Secured Archive Non TLS - dcm4che/dcm4chee-arc-light GitHub Wiki

This is available only from archive version 5.13.1 onwards.

Refer Forwarding for unsecured archive non TLS for doing the basic configuration. Ensure Secured Archive configurations are done for both archives. The following configuration are explained with the assumption that two archives are connected to two different Keycloaks.

A Keycloak Client child object shall be configured on Archive 2. This shall be referenced in the Web Application configured on Archive 2. The Keycloak Client ID that is used shall correspond to the client configured/created in dcm4che realm of Keycloak 2.

Configuration

Keycloak Configuration : Keycloak 2 (used for authentication of Archive 2)

  • Create a new Client test in dcm4che realm. This configuration is used only for the sake of accessing the token.

            Client Id : test  (This will be required for dcmKeycloakClientID in LDAP Configuration)
        Access Type : Confidential
        Service Accounts Enabled : ON
        Standard Flow Enabled : OFF
        Note down its Secret-Key under the Credentials tab (This will be required for dcmKeycloakClientSecret in LDAP Configuration)

  • Once the client is created, go to the Service Account Roles tab and assign the role user.

Wildfly Configuration

  • Install keycloak-admin-client library as JBoss modules. Replace 5.x.x with correct version number.

      > cd  $WILDFLY_HOME
  > unzip $DCM4CHEE_ARC/jboss-modules/dcm4che-jboss-modules-5.x.x.zip

The keycloak-admin-client is part of the dcm4che-jboss-modules-5.x.x.zip. Ensure you have keycloak-admin-client folder within $DCM4CHEE_ARC/modules/org location.

LDAP Configuration

One may either

  • create a LDIF file (e.g.):

      version: 1
  dn: cn=RS Forward,dicomDeviceName=dcm4chee-arc,cn=Devices,cn=DICOM Configuration,dc=dcm4che,dc=org
  objectClass: dcmRSForwardRule
  cn: RS Forward
  dcmWebAppName: archive2WebApp
  dcmRSOperation: CreatePatient
  dcmRSOperation: UpdatePatient
  dcmRSOperation: DeletePatient
  -
  
  dn: dcmKeycloakClientID=test,dicomDeviceName=dcm4chee-arc2,cn=Devices,cn=DICOM Configuration,dc=dcm4che,dc=org
  objectClass: dcmKeycloakClient
  dcmKeycloakClientID: test
  dcmKeycloakRealm: dcm4che
  dcmURI: http://localhost:8680/auth
  dcmKeycloakClientSecret: ee379e31-dd0f-4dd2-8c81-81fbfa84d5b5
  dcmTLSAllowAnyHostname: TRUE
  -
  
  dn: dcmWebAppName=archive2WebApp,dicomDeviceName=dcm4chee-arc2,cn=Devices,cn=DICOM Configuration,dc=dcm4che,dc=org
  objectClass: dcmWebApp
  dcmWebAppName: archive2WebApp
  dcmWebServiceClass: DCM4CHEE_ARC_AET
  dcmWebServicePath: /dcm4chee-arc/aets/DCM4CHEE/rs
  dicomNetworkConnectionReference: cn=http,dicomDeviceName=dcm4chee-arc2,cn=Devices,cn=DICOM Configuration,dc=dcm4che,dc=org
  dcmKeycloakClientID: test
  -

    and import it to the LDAP Server by using the ldapmodify command line utility.

One may refer to RESTful Forward Rule, Web Application and Keycloak Client to understand the description of attributes and also has the complete list of supported RESTful operations supported by this feature in archive.

Note :

  • The dcmURI, dcmKeycloakClientID and dcmKeycloakClientSecret values shall be adapted to the values used in your Keycloak 2 configuration.

Go to the Control tab on Configuration page in archive UI and reload the configuration.

Add a custom footer
⚠️ **GitHub.com Fallback** ⚠️