Oracle® Healthcare Analytics Data Integration

Secure Installation and Configuration Guide

Release 1.0

E26520-01

November 2011

This section presents an overview of the OHADI requirements. It also describes the tasks that you must complete before you can install the OHADI application. This chapter includes the following sections:

• Technology Stack and System Requirements

• General Security Principles

• Installing the Prerequisite Software

• Installing Oracle Healthcare Analytics Data Integration

• Documentation Accessibility

1 Technology Stack and System Requirements

The requisite technology stack for Oracle Healthcare Analytics Data Integration Configuration is provided in the media pack, with the exception of Informatica. It consists of the following products:

• Oracle Database 11.2.0.2

• Oracle Healthcare Data Warehouse Foundation 4.0

Note:

Informatica is not part of the media pack. You need to acquire its license separately. All references to media pack server in this document refer to the computer onto which you download the media pack for Oracle Healthcare Analytics Data Integration.

The following table lists system requirement references.

Table 1 System Requirement References

Product	Reference
Oracle Database 11.2.0.2	Database Installation Guide for <platform>
Informatica PowerCenter 9.0.1 HotFix 2	Informatica PowerCenter Installation Guide
Oracle Healthcare Data Warehouse Foundation 4.0	Oracle Healthcare Data Warehouse Foundation Patch Readme and Release Notes
Other Technology Stack Components	My Oracle Support / Certifications

2 General Security Principles

The following principles are fundamental to using any application securely.

Keep Software Up To Date

One of the principles of good security practice is to keep all software versions and patches up to date.

Keeping Up To Date on the Latest Security Information Critical Patch Updates

Oracle continually improves its software and documentation. Critical Patch Updates are the primary means of releasing security fixes for Oracle products to customers with valid support contracts. They are released on the Tuesday closest to the 17th day of January, April, July and October. We highly recommend customers to apply these patches as soon as they are released.

Configure Strong Passwords on the Database

Although the importance of passwords is well known, the following basic rule of security management is worth repeating:

Ensure all passwords are strong passwords.

You can strengthen passwords by creating and using password policies for your organization. For guidelines on securing passwords and for additional ways to protect passwords, refer to the Oracle® Database Security Guide specific to the database release you are using.

You should modify the following passwords to use your policy-compliant strings:

• Passwords for the database default accounts, such as SYS and SYSTEM.

• Passwords for the database application-specific schema accounts, such as HDM, HDI, and HMC.

• The password for the database listener. You must not configure a password for the database listener as that will enable remote administration. For more information, refer to the section "Removing the Listener Password" of Oracle® Database Net Services Reference 11g Release 2 (11.2).

Follow the Principle of Least Privilege

The principle of least privilege states that users should be given the least amount of privilege to perform their jobs. Overly ambitious granting of responsibilities, roles, grants — especially early on in an organization's life cycle when people are few and work needs to be done quickly — often leaves a system wide open for abuse. User privileges should be reviewed periodically to determine relevance to current job responsibilities.

Before executing DDL scripts to create HMC schema, a database user should be created with specified limited set of privileges. DBA access should not be given to the user.

Database Security Features

The following principles are fundamental to using any application securely.

• Database Vault - Oracle Database Vault restricts access to specific areas in an Oracle database from any user, including users who have administrative access. For example, you can restrict administrative access to employee salaries, customer medical records, or other sensitive information.

• About Audit Vault - Oracle Audit Vault automates the audit collection, monitoring and reporting process. It turns audit data into a key security resource for detecting unauthorized activity. Consider using this feature to satisfy compliance regulations such as SOX, PCI, and HIPAA, and to mitigate security risks.

• About Tablespace Encryption - Transparent Data Encryption is one of the three components of the Oracle Advanced Security option for Oracle Database 11g Release 2 Enterprise Edition. It provides transparent encryption of stored data to support your compliance efforts. Applications do not have to be modified and will continue to work seamlessly as before. Data is automatically encrypted when it is written to disk, and automatically decrypted when accessed by the application. Key management is built in to the Tablespace Encryption feature, eliminating the complex task of creating, managing and securing encryption keys.

Managing Default User Accounts

Schema owner should not be the user used for normal production; in stead the account should be locked after the installation.

Closing All Open Ports Not in Use

Keep only the minimum number of ports open. You should close all ports not in use.

Disabling the Telnet Service

Oracle Healthcare Analytics Data Integration Configuration does not use the Telnet service.

Telnet listens on port 23 by default.

If the Telnet service is available on any computer, Oracle recommends that you disable Telnet in favor of Secure Shell (SSH). Telnet, which sends clear-text passwords and user names through a log-in, is a security risk to your servers. Disabling Telnet tightens and protects your system security.

Disabling Other Unused Services

In addition to not using Telnet, the Oracle Healthcare Analytics Data Integration Configuration does not use the following services or information for any functionality:

• Simple Mail Transfer Protocol (SMTP). This protocol is an Internet standard for E-mail transmission across Internet Protocol (IP) networks.

• Identification Protocol (identd). This protocol is generally used to identify the owner of a TCP connection on UNIX.

• Simple Network Management Protocol (SNMP). This protocol is a method for managing and reporting information about different systems.

Restricting these services or information does not affect the use of Oracle Healthcare Analytics Data Integration Configuration. If you are not using these services for other applications, Oracle recommends that you disable these services to minimize your security exposure. If you need SMTP, identd, or SNMP for other applications, be sure to upgrade to the latest version of the protocol to provide the most up-to-date security for your system.

Designing for Multiple Layers of Protection

When designing a secure deployment, design multiple layers of protection. If a hacker should gain access to one layer, such as the application server, that should not automatically give them easy access to other layers, such as the database server.

Providing multiple layers of protection may include:

• Enable only those ports required for communication between different tiers, for example, only allowing communication to the database tier on the port used for SQL*NET communications (1521 by default).

• Place firewalls between servers so that only expected traffic can move between servers.

Security Guidelines for Informatica Server

As OHADI processes clinical and healthcare information that contains sensitive patient information, you must configure Informatica server for maximum security. Follow the security guidelines provided by Informatica user documentation.

Configuring Secure SQL NET

If Informatica repository is installed in a database server other than the server having HDWF schema, the data transfer will take place between two different database servers over a network. As HDWF contains sensitive clinical and healthcare data, you must secure the communication between database servers. Use Oracle® Net Manager to configure encryption to secure communication between database servers .Oracle provides different encryption algorithms to secure communication. Select an appropriate encryption algorithm. For more information, refer to Oracle® Database Advanced Security Administrator's Guide 11g Release 2 (11.1).

3 Installing the Prerequisite Software

Before you can install the OHADI application, you must complete the following pre-installation tasks:

1. Install Oracle Database 11.2.0.2. Follow the instructions in Database Installation Guide for <platform>.

2. Install Oracle Healthcare Data Warehouse Foundation 4.0. Follow the instructions in Oracle Healthcare Data Warehouse Foundation Patch Readme and Release Notes.

3. Install Informatica PowerCenter 9.0.1 HotFix 2. Follow the instructions in Informatica PowerCenter Installation Guide.

4. While creating the Informatica Repository Service, set the code page to UTF-8.

4 Installing Oracle Healthcare Analytics Data Integration

OHADI application installation consists of the following steps:

• Setting Up Database

• Setting Up Informatica

• Preparing Scripts to Import Informatica Workflows

• Importing Workflows

4.1 Setting Up Database

This patch contains the following files required to install the physical data model portion of Oracle Healthcare Analytics Data Integration 1.0 (OHADI) and the associated documentation:

Table 2 Media Pack Contents

File Name	Contains
doc\ohadi_r1_0_mediapack_docs.zip	User Documentation Files
software\ohadi_metadata_config_ddl_1_0.sql	Script to create Physical Database Objects for Metadata Configuration Schema
software\ohadi_interface_grant_access_1_0.sql	Script to grant SELECT permission to metadata configuration user and HDWF user to access interface schema tables
software\ohadi_metadata_config_grant_access_1_0.sql	Script to grant SELECT permission to HDWF user to access metadata configuration schema tables
software\ohadi_etl_seed_data_scripts.zip	Contains seed data procedures and scripts

Preinstallation Checklist

• Ensure that you have set the NLS_LENGTH_SEMANTICS parameter of the session creating Metadata Configuration (HMC) schema to either CHAR or BYTE as per your requirements.

• Ensure that you have set a consistent default date format setting across HDWF, OHADI, and Rules Metadata Configuration.

• Ensure that you have set a consistent time zone setting across HDWF, OHADI, and Rules Metadata Configuration.

Instructions for Installing Metadata Configuration (HMC) Schema

To install HMC schema:

1. You should create a HMC user with appropriate default tablespace with requisite quotas and temporary tablespace. To create a HMC user:

   CREATE USER HMC IDENTIFIED BY <password> DEFAULT TABLESPACE <tablespace name> TEMPORARY TABLESPACE <temporary tablespace name> QUOTA <size or UNLIMITED> ON <tablespace name>;

   For example,

   CREATE USER HMC IDENTIFIED BY <secure password> DEFAULT TABLESPACE users TEMPORARY TABLESPACE temp QUOTA UNLIMITED ON users;

2. Grant the following privileges to the user created in step 1:

   • ALTER SESSION

   • CREATE DATABASE LINK

   • CREATE INDEXTYPE

   • CREATE JOB

   • CREATE MATERIALIZED VIEW

   • CREATE PROCEDURE

   • CREATE SEQUENCE

   • CREATE SESSION

   • CREATE SYNONYM

   • CREATE TABLE

   • CREATE TRIGGER

   • CREATE TYPE

   • CREATE VIEW

3. Grant DBA privilege to HMC user from SYSTEM user.

4. Log in to an Oracle 11gR2 database as a database schema owner (user created in step 1).

5. Locate the Oracle DDL script ohadi_metadata_config_ddl_1_0.sql on your Oracle 11gR2 database and execute it in HMC schema.

6. Extract software\ohadi_etl_seed_data_scripts.zip to OHADI installation directory(@{OHADI_INSTALL_DIR}.

7. Execute the following script to load seed data into HMC schema on your Oracle 11gR2 database at {OHADI_INSTALL_DIR}\ohadi_metadata_config_etl_seed_data_1_0.sql.

8. Locate and execute the Oracle DDL script ohadi_metadata_config_grant_access_1_0.sql on your Oracle 11gR2 database. The script prompts for HDWF Schema Name.

   Enter name of HDWF schema in the Enter value for hdwf_schema_name: prompt.

9. Disconnect from HMC user.

10. Revoke DBA privilege from HMC user.

Post Installation Configuration Instructions

1. Grant DBA privilege to HDI user from SYSTEM user.

2. Log in to an Oracle 11gR2 database as HDI user.

3. Locate and execute the Oracle DDL script ohadi_interface_grant_access_1_0.sql on your Oracle 11gR2 database. The script prompts for HDWF Schema and Metadata Configuration Schema Names.

4. Enter HDWF and HMC schema names in Enter value for hdwf_schema_name: and Enter value for metadata_config_schema_name: prompts respectively.

5. Disconnect from HDI user.

6. Revoke DBA privilege from HDI user.

7. Log in to an Oracle 11gR2 database as HDM user.

8. Create a private synonym on hdi_etl_glbl_param_g residing in HMC schema to be accessed by HDM User. Execute the following command:

   create synonym hdi_etl_glbl_param_g for <HMC Schema>>.hdi_etl_glbl_param_g

9. Execute the following script to create and execute a procedure.

   @{OHADI_INSTALL_DIR}\ohadi_hdwf_etl_procedure_1_0.sql

   The script prompts for HMC schema name. The procedure creates one seed data record in all HDWF tables with ID value as -1 representing a not available record called as NAV record on your Oracle 11gR2 database.

10. Enter HMC schema name in ETL_CONFIG_SCHEMA: prompt.

4.2 Setting Up Informatica

The media pack contains the following files used to setup Informatica Workflows:

Table 3 Files for Informatica Workflows

File Name	Contains
software\ohadi_informatica_workflows.zip	Contains xmls for all Informatica workflows
software\ SIL_DI_Global_Param_File.prm	Informatica global configuration file
software\ohadi_informatica_batch_scripts.zip	Contains scripts having Informatica pmrep command line import commands to import all OHADI workflows. It also contains scripts for both Linux (with extension .sh) and Windows (with extension .bat) platforms.
software\ohadi_Data_Lineage_Queries.txt	Contains scripts to query about data lineage information about Informatica.

Perform the following steps:

1. Create the following relational database connections in Informatica:

   • <DI_SOURCE_INFA_CONNECTION> to connect to schema containing HDWF Interface Tables

   • <DI_TARGET_INFA_CONNECTION > to connect to hdwf_schema_name

   • <DI_ETL_INFA_CONNECTION > to connect to metadata_config_schema_name(HMC)

     Make a note of the connection objects.

2. Create an Informatica repository with name repository name Oracle_Healthcare_Analytics_Data_integration.

3. Create five directories with the following names in the Informatica repository you created in step 2.

   Table 4 Informatica Folders

   Informatica Folder Name	To Import
   DI_HDWF_INCREMENTAL_LOAD	Incremental Load ETLs
   DI_HDWF_INITIAL_LOAD	Initial Load ETLs
   DI_HDWF_INITIAL_LOAD_PARTY_AVAILABLE	Party Role Related Initial Load ETLs
   DI_HDWF_INCREMENTAL_LOAD_PARTY_AVAILABLE	Party Role Related Incremental Load ETLs
   DI_HDWF_MASTER_DATA_MANAGEMENT	Master Data Management ETLs

   
   

4. Navigate to ${INFA_INSTALL_DIR}/server/infa_shared/SrcFiles and create the following five directories:

   • DI_HDWF_INCREMENTAL_LOAD

   • DI_HDWF_INITIAL_LOAD

   • DI_HDWF_MASTER_DATA_MANAGEMENT

   • DI_HDWF_PARTY_INITIAL_LOAD

   • DI_HDWF_PARTY_INCREMENTAL_LOAD

5. Configure following values in etl global parameter file SIL_DI_Global_Param_File.prm:

   • $$DBSCHEMA_TARGET=hdwf_schema_name

   • $$DBSCHEMA_SOURCE=hdwf_interface_table_schema_name

   • $$DBSCHEMA_ETL= metadata_config_schema_name(HMC)

   • $DBCONNECTION_ETL=<DI_ETL_INFA_CONNECTION >

   • $DBCONNECTION_TARGET=<DI_TARGET_INFA_CONNECTION >

   • $DBCONNECTION_SOURCE=<DI_SOURCE_INFA_CONNECTION >

6. Copy the updated global parameter file to the following locations:

   • ${INFA_INSTALL_DIR}/server/infa_shared/SrcFiles

   • ${INFA_INSTALL_DIR}/server/infa_shared/SrcFiles/DI_HDWF_INCREMENTAL_LOAD

   • ${INFA_INSTALL_DIR}/server/infa_shared/SrcFiles/DI_HDWF_INITIAL_LOAD

   • ${INFA_INSTALL_DIR}/server/infa_shared/SrcFiles/DI_HDWF_MASTER_DATA_MANAGEMENT

   • ${INFA_INSTALL_DIR}/server/infa_shared/SrcFiles/DI_HDWF_PARTY_INITIAL_LOAD

   • ${INFA_INSTALL_DIR}/server/infa_shared/SrcFiles/DI_HDWF_PARTY_INCREMENTAL_LOAD

4.3 Preparing Scripts to Import Informatica Workflows

1. Extract following zip files to OHADI installation directory(@{OHADI_INSTALL_DIR}. Contents of both zip files must be extracted into same directory.

   • software\ohadi_informatica_batch_scripts.zip

   • software\ohadi_informatica_workflows.zip

   The following import scripts are provided to import workflows:

   Table 5 Batch Scripts

   Batch Script Name	To Import
   ohadi_initial_load_workflow_import.sh	Initial load ETLs in Linux environment
   ohadi_incremental_load_workflow_import.sh	Incremental load ETLs in Linux environment
   ohadi_master_data_management_workflow_import.sh	Master data management ETLs in Linux environment
   ohadi_initial_load_workflow_import.bat	Initial load ETLs in Windows environment
   ohadi_incremental_load_workflow_import.bat	Incremental load ETLs in Windows environment
   ohadi_master_data_management_workflow_import.ba	Master data management ETLs in Windows environment

   
   

2. First line of all the scripts in step 1 contain connection information for Informatica Server and Repository. The line is as follows:

   pmrep connect -r <Informatica_Repository_Name> -d <Informatica_Server_Domain_Name> -n <Informatica Administrator_User_Name> -x <Informatica Administrator_Password>

   You must modify the first line in each of the scripts with Informatica Repository Name, Informatica Server Domain Name, and Informatica Administrator User Name, and Informatica Administrator Password as per your Informatica Server setup.

3. Set Environment Variables required for pmrep command to work:

   Get the path for Informatica server installation directory (${INFA_INSTALL_DIR}.

   • For Windows, set following environment variables:

     INFA_DOMAINS_FILE=${INFA_INSTALL_DIR}\clients\PowerCenterClient\domains.infa

     PATH=${INFA_INSTALL_DIR}\server\bin

   • For Linux and Unix, set following environment variables:

     INFA_HOME=${INFA_INSTALL_DIR}/

     LD_LIBRARY_PATH=$LD_LIBRARY_PATH: ${INFA_INSTALL_DIR}/server/bin

     PATH=$PATH${INFA_INSTALL_DIR}/server/bin

     INFA_DOMAINS_FILE=${INFA_INSTALL_DIR}/domains.infa

4.4 Importing Workflows

You can either import all workflows or import a specific workflow for a subject area.

4.4.1 Importing All Workflows

To import all wokflows, perform the following:

For Windows, execute the following scripts:

1. ohadi_master_data_management_workflow_import.bat

2. ohadi_initial_load_workflow_import.bat

3. ohadi_incremental_load_workflow_import.bat

For Linux or Unix environment, execute the following scripts:

1. ohadi_master_data_management_workflow_import.sh

2. ohadi_initial_load_workflow_import.sh

3. ohadi_incremental_load_workflow_import.sh

To import the ETLs into an existing Informatica Repository, change the default repository name Oracle_Healthcare_Analytics_Data_integration to the existing Informatica repository in the following files:

• ohadi_informatica_batch_scripts\OHADI_incremental_control.txt

• ohadi_informatica_batch_scripts\OHADI_incremental_control_party_available.txt

• ohadi_informatica_batch_scripts\OHADI_initial_control.txt

• ohadi_informatica_batch_scripts\OHADI_initial_control_party_available.txt

• ohadi_informatica_batch_scripts\OHADI_Master_Data_Management_control.txt

In each of these control files, navigate to the line TARGETREPOSITORYNAME ="Oracle_Healthcare_Analytics_Data_integration" /> and update the repository name to the existing Informatica repository.

4.4.2 Importing Workflows for a Specific Subject Area

Execute the script ohadi_master_data_management_workflow_import.bat or ohadi_master_data_management_workflow_import.sh.

Perform the following steps:

1. Open the batch script. The batch scripts are grouped by subject area and there is a comment in the batch script file with subject area name. Copy import commands of only those subject area ETLs and create another batch file for that subject area.

2. To connect to the server, add the following pmrep connect command in the first line:

   pmrep connect -r <Informatica_Repository_Name> -d <Informatica_Server_Domain_Name> -n <Informatica Administrator_User_Name> -x <Informatica Administrator_Password>

   You must modify the above line with Informatica Repository Name, Informatica Server Domain Name, and Informatica Administrator User Name, and Informatica Administrator Password as per your Informatica Server setup.

3. Execute the newly created batch script for the subject area.

5 Documentation Accessibility

For information about Oracle's commitment to accessibility, visit the Oracle Accessibility Program website at http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc.

Access to Oracle Support

Oracle customers have access to electronic support through My Oracle Support. For information, visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired.

---

Oracle Healthcare Analytics Data Integration Secure Installation and Configuration Guide, Release 1.0

E26520-01

Copyright © 2011, Oracle and/or its affiliates. All rights reserved.

This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.

The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.

If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, the following notice is applicable:

U.S. GOVERNMENT RIGHTS Programs, software, databases, and related documentation and technical data delivered to U.S. Government customers are "commercial computer software" or "commercial technical data" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, the use, duplication, disclosure, modification, and adaptation shall be subject to the restrictions and license terms set forth in the applicable Government contract, and, to the extent applicable by the terms of the Government contract, the additional rights set forth in FAR 52.227-19, Commercial Computer Software License (December 2007). Oracle USA, Inc., 500 Oracle Parkway, Redwood City, CA 94065.

This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications.

Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

This software and documentation may provide access to or information on content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services.