Warning: If you are creating a hub, use hub-and-qep-shrine.conf and skip to SHRINE 4.4.0 Chapter 8.2 - Configuring a Hub.
In this guide we will refer to this file often, and we will go into more detail on configuring it in the later chapters. Here is the example shrine.conf file from shrine-setup.zip. You will need to customize it for your own node on your network. In the example below, the first four lines in the shrine section define values for parameters that are used throughout the configuration file.
...
Warning: Choose a custom value for your domain parameter that clearly identifies your institution. Do not leave it at its default value.
Configure For AWS SQS
Create an AWS Account
Create an AWS account if you do not already have one. See https://aws.amazon.com/premiumsupport/knowledge-center/create-and-activate-aws-account/
Create an AWS user for Your SHRINE Node
Create a user for your SHRINE node's tomcat in the AWS console. Give it a name that will be distinct both within your institution and across this SHRINE network.
...
Do not make it a member of a group, copy permissions, or attach permissions. You will configure the permissions tomcat needs to use AWS SQS in a moment.
Create an Access Key and Configure password.conf
Create an access key and secret for the tomcat user - not the admin user - as described in https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html .
...
```hocon
shrine.aws.accessKeyId = "NODEAWSKEYID"          // the node's AWS access key id - usually all capitals and numbers
shrine.aws.secretAccessKey = "nodeAwsSecretKey"  // the node's AWS secret key - very long, mixed case letters and numbers
```
Share the User ID with the Hub Admin
In the IAM > User > Summary section, find the ARN for the tomcat user, which identifies your specific AWS account and IAM user identity. It will look something like this: arn:aws:iam::9876543210:user/yourHospital-Shrine.
Send this to your hub admins so that they can add your node to the network. It is not secret, so sending in the clear is fine.
Run shrineDownstream setMomUserPolicy
The hub admins will reply with two ARNs: one for the hub's inbound AWS SQS queue, and one for your node's inbound AWS SQS queue.
Download and unzip the shrineDownstream tool from https://repo.open.catalyst.harvard.edu/nexus/content/groups/public/net/shrine/downstream-setup-tool/4.24.0-RC1/downstream-setup-tool-4.24.0-RC1-dist.zip
Create an access key and secret for your admin user - not the tomcat user - as described in https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html .
...
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "MaySendShrine",
      "Effect": "Allow",
      "Action": [
        "sqs:GetQueueUrl",
        "sqs:SendMessage"
      ],
      "Resource": "arn:aws:sqs:us-east-1:1234567890:best-hospital"
    }
  ]
}
```
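The policy above is deliberately narrow: one Allow statement, two SQS actions, one queue ARN. The following script is an added example (not part of the SHRINE project or the shrineDownstream tool) that checks a policy document against the queue ARNs the hub admin sent you and reports anything broader, such as a wildcard action or a resource that is not one of those queues. The embedded policy is a constructed copy of the one shown on this page; the queue ARN in it is a sample value.

```python
"""Check that a SHRINE node's SQS policy stays least-privilege.

Added example, not SHRINE project code. It reads an IAM policy document like
the one shrineDownstream setMomUserPolicy attaches to the tomcat user and
confirms it only allows sending to the queues the hub admin named.
"""
import json

# The only SQS actions a node needs in order to send messages to a queue.
ALLOWED_ACTIONS = {"sqs:GetQueueUrl", "sqs:SendMessage"}

# Constructed sample: a copy of the policy shown on this page.
SAMPLE_POLICY = """
{ "Version": "2012-10-17",
  "Statement": [ { "Sid": "MaySendShrine", "Effect": "Allow",
                   "Action": [ "sqs:GetQueueUrl", "sqs:SendMessage" ],
                   "Resource": "arn:aws:sqs:us-east-1:1234567890:best-hospital" } ] }
"""
SAMPLE_QUEUES = {"arn:aws:sqs:us-east-1:1234567890:best-hospital"}


def _as_list(value):
    """IAM accepts a string or a list for Action and Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def policy_findings(policy_json, expected_queue_arns):
    """Return a list of problems; an empty list means the policy is acceptable.

    expected_queue_arns: the queue ARNs the hub admin gave you (the hub's
    inbound queue and your node's inbound queue). Anything broader is reported.
    """
    policy = json.loads(policy_json)
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("unexpected policy Version %r" % policy.get("Version"))
    for stmt in _as_list(policy.get("Statement")):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            findings.append("%s: Effect is %r, expected Allow" % (sid, stmt.get("Effect")))
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append("%s: NotAction/NotResource grant everything except a list" % sid)
        for action in _as_list(stmt.get("Action")):
            if "*" in action:
                findings.append("%s: wildcard action %r" % (sid, action))
            elif action not in ALLOWED_ACTIONS:
                findings.append("%s: action %r is not needed to send to a queue" % (sid, action))
        for resource in _as_list(stmt.get("Resource")):
            if "*" in resource:
                findings.append("%s: wildcard resource %r" % (sid, resource))
            elif resource not in expected_queue_arns:
                findings.append("%s: resource %r is not a queue the hub admin gave you" % (sid, resource))
    return findings


if __name__ == "__main__":
    for problem in policy_findings(SAMPLE_POLICY, SAMPLE_QUEUES) or ["policy is least-privilege"]:
        print(problem)
```

Run it against the policy JSON you see attached to the tomcat user in the IAM console after shrineDownstream setMomUserPolicy, with the two ARNs from the hub admin as the expected set; any finding is worth a question to the hub admin before the node goes live.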
Configure For Kafka
Receive a Kafka User Name and Password
The hub admin will create an account on the Kafka server for your node, and send you the user name and password via a secure channel.
...
```hocon
shrine.kafka.sasl.jaas.password = "yourKafkaUserPassword"
```
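Both the AWS key lines and the Kafka password line above ship with placeholder values that must be replaced, and password.conf then holds real credentials that only the tomcat user should be able to read. The script below is an added example (not SHRINE project code) that parses the flat `key = "value"` lines shown on this page, flags any credential still set to one of the page's placeholders, and checks that the file is not group- or world-readable. The sample file content is constructed from the two code blocks above.

```python
"""Sanity-check the credentials in a SHRINE node's password.conf.

Added example, not SHRINE project code. It handles only the flat
`key = "value"  // comment` lines shown on this page, not full HOCON.
"""
import os
import re
import stat
import tempfile

# Placeholder values from the example files; they must be replaced before use.
PLACEHOLDERS = {"NODEAWSKEYID", "nodeAwsSecretKey", "yourKafkaUserPassword"}

# Keys that carry credentials; a node sets the ones for the transport it uses.
SECRET_KEYS = {
    "shrine.aws.accessKeyId",
    "shrine.aws.secretAccessKey",
    "shrine.kafka.sasl.jaas.password",
}

# One `key = "value"` assignment; an optional trailing // comment is ignored.
LINE_RE = re.compile(r'^\s*([A-Za-z0-9_.]+)\s*=\s*"([^"]*)"\s*(//.*)?$')

# Constructed sample with the placeholders from this page still in place.
SAMPLE_PASSWORD_CONF = """
shrine.aws.accessKeyId = "NODEAWSKEYID"          // the node's AWS access key id
shrine.aws.secretAccessKey = "nodeAwsSecretKey"  // the node's AWS secret key
shrine.kafka.sasl.jaas.password = "yourKafkaUserPassword"
"""


def parse_simple_conf(text):
    """Return {key: value} for flat quoted assignments; blank and comment lines are skipped."""
    values = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("//", "#")):
            continue
        match = LINE_RE.match(line)
        if match:
            values[match.group(1)] = match.group(2)
    return values


def find_problems(values):
    """List credential keys that are empty or still hold a placeholder value."""
    problems = []
    for key in sorted(SECRET_KEYS):
        if key not in values:
            continue  # that transport is not configured on this node
        value = values[key]
        if not value:
            problems.append("%s is empty" % key)
        elif value in PLACEHOLDERS:
            problems.append("%s still has the placeholder value %r" % (key, value))
    # The AWS key id and secret only make sense as a pair.
    aws = {"shrine.aws.accessKeyId", "shrine.aws.secretAccessKey"}
    if len(aws & set(values)) == 1:
        problems.append("only one of the two shrine.aws credentials is set")
    return problems


def file_mode_problems(path):
    """Report if anyone other than the file owner can read the secrets file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return ["%s is readable by group/other (mode %o); chmod 600 it" % (path, mode)]
    return []


def demo_file_mode_check():
    """Write a temp file at mode 644, then 600, and return the findings for each."""
    with tempfile.NamedTemporaryFile("w", delete=False) as handle:
        handle.write(SAMPLE_PASSWORD_CONF)
        path = handle.name
    try:
        os.chmod(path, 0o644)
        loose = file_mode_problems(path)
        os.chmod(path, 0o600)
        tight = file_mode_problems(path)
    finally:
        os.unlink(path)
    return loose, tight


if __name__ == "__main__":
    for problem in find_problems(parse_simple_conf(SAMPLE_PASSWORD_CONF)):
        print(problem)
    print(demo_file_mode_check())
```

Point it at the real password.conf (`parse_simple_conf(open(path).read())` plus `file_mode_problems(path)`) before starting tomcat; a placeholder that slips through is only caught when the first message to the hub fails.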
Create a Kafka client certificate truststore
To secure traffic over the internet with TLS/SSL, Kafka requires clients to authenticate the servers via public key infrastructure (PKI). Each client needs a client truststore in PKCS12 format containing either the individual server certificates signed by a Certificate Authority (CA) or the CA's certificate itself. Ask the hub admin for the certificate(s), and import each one with Java keytool:
...
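As an added example (not the page's own keytool command, which is left to the reader above), the script below drives keytool from Python to import each certificate the hub admin sent into a PKCS12 truststore and then confirms every alias actually landed by parsing `keytool -list` output. The flags used, the alias-from-filename rule and the truststore file name are this example's choices; it needs a JDK `keytool` on PATH to build a real truststore, while the argument builders and the listing parser run without one.

```python
"""Build and verify the Kafka client truststore with Java keytool.

Added example, not SHRINE project code. Certificates from the hub admin are
imported one by one as trusted entries, then the truststore is listed and
each expected alias is checked. keytool flags are this example's choice.
"""
import os
import subprocess
import sys


def import_cert_args(truststore, alias, cert_path, password):
    """keytool argv that adds one CA or server certificate to a PKCS12 truststore."""
    return [
        "keytool", "-importcert", "-noprompt", "-trustcacerts",
        "-keystore", truststore, "-storetype", "PKCS12", "-storepass", password,
        "-alias", alias, "-file", cert_path,
    ]


def list_args(truststore, password):
    """keytool argv that lists the entries of the truststore."""
    return ["keytool", "-list", "-keystore", truststore,
            "-storetype", "PKCS12", "-storepass", password]


def alias_for(cert_path):
    """Alias derived from the file name (keytool stores aliases in lower case)."""
    return os.path.splitext(os.path.basename(cert_path))[0].lower()


def aliases_in_listing(listing):
    """Parse `keytool -list` output into the set of trusted-certificate aliases.

    Each entry line looks like `hub-ca, Jan 1, 2024, trustedCertEntry,` and is
    followed by a fingerprint line, which is skipped.
    """
    aliases = set()
    for line in listing.splitlines():
        if "trustedCertEntry" in line:
            aliases.add(line.split(",", 1)[0].strip())
    return aliases


def build_truststore(truststore, cert_paths, password):
    """Import every certificate, then verify the listing; raises on any missing alias."""
    for cert in cert_paths:
        subprocess.run(import_cert_args(truststore, alias_for(cert), cert, password), check=True)
    listing = subprocess.run(list_args(truststore, password), check=True,
                             capture_output=True, text=True).stdout
    missing = {alias_for(c) for c in cert_paths} - aliases_in_listing(listing)
    if missing:
        raise RuntimeError("aliases missing from %s: %s" % (truststore, sorted(missing)))
    return truststore


if __name__ == "__main__":
    # Usage: python build_truststore.py kafka-truststore.p12 <storepass> cert1.pem [cert2.pem ...]
    build_truststore(sys.argv[1], sys.argv[3:], sys.argv[2])
```

The truststore holds only public certificates, so its password protects the file's integrity rather than a secret, but the verification step matters: a certificate that failed to import (wrong format, duplicate alias) would otherwise surface only as a TLS handshake failure when tomcat first connects to Kafka.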