...

shrine.aws.accessKeyId = "NODEAWSKEYID" //the node's AWS access key id - usually all capitals and numbers
shrine.aws.secretAccessKey = "nodeAwsSecretKey" //the node's AWS secret key - very long, mixed case letters and numbers

Share the User ID with the Hub Admin

In the IAM > User > Summary section, find the ARN for the tomcat user, which identifies your specific AWS account and IAM user identity. It will look something like this: arn:aws:iam::9876543210:user/yourHospital-Shrine .At the top level of the IAM console, far right column, find your account ID. It will be a long number.

Send both of these this to your hub admins so that they can add your node to the network. Neither It is not secret; , so sending them in the clear is fine.

Run shrineDownstream setMomUserPolicy

...

Download and unzip the shrineDownstream tool from TODO https://repo.open.catalyst.harvard.edu/nexus/content/groups/public/net/shrine/downstream-setup-tool/4.1.0/downstream-setup-tool-4.1.0-dist.zip

Create an access key and secret for your admin user - not the tomcat user - as described in https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html .

...

shrine.aws.accessKeyId = "NODEAWSKEYIDNODEADMINAWSKEYID" //the node's AWS access key id - usually all capitals and numbers
shrine.aws.secretAccessKey = "nodeAwsSecretKeynodeAdminAwsSecretKey" //the node's AWS secret key - very long, mixed case letters and numbers

...

./shrineDownstream setMomUserPolicy yourHospital-Shrine hubQueueArn="arn:aws:sqs:us-east-1:1234567890:network-hub" nodeQueueArn="arn:aws:sqs:us-east-1:1234567890:best-hospital"

That will set the policy policies for your tomcat user to something like:

...

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "MayReceiveShrine",
            "Effect": "Allow",
            "Action": [
                "SQS:ChangeMessageVisibility",
                "SQS:DeleteMessage",
                "SQS:ReceiveMessage",
                "SQS:GetQueueUrl"
            ],
            "Resource": "arn:aws:sqs:us-east-1

...

:1234567890:network-hub"
        }
    ]
}

and

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "MaySendShrine",
            "Effect": "Allow",
            "Action": [
                "sqs:GetQueueUrl",
                "sqs:SendMessage"
            ],
            "Resource": "arn:aws:sqs:us-east-1

...

:1234567890:best-hospital"
        }
    ]
}

Configure For Kafka

Receive a Kafka User Name and Password

The hub admin will create an account on the Kafka server for your node, and send you the user name and password via a secure channel.

Add the user name to your shrine.conf:

shrine {
...
  kafka {
    sasl.jaas.username = "yourKafkaUserName"
  }
...
}//shrine

Add the password to your password.conf:

shrine.kafka.sasl.jaas.password = "yourKafkaUserPassword"

Create a Kafka client certificate truststore

In order to secure traffic through the internet with TLS/SSL, Kafka requires clients to authenticate servers via public key infrastructure (PKI). Each client needs a client truststore, in PKCS12 format, containing a list of individual server certificates signed by a Certificate Authority (CA), or alternatively the CA's cert itself.  Ask the hub admin for the certificate(s), and import them each with Java keytool:

keytool -keystore kafka_client_truststore.pkcs12 -alias <name of cert> -import -file <certificate-file>

This will create the truststore file if it does not exist. You will be prompted for a password, despite the trustore containing no secret material since certificates are public.

Add the truststore's location and password to the same two sections as your Kafka user credentials:

shrine {
...
  kafka {
  ...
    ssl.truststore.location = "/path/to/your/kafka_client_truststore.pkcs12"
  }
...
}}//shrine

shrine.kafka.ssl.truststore.password = "yourClientTruststorePassword"

...

Configure For Kafka

...