Difference between revisions of "OpenVistA-CIS client package"
Perspectoff (talk | contribs) (→Connect OpenVistA-CIS to a server through an SSH tunnel) |
(Added glossary link to Configuration~) |
||
(86 intermediate revisions by one other user not shown) | |||
Line 1: | Line 1: | ||
The [https://medsphere.org/community/project/openvista-cis Medsphere OpenVista-CIS] package is a modification of CPRS which has image viewing and other commercial ehancements added. (See [http://medsphere.org/community/project this] for a list of all Medsphere projects.) | The [https://medsphere.org/community/project/openvista-cis Medsphere OpenVista-CIS] package is a modification of CPRS which has image viewing and other commercial ehancements added. (See [http://medsphere.org/community/project this] for a list of all Medsphere projects.) | ||
− | It uses the [http://en.wikipedia.org/wiki/.NET_Framework .NET framework] in Windows or the [http://en.wikipedia.org/wiki/Mono_%28software%29 MONO framework] in Linux. There are versions for both platforms. | + | It uses the [http://en.wikipedia.org/wiki/.NET_Framework .NET framework] in Windows or the [http://en.wikipedia.org/wiki/Mono_%28software%29 MONO framework] in Linux. (There are versions for both platforms. Mac users may be able to adapt the Linux version.) OpenVistA-CIS was developed on the [http://en.wikipedia.org/wiki/GTK%2B Gtk] platform (a widely-used Linux development platform). |
== Installation on Windows == | == Installation on Windows == | ||
Line 11: | Line 11: | ||
*If using Windows VistA or Windows 7, see [http://medsphere.org/message/3233;jsessionid=CD2ABE32FE1934D62D9D1654A3C35409.node0 this troubleshooting thread]. | *If using Windows VistA or Windows 7, see [http://medsphere.org/message/3233;jsessionid=CD2ABE32FE1934D62D9D1654A3C35409.node0 this troubleshooting thread]. | ||
− | *If using an Astronaut OpenVistA server package, it is easiest to start OpenVistA-CIS using the [[Astronaut_CPRS_client_package#Using_Astronaut_with_OpenVistA-CIS|Astronaut shortcut]]. | + | *If using an Astronaut OpenVistA server package, it is easiest to start OpenVistA-CIS using the [[Astronaut_CPRS_client_package#Using_Astronaut_with_OpenVistA-CIS|Astronaut shortcut]]. Also see the section on [[Astronaut_CPRS_client_package#Use_an_SSH_keypair_instead_of_password_authentication|using an SSH keypair instead of password authentication]]. |
== Installation on Linux == | == Installation on Linux == | ||
− | (These instructions are oriented towards Ubuntu/Kubuntu users). | + | (These instructions are oriented towards Ubuntu/Kubuntu users). For more information about the required dependencies see [http://medsphere.org/docs/DOC-1411 this Medsphere forum page]. |
*Install the Mono platform and other required dependencies in Ubuntu 9.10 (Karmic): | *Install the Mono platform and other required dependencies in Ubuntu 9.10 (Karmic): | ||
:* mono-runtime | :* mono-runtime | ||
Line 24: | Line 24: | ||
:* libmono-system-runtime2.0-cil | :* libmono-system-runtime2.0-cil | ||
− | You can install all of the dependencies at once | + | You can install all of the dependencies at once: |
sudo apt-get install mono-runtime libmono-corlib2.0-cil libgtk2.0-cil libglade2.0-cil libmono-cairo2.0-cil libmono-winforms2.0-cil libmono-system-runtime2.0-cil | sudo apt-get install mono-runtime libmono-corlib2.0-cil libgtk2.0-cil libglade2.0-cil libmono-cairo2.0-cil libmono-winforms2.0-cil libmono-system-runtime2.0-cil | ||
− | *Create directories and | + | *Create directories then download and unzip the [http://sourceforge.net/projects/openvista/files/ OpenVistA-CIS] binaries into them: |
− | mkdir | + | mkdir /etc/''openvistacisclient'' |
− | cd | + | cd /etc/''openvistacisclient'' |
wget <nowiki>http://sourceforge.net/projects/openvista/files/OpenVista%20CIS/1.0%20RC2/openvistacis-0.9.96-client.zip/download</nowiki> | wget <nowiki>http://sourceforge.net/projects/openvista/files/OpenVista%20CIS/1.0%20RC2/openvistacis-0.9.96-client.zip/download</nowiki> | ||
− | mkdir | + | unzip openvistacis-0.9.96-client.zip |
− | cd | + | |
+ | :and | ||
+ | |||
+ | mkdir /etc/''openvistacisvitals'' | ||
+ | cd /etc/''openvistacisvitals'' | ||
wget <nowiki>http://sourceforge.net/projects/openvista/files/OpenVista%20CIS/1.0%20RC2/openvistacis-0.9.96-vitals.zip/download</nowiki> | wget <nowiki>http://sourceforge.net/projects/openvista/files/OpenVista%20CIS/1.0%20RC2/openvistacis-0.9.96-vitals.zip/download</nowiki> | ||
+ | unzip openvistacis-0.9.96-vitals.zip | ||
− | + | Note: You could also install the clients in ''~/openvistaclients'' (or /home/''user''/''openvistaclients'') if you don't have root privileges on your system. | |
− | |||
− | |||
− | |||
− | |||
*Run (or create a shortcut to run) the OpenVistA-CIS client: | *Run (or create a shortcut to run) the OpenVistA-CIS client: | ||
− | cd | + | cd /etc/''openvistacisclient'' |
mono OpenVistaCIS.exe --server=''myserver.mydomain.org'' --port=''9260'' | mono OpenVistaCIS.exe --server=''myserver.mydomain.org'' --port=''9260'' | ||
:and the OpenVistA-CIS Vitals module: | :and the OpenVistA-CIS Vitals module: | ||
− | cd | + | cd /etc/''openvistacisvitals'' |
mono OpenVistaVitals.exe --server=''myserver.mydomain.org'' --port=''9260'' | mono OpenVistaVitals.exe --server=''myserver.mydomain.org'' --port=''9260'' | ||
− | The options --server=''myserver.mydomain.org'' and --port=''9260'' are not required, but if not included in the command-line, the user will be prompted to enter them. (Medsphere uses default port 9201, but Astronaut OpenVistA server uses default port 9260.) | + | The options --server=''myserver.mydomain.org'' and --port=''9260'' are not required, but if they are not included in the command-line, the user will be prompted to enter them. (Medsphere uses default port 9201, but the Astronaut OpenVistA server uses default port 9260.) |
Note: If running from a menu item shortcut, make sure you set the directory as the workpath: | Note: If running from a menu item shortcut, make sure you set the directory as the workpath: | ||
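Review bot: the added unzip lines (unzip openvistacis-0.9.96-client.zip and unzip openvistacis-0.9.96-vitals.zip) will not find the archives, because each preceding wget URL ends in /download and wget names the saved file after the last component of the URL. Name the output explicitly, for example with wget -O openvistacis-0.9.96-client.zip followed by the URL. Separately, the new mkdir /etc/openvistacisclient and mkdir /etc/openvistacisvitals lines need root, yet they are shown without sudo while the apt-get line above uses it. /etc is also conventionally for configuration rather than program binaries, so the note that offers ~/openvistaclients could be the primary path, or the text could say that these commands are run as root.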
Line 55: | Line 56: | ||
:-> General -> Name: OpenVistA-CIS Client | :-> General -> Name: OpenVistA-CIS Client | ||
:-> Command: mono OpenVistaCIS.exe --server=''myserver.mydomain.org'' --port=''9260'' | :-> Command: mono OpenVistaCIS.exe --server=''myserver.mydomain.org'' --port=''9260'' | ||
− | :-> Advanced -> Work path: ''~/ | + | :-> Advanced -> Work path: /etc/''openvistacisclient'' |
+ | |||
+ | :and | ||
+ | |||
+ | :Menu Editor -> New item | ||
+ | :-> General -> Name: OpenVistA-CIS Vitals | ||
+ | :-> Command: mono OpenVistaVitals.exe --server=''myserver.mydomain.org'' --port=''9260'' | ||
+ | :-> Advanced -> Work path: /etc/''openvistacisvitals'' | ||
+ | |||
+ | Note: Menu items and shortcuts do not allow the use of the ~ symbol. You must use the full name of the directory (i.e. /home/''user''/openvistaclients) if you have installed into your user directory. | ||
=== Connect OpenVistA-CIS to a server through an SSH tunnel === | === Connect OpenVistA-CIS to a server through an SSH tunnel === | ||
− | These instructions are for Linux. If using Windows, use the [[Astronaut_CPRS_client_package#Using_Astronaut_with_OpenVistA-CIS|Astronaut CPRS package]], which has a PuTTY utility and Astronaut SSH shortcut to initiate the SSH tunnel as well as a shortcut (stub) to start the OpenVistA-CIS Client. | + | These instructions are for Linux. If using Windows, use the [[Astronaut_CPRS_client_package#Using_Astronaut_with_OpenVistA-CIS|Astronaut CPRS package]] (after installing OpenVistA-CIS separately), which has a PuTTY SSH utility and Astronaut SSH shortcut to initiate the SSH tunnel, as well as a shortcut (stub) to start the OpenVistA-CIS Client. A full list of SSH commands is [http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1 here]. |
− | * | + | *Start the SSH tunnel to the remote server. (''remoteserver.computer.xyz'' can be either a URL or an IP address.) |
<!---> ssh -C remote.computer.xyz -p 11022 -l joe.friday<---> | <!---> ssh -C remote.computer.xyz -p 11022 -l joe.friday<---> | ||
ssh -l client9260 -L 9201:127.0.0.1:9260 ''remoteserver.computer.xyz'' -p ''22'' | ssh -l client9260 -L 9201:127.0.0.1:9260 ''remoteserver.computer.xyz'' -p ''22'' | ||
− | This command uses the client9260 SSH user (the default on the Astronaut OpenVistA server), the local 9201 port (default on OpenVistA-CIS clients), the remote 9260 port (the default on the Astronaut OpenVistA server), and the SSH 22 port (the default). Any of these can be changed, of course (depending on your configuration). | + | This command uses the client9260 SSH user (the default on the Astronaut OpenVistA server), the local 9201 port (default on OpenVistA-CIS clients), the remote 9260 port (the default on the Astronaut OpenVistA server), and the SSH 22 port (the default). Any of these can be changed, of course (depending on your [[configuration~|Configuration]]). |
− | Note: This method requires a password authentication | + | Note: This method requires a password authentication manually in a command-line terminal, so if a corresponding Menu item / shortcut for this command is created, make sure the ''Advanced -> Run in terminal'' option is ticked. |
− | *Start the OpenVistA-CIS Client: | + | *Start the OpenVistA-CIS Client (as in the preceding section): |
− | mono OpenVistaCIS.exe --server= | + | mono OpenVistaCIS.exe --server=127.0.0.1 --port=9201 |
==== Automated SSH password authentication script ==== | ==== Automated SSH password authentication script ==== | ||
− | + | *Install the expect utility: | |
+ | sudo apt-get install expect | ||
− | == | + | *If your password is still set at the Astronaut SSH default (i.e. ''not#1sostrong''), then use this command to start the SSH tunnel: |
+ | expect -c 'spawn ssh -l client9260 -L 9201:127.0.0.1:9260 ''remoteserver.computer.xyz'' -p ''22''; expect assword ; send "''not#1sostrong''\n" ; interact' | ||
+ | |||
+ | :Obviously use the values that correspond to your own setup. | ||
+ | |||
+ | *I place this command in a Menu Item / Shortcut that I name ''Astronaut SSH'' (to keep it consistent with the Astronaut shortcut-naming scheme used elsewhere). It seems to run for me properly only if the ''Advanced -> Run in terminal'' option is also ticked. | ||
+ | |||
+ | *Start the OpenVistA-CIS Client (as in the preceding section): | ||
+ | mono OpenVistaCIS.exe --server=127.0.0.1 --port=9201 | ||
+ | |||
+ | ==== SSH tunnel using a key pair ==== | ||
+ | Password authentication (as in the previous step) is not a preferred method of routine SSH connection, as it leaves the SSH server exposed to [http://en.wikipedia.org/wiki/Password_cracking#Brute_force_attack brute force password cracking] attempts. | ||
+ | |||
+ | The preferred method is to generate a [http://en.wikipedia.org/wiki/Public-key_cryptography public/private authentication key pair] and store the keys on the server and client. | ||
+ | |||
+ | See the [http://sial.org/howto/openssh/publickey-auth/ OpenSSH] instructions for generating and using key pairs, or see the [https://help.ubuntu.com/9.10/serverguide/C/openssh-server.html Ubuntu Server manual] or the [http://ubuntuguide.org/wiki/Ubuntu:Karmic#Setup_an_SSH_server Ubuntuguide simplified instructions]. (Remember that an OpenSSH server was installed as a pre-requisite to installing the Astronaut OpenVistA server.) | ||
+ | |||
+ | [http://en.wikipedia.org/wiki/Ssh-agent SSH-agent] provides another method of storing a passphrase in a key pair. | ||
+ | |||
+ | *To further secure the SSH tunnel and restrict it only to the Astronaut VistA SSH users (client9260 and text9260), the VistA server can be set to accept only those two users for SSH. See [http://ubuntuguide.org/wiki/Ubuntu:Feisty#How_to_limit_the_user_accounts_that_can_connect_through_ssh_remotely How to limit the user accounts that can connect through SSH remotely]. | ||
+ | |||
+ | *In brief, on a '''client''' machine generate a key pair (by default, a 2048-bit RSA key pair is created): | ||
+ | ssh-keygen | ||
+ | |||
+ | :*Accept the default location for the key file ( /home/''user''/.ssh/id_rsa ). | ||
+ | :*Leave the passphrase empty | ||
+ | :*Copy the public key ( /home/''user''/.ssh/id_rsa.pub ) to the server that is hosting the VistA server, into the /home/''serveruser''/.ssh (for whichever user is the administrative user for the server -- generally the user that installed the server initially). If the SSH tunnel is (still) set at default port 22, you can copy the key using the utility: | ||
+ | ssh-copy-id ''serveruser''@''remoteserver.computer.xyz'' | ||
+ | |||
+ | :*The ssh-copy-id utility only works over port 22. An alternative if you have changed your SSH port is to copy the /home/''user''/.ssh/id_rsa.pub key to the server manually. On the server make sure the directory /home/''serveruser''/.ssh exists and that there is a file authorized_keys (with write privileges) in that folder. If not, create such a file while logged into the server as ''serveruser'' (the touch command creates an empty file): | ||
+ | mkdir ~/.ssh | ||
+ | cd ~/.ssh | ||
+ | touch authorized_keys | ||
+ | Then concatenate the id_rsa.pub key you have copied to the ~/.ssh folder. (Make sure the owner of id_rsa.pub, after copying, is ''serveruser''.): | ||
+ | cd ~/.ssh | ||
+ | sudo chown ''serveruser'' id_rsa.pub | ||
+ | cat authorized_keys id_rsa.pub >> authorized_keys | ||
+ | |||
+ | *Make sure the OpenSSH server knows to look for the key file. On the VistA server, edit the OpenSSH [[configuration~|Configuration]] file: | ||
+ | sudo nano /etc/ssh/sshd_config | ||
+ | |||
+ | :*Uncomment the line (i.e. remove the # at the beginning of the line): | ||
+ | #AuthorizedKeysFile %h/.ssh/authorized_keys | ||
+ | |||
+ | *Remove the ability to login to the OpenSSH server using a password: | ||
+ | sudo nano /etc/ssh/sshd_config | ||
+ | |||
+ | :*Change the line | ||
+ | #PasswordAuthentication yes | ||
+ | :to | ||
+ | PasswordAuthentication no | ||
+ | |||
+ | *Restart the OpenSSH server: | ||
+ | sudo /etc/init.d/ssh restart | ||
+ | |||
+ | *Now you can [[#Connect_OpenVistA-CIS_to_a_server_through_an_SSH_tunnel|connect securely with an SSH tunnel]] without requiring a password, but only if you login as ''serveruser''. | ||
+ | |||
+ | ssh -l ''serveruser'' -L 9201:127.0.0.1:9260 ''remoteserver.computer.xyz'' -p ''22'' | ||
+ | |||
+ | *I prefer to keep the Astronaut structure, so I copy the keys to a folder for client9260. Again on the VistA server: | ||
+ | sudo mkdir /home/client9260 | ||
+ | sudo mkdir /home/client9260/.ssh | ||
+ | sudo cp /home/''serveruser''/.ssh/* /home/client9260/.ssh/ | ||
+ | sudo chown -R client9260 /home/client9260 | ||
+ | |||
+ | :*This time make sure the OpenSSH server knows the new location to look for the key file. On the VistA server, edit the OpenSSH [[configuration~|Configuration]] file: | ||
+ | sudo nano /etc/ssh/sshd_config | ||
+ | |||
+ | :*Change the appropriate line to: | ||
+ | AuthorizedKeysFile /home/client9260/.ssh/authorized_keys | ||
+ | |||
+ | :and restart the OpenSSH server ( sudo /etc/init.d/ssh restart ). | ||
+ | |||
+ | :*[[#Connect_OpenVistA-CIS_to_a_server_through_an_SSH_tunnel|Connect securely with an SSH tunnel]] without requiring a password: | ||
+ | ssh -l client9260 -L 9201:127.0.0.1:9260 ''remoteserver.computer.xyz'' -p ''22'' | ||
+ | |||
+ | *Now you can connect with a single command | ||
+ | ssh -f -l client9260 -L 9201:127.0.0.1:9260 ''remoteserver.computer.xyz'' -p 22 sleep5; mono /etc/openvistacisclient/OpenVistaCIS.exe --server=127.0.0.1 --port=9201 | ||
+ | |||
+ | :*Alternatively (and probably preferably) you can create a Menu Item / Shortcut either with the command above or with the simpler command: | ||
+ | ssh -f -l client9260 -L 9201:127.0.0.1:9260 ''remoteserver.computer.xyz'' -p 22 sleep5; mono OpenVistaCIS.exe --server=127.0.0.1 --port=9201 | ||
+ | |||
+ | :but with ''Advanced -> Work path:'' /etc/openvistacisclient configured in the Menu Item / Shortcut settings. It is not necessary to have the ''Advanced -> Run in terminal'' box ticked. | ||
− | |||
=== Connect OpenVistA-CIS Client to an Astronaut OpenVistA server on the same computer === | === Connect OpenVistA-CIS Client to an Astronaut OpenVistA server on the same computer === | ||
− | *If you installed the OpenVistA-CIS Client(s) on the same computer as an Astronaut OpenVistA server, and port 9260 is open (in the firewall), you can connect directly: | + | *If you installed the [[#|OpenVistA-CIS Client(s)]] on the same computer as an [[Astronaut_OpenVistA_on_Ubuntu|Astronaut OpenVistA server]], and port 9260 is open (in the [http://ubuntuguide.org/wiki/Ubuntu:All#Firewall firewall]), you can connect directly: |
− | + | mono OpenVistaCIS.exe --server=127.0.0.1 --port=9260 | |
*Use your Access Code / Verify Code as the LoginID / Password ( default at installation for Astronaut systems is sys.admin / vista!123 ). | *Use your Access Code / Verify Code as the LoginID / Password ( default at installation for Astronaut systems is sys.admin / vista!123 ). | ||
+ | == Installation on Mac == | ||
+ | (No current information.) | ||
+ | |||
+ | == Open your firewalls == | ||
+ | Don't forget to open your firewalls '''on both sides''' of the connection. If you are using an SSH tunnel, the port used for SSH (default is 22) must be open in the firewall on both ends of the connection. | ||
+ | |||
+ | If you are connecting (without an SSH tunnel) using port 9260 or 9201 (or another port), make sure the port(s) used are allowed by the firewalls on each side of the connection. | ||
+ | |||
+ | == Connect to a demo server == | ||
=== Connect to the Medsphere Demo server === | === Connect to the Medsphere Demo server === | ||
*Test your setup by connecting to the Medsphere Demo server. Instructions are [http://medsphere.org/docs/DOC-1003 here]. | *Test your setup by connecting to the Medsphere Demo server. Instructions are [http://medsphere.org/docs/DOC-1003 here]. | ||
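Review bot: two of the added commands in the key pair section will not do what the text says. In both single-command lines, "-p 22 sleep5;" is missing a space, so the remote side is asked to run a command named sleep5 and the forwarded port closes before mono can connect; it should read sleep 5. In "cat authorized_keys id_rsa.pub >> authorized_keys" the output file is also listed as an input; "cat id_rsa.pub >> authorized_keys" is what the step describes. Three security points in the same hunk deserve a sentence each in the text. The expect one-liner stores the SSH password in clear text inside a menu shortcut. "Leave the passphrase empty" makes the private key file the only credential. Setting "AuthorizedKeysFile /home/client9260/.ssh/authorized_keys" is a global sshd setting, so it changes where keys are looked up for every account (serveruser and text9260 included), and the preceding "cp /home/serveruser/.ssh/*" copies everything in that directory rather than only authorized_keys.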
Line 92: | Line 193: | ||
:* Port: 9202 for the original demo database | :* Port: 9202 for the original demo database | ||
− | Note: if you're not running the latest version of OpenVista-CIS, you must use --proxy-mode=builtin to connect. | + | Note: if you're not running the latest version of OpenVista-CIS, you must use --proxy-mode=builtin as a command-line option to connect. The demo server no longer runs the bridge. |
*Other OpenVista user accounts include: | *Other OpenVista user accounts include: |
Latest revision as of 17:52, 15 November 2012
The Medsphere OpenVista-CIS package is a modification of CPRS which has image viewing and other commercial enhancements added. (See this for a list of all Medsphere projects.)
It uses the .NET framework in Windows or the Mono framework in Linux. (There are versions for both platforms. Mac users may be able to adapt the Linux version.) OpenVistA-CIS was developed on the Gtk platform (a widely-used Linux development platform).
Installation on Windows
- Download and install the Gtk runtime environment for Windows
- Download and install the OpenVistA-CIS Windows installer
- If using Windows Vista or Windows 7, see this troubleshooting thread.
- If using an Astronaut OpenVistA server package, it is easiest to start OpenVistA-CIS using the Astronaut shortcut. Also see the section on using an SSH keypair instead of password authentication.
Installation on Linux
(These instructions are oriented towards Ubuntu/Kubuntu users). For more information about the required dependencies see this Medsphere forum page.
- Install the Mono platform and other required dependencies in Ubuntu 9.10 (Karmic):
- mono-runtime
- libmono-corlib2.0-cil
- libgtk2.0-cil
- libglade2.0-cil
- libmono-cairo2.0-cil
- libmono-winforms2.0-cil
- libmono-system-runtime2.0-cil
You can install all of the dependencies at once:
sudo apt-get install mono-runtime libmono-corlib2.0-cil libgtk2.0-cil libglade2.0-cil libmono-cairo2.0-cil libmono-winforms2.0-cil libmono-system-runtime2.0-cil
- Create directories then download and unzip the OpenVistA-CIS binaries into them:
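mkdir /etc/openvistacisclient
cd /etc/openvistacisclient
# -O names the saved file; the URL ends in /download, so wget would otherwise save it as "download"
wget -O openvistacis-0.9.96-client.zip http://sourceforge.net/projects/openvista/files/OpenVista%20CIS/1.0%20RC2/openvistacis-0.9.96-client.zip/download
unzip openvistacis-0.9.96-client.zip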
- and
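mkdir /etc/openvistacisvitals
cd /etc/openvistacisvitals
# -O names the saved file; the URL ends in /download, so wget would otherwise save it as "download"
wget -O openvistacis-0.9.96-vitals.zip http://sourceforge.net/projects/openvista/files/OpenVista%20CIS/1.0%20RC2/openvistacis-0.9.96-vitals.zip/download
unzip openvistacis-0.9.96-vitals.zip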
Note: You could also install the clients in ~/openvistaclients (or /home/user/openvistaclients) if you don't have root privileges on your system.
- Run (or create a shortcut to run) the OpenVistA-CIS client:
cd /etc/openvistacisclient
mono OpenVistaCIS.exe --server=myserver.mydomain.org --port=9260
- and the OpenVistA-CIS Vitals module:
cd /etc/openvistacisvitals
mono OpenVistaVitals.exe --server=myserver.mydomain.org --port=9260
The options --server=myserver.mydomain.org and --port=9260 are not required, but if they are not included in the command-line, the user will be prompted to enter them. (Medsphere uses default port 9201, but the Astronaut OpenVistA server uses default port 9260.)
Note: If running from a menu item shortcut, make sure you set the directory as the workpath:
- Menu Editor -> New item
- -> General -> Name: OpenVistA-CIS Client
- -> Command: mono OpenVistaCIS.exe --server=myserver.mydomain.org --port=9260
- -> Advanced -> Work path: /etc/openvistacisclient
- and
- Menu Editor -> New item
- -> General -> Name: OpenVistA-CIS Vitals
- -> Command: mono OpenVistaVitals.exe --server=myserver.mydomain.org --port=9260
- -> Advanced -> Work path: /etc/openvistacisvitals
Note: Menu items and shortcuts do not allow the use of the ~ symbol. You must use the full name of the directory (i.e. /home/user/openvistaclients) if you have installed into your user directory.
Connect OpenVistA-CIS to a server through an SSH tunnel
These instructions are for Linux. If using Windows, use the Astronaut CPRS package (after installing OpenVistA-CIS separately), which has a PuTTY SSH utility and Astronaut SSH shortcut to initiate the SSH tunnel, as well as a shortcut (stub) to start the OpenVistA-CIS Client. A full list of SSH commands is here.
- Start the SSH tunnel to the remote server. (remoteserver.computer.xyz can be either a URL or an IP address.)
ssh -l client9260 -L 9201:127.0.0.1:9260 remoteserver.computer.xyz -p 22
This command uses the client9260 SSH user (the default on the Astronaut OpenVistA server), the local 9201 port (default on OpenVistA-CIS clients), the remote 9260 port (the default on the Astronaut OpenVistA server), and the SSH 22 port (the default). Any of these can be changed, of course (depending on your Configuration).
Note: This method requires the password to be entered manually in a command-line terminal, so if a corresponding Menu item / shortcut for this command is created, make sure the Advanced -> Run in terminal option is ticked.
- Start the OpenVistA-CIS Client (as in the preceding section):
mono OpenVistaCIS.exe --server=127.0.0.1 --port=9201
Automated SSH password authentication script
- Install the expect utility:
sudo apt-get install expect
- If your password is still set at the Astronaut SSH default (i.e. not#1sostrong), then use this command to start the SSH tunnel:
expect -c 'spawn ssh -l client9260 -L 9201:127.0.0.1:9260 remoteserver.computer.xyz -p 22; expect assword ; send "not#1sostrong\n" ; interact'
- Obviously use the values that correspond to your own setup.
- I place this command in a Menu Item / Shortcut that I name Astronaut SSH (to keep it consistent with the Astronaut shortcut-naming scheme used elsewhere). It seems to run for me properly only if the Advanced -> Run in terminal option is also ticked.
- Start the OpenVistA-CIS Client (as in the preceding section):
mono OpenVistaCIS.exe --server=127.0.0.1 --port=9201
SSH tunnel using a key pair
Password authentication (as in the previous step) is not a preferred method of routine SSH connection, as it leaves the SSH server exposed to brute force password cracking attempts.
The preferred method is to generate a public/private authentication key pair and store the keys on the server and client.
See the OpenSSH instructions for generating and using key pairs, or see the Ubuntu Server manual or the Ubuntuguide simplified instructions. (Remember that an OpenSSH server was installed as a pre-requisite to installing the Astronaut OpenVistA server.)
SSH-agent provides another method of handling the passphrase for a key pair.
- To further secure the SSH tunnel and restrict it only to the Astronaut VistA SSH users (client9260 and text9260), the VistA server can be set to accept only those two users for SSH. See How to limit the user accounts that can connect through SSH remotely.
- In brief, on a client machine generate a key pair (by default, a 2048-bit RSA key pair is created):
ssh-keygen
- Accept the default location for the key file ( /home/user/.ssh/id_rsa ).
- Leave the passphrase empty
- Copy the public key ( /home/user/.ssh/id_rsa.pub ) to the server that is hosting the VistA server, into the /home/serveruser/.ssh directory (for whichever user is the administrative user for the server -- generally the user that installed the server initially). If the SSH tunnel is (still) set at default port 22, you can copy the key using the utility:
ssh-copy-id serveruser@remoteserver.computer.xyz
- The ssh-copy-id utility only works over port 22. An alternative if you have changed your SSH port is to copy the /home/user/.ssh/id_rsa.pub key to the server manually. On the server make sure the directory /home/serveruser/.ssh exists and that there is a file authorized_keys (with write privileges) in that folder. If not, create such a file while logged into the server as serveruser (the touch command creates an empty file):
mkdir ~/.ssh
cd ~/.ssh
touch authorized_keys
Then concatenate the id_rsa.pub key you have copied to the ~/.ssh folder. (Make sure the owner of id_rsa.pub, after copying, is serveruser.):
cd ~/.ssh
sudo chown serveruser id_rsa.pub
# append only the new public key; authorized_keys must not also be listed as an input
cat id_rsa.pub >> authorized_keys
- Make sure the OpenSSH server knows to look for the key file. On the VistA server, edit the OpenSSH Configuration file:
sudo nano /etc/ssh/sshd_config
- Uncomment the line (i.e. remove the # at the beginning of the line):
#AuthorizedKeysFile %h/.ssh/authorized_keys
- Remove the ability to login to the OpenSSH server using a password:
sudo nano /etc/ssh/sshd_config
- Change the line
#PasswordAuthentication yes
- to
PasswordAuthentication no
- Restart the OpenSSH server:
sudo /etc/init.d/ssh restart
- Now you can connect securely with an SSH tunnel without requiring a password, but only if you login as serveruser.
ssh -l serveruser -L 9201:127.0.0.1:9260 remoteserver.computer.xyz -p 22
- I prefer to keep the Astronaut structure, so I copy the keys to a folder for client9260. Again on the VistA server:
sudo mkdir /home/client9260
sudo mkdir /home/client9260/.ssh
sudo cp /home/serveruser/.ssh/* /home/client9260/.ssh/
sudo chown -R client9260 /home/client9260
- This time make sure the OpenSSH server knows the new location to look for the key file. On the VistA server, edit the OpenSSH Configuration file:
sudo nano /etc/ssh/sshd_config
- Change the appropriate line to:
AuthorizedKeysFile /home/client9260/.ssh/authorized_keys
- and restart the OpenSSH server ( sudo /etc/init.d/ssh restart ).
- Connect securely with an SSH tunnel without requiring a password:
ssh -l client9260 -L 9201:127.0.0.1:9260 remoteserver.computer.xyz -p 22
- Now you can connect with a single command:
ssh -f -l client9260 -L 9201:127.0.0.1:9260 remoteserver.computer.xyz -p 22 sleep 5; mono /etc/openvistacisclient/OpenVistaCIS.exe --server=127.0.0.1 --port=9201
- Alternatively (and probably preferably) you can create a Menu Item / Shortcut either with the command above or with the simpler command:
ssh -f -l client9260 -L 9201:127.0.0.1:9260 remoteserver.computer.xyz -p 22 sleep 5; mono OpenVistaCIS.exe --server=127.0.0.1 --port=9201
- but with Advanced -> Work path: /etc/openvistacisclient configured in the Menu Item / Shortcut settings. It is not necessary to have the Advanced -> Run in terminal box ticked.
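To check the server-side result of the key pair steps above, the following added example (not part of the original page or of the Astronaut or OpenVistA projects) audits an sshd_config for the three settings this section touches. The sample configurations are constructed, and AllowUsers is assumed to be the directive used to limit SSH logins to client9260 and text9260.

```shell
#!/bin/sh
# Added example: audit the sshd_config settings this section edits.
# All sample configurations below are constructed for illustration.

# Print the effective global value of keyword $2 in config file $1.
# sshd keeps the first value it reads for a keyword, '#' lines are comments,
# and everything after the first "Match" line is conditional, so stop there.
sshd_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == want { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Print one line per finding for config file $1 (no output means no findings).
audit_sshd() {
    pw=$(sshd_value "$1" PasswordAuthentication)
    # A commented-out "#PasswordAuthentication yes" leaves the default (yes).
    if [ "${pw:-yes}" != "no" ]; then
        echo "FAIL PasswordAuthentication is '${pw:-yes (default)}': password guessing is possible"
    fi

    akf=$(sshd_value "$1" AuthorizedKeysFile)
    for path in $akf; do
        case $path in
            *%h*|*%u*) ;;   # per-user token present, each account has its own file
            /*) echo "WARN AuthorizedKeysFile '$path' has no %h or %u: this one file is used for every account" ;;
        esac
    done

    allow=$(sshd_value "$1" AllowUsers)   # assumption: AllowUsers limits the accounts
    if [ -z "$allow" ]; then
        echo "WARN AllowUsers is not set: SSH is not limited to client9260 and text9260"
    fi
}

# Number of findings for config file $1.
count_findings() { audit_sshd "$1" | awk 'END { print NR }'; }

# Constructed sample: both edited lines still commented out.
sample_default() {
    cat <<'EOF'
Port 22
#AuthorizedKeysFile %h/.ssh/authorized_keys
#PasswordAuthentication yes
EOF
}

# Constructed sample: the state reached at the end of this section.
sample_page_final() {
    cat <<'EOF'
Port 22
AuthorizedKeysFile /home/client9260/.ssh/authorized_keys
PasswordAuthentication no
EOF
}

# Constructed sample: per-user key files plus an account allow-list.
sample_hardened() {
    cat <<'EOF'
Port 22
AuthorizedKeysFile %h/.ssh/authorized_keys
PasswordAuthentication no
AllowUsers client9260 text9260
EOF
}

# Demonstration run over the three constructed samples.
for sample in sample_default sample_page_final sample_hardened; do
    cfg=$(mktemp)
    "$sample" > "$cfg"
    echo "== $sample: $(count_findings "$cfg") finding(s) =="
    audit_sshd "$cfg"
    rm -f "$cfg"
done
```

On the VistA server the same functions can be pointed at the live file with audit_sshd /etc/ssh/sshd_config before restarting the OpenSSH server.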
Connect OpenVistA-CIS Client to an Astronaut OpenVistA server on the same computer
- If you installed the OpenVistA-CIS Client(s) on the same computer as an Astronaut OpenVistA server, and port 9260 is open (in the firewall), you can connect directly:
mono OpenVistaCIS.exe --server=127.0.0.1 --port=9260
- Use your Access Code / Verify Code as the LoginID / Password ( default at installation for Astronaut systems is sys.admin / vista!123 ).
Installation on Mac
(No current information.)
Open your firewalls
Don't forget to open your firewalls on both sides of the connection. If you are using an SSH tunnel, the port used for SSH (default is 22) must be open in the firewall on both ends of the connection.
If you are connecting (without an SSH tunnel) using port 9260 or 9201 (or another port), make sure the port(s) used are allowed by the firewalls on each side of the connection.
Connect to a demo server
Connect to the Medsphere Demo server
- Test your setup by connecting to the Medsphere Demo server. Instructions are here.
- Connection Information
- Login ID: PU1234 -> Password: PU1234!!
- Server: openvista.medsphere.org
- Port: 9201 for the newer demo database
- Port: 9202 for the original demo database
Note: if you're not running the latest version of OpenVista-CIS, you must use --proxy-mode=builtin as a command-line option to connect. The demo server no longer runs the bridge.
- Other OpenVista user accounts include:
- MANAGER,SYSTEM: -> access/verify/e-sig: SM1234 / SM1234!! / SM1234
- USER, PHYSICIAN: -> access/verify/e-sig: PU1234 / PU1234!! / PU1234
- USER,NURSE: -> access/verify/e-sig: NU1234 / NU1234!! / NU1234