6/14

2 Installing and Configuring Oracle Health Sciences Information Manager Policy Monitor

This chapter provides information about the OHIM Policy Monitor components and templates.

The Policy Monitor implements an Audit Record Repository (ARR) as required by the ATNA profile. The following links provide some context as to what "ARR" represents in this guide. Before setting up your OHIM Policy Monitor, Oracle recommends you review these links.

• Audit Trail and Node Authentication (ATNA) Integration Profile

  • http://wiki.ihe.net/index.php?title=ATNA

  which is built on top of the following:

• Security Audit and Access Accountability Message XML Data Definitions for Healthcare Applications

  • http://tools.ietf.org/html/rfc3881

• The Syslog Protocol

  • http://tools.ietf.org/html/rfc5424

• Transmission of Syslog Messages over Transport Layer Security (TLS)

  • http://tools.ietf.org/search/rfc5425

• Transmission of Syslog Messages over User Datagram Protocol (UDP)

  • https://tools.ietf.org/html/rfc5426

  Note:

  The above links open documents that deal with the Internet Protocol Suite, specifically "Internet Official Protocol Standards" (STD1) as related to ARR. They provide critical technical information about secure transmission of data over the internet, including node authentication and an audit trail. It is recommended that you read them.

  The Policy Monitor is called the Audit Record Repository Server in Oracle Healthcare Master Person Index Working With IHE Profiles (Part Number E18591-01).

This chapter includes the following sections:

• Installing the Policy Monitor

• Configuring Oracle Health Sciences Information Manager Policy Monitor

• Starting the Oracle Health Sciences Information Manager Policy Monitor

2.1 Installing the Policy Monitor

Execute the following commands to install the Policy Monitor:

1. $ tar -zxvf ohim_hpm_installer.tgz

2. $ cd ohim_hpm_installer

3. $ java -jar ohim_hpm_installer.jar

To follow the prompts, see Appendix A, "Running the Oracle Health Sciences Information Manager Policy Monitor Installer".

2.1.1 Migrating from 1.2 or 1.2.1

This section is applicable only if you are migrating from 1.2 or 1.2.1.

1. On the source database:

   1. Execute the following command to export the tables data into a dump file:

      > exp <arr_user_name> TABLES=(CDD_VL_TYP,EVNT_ID_TYP,TYP_VL_PR_TYP,ADT_SRC_ID_TYP,PRT_OBJ_ID_TYP,ACTV_PRT_TYP,EVNT_ID_TYP_CDD_VL_TYP,ADT_MSG,ADT_MSG_ACTV_PRT_TYP,ADT_MSG_PRT_OBJ_ID_TYP,ACTV_PRT_TYP_CDD_VL_TYP,ADT_SRC_ID_TYP_CDD_VL_TYP,PRT_OBJ_ID_TYP_TYP_VL_PR_TYP,ADT_MSG_ADT_SRC_ID_TYP,ARR_SYS_MSG) FILE=<dump_file_name> log=export.log

      password: <arr_user_password>

   2. Note down the value of SEQ_COUNT column of the SEQ_GEN sequence from the SEQUENCE table.

2. On the target database:

   1. Create the tables using the create tables command of the Policy Monitor:

      > arr -propertyfile arr.properties -command create-tables

      See Appendix B.

   2. Execute the following command to import the data using the dump file that was generated in step 1a into Policy Monitor DB user:

      > imp FILE=<dump_file_name> log=import.log fromuser=<source_arr_user_name> touser=<target_arr_user_name> CONSTRAINTS=N IGNORE=y

      Username: system

      Password: <system_user_password>

   3. Update the SEQ_COUNT column value of the SEQ_GEN sequence with the value in step 1b.

2.2 Configuring Oracle Health Sciences Information Manager Policy Monitor

2.2.1 Configuring Oracle Health Sciences Information Manager Health Policy Monitor Properties

From this release of OHIM Policy Monitor, you are not required to manually edit the file. You will be prompted through the script. Execute the following code to configure the OHIM Health Policy Monitor properties.

1. > cd <arr_install_dir>/bin

2. > ant -f arr.xml create-arr-properties-file

   [input] Choose target database
   [input] Enter oracle_host
   [input] Enter oracle_port
   [input] Enter oracle_sid
   [input] Enter oracle_username
   [input] Enter oracle_password
   [input] Enter arr_port
   [input] Enter property_file_name
   

To edit a password in a properties file:

> ant -f arr.xml update-config-properties-file-password

To edit a property in a properties file:

> ant -f arr.xml update-config-properties-file-property

For more information, refer to Appendix E, "Password Encoding".

2.2.2 Setting up the Network

Note:

Opening ports below 1024 require root permissions.

Perform the following steps to setup the network.

1. Allow external connections to UDP and TLS port by opening incoming ports:

   # cd /etc/sysconfig/

   # vi iptables

2. Add the lines:

   -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT

   -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 6514 -j ACCEPT

3. Restart the service.

   # service iptables restart

   Flushing firewall rules: [OK]

2.2.3 Creating and Importing Self-Signed Certificates

Note:

Before proceeding to the next step, ensure that the host name does not return a fully qualified name for the machine. Check the following commands before proceeding:

1. Check that the following command returns a non-fully qualified name:

   > hostname

2. Check that the following command returns a fully qualified name:

   > hostname -f

3. Check that the following command returns the domain:

   > hostname -d

Perform the following steps to create and import self-signed certificates.

1. > cd <arr_install_dir>/bin

2. Execute create-and-import-selfsigned-certs.sh to install the self-signed certificate.

   > sh create-and-import-selfsigned-certs.sh

   This performs the following:

   • creates the keystore for the private internal key

   • exports the certificate that will authenticate the internal key

   • imports the trusted certificates into the truststore

   • provides these certificates to the server to use for authentication purposes

   Note:

   Before proceeding to the next step, copy the certificate of the host computer <HOSTNAME.cer> to <arr_install_dir>/bin/keystore folder.

3. To install a host machine's certificate, run the script import-hostname-cert.sh:

   > sh import-hostname-cert.sh

   Enter the host name of the machine whose certificate is being imported into the truststore: <HOSTNAME>.

2.2.3.1 Avoiding a Java Security Certificate Exception

To avoid a java.security.cert.CertificateException you must ensure that your OHIG or OHIM hostnames are not fully qualified.

To Make the Hostname Not Fully Qualified

1. Set the OHIM and OHIG host names to be not fully qualified.

2. Add aliases for all hosts.

3. Regenerate and reimport the certificates.

4. Restart all the servers.

5. Test that you do not have a Java security certificate exception.

2.3 Starting the Oracle Health Sciences Information Manager Policy Monitor

Start the server using the following command:

> cd <arr_install_dir>/bin

To start in UDP mode:

> arr.sh -propertyfile <ARR_PROPERTIES_FILE> -command start-udp-server

To start in TLS mode:

> arr.sh -propertyfile <ARR_PROPERTIES_FILE> -command start-tls-server