My HealtheVet (MHV)

My HealtheVet is our third most common login type, accounting for roughly 20% of all logins.

MHV APIs provide Secure Messaging (SM), Prescriptions (RX), and Health Records aka Blue Button (BB) support as well as authentication. The integration with MHV is provided via NSOC-configured tunnels to the MHV HA systems in Terremark, within the VA network. As of 2/2017, MHV provides a single API gateway for all services; it acts as a façade in front of two independent services, one for (RX + BB) and one for (SM). It is therefore possible for one of the backing services to be down while the other is up.

Network connectivity and L7 status checks are reported by the External Service Status dashboard.

Integration Points

Prescriptions (RX)

  • Type: REST

  • Endpoint: #{ENV['MHV_HOST']}/mhv-api/patient/v1/

  • Error Indicator:

    • StatsD: api.external_http_request.Rx

    • Prometheus:

    api_external_http_request{service:Rx}
    api_external_http_request_success_total{service:Rx}
    api_external_http_request_failure_total{service:Rx}
    

Secure Messaging (SM)

  • Type: REST

  • Endpoint: #{ENV['MHV_SM_HOST']}/mhv-sm-api/patient/v1/

  • Error Indicator:

    • StatsD: api.external_http_request.SM

    • Prometheus:

    api_external_http_request{service:SM}
    api_external_http_request_success_total{service:SM}
    api_external_http_request_failure_total{service:SM}
    

Authentication

We don't connect directly to MHV for authentication. Instead, we redirect to http://id.me, which redirects to MHV; MHV redirects back to http://id.me, which redirects back to http://va.gov. More details on the login flow are in the vets.gov-team repository.

Trust Chains

essapi-sysb.myhealth.va.gov

   0 s:/DC=gov/DC=va/OU=devices/CN=essapi-sysb.myhealth.va.gov
     i:/DC=gov/DC=va/OU=Services/OU=PKI/CN=Veterans Affairs Device CA B2
   1 s:/DC=gov/DC=va/OU=Services/OU=PKI/CN=Veterans Affairs Device CA B2
     i:/C=US/O=Betrusted US Inc/OU=SSP/OU=Betrusted Production SSP CA A1/CN=Betrusted Production SSP CA A1
   2 s:/C=US/O=Betrusted US Inc/OU=SSP/OU=Betrusted Production SSP CA A1/CN=Betrusted Production SSP CA A1
     i:/C=US/O=U.S. Government/OU=FPKI/CN=Federal Common Policy CA

essapi.myhealth.va.gov

   0 s:/DC=gov/DC=va/OU=devices/CN=essapi.myhealth.va.gov
     i:/DC=gov/DC=va/OU=Services/OU=PKI/CN=Veterans Affairs Device CA B2
   1 s:/DC=gov/DC=va/OU=Services/OU=PKI/CN=Veterans Affairs Device CA B2
     i:/C=US/O=Betrusted US Inc/OU=SSP/OU=Betrusted Production SSP CA A1/CN=Betrusted Production SSP CA A1
   2 s:/C=US/O=Betrusted US Inc/OU=SSP/OU=Betrusted Production SSP CA A1/CN=Betrusted Production SSP CA A1
     i:/C=US/O=U.S. Government/OU=FPKI/CN=Federal Common Policy CA
   3 s:/C=US/O=U.S. Government/OU=FPKI/CN=Federal Common Policy CA
     i:/C=US/O=U.S. Government/OU=FPKI/CN=Federal Common Policy CA
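
The two listings above can be checked mechanically. This Ruby sketch is an added example, not code from vets-api: it parses the s:/i: listing format shown above, confirms that each certificate is issued by the next one up, and reports whether the server sent the self-signed root. The function and constant names are assumptions made for this example.

```ruby
# Added example (not from the vets-api code base): audit chain listings in the
# "N s:<subject>" / "i:<issuer>" format shown in the Trust Chains section.
ChainEntry = Struct.new(:depth, :subject, :issuer)

def parse_chain(text)
  text.each_line.with_object([]) do |line, entries|
    if (m = line.match(/^\s*(\d+)\s+s:(.+?)\s*$/))
      entries << ChainEntry.new(m[1].to_i, m[2], nil)
    elsif (m = line.match(/^\s*i:(.+?)\s*$/)) && entries.last
      entries.last.issuer = m[1]
    end
  end
end

def audit_chain(text)
  chain = parse_chain(text)
  raise ArgumentError, 'no certificates in listing' if chain.empty?
  # Every certificate must name the next entry up the chain as its issuer.
  breaks = chain.each_cons(2).reject { |lower, upper| lower.issuer == upper.subject }
                .map { |lower, upper| "depth #{lower.depth} is not issued by depth #{upper.depth}" }
  top = chain.last
  { leaf: chain.first.subject[/CN=([^\/]+)\z/, 1], breaks: breaks,
    root_sent: top.subject == top.issuer, # self-signed top entry
    anchor_needed: top.issuer.to_s[/CN=([^\/]+)\z/, 1] }
end

# Listings copied from the Trust Chains section of this page.
SYSB_CHAIN = <<~CHAIN
  0 s:/DC=gov/DC=va/OU=devices/CN=essapi-sysb.myhealth.va.gov
    i:/DC=gov/DC=va/OU=Services/OU=PKI/CN=Veterans Affairs Device CA B2
  1 s:/DC=gov/DC=va/OU=Services/OU=PKI/CN=Veterans Affairs Device CA B2
    i:/C=US/O=Betrusted US Inc/OU=SSP/OU=Betrusted Production SSP CA A1/CN=Betrusted Production SSP CA A1
  2 s:/C=US/O=Betrusted US Inc/OU=SSP/OU=Betrusted Production SSP CA A1/CN=Betrusted Production SSP CA A1
    i:/C=US/O=U.S. Government/OU=FPKI/CN=Federal Common Policy CA
CHAIN

PROD_CHAIN = <<~CHAIN
  0 s:/DC=gov/DC=va/OU=devices/CN=essapi.myhealth.va.gov
    i:/DC=gov/DC=va/OU=Services/OU=PKI/CN=Veterans Affairs Device CA B2
  1 s:/DC=gov/DC=va/OU=Services/OU=PKI/CN=Veterans Affairs Device CA B2
    i:/C=US/O=Betrusted US Inc/OU=SSP/OU=Betrusted Production SSP CA A1/CN=Betrusted Production SSP CA A1
  2 s:/C=US/O=Betrusted US Inc/OU=SSP/OU=Betrusted Production SSP CA A1/CN=Betrusted Production SSP CA A1
    i:/C=US/O=U.S. Government/OU=FPKI/CN=Federal Common Policy CA
  3 s:/C=US/O=U.S. Government/OU=FPKI/CN=Federal Common Policy CA
    i:/C=US/O=U.S. Government/OU=FPKI/CN=Federal Common Policy CA
CHAIN

[SYSB_CHAIN, PROD_CHAIN].each { |c| p audit_chain(c) } if __FILE__ == $PROGRAM_NAME
```

For essapi-sysb the top certificate sent is not self-signed, so the client's trust store has to supply Federal Common Policy CA (or a certificate below it) itself. essapi does send the root, but a root received from the server only counts if it is already trusted locally.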

Required Configuration

The following environment variables must be set to establish connectivity:

  • MHV_HOST

  • MHV_APP_TOKEN

  • MHV_SM_HOST

  • MHV_SM_APP_TOKEN

As mentioned above, there is now a single API gateway, so MHV_HOST and MHV_SM_HOST should match (and eventually these may be collapsed into one variable). However, the backing services use their own authentication tokens, so MHV_APP_TOKEN and MHV_SM_APP_TOKEN are not expected to match.

These parameters are set via credstash.

Additionally, the parameters MHV_APP_TOKEN and MHV_SM_APP_TOKEN are stored in AWS Parameter Store under the following keys (and were most recently moved to credstash):

  • /dsva-vagov/vets-api/<env>/mhv_app_token

  • /dsva-vagov/vets-api/dev/mhv_sm_app_token

Additionally, custom certificates must be added to the cert chain to allow SSL connectivity. These certificates are placed in /etc/pki/ca-trust/source/anchors/:

  • intb.pem

  • prod.pem
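
A preflight check for the settings listed in this section, as an added example that is not part of vets-api. The function name, the finding format and the host normalisation (trailing slash and case ignored) are assumptions made for this example; token values are compared but never written to the output.

```ruby
# Added example (not vets-api code): preflight check for the MHV settings.
REQUIRED_VARS = %w[MHV_HOST MHV_APP_TOKEN MHV_SM_HOST MHV_SM_APP_TOKEN].freeze
ANCHOR_FILES  = %w[intb.pem prod.pem].freeze

# Returns findings as [severity, message]; token values are never echoed.
def mhv_preflight(env, anchor_dir)
  findings = []
  missing = REQUIRED_VARS.select { |k| env[k].to_s.strip.empty? }
  missing.each { |k| findings << [:error, "#{k} is not set"] }

  # Single gateway: both host variables should resolve to the same value.
  hosts = env.values_at('MHV_HOST', 'MHV_SM_HOST').map { |h| h.to_s.strip.chomp('/').downcase }
  if hosts.none?(&:empty?) && hosts.uniq.size > 1
    findings << [:warn, 'MHV_HOST and MHV_SM_HOST differ; both should point at the single gateway']
  end

  # Separate backing services: identical tokens suggest a copy-paste mistake.
  tokens = env.values_at('MHV_APP_TOKEN', 'MHV_SM_APP_TOKEN').map(&:to_s)
  if tokens.none?(&:empty?) && tokens.uniq.size == 1
    findings << [:warn, 'MHV_APP_TOKEN and MHV_SM_APP_TOKEN are identical; each backing service has its own token']
  end

  # Custom CA files must be present before SSL connections can validate.
  ANCHOR_FILES.each do |name|
    path = File.join(anchor_dir, name)
    if !File.file?(path)
      findings << [:error, "#{path} is missing"]
    elsif !File.read(path).include?('-----BEGIN CERTIFICATE-----')
      findings << [:error, "#{path} does not contain a PEM certificate"]
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  mhv_preflight(ENV, '/etc/pki/ca-trust/source/anchors').each { |sev, msg| puts "#{sev}: #{msg}" }
end
```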

Key Contacts

Name | Capacity | Email | Slack | Mobile

TODO(additional contacts required)

Maintenance Windows

  • ANR - Alerts are sent for all VA online services and systems for planned and unplanned outages

  • A release schedule is emailed out with release dates (TODO: a POC to receive and UPDATE)

  • MHV List Serv - Notifications are sent out about outages

Incident Response

Any time PagerDuty has a status other than "active" for MHV, a downtime banner is in place on the sign-in modal. Vets-api gets the status from PagerDuty once a minute.

  1. If you see an alert for http://id.me authentication at the same time as an MHV alert, focus on http://id.me, as MHV authentication depends on http://id.me.

  2. Contact the NSD (1-855-673-4357) to file a ticket for MHV outages. Phone tree 5 (Other issues) -> 1 (VHA). You will be forwarded to a technician.

  3. Send an email describing the issue in detail, including the NSD ticket #, to

 "Graham, Kenneth J. (BYLIGHT)" <Kenneth.Graham2@va.gov>, "Hormby, Thomas W.
(SMS)" <Thomas.Hormby@va.gov>, "Copeman, Richard L.. (SMS)"
<Richard.Copeman@va.gov>, "Zallar, Kerry (KGS)" <Kerry.Zallar@va.gov>, "Kirk,
Gregory" <Gregory.Kirk@va.gov>, "Phelps, Carl J." <Carl.Phelps@va.gov>, "Good,
Sean M." <Sean.Good@va.gov>, "Robertson, Raquel D.(BYLIGHT)"
<Raquel.Robertson@va.gov>, "Bain, Matthew" <Matthew.Bain@va.gov>, "Moy, Jacob T.
(By Light)" <Jacob.Moy@va.gov>, "Born, Michael A. (Vidoon, Inc)"
<Michael.Born@va.gov>, "Brekke, John L." <John.Brekke@va.gov>.

SLAs, incident response times, and phone contacts are not yet established.