Oracle® Health Sciences Information Manager Policy Monitor Installation and Configuration Guide
Release 1.1
E21367-01

1 Installing and Configuring HIM Policy Monitor

This chapter provides information about the HIM Policy Monitor components and templates. It then leads you through the steps to import the Policy Monitor template, create a Policy Monitor VM, and then configure a Policy Monitor VM.

The Policy Monitor implements an Audit Record Repository (ARR) as required by the ATNA profile. The following links provide some context as to what "ARR" represents in this guide. Before beginning to set up your HIM Policy Monitor VM, we recommend you review these links.

This chapter includes the following sections:

1.1 Understanding HIM Policy Monitor Components and Templates

The HIM Policy Monitor template uses the "Paravirtualized" virtualization method. The template is distributed as a compressed tar file (*.tgz). The compressed tar file contains two binary files and a text file. The binary files are the disk images taken from a fully configured and functional VM. The text file is a VM configuration file.

1.1.1 HIM Policy Monitor Components

The contents of the compressed tar file are listed below:

  • Disk Image with Oracle Software

    /appliance.img

  • Disk Image with Operating System

    /System.img

  • VM Configuration File

    /vm.cfg

1.1.2 Policy Monitor VM Template

The VM consists of the following pre-installed software:

  • Oracle Enterprise Linux 5 (as in System.img)

    http://www.oracle.com/technetwork/topics/linux/whatsnew/index.html

  • HIM specific software (as in appliance.img)

    • Apache Ant 1.8.1

      Install directory: /home/common/ant

    • Java Development Kit 1.6.0_21

      Install directory: /home/common/java/latest (symbolic link to JDK 1.6.0_21)

    • For hiauser only:

      • HIM Policy Monitor 1.0

        Install directory: /home/hiauser/arr

  • VM Memory Settings:

    • 2 GB (2048 MB) of RAM


      Note:

      The RAM memory setting can be changed after installation in VM Manager.

    • 16 GB of Disk Space

  • Linux Users:

    • Root user

      • Username: root

      • Linux Group: root

      • Password: ovsroot

    • HIM specific user

      • Username: hiauser

      • Linux Group: hiauser

      • Password: hiapass


    Tip:

    For security purposes, it is recommended that you change the default passwords after installation.

1.2 Importing the HIM Policy Monitor Template

To import the HIM Policy Monitor VM template:

  1. Copy the HIM Policy Monitor VM template .tgz file to the /OVS/seed_pool directory of your Oracle VM Server machine.

  2. Uncompress the .tgz file:

    > tar -zxvf <FILENAME>.tgz

    This step creates a directory with the name of the template.

    Example:

    > cd /OVS/seed_pool
    > tar -zxvf /OVS/seed_pool/OVM_HIAV1_X86_POLICYMONITOR_PVM.tgz
    

    Creates the directory:

    /OVS/seed_pool/OVM_HIAV1_X86_POLICYMONITOR_PVM

  3. Log in to the Oracle VM Manager.


    Note:

    The default location for the Oracle VM Manager log in screen is http://<VM_MANAGER_HOST_NAME>:8888/OVS.

  4. From the Oracle VM Manager console:

    1. Click the Resources tab. The Virtual Machine Templates screen is displayed.

    2. Click the Import button. The Source screen is displayed.

    3. Choose the Select from Server Pool (Discover and register) radio button.

    4. Click Next. The General Information screen is displayed.

      Enter or select the following general information:

      - The server pool on which the virtual machine will be located.

      Server Pool Name: <SERVER_POOL_NAME>

      - The operating system of the Virtual Machine.

      Operating System: Oracle Enterprise Linux 5

      - The Oracle VM template to be imported.

      Virtual Machine Template Name: <VM_TEMPLATE_NAME>

      - The username used to log in to the Virtual Machine.

      Virtual Machine System Username: root

      - The password used to log in to the Virtual Machine.

      Virtual Machine System Password: ovsroot

    5. Click Next. The Confirm Information screen is displayed.

    6. Click Confirm. The Virtual Machine Template screen is displayed with a message to confirm the VM template has been imported.

  5. Click the Resources tab to see the list of available VM templates.

  6. To make the Virtual Machine template available for use, select the Virtual Machine template and click Approve, moving the VM template from the "Pending" state to the "Active" state.

    The VM template is imported and ready for use in Oracle VM Manager.
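The member list of the template archive can be checked before it is uncompressed in step 2. The following is an added example, not part of the original guide or of Oracle's tooling; it assumes the archive holds a single top-level directory containing exactly the three files named in Section 1.1.1, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not Oracle tooling. Assumes the archive holds one top-level
# directory containing exactly the three files listed in Section 1.1.1.
EXPECTED_FILES="System.img appliance.img vm.cfg"

# Reads member names on stdin, one per line; returns 0 only if the layout is safe.
validate_members() {
    awk -v expected="$EXPECTED_FILES" '
        BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) want[e[i]] = 1 }
        {
            if ($0 ~ /^\//) { print "absolute path: " $0; bad = 1; next }
            sub(/^\.\//, "")                      # tolerate a leading ./
            if ($0 == "") next
            k = split($0, part, "/")
            for (i = 1; i <= k; i++)
                if (part[i] == "..") { print "path traversal: " $0; bad = 1; next }
            if (top == "") top = part[1]
            if (part[1] != top) { print "second top-level entry: " $0; bad = 1 }
            if ($0 ~ /\/$/) next                  # directory entry
            if (k == 2 && (part[2] in want)) seen[part[2]] = 1
            else { print "unexpected file: " $0; bad = 1 }
        }
        END {
            for (f in want) if (!(f in seen)) { print "missing: " f; bad = 1 }
            exit bad + 0
        }' >&2
}

# Returns 0 if the archive lists cleanly, holds only regular files and
# directories, and passes validate_members.
check_template_archive() {
    archive=$1
    names=$(tar -tzf "$archive" 2>/dev/null) || { echo "cannot list $archive" >&2; return 2; }
    types=$(tar -tvzf "$archive" 2>/dev/null | cut -c1 | sort -u | tr -d '\n')
    case $types in
        *[!d-]*) echo "archive contains links or special files" >&2; return 1 ;;
    esac
    printf '%s\n' "$names" | validate_members
}

# Usage: check_template_archive /OVS/seed_pool/<FILENAME>.tgz && tar -zxvf <FILENAME>.tgz
```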

1.3 Creating the HIM Policy Monitor VM

To create the HIM Policy Monitor VM from the VM template:

  1. Create a new VM using the Policy Monitor VM template just installed by following the instructions in the VM Manager 2.2 User's Guide (refer to Section 6.3.1, "Creating Virtual Machine from a Template").

  2. To power on the Virtual Machine, select the Virtual Machines tab, select the Virtual Machine Name, and click Power On.

  3. In the VM Manager Console, ensure that the Policy Monitor VM is now in the running state (Status=Running).

1.4 Configuring the HIM Policy Monitor VM

This section provides instructions for configuring the HIM Policy Monitor VM.

1.4.1 How to VNC into a VM

To VNC into a VM:


Note:

To enable the VNC Port link in the VM Manager, follow the instructions in "Installing OVM Console" at http://oss.oracle.com/oraclevm/manager/RPMS/README-console.

Expand the details of the VM by clicking the + on Show. You can VNC into the box from the VM Manager by clicking on the VNC Port link under the VM details, or you can use a VNC client to log in using the address:

<VM_SERVER_HOST_NAME>:<VM_VNC_PORT>

1.4.2 Configuring the VM Network Settings

To configure the VM to use static IP:


Note:

The VM is configured by default to use DHCP to assign an IP address.

If you are using DHCP addressing, you can skip the following steps.

  1. To configure the VM to use static IP, log in as the root user (default password: ovsroot) and set the IP using the following steps:

    1. Select System, Administration, and then Network.

    2. Choose Devices, click Edit, select the Statically Set IP Address radio button, and then enter the following values:

      - Address: <VM_IP>

      - Subnet mask: <SUBNET_MASK>

      - Default Gateway address: <DEFAULT_GATEWAY_ADDRESS>

    3. Click OK.

    4. Choose File and then click Save.

    5. Click the DNS tab and then enter the following values:

      - Hostname: <VM_HOST_NAME>

      - Primary DNS: <PRIMARY_DNS>

      - Secondary DNS: <SECONDARY_DNS>

      - Tertiary DNS: <TERTIARY_DNS>

      - DNS search path: <VM_NAME_SUFFIX>

    6. Choose Next and click Save.

    7. Choose the Hosts tab, click New, and then enter the following values:

      - Address: <VM_IP>

      - Hostname: <VM_HOST_NAME>

      - Aliases: <VM_NAME_PREFIX> hostname

    8. Click Okay.

    9. Choose File and then click Save.

    10. Restart Network Services from a terminal window.

      > service network restart

    11. Check the output for <VM_IP>.

      > ifconfig

    12. Check the output for <VM_HOST_NAME>.

      > hostname

    13. Check the success of:

      > ping <VM_IP>

    14. Check the success of:

      > ping <VM_HOST_NAME>

1.4.3 Preparing the Policy Monitor Database

To prepare the Policy Monitor database tables for Oracle:

  1. Copy the files under /home/hiauser/arr/database/oracle to a machine with Oracle SQL*Plus installed.

  2. To create the Policy Monitor database user, load the script create-user-oracle.sql into the database.

    Example:

    > sqlplus system@<SID>
    SQL> @create-user-oracle.sql
    
  3. To create the Policy Monitor database tables:

    1. > cd /home/hiauser/arr/bin

    2. Run the script create-arr-properties-file.sh to create the properties file used to configure the Policy Monitor application, selecting [oracle] as your target database.

      Example:

      > sh create-arr-properties-file.sh
      – The dialect of your database installation:
      Choose target database: oracle
      – The hostname of your Oracle Database
      Enter oracle_host: <ORACLE_HOST>
      – The Oracle TNS Listener port of your Oracle Database
      Enter oracle_port: <ORACLE_PORT>
      – The Oracle System ID (SID) of your Oracle Database
      Enter oracle_sid: <ORACLE_SID>
      – The Oracle Database username
      Enter oracle_username: <ORACLE_USERNAME>
      – The Oracle Database password
      Enter oracle_password: <ORACLE_PASSWORD>
      – The port of the syslog server
      Enter arr_port: <ARR_PORT>
      – The output properties file name
      Enter properties_file_name: <ARR_PROPERTIES>
      
    3. Run the script arr.sh using command create-tables.

      Example:

      > arr.sh -propertyfile <ARR_PROPERTIES> -command create-tables
      

1.4.4 Configuring HIM Policy Monitor VM

To configure the HIM Policy Monitor VM:

  1. Log in to the VM as hiauser (default password: hiapass).

  2. Navigate to the directory: /home/hiauser/arr/bin.

  3. Edit the file <ARR_PROPERTIES_FILE>.

  4. Enable remote syslog access by reconfiguring the firewall.


    Note:

    Opening ports below 1024 requires root permissions.

    To permit connections on a port from other systems:

    * Enable a TCP connection

    1. Select System, Administration, Security Level, and Firewall.

    2. Click Other ports, and Add.

    3. Enter <ARR_PORT> in the Port(s) field, and specify tcp as the Protocol.

    4. Click OK.

    * Enable a UDP connection

    1. Select System, Administration, Security Level, and Firewall.

    2. Click Other ports, and Add.

    3. Enter <ARR_PORT> in the Port(s) field, and specify udp as the Protocol.

    4. Click OK.


    Note:

    Before proceeding to the next step, configure a fully-qualified-hostname for the Virtual Machine.

  5. Run the script create-and-import-selfsigned-certs.sh to install the self-signed certificate. It does the following things:

    • Creates the keystore for the private internal key

    • Exports the certificate that will authenticate the internal key

    • Imports the trusted certificates into the truststore

    • Provides these certificates to the Policy Monitor to use for authentication purposes

      > sh create-and-import-selfsigned-certs.sh


      Note:

      Before proceeding to the next step, copy the certificate of the host computer <HOSTNAME.cer> to /home/hiauser/arr/bin/keystore folder.

  6. To install a host machine's certificate, run the script import-hostname-cert.sh:

    > sh import-hostname-cert.sh

    Enter the hostname of the machine whose certificate is being imported into the truststore: <HOSTNAME>.

  7. Start the server using the following commands:

    • > cd /home/hiauser/arr/bin

      • To start in UDP mode:

        > arr.sh -propertyfile <ARR_PROPERTIES_FILE> -command start-udp-server

      • To start in TLS mode:

        > arr.sh -propertyfile <ARR_PROPERTIES_FILE> -command start-tls-server
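The properties file created in Section 1.4.3 and the keystore folder used in steps 5 and 6 hold credential material, so their file permissions are worth checking before the server is started. The following is an added example, not part of the original guide or of Oracle's tooling; it assumes that the properties file stores the value entered for oracle_password in clear text and that the keystore folder holds the private key, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not Oracle tooling. Assumptions: the properties file written by
# create-arr-properties-file.sh stores oracle_password in clear text, and the
# keystore folder holds the private-key keystore.

# Prints every file or directory under the given paths that grants any
# permission to group or other, or that is not owned by the current user.
# Returns 1 if anything was printed, 0 otherwise.
find_exposed_secrets() {
    found=$(find "$@" \( -type f -o -type d \) \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \
           -o ! -user "$(id -u)" \) -print 2>/dev/null)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Removes group/other access from the given paths (recursively), then re-checks.
# Ownership problems cannot be fixed here and are reported by the re-check.
lock_down_secrets() {
    chmod -R go-rwx "$@" && find_exposed_secrets "$@"
}

# Usage, as hiauser (placeholders as in the guide):
#   lock_down_secrets /home/hiauser/arr/bin/<ARR_PROPERTIES_FILE> \
#                     /home/hiauser/arr/bin/keystore
```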

1.4.5 Validating the Policy Monitor VM

To validate the Policy Monitor software on the VM after it is configured:

  1. Ensure that the Policy Monitor Server is up and running.

  2. Validate the configuration using the test client distributed with the VM:

    1. > cd /home/hiauser/arr/bin

    2. To send a message in UDP mode:

      > arr.sh -propertyfile <ARR_PROPERTIES_FILE> -command send-udp-msg -arr.input_file ../docs/test_syslog_msg.txt

      To send a message in TLS mode:

      > arr.sh -propertyfile <ARR_PROPERTIES_FILE> -command send-tls-msg -arr.input_file ../docs/test_syslog_msg.txt

    3. Log in to your database and confirm that the test record has been stored in the ARR_SYS_MSG table (for additional information, see "Overview of Policy Monitor Database").