GE Healthcare

Example Apache Server Installation for Centricity Electronic Medical Record browser & mobile access

May 2009 © 2009 General Electric Company All rights reserved.

Introduction

These instructions describe how to install and configure an Apache server to provide encryption and a firewall when you use Centricity Electronic Medical Record browser and mobile access.

Note: This installation does not represent a complete security implementation. For more information regarding security guidelines, refer to Centricity Electronic Medical Record browser and mobile access Security Considerations or Preparing and Maintaining Centricity Electronic Medical Record.

For more information regarding the software, refer to:

    http://www.jboss.org/community/docs/doc-12529
    http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html
    http://www.openssl.org
    http://httpd.apache.org

Before you begin

Before you install and configure the Apache server:

    Install Centricity EMR 9.1 or 9.2

Installation and configuration steps

1. Install Apache software:

   a. Download the best available version from http://httpd.apache.org.

      Note: These directions are for use with Apache HTTP Server 2.2.11 and the download link: Win32 Binary including OpenSSL 0.9.8i. Other versions may require modified or additional steps.

   b. Using the Apache-provided executable, install the full software package. When prompted, select the default location.

      Note: These steps assume the Apache software is installed on the same server as JBoss.

2. Verify the Apache installation is correctly installed:

   a. Start Apache. In a command window, type:

          httpd -k restart

      or navigate to Start>Programs>Administrative Tools>Services. Click on the Apache server listing, right click and select Restart.
   b. Test the installation:

      Test http (port 80 access). In the browser address bar, type:

          http://<hostname>

      If the installation is correctly configured, the window appears.

      Note: You can find the hostname by opening a command window and, at the prompt, typing:

          hostname

      Test https (port 443 access). In the browser address bar, type:

          https://<hostname>

      Since you have not yet configured https, the browser should be unable to find the browser page.

3. Obtain an SSL certificate. You can purchase a certificate or create a certificate for testing purposes by using OpenSSL. To create a certificate:

   a. Install OpenSSL:

      i.  Navigate to http://www.openssl.org/related/binaries.html
          The link on the page redirects to: http://www.slproweb.com/products/win32openssl.htm

      ii. Select Win32 OpenSSL v0.9.8k Light from the list, double click and select Run to install.

          Note: Figure 1 shows an error message you may receive. Ignore the message and click OK to continue the installation.

          Figure 1: Error message

   b. Create certificate:

      i.  In a command window, navigate to the directory Apache\bin and type at the prompt:

              set OPENSSL_CFG=./openssl.cnf

      ii. When the prompt returns, type:

              openssl req -new -x509 -nodes -out server.crt -keyout server.key

          Answer the prompts to receive a certificate file server.crt

          Note: For more information on the types of ssl certificates (.crt), see http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html

4. Copy the apache/conf directory tree to another directory as a back-up starting reference.
5. Configure JBoss:

   a. Modify the file:

          Program Files\Centricity Practice Solution 90\JBoss Application Server\jboss\jboss\server\default\deploy\jboss-web.deployer\server.xml

      to add the jvmRoute and change port 8009 to 9009. Add the bolded text:

          <!-- Define an AJP 1.3 Connector on port 9009 -->
          <Connector port="9009" address="${jboss.bind.address}"
              protocol="AJP/1.3" emptySessionPath="true"
              enableLookups="false" redirectPort="8443" />

          <Engine name="jboss.web" defaultHost="localhost" jvmRoute="nodea">

   b. Save and close the file.

   c. Restart JBoss: Navigate to Start>Programs>Administrative Tools>Services. Click on the JBoss server listing, right click and select Restart.

6. Populate the Apache htdocs directory. For each deployment (for example, the training database and the production database), copy the contents of

       jboss\server\default\deploy\<deployname>.emrgwt.war

   to

       htdocs\centricity\<deployname>\emrgwt

   Note: The default configuration has two deployments, for example, logician-tut and logician-ml.

   Each time you update the Centricity browser and mobile software via the SetStage Install/update Service Layer utility, repeat this step to update the Apache htdocs directory with the new content.

   Figure 2 shows an example of Apache htdocs directory population.

   Figure 2: Populating Apache htdocs
7. Configure the Apache server:

   a. Edit the configuration file apache/conf/httpd.conf. Add this text to the bottom of the file:

          #load SSL
          LoadModule ssl_module modules/mod_ssl.so

          # Secure (SSL/TLS) connections
          Include conf/extra/httpd-ssl.conf

          # ajp proxy stuff
          LoadModule proxy_module modules/mod_proxy.so
          LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
          LoadModule proxy_http_module modules/mod_proxy_http.so
          LoadModule proxy_ajp_module modules/mod_proxy_ajp.so

          <Proxy balancer://mycluster>
              Order deny,allow
              Deny from all
              Allow from 127.0.0.1
          </Proxy>

          ProxyPass /Centricity/<deployname-tut>/EMRGWTServices ajp://localhost:9009/centricity/<deployname-tut>/emrgwtservices
          ProxyPass /Centricity/<deployname-ml>/EMRGWTServices ajp://localhost:9009/centricity/<deployname-ml>/emrgwtservices

          # Redirect emr.html for convenience
          Redirect /Emrtut.html /Centricity/<deployname-tut>/emrgwt/Emr.html
          Redirect /emrtut.html /Centricity/<deployname-tut>/emrgwt/Emr.html
          Redirect /Emr.html /Centricity/<deployname-ml>/emrgwt/Emr.html
          Redirect /emr.html /Centricity/<deployname-ml>/emrgwt/Emr.html

   b. Save and close the file.
   c. In the directory apache2/conf, create a new file named workers.properties and add this text:

          # Define list of workers that will be used
          # for mapping requests
          # The configuration directives are valid
          # for the mod_jk version 1.2.18 and later
          #
          worker.list=loadbalancer,status

          # Define NodeA
          # modify the host as your host IP or DNS name.
          worker.nodea.port=9009
          worker.nodea.host=localhost
          worker.nodea.type=ajp13
          worker.nodea.lbfactor=1
          # worker.nodea.connection_pool_size=10 (1)

          # Load-balancing behavior
          worker.loadbalancer.type=lb
          worker.loadbalancer.balance_workers=nodea

          # Status worker for managing load balancer
          worker.status.type=status

   d. Save and close the file.

   e. In the directory apache2/conf, create a new file named uriworkermap.properties and add this text:

          # Simple worker configuration file
          #
          # Mount the Servlet context to the ajp13 worker
          /jmx-console=loadbalancer
          /jmx-console/*=loadbalancer
          /web-console=loadbalancer
          /web-console/*=loadbalancer

   f. Save and close the file.

8. Verify the Apache installation is correctly installed:

   a. Start Apache. In a command window, type:

          httpd -k restart

      or navigate to Start>Programs>Administrative Tools>Services. Click on the Apache server listing, right click and select Restart.

   b. Test the installation:

      Test http (port 80 access). In the browser address bar, type:

          http://<hostname>

      If the installation is correctly configured, the window appears.

      Test https (port 443 access). In the browser address bar, type:

          https://<hostname>

      If the installation is correctly configured, the window appears.
9. Secure the server:

   a. Disable port 80:

      i.  Edit the file httpd.conf:

              #Listen 80

      ii. Save and close the file.

   b. Enable Windows firewall or other mechanism to limit access to server to only the desired ports (in this example, port 443).

   c. Test the installation.

      i.  In the browser address bar, type:

              http://<hostname>/emr.html

          If the installation is correctly configured, the window does not appear because port 80 is disabled.

      ii. In the browser address bar, type:

              https://<hostname>/emr.html

          If the installation is correctly configured, the window appears.

   d. Engage your security team to test and monitor to ensure your site is secure.
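An added example, not part of the GE document: a small Python audit of the httpd.conf that results from steps 7 and 9. It flags an active Listen on port 80, a missing mod_ssl load or httpd-ssl.conf include, and any ajp:// ProxyPass backend that is not loopback, since these steps assume Apache and JBoss share one server and AJP traffic is not encrypted. The sample configuration, and the use of logician-tut for <deployname-tut>, are constructed for illustration.

```python
import re

# Constructed sample: tail of httpd.conf after steps 7 and 9 (logician-tut is a stand-in).
SAMPLE_CONF = """\
#Listen 80
LoadModule ssl_module modules/mod_ssl.so
Include conf/extra/httpd-ssl.conf
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
ProxyPass /Centricity/logician-tut/EMRGWTServices ajp://localhost:9009/centricity/logician-tut/emrgwtservices
"""

LOOPBACK = {"localhost", "127.0.0.1", "[::1]"}

def active_directives(conf_text):
    """Yield (name, args) for each directive that is not commented out."""
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "<")):
            continue  # skip blanks, comments and <Section> tags
        name, *args = line.split()
        yield name.lower(), args  # directive names are case-insensitive

def audit(conf_text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    directives = list(active_directives(conf_text))
    modules = {a[0] for n, a in directives if n == "loadmodule" and a}
    includes = [a[0] for n, a in directives if n == "include" and a]
    uses_ajp = False
    for name, args in directives:
        if name == "listen" and args and re.fullmatch(r"(.*:)?80", args[0]):
            findings.append("port 80 still enabled: Listen " + args[0])
        if name == "proxypass" and len(args) >= 2:
            m = re.match(r"ajp://(\[[^\]]+\]|[^:/]+)", args[1], re.I)
            if m:
                uses_ajp = True
                if m.group(1).lower() not in LOOPBACK:
                    findings.append("AJP backend is not loopback: " + args[1])
    if "ssl_module" not in modules:
        findings.append("mod_ssl is not loaded")
    if not any(i.endswith("httpd-ssl.conf") for i in includes):
        findings.append("conf/extra/httpd-ssl.conf is not included")
    if uses_ajp and "proxy_ajp_module" not in modules:
        findings.append("ajp:// ProxyPass without mod_proxy_ajp loaded")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONF) or "no findings")
```

The audit reads only the text it is given, so it complements rather than replaces the browser tests in step 9c and the firewall rule in step 9b.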