
Use Custom Keystore with Archive

Vrinda edited this page Mar 27, 2023 · 1 revision

Overview

This page briefly describes how to use your own key and certificate with the dockerized archive (run via docker-compose) instead of the default keystore the archive ships with.

Configuration

  • Configure the archive as specified in Running on Docker.
  • Before you start the containers:
    • Create a custom directory under /var/local/dcm4chee-arc/, e.g. /var/local/dcm4chee-arc/custom-dir.
    • Place your keystore (JKS or PKCS12 format) in this directory.
    • In your docker-compose.yml, map this directory to a path inside the archive container:
      - /var/local/dcm4chee-arc/custom-dir:/opt/wildfly/custom-dir
      
    • If you are using the secured version of the archive, add the same volume mapping to the keycloak container in the same docker-compose.yml:
      - /var/local/dcm4chee-arc/custom-dir:/opt/wildfly/custom-dir
      
    • In the docker-compose.env file, point the archive at your keystore (replace custom-keystore and custom-keystore-password with your own values):
      KEYSTORE=/opt/wildfly/custom-dir/custom-keystore.p12
      KEYSTORE_PASSWORD=custom-keystore-password
      
    • In the same docker-compose.env file, if the private key inside the keystore is protected by its own password, also specify it (replace custom-keystore-private-key-password with the actual value):
      KEY_PASSWORD=custom-keystore-private-key-password
      
    • KEYSTORE_TYPE defaults to PKCS12. If your keystore is in JKS format, set this variable explicitly:
      KEYSTORE_TYPE=JKS
      
    • Give all users read permission on the files in this folder:
      sudo chmod a+r /var/local/dcm4chee-arc/custom-dir/*
      
  • Start the containers as specified in Running on Docker.
  • If you are using the secured version of the archive, add the CA certificate to the archive's truststore so that the Keycloak adapter in the archive accepts requests from the Keycloak server:
    cd /var/local/dcm4chee-arc/wildfly/configuration/keystores
    
    keytool -import -alias customCA -file <custom-CA-certificate.pem> -storetype JKS -keystore cacerts.p12
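The steps above depend on three things matching: the keystore's actual format, the KEYSTORE_TYPE value in docker-compose.env, and the read permission on the mounted files. The script below is an added example, not part of this wiki page or of the dcm4chee project; it detects the keystore format from the file's leading bytes, checks the world-read bit that chmod a+r grants, and prints the docker-compose.env lines for the in-container mount path /opt/wildfly/custom-dir used above. The files it creates in the demo are constructed stand-ins that carry only the format signature, not real keystores.

```shell
#!/bin/sh
# Added example, not part of the dcm4chee-arc wiki: sanity-check a custom keystore
# before mounting it, and emit the docker-compose.env lines the steps above ask for.
# Assumption: the in-container mount path /opt/wildfly/custom-dir from the wiki is used.
set -eu

# keystore_type FILE: print JKS, PKCS12 or UNKNOWN based on the file's first bytes.
# JKS files start with the magic number 0xFEEDFEED; a PKCS#12 file is a DER
# SEQUENCE and therefore starts with 0x30. A KEYSTORE_TYPE that does not match
# the file is the usual reason the archive fails to load a custom keystore.
keystore_type() {
  magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
  case "$magic" in
    feedfeed) echo JKS ;;
    30*)      echo PKCS12 ;;
    *)        echo UNKNOWN ;;
  esac
}

# world_readable FILE: succeed if the "other" read bit is set (what chmod a+r grants).
world_readable() {
  [ "$(ls -l "$1" | cut -c8)" = r ]
}

# render_env FILE STOREPASS [KEYPASS]: print the docker-compose.env lines for FILE,
# adding KEYSTORE_TYPE only when it differs from the PKCS12 default.
render_env() {
  store=$1; storepass=$2; keypass=${3:-}
  type=$(keystore_type "$store")
  if [ "$type" = UNKNOWN ]; then
    echo "error: $store is neither a JKS nor a PKCS12 keystore" >&2
    return 1
  fi
  echo "KEYSTORE=/opt/wildfly/custom-dir/$(basename "$store")"
  echo "KEYSTORE_PASSWORD=$storepass"
  [ -z "$keypass" ] || echo "KEY_PASSWORD=$keypass"
  [ "$type" = PKCS12 ] || echo "KEYSTORE_TYPE=$type"
}

# Demo on constructed files: only the leading bytes are written, so these are
# not loadable keystores, just stand-ins with the right format signatures.
demo_dir=$(mktemp -d)
printf '\376\355\376\355' > "$demo_dir/custom-keystore.jks"   # 0xFEEDFEED
printf '\060\202\010\020' > "$demo_dir/custom-keystore.p12"   # 0x30 0x82 ... (DER SEQUENCE)
chmod a+r "$demo_dir"/*
for f in "$demo_dir"/custom-keystore.jks "$demo_dir"/custom-keystore.p12; do
  world_readable "$f" || echo "warning: $f is not world-readable; run chmod a+r" >&2
  echo "# $(basename "$f") detected as $(keystore_type "$f")"
  render_env "$f" custom-keystore-password custom-keystore-private-key-password
  echo
done
rm -rf "$demo_dir"
```

Run it against the real file in /var/local/dcm4chee-arc/custom-dir and paste the printed lines into docker-compose.env; `keytool -list -keystore <file> -storetype <type>` then confirms that the password and the detected type actually open the store. Note that docker-compose.env ends up holding the keystore and key passwords, so the chmod a+r step belongs to the keystore directory only, not to that file.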
    