
My Healthe Vet

My Healthe Vet (MHV)

My Healthe Vet is our third most common login type, accounting for roughly 20% of all logins.

MHV APIs provide Secure Messaging (SM), Prescriptions (RX), View Test and Lab Results, and Health Records aka Blue Button (BB) support as well as authentication. The integration with MHV is provided via NSOC configured tunnels to the MHV HA systems in Terremark, within the VA network. As of 2/2017, MHV provides a single API gateway for all services; it acts as a façade in front of two independent services for (RX + BB) and (SM). So it is possible for one or the other of the backing services to be down while the other is up.

Network connectivity and L7 status checks are reported by the External Service Status dashboard (SOCKS proxy access is required).

Integration Points

Prescriptions (RX)

  • Type: REST

  • Endpoint: #{ENV['MHV_HOST']}/mhv-api/patient/v1/

  • Error Indicator:

    • StatsD: api.external_http_request.Rx

    • Datadog:

    vets_api.statsd.api_external_http_request_Rx_success
    vets_api.statsd.api_external_http_request_Rx_failed
    vets_api.statsd.api_external_http_request_Rx_skipped

Secure Messaging (SM)

  • Type: REST

  • Endpoint: #{ENV['MHV_SM_HOST']}/mhv-sm-api/patient/v1/

  • Error Indicator:

    • StatsD: api.external_http_request.SM

    • Datadog:

    vets_api.statsd.api_external_http_request_SM_success
    vets_api.statsd.api_external_http_request_SM_failed
    vets_api.statsd.api_external_http_request_SM_skipped

Authentication

We don't connect directly to MHV for authentication. Instead, we redirect to http://id.me, which redirects to MHV; MHV redirects back to http://id.me, which redirects back to http://va.gov. More details on the login flow are in the vets.gov-team repository.

Trust Chains

essapi-sysb.myhealth.va.gov (login required)

   0 s:/DC=gov/DC=va/OU=devices/CN=essapi-sysb.myhealth.va.gov
     i:/DC=gov/DC=va/OU=Services/OU=PKI/CN=Veterans Affairs Device CA B2
   1 s:/DC=gov/DC=va/OU=Services/OU=PKI/CN=Veterans Affairs Device CA B2
     i:/C=US/O=Betrusted US Inc/OU=SSP/OU=Betrusted Production SSP CA A1/CN=Betrusted Production SSP CA A1
   2 s:/C=US/O=Betrusted US Inc/OU=SSP/OU=Betrusted Production SSP CA A1/CN=Betrusted Production SSP CA A1
     i:/C=US/O=U.S. Government/OU=FPKI/CN=Federal Common Policy CA

essapi.myhealth.va.gov (login required)

   0 s:/DC=gov/DC=va/OU=devices/CN=essapi.myhealth.va.gov
     i:/DC=gov/DC=va/OU=Services/OU=PKI/CN=Veterans Affairs Device CA B2
   1 s:/DC=gov/DC=va/OU=Services/OU=PKI/CN=Veterans Affairs Device CA B2
     i:/C=US/O=Betrusted US Inc/OU=SSP/OU=Betrusted Production SSP CA A1/CN=Betrusted Production SSP CA A1
   2 s:/C=US/O=Betrusted US Inc/OU=SSP/OU=Betrusted Production SSP CA A1/CN=Betrusted Production SSP CA A1
     i:/C=US/O=U.S. Government/OU=FPKI/CN=Federal Common Policy CA
   3 s:/C=US/O=U.S. Government/OU=FPKI/CN=Federal Common Policy CA
     i:/C=US/O=U.S. Government/OU=FPKI/CN=Federal Common Policy CA
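The two listings above differ in whether the server sends the self-signed root. The following added example (not code from the original page or from vets-api; the function and constant names are hypothetical) parses listings in this format, checks that each issuer matches the next subject, and reports which issuer the client must already trust.

```ruby
# Added example: issuer/subject linkage check for chain listings in the
# "N s:<subject> / i:<issuer>" format shown on this page.
CHAIN_ENTRY = /^\s*(\d+)\s+s:(.+)\n\s+i:(.+)$/

# Listing copied from this page (essapi-sysb.myhealth.va.gov).
SYSB_CHAIN = <<~CHAIN
  0 s:/DC=gov/DC=va/OU=devices/CN=essapi-sysb.myhealth.va.gov
    i:/DC=gov/DC=va/OU=Services/OU=PKI/CN=Veterans Affairs Device CA B2
  1 s:/DC=gov/DC=va/OU=Services/OU=PKI/CN=Veterans Affairs Device CA B2
    i:/C=US/O=Betrusted US Inc/OU=SSP/OU=Betrusted Production SSP CA A1/CN=Betrusted Production SSP CA A1
  2 s:/C=US/O=Betrusted US Inc/OU=SSP/OU=Betrusted Production SSP CA A1/CN=Betrusted Production SSP CA A1
    i:/C=US/O=U.S. Government/OU=FPKI/CN=Federal Common Policy CA
CHAIN

# Depth 3 of the essapi.myhealth.va.gov listing: the self-signed root.
ROOT_ENTRY = <<~CHAIN
  3 s:/C=US/O=U.S. Government/OU=FPKI/CN=Federal Common Policy CA
    i:/C=US/O=U.S. Government/OU=FPKI/CN=Federal Common Policy CA
CHAIN

# Rebuilds the second listing on this page from the first plus the root.
PROD_CHAIN = SYSB_CHAIN.sub('essapi-sysb', 'essapi') + ROOT_ENTRY

def parse_chain(text)
  text.scan(CHAIN_ENTRY).map do |depth, subject, issuer|
    { depth: depth.to_i, subject: subject.strip, issuer: issuer.strip }
  end
end

def check_chain(text)
  certs = parse_chain(text)
  problems = []
  # Every certificate must be issued by the one listed directly after it.
  certs.each_cons(2) do |child, parent|
    next if child[:issuer] == parent[:subject]
    problems << "depth #{child[:depth]}: issuer is not the subject at depth #{parent[:depth]}"
  end
  last = certs.last
  { length: certs.length, linked: problems.empty?, problems: problems,
    # A self-signed final entry means the server sent the root itself.
    root_sent: !last.nil? && last[:subject] == last[:issuer],
    # Issuer of the final entry: the CA the client must already trust.
    trust_anchor: last && last[:issuer] }
end

if __FILE__ == $PROGRAM_NAME
  { 'sysb' => SYSB_CHAIN, 'prod' => PROD_CHAIN }.each do |name, chain|
    puts "#{name}: #{check_chain(chain)}"
  end
end
```

This compares the printed names only; it does not verify signatures, validity dates, or revocation.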

Required Configuration

The following environment variables must be set to establish connectivity:

  • MHV_HOST

  • MHV_APP_TOKEN

  • MHV_SM_HOST

  • MHV_SM_APP_TOKEN

As mentioned above, there is now a single API gateway, so MHV_HOST and MHV_SM_HOST should match (and eventually these may be collapsed into one variable). However, the backing services use their own authentication tokens, so MHV_APP_TOKEN and MHV_SM_APP_TOKEN are not expected to match.
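A startup check for the expectations above, as an added example (not code from the original page or from vets-api; `mhv_config_problems` is a hypothetical name). It assumes the host values are full https:// URLs, which the page does not state explicitly, and it never includes a token value in its messages so the output is safe to log.

```ruby
require 'uri'

# The four variables this page lists as required.
REQUIRED_MHV_VARS = %w[MHV_HOST MHV_APP_TOKEN MHV_SM_HOST MHV_SM_APP_TOKEN].freeze

# Returns a list of problems; an empty list means the configuration is
# consistent with the page. Messages name variables, never their values.
def mhv_config_problems(env)
  missing = REQUIRED_MHV_VARS.select { |k| env[k].to_s.strip.empty? }
  return missing.map { |k| "#{k} is not set" } unless missing.empty?

  problems = []
  %w[MHV_HOST MHV_SM_HOST].each do |k|
    uri = begin
      URI.parse(env[k])
    rescue URI::InvalidURIError
      nil
    end
    # Assumption: hosts are https:// URLs (the page mentions SSL connectivity).
    problems << "#{k} is not an https:// URL" unless uri.is_a?(URI::HTTPS) && uri.host
  end

  # Single API gateway: both host variables should point at the same place.
  if env['MHV_HOST'].chomp('/') != env['MHV_SM_HOST'].chomp('/')
    problems << 'MHV_HOST and MHV_SM_HOST differ (single gateway expected)'
  end

  # Separate backing services: identical tokens suggest a copy/paste error.
  if env['MHV_APP_TOKEN'] == env['MHV_SM_APP_TOKEN']
    problems << 'MHV_APP_TOKEN and MHV_SM_APP_TOKEN are identical'
  end
  problems
end

if __FILE__ == $PROGRAM_NAME
  problems = mhv_config_problems(ENV.to_h)
  puts(problems.empty? ? 'MHV configuration looks consistent' : problems)
end
```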

These parameters are set via credstash.

Additionally, the parameters MHV_APP_TOKEN and MHV_SM_APP_TOKEN are stored in AWS Parameter Store under the following keys (and were most recently moved to credstash):

  • /dsva-vagov/vets-api/<env>/mhv_app_token

  • /dsva-vagov/vets-api/dev/mhv_sm_app_token

Additionally, custom certificates must be added to the cert chain to allow SSL connectivity. These certificates are placed in /etc/pki/ca-trust/source/anchors/:

  • intb.pem

  • prod.pem

Key Contacts

Name | Capacity | Email | Slack | Mobile

TODO (additional contacts required)

Maintenance Windows

  • ANR (login required) - Alerts are sent for all VA online services and systems for planned and unplanned outages

  • A release schedule is emailed out with release dates (TODO: a POC to receive and update)

  • MHV List Serv (login required) - Notifications are sent out about outages

Incident Response

Any time PagerDuty has a status other than "active" for MHV, a downtime banner is in place on the sign-in modal. Vets-api gets the status from PagerDuty once a minute.

  1. If you see an alert for http://id.me authentication at the same time as an MHV alert, focus on http://id.me, as MHV authentication depends on http://id.me.

  2. Contact the NSD (1-855-673-4357) to file a ticket for MHV outages. Phone tree 5 (Other issues) -> 1 (VHA). You will be forwarded to a technician.

  3. Send an email describing the issue in detail, including the NSD ticket #, to

 "Graham, Kenneth J. (BYLIGHT)" <Kenneth.Graham2@va.gov>, "Hormby, Thomas W.
(SMS)" <Thomas.Hormby@va.gov>, "Copeman, Richard L.. (SMS)"
<Richard.Copeman@va.gov>, "Zallar, Kerry (KGS)" <Kerry.Zallar@va.gov>, "Kirk,
Gregory" <Gregory.Kirk@va.gov>, "Phelps, Carl J." <Carl.Phelps@va.gov>, "Good,
Sean M." <Sean.Good@va.gov>, "Robertson, Raquel D.(BYLIGHT)"
<Raquel.Robertson@va.gov>, "Bain, Matthew" <Matthew.Bain@va.gov>, "Moy, Jacob T.
(By Light)" <Jacob.Moy@va.gov>, "Born, Michael A. (Vidoon, Inc)"
<Michael.Born@va.gov>, "Brekke, John L." <John.Brekke@va.gov>.

SLAs, incident response times, and phone contacts are not yet established.

