Introduction
WildFly 15.0.0.Final can be downloaded at: http://wildfly.org/downloads
This guide focuses on the WildFly Elytron subsystem configuration needed to deploy CONNECT. Please refer to the CONNECT Implementation Guides to integrate CONNECT with your live web service components and to import genuine certificates issued by an authorized certificate authority before attempting transactions on a live exchange.
Prerequisites
- A running instance of MySQL (the CONNECT team uses version 5.7.22)
- Either a downloaded /wiki/spaces/CONNECTWIKI/pages/117610137 or a /wiki/spaces/CONNECTWIKI/pages/113311928
- If Direct will be deployed with CONNECT, the Java Cryptography Extension must be installed. Please see the Oracle JCE Documentation.
- Set JBOSS_HOME as an environment variable with the path to your JBoss installation root and add the variable to your class path
Detailed Setup
CONNECT properties directory module setup
Create the CONNECT properties directory:
For Windows, create a $JBOSS_HOME/modules/system/layers/base/org/connectopensource/configuration/main folder (some folders may already exist, some will need to be created)
For Linux, execute the following command: mkdir -p $JBOSS_HOME/modules/system/layers/base/org/connectopensource/configuration/main
To register the CONNECT properties directory as a WildFly module, create a module.xml file within that directory and add the following contents:
${JBOSS_HOME}/modules/.../org/connectopensource/configuration/main/module.xml:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<module xmlns="urn:jboss:module:1.1" name="org.connectopensource.configuration">
    <resources>
        <resource-root path="."/>
    </resources>
</module>
```
Copy the CONNECT configuration files to the newly-created CONNECT properties directory. In the binary distribution, these files can be found in the Properties directory. To copy directly from the source in LINUX:
```shell
cp -r $CONNECT_ROOT/Product/Production/Common/Properties/src/main/resources/* $JBOSS_HOME/modules/system/layers/base/org/connectopensource/configuration/main
```
Configure keystores and truststores on the JBoss classpath. Execute the following commands from the CONNECT properties directory to create the keystore (gateway.jks) and the truststore (cacerts.jks). To manage these files in another location, be sure to make the necessary configuration updates listed at /wiki/spaces/CONNECTWIKI/pages/10584180.

```shell
keytool -v -genkey -keyalg RSA -keysize 2048 -keystore gateway.jks -keypass changeit -storepass changeit -validity 365 -alias gateway -dname "cn=localhost"
keytool -v -export -rfc -alias gateway -file localhost.cer -keystore gateway.jks -keypass changeit -storepass changeit
keytool -v -import -keypass changeit -noprompt -trustcacerts -alias localhost -file localhost.cer -keystore cacerts.jks -storepass changeit
```
Setting JAVA_OPTS
In the standalone configuration file ($JBOSS_HOME/bin/standalone.conf in Linux, $JBOSS_HOME\bin\standalone.conf.bat in Windows), append the following and localize each statement based on your target OS:
Java 8 Users
Please note that Java 8 does not utilize the MaxPermSize and PermSize flags. These may be omitted on Java 8+
In Windows:

```batch
rem # Increase memory allocation
set "JAVA_OPTS=-Xmx8000m -XX:MaxPermSize=1024m -XX:PermSize=1024m"
rem # configuration directory
set "JAVA_OPTS=%JAVA_OPTS% -Dnhinc.properties.dir=%JBOSS_HOME%/modules/system/layers/base/org/connectopensource/configuration/main"
rem # keystore and truststore
set "JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.keyStore=%JBOSS_HOME%/modules/system/layers/base/org/connectopensource/configuration/main/gateway.jks"
set "JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.keyStorePassword=changeit"
set "JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.keyStoreType=JKS"
set "JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.trustStore=%JBOSS_HOME%/modules/system/layers/base/org/connectopensource/configuration/main/cacerts.jks"
set "JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.trustStorePassword=changeit"
set "JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.trustStoreType=JKS"
set "JAVA_OPTS=%JAVA_OPTS% -DCLIENT_KEY_ALIAS=gateway"
```

In Linux:

```shell
# Increase memory allocation
JAVA_OPTS="-Xmx8000m -XX:MaxPermSize=1024m -XX:PermSize=1024m"
# configuration directory
JAVA_OPTS="$JAVA_OPTS -Dnhinc.properties.dir=${JBOSS_HOME}/modules/system/layers/base/org/connectopensource/configuration/main"
# keystore and truststore
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStore=${JBOSS_HOME}/modules/system/layers/base/org/connectopensource/configuration/main/gateway.jks"
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStorePassword=changeit"
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStoreType=JKS"
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=${JBOSS_HOME}/modules/system/layers/base/org/connectopensource/configuration/main/cacerts.jks"
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStorePassword=changeit"
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStoreType=JKS"
JAVA_OPTS="$JAVA_OPTS -DCLIENT_KEY_ALIAS=gateway"
```
Configure SSL
Make the following configuration changes in $JBOSS_HOME/standalone/configuration/standalone.xml:
- Add a connect socket binding for port 8181 under the "standard-sockets" socket binding group:
- Add the following TLS configuration (key stores, key manager, trust manager and a server SSL context that requires client certificates) to the Elytron subsystem:

```xml
<subsystem xmlns="urn:wildfly:elytron:5.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
    <!-- ... -->
    <tls>
        <key-stores>
            <key-store name="ehealthKS">
                <credential-reference clear-text="changeit"/>
                <implementation type="JKS"/>
                <file path="/modules/system/layers/base/org/connectopensource/configuration/main/gateway.jks" relative-to="jboss.home.dir"/>
            </key-store>
            <key-store name="ehealthTS">
                <credential-reference clear-text="changeit"/>
                <implementation type="JKS"/>
                <file path="/modules/system/layers/base/org/connectopensource/configuration/main/cacerts.jks" relative-to="jboss.home.dir"/>
            </key-store>
        </key-stores>
        <key-managers>
            <key-manager name="ehealthKM" key-store="ehealthKS" alias-filter="gateway">
                <credential-reference clear-text="changeit"/>
            </key-manager>
        </key-managers>
        <trust-managers>
            <trust-manager name="ehealthTM" key-store="ehealthTS"/>
        </trust-managers>
        <server-ssl-contexts>
            <server-ssl-context name="ehealthSSC" need-client-auth="true" key-manager="ehealthKM" trust-manager="ehealthTM"/>
        </server-ssl-contexts>
    </tls>
    <!-- ... -->
</subsystem>
```
- Add an HTTPS listener to the "default-server" entry in the Undertow subsystem (Note: replace the previous http listener if it exists):
```xml
<subsystem xmlns="urn:jboss:domain:undertow:8.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other">
    <buffer-cache name="default"/>
    <server name="default-server">
        <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
        <https-listener name="https" socket-binding="connect" ssl-context="ehealthSSC" enable-http2="true"/>
        <host name="default-host" alias="localhost">
            <location name="/" handler="welcome-content"/>
            <http-invoker security-realm="ApplicationRealm"/>
        </host>
    </server>
    <servlet-container name="default">
        <jsp-config/>
        <websockets/>
    </servlet-container>
    <handlers>
        <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
    </handlers>
</subsystem>
```
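As an added check (example code, not part of the CONNECT project or this guide), the script below parses a standalone.xml and follows the chain https-listener → server-ssl-context → key-manager/trust-manager → key-store that the two snippets above set up, reporting a listener on the wrong port, a dangling reference, need-client-auth not set to true, and keystore passwords left as clear-text (Elytron can read them from a credential store instead). The SAMPLE document is constructed to mirror the guide's values; the socket-binding element for port 8181 is assumed from the first step, which the guide names but does not show.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the Elytron/Undertow wiring this guide adds, reduced to the attributes checked below.
SAMPLE = """<server xmlns="urn:jboss:domain:8.0"><profile>
<subsystem xmlns="urn:wildfly:elytron:5.0"><tls>
 <key-stores><key-store name="ehealthKS"><credential-reference clear-text="changeit"/></key-store>
  <key-store name="ehealthTS"><credential-reference clear-text="changeit"/></key-store></key-stores>
 <key-managers><key-manager name="ehealthKM" key-store="ehealthKS" alias-filter="gateway">
  <credential-reference clear-text="changeit"/></key-manager></key-managers>
 <trust-managers><trust-manager name="ehealthTM" key-store="ehealthTS"/></trust-managers>
 <server-ssl-contexts><server-ssl-context name="ehealthSSC" need-client-auth="true"
  key-manager="ehealthKM" trust-manager="ehealthTM"/></server-ssl-contexts></tls></subsystem>
<subsystem xmlns="urn:jboss:domain:undertow:8.0"><server name="default-server">
 <https-listener name="https" socket-binding="connect" ssl-context="ehealthSSC"/></server></subsystem>
</profile><socket-binding-group name="standard-sockets">
 <socket-binding name="connect" port="8181"/></socket-binding-group></server>"""

def _local(tag):  # strip the "{namespace}" prefix ElementTree puts on every tag
    return tag.split("}")[-1]

def _named(root, tag, name):  # first element with local name `tag` and name="name"
    return next((e for e in root.iter() if _local(e.tag) == tag and e.get("name") == name), None)

def check_tls_config(xml_text, listener="https", expected_port="8181"):
    """Return a list of findings; an empty list means the wiring matches the guide."""
    root, findings = ET.fromstring(xml_text), []
    lst = _named(root, "https-listener", listener)
    if lst is None:
        return [f"no https-listener named {listener!r}"]
    # 1. the listener's socket binding must exist and sit on the guide's port
    sb = _named(root, "socket-binding", lst.get("socket-binding"))
    if sb is None or sb.get("port") != expected_port:
        findings.append(f"socket-binding {lst.get('socket-binding')!r} missing or not on port {expected_port}")
    # 2. the ssl-context must resolve and must demand a client certificate (mutual TLS)
    ssc = _named(root, "server-ssl-context", lst.get("ssl-context"))
    if ssc is None:
        return findings + [f"server-ssl-context {lst.get('ssl-context')!r} not defined"]
    if ssc.get("need-client-auth") != "true":
        findings.append(f"{ssc.get('name')}: need-client-auth is not 'true', peers would go unauthenticated")
    # 3. key-manager and trust-manager must point at key-stores that are defined
    for mgr_tag in ("key-manager", "trust-manager"):
        mgr = _named(root, mgr_tag, ssc.get(mgr_tag))
        if mgr is None:
            findings.append(f"{mgr_tag} {ssc.get(mgr_tag)!r} not defined")
        elif _named(root, "key-store", mgr.get("key-store")) is None:
            findings.append(f"{mgr_tag} {mgr.get('name')}: key-store {mgr.get('key-store')!r} not defined")
    # 4. a keystore password written as clear-text belongs in an Elytron credential store
    if any(_local(e.tag) == "credential-reference" and e.get("clear-text") is not None for e in root.iter()):
        findings.append("credential-reference uses clear-text; move the password to a credential-store")
    return findings
```

Run it against a real file with `check_tls_config(open(path).read())`; on the guide's own configuration the only finding is the clear-text credential.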
SNI setup
SNI configuration is detailed in the section "SNI Configuration in WildFly 15" of Multiple Certificate, TLS and SAML support.
Address bindings
By default, WildFly services and applications are bound only to localhost. As needed, change any references of 127.0.0.1 to the desired binding address. 0.0.0.0 can be used to bind to all addresses.
Configure data sources
Download and copy mysql-connector-java-5.1.10.jar into the $JBOSS_HOME/standalone/deployments directory to install the MySQL JDBC driver.
Browse to http://localhost:9990 to open up the Admin Console. Click on Data Sources. Click on Add and use the following chart to configure your data sources (make sure you select the MySQL JDBC driver and provide database username and password):
Name | JNDI Name | Connection URL | Ref-Name | JTA |
---|---|---|---|---|
adminguidb_pool | java:/jdbc/adminguidb_datasource | jdbc:mysql://localhost:3306/adminguidb | jdbc/adminguidb_datasource | true |
assigningauthoritydb_pool | | | jdbc/assigningauthoritydb_datasource | true |
asyncmsgs_pool | | | jdbc/asyncmsgs_datasource | true |
auditrepo_pool | | | jdbc/auditrepo_datasource | false |
configdb_pool | java:/jdbc/configdb_datasource | jdbc:mysql://localhost:3306/configdb | jdbc/configdb_datasource | true |
docrepository_pool | | | jdbc/docrepository_datasource | true |
eventdb_pool | java:/jdbc/eventdb_datasource | jdbc:mysql://localhost:3306/eventdb | jdbc/eventdb_datasource | true |
messagemonitoringdb_pool | java:/jdbc/messagemonitoringdb_datasource | jdbc:mysql://localhost:3306/messagemonitoringdb | jdbc/messagemonitoringdb_datasource | true |
patientcorrelationdb_pool | | | jdbc/patientcorrelationdb_datasource | true |
patientdb_pool | | | jdbc/patientdb_datasource | true |
transrepo_pool | | | jdbc/transrepo_datasource | true |
Enable the data sources
Data sources need to be enabled after they have been added. Optionally, test each connection after enabling it.
Execute CONNECT database scripts
Execute the following SQL scripts:
- $CONNECT_ROOT/Product/DBScripts/nhincdb/dropall.sql
- $CONNECT_ROOT/Product/DBScripts/nhincdb/nhincdb.sql
- $CONNECT_ROOT/Product/DBScripts/nhincdb/populateTestData.sql
Deploy CONNECT
- Start the WildFly server and open the admin console. Follow the instructions for creating a new user.
- After creating a new user, click the Try Again link in the admin console to log in.
- In the Admin Console, click the Deployments tab.
- In the left Nav panel, click Add next to Deployment.
- Choose Upload a new deployment, click Next, click Choose File and browse to the <binary-location>/CONNECT-<VERSION>/CONNECT/<VERSION>/CONNECT-JB7-<VERSION>.ear file, click Next and then click Finish.
  If deploying from compiled source code, the CONNECT ear is located at $CONNECT_ROOT/Product/Production/Deploy/jboss7/target
- Click the Enable button corresponding to the CONNECT ear file.
Optional: To deploy the CONNECT Admin GUI, repeat steps 1-4 using <binary-location>/CONNECT-<VERSION>/CONNECTAdminGU/<VERSION>/CONNECTAdminGUI-<VERSION>.war
If deploying from compiled source code, the AdminGUI war file is located at $CONNECT_ROOT/Product/Production/Adapters/General/CONNECTAdminGUI/target
Log4J Configuration
Edit $JBOSS_HOME/standalone/configuration/standalone.xml as follows:
- Add a new file handler (i.e. NHIN) under the existing FILE handler in the logging subsystem:

```xml
<subsystem xmlns="urn:jboss:domain:logging:6.0">
    <!-- ... -->
    <periodic-rotating-file-handler name="FILE" autoflush="true">
        <formatter>
            <named-formatter name="PATTERN"/>
        </formatter>
        <file relative-to="jboss.server.log.dir" path="Nhin.log"/>
        <suffix value=".yyyy-MM-dd"/>
        <append value="true"/>
    </periodic-rotating-file-handler>
    <logger category="gov.hhs">
        <level name="DEBUG"/>
    </logger>
    <root-logger>
        <level name="INFO"/>
        <handlers>
            <handler name="FILE"/>
        </handlers>
    </root-logger>
    <!-- ... -->
</subsystem>
```