Authentication and logging HTTP proxy to Kibana - dcm4che/dcm4chee-arc-light GitHub Wiki

Overview

DCM4CHEE archive has a proxy available which can be enabled to proxy requests to Kibana which is being used as an audit record repository. By enabling it, user can restrict the access to Kibana for authenticated users (in case of secured version of archive) and also ensure that requests to Kibana are always over archive as the proxy. An audit log message is recorded for this event as well.

Configuration

Wildfly

In undertow subsystem in the default-server section in wildfly configuration add the following :

  ..........
  ..........
  <subsystem xmlns="urn:jboss:domain:undertow:3.1">
     .........
     .........
     <server name="default-server">
		.........
		.........
          <host name="arr-proxy">
		    <location name="/" handler="welcome-content"/>
		    <filter-ref name="server-header"/>
		    <filter-ref name="x-powered-by-header"/>
          </host>
      </server>
      ........
      ........
  </subsystem>
..........
..........

LDAP

One may either

  • create LDIF file

          version: 1
          dn: dicomDeviceName=dcm4chee-arc,cn=Devices,cn=DICOM Configuration,dc=dcm4che,dc=org
          changetype: modify
          add: dcmAuditRecordRepositoryURL
          dcmAuditRecordRepositoryURL: http://<kibana-host>:<kibana-port>
    

    and import it to the LDAP Server by using the ldapmodify command line utility.

  • or use the Add Attribute... and Add Value... function of Apache Directory Studio to add attributes on Archive Device level (e.g.: dicomDeviceName=dcm4chee-arc) in the Archive Configuration.

One may refer to Archive Device to understand the description of attributes.

Go to the Control tab on Configuration page in archive UI and reload the configuration.

Hosts file

Add the following to hosts file

           127.0.0.1       localhost
           127.0.0.1       arr-proxy

Restart wildfly. http://arr-proxy:8080 should now redirect to Kibana.

Secured Version of this feature

This feature can be secured using Keycloak similar to the secured version of Archive UI and RESTful services. Before doing the below changes for Keycloak, Secure Archive UI and RESTful Services using Keycloak

  1. Login to Keycloak Admin Console and note down the Public-Key of the Dcm4che realm. This is needed in Step 4.

  2. Create a new Client dcm4chee-arr-proxy in Dcm4che realm

         Client Id : dcm4chee-arr-proxy
         Valid Redirect UIs : http://arr-proxy:8080/*
         Admin URL : http://arr-proxy:8080/
         Access Type : Confidential
         Note down its Secret-Key under the Credentials tab (This will be required in Step 4)
    
  3. Create a new role auditlog and assign this role to the admin user from the Role Mappings tab.

  4. Run the below cli scripts to add this configuration to wildfly.

      /subsystem=keycloak/secure-deployment=dcm4chee-arr-proxy-5.x-secure.war/:add(realm=dcm4che,resource=dcm4chee-arr-proxy,realm-public-key=<Public-Key>,auth-server-url=http://localhost:8080/auth)
      /subsystem=keycloak/secure-deployment=dcm4chee-arr-proxy-5.x-secure.war/credential=secret:add(value=<Secret-Key>)
    

    Note that for the value of auth-server-url the ip address or hostname of the machine on which the keycloak is running is needed.

  5. Restart wildfly. http://arr-proxy:8080 should now redirect to login page. Once login is successful user is redirected to Kibana.

⚠️ **GitHub.com Fallback** ⚠️