dcm4chee-arc-ear-5.15.1-psql-secure-ui.ear deployment errors

[leogrande]

This is what I got when I was trying to deploy dcm4chee-arc-ear-5.15.1-psql-secure-ui.ear on ec2 Ubuntu 18.04.

 Composite operation failed and was rolled back. Steps that failed:" => {"Operation step-2" => {"WFLYCTL0080: Failed services" => {"jboss.undertow.deployment.default-server.default-host./dcm4chee-arc/ui2" => "java.lang.RuntimeException: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK
    Caused by: java.lang.RuntimeException: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK
    Caused by: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK"}

Keycloak is running and I did this:

Install the Keycloak Wildfly Adapter

> $WILDFLY_HOME/bin/jboss-cli.sh -c --file=adapter-install.cli

In dcm4chee-arc.xml:

    <system-properties>
        <property name="super-user-role" value="admin"/>
        <property name="realm-name" value="dcm4che"/>
        <property name="auth-server-url" value="http://127.0.0.1:8880/auth"/>
        <property name="org.dcm4che.audit-keycloak.AppName" value="keycloak"/>
    </system-properties>

               </security-domain>
                <security-domain name="keycloak">
                    <authentication>
                        <login-module code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/>
                    </authentication>
                </security-domain>
            </security-domains>

I am using LDAP Configuration and Keycloak User Federation.

[Gunter Zeilinger]

Check your DB (connection configuration)!

On Tue, Jan 22, 2019 at 6:15 PM leogrande <leon....@gmail.com> wrote:

This is what I got when I was trying to deploy dcm4chee-arc-ear-5.15.1-psql-secure-ui.ear on ec2 Ubuntu 18.04.

deploy /mnt/data/dcm4chee-arc/deploy/dcm4chee-arc-ear-5.15.1-psql-secure-ui.ear
{"WFLYCTL0062: Composite operation failed and was rolled back. Steps that failed:" => {"Operation step-2" => {"WFLYCTL0080: Failed services" => {"jboss.persistenceunit.\"dcm4chee-arc-ear-5.15.1-psql-secure-ui.ear#dcm4chee-arc\"" => "org.hibernate.service.spi.ServiceException: Unable to create requested service [org.hibernate.engine.jdbc.env.spi.JdbcEnvironment]
    Caused by: org.hibernate.service.spi.ServiceException: Unable to create requested service [org.hibernate.engine.jdbc.env.spi.JdbcEnvironment]
    Caused by: org.hibernate.HibernateException: Access to DialectResolutionInfo cannot be null when 'hibernate.dialect' not set"},

--
You received this message because you are subscribed to the Google Groups "dcm4che" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dcm4che+u...@googlegroups.com.
To post to this group, send email to dcm...@googlegroups.com.
Visit this group at https://groups.google.com/group/dcm4che.
For more options, visit https://groups.google.com/d/optout.

[leogrande]

Yes, it was a db connection issue but now I am getting Keycloak authentication errors. I have just edited my initial post to replace that initial issue with the new one. My bad. I had to just reply to my post, sorry. But that issue with the Keycloak still persists. Thank you.

[leogrande]

I am comparing dcm4chee-arc.xml from my working docker version of  dcm4chee-arc 5.14.1 (postgresql) with the dcm4chee-arc.xml from 5.15.1 (postgresql) standalone. It looks like 5.15.1 is missing mechanism-name="Keycloak" and some other entries, like <extension module="org.keycloak.keycloak-adapter-subsystem"/>

This is from the working docker version:

............................

                </http-authentication-factory>
                <http-authentication-factory name="application-http-authentication" security-domain="ApplicationDomain" http-server-mechanism-factory="global">
                    <mechanism-configuration>
                        <mechanism mechanism-name="BASIC">
                            <mechanism-realm realm-name="Application Realm"/>
                        </mechanism>
                        <mechanism mechanism-name="FORM"/>
                    </mechanism-configuration>
                </http-authentication-factory>
                <http-authentication-factory name="keycloak-http-authentication" security-domain="KeycloakDomain" http-server-mechanism-factory="keycloak-http-server-mechanism-factory">
                    <mechanism-configuration>
                        <mechanism mechanism-name="KEYCLOAK">
                            <mechanism-realm realm-name="KeycloakOIDCRealm" realm-mapper="keycloak-oidc-realm-mapper"/>
                        </mechanism>
                    </mechanism-configuration>
                </http-authentication-factory>
                <aggregate-http-server-mechanism-factory name="keycloak-http-server-mechanism-factory">
                    <http-server-mechanism-factory name="keycloak-oidc-http-server-mechanism-factory"/>
                    <http-server-mechanism-factory name="global"/>
                </aggregate-http-server-mechanism-factory>
                <provider-http-server-mechanism-factory name="global"/>
                <service-loader-http-server-mechanism-factory name="keycloak-oidc-http-server-mechanism-factory" module="org.keycloak.keycloak-wildfly-elytron-oidc-adapter"/>
            </http>

..........................................

$WILDFLY_HOME/bin/jboss-cli.sh -c

/subsystem=keycloak/secure-deployment=dcm4chee-arc-ui2-5.15.1-secure.war/:add(realm=dcm4che,resource=dcm4chee-arc-ui,auth-server-url=http://localhost:8880/auth,ssl-required=external,public-client=true)
Failed to get the list of the operation properties: "WFLYCTL0030: No resource definition is registered for address [
    ("subsystem" => "keycloak"),
    ("secure-deployment" => "dcm4chee-arc-ui2-5.15.1-secure.war")

When I was trying, during the installation process, to log into:

http://<host>:8880/auth/

I got an error message ".Sorry, HTTPS required......"

So, I used https://host:8843/auth and it worked out.

Therefore, I am not sure about   auth-server-url=http://localhost:8880/auth

[Gunter Zeilinger]

Did you followed https://github.com/dcm4che/dcm4chee-arc-light/wiki/Secure-Archive-UI-and-RESTful-Services-using-Keycloak for securing a standalone installation?

On Tue, Jan 22, 2019 at 11:46 PM leogrande <leon....@gmail.com> wrote:

I am comparing dcm4chee-arc.xml from my working docker version of  dcm4chee-arc 5.14.1 (postgresql) with the dcm4chee-arc.xml from 5.15.1 (postgresql) standalone. It looks like 5.15.1 it is missing mechanism-name="Keycloak" and some other entries, like <extension module="org.keycloak.keycloak-adapter-subsystem"/>

On Tuesday, January 22, 2019 at 2:59:02 PM UTC-5, leogrande wrote:

Yes, it was a db connection issue but now I am getting Keycloak authentication errors. I have just edited my initial post to replace that initial issue with the new one. My bad. I had to just reply to my post, sorry. But that issue with the Keycloak still persists. Thank you.

On Tuesday, January 22, 2019 at 2:40:33 PM UTC-5, gunterze wrote:

Check your DB (connection configuration)!

On Tue, Jan 22, 2019 at 6:15 PM leogrande <leon....@gmail.com> wrote:

This is what I got when I was trying to deploy dcm4chee-arc-ear-5.15.1-psql-secure-ui.ear on ec2 Ubuntu 18.04.

deploy /mnt/data/dcm4chee-arc/deploy/dcm4chee-arc-ear-5.15.1-psql-secure-ui.ear
{"WFLYCTL0062: Composite operation failed and was rolled back. Steps that failed:" => {"Operation step-2" => {"WFLYCTL0080: Failed services" => {"jboss.persistenceunit.\"dcm4chee-arc-ear-5.15.1-psql-secure-ui.ear#dcm4chee-arc\"" => "org.hibernate.service.spi.ServiceException: Unable to create requested service [org.hibernate.engine.jdbc.env.spi.JdbcEnvironment]
    Caused by: org.hibernate.service.spi.ServiceException: Unable to create requested service [org.hibernate.engine.jdbc.env.spi.JdbcEnvironment]
    Caused by: org.hibernate.HibernateException: Access to DialectResolutionInfo cannot be null when 'hibernate.dialect' not set"},

--
You received this message because you are subscribed to the Google Groups "dcm4che" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dcm4che+u...@googlegroups.com.
To post to this group, send email to dcm...@googlegroups.com.
Visit this group at https://groups.google.com/group/dcm4che.
For more options, visit https://groups.google.com/d/optout.

[leogrande]

Yes, I did.

And it is becoming especially exciting when you are almost there and there are just 2 steps (out of all zillion ones) left to the finish.

/subsystem=keycloak/secure-

deployment=dcm4chee-arc-ui2-5.15.1-secure.war/:add(realm=dcm4che,resource=dcm4chee-arc-ui,auth-server-url=http://localhost:8880/auth,ssl-required=external,public-client=true)
Failed to get the list of the operation properties: "WFLYCTL0030: No resource definition is registered for address [
    ("subsystem" => "keycloak"),
    ("secure-deployment" => "dcm4chee-arc-ui2-5.15.1-secure.war")

I have tried this installation for several times.

openLDAP is functioning (with all necessary ldif's imported). BTW, your 5.15.1 psql package is missing some ldif files. Keycloak is up an running and happily communicates (I believe) with the slapd. Wildfly is running and responsive to all steps but that one described above. Probably I need to return to the docker version. Just wanted to have a full/standalone dcm4chee-arc on a ec2 instance.

[vrinda...@j4care.com]

Most of the steps for Wildfy Configuration setup have been repeated from the Installation page (used for unsecured archive) to avoid the user to switch between  Secure Archive UI and RESTful Services using Keycloak and Installation pages while doing the setup.

It seems, you have not installed the keycloak wildfly adapter. Make sure you have followed/completed the step

Install the Keycloak Wildfly Adapter

[leogrande]

If you mean the next steps, I did install the Keycloak Client Adapter for Wildfly:

• Unzip the Wildfly and then inside of your wildfly location unzip the Keycloak Client Adapter for Wildfly.

• Install the Keycloak Wildfly Adapter

> $WILDFLY_HOME/bin/jboss-cli.sh -c --file=adapter-install.cli

keycloak-wildfly-adapter-dist-4.6.0
wildfly-12.0.0.Final
keycloak-4.6.0.Final

[leogrande]

I have just checked this:

ls subsystem=security/security-domain=keycloak/authentication=classic
login-module
login-modules=[{"code" => "org.keycloak.adapters.jboss.KeycloakLoginModule","flag" => "required","module" => undefined,"module-options" => undefined}]

But when I checked :

ls extension

org.keycloak.keycloak-adapter-subsystem was for some reasons was missing.

So I created a new adapter-install-changed.cli file with only the next lines:

/extension=org.keycloak.keycloak-adapter-subsystem/:add(module=org.keycloak.keycloak-adapter-subsystem)
/subsystem=keycloak:add

Just to add a missing extension and a subsystem.

I was able to run this command:

/subsystem=keycloak/secure-deployment=dcm4chee-arc-ui2-5.15.1-secure.war/:add(realm=dcm4che,resource=dcm4chee-arc-ui,auth-server-url=http://127.0.0.1:8880/auth,ssl-required=external,public-client=true)

But now I can't deploy dcm4chee-arc-ear-5.15.1-psql-secure-ui.ear

I will try to figure it out.

[vrinda...@j4care.com]

This should have been added automatically when you run the below command. I don't see any reason why it could have been missing even after you ran the below command successfully.

- Install the Keycloak Wildfly Adapter
    ````
    > $WILDFLY_HOME/bin/jboss-cli.sh -c --file=adapter-install.cli [UNIX]
    > %WILDFLY_HOME%\bin\jboss-cli.bat -c --file=adapter-install.cli [Windows]
    ````

I have myself verified all the steps again by doing a complete re-install of Wildfly 12 and Keycloak 4.6 in standalone mode and it works if all the steps were followed exactly as described.

Also, I have not encountered yet any error message stating : Sorry, HTTPS required when tried to login to Keycloak admin console at http://<host>:8880/auth replacing in my case <host> with localhost.

Attached server logs of Wildfly and Keycloak standalone system and successful login screenshot for reference.

[leogrande]

 Yes, it should, but in my case it didn't. I do not blame your instructions. And I didn't make up this story, it just happened to me, that's all.

"...Also, I have not encountered yet any error message stating : Sorry, HTTPS required when tried to login to Keycloak admin console at http://<host>:8880/auth replacing in my case <host> with localhost..."

I am using  0.0.0.0 (IP address bind) for the Keycloak server to be able to access it remotely. I connected to it (on the ec2 instance) http://<ec2-dns-name>:8880/auth and I got this message, but this is not an error actually, It just requires https for the external access.

That is why I used https://http://<ec2-dns-name>:8843/auth

Now I understand this.

For the local communications between Wildfly and Keycloak http://<host>:8880/auth should work.

[vrinda...@j4care.com]

Never mentioned that the story was made up or wiki instructions were blamed, it's just that the root cause for org.keycloak.keycloak-adapter-subsystem extension to be missing could be that the adapter-install.cli may not have been run (or something else went wrong while running it), else I'm at loss of words as to why this extension could be missing, that's all.