
Post-Deployment Tasks

This page describes the final setup tasks you must complete before you can begin using your new InterSystems® Healthcare Action Engine deployment to develop and serve synchronous CDS Hooks notification services.

Configure Authorization for Client Applications

The Healthcare Action Engine requires that all CDS Hooks requests from client applications include bearer tokens from an authorization server as prescribed by the CDS Hooks specification (see https://cds-hooks.hl7.org/2.0/#trusting-cds-clients). Before you deploy the Healthcare Action Engine, your client application must have access to an OAuth 2.0 server which can perform this function.

Note:

If you want to use a HealthShare Unified Care Record instance’s OAuth 2.0 server to perform this function, ensure that the instance’s HealthShare OAuth 2.0 server is set up and then follow the instructions described in Customize a HealthShare OAuth 2.0 Server.

For each client application, you must ensure that the following conditions are met:

  • In the Settings tab of the Healthcare Action Engine configuration page you must add the issuer endpoint for the client application’s authorization server to the CDS Hooks Allow List as a trusted iss URI.

  • HAE must have access to the public key set which contains the client application’s public key (or keys). This can be accomplished in one of two ways:

    • Recommended: the authorization server can provide the URL for the JWK Set containing the client application’s public keys in the bearer token’s jku header. If this is the case, you must add this URL to the Healthcare Action Engine’s CDS Hooks Allow List as a trusted jku URI.

    • If the authorization server does not use a jku header, you can implement a custom GetPublicKeySet method which allows HAE to retrieve the client application’s public key set.
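The following added example (not InterSystems code, and not how HAE is implemented internally) illustrates the trust decision these conditions describe: the `iss` claim and `jku` header are read from the still-unverified token and compared by exact match against the allow lists before any key set is retrieved. The allow-list values, function names and sample tokens are constructed for the illustration.

```python
import base64
import json

# Constructed allow lists; in HAE these entries live in the CDS Hooks Allow List.
TRUSTED_ISS = {"https://auth.example.org"}
TRUSTED_JKU = {"https://auth.example.org/.well-known/jwks.json"}


def _b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    value = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(value, dict):
        raise ValueError("segment is not a JSON object")
    return value


def key_source_for(token):
    """Return ('jku', url) or ('custom', iss); raise ValueError if untrusted.

    Header and claims are sender-controlled until the signature verifies,
    so they are only compared against the allow lists, never followed blindly.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    try:
        header, claims = _b64url_json(parts[0]), _b64url_json(parts[1])
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise ValueError("malformed token segment") from exc
    iss = claims.get("iss")
    # Exact string match only: no prefix, substring or hostname-suffix tests.
    if not isinstance(iss, str) or iss not in TRUSTED_ISS:
        raise ValueError("untrusted iss")
    jku = header.get("jku")
    if jku is None:
        return ("custom", iss)  # keys must come from a local lookup instead
    if not isinstance(jku, str) or jku not in TRUSTED_JKU:
        raise ValueError("untrusted jku")
    return ("jku", jku)


def make_token(header, claims):
    """Build a constructed sample token with a placeholder signature."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}.c2ln"
```

The `('custom', iss)` result corresponds to the case where no `jku` header is present and the key set has to come from a custom GetPublicKeySet method.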

Optional: Implement a Custom GetPublicKeySet Method to Return the Public Key Set

If your authorization server does not include a jku header in its bearer tokens, you must create a custom GetPublicKeySet method which returns the set of public keys for your authorization system. When no jku is available, the Healthcare Action Engine invokes this method to acquire the public keys needed to validate your client.

To do so:

  1. In your Healthcare Action Engine namespace, open the HS.Local.EDS.CDSHooks.Server class using a supported IDE.

  2. Create the GetPublicKeySet method, with the following method signature:

     ClassMethod GetPublicKeySet(
         pTokenHeader As %DynamicObject,
         pTokenBody As %DynamicObject,
         Output pJWKS As %String) As %Status
     {}

     This method should return the public key set as a string in the pJWKS parameter. The logic it uses to do so is specific to your implementation.

  3. Compile the subclass.

Create a Healthcare Action Engine User

You must create one or more users with the privileges required to use the Healthcare Action Engine. The relevant roles are outlined below:

  • %HSEDS_CDSHooks — Grants privileges needed to invoke the CDS Hooks endpoints.

  • %HSEDS_ClientConfig — Grants privileges needed to use the Client Configuration UI and REST API.

  • %HSEDS_RulesDeveloper — Grants privileges needed to access and use the Rule Editor.
