weasis, dcm4chee-arc-light 5.23.0 and secured restful services


Zaharia Dragos-Cosmin

Jan 26, 2021, 4:48:54 AM
to dcm4che
Hi,
I searched for this subject but I didn't find something coherent yet, so I decided it is worth opening a new discussion.
I am a medical doctor working in a covid hospital in Romania and I want to use dcm4chee as a personal database for my cases for research purposes.
I installed on an Ubuntu 20.04 LTS machine dcm4chee-arc-5.23.0-secure, mysql 8, java 14, slapd, keycloak 10, wildfly 19 and intend to use weasis integration using weasis protocol with direct http headers (no pacs connector).
I tested first with secured ui and unsecured restful services and weasis integration works well in windows and ubuntu.

I couldn't make it work with secured restful services.
In dcm4chee-arc.xml I have:

 <subsystem xmlns="urn:jboss:domain:keycloak:1.1">
            <secure-deployment name="dcm4chee-arc-ui2-5.23.0-secure.war">
                <realm>dcm4che</realm>
                <resource>dcm4chee-arc-ui</resource>
                <public-client>true</public-client>
                <auth-server-url>https://my-domain:8843/auth</auth-server-url>
                <truststore>/usr/lib/jvm/java-14-openjdk-amd64/lib/security/cacerts</truststore>
                <truststore-password>changeit</truststore-password>
                <ssl-required>external</ssl-required>
                <allow-any-hostname>true</allow-any-hostname>
            </secure-deployment>
            <secure-deployment name="dcm4chee-arc-war-5.23.0-secure.war">
                <realm>dcm4che</realm>
                <resource>dcm4chee-arc-rs</resource>
                <bearer-only>true</bearer-only>
                <auth-server-url>https://my-domain:8843/auth</auth-server-url>
                <truststore>/usr/lib/jvm/java-14-openjdk-amd64/lib/security/cacerts</truststore>
                <truststore-password>changeit</truststore-password>
                <ssl-required>external</ssl-required>
                <allow-any-hostname>true</allow-any-hostname>
            </secure-deployment>
        </subsystem>

In keycloak I created an oidc client wado-export type confidential and stored its secret "xxxxxxxx"

In dcm4chee-arc ui I accessed  configuration>>>devices>>>dcm4chee-arc>>>edit extensions>>>child objects>>>keycloak clients and added a new keycloak client called wado-export using 

Keycloak Client ID  wado-export
Keycloak Realm  dcm4che
Keycloak grant type client_credentials
Keycloak Client secret xxxxxxxx (from keycloak interface credentials of client wado-export) 
TLS Allow Any Hostname  True
TLS Disable Trust Manager False 
blank user ID and user password fields

In dcm4chee-arc ui I accessed  configuration>>>devices>>>dcm4chee-arc>>>edit extensions>>>child objects>>>web applications>>>DCM4CHEE and added 3 properties:

IID_STUDY_URL=weasis://$dicom:rs --url "{{qidoBaseURL}}{{qidoBasePath}}" -r "studyUID={{studyUID}}" --query-ext "&includedefaults=false" -H "Authorization: Bearer {{access_token}}"
IID_URL_TARGET=_self
IID_PATIENT_URL=weasis://$dicom:rs --url "{{qidoBaseURL}}{{qidoBasePath}}" -r "patientID={{patientID}}" --query-ext "&includedefaults=false" -H "Authorization: Bearer {{access_token}}"

Here I also selected wado-export as Keycloak client ID.

This configuration does not work. The eye icon appears on the DCM4CHEE web interface, but when I press it, it doesn't even launch the native client installed. I see no error in the logs of wildfly or keycloak.
When I test it with curl, the secret/token system works.

I noticed that <secure-deployment name="dcm4chee-arc-war-5.23.0-secure.war"> <resource>dcm4chee-arc-rs</resource> uses certificate/key and the keycloak client uses credentials client/secret. Maybe it should be the same?

Please advise what I should do. I also found some inconsistencies in the tutorials, but I kind of solved them and I intend to create a full tutorial to help others.

Kind regards,
Dr. Dragos Zaharia
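
A check for the TLS settings in the adapter configuration posted above, as an added example that is not part of the original post or of dcm4chee-arc: `allow-any-hostname` set to `true` makes the Keycloak adapter skip host name verification, so the script flags it together with other settings that weaken the connection to Keycloak. The function names are hypothetical, and `disable-trust-manager` is a Keycloak adapter option that does not appear in the posted XML.

```python
import xml.etree.ElementTree as ET

KC_NS = "urn:jboss:domain:keycloak:1.1"
NS = {"kc": KC_NS}

# The two deployments from the post, shortened to the settings that are checked.
POSTED = """<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
  <secure-deployment name="dcm4chee-arc-ui2-5.23.0-secure.war">
    <resource>dcm4chee-arc-ui</resource>
    <public-client>true</public-client>
    <auth-server-url>https://my-domain:8843/auth</auth-server-url>
    <ssl-required>external</ssl-required>
    <allow-any-hostname>true</allow-any-hostname>
  </secure-deployment>
  <secure-deployment name="dcm4chee-arc-war-5.23.0-secure.war">
    <resource>dcm4chee-arc-rs</resource>
    <bearer-only>true</bearer-only>
    <auth-server-url>https://my-domain:8843/auth</auth-server-url>
    <ssl-required>external</ssl-required>
    <allow-any-hostname>true</allow-any-hostname>
  </secure-deployment>
</subsystem>"""


def _setting(dep, tag):
    """Text of a child element, lower-cased, or '' when the element is absent."""
    return (dep.findtext(f"kc:{tag}", default="", namespaces=NS) or "").strip().lower()


def audit(xml_text):
    """Return (resource, finding) pairs for settings that weaken TLS to Keycloak."""
    findings = []
    for dep in ET.fromstring(xml_text).findall("kc:secure-deployment", NS):
        resource = dep.findtext("kc:resource", default="?", namespaces=NS)
        if _setting(dep, "allow-any-hostname") == "true":
            findings.append((resource, "hostname verification disabled"))
        if _setting(dep, "disable-trust-manager") == "true":
            findings.append((resource, "certificate validation disabled"))
        if _setting(dep, "ssl-required") == "none":
            findings.append((resource, "HTTPS not required"))
        if not _setting(dep, "auth-server-url").startswith("https://"):
            findings.append((resource, "auth-server-url is not HTTPS"))
    return findings


def harden(xml_text):
    """Same subsystem with hostname verification switched back on. This only works
    when the Keycloak certificate names the host used in auth-server-url."""
    ET.register_namespace("", KC_NS)
    root = ET.fromstring(xml_text)
    for node in root.iter(f"{{{KC_NS}}}allow-any-hostname"):
        node.text = "false"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for resource, finding in audit(POSTED):
        print(f"{resource}: {finding}")
    print("after harden():", audit(harden(POSTED)))
```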

vrinda...@j4care.com

Jan 26, 2021, 8:10:23 AM
to dcm4che
Invoking an image display by integrating the archive with Weasis does not require Keycloak Client configuration, since the UI of the archive takes care of passing the token to Weasis, which in turn uses it when invoking WADO requests. Looking at your Keycloak Client configuration above, it seems that maybe you have also configured Pre-fetch of WADO objects, but this feature is different and independent from the former.

Which version of Weasis have you installed?

Zaharia Dragos-Cosmin

Jan 26, 2021, 8:17:47 AM
to dcm...@googlegroups.com
Hi, I have weasis 3.6.2 (last available from the weasis page, sourceforge page and microsoft store). So I don't need to use the prefetch wado and wado-export keycloak client. Then maybe the url is malformed and does not pass the token correctly?


Dr. Dragos-Cosmin Zaharia


vrinda...@j4care.com

Jan 26, 2021, 9:42:19 AM
to dcm4che
The weasis viewer integration was working for me until 3.6.1 version.
After upgrading to 3.6.2, even I'm having problems launching the study / patient in the Weasis application. I did the following:
- Upgraded native Weasis installation from 3.6.1 to 3.6.2
- Upgraded weasis.war to 3.6.2 and weasis-pacs-connector.war to 7.1.2
- Ensured dicom-dcm4chee-arc.properties and weasis-pacs-connector.properties files in my $Wildfly/standalone/configuration are up to date as per https://github.com/nroduit/weasis-pacs-connector/tree/master/src/main/resources
- Imported default-ui-config.ldif in ldap (which has the UI permissions)
- Configured in properties of DCM4CHEE web application IID URLs as per https://nroduit.github.io/en/basics/customize/integration/#dcm4chee-arc-light

In browser console log, I'm getting the following when clicked on eye icon

Zaharia Dragos-Cosmin

Jan 26, 2021, 12:17:24 PM
to dcm...@googlegroups.com
Very interesting. Maybe I should use only the secured ui version and drop the secured restful services. Weasis 3.6.2 works with secured ui only and without weasis pacs connector. I tried also with weasis pacs connector but the xml manifest was empty or could not be accessed. I'll give you more precise details.

Dr. Dragos-Cosmin Zaharia
Senior pulmonologist, Institutul National de Pneumologie "Marius Nasta", Bucharest
University assistant, Universitatea de Medicina si Farmacie "Carol Davila", Bucharest
Doctor of medical sciences
Phone: 0722166541


Zaharia Dragos-Cosmin

Jan 26, 2021, 4:15:49 PM
to dcm4che
OK.
So I think maybe your last post is misleading. As I understood from the docs, there are 2 possibilities to launch weasis, even 3 if we count the old /viewer protocol:
1) using native installed version of weasis
        - no need for weasis-pacs-connector.war
        - no need for weasis.war
        - no need to install java on the client computer
        - only need installed native version of weasis, which is launched from the web with a link of type weasis://$dicom:rs
        - in this case you are supposed to just modify in dcm4chee-arc-ui Configuration > Devices > dcm4chee-arc > Extensions > Edit extension > Child Objects > Web Applications > DCM4CHEE and add 3 properties (the docs mention that there actually are four properties) listed there (again, the webpage with instructions mentions four properties to be added, but only 3 are listed, and they work without secured restful services):
                IID_PATIENT_URL=weasis://$dicom:rs --url "{{qidoBaseURL}}{{qidoBasePath}}" -r "patientID={{patientID}}" --query-ext "&includedefaults=false" -H "Authorization: Bearer {{access_token}}"
                IID_STUDY_URL=weasis://$dicom:rs --url "{{qidoBaseURL}}{{qidoBasePath}}" -r "studyUID={{studyUID}}" --query-ext "&includedefaults=false" -H "Authorization: Bearer {{access_token}}"
                IID_URL_TARGET=_self
        - when you press the eye button, a url starting with weasis:// should launch weasis (which is installed on your PC) from the web context with the given URL, which is supposed to have the access token in the http header
2) using weasis-pacs-connector and weasis.war
        - you need to follow the other detailed instructions from https://nroduit.github.io/en/getting-started/dcm4chee/
        - install weasis-pacs-connector.war, weasis.war, and optional other packages by deploying them with wildfly console
        - configure weasis-pacs-connector.properties and dicom-dcm4chee-arc.properties, files downloaded from the same page with instructions, in the standalone/configuration folder of wildfly
        - here, for version 5.22.0 (I have 5.23), there is mention only of Docker, and it says that the & character must be escaped (e.g. IID_STUDY_URL=../../weasis-pacs-connector/weasis?studyUID={{studyUID}}\&access_token={{access_token}})
        - there is also mention for 5.19.1 and on to edit Configuration > Devices > dcm4chee-arc > Extensions > Edit extension > Child Objects > Web Applications > DCM4CHEE with totally different property formats, like:
                Secured, from 5.22.2
                        IID_PATIENT_URL=../../weasis-pacs-connector/weasis?patientID={{patientID}}&access_token={{access_token}}
                        IID_STUDY_URL=../../weasis-pacs-connector/weasis?studyUID={{studyUID}}&access_token={{access_token}}
                        IID_URL_TARGET=_self
                Secured, from 5.22.2 (running only the local native version of Weasis, when not connected to a remote version - weasis.war - so if you don't want to download weasis.war from the server). In this case I understand &cdb should be added to the url and/or in weasis-pacs-connector.properties we should comment out the line weasis.base.url=${server.base.url}/weasis or set it to null
                        IID_PATIENT_URL=../../weasis-pacs-connector/weasis?patientID={{patientID}}&cdb&access_token={{access_token}}
                        IID_STUDY_URL=../../weasis-pacs-connector/weasis?studyUID={{studyUID}}&cdb&access_token={{access_token}}
                        IID_URL_TARGET=_self
                I don't know if the escaped \& should be used here in ubuntu or only with Docker.
                In the weasis-pacs-connector.properties there is mention that a file weasis.jnlp should be placed in the same folder as this file (I don't have it, but in my old version with archive v5.11 there was none and it works). Using this setup, when you press the eye button weasis pacs connector should download weasis.jnlp, which basically has the java app weasis, and pass to it the url, which is opened with java, which has to be installed on the computer.
3) using weasis as a web applet directly in browser using java webstart with weasis-pacs-connector using /viewer as setting in weasis-pacs-connector.properties.... deprecated as java webstart is blocked in recent browsers.... actually no updated instructions available

So I tested the first 2 setups.
1) The first setup works without secured restful services only with instructions from the webpage.
It does not work with secured restful services enabled. Here I don't understand how the UI knows from where to get the token if it doesn't have a connector defined. The dcm4chee-arc-ui is a public type connector and does not have the role to give tokens. It seems to be only for the interface auth. In the restful services activation tutorial a dcm4chee-arc-rs deployment ("dcm4chee-arc-war-5.23.0-secure.war") resource is defined in dcm4chee-arc.xml as bearer-only. I thought maybe a bearer-only type keycloak connector should be added for this, but in the dcm4chee ui interface there is no possibility to put a bearer-only type keycloak client, only client_credentials. I think here the documentation needs a little clarification. Logically, for me, it would be that when pressing the eye button the dcm4chee web interface should connect to the keycloak client of type bearer-only, get the token and pass the url with the token in the http(s) header to the weasis app.
2) The second setup does not work at all. I get the error: Cannot not get a valid manifest URL null/weasis-pacs-connector/RequestManifest?id=2
Here, in the old setup with version 5.11 of dcm4chee-arc-secure-ui, I introduced those kinds of urls in the fields:
             Invoke Image Display Patient URL: ../../weasis-pacs-connector/IHEInvokeImageDisplay?requestType=PATIENT&patientID={}
             Invoke Image Display Study URL: ../../weasis-pacs-connector/IHEInvokeImageDisplay?requestType=STUDY&studyUID={}
In the 5.23.0 web interface we can find
So there must be some inconsistencies in the keycloak authorisation system used for secured restful services that are not present in the tutorials.

Anyway, thank you for your time. I would appreciate it if you could post the mechanism by which secured restful services work, which connects where, token generated from who, etc.

Kind regards,
Dr. Dragos Zaharia

Zaharia Dragos-Cosmin

Jan 26, 2021, 4:29:00 PM
to dcm4che
Dear Vrinda, one last thought about this...
I think maybe it would be easier to make a tutorial using a drawing with the possible configurations:

dcm4chee
|-- nothing secured
`-- something secured
    |-- UI only
    |   `-- weasis integration & oviyam
    |       |-- native
    |       |-- connector
    |       `-- webstart
    `-- UI and RS
        `-- weasis integration and oviyam
            |-- native
            |-- connector
            `-- webstart

Kind regards.

vrinda...@j4care.com

Jan 27, 2021, 3:37:21 AM
to dcm4che
Hello,

Thank you for your points and findings. I shall test weasis integration with archive with / without native installer (latest versions) for unsecured / secure-UI / secured archive setups and update the page in a few days. Yesterday when I had tested this I just made use of secured archive (UI and RESTful secured) and with latest versions of Weasis. Weasis is developed and maintained by Nicolas Roduit, who is its core developer. The Weasis viewer integration with DCM4CHEE archive was provided long ago as a mechanism to test the IID profile (Invoke Image Display). When I had started to test Weasis with DCM4CHEE, there was only the weasis-pacs-connector and weasis wars with 2 property files. The native installer package came in later sometime and so I had all three of them on my system later. As for the documentation on DCM4CHEE wiki w.r.t. the integration with Weasis, earlier it was explained as a very basic integration setup and it was then later updated by Nicolas and redirected to Weasis installations / documentation pages where it is elaborately described.

With regards to Keycloak, the dcm4chee-arc-rs client which is defined as bearer-only implies that RESTful services which are part of dcm4chee-arc-rs.war can be accessed by user only if a bearer token is provided when invoking these services. Hence, there is no need for this client to be separately configured in Keycloak admin console, as the UI of archive has the access token once user authenticates himself by entering his user / password - the UI then uses this token whenever invoking any archive's RESTful services triggered by user using any of the RESTful service specific functions. Similarly as the UI of archive has this token when user logs in, the same token is passed to Weasis which then makes use of it when invoking WADO requests. (fyi - UI acted as an intermediary in between to pass token to Weasis since there is no way to configure Weasis itself in Keycloak - see https://github.com/dcm4che/dcm4chee-arc-light/issues/1738)

As for Oviyam, I haven't found the right documentation to integrate this with archive using manual setup.
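
The token hand-off described in the reply above, as an added example that is not part of the thread or of dcm4chee-arc or Weasis code: it fills the IID_STUDY_URL template posted earlier, parses the resulting weasis:// URI back into its arguments, and checks that the Authorization header carries an unexpired JWT over HTTPS. The percent-encoding of the launch URI, the token claims, the host names, path and UID are assumptions constructed for the demo.

```python
import base64
import json
import re
import shlex
from urllib.parse import quote, unquote

# Template as posted in the thread; all values filled into it are constructed.
IID_STUDY_URL = ('weasis://$dicom:rs --url "{{qidoBaseURL}}{{qidoBasePath}}" '
                 '-r "studyUID={{studyUID}}" --query-ext "&includedefaults=false" '
                 '-H "Authorization: Bearer {{access_token}}"')

def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def make_sample_token(exp: int) -> str:
    """Constructed JWT-shaped token; the signature part is a dummy string."""
    claims = {"iss": "https://my-domain:8843/auth/realms/dcm4che",
              "azp": "dcm4chee-arc-ui", "exp": exp}
    return ".".join([_b64url({"alg": "RS256", "typ": "JWT"}), _b64url(claims), "c2ln"])

def render_launch_uri(template: str, values: dict) -> str:
    """Fill {{name}} placeholders, then percent-encode the part after the scheme
    (assumed encoding). Unknown placeholders stay in place so they can be caught."""
    filled = re.sub(r"\{\{(\w+)\}\}",
                    lambda m: values.get(m.group(1), m.group(0)), template)
    scheme, rest = filled.split("://", 1)
    return f"{scheme}://{quote(rest, safe='')}"

def parse_launch_uri(uri: str) -> dict:
    """Recover the command, its options and the -H headers from a launch URI."""
    args = shlex.split(unquote(uri.split("://", 1)[1]))
    parsed = {"command": args[0], "headers": {}}
    options = iter(args[1:])
    for flag in options:
        value = next(options, "")
        if flag == "-H":
            name, _, content = value.partition(":")
            parsed["headers"][name.strip().lower()] = content.strip()
        else:
            parsed[flag.lstrip("-")] = value
    return parsed

def jwt_claims(token: str) -> dict:
    """Decode the payload WITHOUT verifying the signature (diagnostic use only)."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_launch(uri: str, now: float) -> list:
    """List the problems that would stop this launch from authenticating safely."""
    parsed, problems = parse_launch_uri(uri), []
    if not parsed.get("url", "").startswith("https://"):
        problems.append("bearer token would be sent over a non-HTTPS URL")
    auth = parsed["headers"].get("authorization", "")
    if not auth.startswith("Bearer "):
        return problems + ["no bearer token in the -H header"]
    token = auth[len("Bearer "):]
    if "{{" in token or token.count(".") != 2:
        return problems + ["access_token placeholder was not replaced by a JWT"]
    if jwt_claims(token).get("exp", 0) <= now:
        problems.append("token expired")
    return problems

if __name__ == "__main__":
    now = 1_700_000_000  # fixed clock so the demo is reproducible
    uri = render_launch_uri(IID_STUDY_URL, {
        "qidoBaseURL": "https://my-domain:8443",           # constructed
        "qidoBasePath": "/dcm4chee-arc/aets/DCM4CHEE/rs",   # constructed
        "studyUID": "1.2.3.4", "access_token": make_sample_token(now + 300)})
    print(uri[:60] + "...")
    print("fresh token :", check_launch(uri, now))
    print("6 min later :", check_launch(uri, now + 360))
```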

Zaharia Dragos-Cosmin

Jan 27, 2021, 8:53:16 AM
to dcm4che
Thank you, Vrinda, for your kind answer. I'll wait for the update of the documentation for the last versions.
Kind regards, 
Dragos Zaharia

Zaharia Dragos-Cosmin

Jan 27, 2021, 10:42:35 AM
to dcm4che
Dear Vrinda, something very trivial and fortunate happened.
Today I asked a friend to try to connect to my dcm4chee server and open a study with weasis on his computer. Surprisingly, he said it works in ubuntu and also in windows 10. It works! I verified and it is the version with secured restful services activated. It works without pacs connector and with the settings from the nroduit website.
I went home and tested myself. In linux (ubuntu) it works on 3 of my computers out-of-the-box.
Another thing is with the windows version. I tried it also on 3 of my computers with windows 10 with 64 bit version from MS store and classically installed and when I press the eye button the browser asks to open weasis, but it does not open. So the problem seems to be weasis launcher from windows. I didn't try with 32 bit version. So the settings on the server seem fine. It is a weasis problem.
But still, the weasis pacs connector with weasis.war doesn't work. It would be nice if it worked, to be able to use the weasis from the server with java.

Kind regards

Zaharia Dragos-Cosmin

Jan 27, 2021, 11:13:12 AM
to dcm4che
Digging a little further, I used chrome and edge in windows and the same thing happened. I installed firefox and when opening the eye in firefox it asked to open the weasis installer; the browser didn't seem to know about weasis being installed. But there was also the option of opening with another app... I browsed to weasis and it worked. So it seems there is a problem with installed weasis not being launched by chrome/edge. Else it works. Maybe some settings... registries need some fixing.
And if you think... I did my testing on windows... bad choice. I should have used linux all along...

Nicolas Roduit

Jan 28, 2021, 2:59:20 AM
to dcm4che
There are indeed several ways to integrate Weasis that may seem confusing. Unfortunately, this is because Java Web Start technology has been abandoned and in order to make a smooth transition, I have to maintain these different possible configurations. Here is the post that explains this change.

Starting with Weasis 4, only the native version will be available with the ability to deploy a server package (weasis.war) to automatically update clients (see this post).

weasis-pacs-connector is a server component allowing to query any PACS in DICOM in order to provide a manifest to Weasis so that it can download images in WADO (WADO-URI). 
Adding the weasis-pacs-connector component may be necessary in the situation where you want to launch Weasis from another GUI (EMR, EHR, RIS...) or if you want to inject specific launch or user configurations.

For recent versions of dcm4chee-arc-light, Weasis can be configured directly with the standard WADO-RS APIs. This way, the configuration can be summarized in 2 lines.

And in the next version of Weasis (3.7.0), in the Query/Retrieve window you will also be able to select DICOMWeb nodes (i.e. a WADO-RS API). So we will be able to search for patients by date, modality... directly in Weasis in DICOMWeb.

I consider that it is necessary to have documentation to understand and be able to choose the most suitable method for one's own needs. I will try to do it with the new release.

Zaharia Dragos-Cosmin

Jan 28, 2021, 6:47:42 AM
to dcm...@googlegroups.com
Dear Nicolas,
Thank you for your answer. I look forward to the versions 7.x and I congratulate you for this great work.


Dr. Dragos-Cosmin Zaharia
Senior pulmonologist, Institutul National de Pneumologie "Marius Nasta", Bucharest
University assistant, Universitatea de Medicina si Farmacie "Carol Davila", Bucharest
Doctor of medical sciences
Phone: 0722166541