```java
try (var cf =
    Epa4AllClientFactoryBuilder.newBuilder()
        .konnektorProxyAddress(
            new InetSocketAddress(KONNEKTOR_PROXY_HOST, KONNEKTOR_PROXY_PORT))
        .konnektorService(TestKonnektors.riseKonnektor_RU())
        .environment(Environment.RU)
        .build()) {
  final var insurantId = "X11...";
  var client = cf.newClient();
  var document = ExportFixture.buildFhirDocument(client.authorInstitution(), insurantId);
  assertDoesNotThrow(() -> client.writeDocument(insurantId, document));
}
```
```xml
<dependency>
  <groupId>com.oviva.telematik</groupId>
  <artifactId>epa4all-client</artifactId>
  <version>0.0.2-rc.0</version>
</dependency>
```
A thin REST API adapter around the client can be found at epa4all-rest-service.
In short:
```shell
docker run --rm \
  -e 'EPA4ALL_KONNEKTOR_URI=https://10.156.145.103:443' \
  -e 'EPA4ALL_PROXY_ADDRESS=host.docker.internal' \
  -e 'EPA4ALL_CREDENTIALS_PATH=/credentials.p12' \
  -e 'EPA4ALL_ENVIRONMENT=RU' \
  -v './credentials.p12:/credentials.p12' \
  -p '127.0.0.1:8080:8080' \
  ghcr.io/oviva-ag/epa4all-rest-service:latest
```
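A small pre-flight check for the `EPA4ALL_*` settings handed to `docker run`, added here as an example and not part of epa4all-rest-service. It assumes the Konnektor is only ever addressed over `https://`, treats an empty `EPA4ALL_PROXY_ADDRESS` as the VPN setup, and refuses a world-readable `.p12` because that file carries the client certificate's private key.

```shell
#!/bin/sh
# Added pre-flight check (not part of the project): validates the EPA4ALL_*
# values before they are passed to `docker run`.

# epa4all_mode PROXY_ADDRESS -> prints "proxy" or "vpn".
# An empty EPA4ALL_PROXY_ADDRESS selects the VPN setup (no forward proxy).
epa4all_mode() {
  if [ -n "$1" ]; then echo proxy; else echo vpn; fi
}

# epa4all_check_env KONNEKTOR_URI PROXY_ADDRESS CREDENTIALS_PATH ENVIRONMENT
# Returns 0 when the configuration is usable, 1 otherwise (reasons on stderr).
epa4all_check_env() {
  uri="$1" proxy="$2" creds="$3" ti_env="$4"
  rc=0
  # The Konnektor authenticates the client with the certificate in the .p12,
  # which only makes sense over TLS (assumption: https is always required).
  case "$uri" in
    https://*) ;;
    *) echo "EPA4ALL_KONNEKTOR_URI must start with https:// (got '$uri')" >&2; rc=1 ;;
  esac
  [ -n "$ti_env" ] || { echo "EPA4ALL_ENVIRONMENT is not set (e.g. RU)" >&2; rc=1; }
  if [ ! -r "$creds" ]; then
    echo "EPA4ALL_CREDENTIALS_PATH '$creds' is missing or unreadable" >&2; rc=1
  elif [ -n "$(find "$creds" -prune -perm -o+r 2>/dev/null)" ]; then
    # The .p12 holds the client certificate's private key: keep it 0600.
    echo "credentials file '$creds' is world-readable; use chmod 600" >&2; rc=1
  fi
  case "$(epa4all_mode "$proxy")" in
    proxy) echo "mode: HTTP forward proxy via $proxy" >&2 ;;
    vpn)   echo "mode: VPN (EPA4ALL_PROXY_ADDRESS unset); the Konnektor must be" \
                "reachable from the container's network namespace" >&2 ;;
  esac
  return "$rc"
}

# Usage with the values from the docker run command above (the credentials
# path is a placeholder for your own file):
# epa4all_check_env https://10.156.145.103:443 host.docker.internal ./credentials.p12 RU
```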
The following is an example of how to run the epa4all-rest-service with a VPN connection to the Konnektor. The VPN connection is established by a userspace WireGuard implementation, and the service and the VPN container share one network stack.
To achieve this, it is enough to leave `EPA4ALL_PROXY_ADDRESS` unset.
> **Note**
> This will most likely not work on GKE or other managed Kubernetes solutions due to the required `NET_ADMIN` capability.

> **Note**
> A userspace WireGuard implementation is not as performant as a kernel implementation. If you want to use a kernel implementation, you need to run the VPN container in host network mode.
```yaml
services:
  epa4all-rest:
    container_name: epa4all-rest
    image: epa4all-rest-service:latest
    ports:
      - '127.0.0.1:8099:8080'
    volumes:
      - ./vKon_Client_XXX.p12:/credentials.p12
    environment:
      # EPA4ALL_PROXY_ADDRESS is intentionally left unset: traffic goes
      # through the VPN instead of the HTTP forward proxy.
      - EPA4ALL_KONNEKTOR_URI=https://10.156.145.103:443
      - EPA4ALL_ENVIRONMENT=RU
      - EPA4ALL_CREDENTIALS_PATH=/credentials.p12
      - EPA4ALL_WORKPLACE_ID=test-arbeitsplatz
      - EPA4ALL_CLIENT_SYSTEM_ID=test-api
      - EPA4ALL_MANDANT_ID=test-mandant
      - EPA4ALL_USER_ID=admin
  epa4all-vpn:
    container_name: epa4all-vpn
    image: qmcgaw/gluetun:v3
    cap_add:
      - NET_ADMIN
    # The VPN container joins the REST service's network namespace, so both
    # containers share one network stack and the Konnektor is reached
    # through the tunnel.
    network_mode: "service:epa4all-rest"
    environment:
      - VPN_SERVICE_PROVIDER=custom
      - VPN_TYPE=wireguard
      - WIREGUARD_IMPLEMENTATION=userspace
      - DNS_KEEP_NAMESERVER=on
      - PUBLICIP_ENABLED=off
      - HEALTH_TARGET_ADDRESS=10.156.145.103:443
      - HEALTH_VPN_DURATION_INITIAL=24h
      - HEALTH_VPN_DURATION_ADDITION=24h
      - HEALTH_SUCCESS_WAIT_DURATION=24h
    volumes:
      - ./VPN_Configuration_XXX.conf:/gluetun/wireguard/wg0.conf
    healthcheck:
      # ping takes a host only; a host:port target never resolves and would
      # report the container unhealthy on every check.
      test: "ping -c 1 10.156.145.103 || exit 1"
      interval: 1s
      retries: 1
      timeout: 5s
      start_period: 5s
```
- client traffic is routed via an HTTP forward proxy into the Telematikinfrastruktur; applications and developers go via the proxy
- the card terminal is hosted separately, e.g. in a self-hosted datacenter (or closet)
- Konnektor etc. can be provisioned from an enabler such as RISE
- TI Leitfaden for DiGAs
- GemSpec Trusted-Environment Authorization, chapter 3.3
- Gematik OpenAPI Spec I_Authorization_Service
- Authorization Code: Structure
- LEI - Service Provider (Leistungs Institution)
- TI - Telematik Infrastruktur
from ILF PS ePA4all