Installation worked, sort of?


Jonathan Brooks

Feb 13, 2022, 5:18:21 PM
to dcm4che
Hi All (Vrinda?),

Following on from an earlier discussion we had about an installation of Secured UI and Secured RESTful service - I have revisited this to see whether things have changed with the latest dcm4chee-arc 5.25.1 version.

Basically, much like in the original thread (here) I was able to install and configure dcm4chee (using keycloak 14 and wildfly 20.0.1 Final), all running on a single host. The configuration of the database (mysql) and LDAP services appears to have worked too. After deploying, I am able to point a browser (from the same host that is running the service) to https://<archive host>:8443/dcm4chee-arc/ui2, and login using the standard user/pass, but never "see" the expected interface. I just get the background with J4Care logo and menu icon on the left, which is clickable, but e.g. on selecting Navigation this only brings up red warning boxes (401 - Unauthorized). Please see attached images.

Please note that I think the underlying systems are probably working as I am able to follow the instructions to create an OIDC Client (curl) to get a private token which allows me to perform the suggested tests here.

So I suspect that something about the browser (?) is blocking the webapp from loading properly and displaying the DCM4CHE archive.

I'm so close to getting this working! If anyone has any ideas what might be blocking this from working properly please do let me know.

Best wishes,

Jon
error401_smaller.png
no_archive_smaller.png

Jonathan Brooks

Feb 13, 2022, 6:11:03 PM
to dcm4che
Okay, some progress courtesy of a helpful post by Gunter (https://groups.google.com/g/dcm4che/c/ouXBtmbSFfs/m/1usqcTmpCQAJ)

This prompted me to look at the roles that were associated with the users stored in the keycloak server (https://<archive host>:8843/auth).

users.png

Selecting either admin or user from this list brings up their details and in particular the Role Mappings tab. Here we can see that admin (and user) do not have default-roles-dcm4che added in. This was a surprise as I expected that as I was making use of User Federation via LDAP these would have been added automatically.
as-configured.png

Adding in the relevant role (default-roles-dcm4che) to the assigned roles means that the archive server works as expected (NO MORE 401 Unauthorized!!!).

configured-working.png

However, I can't tell why the default user specification didn't bring this in automatically - and may point to more fundamental problems with my set up.

Now all I need to do is learn how to upload some DICOM data!!!

Hope this helps someone.

Best wishes,

Jon

Vrinda Nayak

Feb 14, 2022, 4:05:19 AM
to dcm4che
Creation of users and assigning of roles manually or doing the same using LDAP user federation has been explained in the wiki.

From where do you get default-roles-dcm4che, as this is not present anywhere in default-users.ldif or explained anywhere in the wiki?
assign-roles.png

Jonathan Brooks

Feb 14, 2022, 6:38:17 AM
to dcm4che
Hi Vrinda,

Thanks for getting back to me. Yes, I followed those instructions exactly as specified.

I imported $DCM4CHEE_ARC/ldap/default-ui-config.ldif using ApacheDirectoryStudio during the LDAP configuration, then when I'm in the User Federation section I import default-users.ldif (see relevant command and output at end of this message).

I then restart the keycloak server and follow the instructions to add the LDAP provider in Keycloak, and can connect and authenticate successfully. I then sync the users before creating the role-ldap-mapper and then sync ldap roles to keycloak (see pictures in 2nd post above). In total three users and five roles are created. At no point can I see where "default-roles-dcm4che" was created, though it appears that this is necessary for me to access the archive.

E.g. I just started dcm4che:

$KEYCLOAK_HOME/bin/standalone.sh
$WILDFLY_HOME/bin/standalone.sh -c dcm4che-arc.xml

Make a connection to https://<archive host>:8443/dcm4chee-arc/ui2 and I can browse the DICOM data that I uploaded using storescu.

working.png

If I now close the browser, take down the wildfly server and then go into keycloak and remove the role (default-roles-dcm4che) from user (user), and restart wildfly server I get the following when I try to access the archive:

nothing.png
(Note there was probably no need to take the wildfly server down to accomplish this test)

For completeness, here are the roles as installed in keycloak. I would imagine that default-roles-dcm4che is created automatically at the time the realm is created?
You can see the five that were imported from LDAP, plus the three that were generated automatically.

roles.png

If I put default-roles-dcm4che back in to the Role Mappings for user (user), I'm back online again:

working_again.png

This behaviour is completely reproducible.

Any suggestions as to what's going on? Happy to send logfiles if that helps?

Best wishes,

Jon


Command used to add user information into LDAP:

ldapadd -x -W -D "cn=admin,dc=dcm4che,dc=org" -H ldapi:/// -f $DCM4CHEE_ARC/ldap/default-users.ldif
Enter LDAP Password:
adding new entry "ou=users,dc=dcm4che,dc=org"
adding new entry "uid=root,ou=users,dc=dcm4che,dc=org"
adding new entry "uid=admin,ou=users,dc=dcm4che,dc=org"
adding new entry "uid=user,ou=users,dc=dcm4che,dc=org"
adding new entry "cn=root,ou=users,dc=dcm4che,dc=org"
adding new entry "cn=admin,ou=users,dc=dcm4che,dc=org"
adding new entry "cn=user,ou=users,dc=dcm4che,dc=org"
adding new entry "cn=auditlog,ou=users,dc=dcm4che,dc=org"
adding new entry "cn=ADMINISTRATOR,ou=users,dc=dcm4che,dc=org"
adding new entry "ou=realm-management,dc=dcm4che,dc=org"
adding new entry "cn=create-client,ou=realm-management,dc=dcm4che,dc=org"
adding new entry "cn=impersonation,ou=realm-management,dc=dcm4che,dc=org"
adding new entry "cn=manage-authorization,ou=realm-management,dc=dcm4che,dc=org"
adding new entry "cn=manage-clients,ou=realm-management,dc=dcm4che,dc=org"
adding new entry "cn=manage-events,ou=realm-management,dc=dcm4che,dc=org"
adding new entry "cn=manage-identity-providers,ou=realm-management,dc=dcm4che,dc=org"
adding new entry "cn=manage-realm,ou=realm-management,dc=dcm4che,dc=org"
adding new entry "cn=manage-users,ou=realm-management,dc=dcm4che,dc=org"
adding new entry "cn=realm-admin,ou=realm-management,dc=dcm4che,dc=org"
adding new entry "cn=view-authorization,ou=realm-management,dc=dcm4che,dc=org"
adding new entry "cn=view-clients,ou=realm-management,dc=dcm4che,dc=org"
adding new entry "cn=view-events,ou=realm-management,dc=dcm4che,dc=org"
adding new entry "cn=view-identity-providers,ou=realm-management,dc=dcm4che,dc=org"
adding new entry "cn=view-realm,ou=realm-management,dc=dcm4che,dc=org"
adding new entry "cn=view-users,ou=realm-management,dc=dcm4che,dc=org"
adding new entry "cn=query-users,ou=realm-management,dc=dcm4che,dc=org"
adding new entry "cn=query-groups,ou=realm-management,dc=dcm4che,dc=org"
adding new entry "cn=query-realms,ou=realm-management,dc=dcm4che,dc=org"
adding new entry "cn=query-clients,ou=realm-management,dc=dcm4che,dc=org"
adding new entry "ou=account,dc=dcm4che,dc=org"
adding new entry "cn=view-profile,ou=account,dc=dcm4che,dc=org"
adding new entry "cn=delete-account,ou=account,dc=dcm4che,dc=org"
adding new entry "cn=manage-account,ou=account,dc=dcm4che,dc=org"
adding new entry "cn=manage-consent,ou=account,dc=dcm4che,dc=org"
adding new entry "cn=view-applications,ou=account,dc=dcm4che,dc=org"

Jonathan Brooks

Feb 14, 2022, 6:40:14 AM
to dcm4che
To be clear, I did not create any of the five basic roles manually, as per the instructions you sent. I used the User Federation through LDAP as this seems much more flexible.

Best wishes,

Jon


Jonathan Brooks

Feb 14, 2022, 6:41:39 AM
to dcm4che

Vrinda Nayak

Feb 14, 2022, 8:40:41 AM
to dcm4che
default-roles-{realm-name} is automatically created by Keycloak when a realm is created.

If all steps together with role-ldap-mappers are done as described in https://github.com/dcm4che/dcm4chee-arc-light/wiki/Secure-Archive-UI-and-RESTful-Services-using-Keycloak#ldap-configuration-and-keycloak-user-federation, the roles and users are correctly imported from LDAP into Keycloak.
Note: To enable access to the archive UI, every created user in ldap / keycloak should be assigned the user role.

There is no need to assign / remove default-roles-dcm4che, which was created by Keycloak. See attached screenshots:
user.png
admin.png
root.png
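The thread turns on which realm roles a Keycloak-issued access token actually carries: the wiki says the archive UI needs the user role, while Jon saw 401s until default-roles-dcm4che was mapped. The following added example (not part of this thread or of dcm4chee) decodes the payload of an access token such as the one obtained with the curl OIDC client step and reports which required realm roles are missing, so a 401 can be traced to a role-mapping gap before digging into wildfly logs. The token built here is constructed and unsigned; the decoder inspects claims only and performs no signature verification, so use it solely on tokens you obtained yourself.

```python
import base64
import json

# The wiki states every user needs the "user" realm role for UI access.
REQUIRED_ROLES = {"user"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def token_roles(token: str) -> set:
    """Realm roles carried in a Keycloak access token.

    Keycloak places realm-level roles under realm_access.roles (client roles
    sit under resource_access). Only the payload is parsed; the signature is
    not checked, so this is a diagnostic, not an authorization decision.
    """
    _header, payload, _signature = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    return set(claims.get("realm_access", {}).get("roles", []))


def missing_roles(token: str, required=REQUIRED_ROLES) -> set:
    """Required realm roles absent from the token; empty set means UI access should work."""
    return set(required) - token_roles(token)


def make_unsigned_token(roles) -> str:
    """Constructed token in Keycloak's claim layout, for offline testing only.

    The issuer URL and the signature segment are placeholders, not real values.
    """
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {
        "iss": "https://archive.example/auth/realms/dcm4che",  # placeholder
        "preferred_username": "user",
        "realm_access": {"roles": list(roles)},
    }
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        _b64url_encode(b"placeholder-signature"),
    ])
```

To check a real token from the curl step, paste its access_token string into missing_roles(); a non-empty result points at the Role Mappings tab (or the role-ldap-mapper sync) rather than at the browser.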

Jonathan Brooks

Feb 14, 2022, 1:54:32 PM
to dcm4che

Hi,

So I followed the instructions *exactly* as described on the webpage, but the kicker here was that even with the user role assigned to 'user' or 'admin' accounts (as was always the case), this was *not* sufficient to give them access to the archive; they also required default-roles-dcm4che in their Role Mappings. It's important to note that this role (default-roles-dcm4che) was *not* automatically added to new users imported via User Federation, which as I mentioned worked flawlessly (other than for this crucial requirement).

So I disagree, I suspect that if you found that default-roles-dcm4che is missing for your user, then you would need to add it to make the archive work as expected.

Best wishes,

Jon

Jonathan Brooks

Feb 14, 2022, 1:58:48 PM
to dcm4che
Hi Vrinda,

I just re-read that and it sounded really snotty. Sorry. You're right, something must have gone wrong with my installation to not have this default role added to users imported from LDAP. I will try removing the user role and see if that kills access for me and let you know what the outcome was.

Thanks for taking the time to look into this problem. Basically I'm really happy that I've managed to get the system running and want to thank the dcm4che team for putting in all their hard work to get this running and making it available for the community.

Best wishes,

Jon