EHR Connectivity

EHR Connectivity to Ontario eHealth resources.

 

OSCAR conforms to the eHealth Ontario OAuth 2.0 Integration Specification. This allows Health Care Providers (HCPs) with OneID credentials to:

  1. Use Single Sign On (SSO) to OSCAR (log in to OSCAR with a OneID login).

  2. Access and submit EHR resources such as DHIR (Digital Health Immunization Repository) and DHDR (Digital Health Drug Repository).

In order to use this functionality, the clinic needs to engage with eHealth Ontario and/or its OSCAR Service Provider (OSP) to be granted access. eHealth will supply some information that is required to configure OSCAR.

Installation

  1. The HCP contacts eHealth and provides the information required to have a client profile created.

  2. Generate a key pair and provide eHealth with the public key (certificate) so they can validate the JWTs that OSCAR signs.

  3. Update the properties file. Example values are shown below; you will have to set your own.

#OAUTH2 / OneID settings
oneid.enabled=true
oneid.oauth2.enabled=true
oneid.oauth2.authorizeUrl=https://login.pst.oneidfederation.ehealthontario.ca/oidc/authorize
oneid.oauth2.callbackUrl=https://test.oscar.org/oscar/eho/callback.jsp
oneid.oauth2.clientId=OSCAR_EMR_PST_TEST1
oneid.oauth2.tokenUrl=https://login.pst.oneidfederation.ehealthontario.ca/oidc/access_token
oneid.oauth2.audUrl=https://login.pst.oneidfederation.ehealthontario.ca/sso/oauth2/realms/root/realms/idaaspstoidc/access_token
oneid.oauth2.audUrl1=https://provider.ehealthOntario.ca

oneid.enabled and oneid.oauth2.enabled turn on the OneID / OAuth2 workflows. Set authorizeUrl and tokenUrl to the endpoints eHealth gives you, and give eHealth the callback URL when they set up your client profile. The callback URL must be publicly reachable over HTTPS and point at /oscar/eho/callback.jsp under your OSCAR installation; the value configured here has to match the URL registered with eHealth exactly, or the redirect back from OneID will be rejected.

The clientId is assigned by eHealth.

The audUrl values are the audience (aud) values used in the JWTs exchanged with OneID. They are supplied by eHealth and should be entered exactly as given.

oneid.oauth2.keystore=/var/lib/tomcat8/certs/oauth_pst.jks
oneid.oauth2.keystore.password=changeme
oneid.oauth2.keystore.alias=oscar pst
oneid.oauth2.verifyTokens=true
oneid.oauth2.certsUrl=https://login.pst.oneidfederation.ehealthontario.ca/oidc/connect/jwk_uri
oneid.oauth2.logoutUrl=https://login.pst.oneidfederation.ehealthontario.ca/oidc/logout

The keystore holds the private key OSCAR uses to sign the JWT it presents on the back channel (the token request it makes after callback.jsp receives the authorization code); its certificate is the public key handed to eHealth in step 2. keystore.alias must match the alias the key was stored under, and the keystore file should be readable only by the Tomcat user.

verifyTokens, when enabled, checks the signature of every JWT received from OneID against the public keys published at certsUrl (the JWK set). Leave it enabled: with it off, OSCAR would accept tokens whose signatures were never checked. logoutUrl is the OneID endpoint used to end the OneID session when the user logs out.

#used to encrypt parameters for logging in
oneid.encryptionKey=0000000000000000

The encryption key is a 16-character hex string (0-9, A-F). OSCAR uses it to protect the parameters it passes when logging a user in after the OneID callback, so it must be unpredictable: generate your own random value rather than keeping the all-zero example above, and do not share it with anyone.

#gateway settings
oneid.consumerKey=<provided_by_ehealth>
oneid.consumerSecret=<provided_by_ehealth>
oneid.gateway.url=https://provider.pst.ehealthontario.ca/api2/fhir/Immunization
oneid.gateway.keystore=/var/lib/tomcat8/certs/pst.jks
oneid.gateway.keystore.password=changeme
oneid.gateway.dhir.submissionUrl=https://provider.pst.ehealthontario.ca/api2/fhir/$process-message

These are the OAuth consumer key / secret values and the keystore used when connecting to the provider gateway (the HIAL, or Health Information Access Layer, which is the gateway to the EHR resources). oneid.gateway.url is the FHIR Immunization endpoint used for DHIR queries and oneid.gateway.dhir.submissionUrl is the $process-message endpoint used for DHIR submissions. Treat the consumer secret and the keystore password like any other credential: keep the properties file out of version control and readable only by the Tomcat user.

#enable DHIR
dhir.enabled=true

#enable CVC
cvc.url=https://cvc.canimmunize.ca/v3

Certificates

Create a key pair (for JWT signing) in the keystore referenced by oneid.oauth2.keystore, export it to a PKCS#12 (P12/PFX) file, then extract the certificate to send to eHealth. Only the certificate leaves the server; the private key stays in the keystore:

openssl pkcs12 -in yourP12File.pfx -clcerts -nokeys -out publicCert.pem

The command prompts for the P12 password. publicCert.pem then contains the certificate and no private key, which is what eHealth needs to validate the JWTs OSCAR signs.
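A worked version of the whole key-pair procedure, added here as an example and not taken from the OSCAR project or from eHealth. It generates the key pair with openssl, builds the P12, runs the extraction command above, checks that the extracted certificate matches the private key, imports the P12 into the JKS named in the properties (with keytool, if a JDK is present), and then shows what the "signed JWT" from Installation step 2 and the verifyTokens setting amount to by signing an RS256 JWT with the new key and verifying it against the extracted certificate. The alias, clientId and audUrl values are the ones shown on this page; WORKDIR, the self-signed certificate subject, the claim set and the 5-minute lifetime are assumptions made for the example, and the real token request must follow eHealth's specification.

```shell
#!/bin/sh
# Added example for this page (not OSCAR or eHealth code): build the JWT
# signing key pair, extract the certificate for eHealth, and demonstrate
# signing/verifying an RS256 JWT with it. Needs openssl; keytool (JDK) is
# used only for the final JKS import and is skipped if absent.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # assumption: scratch directory
ALIAS="oscar pst"                    # oneid.oauth2.keystore.alias from the page
STOREPASS="changeme"                 # placeholder from the page; use a real secret
CLIENT_ID="OSCAR_EMR_PST_TEST1"      # oneid.oauth2.clientId from the page
AUD_URL="https://login.pst.oneidfederation.ehealthontario.ca/sso/oauth2/realms/root/realms/idaaspstoidc/access_token"

# Installation step 2: key pair + self-signed certificate, wrapped in a PKCS#12
# under the alias OSCAR expects, followed by the page's own extraction command.
make_keypair() {
  openssl req -x509 -newkey rsa:2048 -sha256 -days 730 -nodes \
    -subj "/CN=$CLIENT_ID" \
    -keyout "$WORKDIR/oauth_pst.key" -out "$WORKDIR/oauth_pst.crt" 2>/dev/null
  openssl pkcs12 -export -name "$ALIAS" -passout "pass:$STOREPASS" \
    -inkey "$WORKDIR/oauth_pst.key" -in "$WORKDIR/oauth_pst.crt" \
    -out "$WORKDIR/oauth_pst.p12"
  openssl pkcs12 -in "$WORKDIR/oauth_pst.p12" -clcerts -nokeys \
    -passin "pass:$STOREPASS" -out "$WORKDIR/publicCert.pem"
  # bare public key; below it stands in for the JWK set published at certsUrl
  openssl x509 -in "$WORKDIR/publicCert.pem" -pubkey -noout > "$WORKDIR/public.pem"
}

# Before sending publicCert.pem to eHealth: its public key must match the
# private key that stays in the keystore.
check_pair() {
  a=$(openssl x509 -in "$WORKDIR/publicCert.pem" -noout -pubkey | openssl sha256)
  b=$(openssl pkey -in "$WORKDIR/oauth_pst.key" -pubout | openssl sha256)
  [ "$a" = "$b" ]
}

# The properties point at a JKS file; keytool converts the PKCS#12 into it,
# keeping the alias named by oneid.oauth2.keystore.alias.
import_to_jks() {
  command -v keytool >/dev/null 2>&1 || { echo "keytool not found; skipping JKS import" >&2; return 0; }
  keytool -importkeystore -noprompt \
    -srckeystore "$WORKDIR/oauth_pst.p12" -srcstoretype PKCS12 \
    -srcstorepass "$STOREPASS" -srckeypass "$STOREPASS" -srcalias "$ALIAS" \
    -destkeystore "$WORKDIR/oauth_pst.jks" -deststoretype JKS \
    -deststorepass "$STOREPASS" -destkeypass "$STOREPASS" -destalias "$ALIAS" >/dev/null 2>&1
}

# base64url (RFC 7515): URL-safe alphabet, no padding.
b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }
b64url_decode() {
  s=$(tr '_-' '/+')
  case $(( ${#s} % 4 )) in 2) s="$s==" ;; 3) s="$s=" ;; esac
  printf '%s' "$s" | openssl base64 -d -A
}

# A signed JWT of the kind OSCAR presents to the token endpoint (assumed claim
# set: iss/sub = clientId, aud = audUrl, 5-minute lifetime, random jti).
sign_jwt() {  # usage: sign_jwt private.key  -> prints the compact JWT
  hdr=$(printf '{"alg":"RS256","typ":"JWT"}' | b64url)
  now=$(date +%s)
  pl=$(printf '{"iss":"%s","sub":"%s","aud":"%s","jti":"%s","iat":%s,"exp":%s}' \
       "$CLIENT_ID" "$CLIENT_ID" "$AUD_URL" "$(openssl rand -hex 16)" "$now" "$((now + 300))" | b64url)
  sig=$(printf '%s.%s' "$hdr" "$pl" | openssl dgst -sha256 -sign "$1" | b64url)
  printf '%s.%s.%s' "$hdr" "$pl" "$sig"
}

# What verifyTokens=true boils down to: verify the signature over header.payload
# with the issuer's public key, then check the aud and exp claims. Any failure -> non-zero.
verify_jwt() {  # usage: verify_jwt public.pem token
  h=${2%%.*}; rest=${2#*.}; p=${rest%%.*}; sg=${rest#*.}
  printf '%s' "$sg" | b64url_decode > "$WORKDIR/sig.bin"
  printf '%s.%s' "$h" "$p" | openssl dgst -sha256 -verify "$1" -signature "$WORKDIR/sig.bin" >/dev/null 2>&1 || return 1
  claims=$(printf '%s' "$p" | b64url_decode)
  printf '%s' "$claims" | grep -qF "\"aud\":\"$AUD_URL\"" || return 1
  exp=$(printf '%s' "$claims" | sed -n 's/.*"exp":\([0-9]*\).*/\1/p')
  [ -n "$exp" ] && [ "$exp" -gt "$(date +%s)" ]
}

main() {
  make_keypair
  check_pair
  import_to_jks
  token=$(sign_jwt "$WORKDIR/oauth_pst.key")
  verify_jwt "$WORKDIR/public.pem" "$token"
  echo "JWT verifies; send $WORKDIR/publicCert.pem to eHealth"
}
main
```

Run it with WORKDIR pointing at the certs directory used in the properties (after replacing STOREPASS with a real password); the resulting oauth_pst.jks is what oneid.oauth2.keystore refers to. The verify_jwt function is also a handy way to confirm that a token rejected by OSCAR really is bad: a one-character change to the payload, an aud that does not match audUrl, or an exp in the past all make it return non-zero, which is exactly the class of token verifyTokens=true is there to refuse.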