HealthShare Personal Community Virus Scanner Setup Guide
1. Introduction
The virus scanner is designed to be run on a distinct instance where appropriate antivirus software is installed and where the operating system and network have been configured to isolate the machine appropriately. The service is called by remote clients wishing to scan files.
2. Extending the Virus Scanner Framework (Optional)
Sites may decide to extend the framework to use any preferred virus scanning software.
The specific implementation class should be written to use the HealthShare Configuration Registry for any configuration settings, and should use the following naming conventions for setting names: \VirusScanner\{keyname}\{HSNetworkName}. Note that configuration settings are only editable on the actual Unified Care Record Registry instance. Available Configuration Registry entries are defined in chapter 3.
To create a virus scanning implementation class specific to your anti-virus software, perform the following steps:
- Create a new class that extends the HS.Util.VirusScanner.Implementation class
- Override the PerformScan() method to communicate with the anti-virus software and scan the file specified in the pTempFileName argument
PerformScan() must handle the following:
- Calling the virus scanner. Your anti-virus software may support interactions via SOAP or some other protocol but it is likely that you will need to interact via command line instructions using the $ZF callouts. More information on this can be found at Using the $ZF Callout Interface.
- Analyzing the result. The implementation class must populate the following properties of the scan response:
  - ScanWasPerformed
  - FileIsClean
  - ScanMessage
IMPORTANT
InterSystems strongly suggests testing the implementation of the virus scanner before enabling the service for general use. Testing is documented in the class documentation and can be explored by looking at HS.Util.VirusScanner.HSWS.WebServicesClient.TestScan().
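The result-analysis step of PerformScan(), as an added illustration that is not InterSystems code and is written in Python rather than ObjectScript so that it runs stand-alone: it maps a command-line scanner's exit status onto the three response properties and reports every unexpected outcome as "no scan performed, not clean". ScanResponse, perform_scan() and fake_scanner() are hypothetical names, and the exit codes assumed are those documented for ClamAV's clamscan (0 clean, 1 infected, 2 error).

```python
import subprocess
import sys
from dataclasses import dataclass

# clamscan exit codes per its man page: 0 = no virus found, 1 = virus found,
# 2 = an error occurred. Other scanners differ; adjust for your product.
EXIT_CLEAN, EXIT_INFECTED = 0, 1


@dataclass
class ScanResponse:
    """Stand-in for the framework's scan response (assumed shape)."""
    ScanWasPerformed: bool = False   # fail closed: default is "no scan, not clean"
    FileIsClean: bool = False
    ScanMessage: str = ""


def perform_scan(scan_cmd, temp_file_name, timeout=60):
    """Run scan_cmd (an argv list) against temp_file_name and classify the result."""
    resp = ScanResponse()
    try:
        # argv list with no shell, so the file name is never parsed as shell syntax.
        proc = subprocess.run(scan_cmd + [temp_file_name], capture_output=True,
                              text=True, timeout=timeout)
    except FileNotFoundError:
        resp.ScanMessage = "scanner executable not found"
        return resp
    except subprocess.TimeoutExpired:
        resp.ScanMessage = f"scanner timed out after {timeout}s"
        return resp
    output = (proc.stdout or proc.stderr).strip()
    if proc.returncode == EXIT_CLEAN:
        resp.ScanWasPerformed, resp.FileIsClean = True, True
        resp.ScanMessage = output or "no threat found"
    elif proc.returncode == EXIT_INFECTED:
        resp.ScanWasPerformed = True
        resp.ScanMessage = output or "threat detected"
    else:
        # Scanner error or unknown code: report that no valid scan took place.
        resp.ScanMessage = f"scanner error (exit {proc.returncode}): {output}"
    return resp


def fake_scanner(exit_code, text):
    """Constructed stand-in for the anti-virus CLI so the example runs offline."""
    code = f"import sys; print({text!r}); sys.exit({exit_code})"
    return [sys.executable, "-c", code]
```

A caller should accept an upload only when both ScanWasPerformed and FileIsClean are true; a scanner that is missing, hung or erroring must never be read as a clean result.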
3. Enabling and Configuring the Virus Scanner
3.1. Creating the Virus Scanner Namespace
To create a virus scanner namespace, use the Personal Community Installer Wizard:
- Log in to the Management Portal.
- Run the HealthShare Installer Wizard:
  - On the Management Portal home page, select HealthShare. This displays the HealthShare Management Portal.
  - In the banner of the HealthShare Management Portal, select Installer Wizard.
- In the Installer Wizard, select Configure Personal Community. This displays the Configuration page for Personal Community.
- On this page, specify values for the following fields:
  - Local name — Required. The name of the virus scanning namespace for Personal Community. (Subsequent examples in this documentation refer to the VirusScanner namespace.)
  - Network Name — Required. The unique identifier for Personal Community on the network. The Installer Wizard populates this field with a string that is the network hostname, a colon, and the value of Local name, such as VirusScanner; you can, but are not required to, use this string.
  - Description — Optional. Any additional information about the local copy of the virus scanner.
  - Disabled — Whether or not the local copy of the virus scanner is available for use. This is enabled by default.
  - Production — Required. The name of the business production for Personal Community. The Installer Wizard populates this field with a string that combines the value of Local name and the string PKG:HSCOMMProduction, such as VirusScannerPKG:HSCOMMProduction; you are not required to use this string.
  - Template — Required. The template for the Personal Community production. Select the HSPortal.Production.SampleProduction.VirusScannerProduction template.
  - Alternate Database Location — Optional. The default location for the production database, IRIS.DAT, is installDir/mgr/localName. To specify a location for the database other than the default, enter the alternate location in the Alternate Database Location field. If you specify an absolute location, then that location will be created if it does not exist. Your database will be in alternateDatabaseLocation/localName. If you specify a relative location then the database will be created in installDir/mgr/hslib/alternateDatabaseLocation/localName.
  - Registration ID – Optional. A unique value that identifies this configuration. It will be generated automatically if you leave this field blank. If you wish to enter a specific value, you may enter it here. Once a configuration has been saved, this value cannot be changed.
  - Enter a Hub Host — Required. The name of the machine where the Unified Care Record Registry is located.
  - Enter a Hub Port — Required. The web server port number on which the Unified Care Record Registry accepts connections.
  - Enter a Hub Name — Required. The namespace of the Unified Care Record Registry, such as HSRegistry.
  - Connect to Hub Securely — Required if this is a production system. Optionally select it for a development or test system.
    - The web server on your Registry instance should be configured to only allow secure connections to the Registry.
    - You should have an SSL/TLS configuration on this instance that can communicate with the Unified Care Record Registry (see “Using SSL/TLS” in the “Setting Up Secure Communication in Unified Care Record” chapter of Securing Unified Care Record Instances). This SSL/TLS configuration should have the same name as the SSL/TLS configuration on the Unified Care Record Registry, as all instances in a federation share a single service registry, and the HSRegistry service registry identifies which SSL/TLS configuration to use.
    Once you select Connect to Hub Securely, enter the SSL/TLS configuration in the SSL Configuration field that appears. Now, the Hub endpoint URL will be created using “https” rather than “http”, and the identified SSL/TLS configuration will allow the Gateway to connect to the Unified Care Record Registry securely at initial startup.
  - Initial Hub End Point — Required. The web address for the HealthShare Registry. The Installer Wizard populates this field; you can, but are not required to, use the auto-populated string. The string is of the form:
    protocol://registry-host:registry-port/csp/healthshare/registry-name/services/HS.Hub.HSWS.WebServices.cls
    where the variable portions of the address are:
    - protocol — https or http, depending on whether you selected the Connect to Hub Securely option.
    - registry-host — The name of the machine where the Unified Care Record Registry is located.
    - registry-port — The port number on which the Unified Care Record Registry accepts connections.
    - registry-name — The namespace of the Unified Care Record Registry.
    For example, a Registry has an address such as:
    http://RegistryHost:57772/csp/healthshare/HSREGISTRY/services/HS.Hub.HSWS.WebServices.cls
- Select Save at the bottom of the page. Your configurations should now appear in the Defined Configurations table.
- In your configuration’s row of the Defined Configurations table, select Activate. This displays the Activate Configuration dialog.
- In the Activate Configuration dialog, select Start. This sets up the Personal Community namespaces, databases, and production mappings.
- When activation is completed, the dialog displays an Activation Done message. Select Close to dismiss the dialog.
This will create the virus scanner namespace, two SOAP services in the Unified Care Record Service Registry, and will also create certain necessary entries in the Unified Care Record Configuration Registry.
3.2. Configuring a Virus Scanner
3.2.1. Review the Unified Care Record Configuration Registry
Once you have set up your virus scanner namespace, there are a few additional settings that you may need to configure manually. All settings for the virus scanner are stored in the Unified Care Record Configuration Registry.
To access the Unified Care Record Configuration Registry:
- Log on to the Management Portal as a user with the %HS_Administrator role.
- Select HealthShare from the main menu.
- Select the Unified Care Record Registry.
- Navigate to Registry Management > Configuration Registry
The following Configuration Registry entries will have been created and should not need to be modified:
- \VirusScanner\ImplementationClass\{HSNetworkName} — Name of the class that implements the OS call out to the virus scanner.
- \VirusScanner\TempFileFolder\{HSNetworkName} — Path for where files are temporarily stored until they are scanned. This is a relative path from the installation directory and should not begin with a leading slash or backslash.
- \VirusScanner\ScanExe\{HSNetworkName} — The shell command for running the anti-virus executable.
  - It is important to note that ScanExe may only be needed for an implementation of ClamAV®.
- \VirusScanner\ServiceComponent — A comma-separated list of namespaces (specified by Network Name) in which virus scanners are permitted to run. The network name needs to be in this list before the namespace can be tested.
3.2.2. Configure the Service Registry Entry for the Virus Scanner Web Service
To communicate with the Virus Scanner Web Service, a Service Registry entry must be defined.
To access the Unified Care Record Service Registry:
- Navigate to Registry Management > Service Registry
- Restrict the available services to SOAP endpoints by selecting SOAP from the Service Type drop-down menu.
- Create a Service Registry entry for the virus scanner, as follows:
  - Click the Add Service button.
  - Enter the following values for the fields:
    - Name - Enter a name of your choice.
    - Service Type - Select SOAP.
    - Host - Enter the host name for the virus scanner web service.
    - Port - Enter the HTTP port for the virus scanner web service.
    - URL - Enter the full path to the virus scanner web service.
    - HTTPCredentialsConfig - Enter the name of the credentials object you created for this entry.
3.2.3. Create a Configuration Registry entry that points to the service:
This setting should only be specified after testing the virus scanner.
- Navigate to Registry Management > Configuration Registry
- Click the Add Value button
  - Key - \VirusScanner\ServiceName
  - Value - the name of the service registry entry from the previous step.
- Click Save.
3.2.4. Synchronize the Unified Care Record Registry to the Virus Scanner Instance
For these settings to be available on the virus scanner instance, they must be synchronized from the Unified Care Record Registry.
To synchronize the Unified Care Record Registry:
- Access the Terminal for the virus scanner instance
- Switch to the virus scanner namespace
- Run the following command:
set tSC=##class(%ZHSLIB.Services.Client).SyncConfiguration(,,,0)
Any time a change is made to the Unified Care Record Registry, the above method needs to be run again to sync it to the virus scanner namespace.
3.3. Enabling Virus Scanning in the Workbench
- Log into the Workbench as a user with the Configuration Manager role.
- Go to the Configuration Application page (Setup > Configuration Application) and select the Feature Control tab.
- Select Edit Mode to make edits to the fields described in the following steps.
- In the Patient Document Uploads box, select the Enable Virus Scanner checkbox.
- After you have finished, select Submit at the bottom of the page to save your changes.