OpenNCP Installation Manual
The main goal of this page is to provide an installation manual for new OpenNCP adopters.
It tries to cover all possible setup and configuration operations and it can be used not only as a step-by-step guide but also as a supporting guide to install a certain component - you can check the table of contents on the right side of the page.
Please feel free to leave suggestions or expose your doubts at the bottom of the page.
0. Recommendations
Before proceeding with the installation of OpenNCP please refer to OpenNCP Installation Overview page for the basic information about OpenNCP installation and architecture.
This installation manual was based on an installation with the following software:
- Java 1.7.0_80
- GNU/Linux x86_64
- MySQL 5.6.25
- Apache Tomcat 7.0.70
- Liferay 6.2.5 CE GA6
1. Setup application server
We strongly recommend using the version 1.7_80 (known issues with earlier versions) which is the latest public update of the JDK 1.7 as some of OpenNCP component are not fully compatible with the JDK 1.8.
The software components are able to run on all Java application servers, but we recommend you to install them at an Apache Tomcat instance.
You can download it at http://tomcat.apache.org/ and you should use Tomcat version 7 (version 8 is still not supported).
To perform the installation of the server you may also follow this instructions: http://tomcat.apache.org/tomcat-7.0-doc/setup.html (for Apache Tomcat 7.0)
Don't forget to give execution permission to the files in the bin folder. Also, add the JDBC connector (JAR file) of your database to your Tomcat's lib folder.
You must check if you have some other service running in Tomcat's default ports (defined in its conf/server.xml file) and change them if you do.
You need to define JNDI DataSources to the Apache Tomcat configuration. This is done in the conf/context.xml file. Here is an example file for Tomcat 6.0: context.xml. Just add the definition of the JNDI data sources and change the connection string depending on the DBMS you're using (for MySQL there's no need to change). We'll configure each one of them as we progress through the installation (keep them commented and uncomment when you configure).
For more background information and configuration tips on the JNDI please refer to this JIRA:
2. Adjust configuration parameters
First, you'll need to have a folder named "epsos-configuration" that will hold your configuration files (you can take a quick look at the last step of the guide to see a recommended folder structure for the NCP). The folder is provided hereafter as a zipped file:
Folder content:
/epsos-configuration |-- /ATNA_resources |-- /audit-backup |-- /EADC_resources |-- /forms |-- /TM_resources |-- configmanager.hibernate.xml |-- hcer.properties |-- ISO_3166-1.xml |-- pn-oid.xml |-- tm.properties +-- tsam.properties
All the provided files will be used and configured in this manual.
At this step you need to add entries to your country at pn-oid.xml.
OIDs were defined within epSOS-I. It seems that the root used (2.16.17) is not officially assigned. Was it defined by IHE Services? Then we simply incremented the 8xx number for each country (2.16.17.710.8xx.1000.990.1). At the end, at least for PRODUCTION, each country should get (buy) its own OID from HL7.
The sharing of International Search Masks (forms folder) is a manual process. Currently they're being shared by email between OpenNCP adopters. The central services could be used for that, using their public folder at: https://webgate.ec.europa.eu/ehealth/tsl/common_files/
Then set the EPSOS_PROPS_PATH environment variable to the path of configuration files folder. You can do this by executing the following command in the terminal window:
export EPSOS_PROPS_PATH=/opt/epsos-configuration/
For more information about environment variables, you can check: https://help.ubuntu.com/community/EnvironmentVariables for Ubuntu, but that can be applicable to other distros.
2.1 Configuration Manager Database
The bulk of NCP configuration properties (i.e. countries endpoints, truststore locations, and others) is stored in the Configuration Manager database.
The "Setup" section of Configuration Manager explains how to create a database and a hibernate configuration file.
(If you already have an existent setup with the old configuration files - epsos.properties and others - you can also follow the "How To Migrate" section. If you are doing a fresh install please ignore this line.)
2.2 Creation of certificates
You can find more details on how to create epSOS certificates here.
After that, you need to add a new Connector to your Tomcat's conf/server.xml file, in order to configure SSL connections to use the generated keystores and certificates:
<Connector port="PORT" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="true" sslProtocol="TLS" keyAlias="service.provider.certificate.alias" keystoreFile="/path/to/your/service-provider-keystore.jks" keystorePass="testKS" truststoreFile="path/to/your/truststore.jks" truststorePass="changeit"/>
- port: should be the port that you want to use for SSL connections. It'll be the port where your web services (PatientIdentification, Consent, etc.) will be exposed;
- keyAlias: your service provider certificate alias;
- keystoreFile: the path to your service provider keystore. This means that your Tomcat will act as a service provider;
- keystorePass: your service provider keystore password;
- truststoreFile: the path to your truststore. This means that your Tomcat will only accept connections from your trusted third-parties;
- truststorePass: your truststore password.
If you are using self-signed certificates, you have to set the property clientAuth to false into the Tomcat Connector node defined just above in order to bypass the security restriction related to the certificate issuer.
Then, you should restart your Tomcat instance for the changes to take effect.
2.3 NCP First-Time Configuration Utility
To facilitate the process of setting up your NCP instance, you can use a special utility to populate your database with the basic required parameters, related to your scenario.
To do that you just need to fill a provided unfilled properties file according to your scenario, configure the database connection file and execute the utility JAR.
You must have the properties database (with no tables) already created, before using this utility.
Find the JAR file in section 3.1 of this manual. You can download the properties and database files here:
Once you have run the utility with success, you may delete both files and the JAR and check if the database was correctly filled, using the appropriate database administration tool.
Be aware that this configuration utility will ignore properties with no value set, so these ones should be added manually to your database.
Note: properties should not use environment variables like '$EPSOS_PROPS_PATH/...'. Instead, the full path should be used.
A full list of the OpenNCP properties can be found here: OpenNCP properties
The following table also provides some important information about the central services (for configurations and terminologies):
Service | Mode | URL | Port |
---|---|---|---|
SFTP | PPT | sftp://fts.ec.europa.eu | 22 |
SFTP | PROD | sftp://fts.ec.europa.eu | 22 |
TSAM | PPT | Currently not available. | |
TSAM | PROD | Currently not available. | |
TSL | PPT | https://webgate.acceptance.ec.europa.eu/ehealth/tsl/ | None |
TSL | PROD | https://webgate.ec.europa.eu/ehealth/tsl/ | None |
3. Install and setup components
3.1 OpenNCP artifacts
In order to install OpenNCP, you must obtain the following artifacts (please use the latest versions for each component):
- First-Time Configuration Utility: https://joinup.ec.europa.eu/nexus/content/repositories/releases/eu/europa/ec/joinup/ecc/ncp-configuration-util/
- TRC-STS (WAR): https://joinup.ec.europa.eu/nexus/content/repositories/releases/eu/europa/ec/joinup/ecc/epsos-trc-sts/
- TSL-Sync (WAR / JAR): https://joinup.ec.europa.eu/nexus/content/repositories/releases/eu/europa/ec/joinup/ecc/epsos-tslutils/epsos-tsl-sync/
- TSAM-Sync (JAR): https://joinup.ec.europa.eu/nexus/content/repositories/releases/eu/europa/ec/joinup/ecc/epsos-tsam-sync/
- Server Side - NCP-A (WAR): https://joinup.ec.europa.eu/nexus/content/repositories/releases/eu/europa/ec/joinup/ecc/epsos-protocol-terminators/epsos-ncp-server/epsos-ws-server/
- Client Side - NCP-B (WAR): https://joinup.ec.europa.eu/nexus/content/repositories/releases/eu/europa/ec/joinup/ecc/epsos-protocol-terminators/epsos-ncp-client/epsos-client-connector/
- OpenATNA (WAR): https://joinup.ec.europa.eu/nexus/content/repositories/releases/eu/europa/ec/joinup/ecc/epsos-openatna/openatna-web/
- Portal (WAR): https://joinup.ec.europa.eu/nexus/content/repositories/releases/eu/europa/ec/joinup/ecc/openncp-portal/
- TSAM-Exporter (JAR): https://joinup.ec.europa.eu/nexus/content/repositories/releases/eu/europa/ec/joinup/ecc/epsos-cdadisplaytool/epsos-tsamexporter/
- TSL-Editor (JAR): https://joinup.ec.europa.eu/nexus/content/repositories/releases/eu/europa/ec/joinup/ecc/epsos-tslutils/epsos-tsl-editor/
- RichClient - eID Level 1 (JAR): https://joinup.ec.europa.eu/nexus/content/repositories/releases/eu/europa/ec/joinup/ecc/org/openecard/richclient/
3.2 TRC-STS
The main purpose of this component it to generate and return security assertions on demand. It is a WAR application that will run also on your Application Server instance.
In order to install it, you will need to obtain the artifact, named epsos-TRC-STS-X.X.X.war, then it is advised to rename it to just TRC-STS.war (so the database property of the exposed service remains the same between different versions of TRC-STS).
Before the deploy, configure the jdbc/ConfMgr data source in your Tomcat conf/context.xml to connect to your epSOS properties database.
Next you can just deploy it in your Application Server instance. You can follow this instructions for Tomcat 7: http://tomcat.apache.org/tomcat-7.0-doc/deployer-howto.html
This will deploy the Secure Token Service at http://<hostname>:<port>/TRC-STS/STSServiceService , where <hostname> and <port> are the hostname or IP address of the machine Tomcat is running and the port Tomcat is using (you can check it in Tomcat's conf/server.xml file).
After that, you can add/update the property "secman.sts.url" at your NCP properties database with the aforementioned URL.
3.3 TSL (Trusted Service List)
OpenNCP instances need to share their configurations (endpoints, certificates, etc) with each other. The current way to do this is by placing those configurations in the central services, providing a specific kind of file: the TSL file. Each country needs to create a TSL file with its configuration and upload it to the central services. This can be done with the help of the TSL-Editor. Each country can download these files from the central services and update their local installation by running the TSL-Sync.
3.3.1 TSL Files
The complete specification of the TSL files and its usage in the eHealth domain (the specific fields and values to be used) can be found in epSOS Deliverable 3.4.2 - section 4.4 "epSOS Trusted Service List" or in Fraunhofer's Wiki page on epSOS Trust Service List - ETSI TS 102 231 Binding.
3.3.2 TSL-Editor
You can find a video tutorial on how to use the TSL-Editor in the following attachment: Webinar TSL-Editor & SyncApp (name of file: 3_Massi_webminar_TSL-Editor. It has to be run with Netviewer_NetPlayer, also provided in the folder). In this other attachment - TSL-Editor 2.3 -, you can find some old version of TSL-Editor which packages some documentation (namely /Doc/TSL_Creation_SbS.doc) as well as a properties file (/TslEditor2.3/tsleditor.properties) that may be useful.
Regarding the "Distribution point" field, it must point to the current central services provider:
- PPT: https://webgate.acceptance.ec.europa.eu/ehealth/tsl/
- Production: https://webgate.ec.europa.eu/ehealth/tsl/
In order to be able to upload the file to the central services, a pair of SSH keys must be generated, with the public key being sent to the European Commission (DG Sante), whom must also create the username and folder for the country. For more information about DG Sante's contact point on this topic, please leave a request to the OpenNCP Community (for now, use the comments section of this page). The upload path will vary: in PPT environment, it'll be /sftp/<CCC>/PPT ; in Production, it'll be /sftp/<CCC> , with <CCC> being the 3-letter country code, like "GRE" for Greece, "ITA" for Italy, and so on. The uploaded file can be retrieved using the URLs listed above (port: 8445).
The "Server" field in the upload dialog box of TSL-Editor has to contain "https://webgate.acceptance.ec.europa.eu/ehealth/tsl/" for PPT and "https://webgate.ec.europa.eu/ehealth/tsl/" for Production.
It is possible to override TSL-Editor properties by having a "tsleditor.properties" file in the same folder as the JAR file (e.g. to extend the list of supported locales / countries for the Scheme Territory field).
To use the SMP capabilities of TSL-Editor, please check the following tutorial: TSL-Editor: SMP workflow (for configurations management, powered by e-SENS).
3.3.3 TSL-Sync
This component will connect to the central services and fetch all the other countries configuration elements (such as endpoints) to your local properties database, together with all the certificates.
Before running this component, make sure that you already have your trust store and key store created (under your EPSOS_PROPS_PATH, i.e: $EPSOS_PROPS_PATH/cert), together with their passwords and alias.
In order to install this component, you need to download the WAR file, following the link in step 3.1 and deploy it to your server.
Then, according to you configuration. present in the properties database, it will fetch all the central services informations and sync them to your key stores and properties database.
For each country <cc> (2-letter country code) listed in ncp.countries property, it will retrieve the TSL file stored in the country's tsl.location.<cc> property. It reads the TSL file and updates the internal configuration by:
- Writing the web services endpoints to the database;
- Extracting the TLS and VPN certificates, writing their information (serial number and alias) in the database, saving them as .der files in the certificates folder (given by certificates.storepath property) and adding them to the truststore (given by TRUSTSTORE_PATH property);
- Extracting the signature certificate, saving it in the certificates folder and truststore;
- In the end, an audit log is written.
This tool will execute every 5 seconds, you can adjust this time by editing this file, present at the deploy dir:
<application server root>/webapps/epsos-tsl-sync/WEB-INF/classes/quartz_data.xml
Since version 2.8.9 TSL-Sync is also available as a standalone JAR file that should be placed and run (from command-line) in a custom location:
/tsl-sync-custom-location |-- tsl.sync.jar
For compliance with the ATNA Secure Node requirements, this JAR must be associated with a scheduler (e.g., cron), in order to be run with no human intervention.
Additional information is available at TSLSync Home.
3.4 TSAM-Sync
The TSAM-Sync component will connect to HealthTerm repository to fetch your country terminologies and load them in your LTR database.
The OpenNCP community is currently analysing and implementing a new health terms repository solution that should be available soon.
This application is a standalone JAR that can be placed in custom location, together with a required group of folders.
For instance:
tsam-sync-custom-location |-- conf | |-- epsos.properties | |-- hibernate.cfg.xml | |-- log4j.xml | |-- logging.properties | +-- settings.properties |-- lib | +-- jdbc-connector.jar |-- tsam-sync.jar +-- sync.sh
The conf folder will contain several configuration files that you need to adjust to your scenario. Please pay special attention to:
- hibernate.cfg.xml: where you will place your LTR database configuration;
- settings.properties: where you will define your credentials to access HealthTerm servers.
Fill the webservice URL with one of the following, according to the type of environment you're deploying:
PPT: webservice.url = Currently not available.
Production: webservice.url = Currently not available.
The lib folder will contain your JDBC drivers.
In the root folder you will find sync.sh, which is a script to help you pass the required parameters to the JAR execution. This sync.sh script has to be run manually.
Edit log4j reference in sync.sh to:
# $TSAM_DIR should be a script variable that references tsam-sync folder -Dlog4j.configuration=file:///$TSAM_DIR/conf/log4j.xml
You'll need to add the Conet certificate to your JVM's truststore (cacerts). See this link for help on this step.
When you have set up the folder structure you should download the JAR from the repository mentioned in step 3.1 and place it at the folder root - also you may adjust the sync.sh script to match the JAR name.
Before the deploy, configure the jdbc/TSAM data source in your Tomcat conf/context.xml to connect to LTR database (ltrdb).
If you do not have the LTR database already, you can just create it in the same way you create the properties database. Then adjust the TSAM-Sync configuration, present in the conf folder and run the JAR. It will create your tables and fill the database with the terminologies.
You can download the folder contents here:
3.5 Transformation Synchronization Access Manager (TSAM)
In order for the TSAM to work properly, you should setup the tsam.properties file, already provided and located under your EPSOS_PROPS_PATH. You can find an example bellow:
Give special importance to:
Languages
- translationLanguage: here you will place your country language;
- transcodingLanguage: this property will hold the country A language, defined as "en" in epSOS;
Database Setup (you will need to fill these parameters according to the database you created in step 3.4)
- ltr.hibernate.dialect: the dialect used for DB connections
After setting up your config file for TSAM, please add the required library for DB connection, at server lib folder.
You can find more on TSAM implementation here: epSOS_TM_TSAM_implementation_v7.
3.6 Transformation Manager (TM)
This component is used for data transformation from a national language to the epSOS Reference Terminology or for data transformation from the epSOS Reference Terminology to a national language.
In order for the TM to work properly, you should setup the tm.properties file, also provided and located under your EPSOS_PROPS_PATH.
It'll probably suit your needs with the default values, but you can always take a look at it.
You can find an example bellow:
You can find information on TM specifications in TM_specs_v0.7 and on the implementation (helpful to understand the previous properties) in epSOS_TM_TSAM_implementation_v7.
3.7 Automatic Data Collector (eADC)
Automatic data collection is a feature requested to the NCP to provide information to evaluate the epSOS interoperability system performance and to collect statistics on the population using epSOS services.
To setup and install the Automatic Data Collector you can follow the instructions present on the following page: Setup eADC in OpenNCP
3.8 Audit Repository (OpenATNA)
You'll need to deploy the openatna-web WAR to your Tomcat, but before that you need to do the following configurations:
- TLS configuration: parameters in section arr-tls of file $EPSOS_PROPS_PATH/ATNA_resources/ArrConnections.xml have to reflect the values of epsos properties database:
- HostName -> audit.repository.url
- Port (default: 2862) -> audit.repository.port (default: 6514)
- Certificates:
- copy your ServiceProvider.jks and ServiceConsumer.jks keystores into $EPSOS_PROPS_PATH/ATNA_resources/certs and refer to them in $EPSOS_PROPS_PATH/ATNA_resources/ArrConnections.xml (KeyStore --> ServiceProvider.jks and TrustStore --> ServiceConsumer.jks) OR:
- In ArrConnections.xml, point to the keystore and truststore (ServiceProvider.jks and ServiceConsumer.jks, respectively) in $EPSOS_PROPS_PATH/cert/PPT instead of copying those to $EPSOS_PROPS_PATH/ATNA_resources/certs folder and change the passwords (don't use environment variables, use full paths instead).
- Example configuration can be seen in step 4: OpenATNA Home
- Follow step 1 to set up the database: OpenATNA Home.
- In $EPSOS_PROPS_PATH/ATNA_resources/openatna.properties, you will need to change password of the DB and edit ihe.actors.dir to point to the ATNA_resources folder.
- If you want to use the logviewer war, you have to add the openatna.properties files to atna.war/WEB-INF/classes
- If you want to use the logviewer war with MySQL, you have to add the jdbc-connector.jar to atna.war/WEB-INF/lib
- You also may need to extend the MaxPermSize of your Tomcat instance (adding -XX:MaxPermSize=256m to your CATALINA_OPTS)
You should add this line to the TOMCAT setenv.sh script:
JAVA_OPTS="-DopenATNA.properties.path=file:$EPSOS_PROPS_PATH/ATNA_resources/openatna.properties $JAVA_OPTS"
- OpenATNA uses property with name scheduled.time.between.failed.logs.handling.minutes in ConfigurationManager database to define the interval in which OpenATNA checks if some audit log was not persisted. In case these logs are found, they will be attempted to re-persist. The default value is 60 (minutes).
- Configure epsos properties to write test audits (see step 5: OpenATNA Home)
Now you can deploy the WAR file in your Tomcat. If everything is OK your OpenATNA database structure should've been created and you should see the following lines at the end of the OpenATNA log file:
Starting OpenATNA service.. TLS Server running on port:2862 UDP server started on port 2861
3.9 Server Side (NCP-A)
At this moment you probably have all the configurations finished and correctly adjusted. So in order to install the Server Side (NCP-A) you will need to obtain the artifact named epsos-ws-server-X.X:X.war, as explained in step 3.1.
It is advised to rename the file to simply epsos-ws-server.war, then you should deploy it on your Tomcat instance (to deploy the application you may follow this instructions: http://tomcat.apache.org/tomcat-7.0-doc/deployer-howto.html for Tomcat 7).
In case you change the default port, you have to modify the WEB-INF/conf/axis2.xml file to reflect the change (default: port 8080 / 8443). If not, and according to the configuration made in section 2.2, your web services will be exposed in the following URLs:
- https://<hostname>:<SSLport>/epsos-ws-server/services/XCPD_Service
- https://<hostname>:<SSLport>/epsos-ws-server/services/XCA_Service
- https://<hostname>:<SSLport>/epsos-ws-server/services/XDR_Service
- And so on.
In order to implement a National Connector to connect OpenNCP to your National Infrastructure, you have to develop some services. OpenNCP Bitbucket provides a skeleton where you can start to work: epsos-nc-mock-it.
The following page provides some guidance on this task: National Connector Implementation.
3.10 Client Side (NCP-B)
For client side it is used the same approach used in Server side. You should download the artifact named: epsos-client-connector-X.X.X.war, as explained in Step 3.1.
It is also advised to rename the file to just epsos-client-connector.war, then you should deploy it on your Tomcat instance (to deploy the application you may follow this instructions: http://tomcat.apache.org/tomcat-7.0-doc/deployer-howto.html for Tomcat 7).
In case you change the default port, you have to modify the WEB-INF/conf/axis2.xml file to reflect the change (default: port 8080 / 8443). If not, the following web service that allows the Portal to communicate with the OpenNCP will be exposed:
- http://<hostname>:<port>/epsos-client-connector/services/ClientConnectorService
3.11 OpenNCP Portal or epSOS-Web
At this point, you'll either install OpenNCP Portal or epSOS-Web. OpenNCP Portal is the reference implementation and should be your choice in case you're following this manual and want to use the eID capabilities. epSOS-Web requires a set of different properties in the database. CDA Display Tool shall be used in both cases.
3.11.1 OpenNCP Portal
To install the OpenNCP Portal, you may follow the provided instructions, available at:
3.11.2 epSOS-Web
To install epSOS-Web follow the instructions available at: epSOS-Web Get Started.
3.11.3 CDA Display Tool (TSAM-Exporter)
In order to correctly translate the CDA, you must run the TSAM-Exporter (make sure you have fetched your country terminologies into your LTR database): TSAM Exporter.
4. Database Logging
You can see how to setup database logging for several components in the following link: How to configure Database Appender for logging purposes to OpenNCP.
5. Final Considerations
After performing the installation of all components you may end with this sample folder setup (considering that we placed all the files under the /opt folder):
/opt |-- /apache-tomcat-7.X.XX | |-- /bin | +-- /conf | |-- context.xml | |-- /logs | |-- /temp | |-- /work | +-- /webapps | |-- /epsos-client-connector | |-- /epsos-ws-server | |-- /TRC-STS | +-- /atna |-- /tsam-sync | |-- /conf | | |-- epsos.properties | | |-- hibernate.cfg.xml | | |-- log4j.xml | | |-- logging.properties | | +-- settings.properties | |-- /lib | | +-- jdbc-connector.jar | |-- tsam-sync.jar | +-- sync.sh |-- /tsl-sync | |-- epsos-tsl-sync.jar |-- /tsam-exporter | |-- epsos-tsamexporter.jar | |-- logging.properties | |-- run.sh | +-- settings.properties +-- /epsos-configuration |-- /ATNA_resources |-- /cert |-- /EADC_resources |-- /EpsosRepository |-- /forms |-- /TM_resources |-- configmanager.hibernate.xml |-- hcer.properties |-- pn-oid.xml |-- ISO_3166-1.xml |-- tm.properties +-- tsam.properties
Please do not forget to leave suggestions or expose your doubts at the comments section of this page.