This test profile deploys 3 MedCo nodes on a single machine for test purposes. It can be used either on your local machine, or any other machine to which you have access. The version of the docker images used are the latest released versions. This profile is for example used for the MedCo public demo.

MedCo Stack Deployment

First step is to get the MedCo latest release and download the docker images. Adapt ${MEDCO_SETUP_DIR} to where you wish to install MedCo.

export MEDCO_SETUP_DIR=~/medco MEDCO_SETUP_VER=v3.0.0
git clone --depth 1 --branch ${MEDCO_SETUP_VER} https://github.com/ldsec/medco.git ${MEDCO_SETUP_DIR}
cd "${MEDCO_SETUP_DIR}/deployments/test-local-3nodes"
make pull

The default configuration of the deployment is suitable if the stack is deployed on your local host, and if you do not need to modify the default passwords. To change the default passwords check out this page. For the other settings, check out the following example of modifying the file ${MEDCO_SETUP_DIR}/deployments/test-local-3nodes/.env to reflect your configuration. For example:

MEDCO_NODE_HOST=medco-demo.epfl.ch
MEDCO_NODE_HTTP_SCHEME=https

MEDCO_NODE_HOST should be the fully qualified domain name of the host, MEDCO_NODE_HTTP_SCHEME should be http or https.

Final step is to run the nodes, all three will run simultaneously:

cd "${MEDCO_SETUP_DIR}/deployments/test-local-3nodes"
make up

Wait some time for the initialization of the containers to be done (up to the message: “i2b2-medco-srv… - Started x of y services (z services are lazy, passive or on-demand)”), this can take up to 10 minutes. For the subsequent runs, the startup will be faster. In order to stop the containers, hit Ctrl+C in the active window.

Keycloak Configuration

Follow the instructions for configuring the MedCo OpenID Connect client in Keycloak to be able to login in Glowing Bear.

Test the deployment

In order to test that the local test deployment of MedCo is working, access Glowing Bear in your web browser at http(s)://${MEDCO_NODE_HOST} and use the default credentials specified in Keycloak user management. If you are new to Glowing Bear you can watch the Glowing Bear user interface walkthrough video. You can also use the CLI client to perform tests.

By default MedCo loads a specific test data, refer to Description of the default test data for expected results to queries. To load a dataset, follow the guide Loading Data. To load some additional test data by performing a simple data loading you can execute the following:

make load_test_data

This set of pages provide configuration instructions for MedCo. Note that all of them are not necessarily always needed, follow one of the deployment instructions to know which ones are.

Each deployment scenario corresponds to a deployment profile, as described below. All these instructions use the deployment scripts from the medco repository.

If you are new to MedCo…

… and want to try to deploy the system on a single machine to test it, you should should follow the Local Test Deployment guide.

… and want to create or join a MedCo network, you should follow the Network Deployment guide.

… and want to develop around MedCo, you should follow the Local Development Deployment guide.

Deployment Profiles

A deployment profile is composed of two things:

• deployment files medco/deployments/<profile name>/: docker-compose file and parameters like ports to expose, log level, etc.

• configuration files medco/deployments/<profile name>/configuration/: files mounted in the docker containers, containing the cryptographic keys, the certificates, etc.

Some profiles are provided by default, for development or testing purposes. Those should not be used in a production scenario with real data, as the private keys are set by default, thus not private. Other types of profiles must generated using the script in medco/scripts/network-profile-tool/.

The different profiles are the following:

test-local-3nodes (Local Test Deployment)

• for test on a single machine (used by the MedCo live demo)

• 3 nodes on any host

• using the latest release of the source codes

• no debug logging

• profile pre-generated

network (Network Deployment)

• for test or production deployment on several different hosts

• a single node on a host part of a MedCo network

• using the latest release of the source codes

• no debug logging

• profile must be generated prior to use with the provided scripts

dev-local-3nodes (Local Development Deployment)

• for software development

• 3 nodes on the local host

• using development version of source codes

• debug logging enabled

• profile pre-generated

You will find below the documentation for each authorization available in MedCo. Follow this section to know how to modify those authorizations for your users.

Authorizations

REST API Authorizations

Those authorizations allow the user to interact with API endpoints of the MedCo connector.

medco-network

This covers the calls related to the network metadata: list of nodes, keys, URLs, etc.

medco-explore

This covers the calls related to the building and requesting of explore queries and cohort saving. Note that an additional authorization among the explore query authorizations is needed to be able to make explore queries.

medco-genomic-annotations

This covers the genomic annotations auto-completion and the querying of genomic variants.

medco-survival-analysis

This covers the calls needed for requesting computations of survival curves.

Explore Query Authorizations

Those authorizations set the types of result users will be able to get when making an explore query.

1. patient_list: exact counts and list of patient identifiers from all sites

2. count_per_site: exact counts from all sites

3. count_per_site_obfuscated: obfuscated counts from all sites

4. count_per_site_shuffled: exact counts from all sites, but without knowing which count came from which site

5. count_per_site_shuffled_obfuscated: obfuscated counts from all sites, but without knowing which count came from which site

6. count_global: exact aggregated global count

7. count_global_obfuscated: obfuscated (at the site level) aggregated global count

This profile deploys an arbitrary set of MedCo nodes independently in different machines that together form a MedCo network. This deployment assumes each node is deployed in a single dedicated machine. All the machines have to be reachable between each other. Nodes should agree on a network name and individual indexes beforehand (to be assigned a unique ID).

Pre-requisites

First step is to get the MedCo Deployment latest release at each node. Adapt ${MEDCO_SETUP_DIR} to where you wish to install MedCo.

export MEDCO_SETUP_DIR=~/medco MEDCO_SETUP_VER=v3.0.0
git clone --depth 1 --branch ${MEDCO_SETUP_VER} https://github.com/ldsec/medco.git ${MEDCO_SETUP_DIR}

Generation of the deployment Profile

Next the compose and configuration profiles must be generated using a script, executed in two steps.

• Step 1: each node generates its keys and certificates, and shares its public information with the other nodes

• Step 2: each node collects the public keys and certificates of the all the other nodes

Step 1

For step 1, the network name ${MEDCO_SETUP_NETWORK_NAME} should be common to all the nodes. ${MEDCO_SETUP_NODE_DNS_NAME} corresponds to the machine domain name where the node is being deployed. As mentioned before the different parties should have agreed beforehand on the members of the network, and assigned an index ${MEDCO_SETUP_NODE_IDX} to each different node to construct its UID (starting from 0, to n-1, n being the total number of nodes).

$ bash step1.sh MANDATORY [OPTIONAL]
MANDATORY:
  -nn,   --network_name  VAL  Network name (e.g. test-network-deployment)
  -ni,   --node_index    VAL  Node index (e.g. 0, 1, 2)
  -dns,  --node_dns_name VAL  Server dns name

OPTIONAL:
  -pk,   --public_key    VAL  Unlynx node public key
  -sk,   --secret_key    VAL  Unlynx node private key
  -crt,  --certificate   VAL  Filepath to certificate (*.crt)
  -k,    --key           VAL  Filepath to certificate key (*.key)
  -h,    --help 

export MEDCO_SETUP_NETWORK_NAME=example \
    MEDCO_SETUP_NODE_IDX=0 \
    MEDCO_SETUP_NODE_DNS_NAME=medconode0.example.com
cd "${MEDCO_SETUP_DIR}/scripts/network-profile-tool"
bash step1.sh -nn ${MEDCO_SETUP_NETWORK_NAME} -ni ${MEDCO_SETUP_NODE_IDX} -dns ${MEDCO_SETUP_NODE_DNS_NAME}

This script will generate the compose profile and part of the configuration profile, including a file srv${MEDCO_SETUP_NODE_IDX}-public.tar.gz. This file should be shared with the other nodes, and all of them need to place it in their configuration profile folder (${MEDCO_SETUP_DIR}/deployments/test-network-${MEDCO_SETUP_NETWORK_NAME}-node${MEDCO_SETUP_NODE_IDX}/configuration).

Step 2

Once all nodes have shared their srv${MEDCO_SETUP_NODE_IDX}-public.tar.gz file with all other nodes, step 2 can be executed:

$ bash step2.sh MANDATORY [OPTIONAL]
MANDATORY:
  -nn,   --network_name  VAL  Network name (e.g. test-network-deployment)
  -ni,   --node_index    VAL  Node index (e.g. 0, 1, 2)
OPTIONAL:
  -s,    --secrets       VAL  Secret0,Secret1,...
  -h,    --help

cd "${MEDCO_SETUP_DIR}/scripts/network-profile-tool"
bash step2.sh -nn ${MEDCO_SETUP_NETWORK_NAME} -ni ${MEDCO_SETUP_NODE_IDX}

At this point, it is possible to edit the default configuration generated in ${MEDCO_SETUP_DIR}/deployments/test-network-${MEDCO_SETUP_NETWORK_NAME}-node${MEDCO_SETUP_NODE_IDX}/.env This is needed in order to modify the default passwords. When editing this file, be careful to change only the passwords and not the other values.

The deployment profile is now ready to be used.

MedCo Stack Deployment

Next step is to download the docker images and run the node:

cd "${MEDCO_SETUP_DIR}/deployments/test-network-${MEDCO_SETUP_NETWORK_NAME}-node${MEDCO_SETUP_NODE_IDX}"
make pull
make up

Wait some time for the initialization of the containers to be done, this can take up to 10 minutes. For the subsequent runs, the startup will be faster. You can use make stop to stop the containers and make down to delete them.

Keycloak Configuration

You will need to follow two sets of instruction to make Keycloak functional and be able to log in. Access the Keycloak administration interface and then:

• Update the MedCo OIDC client

• Update the Keycloak realm keys

Test the deployment

Run first the MedCo loader (see Loading Data) to load some data and be able to test this deployment. Or to load some test data by performing a simple data loading you can execute the following:

make load_test_data

Then access Glowing Bear in your web browser at https://${MEDCO_SETUP_NODE_DNS_NAME} and use the default credentials specified in Keycloak user management. If you are new to Glowing Bear you can watch the Glowing Bear user interface walkthrough video. You can also use the CLI client to perform tests.

Passwords Configuration

In each compose profile you will find a .env file containing configuration options. Among them are the passwords to be set. Note that most of those passwords configured that way will only work on a fresh database. Example:

POSTGRES_PASSWORD=postgres_password
PGADMIN_PASSWORD=pgadmin_password
KEYCLOAK_PASSWORD=keycloak_password
I2B2_WILDFLY_PASSWORD=i2b2_wildfly_password
I2B2_SERVICE_PASSWORD=i2b2_service_password
I2B2_USER_PASSWORD=i2b2_user_password

PostgreSQL administration user

POSTGRES_PASSWORD configures the password for the postgres administration user of the PostgreSQL database.

PgAdmin user

PGADMIN_PASSWORD configures the password for the admin user of the PgAdmin web interface. Note that it is necessary to set it only if your deployment profile deploys this tool.

Keycloak administration user

KEYCLOAK_PASSWORD configures the password for the keycloak administration user of the default master realm of Keycloak.

I2b2 Wildfly administration user

I2B2_WILDFLY_PASSWORD configures the password for the admin user of the wildfly instance hosting i2b2.

I2b2 service user

I2B2_SERVICE_PASSWORD configures the password for the AGG_SERVICE_ACCOUNT user of i2b2, used to operate background automated tasks by the i2b2 services.

I2b2 default user

I2B2_USER_PASSWORD configures the password for the default i2b2 and demo users used by MedCo.

Here follows some MedCo-specific instructions for the administration of Keycloak. For anything else, please refer to the Keycloak Server Administration Guide. Those instructions do not necessarily need to be all followed for all deployments, refer to the deployment guide to know which ones are important.

Accessing the web administration interface

You can access the Keycloak administration interface at http(s)://<node domain name>/auth/admin. For example if MedCo is deployed on your local host, you can access it at http://localhost/auth/admin. Use the admin default credentials if you had just deployed MedCo.

User Management

Default users

The default configuration shipped with the MedCo deployments come with several users.

Admin user

The default admin credentials has all the admin access to Keycloak, but no access rights to MedCo. Its credentials are :

• User keycloak

• Password keycloak (unless configured otherwise through the .env file)

Test users

They all have the password test and have different authorizations that are obvious from their names.

• User test: this user has all the authorizations to run all types of MedCo explore queries. it will default to the highest authorization being patient_list.

• User test_explore_count_global

• User test_explore_count_global_obfuscated

• User test_explore_count_per_site

• User test_explore_count_per_site_obfuscated

• User test_explore_count_per_site_shuffled

• User test_explore_count_per_site_shuffled_obfuscated

• User test_explore_patient_list

Add a user

• Go to the configuration panel Users, click on Add user.

• Fill the Username field, toggle to ON the Email Verified button and click Save.

• In the next window, click on Credentials, enter twice the user’s password, toggle to OFF the Temporary button if desired and click Reset Password.

Give query permissions to a user

• Go to the configuration panel Users, search for the user you want to give authorization to and click on Edit.

• Go to the Role Mappings tab, and select medco (or another client ID set up for the MedCo OIDC client) in the Client Roles.

• Add the roles you wish to give the user, each of the roles maps to a query type.

MedCo Default Settings

medco OpenID Connect client

The default Keycloak configuration provides an example of a fully working configuration for deployments on your local host. In other cases, you will need to modify this configuration.

Access the configuration panel of the MedCo client by going to the Clients tab, and click on the medco client. Then, in the Settings tab, fill Valid Redirect URIs to reflect the following table (you can delete the existing entries):

In the same tab, fill Web Origins with + and save.

Securing a production deployment

Changing default passwords

Both keycloak and test users comes with default passwords. For a production deployment they need to be changed:

• Go to the configuration panel Users, click on View all users.

• For each of the users you want to change the password of:

  • Click on Edit, then go the Credentials tab.

  • Enter the new password of the user

  • Optionally toggle to OFF the Temporary button; if ON the user at the next login will need to update his password.

  • Click on Reset Password.

Changing default realm keys

The example configuration comes with default keys. They have to be changed for a network deployment where there are several Keycloak instances.

• Go to the configuration panel Realm Settings, then to the Keys tab and Providers subtab.

• Click on Add keystore... and add the three following providers:

  • aes-generated

    • Console Display Name: aes-medco

    • Priority: 100

  • hmac-generated

    • Console Display Name: hmac-medco

    • Priority: 100

• • rsa-generated

    • Console Display Name: rsa-medco

    • Priority: 100

• Finally, delete all the other key providers listed that you did not just add. They should be named xxx-generated. Note that it is normal if you get logged out during the operation, just log back in and continue the process.

Enabling brute force detection

• Go to the configuration panel Realm Settings, then to the Security Defenses tab and Brute Force Detection subtab.

• Toggle to ON the Enabled button.

• Fill the following:

  • Max Login Failures: 3

  • Wait Increment: 30 Seconds

  • Save the configuration.

HTTPS is supported for the profiles test-local-3nodes and test-network.

Certificate

The certificates are held in the configuration profile folder (e.g, ${MEDCO_SETUP_DIR}/deployments/test-local-3nodes/configuration):

• certificate.key: private key

• certificate.crt: certificate of own node

• srv0-certificate.crt, srv1-certificate.crt, …: certificates of all nodes of the network

Enable HTTPS for the Local Local Deployment

To enable HTTPS for the profile test-local-3nodes, replace the files certificate.key and certificate.crt from the configuration profile folder with your own versions. Such a certificate can be obtained for example through .

Then edit the file .env from the compose profile, replace the http with https, and restart the deployment.

Configure HTTPS for the Network Deployment

For this profile, HTTPS is mandatory. The profile generation script generates and uses default self-signed certificates for each node. Those are perfectly fine to be used, but because they are self-signed, an HTTPS warning will be displayed to users in their browser when accessing one of the Glowing Bear instance.

There is currently only one way of avoiding this warning: configuring the browsers of your users to trust this certificate. This procedure is specific to the browsers and operating systems used at your site.

Prerequisites

• A MedCo network is up and running, with one or more functional Keycloak within the network.

• One or several identity provider(s) part of the SwitchAAI federation is/are chosen to be used as user source.

• The institution at which the Keycloak of MedCo is deployed is ready to accept being registered as the home organization.

• You have access to the .

Configure the identity provider(s) in Keycloak

The following instructions are to be executed on the administration UI of Keycloak, e.g. https://medco-demo.epfl.ch/auth/admin.

Configure the first login flow

The behavior of Keycloak during the very first login of users through the identity provider is highly customisable. We propose below an example of a working flow but this can be changed to fit your need.

• Navigate to Authentication > Flows, select First Broker Login and make a Copy of it. Name it for example SwitchAAI-Test Demo IdP First Broker Login.

• Change the list of executions to make it look like the following image.

Add the identity provider

• In the Identity Providers menu, choose Add provider... > SAML v2.0

• Specify an Alias. Note this will not be changeable later without redoing the whole process. Example: SwitchAAI-Test.

• Specify a Display Name, which will be displayed to the user in the login page. Example: SwitchAAI-Test Demo IdP.

• Specify the Single Sign-On Service URL of the identity provider you are linking with. Example: https://aai-demo-idp.switch.ch/idp/profile/SAML2/POST/SSO.

• Specify the First Login Flow previously configured to use. Example: SwitchAAI-Test Demo IdP First Broker Login.

• Toggle to ON the following buttons:

  • Enabled

  • Trust Email

  • HTTP-POST Binding Response

  • HTTP-POST Binding for AuthnRequest

  • Validate Signature

• Specify the NameID Policy Format as Persistent.

• Add the certificate(s) (PEM format, separated by commas if there are several of them) of the identity provider you are linking with in Validating X509 Certificates.

• Save the changes.

Add the username mapper

We need to import a unique but intelligible username in Keycloak from the identity provider. For this we use the SwitchAAI mandatory attribute swissEduPersonUniqueID.

• Open the Mappers tab and click Create.

• Fill the field as:

  • Name: SwitchAAI Unique ID.

  • Mapper Type: Username Template Importer.

  • Template: ${ATTRIBUTE.swissEduPersonUniqueID}

• Save the changes.

Setup a certificate

• Its FQDN (fully-qualified domain name). Example: medco-demo.epfl.ch.

• Its SAML entityID, that you can find out in the XML descriptor from the Export tab of the previously configured Keycloak identity provider. Example: https://medco-demo.epfl.ch/auth/realms/master.

Once you have generated the certificate, set it up in Keycloak:

• Navigate to the settings page Realm Settings > Keys > Providers and select Add Keystore... > rsa.

• Specify a name in Console Display Name. Example: rsa-switchaaitest.

• Specify a Priority higher than any other RSA key. Example: 150.

• In Private RSA Key and X509 Certificate fields, copy/paste the respective PEM parts of both the private key and the certificate that were previously generated.

Register Keycloak instance as a Service Provider in SwitchAAI

Register new resource

Click Add a Resource Description and fill the 7 categories of information according to the following instructions. Note that if some fields are not listed in this documentation, their value are not important for the registration of the Keycloak instance and can be set according to the explanations provided by the resource registry.

1. Basic Resource Information

• Entity ID: the same SAML entityID you used to generate the certificate. Example: https://medco-demo.epfl.ch/auth/realms/master.

• Home Organization: the organization that hosts the Keycloak instance currently being registered. The responsible persons of the organization specified here will need to approve the registration. This will typically be the the institution where the MedCo node is deployed. For the purpose of our test we are using AAI Demo Home Organization (aai-demo-idp.switch.ch, AAI Test).

• Home URL: the address of the MedCo node, at which the UI Glowing Bear can be accessed. Example: https://medco-demo.epfl.ch/.

2. Descriptive Information

3. Contacts

4. Service Locations

• SAML2 HTTP POST binding (x2): the URL at witch the SwitchAAI infrastructure will communicate with the Keycloak instance. You will find it in the configuration page of the configured identity provider in Keycloak under Redirect URI. Example: https://medco-demo.epfl.ch/auth/realms/master/broker/SwitchAAI-Test/endpoint

5. Certificates

Copy/paste in this field the PEM part of the certificate that was previously generated. Note that in the example showed below the certificate has already been validated through a separate channel.

6. Requested Attributes

Put on Required at least the following attributes. Note that the release of attributes needs to have a justification.

• E-mail (email). Example reason: Identify user for being able to assign them specific authorizations.

• Unique ID (swissEduPersonUniqueID). Example reason: Get a unique ID of user.

7. Intended Audience and Interfederation

Get the new resource approved

Once submitted, the responsible persons from the home organization will need to approve the new resource and validate the fingerprint of the certificate submitted. This is a manual process that will most likely be done through email.

Once this is done, the setup should be functional, and the users will be able to select the configured identity provider to login. Don't forget that this covers only users' authentication, their authorization needs to be handled manually through Keycloak after they login at least once.