Preparing for Spok Go
Overview
Before deploying Spok Go, make sure you have the following resources and information ready to ensure a smooth setup.
Integrations with Existing Spok Products
If existing Spok products, such as MediCall, Smart Suite, Spok Console, or Spok Messenger, will be integrated with Spok Go, ensure the following requirements are met. These integrations require an on-premises gateway, load balancer, and SSL certificate.
Spok strongly recommends using a DHCP server with the VM server to assign an IP address to each instance of the gateway/virtual machine and to access the internet. If a DHCP server is not available, additional configuration of the on-premises gateway is required to assign the static IP addresses.
Load Balancer
- A load balancer is required to help route traffic to the on-premises gateway. A load balancer, such as HAProxy, can be used. Simple round-robin load balancing between the three virtual machines for the gateway is sufficient.
- Any HTTPS traffic should pass through the load balancer, with the SSL termination occurring in the on-premises gateway. It is not necessary to load the SSL certificate on the load balancer.
- The on-premises gateway's virtual machines must also be added to the load balancer's configuration (sometimes known as a "Resource Pool").
- Verify the FQDN or IP address of the load balancer (ex: loadBalancerVM.HospitalName.com) is added to the customer’s DNS. The FQDN also is needed for creating the SSL certificate as well as integrating Spok Messenger.
- Health checks of the gateway’s virtual machines should be directed to https://<ip address of each vm>/health-check?verbose=false and must target HTTP 1.0 or higher (ex: GET /health-check?verbose=false HTTP/1.0). Valid health checks will return a 200 response with 'HealthCheck: OK' in the body of the response. Be sure to also note that these health checks aren’t checking the overall health of the Gateway but rather the viability of each of the VMs that make up the Gateway.
SSL Certificate
An SSL certificate is needed to enable HTTPS between the on-site systems and the on-premises gateway. A customer-provided signed PKCS12 (PFX) X509 SSL certificate is required, and it should follow the guidelines below.
- A certificate should be generated for the on-premises gateway and the certificate's origin should be traced to a trusted root certificate authority.
- An X.509 *.PFX archive (a container that includes both the certificate and the private key), together with the password with which it was encrypted. The *.PFX archive will be imported onto the on-premises gateway. By using the *.PFX file and the password, the on-premises gateway will have all the necessary public/private components that apply to the certificate.
- A *.PEM public key that can be generated from the *.PFX file. (A *.PEM file is a version of a certificate that is recognized by a Linux operating system, like Ubuntu.) The *.PEM public key needs to be added to the Smart Suite application server to enable WCTP via HTTPS.
- A *.CER certificate that can also be generated from the *.PFX file. (A *.CER is the same as a *.PEM except that Windows recognizes only *.CER files.) The *.CER certificate needs to be added to the Spok Messenger server's trusted store to allow Spok Messenger to use HTTPS to connect with the load balancer.
- Because Spok does not embed a private key in the gateway, this certificate and its private key must be provided by the customer and should be available when the gateway is installed.
- The certificate should use the Fully Qualified Domain Name (FQDN) or IP address of the load balancer.
- The corresponding root and/or public version of the certificate should also be recognized as a trusted certificate in the operating systems of any on-premises systems (including Smart Suite and Spok Messenger) that are communicating with the gateway.
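The following is an added example, not part of Spok's documentation, showing one way to derive the public *.PEM and *.CER files from the *.PFX with OpenSSL and to confirm the certificate names the load balancer. The function names, file names, the PFX_PASS variable and the DER encoding chosen for the *.CER are assumptions; the self-signed certificate is constructed for the demonstration only.

```shell
#!/bin/sh
# Added example: derive the public *.PEM and *.CER files from the gateway's *.PFX.
# Function names, file names and the PFX_PASS variable are hypothetical.

# export_public_certs <pfx> <outbase>: writes <outbase>.pem and <outbase>.cer.
# The PFX password is read from $PFX_PASS so it never appears in the process list.
export_public_certs() {
    pfx=$1; out=$2
    # -nokeys drops the private key; the x509 pass strips the "Bag Attributes" text.
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -clcerts -nokeys 2>/dev/null |
        openssl x509 -outform PEM -out "$out.pem" || return 1
    # Same certificate in DER form for the Windows trusted store (assumed encoding).
    openssl x509 -in "$out.pem" -outform DER -out "$out.cer" || return 1
    # Fail closed if any private key material reached the PEM output.
    if grep -q "PRIVATE KEY" "$out.pem"; then
        rm -f "$out.pem" "$out.cer"; return 2
    fi
}

# cert_names_host <pem> <fqdn>: succeeds only if the certificate is valid for <fqdn>.
cert_names_host() {
    result=$(openssl x509 -in "$1" -noout -checkhost "$2")
    case $result in *"does match certificate"*) return 0 ;; *) return 1 ;; esac
}

# Constructed demonstration input: a throwaway self-signed certificate and PFX.
# A real gateway certificate must chain to a trusted root certificate authority.
work=$(mktemp -d); fqdn=loadBalancerVM.HospitalName.com
PFX_PASS=constructed-demo-only; export PFX_PASS
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$fqdn" \
    -addext "subjectAltName=DNS:$fqdn" \
    -keyout "$work/k.pem" -out "$work/c.pem" 2>/dev/null
openssl pkcs12 -export -inkey "$work/k.pem" -in "$work/c.pem" \
    -out "$work/gateway.pfx" -passout env:PFX_PASS
export_public_certs "$work/gateway.pfx" "$work/gateway" &&
    cert_names_host "$work/gateway.pem" "$fqdn" && echo "certificate names $fqdn"
```

Only the *.pem and *.cer outputs are meant to be copied to Smart Suite and Spok Messenger; the *.PFX and its password stay with the gateway installation.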
MediCall Integration
- Verify MediCall version 11.12 or higher is installed.
Smart Suite Integration
- Verify Smart Suite version 7.1.2 or higher has been installed.
- If you will configure single sign-on, do the following:
  - Ensure each user has an email with the correct domain (name@besthospital.org). If the domain is incorrect, the user will not be able to sign in using single sign-on.
  - Ensure the display order for emails is set within Smart Center. Only the first email will be synchronized with Spok Go during the integration.
Spok Console Integration
- Verify Spok Console version 7.11 or higher is installed.
Spok Messenger Integration
Nurse Call
Ensure you have the names/locations used for the units, rooms, and beds for the nurse call system. The names/locations within Spok Go must match these names for the alerts to be sent to the correct person.
Escrow Key
All communication in Spok Go is securely transmitted. If you need to access the messages for any legal or administrative purposes, a key is needed. (You cannot decrypt or access any messages prior to setting up the key.) Create and provide Spok with your public 4096-bit RSA key. The key has two sides: one is public and the other is private.
The private key must be stored securely at your site, preferably offline.
A key can be created using OpenSSL or any other key generation utility. To create a key, follow the example below using OpenSSL.
- Open a command line.
- To generate the private key, run the following command (replace "acme" with a filename of your choice). This creates the private key "acme.key". Keep this key safe.
    openssl genpkey -algorithm RSA -out acme.key -pkeyopt rsa_keygen_bits:4096
- To generate the public key, run the following command.
    openssl rsa -in acme.key -outform PEM -pubout -out acmepublic.pem
- Review the key and ensure it starts with "-----BEGIN PUBLIC KEY-----". If it begins with "-----BEGIN PRIVATE KEY-----", it is the private key and it should not be sent to Spok.
- Send the public key to Spok.
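The review step above can be scripted so that a private key is never sent by mistake. This is an added example, not part of Spok's documentation; the function name check_escrow_pubkey and its return codes are hypothetical, and the keys are generated in a scratch directory with the two commands from the procedure.

```shell
#!/bin/sh
# Added example: pre-send check for the escrow public key.
# File names follow the "acme" example; the function name is hypothetical.

# Returns 0 only if $1 is a PEM public key holding a 4096-bit RSA key.
# Return codes: 2 = private key material, 3 = not an RSA public key, 4 = wrong size.
check_escrow_pubkey() {
    f=$1
    # The first line must be the public-key header, never a private-key header.
    case $(head -n 1 "$f") in
        "-----BEGIN PUBLIC KEY-----") ;;
        *"PRIVATE KEY-----") echo "REFUSE: $f is a private key" >&2; return 2 ;;
        *) echo "REFUSE: $f is not a PEM public key" >&2; return 3 ;;
    esac
    # A private-key block must not appear anywhere later in the file either.
    if grep -q "PRIVATE KEY-----" "$f"; then
        echo "REFUSE: $f also contains a private key" >&2; return 2
    fi
    # Parse the key; "openssl rsa -pubin" rejects anything that is not RSA.
    text=$(openssl rsa -pubin -in "$f" -noout -text 2>/dev/null) || {
        echo "REFUSE: $f is not a readable RSA public key" >&2; return 3; }
    case $text in
        *"Public-Key: (4096 bit)"*) return 0 ;;
        *) echo "REFUSE: $f is not a 4096-bit key" >&2; return 4 ;;
    esac
}

# Constructed demonstration keys, created with the two commands from the procedure.
work=$(mktemp -d)
openssl genpkey -algorithm RSA -out "$work/acme.key" \
    -pkeyopt rsa_keygen_bits:4096 2>/dev/null
openssl rsa -in "$work/acme.key" -outform PEM -pubout \
    -out "$work/acmepublic.pem" 2>/dev/null
check_escrow_pubkey "$work/acmepublic.pem" && echo "OK to send: acmepublic.pem"
check_escrow_pubkey "$work/acme.key" || echo "acme.key stays on site"
```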
Single Sign-On and User Accounts
- Create a non-user service email account (for example, serviceaccount@besthospital.org) and provide this to Spok. This account is needed to allow a customer administrator to sign in and configure single sign-on. It can also be used as a general service account that is not tied to the single sign-on system.
- Identify any non-SSO accounts that may need to be created in Spok Go. These may be outside contractors or people with emails that do not match the domain of the SAML system.
Spok Go
Ensure your site has the supported operating systems, browsers, and devices. For more information, see Supported Operating Systems, Browsers, and Mobile Devices.
Spok Go Mobile Messaging - iOS
- Ensure mobile users have the supported version of the iOS operating system.
- Ensure mobile users download Spok Go to their mobile devices.
- Ensure notifications are configured.
Spok Go Mobile Messaging - Android
- Ensure mobile users have the supported version of the Android operating system.
- Ensure mobile users download Spok Go from Google Play to their mobile devices.
- Ensure notifications are configured.