install.jsp to initialize the database. 

    You will be warned if a database already exists (you will have to drop the schema manually if you want to reload a blank database)

    Encryption is optional.  Probably you should NOT encrypt the database if you followed the instructions to encrypt the entire Ubuntu disk as suggested in the Oscar installation instructions.  Click the button.

    MyOscar2 Server Initialising

     Wait a while and you will be given a screen with the following message:

    MyOscar Server Admin

    Database created successfully.
    You will need to start the application server / tomcat.

    At this point the MyOscar Server Admin database, myoscar_server2, has been created successfully with the database credentials indicated in your config.xml and with the administrative user credentials you provided.
    You can check this with the mysql command line by logging into myoscar_server2 and showing tables; there will be about 35, with a line in Person with your administrative user and password (encrypted).

    Then test that the connection works on http://localhost:8090/myoscar_server/ws

    MyOscar2 SOAP Services

    Finally test that the connection also works on what you supplied for "https_endpoint_url_base" in the XML file, https://localhost:8091/myoscar_server/ws, as it's this connection that the MyOscar client uses.  (You will see the same screen if it works.)

    MyOscar Client Configuration

    Alter your config.xml file to match the "https_endpoint_url_base" that you are using. The client configuration must match the server, so if you changed the endpoint in the server config.xml you have to repeat that changed URL here.

    sudo vi $CATALINA_BASE/myoscar_client/WEB-INF/classes/config.xml
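Before restarting, the three settings this guide ties together (the SSL connector port in server.xml, the server's "https_endpoint_url_base" and the client's copy of it) can be compared mechanically. The script below is an added example, not part of the original instructions or of MyOscar; it assumes the client config.xml uses the same `<https_endpoint_url_base>` element name as the server excerpt above, and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example, not MyOscar code. Assumption: the client config.xml carries the
# same <https_endpoint_url_base> element as the server excerpt in this guide.

# Print the text of the first <https_endpoint_url_base> element in a file.
endpoint_of() {
    sed -n 's:.*<https_endpoint_url_base>\(.*\)</https_endpoint_url_base>.*:\1:p' "$1" |
        head -n 1
}

# Print the port of every active Connector with SSLEnabled="true" in a Tomcat
# server.xml, one per line. Connectors inside <!-- ... --> are ignored.
ssl_ports() {
    awk 'BEGIN { RS = ">" }
         in_comment { if ($0 ~ /--$/) in_comment = 0; next }
         /<!--/     { if ($0 !~ /--$/) in_comment = 1; next }
         /<Connector/ && /SSLEnabled="true"/ {
             # the leading whitespace keeps redirectPort="..." from matching
             if (match($0, /[ \t\n]port="[0-9]+"/))
                 print substr($0, RSTART + 7, RLENGTH - 8)
         }' "$1"
}

# check_endpoints SERVER_XML SERVER_CONFIG CLIENT_CONFIG
# Returns 0 when every check passes, 1 otherwise; problems go to stderr.
check_endpoints() {
    srv=$(endpoint_of "$2"); cli=$(endpoint_of "$3"); rc=0
    case $srv in
        https://*) ;;
        *) echo "server endpoint is not https: '$srv'" >&2; rc=1 ;;
    esac
    [ "$srv" = "$cli" ] || { echo "client '$cli' differs from server '$srv'" >&2; rc=1; }
    # Port is the number after the host, e.g. 8091 in https://localhost:8091/...
    port=$(printf '%s\n' "$srv" | sed -n 's#^https://[^/:]*:\([0-9][0-9]*\)/.*#\1#p')
    [ -n "$port" ] || port=443
    ssl_ports "$1" | grep -qx "$port" ||
        { echo "no active SSLEnabled connector on port $port" >&2; rc=1; }
    return "$rc"
}

# Usage: sh check_endpoints.sh server.xml server/config.xml client/config.xml
if [ "$#" -eq 3 ]; then check_endpoints "$@"; fi
```

A non-zero exit means the client would be pointed at an endpoint that is plain http, differs from the server's, or has no enabled TLS connector behind it.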

    Restart tomcat

    cd /var/local/tomcat7/bin
    sudo ./shutdown.sh
    sudo ./startup.sh

    Test your login to the client http://127.0.0.1:8090/myoscar_client

    MyOscar Client Login
    Note that the bottom right corner of the login page should have in faint gray the build date, and if you hover the mouse over it, it should show you the server url it's connected to.

    You should be able to login with the administrative user/password you specified when you initialized the server database above.
    MyOscar Terms of Use

    Agree to the legal stuff (you only have to do this once)

    MyOscar Welcome

    • For the purposes of testing, click on the red "Create new user" menu link and create a provider account and assign a password. 
    • It can match the credentials the provider uses for Oscar but is probably better if it is something different.
    • MyOscar user-names should be simple alpha numeric such as peterhc or john1

    MyOscar New User

    You should be able to login to the MyOscar Client using the provider user/password, just to verify the account/password does work.

    Optional bit

    TIP: If you are going to be re-installing the war, rather than redoing this every time, copy this modified configuration outside the application itself and reference it when you start Tomcat.  To do that pass a system parameter of "-Dmyoscar_client_config=override.xml" where override.xml is an xml config file which trumps the default one.  One way of doing this is to put this information into setenv.sh in the bin directory of Tomcat 7, which gets run when you start Tomcat 7.  Edit it with

    sudo vi /var/local/tomcat7/bin/setenv.sh

    You can specify a number of options here but for this purpose we want to add a parameter to JAVA_OPTS

    JAVA_OPTS="${JAVA_OPTS} -Dmyoscar_client_config=client_override.xml"

     Oscar Clinic Component (was Oscar Patient Portal) Configuration

    Yes we have to configure that too. 

    First build the code or download the war archive

    Second deploy/copy the war file into a servlet container like any standard war.

    Edit config.xml. The 2 most important settings are the oscar web services settings and the myoscar server web services settings; they need to be correct for this component to connect to them.
       There are also 3 parameters that need to be set up: the list of oscar provider numbers, appointmentTypes, and time codes. These parameters control which providers show up on the booking list, what appointment types they can pick from, and which time slots in the provider's schedule are eligible for online booking.
       You will need to have set up Oscar with the schedule templates for the provider's working schedule. This means you must also have created appointment types and time codes for the schedule. Also make sure you set up the holiday days properly in oscar.

    sudo vi $CATALINA_BASE/oscar_patient_portal/WEB-INF/classes/config.xml

    Restart tomcat

    cd /var/local/tomcat7/bin
    sudo ./shutdown.sh
    sudo ./startup.sh

    To test, go to the client url, i.e. http://127.0.0.1:8090/oscar_patient_portal/test_login.jsp, which should bring up a test login page to check if everything is working properly. You can bypass the myoscar client by using this page, but you must fill in the userId (not username).

    From the myoscar_client side, assuming your configuration is correct, it should register itself with the myoscar system within a minute of starting the server. Once that happens you should see it as an option under the person's preferences.

    Optional bit

    TIP: If you are going to be re-installing the war, rather than redoing this every time, copy this modified configuration outside the application itself and reference it when you start Tomcat.  To do that pass a system parameter of "-Doscar_patient_portal_config=override.xml" where override.xml is an xml config file which trumps the default one.  One way of doing this is to put this information into setenv.sh in the bin directory of Tomcat 7, which gets run when you start Tomcat 7.  Edit it with

    sudo vi /var/local/tomcat7/bin/setenv.sh

    You can specify a number of options here but for this purpose we want to add a parameter to JAVA_OPTS

    JAVA_OPTS="${JAVA_OPTS} -Doscar_patient_portal_config=portal_override.xml"

    Oscar Configuration for MyOscar2

    Setup eForm to PDF

    The eForm's "Send To PHR" functionality necessary for sending eForms to MyOscar relies on the HTML to PDF conversion feature.

    The HTML to PDF conversion requires the following 2 things :

    1. The wkhtmltopdf binary command line utility needs to be installed. The oscar.properties file has an entry "WKHTMLTOPDF_COMMAND" which should be set to the wkhtmltopdf executable. See the comments in oscar.properties for details.
    2. The oscar server must be contactable from itself using the server name the user's web browser is using. For example, if a user uses a url like https://oscar.example.com/oscar/index.jsp to access the server, the server itself must be able to use oscar.example.com to contact itself. This is not normally the case if the server is behind a NAT router; it's often considered a routing error on NAT servers and devices. The solution is to map that server name to 127.0.0.1 in the server's hosts file. This requirement exists because the server contacts itself to generate PDFs from the web pages, and it cannot use 127.0.0.1 because Tomcat virtual hosts may not map 127.0.0.1 properly: if you have 2 instances of oscar on the same Tomcat instance and you use Tomcat virtual hosting to map the host names to the webapps, 127.0.0.1 will not know which oscar instance you're referring to, whereas a proper host name will resolve to the proper webapp.

     

    Installing and Configuring Wkhtmltopdf

    In Ubuntu 10.04 a somewhat constrained version can be obtained fairly easily. You can skip this if you are using Oscar12.1

    sudo apt-get update
    sudo apt-get install wkhtmltopdf

    Test the installation for unmet dependencies

    wkhtmltopdf http://www.google.com test.pdf

    Edit the oscar.properties file so the fully qualified path to the program is listed

    WKHTMLTOPDF_COMMAND=/usr/bin/wkhtmltopdf

    Change the MyOscar settings in the Properties File

    Alter your oscar.properties file to match something like the following.

    MY_OSCAR=yes
    MY_OSCAR_EXCHANGE_INTERVAL = 2
    ModuleNames=Indivo
    myOSCAR.url = http://localhost:8080/myoscar_client/

    If your Oscar database is not configured with MyOscar tables then load them (replace ***** with the MySQL root password and oscar_mcmaster with the name of the 11x database)

    $ mysql -uroot -p********* oscar_mcmaster < $HOME/src/oscar_source/oscar/database/mysql/updates/update-phr-docs.sql 

    Restart tomcat 6

    sudo /etc/init.d/tomcat6 restart

    Setting up Oscar Providers

    When you login as oscardoc, go to the top menu "pref", near the bottom of the screen will be "set myoscar login id".

    11x Oscar Preferences

    Enter the provider username you created above and save it.

    11x Set MyOscar Username

    Go to the patient's master file record and hit "edit". In the right hand column, between "country of origin" and "sin", there should be a "Register for MyOSCAR" option link.

    Edit Master Record

    The subsequent screen should prompt you for your myoscar password. Once you fill that in, it should pre-populate most of the patients information. Provide a username ending with @myoscar.org and password for the patient, check off the provider who should be allowed to access that chart, then submit.  A warning "The user and corresponding permissions have been added. All checked providers must authorize this demographic as "patient" from the OSCAR Personal Health Record message screen before the patient can communicate with them. " will follow.
    11x Register for MyOscar
    If you now go back to the patient ui, you should be able to login with that username/password.
    On the left menu of the patient ui, there should be "messages", click on that. Click on "send new message". The "to" list should have your provider as an option, put in a test subject and a test message and send it. On the patient ui, on the left menu should be a "sent" option, you should now notice the message you just sent is in that list.

    If you now go back to the oscar ui as the provider, click on the "myoscar" option on the top menu of the appointment/schedule screen. It should default to the inbox and you should see your test message. You should be able to reply etc to the message as well and verify that in the patient ui the patient sees the response etc.

     

    Security Considerations

    Securing your MyOscar box is beyond the scope of this paper.  However as MyOscar is designed to be accessible over the internet, we should be conscious of the issues.

    The MyOscar client / patient ui, by the nature of its purpose, is meant to have an open port on the internet for patients to use.

    The MyOscar server, by virtue of its design purpose, is also meant to have an open port on the internet, as other "Oscars" are supposed to be able to communicate with it. If you are not giving anyone else access to your MyOscar server then there's no need to forward or open *that* port.  So in most cases, keep that one closed.

    Oscar itself is an in-between case.  You will mostly access it on your LAN, and only certain parties at certain locations will need to access it remotely. As described in security hardening, if you want to access it outside the LAN (and that is convenient), then for the few machines that need to do so you can build an SSH tunnel with key authentication.

    As for whether all 3 of these services are on the same machine or not, it should not really matter, however we have run into intermittent ssl_error_internal_error_alert with Firefox (only) on servers running both Tomcat 6 and Tomcat 7 on the same JVM.

    You should not be opening any machine to the internet in any case. In theory you should only be opening the ports you need, i.e. the MyOscar client's http port. This makes it no less secure than any other http port on the planet like eBay's or your bank's, or anything else.

    To be nit-picky about internal security, you could put all 3 applications on 3 different physical servers, heck, why not put the database on a 4th server too, and have different passwords on all 4 servers and put firewalls up between all of them. You need to decide your effort vs returns. There would have to be a serious error/flaw in one of the applications' web pages before anything else is compromised, let alone significantly compromised.
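
The sample passwords printed in this guide (`liyi` in server.xml and tomcat-users.xml, `dbpassword` in config.xml) are public, so any of them left in a deployed file is a finding. The script below is an added example, not from the original page or the MyOscar project, that reports files still carrying one of those values or readable by every local user; the function names are illustrative and the files to check are whatever paths you pass in.

```shell
#!/bin/sh
# Added example: find this guide's published sample passwords in deployed
# config files. Nothing here is MyOscar code; file paths are the caller's.

SAMPLE_SECRETS='liyi dbpassword'   # passwords printed in this guide

# audit_file FILE
# Prints one finding per line; returns the number of findings (0 = clean).
audit_file() {
    file=$1; findings=0
    [ -r "$file" ] || { echo "$file: cannot read"; return 1; }
    for secret in $SAMPLE_SECRETS; do
        # Whole-value match only: attribute value ="x" or element text >x<,
        # so a longer string that merely contains the sample is not flagged.
        if grep -Eq "=\"$secret\"|>$secret<" "$file"; then
            echo "$file: still uses published sample password '$secret'"
            findings=$((findings + 1))
        fi
    done
    # Files that hold passwords should not be readable by every local user.
    if [ -n "$(find "$file" -prune -perm -004)" ]; then
        echo "$file: readable by all local users"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# audit_all FILE...
# Returns 0 only when every file is clean.
audit_all() {
    bad=0
    for f in "$@"; do
        audit_file "$f" || bad=1
    done
    return "$bad"
}

# Usage: sh audit_samples.sh conf/server.xml conf/tomcat-users.xml .../config.xml
if [ "$#" -gt 0 ]; then audit_all "$@"; fi
```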

     
