dcm4chee-arc-psql:5.10.6-secure-ui on docker upgrade from 5.10.4 issues


leogrande

Nov 27, 2017, 11:54:37 AM
to dcm4che
I have upgraded my working dcm4chee-arc-psql:5.10.4-secure-ui to dcm4chee-arc-psql:5.10.6-secure-ui on docker.

First of all, it looks like dcm4che/keycloak:3.2.1-10.6 has a hostname "ldap" hardcoded. Its deployment kept failing until -e LDAP_HOST=ldap was provided. My old name for the slapd-dcm4chee was rejected.

I see in Keycloak that connection to slapd container was successful and user federation "ldap" was created and all roles and users were synced successfully.

The dcm4chee-arc container sees (tested) Keycloak as an authentication server, access to the Archive GUI is redirected to the Keycloak dcm4che realm for authentication, and the user is successfully authenticated.

Everything looks fine, but I get a "Forbidden" message when Keycloak redirects back to the archive GUI.

There are no warnings or errors in the Keycloak log.

In dcm4chee-arc log I keep getting these error messages:

ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-25) failed to turn code into token: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
.
.
.
What is this all about?

Does dcm4che/keycloak:3.2.1-10.6 have a Keycloak adapter?

leogrande

Nov 27, 2017, 6:11:43 PM
to dcm...@googlegroups.com
I have figured it out.
Keycloak has SSL_REQUIRED with the default value "external". I prefer to stay with SSL, so I just added these environment variables to the keycloak container:

-e KEYSTORE=
-e KEYSTORE_PASSWORD=
-e KEY_PASSWORD=
-e KEYSTORE_TYPE=

I believe that keycloak.xml and dcm4chee-arc.xml need an "alias" environment variable to be added for JKS-type keystores.
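The "failed to turn code into token ... PKIX path building failed" line above is the Keycloak adapter inside the archive container doing the back-channel code-to-token call over HTTPS and rejecting the certificate the keycloak container serves, because nothing in the archive JVM's trust store issued it. The script below is an added example written for this thread, not code from the dcm4che project or from the poster. It reproduces that path-building failure offline with openssl (a constructed self-signed "keycloak" certificate checked against an unrelated CA), then shows the two ways out: point the check at a bundle that actually contains the certificate, or import the certificate into a JKS trust store with keytool. The host name keycloak, port 8443, the trust-store file name and the password changeit are assumptions; keytool is only used if present.

```shell
#!/bin/sh
# Added example, not part of the dcm4che project. Needs openssl; keytool optional.
# Host "keycloak", port 8443, truststore.jks and password "changeit" are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: a self-signed cert standing in for the one the
# keycloak container serves, and an unrelated self-signed CA standing in for
# the JVM's default cacerts, which knows nothing about the first one.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=keycloak" \
  -keyout "$WORK/keycloak-key.pem" -out "$WORK/keycloak.pem" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=unrelated-ca" \
  -keyout "$WORK/other-key.pem" -out "$WORK/other-ca.pem" 2>/dev/null

# verify_leaf LEAF_PEM TRUST_PEM: exit 0 if LEAF chains to an anchor in
# TRUST_PEM, non-zero otherwise. This is the same chain-building step that
# the adapter reports as "unable to find valid certification path".
verify_leaf() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# fetch_server_cert HOST PORT OUT_PEM: save the leaf cert a live server
# presents, e.g. fetch_server_cert keycloak 8443 kc.pem from inside the
# archive container. Uses the network, so the offline self-check skips it.
fetch_server_cert() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$3"
}

# import_into_jks CERT_PEM TRUSTSTORE_JKS PASSWORD: add the cert as a trusted
# entry. This is the archive-side alternative to giving Keycloak a certificate
# the JVM already trusts via the KEYSTORE* variables from the post above.
import_into_jks() {
  keytool -importcert -noprompt -trustcacerts -alias keycloak \
    -file "$1" -keystore "$2" -storepass "$3"
}

# Offline self-check: an unrelated trust bundle must fail, a bundle that
# contains the certificate must pass.
if verify_leaf "$WORK/keycloak.pem" "$WORK/other-ca.pem"; then
  echo "unexpected: self-signed cert verified against an unrelated CA" >&2
  exit 1
fi
verify_leaf "$WORK/keycloak.pem" "$WORK/keycloak.pem"
echo "PKIX check reproduced: fails against unrelated CA, passes once the cert is trusted"

if command -v keytool >/dev/null 2>&1; then
  import_into_jks "$WORK/keycloak.pem" "$WORK/truststore.jks" changeit
  keytool -list -keystore "$WORK/truststore.jks" -storepass changeit | grep -q keycloak
  echo "imported into truststore.jks under alias keycloak"
fi
```

openssl verify covers chain building only; the JVM additionally checks that the host name in the redirect URL matches the certificate, so a certificate issued for a different name still fails after import. Importing a self-signed leaf into the archive's trust store is also a per-certificate fix that must be repeated whenever the keycloak container regenerates its certificate, which is why terminating the default with a real key pair through KEYSTORE, KEYSTORE_PASSWORD, KEY_PASSWORD and KEYSTORE_TYPE, as the second post does, is the more durable option.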