Deployment of the FHIR Endpoint using Github Registry Images
Before deployment you have to get two certificates from the DFN PKI:
- Server X.509 certificate (DFN profile Web Server) for the FHIR server
- Server/Client X.509 certificate (DFN profile 802.1X Client) for the local Business Process Engine to access FHIR servers, and for your FHIR server to perform HTTP HEAD calls to remote FHIR servers while validating incoming FHIR resources that reference remote FHIR servers.
Create a deployment folder named `fhir_compose` (for example) and copy the content of the folder `dsf-docker-test-setup ▸ fhir` into it to get a head start on configuring your setup.

WATCH OUT: The `config.properties` file in the `dsf-docker-test-setup ▸ fhir` folder is generated during the maven build; use `docker-test-fhir-config.properties` as the starting point for your `config.properties` file if you don't want to build the project.
- Add the CA chain, the FHIR Endpoint Server Certificate and the FHIR Endpoint Server Certificate Private Key to the folder `fhir_compose ▸ proxy ▸ ssl`:
  - Filenames have to be:
    - `ca_certificate.pem` for the CA chain
    - `certificate.pem` for the FHIR server certificate
    - `private-key.pem` for the FHIR server certificate private key
  - You can find the current DFN PKI CA chain here. All entries are needed since the `ca_certificate.pem` file is currently used to configure the server's intermediate CAs and the CA root for trusting client certificates.
- Adapt `fhir_compose ▸ app ▸ conf ▸ config.properties` with a new `org.highmed.dsf.fhir.db.liquibase_user_password` and `org.highmed.dsf.fhir.db.server_user_password`
- Add the liquibase_user_password to `db ▸ conf ▸ postgress_password`
- Generate the thumbprint of the local Business Process Engine server/client certificate using `certtool --fingerprint --hash=sha512 --infile=client_certificate.pem` or `openssl x509 -noout -fingerprint -sha512 -inform pem -in [certificate-file.pem]`

  WATCH OUT: the thumbprint has to be in lowercase without colons!
- Create a .p12 keystore of the local Business Process Engine server/client certificate using `openssl pkcs12 -export -out [client_certificate.p12] -inkey [private-key.pem] -in [client_certificate.pem] -certfile [chain.txt]` and move it into `fhir_compose ▸ app ▸ conf`
  - You can find the current DFN PKI CA chain here. The full chain is needed since the .p12 store is used as trust-store to authenticate the server and as certificate key-store while authenticating as client. The root anchor (T-TeleSec GlobalRoot Class 2) is used to trust the server when the server authenticates itself, transmitting all intermediate CAs with the server certificate to the client. The intermediate certificates together with the client certificate and its corresponding private key are used while the client authenticates itself against a server, transmitting all intermediate CAs together with the client certificate to the server.

  WATCH OUT: If the application runs on a machine behind a proxy using TLS inspection, authentication based on client certificates will not work. TLS inspection has to be turned off.
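The two certificate steps above (thumbprint, then .p12 keystore) as one runnable script. This is an added example and not part of the DSF project: it normalizes the openssl fingerprint to the lowercase, colon-free form the `org.highmed.dsf.fhir.local-user.thumbprints` setting expects, cross-checks it against a hash of the DER bytes, builds the keystore with the chain, and counts the certificates stored in it so a missing chain is caught before deployment. Function names, the password handling and the test certificates are assumptions; the file names follow the page's placeholders.

```shell
#!/bin/sh
# Added example, not part of the DSF project: prepare the Business Process
# Engine client certificate for the FHIR server config. Produces the SHA-512
# thumbprint in the form org.highmed.dsf.fhir.local-user.thumbprints expects
# (lowercase hex, no colons) and builds the .p12 keystore with the CA chain,
# then checks both. Function names and the constructed test data are assumed.
set -eu

# SHA-512 fingerprint as printed by openssl, normalized to lowercase without colons.
thumbprint_sha512() {
  openssl x509 -noout -fingerprint -sha512 -inform pem -in "$1" \
    | sed 's/^[^=]*=//' | tr -d ':' | tr 'A-F' 'a-f'
}

# Independent cross-check: hash the DER encoding of the certificate directly.
# openssl's fingerprint is defined over the DER bytes, so both values must match.
thumbprint_sha512_der() {
  openssl x509 -inform pem -in "$1" -outform der \
    | openssl dgst -sha512 | sed 's/^.*= *//'
}

# Returns 0 if $1 is a usable DSF thumbprint: exactly 128 lowercase hex characters.
is_dsf_thumbprint() {
  printf '%s' "$1" | grep -Eq '^[0-9a-f]{128}$'
}

# Build the keystore: private key + client certificate + full CA chain.
# $1 output .p12, $2 private key, $3 client certificate, $4 chain file, $5 password
build_client_p12() {
  openssl pkcs12 -export -out "$1" -inkey "$2" -in "$3" -certfile "$4" -passout "pass:$5"
}

# Number of certificates stored in the .p12 (client certificate plus chain entries).
# The DSF uses the same store as trust-store, so the chain has to be inside.
count_p12_certs() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Usage: ./prepare_client_cert.sh client_certificate.pem  -> prints the thumbprint
if [ "$#" -ge 1 ]; then
  thumbprint_sha512 "$1"
fi
```

The cross-check matters because `certtool` and `openssl` print the same hash in different casings and separators; hashing the DER bytes yourself confirms that the normalization did not alter the value. The certificate count should equal the client certificate plus every entry of the chain file.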
- Replace the file `fhir_compose ▸ app ▸ conf ▸ bundle.xml` with this file and fill the following placeholders with your entries (this file is only for the test network, the one for production is in development):
  - `<set-your-uuid-here>`
  - `<set-your-thumbprint-here>`
  - `<set-your-identifier-here>` (2x)
  - `<set-your-name-here>`
- Adapt the following settings in the file `fhir_compose ▸ app ▸ conf ▸ config.properties`:
  - `org.highmed.dsf.fhir.webservice.keystore.p12file`
  - `org.highmed.dsf.fhir.webservice.keystore.password`
  - `org.highmed.dsf.fhir.local-user.thumbprints`
  - `org.highmed.dsf.fhir.serverBase` with the base url of the FHIR endpoint service
  - `org.highmed.dsf.fhir.organizationType` with either `MeDIC` or `TTP`
  - `org.highmed.dsf.fhir.local-organization.identifier` with the MeDIC identifier
- If outgoing connections use a proxy, additionally add the following settings to `fhir_compose ▸ app ▸ conf ▸ config.properties`:
  - `org.highmed.dsf.fhir.remote.webservice.proxy.schemeHostPort` with the proxy protocol, url and port
  - `org.highmed.dsf.fhir.remote.webservice.proxy.username`
  - `org.highmed.dsf.fhir.remote.webservice.proxy.password`
- Settings of the Jetty application server can be changed in the file `fhir_compose ▸ app ▸ conf ▸ jetty.properties`
- Make sure volumes can be accessed. The application is run by a user with uid == gid == 2101. That user has to be able to read the conf and plugin folders and to read, write and execute (traverse) the log folder.
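The volume permissions step above as a script that applies and then verifies them. This is an added example and not part of the DSF project; it assumes the `app/conf`, `app/plugin` and `app/log` layout under the deployment folder, GNU coreutils (`stat -c`), and that ownership changes are done as root. Its design choice: config and plugin folders are owned by the administrator with group 2101 getting read-only access, so the service user can read the keystore and passwords in `config.properties` but cannot modify its own configuration; only the log folder is owned by the service user.

```shell
#!/bin/sh
# Added example, not part of the DSF project: set and check the access the
# FHIR app container (uid = gid = 2101, from the page) needs on its bind mounts:
# read on conf and plugin, read/write/traverse on log, nothing for others.
# Folder layout, function names and the 750/640 modes are assumptions.
set -eu

DSF_UID=2101
DSF_GID=2101

prepare_dsf_volumes() {
  # $1: deployment folder, e.g. fhir_compose
  base="$1"
  mkdir -p "$base/app/conf" "$base/app/plugin" "$base/app/log"
  # Ownership changes need root; without root only the mode bits are applied.
  if [ "$(id -u)" -eq 0 ]; then
    # conf and plugin stay owned by the admin, group 2101 gets read access only
    chown -R "0:$DSF_GID" "$base/app/conf" "$base/app/plugin"
    # the service user owns the log folder so it can write and rotate logs
    chown -R "$DSF_UID:$DSF_GID" "$base/app/log"
  fi
  chmod 750 "$base/app/conf" "$base/app/plugin"
  # config files contain the keystore and database passwords: no access for others
  find "$base/app/conf" "$base/app/plugin" -type f -exec chmod 640 {} +
  chmod 750 "$base/app/log"
}

# Octal mode of a path (GNU coreutils stat, assumed).
mode_of() {
  stat -c '%a' "$1"
}

# Returns 0 if the folders carry the expected modes and no file under conf or
# plugin is world-readable or group-writable.
check_dsf_volumes() {
  base="$1"
  [ "$(mode_of "$base/app/conf")" = "750" ] || return 1
  [ "$(mode_of "$base/app/plugin")" = "750" ] || return 1
  [ "$(mode_of "$base/app/log")" = "750" ] || return 1
  [ -z "$(find "$base/app/conf" "$base/app/plugin" -type f \( -perm -004 -o -perm -020 \) -print)" ]
}

# Usage: ./prepare_volumes.sh fhir_compose
if [ "$#" -ge 1 ]; then
  prepare_dsf_volumes "$1"
  check_dsf_volumes "$1" && echo "volumes ok"
fi
```

Run the check again after every edit of `config.properties` or after dropping a new plugin in, since editors and copies often recreate files with the default umask and reopen them to everyone on the host.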
Adapt the file `docker-compose.yml`:
- Adapt the entry `HTTPS_SERVER_NAME_PORT` with the permanent redirect url for https (:)
- If the FHIR Endpoint is located on its own machine without the BPE:
  - Remove the network entries with the name `bpe`
  - Adapt the ports of the entry `proxy ▸ ports` to `80:80` and `443:443`
  - Remove the network entries with the name
- Replace the entry of `services ▸ proxy ▸ image` with `ghcr.io/highmed/fhir_proxy:latest`
- Replace the entry of `services ▸ app ▸ image` with `ghcr.io/highmed/fhir:latest`
Adapt the file `docker-compose.prod.yml`:
- If you need additional entries in the file `/etc/hosts` (e.g. if no DNS resolution is possible), add them to the field `extra_hosts`. If you want to use only a single docker-compose file, make sure to copy the necessary entries from `docker-compose.prod.yml` into your `docker-compose.yml` file.
Please contact one of the main developers of the framework to be whitelisted.
Run `docker-compose -f docker-compose.yml -f docker-compose.prod.yml up` to start the reverse-proxy, database and app servers.

With a single `docker-compose.yml` file you can start the server using `docker-compose up -d && docker-compose logs -f`. This command starts the servers detached and then follows the log output on screen. Pressing ctrl-c ends the log output but won't stop the servers.