OHDSI Home | Forums | Wiki | Github

WebAPI installation on production system


We have followed the WebAPI installation guide and successfully installed WebAPI and Atlas on our test application server. We are moving to install them on the production server.

The WebAPI installation guide states that " This guide is not intended for setting up production systems.", and recommends either Broadsea or OHDSI on AWS using Docker.

Would you please provide some insights and/or details of why we need to use other methods? What are the downside of repeating the installation steps in the installation guide on production application server?

Thank you

The passwords and security to be used in your production system. The guide does not use https but in production this is important. Docker can be very helpful but to understand this you need to know about docker and how to setup tomcat within a docker container.

@jcabrerazuniga is correct: the guide is giving the simplest path to deployment while ignoring some security considerations (ie: don’t use the example passwords in the guide in your production system). There may be other security considerations that you need to understand in your own environment that the guide could not be able to predict. So, we just add a scary note about setting up production systems to trigger critical questions about your own implementation. In that regard, the documentation was successful!

@jcabrerazuniga @Chris_Knoll Thank you for your responses. Both of the suggested approaches for installing WebAPI in production system (i.e. Broadsea and OHDSI on AWS) require Docker, this technology isn’t regularly utilized and supported by our health IT. The scary note DOES work, but it would be very helpful to elaborate the security considerations in the guide to trigger critical questions for institutions who don’t or couldn’t support Docker.

@Chris_Knoll does this mean that as long as we use secure passwords and enable https, the guide would actually be a viable option for Production systems?

The guide is suitable for production systems except for the context of proper security protocols (https, keeping your passwords secure, and any other site-specific rules your IT team has determined for your environment). Just to be clear: the documentation can not be aware of the specific security concerns of your own IT department (but makes the assumptions that there are some kind of concerns that you should be aware of).

I think the document could be clarified/made more precise by saying that from a security perspective: the document is not meant to illustrate production-oriented configuration, and you should take additional steps to ensure that when you install the software, you accomodate all IT concerns related to securing your environment.

All that being said, if you do take those additional steps in your production environment to ensure secure configuration, then you can follow the document to deploy to your production environment. That’s what we do at our own company. We don’t use docker, we build from the release and apply additional measures to ensure the application is secure (ie: we set up the SSL certs for HTTPS, we have protocols around database/service accounts, we grant specific permissions to specific accounts for accessing specific schemas, etc).

Thank you for that clarification.

@Chris_Knoll Thank you for clarification.

Docker is free of charge for educational purposes and you could get Docker-ce for a Linux distribution like Fedora or Ubuntu. It will be a great opportunity for you to learn something very interesting and helpful.