to dcm4che
I have upgraded my working dcm4chee-arc-psql:5.10.4-secure-ui to dcm4chee-arc-psql:5.10.6-secure-ui on docker.
First of all, it looks like dcm4che/keycloak:3.2.1-10.6 has a hostname "ldap" hardcoded. Its deployment kept failing until -e LDAP_HOST=ldap was provided. My old name for the slapd-dcm4chee was rejected.
I see in Keycloak that connection to slapd container was successful and user federation "ldap" was created and all roles and users were synced successfully.
dcm4chee-arc container sees (tested) keycloak as an authentication server, access to the Archive GUI is redirected to the Keycloak dcm4che realm for authentication and the user is successfully authenticated.
Everything looks fine, but I get a "Forbidden" message when Keycloak redirects back to the archive GUI.
There are no warnings or errors in the Keycloak log.
In dcm4chee-arc log I keep getting these error messages:
ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-25) failed to turn code into token: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    . . .
What is this all about?
Does dcm4che/keycloak:3.2.1-10.6 have a Keycloak adapter?
leogrande
Nov 27, 2017, 6:11:43 PM
to dcm...@googlegroups.com
I have figured it out.
Keycloak has SSL_REQUIRED with the default value "external". I prefer to stay with SSL so I just added to the keycloak container these environment variables: