dcm4chee-arc-psql:5.31.2-secure + Keycloak: Self-signed certificates, dcm4chee-arc/ui2ui2 Forbidden


Marius S

Jan 31, 2024, 2:10:55 AM
to dcm4che
Hello,

I have installed dcm4chee-arc-psql:5.31.2-secure with keycloak:23.0.3 dockers following these instructions:
https://github.com/dcm4che/dcm4chee-arc-light/wiki/Run-secured-archive-services-on-a-single-host

I have used localhost as hostname, as this is a test environment.

docker network create dcm4chee_network
docker run --network=dcm4chee_network --name ldap \
           -p 389:389 \
           -v /var/local/dcm4chee-arc/ldap:/var/lib/openldap/openldap-data \
           -v /var/local/dcm4chee-arc/slapd.d:/etc/openldap/slapd.d \
           -d dcm4che/slapd-dcm4chee:2.6.5-31.2

docker run --network=dcm4chee_network --name mariadb \
           -p 3306:3306 \
           -e MYSQL_ROOT_PASSWORD=secret \
           -e MYSQL_DATABASE=keycloak \
           -e MYSQL_USER=keycloak \
           -e MYSQL_PASSWORD=keycloak \
           -v /etc/localtime:/etc/localtime:ro \
           -v /etc/timezone:/etc/timezone:ro \
           -v /var/local/dcm4chee-arc/mysql:/var/lib/mysql \
           -d mariadb:10.11.4  
  
docker run --network=dcm4chee_network --name keycloak \
           -p 8843:8843 \
           -e KC_HTTPS_PORT=8843 \
           -e KC_HOSTNAME=localhost \
           -e KEYCLOAK_ADMIN=admin \
           -e KEYCLOAK_ADMIN_PASSWORD=changeit \
           -e KC_DB=mariadb \
           -e KC_DB_URL_DATABASE=keycloak \
           -e KC_DB_URL_HOST=mariadb \
           -e KC_DB_USERNAME=keycloak \
           -e KC_DB_PASSWORD=keycloak \
           -e KC_LOG=file \
           -e ARCHIVE_HOST=localhost \
           -e KEYCLOAK_WAIT_FOR="ldap:389 mariadb:3306" \
           -v /etc/localtime:/etc/localtime:ro \
           -v /etc/timezone:/etc/timezone:ro \
           -v /var/local/dcm4chee-arc/keycloak:/opt/keycloak/data \
           -d dcm4che/keycloak:23.0.3

docker run --network=dcm4chee_network --name db \
           -p 5432:5432 \
           -e POSTGRES_DB=pacsdb \
           -e POSTGRES_USER=pacs \
           -e POSTGRES_PASSWORD=pacs \
           -v /etc/localtime:/etc/localtime:ro \
           -v /etc/timezone:/etc/timezone:ro \
           -v /var/local/dcm4chee-arc/db:/var/lib/postgresql/data \
           -d dcm4che/postgres-dcm4chee:15.4-31    

docker run --network=dcm4chee_network --name arc \
           -p 8080:8080 \
           -p 8443:8443 \
           -p 9990:9990 \
           -p 9993:9993 \
           -p 11112:11112 \
           -p 2762:2762 \
           -p 2575:2575 \
           -p 12575:12575 \
           -e POSTGRES_DB=pacsdb \
           -e POSTGRES_USER=pacs \
           -e POSTGRES_PASSWORD=pacs \
           -e AUTH_SERVER_URL=https://keycloak:8843 \
           -e UI_AUTH_SERVER_URL=https://localhost:8843 \
           -e WILDFLY_WAIT_FOR="ldap:389 db:5432 keycloak:8843" \
           -v /etc/localtime:/etc/localtime:ro \
           -v /etc/timezone:/etc/timezone:ro \
           -v /var/local/dcm4chee-arc/wildfly:/opt/wildfly/standalone \
           -d dcm4che/dcm4chee-arc-psql:5.31.2-secure


Everything installed fine and I can log in to dcm4chee-arc/ui2 using Keycloak, however I need to change the default certificates to my own (self-signed, with additional Subject Alternative Names).

DCM4CHEE has mapped key.p12 and cacerts.p12 in local directory /var/local/dcm4chee-arc/wildfly/configuration/keystores/
Keycloak has key.p12 and cacerts.p12 inside docker in directory /opt/keycloak/conf/keystores/


I have used the following keytool commands:

1. Created a self-signed certificate for Keycloak:
keytool -genkeypair -alias keycloak -keyalg RSA -keysize 2048 -validity 3650 -keystore /home/user/testcerts/keycloak/keycloak_key.p12 -storetype PKCS12 -dname "CN=127.0.0.1, OU=KeycloakSelfSigned, O=Unknown, L=Unknown, ST=Unknown, C=Unknown" -ext "SAN=IP:127.0.0.1,IP:192.168.56.121,DNS:localhost,DNS:keycloak" -storepass secret

2. Exported Keycloak's certificate and added certificate with the private key to Keycloak's key.p12 file:
keytool -export -alias keycloak -keystore /home/user/testcerts/keycloak/keycloak_key.p12 -file /home/user/testcerts/keycloak/keycloak_cert.crt
keytool -importkeystore -srckeystore /home/user/testcerts/keycloak/keycloak_key.p12 -destkeystore /home/user/testcerts/keycloak/keycloak_key.p12 -deststoretype PKCS12 -deststorepass secret


3. Added Keycloak's certificate to dcm4che's cacerts.p12 file:
keytool -import -alias keycloak -file /home/user/testcerts/keycloak/keycloak_cert.crt -keystore /home/user/testcerts/dcm4che/dcm4che_cacerts.p12 -storetype PKCS12 -storepass secret

4. Created a self-signed certificate for dcm4che:
keytool -genkeypair -alias dcm4che -keyalg RSA -keysize 2048 -validity 3650 -keystore /home/user/testcerts/dcm4che/dcm4che_key.p12 -storetype PKCS12 -dname "CN=127.0.0.1, OU=dcm4cheSelfSigned, O=Unknown, L=Unknown, ST=Unknown, C=Unknown" -ext "SAN=IP:127.0.0.1,IP:192.168.56.121,DNS:localhost,DNS:keycloak,DNS:arc" -storepass secret

5. Exported dcm4che's certificate and added certificate with the private key to dcm4che's key.p12 file:
keytool -export -alias dcm4che -keystore /home/user/testcerts/dcm4che/dcm4che_key.p12 -file /home/user/testcerts/dcm4che/dcm4che_cert.crt
keytool -importkeystore -srckeystore /home/user/testcerts/dcm4che/dcm4che_key.p12 -destkeystore /home/user/testcerts/dcm4che/dcm4che_key.p12 -deststoretype PKCS12 -deststorepass secret


6. Added dcm4che's certificate to Keycloak's cacerts.p12 file:
keytool -import -alias dcm4che -file /home/user/testcerts/dcm4che/dcm4che_cert.crt -keystore /home/user/testcerts/keycloak/keycloak_cacerts.p12 -storetype PKCS12 -storepass secret

7. I have renamed and replaced the key.p12 and cacerts.p12 for both Keycloak and DCM4CHEE with my own generated files, and restarted all docker containers.

After this change I can successfully log in to https://localhost:8843/admin/dcm4che/console/ (it shows the KeycloakSelfSigned certificate).

But I cannot access https://localhost:8443/dcm4chee-arc/ui2/ (it shows the dcm4cheSelfSigned certificate); I am getting a white page with the text Forbidden.

And in DCM4CHEE logs I see this line: 2024-01-30 17:23:10,335 WARN  [org.wildfly.security.http.oidc] (default task-1) ELY23005: Unable to load OpenID provider metadata from https://keycloak:8843/realms/dcm4che/.well-known/openid-configuration


How should I create a self-signed certificate for DCM4CHEE and Keycloak so that DCM4CHEE would work with it?

Do I need to redeploy some docker containers with some other environment variable values if I use my own self-signed certificates?

I am missing what I did wrong and why dcm4chee-arc/ui2 gives me Forbidden.


Thanks,
M.

Marius S

Feb 2, 2024, 10:50:30 AM
to dcm4che
I have tried to deploy another Ubuntu virtual machine with the same setup, but this time for the hostname I have used test.mydomain.com and I have used a real SSL wildcard *.mydomain.com certificate (issued by Go Daddy; certificate.crt and private.key converted to key.p12 using openssl).
In Ubuntu I have set in /etc/hosts: 127.0.0.1 test.mydomain.com

However, after replacing the key.p12 certificate in the Keycloak and Dcm4che docker containers and restarting the dockers, I was not able to access https://test.mydomain.com:8443/dcm4chee-arc/ui2/; it was giving me the same Forbidden text.

It seems that the demo certificate (attached below), or its keys, or some other information is stored somewhere in the Keycloak or DCM4CHEE configuration, and it still wants to have the demo certificate when I try to open https://test.mydomain.com:8443/dcm4chee-arc/ui2/
Because if I open https://test.mydomain.com:8443 or https://test.mydomain.com:8843 it works, but the authentication part, when DCM4CHEE /ui2 should be redirected to Keycloak, seems not to be working with my certificate.

So is your demo certificate added somewhere in the Keycloak or DCM4CHEE configuration?


Thanks,
M.
dcm4che_keycloak_cert.jpg

Marius S

Feb 5, 2024, 8:38:06 AM
to dcm4che
Hello,

Today I have tried again with a Go Daddy Secure Certificate Authority - G2 certificate, which is a valid certificate. Finally I have managed to run DCM4CHEE with Keycloak with this certificate.
Below is the information on what the problem was. Now knowing this issue, I think it might also work with your own self-signed certificates, but you need to add them to the truststore in a few additional locations.

As last time, I have replaced the Keycloak (docker /opt/keycloak/conf/keystores/key.p12) and DCM4CHEE (local /var/local/dcm4chee-arc/wildfly/configuration/keystores/key.p12) certificates with my Go Daddy certificate.
But I was still getting Forbidden when trying to access https://test.mydomain.com:8443/dcm4chee-arc/ui2/

After some research I have found that both the DCM4CHEE and Keycloak docker containers also have openjdk installed with its own truststore: /opt/java/openjdk/lib/security/cacerts

The reason the demo certificate (IHE Europe) was working is that, it seems, when you install the DCM4CHEE and Keycloak docker containers, this demo certificate is automatically added to /opt/java/openjdk/lib/security/cacerts on both containers.

So basically the reason I was getting Forbidden on https://test.mydomain.com:8443/dcm4chee-arc/ui2/ even with a valid certificate was that the Go Daddy Secure Certificate Authority - G2 certificate authority was not added to the truststore in /opt/java/openjdk/lib/security/cacerts.
I have downloaded the Go Daddy Secure Certificate Authority - G2 intermediate certificate and added it to the truststore file /opt/java/openjdk/lib/security/cacerts in both the DCM4CHEE and Keycloak containers.

Now it works with my own certificate; I can log in both to DCM4CHEE ui2 and Keycloak.


Thanks,
M.
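A small diagnostic for the failure discussed in this thread, added here as an example; it is not code from dcm4che, Keycloak or the poster. It repeats the fetch behind the ELY23005 line in the first post (the archive's server-side OIDC client loading AUTH_SERVER_URL/realms/<realm>/.well-known/openid-configuration) while trusting only a CA bundle you point it at, so you can see whether the JVM trust store, rather than WildFly's cacerts.p12, is what rejects the Keycloak certificate. Assumptions: the discovery URL pattern is taken from the logged URL; `cafile` is a PEM export of the container's /opt/java/openjdk/lib/security/cacerts (made with keytool outside this script); the sample certificate dictionary and host names are constructed to mirror the SAN list in the first post's keytool command and the wildcard certificate of the second post.

```python
"""Reproduce the archive's OIDC metadata fetch with an explicit trust store
and explain a TLS failure the way this thread resolved it.
Standard library only; the sample data at the bottom is constructed."""
import ipaddress
import json
import socket
import ssl
import urllib.request
from urllib.parse import urlsplit


def discovery_url(auth_server_url: str, realm: str) -> str:
    """URL the archive requests at login (pattern from the ELY23005 log line)."""
    return f"{auth_server_url.rstrip('/')}/realms/{realm}/.well-known/openid-configuration"


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS match: exact, or a single '*' as the left-most label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*" or len(p_labels) < 3:
        return False  # wildcard must cover exactly one label, never a top-level name
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """Check a certificate (ssl.SSLSocket.getpeercert() dict form) against the
    host the client connects to. Only SAN entries count, as the JDK and Python
    do today; an IP literal must appear as an 'IP Address' SAN, not in the CN."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    for kind, value in cert.get("subjectAltName", ()):
        if ip is not None and kind == "IP Address":
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue
        elif ip is None and kind == "DNS" and _dns_name_match(value, hostname):
            return True
    return False


def classify_tls_failure(exc: Exception) -> str:
    """Map the verification error text to the fix this thread arrived at."""
    msg = str(exc)
    if "self-signed certificate" in msg or "self signed certificate" in msg:
        return "self-signed: import the server certificate itself into the JVM cacerts"
    if "unable to get local issuer certificate" in msg or "unable to get issuer certificate" in msg:
        return "unknown CA: import the (intermediate) CA certificate into the JVM cacerts"
    if "Hostname mismatch" in msg or "doesn't match" in msg:
        return "name not in SAN: reissue the certificate with the host used in AUTH_SERVER_URL"
    return "other TLS failure: " + msg


def check_oidc_metadata(auth_server_url: str, realm: str, cafile: str, timeout: float = 5.0) -> dict:
    """Do the same fetch as the archive, trusting only `cafile`; return a report."""
    url = discovery_url(auth_server_url, realm)
    parts = urlsplit(url)
    host, port = parts.hostname, parts.port or 443
    ctx = ssl.create_default_context(cafile=cafile)
    report = {"url": url, "host": host}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                report["san_ok"] = hostname_matches(tls.getpeercert(), host)
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            report["issuer"] = json.load(resp).get("issuer")
        report["ok"] = True
    except ssl.SSLError as exc:  # must precede OSError: SSLError is a subclass of it
        report["ok"] = False
        report["diagnosis"] = classify_tls_failure(exc)
    except (OSError, ValueError) as exc:
        report["ok"] = False
        report["diagnosis"] = f"connection or parsing failure: {exc}"
    return report


# Constructed sample: the SAN list from the first post's keytool command for Keycloak.
SAMPLE_KEYCLOAK_CERT = {
    "subject": ((("commonName", "127.0.0.1"),),),
    "subjectAltName": (("IP Address", "127.0.0.1"), ("IP Address", "192.168.56.121"),
                       ("DNS", "localhost"), ("DNS", "keycloak")),
}
# Constructed sample: a wildcard certificate like the second post's *.mydomain.com one.
SAMPLE_WILDCARD_CERT = {"subjectAltName": (("DNS", "*.mydomain.com"), ("DNS", "mydomain.com"))}

if __name__ == "__main__":
    import sys
    # usage: python3 oidc_trust_check.py https://keycloak:8843 dcm4che /tmp/jvm-cacerts.pem
    print(json.dumps(check_oidc_metadata(*sys.argv[1:4]), indent=2))
```

Run it inside the arc container (or anywhere that resolves the `keycloak` name) with a PEM export of the JVM cacerts; a "self-signed" or "unknown CA" diagnosis while the browser-facing 8443 listener works is exactly the split between WildFly's cacerts.p12 and the JVM's own trust store that the third post describes. The name check also shows why a wildcard certificate for *.mydomain.com can never satisfy a client that was told AUTH_SERVER_URL=https://keycloak:8843.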