Enable SSL HTTPS for the Keycloak Server - dcm4che/dcm4chee-arc-light GitHub Wiki

Secure Archive UI and RESTful Services using Keycloak first.

Allow validation for any host name

This use case applies for validation of any host trying to connect to secured version of dcm4chee archive over https.

Following configuration is required in $WILDFLY_HOME/standalone/configuration/dcm4chee-arc.xml

  1. In server-identities of security-realm : ApplicationRealm

    Change

     <ssl>
        <keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="password" alias="server" key-password="password" generate-self-signed-certificate-host="localhost"/>
     </ssl>
    

    To

     <ssl>
        <keystore path="keystores/key.p12" relative-to="jboss.server.config.dir" keystore-password="secret" alias="dcm4chee-arc" key-password="secret"/>
     </ssl>
    
  2. In keycloak-server subsystem

    Add

     <spi name="truststore">
             <provider name="file" enabled="true">
                     <properties>
                             <property name="file" value="${jboss.server.config.dir}/keystores/key.p12"/>
                             <property name="password" value="secret"/>
                             <property name="hostname-verification-policy" value="ANY"/>
                             <property name="disabled" value="false"/>
                     </properties>
             </provider>
     </spi>
    
  3. In keycloak subsystem, in secure-deployment of dcm4chee-arc-ui resource add the following :

     <truststore>${jboss.server.config.dir}/keystores/key.p12</truststore>
     <truststore-password>secret</truststore-password>
     <allow-any-hostname>true</allow-any-hostname>
    

Restart wildfly and https://localhost:8443/dcm4chee-arc/ui should now redirect to login page.

Note : One may get message saying Your connection is not private. Go to Advanced and then Proceed to localhost(unsafe)

Allow validation for specific host name

This use case applies for validation of a specific host trying to connect to secured version of dcm4chee archive over https.

  1. Generate one's own self signed certificate and keystore as shown below :

    Generate keystore

       keytool -genkeypair -keyalg RSA -keystore mykey.p12
    

    Once the above command is typed, it will prompt for details to be entered by user as shown below :

      Enter keystore password: <secret>
      Re-enter new password: <secret>
      What is your first and last name?
        [Unknown]: <localhost>
      What is the name of your organizational unit?
        [Unknown]: <localhost>
      What is the name of your organization?
        [Unknown]:  <localhost>
      What is the name of your City or Locality?
        [Unknown]:  Vienna
      What is the name of your State or Province?
        [Unknown]:  Vienna
      What is the two-letter country code for this unit?
        [Unknown]:  AT
      Is CN=localhost, OU=localhost, O=localhost, L=Vienna, ST=Vienna, C=AT correct?
        [no]:  yes
    
      Enter key password for <mykey>
              (RETURN if same as keystore password):
    

    The password entered above will be needed in LDAP configuration mentioned below. Note that the hostname or ip address of the host trying to connect to secured version of archive should be present in the CN (common name) of the certificate. Here I have used localhost

    Generate certificate from keystore

         keytool -export -storepass secret -file mykey.cer -keystore mykey.p12
    

    Place this newly created mykey.p12 and mykey.cer files in jboss location $WILDFLY_HOME/standalone/configuration/keystores

  2. LDAP Configuration : On dcm4chee-arc device level change the values of following attributes :

         dcmKeystoreURL : ${jboss.server.config.url}/keystores/mykey.p12
         dcmKeystorePin : secret (Note : password that was used while generating the keystore)
         userCertificate;binary : <Load the certificate mykey.cer>
    
  3. Following configuration is required in $WILDFLY_HOME/standalone/configuration/dcm4chee-arc.xml

    a. In server-identities of security-realm : ApplicationRealm

    Change

        <ssl>
           <keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="password" alias="server" key-password="password" generate-self-signed-certificate-host="localhost"/>
        </ssl>
    

    To

        <ssl>
           <keystore path="keystores/mykey.p12" relative-to="jboss.server.config.dir" keystore-password="secret" alias="mykey" key-password="secret"/>
        </ssl>
    

    b. In keycloak-server subsystem

    Add

     <spi name="truststore">
             <provider name="file" enabled="true">
                     <properties>
                             <property name="file" value="${jboss.server.config.dir}/keystores/mykey.p12"/>
                             <property name="password" value="secret"/>
                             <property name="hostname-verification-policy" value="WILDCARD"/>
                             <property name="disabled" value="false"/>
                     </properties>
             </provider>
     </spi>
    

    c. In keycloak subsystem, in secure-deployment of dcm4chee-arc-ui resource add the following :

     <truststore>${jboss.server.config.dir}/keystores/mykey.p12</truststore>
     <truststore-password>secret</truststore-password>
    

Restart wildfly and https://localhost:8443/dcm4chee-arc/ui should now redirect to login page.

Note : One may get message saying Your connection is not private. Go to Advanced and then Proceed to localhost(unsafe)

⚠️ **GitHub.com Fallback** ⚠️