This docker image provides Keycloak Authentication Server initialized for securing the DICOM Archive dcm4chee-arc-light.
See Running on Docker at the dcm4che Archive 5 Wiki.
Below explained environment variables can be set as per one's application to override the default values if need be.
An example of how one can set an env variable in docker run command is shown below :
-e KEYCLOAK_DEVICE_NAME=my-keycloak
Note : If default values of any environment variables were overridden in startup of slapd container,
then ensure that the same values are also used for overriding the defaults during startup of keycloak container.
URL for accessing LDAP (optional, default is ldap://ldap:389).
Base domain name for LDAP (optional, default is dc=dcm4che,dc=org).
Password to use to authenticate to LDAP (optional, default is secret).
Password to use to authenticate to LDAP via file input (alternative to LDAP_ROOTPASS).
Indicates to disable the verification of the hostname of the certificate of the LDAP server,
if using TLS (LDAP_URL=ldaps://<host>:<port>) (optional, default is true).
Device name to lookup in LDAP for Audit Logging configuration (optional, default is keycloak).
By default there is no admin user created so you won't be able to login to the admin console of the Keycloak master
realm. To create an admin account you may use environment variables KEYCLOAK_USER and KEYCLOAK_PASSWORD to pass in
an initial username and password.
You can also create an account on an already running container by running:
$ docker exec <CONTAINER> add-user-keycloak.sh -u <USERNAME> -p <PASSWORD>
Then restarting the container:
$ docker restart <CONTAINER>
Keycloak admin user via file input (alternative to KEYCLOAK_USER).
User's password to use to authenticate to the Keycloak master realm.
User's password to use to authenticate to the Keycloak master realm via file input (alternative to KEYCLOAK_PASSWORD).
Path to JSON file with (previous exported)
realm configuration to be imported on startup, if such realm does not already exists. Default is
"/opt/keycloak/standalone/configuration/dcm4che-realm.json", provided by the docker image, customizable by
environment variables:
Realm name (default is dcm4che).
Defining the SSL/HTTPS requirements for interacting with the realm:
none- HTTPS is not required for any client IP addressexternal- private IP addresses can access without HTTPSall- HTTPS is required for all IP addresses
(default is external).
Indicates if Keycloak should validate the password with the realm password policy before updating it
(default value is false).
If this is enabled then the X-Forwarded-For and X-Forwarded-Proto headers will be used to determine the peer address.
This allows applications that are behind a proxy to see the real address of the client, rather than the address
of the proxy. (optional, default is false).
HTTP port of Keycloak (optional, default is 8080).
HTTPS port of Wildfly (optional, default is 8443).
HTTPS port to redirect requests that require security too. (optional, default is 8443).
Have to be set different to HTTPS_PORT, if running behind a HTTPS/SSL reverse proxy listing on a different port.
HTTP port of Wildfly Administration Console (optional, default is 9990).
HTTPS port of Wildfly Administration Console (optional, default is 9993).
User role to identify super users, which have unrestricted access to all UI functions of the Archive. Login/Logout of
such users will emit an Audit Message for Security Alert
with Event Type Code: (110127,DCM,"Emergency Override Started")/(110138,DCM,"Emergency Override Stopped").
Optional, default is root.
Path to keystore file with private key and certificate for HTTPS (default is
/opt/keycloak/standalone/configuration/keystore/key.p12, with sample key + certificate:
Subject - CN=PACS_J4C,O=J4CARE,C=AT
Issuer - CN=IHE Europe CA, O=IHE Europe, C=FR
Valid From - Sun Apr 02 06:38:46 UTC 2017
Valid To - Fri Apr 02 06:38:46 UTC 2027
MD5 : 7a:b3:f7:5d:cf:6e:84:34:be:5a:7a:12:95:fa:46:76
SHA1 : a9:36:b3:b4:60:63:22:9e:f4:ae:41:d3:3b:97:ca:be:9b:a9:32:e9
provided by the docker image only for testing purpose).
Password used to protect the integrity of the keystore specified by KEYSTORE (default is secret).
Password used to protect the integrity of the keystore specified by KEYSTORE via file input
(alternative to KEYSTORE_PASSWORD).
Password used to protect the private key in the keystore specified by KEYSTORE
(default is value of KEYSTORE_PASSWORD).
Password used to protect the private key in the keystore specified by KEYSTORE via file input
(alternative to KEY_PASSWORD).
Type (JKS or PKCS12) of the keystore specified by KEYSTORE (default is PKCS12).
Path to keystore file with trusted certificates for TLS (optional, default is the default Java truststore
/usr/local/openjdk-11/lib/security/cacerts). s.o. EXTRA_CACERTS.
Password used to protect the integrity of the keystore specified by TRUSTSTORE (optional, default is changeit).
Password used to protect the integrity of the keystore specified by TRUSTSTORE via file input
(alternative to TRUSTSTORE_PASSWORD).
Type (JKS or PKCS12) of the keystore specified by TRUSTSTORE (optional, default is JKS).
Path to keystore file with CA certificates imported to default Java truststore (optional, default is
/opt/keycloak/standalone/configuration/keystore/cacerts.p12, with sample CA certificate:
Subject - CN=IHE Europe CA,O=IHE Europe,C=FR
Issuer - CN=IHE Europe CA,O=IHE Europe,C=FR
Valid From - Fri Sep 28 11:19:29 UTC 2012
Valid To - Wed Sep 28 11:19:29 UTC 2022
MD5 : 64:b6:1b:0f:8d:84:17:da:23:e4:e5:1c:56:ba:06:5d
SHA1 : 54:e0:10:c6:4a:fe:2c:aa:20:3f:50:95:45:82:cb:53:55:6b:07:7f
provided by the docker image only for testing purpose).
Password used to protect the integrity of the keystore specified by EXTRA_CACERTS (optional, default is secret).
Password used to protect the integrity of the keystore specified by EXTRA_CACERTS via file input
(alternative to EXTRA_CACERTS_PASSWORD).
Comma separated list of enabled TLS protocols (SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3)
(optional, default is TLSv1.2).
The filter to apply to specify the enabled cipher suites for TLSv1.2 and below. See
javadoc
for possible values. (optional, default is DEFAULT).
Specifies if Keycloak shall verify the hostname of the server’s certificate on outgoing HTTPS requests. Accepted values are:
ANY- the hostname is not verified.WILDCARD- allows wildcards in subdomain names i.e.*.foo.com.STRICT- CN must match hostname exactly.
Default value is ANY.
If true, certificate checking will include the default set of root CA certificates in the JDK
additionally to CA certificates in TRUSTSTORE (optional, default is false).
Java VM options (optional, default is "-Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true").
Indicates to delay the start of keycloak until specified TCP ports become accessible. Format: <host>:<port> ..., e.g.: ldap:389 logstash:8514.
Logstash/GELF Logger configuration:
Hostname/IP-Address of the Logstash host. Required for emitting system logs to Logstash.
Name of the Facility (optional, default is keycloak).
Log-Level threshold (optional, default is WARN).
Indicates if the Stack-Trace shall be sent in the StackTrace field (optional, default is true).
Indicates if Stack-Trace filtering shall be performed (optional, default is true).
DB vendor. Supported values are:
h2- use embedded H2 database,postgres- use external PostgreSQL database,mysql- use external MySQL and MariaDB database with MySQL Connector/J JDBC Drivermariadb- use external MariaDB database with MariaDB Connector/J JDBC Driveroracle- use external Oracle database.
(optional, default is h2).
JDBC driver connection URL. Not effective with embedded H2 database. Optional, default depends on external database:
DB_VENDOR |
default |
|---|---|
postgres |
jdbc:postgresql://db:5432/keycloak |
mysql |
jdbc:mysql://db:3306/keycloak?characterEncoding=UTF-8 |
mariadb |
jdbc:mariadb://db:3306/keycloak?characterEncoding=UTF-8 |
oracle |
jdbc:oracle:thin:@db:1521:keycloak |
Maximum number of pooled DB connections (optional, default is 20).
User to authenticate to the external database (optional, default is keycloak).
User to authenticate to the external database via file input (alternative to KEYCLOAK_DB_USER).
User's password to use to authenticate to the external database (optional, default is keycloak).
User's password to use to authenticate to the external database via file input (alternative to DB_PASSWORD).
Requires use of external Postgres or MySQL/MariaDB database to persist data.
JGroups server socket bind address (optional, default $(hostname -i) or select particular container IP according JGROUPS_BIND_IP_PREFIX).
JGroups server socket bind address prefix used to select particular container IP if no JGROUPS_BIND_IP is specified.
JGroups TCP stack port (optional, default is 7600).
IP address of this host - must be accessible by the other Keycloak instances.
IP address and port of all hosts (e.g.: "172.21.48.4[7600],172.21.48.39[7600]")