Enable SSL HTTPS for the Keycloak Server - dcm4che/dcm4chee-arc-light GitHub Wiki
Secure Archive UI and RESTful Services using Keycloak first.
This use case applies for validation of any host trying to connect to secured version of dcm4chee archive over https.
Following configuration is required in $WILDFLY_HOME/standalone/configuration/dcm4chee-arc.xml
-
In
server-identities
of security-realm :ApplicationRealm
Change
<ssl> <keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="password" alias="server" key-password="password" generate-self-signed-certificate-host="localhost"/> </ssl>
To
<ssl> <keystore path="keystores/key.p12" relative-to="jboss.server.config.dir" keystore-password="secret" alias="dcm4chee-arc" key-password="secret"/> </ssl>
-
In
keycloak-server
subsystemAdd
<spi name="truststore"> <provider name="file" enabled="true"> <properties> <property name="file" value="${jboss.server.config.dir}/keystores/key.p12"/> <property name="password" value="secret"/> <property name="hostname-verification-policy" value="ANY"/> <property name="disabled" value="false"/> </properties> </provider> </spi>
-
In
keycloak
subsystem, insecure-deployment
ofdcm4chee-arc-ui
resource add the following :<truststore>${jboss.server.config.dir}/keystores/key.p12</truststore> <truststore-password>secret</truststore-password> <allow-any-hostname>true</allow-any-hostname>
Restart wildfly and https://localhost:8443/dcm4chee-arc/ui
should now redirect to login page.
Note : One may get message saying Your connection is not private. Go to Advanced and then Proceed to localhost(unsafe)
This use case applies for validation of a specific host trying to connect to secured version of dcm4chee archive over https.
-
Generate one's own self signed certificate and keystore as shown below :
Generate keystore
keytool -genkeypair -keyalg RSA -keystore mykey.p12
Once the above command is typed, it will prompt for details to be entered by user as shown below :
Enter keystore password: <secret> Re-enter new password: <secret> What is your first and last name? [Unknown]: <localhost> What is the name of your organizational unit? [Unknown]: <localhost> What is the name of your organization? [Unknown]: <localhost> What is the name of your City or Locality? [Unknown]: Vienna What is the name of your State or Province? [Unknown]: Vienna What is the two-letter country code for this unit? [Unknown]: AT Is CN=localhost, OU=localhost, O=localhost, L=Vienna, ST=Vienna, C=AT correct? [no]: yes Enter key password for <mykey> (RETURN if same as keystore password):
The password entered above will be needed in LDAP configuration mentioned below. Note that the hostname or ip address of the host trying to connect to secured version of archive should be present in the CN (common name) of the certificate. Here I have used
localhost
Generate certificate from keystore
keytool -export -storepass secret -file mykey.cer -keystore mykey.p12
Place this newly created mykey.p12 and mykey.cer files in jboss location $WILDFLY_HOME/standalone/configuration/keystores
-
LDAP Configuration : On dcm4chee-arc device level change the values of following attributes :
dcmKeystoreURL : ${jboss.server.config.url}/keystores/mykey.p12 dcmKeystorePin : secret (Note : password that was used while generating the keystore) userCertificate;binary : <Load the certificate mykey.cer>
-
Following configuration is required in $WILDFLY_HOME/standalone/configuration/dcm4chee-arc.xml
a. In
server-identities
of security-realm :ApplicationRealm
Change
<ssl> <keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="password" alias="server" key-password="password" generate-self-signed-certificate-host="localhost"/> </ssl>
To
<ssl> <keystore path="keystores/mykey.p12" relative-to="jboss.server.config.dir" keystore-password="secret" alias="mykey" key-password="secret"/> </ssl>
b. In
keycloak-server
subsystemAdd
<spi name="truststore"> <provider name="file" enabled="true"> <properties> <property name="file" value="${jboss.server.config.dir}/keystores/mykey.p12"/> <property name="password" value="secret"/> <property name="hostname-verification-policy" value="WILDCARD"/> <property name="disabled" value="false"/> </properties> </provider> </spi>
c. In
keycloak
subsystem, insecure-deployment
ofdcm4chee-arc-ui
resource add the following :<truststore>${jboss.server.config.dir}/keystores/mykey.p12</truststore> <truststore-password>secret</truststore-password>
Restart wildfly and https://localhost:8443/dcm4chee-arc/ui
should now redirect to login page.
Note : One may get message saying Your connection is not private. Go to Advanced and then Proceed to localhost(unsafe)