Oracle® Health Sciences Information Manager Policy Monitor Installation and Configuration Guide Release 2.0.1 E37025-03 |
This chapter provides information about the OHIM Policy Monitor components and templates.
The Policy Monitor implements an Audit Record Repository (ARR) as required by the ATNA profile. The following links provide some context as to what "ARR" represents in this guide. Before setting up your OHIM Policy Monitor, Oracle recommends you review these links.
Audit Trail and Node Authentication (ATNA) Integration Profile
which is built on top of the following:
Security Audit and Access Accountability Message XML Data Definitions for Healthcare Applications
The Syslog Protocol
Transmission of Syslog Messages over Transport Layer Security (TLS)
Transmission of Syslog Messages over User Datagram Protocol (UDP)
Note:
The above links open Internet standards documents (the "Internet Official Protocol Standards", STD 1, and the RFCs it lists) as they relate to the ARR. They provide the technical details of secure transmission of audit data over the network, including node authentication and the audit trail, and you should read them before deploying the Policy Monitor. The Policy Monitor is called the Audit Record Repository Server in Oracle Healthcare Master Person Index Working With IHE Profiles (Part Number E18591-01).
This chapter includes the following sections:
Configuring Oracle Health Sciences Information Manager Policy Monitor
Starting the Oracle Health Sciences Information Manager Policy Monitor
Execute the following commands to install the Policy Monitor:
$ tar -zxvf ohim_hpm_installer.tgz
$ cd ohim_hpm_installer
$ java -jar ohim_hpm_installer.jar
To follow the prompts, see Appendix A, "Running the Oracle Health Sciences Information Manager Policy Monitor Installer".
This section is applicable only if you are migrating from 1.2 or 1.2.1.
On the source database:
Execute the following command to export the tables data into a dump file:
> exp <arr_user_name> TABLES=(CDD_VL_TYP,EVNT_ID_TYP,TYP_VL_PR_TYP,ADT_SRC_ID_TYP,PRT_OBJ_ID_TYP,ACTV_PRT_TYP,EVNT_ID_TYP_CDD_VL_TYP,ADT_MSG,ADT_MSG_ACTV_PRT_TYP,ADT_MSG_PRT_OBJ_ID_TYP,ACTV_PRT_TYP_CDD_VL_TYP,ADT_SRC_ID_TYP_CDD_VL_TYP,PRT_OBJ_ID_TYP_TYP_VL_PR_TYP,ADT_MSG_ADT_SRC_ID_TYP,ARR_SYS_MSG) FILE=<dump_file_name> log=export.log
password: <arr_user_password>
Note down the value of SEQ_COUNT column of the SEQ_GEN sequence from the SEQUENCE table.
On the target database:
Create the tables using the create-tables command of the Policy Monitor:
> arr -propertyfile arr.properties -command create-tables
See Appendix B.
Execute the following command to import the data using the dump file that was generated in step 1a into Policy Monitor DB user:
> imp FILE=<dump_file_name> log=import.log fromuser=<source_arr_user_name> touser=<target_arr_user_name> CONSTRAINTS=N IGNORE=y
Username: system
Password: <system_user_password>
Update the SEQ_COUNT column value of the SEQ_GEN sequence with the value in step 1b.
From this release of OHIM Policy Monitor, you are not required to edit the properties file manually; the script prompts you for each value. Execute the following commands to configure the OHIM Policy Monitor properties:
> cd <arr_install_dir>/bin
> ant -f arr.xml create-arr-properties-file
[input] Choose target database
[input] Enter oracle_host
[input] Enter oracle_port
[input] Enter oracle_sid
[input] Enter oracle_username
[input] Enter oracle_password
[input] Enter arr_port
[input] Enter property_file_name
To edit a password in a properties file:
> ant -f arr.xml update-config-properties-file-password
To edit a property in a properties file:
> ant -f arr.xml update-config-properties-file-property
For more information, refer to Appendix E, "Password Encoding".
Note:
Opening ports below 1024 requires root permissions. Perform the following steps to set up the network.
Allow external connections to the UDP and TLS ports by opening the incoming ports. Open only the port for the transport you intend to run: the UDP listener (port 514) accepts messages from any sender without authentication, whereas the TLS listener (port 6514) authenticates the sending node with the certificates imported later in this chapter.
# cd /etc/sysconfig/
# vi iptables
Add the lines:
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 6514 -j ACCEPT
Restart the service.
# service iptables restart
Flushing firewall rules: [OK]
Note:
Before proceeding to the next step, ensure that the hostname command returns the short (not fully qualified) name of the machine. Run the following commands and check their output before proceeding. Check that the following command returns a non-fully qualified name:
> hostname
Check that the following command returns a fully qualified name:
> hostname -f
Check that the following command returns the domain:
> hostname -d
Perform the following steps to create and import self-signed certificates.
> cd <arr_install_dir>/bin
Execute create-and-import-selfsigned-certs.sh to install the self-signed certificate.
> sh create-and-import-selfsigned-certs.sh
This performs the following:
creates the keystore for the private internal key
exports the certificate that will authenticate the internal key
imports the trusted certificates into the truststore
provides these certificates to the server to use for authentication purposes
Note:
Before proceeding to the next step, copy the certificate of the host computer, <HOSTNAME>.cer, to the <arr_install_dir>/bin/keystore folder. To install a host machine's certificate, run the script import-hostname-cert.sh:
> sh import-hostname-cert.sh
Enter the host name of the machine whose certificate is being imported into the truststore: <HOSTNAME>
To avoid a java.security.cert.CertificateException, you must ensure that your OHIG or OHIM hostnames are not fully qualified.
To Make the Hostname Not Fully Qualified
Set the OHIM and OHIG host names to be not fully qualified.
Add aliases for all hosts.
Regenerate and reimport the certificates.
Restart all the servers.
Test that you do not have a Java security certificate exception.
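The hostname checks in the Note above and the "not fully qualified" requirement in this procedure can be verified with a small script before the certificates are generated. The following is an added example, not a script shipped with the Policy Monitor: it takes the three values that hostname, hostname -f and hostname -d return and rejects the combinations that lead to the certificate exception (a dotted short name, a missing domain, or an FQDN that is not short name plus domain). The sample host names in the usage line and test are constructed.

```shell
#!/bin/sh
# Added example (not part of the Oracle guide): consistency check for the
# host names that the certificate scripts rely on. Feed it the output of
# `hostname`, `hostname -f` and `hostname -d`.

# check_hostnames SHORT FQDN DOMAIN
# Returns 0 when SHORT contains no dot, DOMAIN is non-empty and FQDN equals
# SHORT.DOMAIN; otherwise prints the reason on stderr and returns 1.
check_hostnames() {
  short=$1
  fqdn=$2
  domain=$3
  case "$short" in
    "")  echo "hostname returned an empty name" >&2; return 1 ;;
    *.*) echo "hostname is fully qualified ($short); set a short host name" >&2; return 1 ;;
  esac
  if [ -z "$domain" ]; then
    echo "hostname -d returned no domain; add the domain to /etc/hosts or DNS" >&2
    return 1
  fi
  if [ "$fqdn" != "$short.$domain" ]; then
    echo "hostname -f ($fqdn) does not match $short.$domain" >&2
    return 1
  fi
  return 0
}

# Live check on the ARR host (the sample names below are constructed):
#   check_hostnames "$(hostname)" "$(hostname -f)" "$(hostname -d)" && echo "host names OK"
#   check_hostnames arr01 arr01.example.com example.com        -> returns 0
#   check_hostnames arr01.example.com arr01.example.com example.com -> returns 1
```

Run the live check on every OHIM and OHIG host before executing create-and-import-selfsigned-certs.sh; a non-zero return means the certificate would be generated for a name that does not match what the peers present, which is the condition that produces the CertificateException.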
Start the server using the following command:
> cd <arr_install_dir>/bin
To start in UDP mode:
> arr.sh -propertyfile <ARR_PROPERTIES_FILE> -command start-udp-server
To start in TLS mode:
> arr.sh -propertyfile <ARR_PROPERTIES_FILE> -command start-tls-server
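Once the server is running in one of the two modes, a practitioner usually wants to send a test audit message to confirm the listener, firewall rule and certificates work together. The following is an added example, not a tool from the Policy Monitor distribution. It builds an RFC 5424 syslog line, frames it for the TLS listener using the RFC 5425 octet-counting framing (the byte length, a space, then the message) and sends it with openssl s_client, or sends it unframed in a single datagram for the UDP listener as RFC 5426 specifies. The host name, ports, certificate paths, the use of netcat for UDP, and the audit message body are all constructed assumptions; the PRI value 85 is facility 10 (security/authorization) times 8 plus severity 5 (notice).

```shell
#!/bin/sh
# Added example (not part of the Oracle guide): send a test syslog message to
# the Policy Monitor. Host, ports, certificate paths and the message body are
# assumptions for illustration.

ARR_HOST=${ARR_HOST:-arr01}          # short host name of the ARR (assumed)
ARR_TLS_PORT=${ARR_TLS_PORT:-6514}   # port opened for the TLS listener
ARR_UDP_PORT=${ARR_UDP_PORT:-514}    # port opened for the UDP listener

# syslog_msg PRI TIMESTAMP HOST APP BODY
# RFC 5424 header with NILVALUE ("-") for PROCID, MSGID and STRUCTURED-DATA.
syslog_msg() {
  printf '<%s>1 %s %s %s - - - %s' "$1" "$2" "$3" "$4" "$5"
}

# frame_tls MESSAGE -> "<byte length> <MESSAGE>" (RFC 5425 octet counting).
# The length is counted in bytes, not characters, so a UTF-8 body is framed
# correctly.
frame_tls() {
  len=$(printf '%s' "$1" | LC_ALL=C wc -c | tr -d ' ')
  printf '%s %s' "$len" "$1"
}

# Send one framed message over TLS, presenting a client certificate whose
# issuer the ARR truststore knows (paths are assumptions).
send_tls() {
  frame_tls "$1" | openssl s_client -quiet -connect "$ARR_HOST:$ARR_TLS_PORT" \
    -cert /path/to/client.pem -key /path/to/client.key -CAfile /path/to/arr-ca.pem
}

# Send one unframed message in a single UDP datagram (RFC 5426); assumes a
# netcat that accepts -u and -w.
send_udp() {
  printf '%s' "$1" | nc -u -w1 "$ARR_HOST" "$ARR_UDP_PORT"
}

# Constructed placeholder body; a real ATNA message is an RFC 3881 AuditMessage.
BODY='<AuditMessage><EventIdentification EventActionCode="E" EventOutcomeIndicator="0"/></AuditMessage>'
MSG=$(syslog_msg 85 "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(hostname)" ohim-test "$BODY")

# Usage: uncomment the transport that matches the mode the server was started in.
#   send_tls "$MSG"
#   send_udp "$MSG"
```

Compare the framed output of frame_tls with what the TLS listener logs: if the server rejects the connection before any message is read, the problem is in the certificate or hostname setup from the previous section; if the connection is accepted but nothing is stored, check the framing and the message body.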