1. Komponenter

Dette dokument dækker følgende komponenter på NSP:

  • Dokumentregistrerings- og oprettelsesservice

  • Type: Webservice

  • Filnavn: sfsk.war

  • Url: <serverurl>/sfsk

  • Servicecheckurl: <serverurl>/sfsk/status

  • Versionurl: <serverurl>/sfsk/health returnerer en json struktur med denne

2. Konfiguration

2.1.1. Servicekonfiguration

Grundlæggende konfiguration foregår ved redigering i filen sfsk.properties,  der placeres i følgende WildFly modul:

/pack/wildfly8/modules/sds/sfsk/configuration/main/

Moduldefinitionen er at finde i sourcekoden til SFSK under:

/sfsk-war/etc/modules/sds/sfsk/configuration/main/module.xml

I filen skal følgende properties være definerede:

Property

Beskrivelse

sfsk.url.prefix

URL prefix der indsættes i wsdl'er og bruges af dks-servlet.

sfsk.app.nameAnvendes af dks-servlet

iti18.service.endpoint

Endpoint på ITI18-backend.
iti43.service.endpointEndpoint på ITI42-backend.

sfsk.backend.failure.threshold

Tærskel for, hvor mange gang i træk et kald til en backend må fejle, før denne backend betragtes som 'død' af status-siden.

consent.verification.endpointEndpoint til MinSpærring verifikationssnitflade.
consent.hsuid.issuerNavn på 'Issuer' i HSUID-header, der sendes til MinSpærring verifikationssnitflade.
consent.hsuid.system.owner.nameNavn på SystemOwner-attribut i HSUID-header, der sendes til MinSpærring verifikationssnitflade.
consent.hsuid.system.nameNavn på SystemName-attribut i HSUID-header, der sendes til MinSpærring verifikationssnitflade.
consent.hsuid.org.responsible.nameNavn på OrgResponsible-attribut (driftsansvarlig) i HSUID-header, der sendes til MinSpærring verifikationssnitflade.

2.1.2. log4j konfiguration

Log4j konfiguration findes i samme wildfly modul som servicekonfigurationen

Se yderligere opsætning i installationsvejledningen.

3. Log

3.1. Auditlog

Her logges forespørgsler til servicen.

Eksempler:


auditlog_RegistryStoredQuery 
{
  "time": "2021-07-01T07:33:05.616Z",
  "category": "dk.sds.nsp.audit.log.sfsk",
  "audit": {
    "timestamp": "2021-07-01T09:32:59.347+02:00",
    "components": [
      {
        "component": "SFSK",
        "contexts": [
          {
            "context": "DocumentRegistry_RegistryStoredQuery",
            "information": [
              {
                "key": "patient-cpr",
                "type": "RPI",
                "value": "2222222222"
              },
              {
                "key": "værdispring",
                "type": "RPI",
                "value": "false"
              },
              {
                "key": "document_entry.0.homecommunityid",
                "type": "RPI",
                "value": "1.2.208.176.8.1.12"
              },
              {
                "key": "document_entry.0.repositoryid",
                "type": "RPI",
                "value": "1.2.208.176.43210.8.10.12"
              },
              {
                "key": "document_entry.0.documentid",
                "type": "RPI",
                "value": "1.2.208.176.43210.8.10.12^3ae0c14f-723f-422c-9f19-711681ccb461"
              },
              {
                "key": "document_entry.0.typecode",
                "type": "RPI",
                "value": "52460-3"
              },
              {
                "key": "document_entry.1.homecommunityid",
                "type": "RPI",
                "value": "1.2.208.176.8.1.12"
              },
              {
                "key": "document_entry.1.repositoryid",
                "type": "RPI",
                "value": "1.2.208.176.43210.8.10.12"
              },
              {
                "key": "document_entry.1.documentid",
                "type": "RPI",
                "value": "1.2.208.176.43210.8.10.12^124661e5-04a1-478b-b2d9-640cf8360044"
              },
              {
                "key": "document_entry.1.typecode",
                "type": "RPI",
                "value": "PDC"
              }
            ]
          }
        ]
      }
    ]
  },
  "access": {
    "code": 200,
    "duration": 4961,
    "httpHeaders": {
      "Content-Type": "application/soap+xml; charset=UTF-8"
    },
    "httpHost": "localhost",
    "idCardAttributes": {
      "medcom:CareProviderID": "33257872",
      "medcom:CareProviderName": "Sundhedsdatastyrelsen",
      "medcom:ITSystemName": "SFSK",
      "sosi:AuthenticationLevel": "3",
      "sosi:IDCardID": "F5qM/3t3mok2gDB/GAY1Fw==",
      "sosi:IDCardType": "system",
      "sosi:IDCardVersion": "1.0.1"
    },
    "method": "POST",
    "path": "/sfsk/iti18",
    "query": "",
    "port": 8060,
    "protocol": "http",
    "reqSize": 7413,
    "resSize": 10996,
    "soapHeaders": {
      "Issuer": "TEST2-NSP-STS",
      "MessageID": "AAABemD8KLJdrkK40FkOylNPU0k=",
      "NameID": "SubjectDN={SERIALNUMBER=CVR:33257872-FID:28250866 + CN=SFSK (funktionscertifikat), O=Sundhedsdatastyrelsen // CVR:33257872, C=DK},IssuerDN={CN=TRUST2408 Systemtest XXXIV CA, O=TRUST2408, C=DK},CertSerial={1604117906}",
      "w3Action": "urn:ihe:iti:2007:RegistryStoredQuery",
      "w3MessageID": "urn:uuid:104cf5c8-b8d4-499e-bfd1-fa4a1deba449",
      "w3To": "http://localhost:8060/sfsk/iti18"
    },
    "threadId": "default task-1",
    "time": "2021-07-01T09:32:59.321+02:00",
    "stats": {
      "handlerDuration": 1237,
      "RequestContentDuration": 45,
      "ResponseContentDuration": 0,
      "SecurityProtocolRequestDuration": 835,
      "SecurityProtocolResponseDuration": 0,
      "bufferAllocated": true,
      "usedBuffers": 1,
      "activeBuffersInPool": 1,
      "idleBuffersInPool": 0
    }
  }
}
auditlog_RetrieveDocumentSet 
{
  "time": "2021-07-01T07:33:11.443Z",
  "category": "dk.sds.nsp.audit.log.sfsk",
  "audit": {
    "timestamp": "2021-07-01T09:33:10.007+02:00",
    "components": [
      {
        "component": "SFSK",
        "contexts": [
          {
            "context": "DocumentRepository_RetrieveDocumentSet",
            "information": [
              {
                "key": "værdispring",
                "type": "RPI",
                "value": "false"
              },
              {
                "key": "document_entry.0.homecommunityid",
                "type": "RPI",
                "value": ""
              },
              {
                "key": "document_entry.0.repositoryid",
                "type": "RPI",
                "value": "1.1.1"
              },
              {
                "key": "document_entry.0.documentid",
                "type": "RPI",
                "value": "1.2.208.176.43210.8.10.12^91a2307e-f948-4c71-aa69-d72c5e41dac9"
              }
            ]
          }
        ]
      }
    ]
  },
  "access": {
    "code": 200,
    "duration": 1017,
    "httpHeaders": {
      "Content-Type": "multipart/related; type=\"application/xop+xml\"; boundary=\"uuid:ce184aa9-46e0-4dd5-b4d4-3906cc232ed3\"; start=\"<root.message@cxf.apache.org>\"; start-info=\"application/soap+xml\""
    },
    "httpHost": "localhost",
    "idCardAttributes": {
      "medcom:CareProviderID": "33257872",
      "medcom:CareProviderName": "Sundhedsdatastyrelsen",
      "medcom:ITSystemName": "SFSK",
      "sosi:AuthenticationLevel": "3",
      "sosi:IDCardID": "F5qM/3t3mok2gDB/GAY1Fw==",
      "sosi:IDCardType": "system",
      "sosi:IDCardVersion": "1.0.1"
    },
    "method": "POST",
    "path": "/sfsk/iti43",
    "query": "",
    "port": 8060,
    "protocol": "http",
    "reqSize": 7191,
    "resSize": 7940,
    "soapHeaders": {
      "Issuer": "TEST2-NSP-STS",
      "MessageID": "AAABemD8XsT8P8AKfoFPvVNPU0k=",
      "NameID": "SubjectDN={SERIALNUMBER=CVR:33257872-FID:28250866 + CN=SFSK (funktionscertifikat), O=Sundhedsdatastyrelsen // CVR:33257872, C=DK},IssuerDN={CN=TRUST2408 Systemtest XXXIV CA, O=TRUST2408, C=DK},CertSerial={1604117906}",
      "w3Action": "urn:ihe:iti:2007:RetrieveDocumentSet",
      "w3MessageID": "urn:uuid:ad9bc9e1-dced-4ae9-8065-a6d56631cdff",
      "w3To": "http://localhost:8060/sfsk/iti43"
    },
    "threadId": "default task-1",
    "time": "2021-07-01T09:33:10.007+02:00",
    "stats": {
      "handlerDuration": 390,
      "RequestContentDuration": 161,
      "ResponseContentDuration": 0,
      "SecurityProtocolRequestDuration": 184,
      "SecurityProtocolResponseDuration": 0,
      "bufferAllocated": false,
      "usedBuffers": 1,
      "activeBuffersInPool": 1,
      "idleBuffersInPool": 1
    }
  }
}


4. Whitelisting af anvendere

De enkelte anvendere skal whitelistes til at bruge SFSK. Der findes en tabel whitelist til dette formål. Det er anvenders certifikat, der whitelistes.

Følgende eksempel er output fra openssl visning af et PEM encodet certifikat:


$ openssl x509 -in example.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1495058165 (0x591cc6f5)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=DK, O=TRUST2408, CN=TRUST2408 Systemtest XXII CA
        Validity
            Not Before: Aug 29 06:25:19 2018 GMT
            Not After : Aug 29 06:24:05 2021 GMT
        Subject: C=DK, O=Statens Serum Institut // CVR:46837428/serialNumber=CVR:46837428-UID:27910135, CN=Statens Serum Institut - Test VOCES
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:97:4a:f0:06:41:7a:8f:b5:bd:50:49:bf:68:24:
                    b6:3b:94:54:06:88:9b:78:8b:31:cf:59:19:ea:46:
                    9a:89:45:74:15:c4:98:2f:2f:4f:8f:dc:db:44:b6:
                    ce:f9:25:ff:d9:00:50:ef:0a:18:d7:c5:53:8f:ff:
                    66:ff:32:20:ae:f0:ad:c1:36:48:69:66:62:d0:c6:
                    45:35:7e:94:6d:c4:b3:ae:95:b6:1d:3d:7c:0d:17:
                    70:44:8d:05:8e:6d:d4:d0:5b:24:03:19:78:ec:f9:
                    de:2e:6a:77:64:39:59:5c:e2:c4:e0:74:4f:26:23:
                    45:06:f4:f8:50:9c:49:5b:de:af:60:29:38:df:fc:
                    2e:dc:27:c6:19:fc:54:ec:55:b6:77:b6:73:73:19:
                    86:d9:8f:1f:2f:36:e5:9b:de:ca:c7:d1:5d:a7:06:
                    8e:fb:cc:4c:cf:3b:d9:6b:79:c9:eb:80:6f:97:df:
                    c5:69:cd:28:ef:42:7c:84:1d:6a:af:82:38:46:2b:
                    7f:5c:21:71:1f:13:52:f0:a5:97:91:a2:75:98:4c:
                    91:90:0c:88:9b:76:d8:f9:4e:65:c2:54:04:7b:87:
                    a0:ae:c5:dc:12:3e:67:34:ac:59:f0:91:7b:fb:38:
                    76:d5:64:4c:50:96:2d:70:37:0f:41:cb:99:1d:c4:
                    06:43
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Data Encipherment, Key Agreement
            Authority Information Access: 
                OCSP - URI:http://ocsp.systemtest22.trust2408.com/responder
                CA Issuers - URI:http://v.aia.systemtest22.trust2408.com/systemtest22-ca.cer

            X509v3 Certificate Policies: 
                Policy: 1.3.6.1.4.1.31313.2.4.6.3.4
                  CPS: http://www.trust2408.com/repository
                  User Notice:
                    Organization: DanID
                    Number: 1
                    Explicit Text: DanID test certifikater fra denne CA udstedes under OID 1.3.6.1.4.1.31313.2.4.6.3.4. DanID test certificates from this CA are issued under OID 1.3.6.1.4.1.31313.2.4.6.3.4.

            X509v3 Subject Alternative Name: 
                email:testcertifikat@ssi.dk
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://crl.systemtest22.trust2408.com/systemtest221.crl

                Full Name:
                  DirName: C = DK, O = TRUST2408, CN = TRUST2408 Systemtest XXII CA, CN = CRL76

            X509v3 Authority Key Identifier: 
                keyid:AB:A8:01:44:19:B0:B3:43:99:DA:FA:7C:CC:D2:00:18:03:E7:3C:BF

            X509v3 Subject Key Identifier: 
                7F:C5:FF:5C:F1:AC:64:D4:08:1C:BB:65:78:01:D4:78:B6:57:71:0C
            X509v3 Basic Constraints: 
                CA:FALSE
    Signature Algorithm: sha256WithRSAEncryption
         80:c1:84:cd:ea:4f:27:51:33:d5:61:6a:66:b5:5e:54:74:02:
         d6:f8:a7:86:75:45:1a:e4:5a:3b:28:d5:3d:24:7b:cf:91:ef:
         ce:2e:8d:f4:cf:61:1b:2b:ff:c9:54:12:92:a7:53:58:0d:45:
         ba:6d:ec:23:b9:0c:1f:ab:90:d8:de:a6:35:f3:ed:46:63:a3:
         06:a0:8b:53:3a:90:d3:d7:fd:4e:70:2e:fc:68:a4:65:d0:62:
         0c:bd:21:e3:83:32:7b:2d:cf:82:95:53:c6:1e:24:45:62:b1:
         a7:a4:aa:2c:39:60:c3:94:61:b5:ae:5d:30:e3:08:5b:33:89:
         c2:44:59:f5:82:e0:62:73:62:9c:a9:c6:49:6a:a0:d7:a8:af:
         ee:a2:45:fd:20:58:cf:85:5b:5a:b9:9f:49:78:4d:bb:e4:36:
         0c:dc:a3:b0:52:e5:b9:5b:a6:46:0e:70:19:90:c1:96:c5:16:
         d9:d1:52:63:df:a8:95:a4:0c:77:ca:e0:bc:c3:31:f4:1c:95:
         42:0b:c5:17:e4:b5:d3:d7:ef:f7:5b:b0:ef:57:ac:04:ac:f0:
         6c:4a:69:16:d2:ca:35:4a:8e:bb:df:9d:8b:41:80:59:0d:8d:
         cb:e6:88:ce:11:b8:dd:6c:76:99:ac:0b:ed:a9:cb:c3:94:05:
         1d:9c:84:22
-----BEGIN CERTIFICATE-----
MIIGRTCCBS2gAwIBAgIEWRzG9TANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJE
SzESMBAGA1UECgwJVFJVU1QyNDA4MSUwIwYDVQQDDBxUUlVTVDI0MDggU3lzdGVt
dGVzdCBYWElJIENBMB4XDTE4MDgyOTA2MjUxOVoXDTIxMDgyOTA2MjQwNVowgY4x
CzAJBgNVBAYTAkRLMS8wLQYDVQQKDCZTdGF0ZW5zIFNlcnVtIEluc3RpdHV0IC8v
IENWUjo0NjgzNzQyODFOMCAGA1UEBRMZQ1ZSOjQ2ODM3NDI4LVVJRDoyNzkxMDEz
NTAqBgNVBAMMI1N0YXRlbnMgU2VydW0gSW5zdGl0dXQgLSBUZXN0IFZPQ0VTMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAl0rwBkF6j7W9UEm/aCS2O5RU
BoibeIsxz1kZ6kaaiUV0FcSYLy9Pj9zbRLbO+SX/2QBQ7woY18VTj/9m/zIgrvCt
wTZIaWZi0MZFNX6UbcSzrpW2HT18DRdwRI0Fjm3U0FskAxl47PneLmp3ZDlZXOLE
4HRPJiNFBvT4UJxJW96vYCk43/wu3CfGGfxU7FW2d7ZzcxmG2Y8fLzblm97Kx9Fd
pwaO+8xMzzvZa3nJ64Bvl9/Fac0o70J8hB1qr4I4Rit/XCFxHxNS8KWXkaJ1mEyR
kAyIm3bY+U5lwlQEe4egrsXcEj5nNKxZ8JF7+zh21WRMUJYtcDcPQcuZHcQGQwID
AQABo4IC7jCCAuowDgYDVR0PAQH/BAQDAgO4MIGXBggrBgEFBQcBAQSBijCBhzA8
BggrBgEFBQcwAYYwaHR0cDovL29jc3Auc3lzdGVtdGVzdDIyLnRydXN0MjQwOC5j
b20vcmVzcG9uZGVyMEcGCCsGAQUFBzAChjtodHRwOi8vdi5haWEuc3lzdGVtdGVz
dDIyLnRydXN0MjQwOC5jb20vc3lzdGVtdGVzdDIyLWNhLmNlcjCCASAGA1UdIASC
ARcwggETMIIBDwYNKwYBBAGB9FECBAYDBDCB/TAvBggrBgEFBQcCARYjaHR0cDov
L3d3dy50cnVzdDI0MDguY29tL3JlcG9zaXRvcnkwgckGCCsGAQUFBwICMIG8MAwW
BURhbklEMAMCAQEagatEYW5JRCB0ZXN0IGNlcnRpZmlrYXRlciBmcmEgZGVubmUg
Q0EgdWRzdGVkZXMgdW5kZXIgT0lEIDEuMy42LjEuNC4xLjMxMzEzLjIuNC42LjMu
NC4gRGFuSUQgdGVzdCBjZXJ0aWZpY2F0ZXMgZnJvbSB0aGlzIENBIGFyZSBpc3N1
ZWQgdW5kZXIgT0lEIDEuMy42LjEuNC4xLjMxMzEzLjIuNC42LjMuNC4wIAYDVR0R
BBkwF4EVdGVzdGNlcnRpZmlrYXRAc3NpLmRrMIGsBgNVHR8EgaQwgaEwPaA7oDmG
N2h0dHA6Ly9jcmwuc3lzdGVtdGVzdDIyLnRydXN0MjQwOC5jb20vc3lzdGVtdGVz
dDIyMS5jcmwwYKBeoFykWjBYMQswCQYDVQQGEwJESzESMBAGA1UECgwJVFJVU1Qy
NDA4MSUwIwYDVQQDDBxUUlVTVDI0MDggU3lzdGVtdGVzdCBYWElJIENBMQ4wDAYD
VQQDDAVDUkw3NjAfBgNVHSMEGDAWgBSrqAFEGbCzQ5na+nzM0gAYA+c8vzAdBgNV
HQ4EFgQUf8X/XPGsZNQIHLtleAHUeLZXcQwwCQYDVR0TBAIwADANBgkqhkiG9w0B
AQsFAAOCAQEAgMGEzepPJ1Ez1WFqZrVeVHQC1vinhnVFGuRaOyjVPSR7z5Hvzi6N
9M9hGyv/yVQSkqdTWA1Fum3sI7kMH6uQ2N6mNfPtRmOjBqCLUzqQ09f9TnAu/Gik
ZdBiDL0h44Myey3PgpVTxh4kRWKxp6SqLDlgw5Rhta5dMOMIWzOJwkRZ9YLgYnNi
nKnGSWqg16iv7qJF/SBYz4VbWrmfSXhNu+Q2DNyjsFLluVumRg5wGZDBlsUW2dFS
Y9+olaQMd8rgvMMx9ByVQgvFF+S109fv91uw71esBKzwbEppFtLKNUqOu9+di0GA
WQ2Ny+aIzhG43Wx2mawL7anLw5QFHZyEIg==
-----END CERTIFICATE-----

Det er oplysningen subject serialnumber der skal anvendes i til at indsætte i whitelisting tabellen.

Certifikatet whitelistes ved følgende SQL:

SQL til at indsætte certifkatoplysninger i whitelisttabel
INSERT INTO whitelist (subjectserialnumber, note) VALUES ('CVR:46837428-UID:27910135', 'Oprettet fra supportsag ASCP00155779');


5. Overvågning

SFSK udstiller en overvågningsside, som findes i listen af komponenter i afsnit 2.

5.1. 5.1. Fortolkning af HTML overvågningsside

DROS-overvågningssiden returnerer enten:

  • HTTP 200, hvis servicen i øjeblikket kører fint.
  • HTTP 500, hvis der er opstået en fejl der kræver indgriben.

5.2. 5.2. Overvågningstyper

Det overvåges for hver backend, om kaldene til backenden går galt. Det kan konfigureres, hvor mange kald i træk der må gå galt, før en backend betragtes som 'død'.

5.3. Eksempler på status-sider

5.3.1. 200 OK

200 OK
---------------------------------------
STATUS

ITI18 backend alive: true
ITI43 backend alive: true

Det fremgår for hver backend, om kaldene til den går godt eller ej.

5.3.2. 500 Internal Server Error

500 Internal Server Error
---------------------------------------
STATUS

ITI18 backend alive: true
ITI54 backend alive: false

Hvis kaldene til backend ikke kan udføres, så returneres statuskode 500.


  • No labels