MyOscar2 Installation for Oscar 11 and 12
Preface
Document Version History
- v1.0 – initial public release on oscarmanual.org – August 23, 2011
- v1.1 – added information about configuring eForm to PDF dependency – August 25, 2011
- v1.2 – added suggestions about usernames – August 29, 2011
- v1.3 – updated to Oscar 12 and newer sourceforge path – May 12, 2012
- v1.4 – added Tomcat 7 instructions and Patient Portal installation – May 13, 2012
- v1.5 – fixed Tomcat 7 instructions and Patient Portal installation – May 13, 2012
- v1.6 - updated with content from sourceforge. http://sourceforge.net/projects/myoscar/files/myoscar2/ - April 5, 2013 (EW)
copyright by Peter Hutten-Czapski 2011-2012 © under the Creative Commons Attribution-Share Alike 3.0 Unported License.
|
Contents
|
Prerequisites
It is assumed that- You already have Oscar 12 installed on Ubuntu according to instructions on Tomcat 6
- You have configured Tomcat to provide Https connections.
- You are running Oracle (Sun) java .
- You have a moderate level of Linux knowledge.
Overview:
Configuring and installing the MyOscar2 system involves four servers. One Oscar server and three MyOscar servers.
- The original Oscar itself. MyOscar2 requires version 11x or newer.
- MyOscar_server. This server will respond to either Oscar or MyOscar_client through an XML protocol
- MyOscar_client server. This is the web GUI for administrative and patient access to the MyOscar system
- Oscar Patient Portal server. This is the server that administers appointment setting, and is normally accessed through the MyOscar client
Tomcat 7 Installation
The following instructions will install Tomcat 7 to your linux box and allow for the MyOscar servers to run
First change to a directory where you will install Tomcat 7
Note: /var/local was used because this particular installation already had Tomcat 6 installed and MyOscar was being added to the same machine. If you are installing on a new server, you can put Tomcat in its normal location.
cd /var/local
Then get the latest Tomcat 7 binary from Apache. The version number below may have been superseded by the time you are reading this, so you may want to browse http://tomcat.apache.org/download-70.cgi for the best mirror and the number of the latest version .
sudo wget http://apache.mirror.rafal.ca/tomcat/tomcat-7/v7.0.39/bin/apache-tomcat-7.0.39.tar.gz sudo tar xvzf apache-tomcat-7.0.39.tar.gz
For convenience (and so that these instructions remain current) assign a symbolic link to the named directory
sudo ln -s /var/local/apache-tomcat-7.0.39 ./tomcat7
Setup a SSL certificate as per security hardening. Now activate those connectors in server.xml specification taking care that you don't conflict with another services that might be using those ports.
sudo vi tomcat7/conf/server.xml
Now adjust the data so it looks something like the below (ports 8090 and 8091 used as they don't conflict with default Tomcat6 settings) changing the location of the keystoreFile and the keystore password to match the actual ones you used. You can use the same certificate that you used for Tomcat6 if you prefer.
<Connector port="8090" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8091" /> <Connector port="8091" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="200" scheme="https" secure="true" enableLookups="false" disableUploadTimeout="true" clientAuth="false" sslProtocol="TLS" keystoreFile="/var/local/tomcat7/.keystore" keystorePass="liyi" />
War File Installation
Copy the binary war files from Sourceforge to tomcat webapps or CATALINA_BASE as below. NOTE to use these or earlier binaries as later ones use different components and require Java 7. Those instructions are found elsewhere.$ wget http://sourceforge.net/projects/myoscar/files/myoscar2/myoscar_server-2012-11-21.war $ wget http://sourceforge.net/projects/myoscar/files/myoscar2/myoscar_client-2012-12-19.war $ wget http://sourceforge.net/projects/myoscar/files/myoscar2/oscar_patient_portal-2012-12-19.war $ sudo cp myoscar_server-2012-11-21.war $CATALINA_BASE/myoscar_server.war $ sudo cp myoscar_client-2012-12-19.war $CATALINA_BASE/myoscar_client.war $ sudo cp oscar_patient_portal-2012-12-19.war $CATALINA_BASE/oscar_patient_portal.war
Optional bits
OPTIONAL If in development environment it may be useful to run the tests to check the build, to do that you need to setup a dbuser user with the dbpasswordf password for MySQL prior to compiling . At the MySQL prompt type
mysql>CREATE USER 'dbuser'@'localhost' IDENTIFIED BY 'dbpassword'; mysql>GRANT ALL ON *.* to 'dbuser'@'localhost' IDENTIFIED BY 'dbpassword';
Note that running the tests creates a myoscar_server database that will need to be dropped prior to initializing with a blank database or test data. For security reasons in production use remember to DROP USER the dbuser user or change the password to one that is not published after you are done with building.
OPTIONAL For debugging purposes it may be useful to setup the tomcat manager application by editing tomcat-users.xml
sudo vi /var/local/tomcat7/conf/tomcat-users.xml
and add the following to the <tomcat-users> section (provide your own username and password)
<role rolename="manager-gui"/> <role rolename="admin"/> <user username="tomcat" password="liyi" roles="manager-gui,admin"/>
MyOscar Server Configuration
Note: You need to start Tomcat and allow config.xml to be expanded before you can edit config.xml (see below)
edit config.xml
sudo vi $CATALINA_BASE/myoscar_server/WEB-INF/classes/config.xmlAnd review and change as needed the following. You will most likely want to at least set the database configuration parameters in here if not smtp parameters as well. The user entry is the name of a MySQL user that has read write privileges on the myoscar_server2 database when identified by the password. The "https_endpoint_url_base" is essential and must reflect the port that Tomcat is listening on for https connections on your server and the exact name of the server web application that you are referencing. If you change the default here you will need to match it later when you configure the client.
<database> <user>dbuser</user> <password>dbpassword</password> <url_prefix>jdbc:mysql://127.0.0.1:3306/</url_prefix> <schema>myoscar_server2</schema> <driver>com.mysql.jdbc.Driver</driver> </database><smtp> <host></host> <ssl_port></ssl_port> <user></user> <password></password> </smtp><myoscar_server> <https_endpoint_url_base>https://localhost:8091/myoscar_server/ws</https_endpoint_url_base>
Optional bit
TIP: If you are going to be re-installing the war, rather than redoing this every time, copy this modified configuration outside the application itself and reference it when you start tomcat. To do that pass a system parameter of "-Dmyoscar_server_config=override.xml" where override.xml is an xml config file which trumps the default one. One way of doing this is to put this information into the bin directory of Tomcat7 in setenv.sh which gets run when you start Tomcat7 with
sudo vi /var/local/tomcat7/bin/setenv.sh
The file will be empty. You can specify a number of options here but for this purpose we want to add a parameter to JAVA_OPTS
JAVA_OPTS="${JAVA_OPTS} -Dmyoscar_server_config=server_override.xml"
Remember to make setenv.sh executionable
sudo chmod +x setenv.sh
You only need to (and its probably safer) put parameters that you are changing from the default into the override.xml
Initialize the Database
Start Tomcat 7
cd /var/local/tomcat7/bin
sudo ./startup.shAfter installation and loading Tomcat you should go to http://localhost:8090/myoscar_server/admin/install.jsp to initialize the database.
You will be warned if a database already exists (you will have to drop the schema manually if you want to reload a blank database)
Encryption is optional. Probably you should NOT encrypt the database if you followed the instructions to encrypt the entire Ubuntu disk as suggested in the Oscar installation instructions. Click the button.
Wait a while and you will be given a screen with the following message:
MyOscar Server Admin
Database created successfully.You will need to start the application server / tomcat.
At this point MyOscar Server Admin Database, myoscar_server2 has been created successfully with the database credentials as indicated in your confix.xml and with the administrative user credentials as you provided.
You can check this with the mysql command line by logging into myoscar_server2 and showing tables, there will be about 35, with a line in Person with your administrative user and password (encrypted).
Then test that the connection works on http://localhost:8090/myoscar_server/ws
Finally test that the connection also works on what you supplied for "https_endpoint_url_base" in the XML file https://localhost:8091/myoscar_server/ws as its this connection that the MyOscar client uses. (you will see the same screen if it works)
MyOscar Client Configuration
Alter your config.xml file to match the "https_endpoint_url_base" that you are using. The client configuration must match the server, so if you changed the endpoint in the server config.xml you have to repeat that changed URL here.
sudo vi $CATALINA_BASE/myoscar_client/WEB-INF/classes/config.xmlRestart tomcat
cd /var/local/tomcat7/binsudo ./shutdown.shsudo ./startup.sh
Test your login to the client http://127.0.0.1:8090/myoscar_client
Note that the bottom right corner of the login page should have in faint gray the
build date, and if you hover the mouse over it, it should show you the
server url it's connected to.
You should be able to login with the administrative user/password you specified when you initialized the server database above.
Agree to the legal stuff (you only have to do this once)
- For
the purposes of testing, click on the red "Create new user" menu link and create a provider account and assign a password.
- It can match the credentials the provider uses for Oscar but is probably better if it is something different.
- MyOscar user-names should be simple alpha numeric such as peterhc or john1
You should be able to login to the MyOscar Client using the provider user/password, just to verify the account/password does work.
Optional bit
TIP: If you are going to be re-installing the war, rather than redoing this every time, copy this modified configuration outside the application itself and reference it when you start tomcat. To do that pass a system parameter of "-Dmyoscar_client_config=override.xml" where override.xml is an xml config file which trumps the default one. One way of doing this is to put this information into the bin directory of Tomcat7 in setenv.sh which gets run when you start Tomcat7 with
sudo vi /var/local/tomcat7/bin/setenv.sh
You can specify a number of options here but for this purpose we want to add a parameter to JAVA_OPTS
JAVA_OPTS="${JAVA_OPTS} -Dmyoscar_client_config=client_override.xml"
Oscar Clinic Component (was Oscar Patient Portal) Configuration
Yes we have to configure that too.
First build the code or download the war archive
Second deploy/copy the war file into a servlet container like any standard war.
Edit config.xml. The 2 most important settings would be
the oscar web services settings and the myoscar server web services
settings, they need to be correct for this to connect to them.
There's also 3 parameters that need to be setup, the list of oscar
provider numbers, appointmentTypes, and time codes. These parameters
control which providers show up on the booking list, what appointment
types they can pick from, and what time slots in the providers schedule
is eligible for online booking.
You will need to have setup Oscar with the schedule templates for the
providers working schedule. This means you must also have created
appointment types and time codes for the schedule, also make sure you
setup the holiday days properly in oscar.
sudo vi $CATALINA_BASE/myoscar_client/WEB-INF/classes/config.xmlRestart tomcat
cd /var/local/tomcat7/binsudo ./shutdown.shsudo ./startup.sh
From the myoscar_client side, assuming your configuration is correct, it should register itself with the myoscar system with in a minute if you starting the server. Once that happens you should see it as an option under the persons preferences.
Optional bit
TIP: If you are going to be re-installing the war, rather than redoing this every time, copy this modified configuration outside the application itself and reference it when you start tomcat. To do that pass a system parameter of "-Doscar_patient_portal_config=override.xml" where override.xml is an xml config file which trumps the default one. One way of doing this is to put this information into the bin directory of Tomcat7 in setenv.sh which gets run when you start Tomcat7 with
sudo vi /var/local/tomcat7/bin/setenv.sh
You can specify a number of options here but for this purpose we want to add a parameter to JAVA_OPTS
JAVA_OPTS="${JAVA_OPTS} -oscar_patient_portal_config=portal_override.xml"
Oscar Configuration for MyOscar2
Setup eForm to PDF
The eForm's "Send To PHR" functionality necessary for sending eForms to MyOscar relies on the HTML to PDF conversion feature.
The HTML to PDF conversion requires the following 2 things :
- Wkhtmltopdf binary command line utility needs be installed. The oscar.properties file has an entry "WKHTMLTOPDF_COMMAND" which should be set to the wkhtmltopdf executable. See the comments in the oscar.properties for details.
- The oscar server must be contactable from itself using the server name the users web browser is using. So, as an example if user uses a url like https://oscar.example.com/oscar/index.jsp to access the server, the server itself must be able to use oscar.example.com to contact itself. This is not normally the case if the server is behind a NAT router, it's often considered a routing error on NAT servers and devices. The solution is that the servers hosts file should have that server name mapped to 127.0.0.1. This requirement is needed because the server contacts itself to generate pdf's from the web pages and it can not use 127.0.0.1 because tomcat virtual hosts may not map 127.0.0.1 properly, i.e. if you have 2 instances of oscar on the same tomcat instance and you use tomcat virtual hosting to map the host names to the webapps, 127.0.0.1 will not know which oscar instance you're referring to where as a proper host name will resolve to the proper webapp.
Installing and Configuring Wkhtmltopdf
In Ubuntu 10.04 a somewhat constrained version can be obtained fairly easily. You can skip this if you are using Oscar12.1
Test the installationsudo apt-get update sudo apt-get install wkhtmltopdf
for unmet dependencies
wkhtmltopdf http://www.google.com test.pdf
Edit the oscar.properties file so the fully justified path to the program is listed
WKHTMLTOPDF_COMMAND=/usr/bin/wkhtmltopdf
Change the MyOscar settings in the Properties File
Alter your Oscar.properties file to match something like the following.
MY_OSCAR=yes
MY_OSCAR_EXCHANGE_INTERVAL = 2
ModuleNames=Indivo
myOSCAR.url = http://localhost:8080/myoscar_client/If your Oscar database is not configured with MyOscar tables then load them (replace ***** with the MySQL root password and oscar_mcmaster with the name of the 11x database)
$ mysql -uroot -p********* oscar_mcmaster <$HOME/src/oscar_source/oscar/database/mysql/updates/update-phr-docs.sql
Restart tomcat 6
sudo /etc/init.d/tomcat6 restartSetting up Oscar Providers
When you login as oscardoc, go to the top menu "pref", near the bottom of the screen will be "set myoscar login id".
Enter the provider username you created above and save it.
Go to the patients master file record and hit "edit". On the right hand column between "country of origin" and "sin" should by " Register for MyOSCAR" option link.
The subsequent screen should prompt you for
your myoscar password. Once you fill that in, it should pre-populate
most of the patients information. Provide a username ending with @myoscar.org and password for the
patient, check off the provider who should be allowed to access that chart, then submit. A warning "The user and corresponding permissions have been added. All checked providers
must authorize this demographic as "patient" from the OSCAR Personal Health Record
message screen before the patient can communicate with them.
" will follow.
If you now go back to the patient ui, you should be able to login with that username/password.
On
the left menu of the patient ui, there should be "messages", click on
that. Click on "send new message". The "to" list should have your
provider as an option, put in a test subject and a test message and send
it. On the patient ui, on the left menu should be a "sent" option, you
should now notice the message you just sent is in that list.
If you now go back to the oscar ui as the provider, click on the
"myoscar" option on the top menu of the appointment/schedule screen. It
should default to the inbox and you should see your test message. You
should be able to reply etc to the message as well and verify that in
the patient ui the patient sees the response etc.
Security Considerations
Securing your MyOscar box is beyond the scope of this paper. However as MyOscar is designed to be accessible over the internet, we should be conscious of the issues.
The MyOscar client / patient ui by the nature of it's purpose, is meant to have an open port on the internet for patients to use.
The MyOscar server by virtue of it's design purpose is also meant to have an open port on the internet as other "Oscars" are suppose to be able to communicate with it. If you are not giving anyone else access to your MyOscar server then there's no need to forward or open *that* port. So in most cases, keep that one closed.
Oscar itself is an in between case. You mostly will access it on your LAN and only certain parties at certain locations will need to access it remotely. As described in security hardening, if you want to access it outside the LAN (and that is convenient), then for the few machines that need to do so you can can build an SSH tunnel with key authentication.
As
for whether all 3 of these services are on the same machine or not, it
should not really matter, however we have run into intermittent ssl_error_internal_error_alert with Firefox (only) on servers running both Tomcat 6 and Tomcat 7 on the same JVM.
You should not be opening any machine
to the internet in any case. In theory you should only be opening the
ports you need, i.e. the Myoscar client's http port. This makes it no
less secure than any other http port on the planet like ebay's or your
banks, or anything else.
To be nit picky about internal security, you could put all 3
applications on 3 different physical servers, heck why not put the
database on a 4th server too, and have different passwords on all 4
servers and put firewalls up between all of them. You need to decide
your effort vs returns. There would have to be a serious error/flaw in
one of the applications web pages before anything else is compromised
let alone significantly compromised.
Document Actions
