-
Notifications
You must be signed in to change notification settings - Fork 230
Run secured archive services on a single host
Secured Archive services using Keycloak as Authentication Server.
(Optional) Create system groups and users with particular group and user IDs used by the archive services on the host
$ sudo -i
# groupadd -r slapd-dcm4chee --gid=1021 && useradd -r -g slapd-dcm4chee --uid=1021 slapd-dcm4chee
# groupadd -r postgres-dcm4chee --gid=999 && useradd -r -g postgres-dcm4chee --uid=999 postgres-dcm4chee
# groupadd -r dcm4chee-arc --gid=1023 && useradd -r -g dcm4chee-arc --uid=1023 dcm4chee-arc
# groupadd -r keycloak-dcm4chee --gid=1029 && useradd -r -g keycloak-dcm4chee --uid=1029 keycloak-dcm4chee
# exit
Continue using Docker Command Line or Docker Compose alternatively:
-
$ docker network create dcm4chee_network
-
Start OpenLDAP Server as described in Run minimum set of archive services on a single host.
-
Launch a container providing preconfigured Keycloak Authentication Server into the created network, e.g:
$ docker run --network=dcm4chee_network --name keycloak \ -p 8843:8843 \ -e KC_HTTPS_PORT=8843 \ -e KC_HOSTNAME=<docker-host> \ -e KEYCLOAK_ADMIN=admin \ -e KEYCLOAK_ADMIN_PASSWORD=changeit \ -e KC_LOG=file \ -e KC_SPI_LOGIN_PROTOCOL_OPENID_CONNECT_SUPPRESS_LOGOUT_CONFIRMATION_SCREEN=true \ -e ARCHIVE_HOST=<docker-host> \ -e KEYCLOAK_WAIT_FOR=ldap:389 \ -v /etc/localtime:/etc/localtime:ro \ -v /etc/timezone:/etc/timezone:ro \ -v /var/local/dcm4chee-arc/keycloak:/opt/keycloak/data \ -d dcm4che/keycloak:21.0.0
-p 8843:8843 \
publishes the https (
8843
) port of Keycloak from the container to the host to enable connections from external https clients to Keycloak.The port number is set by:
-e KC_HTTPS_PORT=8843 \
to avoid collisions with the https port used by Wildfly with the deployed dcm4che Archive 5 application by default.
-e KC_HOSTNAME=<docker-host> \
specifies the public host name of the Keycloak server.
-e KC_HTTP_RELATIVE_PATH=/auth \
specifies the path to '/auth' for serving resources, matching the context path of previous Wildfly based Keycloak Server.
-e KEYCLOAK_ADMIN=admin \ -e KEYCLOAK_ADMIN_PASSWORD=changeit \
is required to create an admin account to be able to login to the admin console of the Keycloak master realm at
https://${KC_HOSTNAME}:${KC_HTTPS_PORT}[/${KC_HTTP_RELATIVE_PATH}]
. Once the first user with administrative rights exists, you may use the UI to change the password or create additional admin users and/or delete that initial admin user.KC_LOG=file
enables logging to file
/opt/keycloak/data/keycloak.log
, instead of logging to the standard output.KC_SPI_LOGIN_PROTOCOL_OPENID_CONNECT_SUPPRESS_LOGOUT_CONFIRMATION_SCREEN=true
enables legacy
redirect_uri
query parameter for logout - required for logout by UI of current archive version (5.29.2).If you set the environment variables
LDAP_BASE_DN
,LDAP_ROOTPASS
for the LDAP server container, you have to set that environment variables also for the Keycloak container. Otherwise Keycloak will fail to connect to the LDAP Server.-e ARCHIVE_HOST=<docker-host> \
specify the public hostname of the archive device referred by OIDC Keycloak clients for securing the UI and the Wildfly Administration Console of the archive initialized on first startup. You have to replace <docker-host> by the hostname of the docker host, which must be resolvable by your DNS server.
-e KEYCLOAK_WAIT_FOR=ldap:389
delays the start of Keycloak until OpenLDAP is listening on the specified port, which prevents error on restart of all containers caused by failures to connect LDAP by Keycloak, before OpenLDAP slapd is ready to accept connections.For further available environment variables of the Keycloak container see https://github.com/dcm4che-dockerfiles/keycloak-quarkus#environment-variables.
Bind mount
-v /etc/localtime:/etc/localtime:ro
and-v /etc/timezone:/etc/timezone:ro
duplicates your host timezone inside the container. Otherwise the container timezone is UTC. Attention: If there is no/etc/timezone
on your host, you have to create one (e.g.:$ echo "Europe/Vienna" > /etc/timezone
) before launching the container, otherwise the container will not start.Bind mount
-v /var/local/dcm4chee-arc/keycloak:/opt/keycloak/data
takes care to store the Keycloak server configuration in the specified host directory. It is initialized on first container start-up if it is not already present in the specified host directory. That ensures that the data does not get lost on deletion and re-creation of the Keycloak Server container.By default the https service will use the certificate for handling TLS connections. To avoid the security warning of Web Browsers accessing the Keycloak UI or the WildFly Administration Console, you have to provide a certificate which Common Name and/or Subject Alt Name matches the host name and which is signed by a trusted issuer in a keystore file in PKCS #12 or Java KeyStore (JKS) format, bind mount the file or its containing directory into the container, and refer it by environment variable KC_HTTPS_KEY_STORE_FILE.
Check the Keycloak server log if Keycloak started successfully:
$ tail -f /var/local/dcm4chee-arc/keycloak/log/keycloak.log 2022-06-09 16:06:19,360 INFO [org.jgroups.protocols.pbcast.GMS] (keycloak-cache-init) 875d7be6d885-1337: no members discovered after 2002 ms: creating cluster as coordinator 2022-06-09 16:06:19,369 INFO [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000094: Received new cluster view for channel ISPN: [875d7be6d885-1337|0] (1) [875d7be6d885-1337] 2022-06-09 16:06:19,373 INFO [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000079: Channel `ISPN` local address is `875d7be6d885-1337`, physical addresses are `[172.21.0.3:44392]` 2022-06-09 16:06:19,873 INFO [org.keycloak.connections.infinispan.DefaultInfinispanConnectionProviderFactory] (main) Node name: 875d7be6d885-1337, Site name: null 2022-06-09 16:06:19,935 INFO [org.keycloak.services] (main) KC-SERVICES0050: Initializing master realm 2022-06-09 16:06:22,169 INFO [org.keycloak.services] (main) KC-SERVICES0004: Imported realm dcm4che from file /opt/keycloak/bin/../data/import/dcm4che-realm.json. 2022-06-09 16:06:22,405 INFO [org.keycloak.services] (main) KC-SERVICES0009: Added user 'admin' to realm 'master' 2022-06-09 16:06:22,719 INFO [io.quarkus] (main) Keycloak 19.0.1 on JVM (powered by Quarkus 2.7.5.Final) started in 8.238s. Listening on: https://0.0.0.0:8843 2022-06-09 16:06:22,719 INFO [io.quarkus] (main) Profile prod activated. 2022-06-09 16:06:22,719 INFO [io.quarkus] (main) Installed features: [agroal, cdi, hibernate-orm, jdbc-h2, jdbc-mariadb, jdbc-mssql, jdbc-mysql, jdbc-oracle, jdbc-postgresql, keycloak, logging-gelf, narayana-jta, reactive-routes, resteasy, resteasy-jackson, smallrye-context-propagation, smallrye-health, smallrye-metrics, vault, vertx]
See further environment variables of Keycloak
-
Start PostgreSQL Server as described in Run minimum set of archive services on a single host.
-
Launch a container providing Wildfly with deployed dcm4che Archive 5 application into the created network, e.g:
$ docker run --network=dcm4chee_network --name arc \ -p 8080:8080 \ -p 8443:8443 \ -p 9990:9990 \ -p 9993:9993 \ -p 11112:11112 \ -p 2762:2762 \ -p 2575:2575 \ -p 12575:12575 \ -e POSTGRES_DB=pacsdb \ -e POSTGRES_USER=pacs \ -e POSTGRES_PASSWORD=pacs \ -e AUTH_SERVER_URL=https://<docker-host>:8843 \ -e WILDFLY_WAIT_FOR="ldap:389 db:5432" \ -v /etc/localtime:/etc/localtime:ro \ -v /etc/timezone:/etc/timezone:ro \ -v /var/local/dcm4chee-arc/wildfly:/opt/wildfly/standalone \ -d dcm4che/dcm4chee-arc-psql:5.29.2-secure
which differs from Run minimum set of archive services on a single host only by
-
-e AUTH_SERVER_URL=https://<docker-host>:8843
- you have to replace <docker-host> by the hostname of the docker host, which must be resolvable by your DNS server - and -
-d dcm4che/dcm4chee-arc-psql:5.29.2-secure
- to select the Docker image for the Archive with secured UI and secured RESTful services. If you want to secure the Archive UI without securing the RESTful services use-d dcm4che/dcm4chee-arc-psql:5.29.2-secure-ui
instead.
If you set the environment variables
REALM_NAME
orSSL_REQUIRED
for the Keycloak server container, you have to set that environment variables also for the Archive container. Otherwise the background out of band REST invocation to Keycloak for user authorization will fail.If you want to run more than one Archive container, you have to specify different values for environment variable
UI_CLIENT_ID
(default:dcm4chee-arc-ui
), and register each of the Archive UIs in Keycloak.See further environment variables of Archive
-
-
Sign in with User/Password
root
/changeit
at the Realm Admin Console of Keycloak athttps://<docker-host>:8843/admin/dcm4che/console
- you have to replace <docker-host> by the hostname of the docker host. If you changed the default realm name:dcm4che
by environment variableREALM_NAME
for the Keycloak and the Archive Container, you also have to replacedcm4che
by the that value in the URL.Keycloak docker image
dcm4che/keycloak:21.0.0
and newer creates an OIDC client for the Archive UI on first startup, customizable by environment variablesUI_CLIENT_ID
,ARCHIVE_HOST
,ARCHIVE_HTTP_PORT
andARCHIVE_HTTPS_PORT
:Only users with role
user
are permitted to access the Archive UI and RESTful services. Depending on the UI Permission Configuration particular UI features are restricted to additional user roles. Users with roleroot
- or the value specified by environment variable SUPER_USER_ROLE for the Archive container - have access to all UI features, independent of their other roles and configured UI Permissions.Sign out, before verifying that accessing the Archive UI at
http://<docker-host>:8080/dcm4chee-arc/ui2
orhttps://<docker-host>:8443/dcm4chee-arc/ui2
will redirect you to the Login page of Keycloak. You may sign in with User/Passwordroot
/changeit
,admin
/changeit
oruser
/changeit
.Every user can change her password and other account settings via
Edit Account
in theSign-in Tools
in the upper right corner of the Archive UI. Users withrealm-management -> view-realm
role mapped to them, also have a linkAdmin Realm
to view the Keycloak Realm Admin Console.Only users with all roles specified by client
realm-management
are permitted to access the Keycloak Administration Console and perform administration changes. -
Access to the Wildfly Administration Console is also protected with Keycloak.
Keycloak docker image
dcm4che/keycloak:21.0.0
and newer creates also another OIDC client for the Wildfly Administration Console on first startup, customizable by environment variablesWILDFLY_CONSOLE
,ARCHIVE_HOST
andARCHIVE_MANAGEMENT_HTTPS_PORT
:Only users with role
ADMINISTRATOR
are permitted to access the WildFly Administration Console.Sign out, before verifying that accessing the WildFly Administration Console at
http://<docker-host>:9990
orhttps://<docker-host>:9993
will redirect you to the Login page of Keycloak. You may sign in with User/Passwordroot
/changeit
. -
There are 3 users configured by default:
Name Password Role(s) root
changeit
user
root
auditlog
ADMINISTRATOR
all roles specified by clientrealm-management
admin
changeit
user
admin
user
changeit
user
Optionally, add separate users for Keycloak / Wildfly administration to decouple roles / responsibilities of archive
root
user :Name Password Role(s) wildfly-admin
changeit
user
ADMINISTRATOR
keycloak-admin
changeit
user
all roles specified by clientrealm-management
using scripts :
-
add-keycloak-admin
$ docker exec ldap add-keycloak-admin keycloak-admin secret adding new entry "uid=keycloak-admin,ou=users,dc=dcm4che,dc=org" modifying entry "cn=user,ou=users,dc=dcm4che,dc=org" modifying entry "cn=create-client,ou=realm-management,dc=dcm4che,dc=org" modifying entry "cn=impersonation,ou=realm-management,dc=dcm4che,dc=org" modifying entry "cn=manage-authorization,ou=realm-management,dc=dcm4che,dc=org" modifying entry "cn=manage-clients,ou=realm-management,dc=dcm4che,dc=org" modifying entry "cn=manage-events,ou=realm-management,dc=dcm4che,dc=org" modifying entry "cn=manage-identity-providers,ou=realm-management,dc=dcm4che,dc=org" modifying entry "cn=manage-realm,ou=realm-management,dc=dcm4che,dc=org" modifying entry "cn=manage-users,ou=realm-management,dc=dcm4che,dc=org" modifying entry "cn=realm-admin,ou=realm-management,dc=dcm4che,dc=org" modifying entry "cn=view-authorization,ou=realm-management,dc=dcm4che,dc=org" modifying entry "cn=view-clients,ou=realm-management,dc=dcm4che,dc=org" modifying entry "cn=view-events,ou=realm-management,dc=dcm4che,dc=org" modifying entry "cn=view-identity-providers,ou=realm-management,dc=dcm4che,dc=org" modifying entry "cn=view-realm,ou=realm-management,dc=dcm4che,dc=org" modifying entry "cn=view-users,ou=realm-management,dc=dcm4che,dc=org" modifying entry "cn=query-users,ou=realm-management,dc=dcm4che,dc=org" modifying entry "cn=query-groups,ou=realm-management,dc=dcm4che,dc=org" modifying entry "cn=query-realms,ou=realm-management,dc=dcm4che,dc=org" modifying entry "cn=query-clients,ou=realm-management,dc=dcm4che,dc=org"
-
add-wildfly-admin
$ docker exec ldap add-wildfly-admin wildfly-admin secret adding new entry "uid=wildfly-admin,ou=users,dc=dcm4che,dc=org" modifying entry "cn=user,ou=users,dc=dcm4che,dc=org" modifying entry "cn=ADMINISTRATOR,ou=users,dc=dcm4che,dc=org"
By default,
root
user hasADMINISTRATOR
as well as all roles specified by clientrealm-management
:to allow full access to the Realm Admin Console of Keycloak and Wildfly Administration Console. If decoupling of management functions is required by your application, log in to Keycloak Admin Console at
https://<docker-host>:8843/admin/dcm4che/console
withkeycloak-admin
user and unassignADMINISTRATOR
andrealm-management
client role mappings fromroot
user.Synchronize users from LDAP by navigating to
User Federation >> Ldap
and clicking theSynchronize all users
button in the LdapSettings
tab:and edit, delete or add new users by navigating to
Users
:You may add additional Realm Roles associated with particular UI Permission Configuration and assign them to users to grant them the associated UI Permissions. (Users with role
root
- or the value specified by environment variable SUPER_USER_ROLE for the Archive container - have access to all UI features, independent of their other roles and configured UI Permissions.) -
add-keycloak-admin
-
(Optional) Send CT images to the Archive using dcm4che/dcm4che-tools as described in Run minimum set of archive services on a single host.
-
$ docker stop ldap keycloak db arc
and start all 3 containers again by:
$ docker start ldap keycloak db arc
-
$ docker rm -v ldap keycloak db arc
You may delete the created bridge network by
$ docker network rm dcm4chee_network
Use Docker Compose
Alternatively to Docker Command Line one may use Docker Compose to take care for starting all 4 containers:
-
version: "3" services: ldap: image: dcm4che/slapd-dcm4chee:2.6.3-29.2 logging: driver: json-file options: max-size: "10m" ports: - "389:389" - "636:636" env_file: docker-compose.env volumes: - /var/local/dcm4chee-arc/ldap:/var/lib/openldap/openldap-data - /var/local/dcm4chee-arc/slapd.d:/etc/openldap/slapd.d keycloak: image: dcm4che/keycloak:21.0.0 logging: driver: json-file options: max-size: "10m" ports: - "8843:8843" env_file: docker-compose.env environment: KC_HTTPS_PORT: 8843 KC_HOSTNAME: <docker-host> KEYCLOAK_ADMIN: admin KEYCLOAK_ADMIN_PASSWORD: changeit KC_LOG: file KC_SPI_LOGIN_PROTOCOL_OPENID_CONNECT_SUPPRESS_LOGOUT_CONFIRMATION_SCREEN: "true" KEYCLOAK_WAIT_FOR: ldap:389 depends_on: - ldap volumes: - /etc/localtime:/etc/localtime:ro - /etc/timezone:/etc/timezone:ro - /var/local/dcm4chee-arc/keycloak:/opt/keycloak/data db: image: dcm4che/postgres-dcm4chee:14.5-29 logging: driver: json-file options: max-size: "10m" ports: - "5432:5432" env_file: docker-compose.env volumes: - /etc/localtime:/etc/localtime:ro - /etc/timezone:/etc/timezone:ro - /var/local/dcm4chee-arc/db:/var/lib/postgresql/data arc: image: dcm4che/dcm4chee-arc-psql:5.29.2-secure ports: - "8080:8080" - "8443:8443" - "9990:9990" - "9993:9993" - "11112:11112" - "2762:2762" - "2575:2575" - "12575:12575" env_file: docker-compose.env environment: WILDFLY_CHOWN: /opt/wildfly/standalone /storage WILDFLY_WAIT_FOR: ldap:389 db:5432 depends_on: - ldap - keycloak - db volumes: - /etc/localtime:/etc/localtime:ro - /etc/timezone:/etc/timezone:ro - /var/local/dcm4chee-arc/wildfly:/opt/wildfly/standalone - /var/local/dcm4chee-arc/storage:/storage
you have to replace <docker-host> by the hostname of the docker host, which must be resolvable by your DNS server.
Note : If there are difficulties starting the archive service due to
There is insufficient memory for the Java Runtime Environment to continue. Cannot create GC thread. Out of system resources.
adding the following option to the
arc
servicesecurity_opt: - seccomp:unconfined
-
ARCHIVE_HOST=<docker-host> STORAGE_DIR=/storage/fs1 POSTGRES_DB=pacsdb POSTGRES_USER=pacs POSTGRES_PASSWORD=pacs AUTH_SERVER_URL=https://<docker-host>:8843
you have to replace <docker-host> by the hostname of the docker host, which must be resolvable by your DNS server.
See available environment variables for containers :
-
$ docker-compose -p dcm4chee up -d Creating network "dcm4chee_network" with the default driver Creating dcm4chee_db_1 ... Creating dcm4chee_ldap_1 ... Creating dcm4chee_db_1 Creating dcm4chee_ldap_1 ... done Creating dcm4chee_keycloak_1 ... Creating dcm4chee_keycloak_1 ... done Creating dcm4chee_arc_1 ... Creating dcm4chee_arc_1 ... done
in the directory containing
docker-compose.yml
anddocker-compose.env
. -
Register the Archive UI as OIDC client in Keycloak as described above.
-
Register the WildFly Administration Console as OIDC client in Keycloak as described above.
-
$ docker-compose -p dcm4chee stop Stopping dcm4chee_arc_1 ... done Stopping dcm4chee_keycloak_1 ... done Stopping dcm4chee_ldap_1 ... done Stopping dcm4chee_db_1 ... done
and start all 4 containers again by:
$ docker-compose -p dcm4chee start Starting db ... done Starting ldap ... done Starting keycloak ... done Starting arc ... done
-
$ docker-compose -p dcm4chee down Stopping dcm4chee_arc_1 ... done Stopping dcm4chee_keycloak_1 ... done Stopping dcm4chee_ldap_1 ... done Stopping dcm4chee_db_1 ... done Removing dcm4chee_arc_1 ... done Removing dcm4chee_keycloak_1 ... done Removing dcm4chee_ldap_1 ... done Removing dcm4chee_db_1 ... done Removing network dcm4chee_network
DCM4CHEE 5 Documentation