The minimum hardware requirements below are suggested for a new DATIM4U implementation. Requirements will be highly dependent upon how you intend to use the DATIM Global implementation and the amount of data being stored and processed.
Quad core CPU
32 GB Memory
At least 500 GB of disk space
Ubuntu 14.04 64-bit
Internet access
Depending upon the need for the environment (testing, production or other need), the installer will need to determine which versions of the OpenHIM and OpenInfoman packaging to install.
Using the following commands, add the necessary software repositories.
sudo add-apt-repository ppa:webupd8team/java sudo add-apt-repository ppa:openhie/release sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv EA312927 (Mongodb key) sudo echo deb http://repo.mongodb.org/apt/ubuntu trusty/mongodb-org/3.2 multiverse | sudo tee /etc/apt/sources.list.d/mongodb-org-3.2.list sudo apt-get update sudo apt-get install nginx sudo wget -P /usr/share/ohie-datim-global/ https://dl.eff.org/certbot-auto sudo chmod a+x /usr/share/ohie-datim-global/certbot-auto sudo /usr/share/ohie-datim-global/certbot-auto certonly --webroot -w /usr/share/nginx/html -d servername sudo apt-get install libxml2 sudo apt-get install libxml2-dev sudo apt-get install oracle-java8-installer |
sudo apt-get install openhim-console |
sudo apt-get install openinfoman sudo apt-get install openinfoman-datim |
External url - https://yourserver:8443
Create/Edit Config files in Nginx
For openhim-console, edit /etc/nginx/sites-available/openhim-console
# Site config for the OpenHIM-console server{ listen 80; return 301 https://$host$request_uri; } server { listen 443 ssl; ssl_certificate /etc/letsencrypt/live/yourglobalserver/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/yourglobalserver/privkey.pem; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; proxy_connect_timeout 36000; proxy_send_timeout 36000; proxy_read_timeout 36000; send_timeout 36000; root /usr/share/openhim-console; index index.html; location / { try_files $uri $uri/ =404; } large_client_header_buffers 4 32k; } |
For openhinfoman, create /etc/nginx/sites-available/openinfoman
server { listen 8443 ssl; ssl_certificate /etc/letsencrypt/live/yourglobalserver/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/yourglobalserver/privkey.pem; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; proxy_connect_timeout 36000; proxy_send_timeout 36000; proxy_read_timeout 36000; send_timeout 36000; location / { proxy_pass http://127.0.01:8984; proxy_buffering off; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $host; proxy_set_header X-NginX-Proxy true; } large_client_header_buffers 4 32k; } |
It is recommended that implementers configure their system to alert systems administrators when transactions fail to exchange. Directions to configure this can be found here: OpenHIM User Guide -> Alerting and Reports -> Failure Alerting.
Depending upon how you obtained your certificates, the certificate files may end in .pem, .crt, .cer or .der. Also note that the administrator will need to ensure that the certificate expiration dates are managed. When the certificate expires, the administrator will need to exchange certificates again. To install certificates from a CA to replace the self-signed certificates generated during installation, perform the following steps:
We support Chrome for the installation and configuration process. The steps for 3.2.2.1 vary significantly when using different browsers as the browsers view the OpenHim as the browsers view the newly installed application as coming from an unverified source until the actual certificate is installed in the OpenHIM. Also we recommend performing Step 3.2.2.1 in an incognito mode.
3.2.2.1 - Login to OpenHim by going to http://GlobalDNSName. (where GlobalDNSName is the DNS name).
Default credentials are: root@openhim.org/openhim-password.
Note: If prompted, click on the "Advanced" (in grey) link, then "proceed..." link. The first time you login you may get the following screen:
This occurs because our installation certificate is self-signed. These and other issues may occur in Safari and Firefox browsers. Follow instructions given on the error message.
3.2.2.2 Click on the "link" in the dialog, a new page will open, click on the "Advanced" (in grey) link, then "proceed..." link. Once the certificate is accepted navigate back to the log in page and sign in again.
Note: If you continue to have issues, you may ask your browser to ignore certificate errors. The steps to do this differs from operating system to operating system. You may also accomplish this by starting your browser with the '--ignore-certificate-errors --test-type’ flag. This can be done by changing chrome properties via chrome (right click) -> properties -> edit 'target' field to add the aforementioned flag.
3.2.2.3 - When logging in, a prompt will appear to change your password. Follow the on-screen directions to complete these steps.
3.2.2.4 - After successful login, on the left sidebar menu, select Certificates to display the certificates interface.
3.2.2.5 - Using the directions on screen, upload your machines's certificate and key. Please note that for "certificate expiration date", -1 does not indicate "never".
The common name should be the DNS of your server or include a wild card that includes your DNS. For example, www.DNSNAME.ohie.org. (where DNSNAME is the DNS name of your node).
Note: If your certificates were generated by the script and you are running that on a remote server then you could get the certificates your machine at yourpath location using the following command.
scp user@datim.example.com:/etc/letsencrypt/live/datim.example.com/* /yourpath .
3.2.2.6 - After uploading both the certificate and the key, the OpenHim will verify that the keys match. Note that the system will notify you that the keys will not match until both files are uploaded.
3.2.2.7 - OpenHim will prompt you to re-start the system. Proceed with the re-start.
The following mediators are used by the Global OpenHim:
git clone
both of the mediators to /usr/share/Copy the openhim-mediator-basicauth-map.conf and openhim-mediator-openinfoman-dhis2-sync.conf from /etc/init/ on the current working global instance to the new instance (this gets the mediator starting up automatically)
# OpenHIM basicauth-map mediator description "OpenHIM basicauth-map mediator" # logs to /var/log/upstart/openhim-mediator-basicauth-map.log console log start on runlevel [2345] stop on runlevel [!2345] respawn setuid openhim setgid openhim script export PATH=/home/openhim/.nvm/versions/node/v0.12.7/bin/:$PATH export NODE_TLS_REJECT_UNAUTHORIZED=0 cd /usr/share/openhim-mediator-basicauth-map exec bash -c "source /home/openhim/.nvm/nvm.sh && nvm use 4 && npm start" end script |
# OpenHIM openinfoman-dhis2-sync mediator description "OpenHIM openinfoman-dhis2-sync mediator" # logs to /var/log/upstart/openhim-mediator-openinfoman-dhis2-sync.log console log start on runlevel [2345] stop on runlevel [!2345] respawn setuid openhim setgid openhim script export PATH=/home/openhim/.nvm/versions/node/v0.12.7/bin/:$PATH export NODE_TLS_REJECT_UNAUTHORIZED=0 cd /usr/share/openhim-mediator-openinfoman-dhis2-sync exec bash -c "source /home/openhim/.nvm/nvm.sh && nvm use 4 && npm start" end script |
sudo start openhim-mediator-basicauth-map
and sudo start openhim-mediator-basicauth-map
# as openhim user sudo su openhim nvm install 4 exit # now as root sudo su source /home/openhim/.nvm/nvm.sh nvm use 4 cd /usr/share/openhim-mediator-openinfoman-dhis2-sync npm install npm run prepublish restart openhim-mediator-openinfoman-dhis2-sync cd /usr/share/openhim-mediator-basicauth-map npm install restart openhim-mediator-basicauth-map |
To install these????
The following channels are used in the DATIM-Global transactions:
To set up the channels you can export the base channel configuration from an existing global instance by using the export page to select the channels you want to configure (depicted below). Then you can select generate export script. This can then be imported into your new system.
3.2.5 Setting up Global OpenHim Clients
The following clients need to be included
The Infoman will need to be configured to have the following documents:
For each OU node that needs to work with DATIM-Global, there needs to be an extract document that contains the current OU country data that will the the source for seeding the node with their DATIM4U sites.
To create the documents use this command: curl -sL -o /dev/null --data "directory=XXOU-Extract” -X POST http://localhost:8984/CSD/createDirectory
To populate each extract document, use these directions: https://wiki.ohie.org/display/resources/How+to+Configure+DATIM+Global#HowtoConfigureDATIMGlobal-ManuallypopulatingtheXXOU-Extractdocument
Increase Timeout and allowed size in nginx.conf
To add nodes as trading partners' follow the following directions for adding a node as a trading partner for each node that this global system will be exchanging data with.
Debug Commands -
To set up the ADX transactions, you will need to create a DHIS2 Account (for ex - system_ug_import is used for Uganda) for importing ADX information in the global DHIS2 system. The DHIS2 Account will need Data Entry SI and Data Exchange roles.
Once the credentials are created in the global DHIS2 system, they need to be mapped in the OpenHIM.
4. Configure the mediator for each node that will be sending ADX messages as follows:
Client ID - This is the node's client id that has already been configured in the OpenHIM. Get this from the Client menu. An example might be "lesotho-DATIM4U"
Username - This is the DHIS2 user name for the account that will be used for that client.
Password - This is the DHIS2 password for the account that was entered in Username.
5. Select "+ Passwords Map" to configure additional nodes.