For installation using docker-compose, see glowing-bear-docker.
For installation using Puppet, follow the instructions on puppet-transmart_core.
This section contains instructions for setting up:
- Keycloak and its database;
- The backend services
, and their databases; - An nginx web server that serves the Glowing Bear application and functions as a gateway for the backend services. The web server also provides the SSL secured access.
The official installation documentation for Keycloak is available on the Keycloak documentation site.
The instructions here describe installation of a new distribution named Keycloak.X, running on a Quarkus JVM (embedded), which is easier to configure and runs faster than the traditional version.
Keycloak requires:
- a PostgreSQL database server
Installation steps for Keycloak:
Create a database
and a rolekeycloak
granted all privileges on the database. Choose a strong password for the role. The password must not contain whitespace.create database keycloak; create role keycloak with password 'choose-a-strong-keycloak-password' login; grant all on database keycloak to keycloak;
Ensure that a system user
exists with home directory/home/keycloak
.adduser --system keycloak
Download the Keycloak.X preview release from:
Commands to download and configure in
:KEYCLOAK_VERSION=12.0.4 curl -f -L "${KEYCLOAK_VERSION}/keycloak.x-preview-${KEYCLOAK_VERSION}.tar.gz" -o "keycloak.x-preview-${KEYCLOAK_VERSION}.tar.gz" tar xfz "keycloak.x-preview-${KEYCLOAK_VERSION}.tar.gz" cd "keycloak.x-${KEYCLOAK_VERSION}" KEYCLOAK_SERVER_URL= # CHANGE ME KEYCLOAK_DB_PASSWORD=choose-a-strong-keycloak-password # CHANGE ME KEYCLOAK_DB_PORT=5432 bin/ config --http-enabled=true --metrics-enabled=true \ --features-account2=disabled --features-token_exchange=enabled \ --db=postgres"localhost:${KEYCLOAK_DB_PORT:-5432}" --db-username=keycloak --db-password=${KEYCLOAK_DB_PASSWORD} \ --hostname-frontend-url=${KEYCLOAK_SERVER_URL}/
Create a systemd service
:[Unit] Description=Keycloak server [Service] User=keycloak ExecStart=/home/keycloak/keycloak.x-12.0.4/bin/ StandardOutput=journal+console Restart=always [Install]
Ensure the
user has write access to:/tmp/kc-gzip-cache/
. -
Start the Keycloak service:
systemctl start keycloak.service
Connect to the service at http://localhost:8080 to configure an admin account (when installing on a remote machine, create an SSL tunnel).
Setup an SSL proxy. E.g., with nginx, create a file
:server { listen *:443 ssl; server_name; ssl_certificate /etc/ssl/certs/; ssl_certificate_key /etc/ssl/private/; index index.html; access_log /var/log/nginx/ combined; error_log /var/log/nginx/; location / { proxy_pass http://localhost:8080; proxy_read_timeout 90s; proxy_connect_timeout 90s; proxy_send_timeout 90s; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Proxy ""; } }
Note that Keycloak requires the
headers to be set correctly. Please ensure that proper SSL certificates are installed. -
Reload nginx configuration:
systemctl reload nginx.service
Below are steps on how to set up Keycloak for Glowing Bear/TranSMART using the admin console.
The prerequisite is to have admin credentials to a Keycloak instance.
Login to
Create a realm, e.g.,
Create a client
:- Client Protocol:
- Root URL:
- Access Type:
- Standard Flow Enabled:
- Implicit Flow Enabled:
- Root URL:
- Valid Redirect URIs:
- Base URL:
- Web Origins:
- Client Protocol:
Add a client mapper to include an
(audience) claim to the token (see the official Keycloak documentation). -
Create administrator role:
Add users
Keycloak supports identity brokering, or user federation for integration with existing organisational identity providers.
To add users manually:- Go to
- Click
Add user
, enter a username and clickSave
. - Select the
tab, enter a password and clickReset Password
. - If the user should have administrator access:
- Go to
Role Mappings
tab. - Then select
in theClient Roles
dropdown and assure thatROLE_ADMIN
is in the list of assigned roles.
- Go to
- Go to
Add a system user for asynchronous job handling by the Glowing Bear backend Transmart Packer.
Go to
Add user
, enter usernamesystem
and clickSave
. -
Select the
tab, enter a strong password and clickReset Password
. -
Go to
Role Mappings
tab.- Ensure that the
realm role is assigned. - Select
in theClient Roles
dropdown and assure theview-users
roles are assigned.
- Ensure that the
Request an offline token for the system
user, to be used by Glowing Bear backend and Transmart Packer.
SYSTEM_PASSWORD=choose-a-strong-system-password # CHANGE ME
curl -f --no-progress-meter \
-d "client_id=${KEYCLOAK_CLIENT_ID}" \
-d "username=${SYSTEM_USERNAME}" \
-d "password=${SYSTEM_PASSWORD}" \
-d 'grant_type=password' \
-d 'scope=offline_access' \
"${KEYCLOAK_SERVER_URL}/realms/${KEYCLOAK_REALM}/protocol/openid-connect/token" | jq -r '.refresh_token'
The value of the refresh_token
field in the response is the offline token.
Availability of the Keycloak application can be tested using the following public endpoints:
- The realm specific endpoint
should return status200
. - The health endpoint
should return a JSON message with valueUP
in thestatus
field:{ "status": "UP", "checks": [ { "name": "Keycloak database connections health check", "status": "UP" } ] }
TranSMART API server requires:
- JDK 8
- a PostgreSQL database server
Installation steps for TranSMART API server:
Install the
extension, e.g., for PostgreSQL 12:POSTGRESQL_VERSION=12 curl -f -L -o postgresql-${POSTGRESQL_VERSION}-pg-bitcount_0.0.3-2_amd64.deb \${POSTGRESQL_VERSION}-pg-bitcount_0.0.3-2_amd64.deb && \ sudo dpkg -i postgresql-${POSTGRESQL_VERSION}-pg-bitcount_0.0.3-2_amd64.deb
Create a database
a rolebiomart_user
granted all privileges on the database. Choose a strong password for thebiomart_user
role.create database transmart; create role biomart_user with password 'choose-a-strong-transmart-password' login; -- CHANGE ME grant all on database transmart to biomart_user;
Install the
extension usingsudo -u postgres psql -d transmart
:create extension pg_bitcount version '0.0.3'; select extname, extversion from pg_extension where extname = 'pg_bitcount';
Expected output:
extname | extversion -------------+------------ pg_bitcount | 0.0.3 (1 row)
Ensure that a system user
exists with home directory/home/transmart
.adduser --system transmart
Download the application in the
directory:TRANSMART_VERSION=17.2.11 curl -f -L -o "/home/transmart/transmart-api-server-${TRANSMART_VERSION}.war" \ "${TRANSMART_VERSION}/transmart-api-server-${TRANSMART_VERSION}.war"
Create config file
:dataSource: driverClassName: org.postgresql.Driver dialect: org.hibernate.dialect.PostgreSQLDialect url: jdbc:postgresql://localhost:5432/transmart?currentSchema=public username: biomart_user password: choose-a-strong-transmart-password # CHANGE ME dbCreate: none pooled: true jmxExport: true logSql: false formatql: false properties: minimumIdle: 15 maximumPoolSize: 50 keycloak: auth-server-url: # CHANGE ME realm: example # CHANGE ME resource: transmart-client bearer-only: true use-resource-role-mappings: true verify-token-audience: true org.transmartproject.system.numberOfWorkers: 2 org.transmartproject.patientCountThreshold: 0 grails.plugin.databasemigration: updateOnStartFileName: classpath:db/changelog/db.changelog-master.yaml updateOnStart: true # If true, schema update scripts are executed at startup org.transmartproject.system.writeLogToDatabase: false # write log messages to the searchapp.search_app_access_log table
Create a systemd service
:[Unit] Description=TranSMART API server [Service] User=transmart WorkingDirectory=/home/transmart ExecStart=java -jar -server -Xms8g -Xmx8g -Djava.awt.headless=true -Dorg.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER=true -Dmail.mime.decodeparameters=true -Dserver.port=8081 -Dspring.config.location=/home/transmart/transmart-api-server.config.yml /home/transmart/transmart-api-server-17.2.11.war StandardOutput=journal+console Restart=always [Install]
Start the service:
systemctl start transmart-api-server.service
The Glowing Bear backend server requires:
- JDK 8
- a PostgreSQL database server
- an SMTP email server
Installation steps for the Glowing Bear backend server:
Create a database
a rolebiomart_user
granted all privileges on the database. Choose a strong password for thebiomart_user
role.create database gb_backend; create role gb_backend with password 'choose-a-strong-gb_backend-password' login; -- CHANGE ME grant all on database gb_backend to gb_backend;
Ensure that a system user
exists with home directory/home/gb
.adduser --system gb
Download the application in the
directory:GB_BACKEND_VERSION=1.0.6 curl -f -L -o "/home/gb/gb-backend-${GB_BACKEND_VERSION}.war" \ "${GB_BACKEND_VERSION}/gb-backend-${GB_BACKEND_VERSION}.war"
Ensure that you have a valid offline token, for asynchronous data access. See Offline token.
Create configuration file
:transmart: server-url: http://localhost:8081 api-version: v2 keycloak: auth-server-url: # CHANGE ME realm: example # CHANGE ME resource: transmart-client keycloakOffline: offlineToken: <OFFLINE TOKEN FOR ASYNCHRONOUS ACCESS TO TRANSMART SERVER> # CHANGE ME dataSource: driverClassName: org.postgresql.Driver dialect: org.hibernate.dialect.PostgreSQLDialect username: gb_backend password: choose-a-strong-gb_backend-password # CHANGE ME url: jdbc:postgresql://localhost:5432/gb_backend # enable daily and weekly notification jobs enabled: true # max number of query sets returned in a subscription email maxNumberOfSets: 20 # daily cron job trigger time in format: hh-mm # hh: Hour, range: 0-23; # mm: Minute, range: 0-59; dailyJobTriggerTime: 13-0 # Name of the client application on behalf of which gb-backend will send notification email. clientApplicationName: Glowing Bear # CHANGE ME clientApplicationUrl: # CHANGE ME grails: mail: 'default': from: noreply@localhost # CHANGE ME
Create a systemd service
:[Unit] Description=Glowing Bear backend server [Service] User=gb WorkingDirectory=/home/gb ExecStart=java -jar -server -Djava.awt.headless=true -Dmail.mime.decodeparameters=true -Dserver.port=8083 -Dspring.config.location=/home/gb/application.yml /home/gb/gb-backend-1.0.6.war StandardOutput=journal+console Restart=always [Install]
Start the service:
systemctl start gb-backend.service
Transmart Packer consists of a worker service that performs the export tasks and a webapp services that handles export requests, task management and export file downloads.
Transmart Packer requires:
- Python 3.7 or newer
- Redis server
Installation steps for the Transmart Packer services:
Ensure that a system user
exists with home directory/home/packer
.adduser --system packer
Create a Python 3 virtual environment in
:python3 -m venv venv
Install Transmart Packer:
source venv/bin/activate pip install --no-cache-dir --upgrade "transmart-packer == 0.6.1"
Ensure that you have a valid offline token, for asynchronous data access. See Offline token.
Create a start script
with the configuration:#!/usr/bin/env bash set -e here=$(dirname "${0}") source ${here}/venv/bin/activate export KEYCLOAK_SERVER_URL= # CHANGE ME export KEYCLOAK_REALM=example # CHANGE ME export KEYCLOAK_CLIENT_ID=transmart-client export KEYCLOAK_OFFLINE_TOKEN="<offline token>" # CHANGE ME export TRANSMART_URL=http://localhost:8081 export REDIS_URL=redis://localhost:6379 export DATA_DIR=/home/packer/data export CLIENT_ORIGIN_URL='*' export VERIFY_CERT=true exec "$@"
Create a systemd service
:[Unit] Description=Transmart Packer worker [Service] User=packer WorkingDirectory=/home/packer ExecStart=/home/packer/start celery -A packer.tasks worker -c 4 --loglevel info StandardOutput=journal+console Restart=always [Install]
Create a systemd service
:[Unit] Description=Transmart Packer web app [Service] User=packer WorkingDirectory=/home/packer ExecStart=/home/packer/start transmart-packer StandardOutput=journal+console Restart=always [Install]
Start the services:
systemctl start transmart-packer-worker.service systemctl start transmart-packer-webapp.service
Glowing Bear requires:
- nginx
Download the application and extract the contents in the
directory:GLOWING_BEAR_VERSION=2.0.17 curl -f -L -o "glowing-bear-${GLOWING_BEAR_VERSION}.tar" \ "${GLOWING_BEAR_VERSION}/glowing-bear-${GLOWING_BEAR_VERSION}.tar" sudo mkdir -p /var/www/glowingbear sudo tar xf glowing-bear-${GLOWING_BEAR_VERSION}.tar -C /var/www/glowingbear
Override environment file
with the following:{ "env": "default" }
Edit configuration file
(overwrites the default config file in thetar
):{ "oidc-server-url": "CHANGE ME", "oidc-client-id": "transmart-client", "api-url": "/api/transmart-api-server", "gb-backend-url": "/api/gb-backend", "export-mode": { "name": "packer", "data-view": "csr_export", "export-url": "/api/transmart-packer" }, "enable-fractalis-analysis": false, "fractalis-url": null, "fractalis-datasource-url": "/api/transmart-api-server", "autosave-subject-sets": false, "show-observation-counts": false, "instant-counts-update": false, "include-data-table": false, "include-cohort-subscription": true, "check-server-status": true, "deny-access-to-users-without-role": false, "api-version": "v2", "doc-url": "" }
should be of the form
. -
Configure a web server to serve the application and to function as a gateway for the backend services E.g., with nginx, create a file
:server { listen *:443 ssl; server_name; # CHANGE ME ssl_certificate /etc/ssl/certs/; ssl_certificate_key /etc/ssl/private/; index index.html; access_log /var/log/nginx/ combined; error_log /var/log/nginx/; location / { root /var/www/glowingbear/glowing-bear-2.0.17; index index.html index.htm; try_files $uri $uri/ /index.html =404; } location /api/transmart-api-server/ { proxy_pass http://localhost:8081/; proxy_read_timeout 90s; proxy_connect_timeout 90s; proxy_send_timeout 90s; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Proxy ""; proxy_redirect default; } location /api/gb-backend/ { proxy_pass http://localhost:8083/; proxy_read_timeout 90s; proxy_connect_timeout 90s; proxy_send_timeout 90s; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Proxy ""; proxy_redirect default; } location /api/transmart-packer/ { proxy_pass http://localhost:8999/; proxy_read_timeout 90s; proxy_connect_timeout 90s; proxy_send_timeout 90s; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Proxy ""; proxy_redirect default; } }
Please ensure that proper SSL certificates are installed.
Reload nginx configuration:
systemctl reload nginx.service
Availability of the Transmart API and GB backend applications can be tested using the following public endpoints:
- Transmart API server: the health endpoint
should return status200
and a JSON message with valueUP
in thestatus
field:{ "status": "UP" }
- Glowing Bear backend: the health endpoint
should return status200
and a JSON message with valueUP
in thestatus
field:{ "status": "UP" }
- Transmart Packer: no health endpoint