Giter Club home page Giter Club logo

moh-hnclient-v2's Introduction

Lifecycle:Experimental

MOH HNClient V2

The hnclient-v2 application will receive an HL7v2 message over plain TCP and forward it to a secure endpoint over HTTPS with an OAuth2 access token (retrieved using the OAuth Client Credential Grant).

This project also includes applications that mock-out dependencies or provide additional functionality:

  • mock-point-of-service: a point of service application that sends an HL7v2 message over MLLP.
  • renew-client-auth-certs: a tool to renew the jks file used to authenticate to Keycloak an retreive an access token. The functionality of this tool is also built into hnclient-v2 but in that case will only run once the certificate has reached 30 days from expiry.

hnclientv2

Configuration

Prerequisites:

  • Apache Maven 3.6.1+
  • Java 11

Step 1: Configure client authentication

Signed JWT (default)

By default, hnclient-v2 and our Keycloak development server are configured to use "Signed JWT" client authentication. To use our Keycloak development server with HNClient:

  1. Retrieve the moh-hnclient JKS file from KeePass in the IAM directory.
  2. In hnclient-v2's application.properties file, set jks-file=JKS_FILE_LOCATION.
  3. Set MOH_HNCLIENT_KEYSTORE_PASSWORD as an operating system environment variable. The password is also in KeePass on the moh-hnclient record.
  4. In the hnclient-v2 application.properties file, ensure that client-auth-type = SIGNED_JWT.

On startup hnclient-v2 will automatically renew the JKS file and upload the public key to keycloak if the certificate is within 30 days from expiry. (11 months old based on the codes current configuration). When this happens the new key will need to be stored in KeePass so that other developers can get the new key. If you are testing or modifying this feature be sure to use a different client in Keycloak so that you don't change the key for the moh-hnclient client in Keycloak that other developers may be using. To do this you will need to update the JKS properties in application.properties and the keystorePassword in route.java.

Client ID and Password (optional)

hnclient-v2 also supports "Client ID and Secret" client authentication. To use it, the Keycloak server must be configured to use "Client ID and Secret".

  1. Go to the Keycloak development server and look-up the client secret for moh-hnclient.
  2. Set MOH_HNCLIENT_SECRET as an operating system environment variable.
  3. In the hnclient-v2 application.properties file, ensure that client-auth-type = CLIENT_ID_SECRET.

Step 2: Add the Keycloak certificate to the Java TrustStore

In order for hnclient-v2 to get access tokens from Keycloak, it needs to trust the Keycloak development server, which uses a self-signed certificate. Download the certificate from https://common-logon-dev.hlth.gov.bc.ca and add it to Java's truststore (e.g. "C:\Dev\AdoptOpenJDK11\lib\security\cacerts").

Run the applications

NB: The hnclient-v2 application requires the HNS-ESB application to be running so that it has somewhere to send messages to. The hnsecure- properties in the application.properties are used to specify the endpiont of the HNS-ESB.

hnclient-v2 can be run from the command line:

cd hnclient-v2
mvn compile camel:run

After hnclient-v2 is running, you can send a message using mock-point-of-service:

cd mock-point-of-service
mvn compile exec:java

Integrating with Kong (optional)

The IAM project is evaluating using an API Gateway (Kong) between HNClient and HNSecure, which would implement the architecture shown here:

hnclientv2 with kong

In production this would be the DataBC API Gateway, powered by Kong. To set-up a local Kong instance for development, I recommend kong-vagrant. Additional instructions on setting-up kong-vagrant are in the moh-iam-kong-plugin repo.

Kong configuration

Create a service that sends requests to HNSecure:

# 10.0.2.2 is the default IP for the Kong host machine inside VirutalBox used by kong-vagrant
$ curl -i -X POST \
 --url http://localhost:8001/services/ \
 --data 'name=hnsecure' \
 --data 'url=http://10.0.2.2:9090/hl7v2'

$ curl -i -X POST \
 --url http://localhost:8001/services/hnsecure/routes \
 --data 'paths[]=/hl7v2'

Add the custom plugin from the moh-iam-kong-plugin repo:

$ curl -i -X POST \
  --url http://localhost:8001/services/mockbin/plugins \
  --data 'name=myplugin'

Note that the kong-plugin-jwt-keycloak plugin is available on luarocks, but the custom plugin must be built and installed manually. Find instructions on the Kong website.

Install and add the Keycloak plugin:

luarocks install kong-plugin-jwt-keycloak

curl -X POST http://localhost:8001/services/hnsecure/plugins \
--data "name=jwt-keycloak" \
--data "config.allowed_iss=https://common-logon-dev.hlth.gov.bc.ca/auth/realms/moh_applications"

You could also import the configuration file using decK.

moh-hnclient-v2's People

Stargazers

avatar

Watchers

avatar avatar avatar avatar

moh-hnclient-v2's Issues

It's Been a While Since This Repository has Been Updated

This issue is a kind reminder that your repository has been inactive for 180 days. Some repositories are maintained in accordance with business requirements that infrequently change thus appearing inactive, and some repositories are inactive because they are unmaintained.

To help differentiate products that are unmaintained from products that do not require frequent maintenance, repomountie will open an issue whenever a repository has not been updated in 180 days.

  • If this product is being actively maintained, please close this issue.
  • If this repository isn't being actively maintained anymore, please archive this repository. Also, for bonus points, please add a dormant or retired life cycle badge.

Thank you for your help ensuring effective governance of our open-source ecosystem!

Add project lifecycle badge

No Project Lifecycle Badge found in your readme!

Hello! I scanned your readme and could not find a project lifecycle badge. A project lifecycle badge will provide contributors to your project as well as other stakeholders (platform services, executive) insight into the lifecycle of your repository.

What is a Project Lifecycle Badge?

It is a simple image that neatly describes your project's stage in its lifecycle. More information can be found in the project lifecycle badges documentation.

What do I need to do?

I suggest you make a PR into your README.md and add a project lifecycle badge near the top where it is easy for your users to pick it up :). Once it is merged feel free to close this issue. I will not open up a new one :)

It's Been a While Since This Repository has Been Updated

This issue is a kind reminder that your repository has been inactive for 180 days. Some repositories are maintained in accordance with business requirements that infrequently change thus appearing inactive, and some repositories are inactive because they are unmaintained.

To help differentiate products that are unmaintained from products that do not require frequent maintenance, repomountie will open an issue whenever a repository has not been updated in 180 days.

  • If this product is being actively maintained, please close this issue.
  • If this repository isn't being actively maintained anymore, please archive this repository. Also, for bonus points, please add a dormant or retired life cycle badge.

Thank you for your help ensuring effective governance of our open-source ecosystem!

From v4.6 to v2?

As of f22cb65, docs mention v2. v4.6 has been used for several years in production

image

Is v2 going to replace v4.6? I don't see any tags or releases in this repo and I'm curious about the conventions used to label new versions.

Thanks,

Add missing topics

TL;DR

Topics greatly improve the discoverability of repos; please add the short code from the table below to the topics of your repo so that ministries can use GitHub's search to find out what repos belong to them and other visitors can find useful content (and reuse it!).

Why Topic

In short order we'll add our 800th repo. This large number clearly demonstrates the success of using GitHub and our Open Source initiative. This huge success means it's critical that we work to make our content as discoverable as possible. Through discoverability, we promote code reuse across a large decentralized organization like the Government of British Columbia as well as allow ministries to find the repos they own.

What to do

Below is a table of abbreviation a.k.a short codes for each ministry; they're the ones used in all @gov.bc.ca email addresses. Please add the short codes of the ministry or organization that "owns" this repo as a topic.

add a topic

That's it, you're done!!!

How to use

Once topics are added, you can use them in GitHub's search. For example, enter something like org:bcgov topic:citz to find all the repos that belong to Citizens' Services. You can refine this search by adding key words specific to a subject you're interested in. To learn more about searching through repos check out GitHub's doc on searching.

Pro Tip ๐Ÿค“

  • If your org is not in the list below, or the table contains errors, please create an issue here.

  • While you're doing this, add additional topics that would help someone searching for "something". These can be the language used javascript or R; something like opendata or data for data only repos; or any other key words that are useful.

  • Add a meaningful description to your repo. This is hugely valuable to people looking through our repositories.

  • If your application is live, add the production URL.

Ministry Short Codes

Short Code Organization Name
AEST Advanced Education, Skills & Training
AGRI Agriculture
ALC Agriculture Land Commission
AG Attorney General
MCF Children & Family Development
CITZ Citizens' Services
DBC Destination BC
EMBC Emergency Management BC
EAO Environmental Assessment Office
EDUC Education
EMPR Energy, Mines & Petroleum Resources
ENV Environment & Climate Change Strategy
FIN Finance
FLNR Forests, Lands, Natural Resource Operations & Rural Development
HLTH Health
IRR Indigenous Relations & Reconciliation
JEDC Jobs, Economic Development & Competitiveness
LBR Labour Policy & Legislation
LDB BC Liquor Distribution Branch
MMHA Mental Health & Addictions
MAH Municipal Affairs & Housing
BCPC Pension Corporation
PSA Public Service Agency
PSSG Public Safety and Solicitor General
SDPR Social Development & Poverty Reduction
TCA Tourism, Arts & Culture
TRAN Transportation & Infrastructure

NOTE See an error or omission? Please create an issue here to get it remedied.

Lets use common phrasing

TL;DR ๐ŸŽ๏ธ

Teams are encouraged to favour modern inclusive phrasing both in their communication as well as in any source checked into their repositories. You'll find a table at the end of this text with preferred phrasing to socialize with your team.

Words Matter

We're aligning our development community to favour inclusive phrasing for common technical expressions. There is a table below that outlines the phrases that are being retired along with the preferred alternatives.

During your team scrum, technical meetings, documentation, the code you write, etc. use the inclusive phrasing from the table below. That's it - it really is that easy.

For the curious mind, the Public Service Agency (PSA) has published a guide describing how Words Matter in our daily communication. Its an insightful read and a good reminder to be curious and open minded.

What about the master branch?

The word "master" is not inherently bad or non-inclusive. For example people get a masters degree; become a master of their craft; or master a skill. It's generally when the word "master" is used along side the word "slave" that it becomes non-inclusive.

Some teams choose to use the word main for the default branch of a repo as opposed to the more commonly used master branch. While it's not required or recommended, your team is empowered to do what works for them. If you do rename the master branch consider using main so that we have consistency among the repos within our organization.

Preferred Phrasing

Non-Inclusive Inclusive
Whitelist => Allowlist
Blacklist => Denylist
Master / Slave => Leader / Follower; Primary / Standby; etc
Grandfathered => Legacy status
Sanity check => Quick check; Confidence check; etc
Dummy value => Placeholder value; Sample value; etc

Pro Tip ๐Ÿค“

This list is not comprehensive. If you're aware of other outdated nomenclature please create an issue (PR preferred) with your suggestion.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.