Version History
Version# | Date | Modified By | Description of Modification |
---|---|---|---|
1.0 | 03/14/2013 | Matt Tiller | Initial version |
1.1 | 04/01/2013 | Matt Weaver | Added clarification regarding keystores on the classpath. |
1.2 | 04/05/2013 | Deepthi Rodrigues | Updated wiki links for Exchange certificate configuration page |
1.3 | 08/01/2013 | Alamelu Chidambaram | Added new SSL setting needed for Managed Server |
1.4 | 03/06/2014 | Srinivasa Murthy | Removed the data source related to HIEM and modified the WebLogic Administration Console URL |
1.5 | 03/21/2014 | Kerry Chin | Edited for formatting, style, grammar, etc. |
1.6 | 10/31/2014 | Chris May/Naresh Subramanyan | Updated for Admin GUI, Direct Config, and Direct QOS |
1.7 | 01/29/2015 | Alamelu Chidambaram | Updated JAVA_OPTIONS for Ping Utility Feature |
1.8 | 10/26/2018 | Minh-Hai Nguyen | Update to use JDK 8 and keysize 2048 |
Preface
The CONNECT Product team's approach is to provide instructions that focus on the setting or configuration that is required and less on exactly how to set that configuration. For example, the CONNECT Product team's instructions are more likely to say, "set a given environment variable to a given value" as opposed to "execute this command on windows," and again, "execute this command on *nix." Another example, specific to WebLogic, is that the CONNECT Product team's instructions will not reference exactly how to start a managed server because there are too many ways to start a managed server that may differ from site to site, such as command line, node manager, python or shell scripts, etc.
For examples of how the CONNECT team accomplished some configurations, please see the /wiki/spaces/CONNECT4/pages/48005195.
Testing with the CONNECT regression suite
Important note: Pre-populated entity requests in the CONNECT regression suite contain <urn1:authorized>authorized</urn1:authorized> elements, which will result in an exception on WebLogic 12.2. Please update the value from "authorized" or "?" to "true" if executing these tests and encountering exceptions.
Prerequisites
- Java 1.8 or higher version
- Database (MySQL is CONNECT default).
- WebLogic Server
WebLogic Setup
The CONNECT Product Team testing included the use of one Admin Server and one Managed Server with the CONNECT application and datasources deployed directly to the managed server. Our approach was to maximize the configurations and settings that can be done in the CONNECT application and minimize modifications that must be made to the WebLogic instance. To this end, the only modifications made to the WebLogic install were changing to Oracle JDK 1.8, adding the keystore/truststore java options, adding the keystore/truststore to the classpath, and deploying the datasources. The CONNECT Product Team is very interested in working with community members to reduce the modifications to the WebLogic instance in order to support CONNECT.
Change WebLogic to Use JDK
WebLogic start-up scripts will pick up java from the JAVA_HOME environment variable. Adopters should set their JAVA_HOME environment variable to point to Oracle JDK version 1.x.0_yy (where x is the version number and yy is the update).
Create Key Store
How Do I Set Up the Certs?
Deploying CONNECT from Binaries#certkeystore
Either add the keystore and truststore to the classpath or provide absolute paths in the signature and truststore properties files. See Exchange Certificate Configuration Details for more information.
(1) Add the folder containing the keystore and truststore to the classpath. Be sure to add the path to the beginning of the existing path so that the existing path is preserved. For example:
CLASSPATH=<path to certs>:$CLASSPATH
(2) Alternatively, update signature.properties and truststore.properties to contain absolute paths as shown in the following two code blocks:
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin org.apache.ws.security.crypto.merlin.keystore.type=jks org.apache.ws.security.crypto.merlin.keystore.password=changeit org.apache.ws.security.crypto.merlin.keystore.alias=gateway org.apache.ws.security.crypto.merlin.file=<absolute path to gateway.jks> org.apache.ws.security.crypto.merlin.keystore.private.password=changeit
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin org.apache.ws.security.crypto.merlin.keystore.type=jks org.apache.ws.security.crypto.merlin.keystore.password=changeit org.apache.ws.security.crypto.merlin.file=<absolute path to cacerts.jks>
Create Config Directory
Create a folder to put configuration files in. For example:
mkdir /home/connect/nhinc
Make sure the folder just created is reflected in -Dnhinc.properties.dir in the JAVA_OPTIONS.
Copy/transfer configuration files to the config folder. In the binary distribution these files can be found in the Properties directory of the zip. If using the source code:
cp -pr Product/Production/Common/Properties/src/main/resources/* /home/connect/nhinc
Set Up Environment Variables
What Java Options Do I Need to Deploy CONNECT?
JAVA_OPTIONS=-Xmx8g -Dnhinc.properties.dir=/home/connect/nhinc -Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.keyStore=<path to keystore>/gateway.jks -Djavax.net.ssl.keyStoreType=JKS -Djavax.net.ssl.trustStoreType=JKS -Djavax.net.ssl.trustStore=<path to truststore>/cacerts.jks -DCLIENT_KEY_ALIAS=gateway -Djava.security.egd=file:/dev/./urandom -DUseSunHttpHandler=true
Note: The JVM option "-Dweblogic.management.clearTextCredentialAccessEnabled=true" should be added only for WebLogic 12.1.3 Install.
Set Up Datasources
Set up the following datasources using the WebLogic Administration Console. "Name" can be any value an implementer chooses. The CONNECT Product team recommends using meaningful names.
Name | jndi Name | Database Name |
---|---|---|
AdminGuidbDataSource | jdbc/adminguidb_datasource | adminguidb |
AssigningAuthoritydbDataSource | jdbc/assigningauthoritydb_datasource | assigningauthoritydb |
AsyncMsgsDataSource | jdbc/asyncmsgs_datasource | asyncmsgs |
AuditDatasource | jdbc/auditrepo_datasource | auditrepo |
ConfigdbDatasource | jdbc/configdb_datasource | configdb |
DocRepositoryDataSource | jdbc/docrepository_datasource | docrepository |
EventdbDataSource | jdbc/eventdb_datasource | eventdb |
MessageMonitoringdbDataSource | jdbc/messagemonitoringdb_datasource | messagemonitoringdb |
PatientCorrelationdbDataSource | jdbc/patientcorrelationdb_datasource | patientcorrelationdb |
PatientdbDataSource | jdbc/patientdb_datasource | patientdb |
TransRepoDataSource | jdbc/transrepo_datasource | transrepo |
- Browse to the WebLogic Administration Console (typically http://<localhost or IP Address>:7001/console) and log in
- In the left Domain Structure panel, go to Services -> Datasources
- Click New -> Generic Data Source
- Enter Name, jndi name, and database type. Default CONNECT database is MySQL. Click Next
- Select the appropriate driver for the environment and click Next
- Configure transaction setting -- for CONNECT Product team testing Support Global Transactions was unchecked. Click Next
- Enter User Name, Password, Server Name, Database Name, and Port Number. Click Next. Username and password for default CONNECT database is nhincuser/nhincpass
- Test the configuration using the "Test Connection" button. If successful, click Next or review changes and fix
- Select Targets -- Check the box next to the managed server created for CONNECT
- Click Finish
Configure Keystore & Truststore
- Under "Environment," go to "Servers," then go to the adopter's managed server
- Navigate to "Keystores"
- Keystores: "Custom Identity and Custom Trust"
- Under "Keystores" --> "Identity"
- "Custom Identity Keystore:" = <path to certs>/gateway.jks
- "Custom Identity Keystore Type:" = JKS (or leave blank)
- Enter the passphrase and confirm
- Under "Keystores" --> "Trust"
- "Custom Trust Keystore:" = <path to certs>/cacerts.jks
- "Custom Trust Keystore Type:" = JKS (or leave blank)
- Enter the passphrase and confirm
Configure SSL & Two-Way SSL
Using the WebLogic Console, configure the WebLogic instance to require the client certificate during SSL handshakes.
- Login to the WebLogic Console, typically at http://localhost:7001/console
- Under "Environment," go to "Servers," then go to the adopter's managed server
- Navigate to the "SSL" tab
- Identity and Trust Locations: "Keystores"
- Private Key Alias: "gateway"
- Enter passphrase and confirm
- Certificate Location: "from Custom Identity Keystore"
- Trusted Certificate Authorities: "from Custom Trust Keystore"
- Navigate to the "SSL" tab and then the Advanced section
- Ensure the drop down for "Two Way Client Cert Behavior" is set to "Client Certs Requested and Enforced"
- Check JSSE-SSL flag (for weblogic 12.1.x)
Step 6 is needed only if you see the following Exception during server start-up:
Loading the identity certificate and private key stored under the alias gateway from the JKS keystore file /../../../gateway.jks
Inconsistent security configuration, java.lang.RuntimeException: Cannot convert identity certificate
Deploy CONNECT
- Browse to the WebLogic Administration Console (typically http://<localhost or IP Address>:7001/console) and log in
- In the left Domain Structure panel, go to Deployments. Click Install
- Browse to the <binary-location>/CONNECT-<VERSION>/CONNECT/<VERSION>/CONNECT-WL-<VERSION>.ear file. Click Next
- Ensure "Install this deployment as an application" is checked. Click Next
- Check the Check Box next to the target managed server. Click Next
- Click Finish
- Optional: For deploying CONNECT Admin GUI, repeat the steps 2-6 using <binary-location>/CONNECT-<VERSION>/CONNECTAdminGUI/<VERSION>/CONNECTAdminGUI-<VERSION>.war.