Replace certificates in LDAP by Truststore configuration in default c…

…onfiguration #1733

dcm4chee-arc-assembly/src/main/resources/ldap/default-config.ldif

@@ -3,9 +3,15 @@ version: 1
 dn: dicomDeviceName=keycloak,cn=Devices,cn=DICOM Configuration,dc=dcm4che,dc=org
 dicomInstalled: TRUE
 dicomDeviceName: keycloak
+dcmTrustStoreType: JKS
+dcmKeyStorePin: secret
+dcmKeyStoreType: JKS
+dcmKeyStoreURL: ${jboss.server.config.url}/dcm4chee-arc/key.jks
 objectClass: dicomDevice
 objectClass: dcmDevice
 dicomPrimaryDeviceType: AUTH
+dcmTrustStorePin: secret
+dcmTrustStoreURL: ${jboss.server.config.url}/dcm4chee-arc/cacerts.jks
 
 dn: dicomDeviceName=logstash,cn=Devices,cn=DICOM Configuration,dc=dcm4che,dc=org
 dicomInstalled: TRUE
@@ -18,12 +24,14 @@ dn: dicomDeviceName=dcm4chee-arc,cn=Devices,cn=DICOM Configuration,dc=dcm4che,dc
 dcmSendPendingCMoveInterval: PT5S
 dcmQidoMaxNumberOfResults: 1000
 dcmIanTaskPollingInterval: PT1M
+dcmTrustStoreType: JKS
 dcmAECacheStaleTimeout: PT5M
 dcmFuzzyAlgorithmClass: org.dcm4che3.soundex.ESoundex
 dcmWadoCDA2HtmlTemplateURI: /dcm4chee-arc/xsl/cda.xsl
 dcmAudit2XmlFhirTemplateURI: ${jboss.server.temp.url}/dcm4chee-arc/audit2xml+fhir.xsl
 dcmExportTaskPollingInterval: PT1M
 dcmKeyStoreType: JKS
+dcmTrustStoreURL: ${jboss.server.config.url}/dcm4chee-arc/cacerts.jks
 dcmRejectExpiredStudiesAETitle: DCM4CHEE
 dcmKeyStoreURL: ${jboss.server.config.url}/dcm4chee-arc/key.jks
 dcmWadoSupportedSRClasses: 1.2.840.10008.5.1.4.1.1.88.74
@@ -50,7 +58,6 @@ dcmAuditSpoolDirectory: ${jboss.server.data.dir}/audit-spool
 objectClass: dicomDevice
 objectClass: dcmDevice
 objectClass: dcmArchiveDevice
-objectClass: pkiUser
 hl7PatientUpdateTemplateURI: ${jboss.server.temp.url}/dcm4chee-arc/hl7-adt2dcm.xsl
 dcmStorageVerificationAETitle: DCM4CHEE
 dcmWadoSR2HtmlTemplateURI: ${jboss.server.temp.url}/dcm4chee-arc/dsr2html.xsl
@@ -66,11 +73,11 @@ dcmPurgeStgCmtPollingInterval: PT1H
 dcmRejectExpiredStudiesFetchSize: 10
 dicomPrimaryDeviceType: ARCHIVE
 hl7ImportReportTemplateURI: ${jboss.server.temp.url}/dcm4chee-arc/hl7-oru2dsr.xsl
-dicomAuthorizedNodeCertificateReference: dicomDeviceName=dcm4chee-arc,cn=Devices,cn=DICOM Configuration,dc=dcm4che,dc=org
 dcmPurgeStgCmtCompletedDelay: P1D
 dicomManufacturer: dcm4che.org
 dcmExternalRetrieveAEDestination: DCM4CHEE
 hl7ScheduleProcedureTemplateURI: ${jboss.server.temp.url}/dcm4chee-arc/hl7-order2dcm.xsl
+dcmTrustStorePin: secret
 dcmAuditRecordRepositoryURL: http://kibana:5601
 dcmXDSiImagingDocumentSourceAETitle: DCM4CHEE
 dcmWadoSR2TextTemplateURI: ${jboss.server.temp.url}/dcm4chee-arc/dsr2text.xsl
@@ -94,7 +101,6 @@ dcmHideSPSWithStatusFromMWL: CANCELLED
 dcmHideSPSWithStatusFromMWL: DISCONTINUED
 dcmHideSPSWithStatusFromMWL: COMPLETED
 dcmAuditAggregateDuration: PT1M
-userCertificate;binary:: MIIDHTCCAoagAwIBAgIBATANBgkqhkiG9w0BAQ0FADA6MQswCQYDVQQGEwJGUjETMBEGA1UECgwKSUhFIEV1cm9wZTEWMBQGA1UEAwwNSUhFIEV1cm9wZSBDQTAeFw0xMjA5MjgxMTE5MjlaFw0yMjA5MjgxMTE5MjlaMDoxCzAJBgNVBAYTAkZSMRMwEQYDVQQKDApJSEUgRXVyb3BlMRYwFAYDVQQDDA1JSEUgRXVyb3BlIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCuLWUWgF2L5igJIQ1pWFw/Yk5ZcMG4JPw13GLxn+7nufHHq/xgzxJxFLoY/kL8WUgg+QiCBv6yecXy3qJeb6DjuQJ+k2KHSKQxyN4fpfZdeNVc6w5qNOmMFKixS0ntax/4RXNBgP7IbKq2+fr1QscFZo0X6qWdO9OvL9RgSmGMNQIDAQABo4IBMTCCAS0wPQYDVR0fBDYwNDAyoDCgLoYsaHR0cDovL2dhemVsbGUuaWhlLm5ldC9wa2kvY3JsLzY0My9jYWNybC5jcmwwOwYJYIZIAYb4QgEEBC4WLGh0dHA6Ly9nYXplbGxlLmloZS5uZXQvcGtpL2NybC82NDMvY2FjcmwuY3JsMDsGCWCGSAGG+EIBAwQuFixodHRwOi8vZ2F6ZWxsZS5paGUubmV0L3BraS9jcmwvNjQzL2NhY3JsLmNybDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU7DMOE8giXqLha69De3pd0ndzHX4wHwYDVR0jBBgwFoAU7DMOE8giXqLha69De3pd0ndzHX4wEQYJYIZIAYb4QgEBBAQDAgAHMA0GCSqGSIb3DQEBDQUAA4GBAFfPfr/Cjk/ZBsDI9SdHGYqlHAJaJaJX/fpXIu3akEZxCPzMJkTeDDHvUOGaaP7bAHGnTBsS8rR9CD6gyUVJmrC/fk6/QoYFVaPNOGG2M1KnA14bwhriYLXV1INsUwj/jUTdSSvrPgV8XddgM8VgBLAX59VH94jufDPOPqwV1++P
 
 dn: dicomDeviceName=scheduledstation,cn=Devices,cn=DICOM Configuration,dc=dcm4che,dc=org
 dicomInstalled: TRUE

dcm4chee-arc-assembly/src/main/resources/ldap/sample-config.ldif

@@ -84,9 +84,15 @@ dicomInstitutionName: Site B
 dn: dicomDeviceName=keycloak,cn=Devices,cn=DICOM Configuration,dc=dcm4che,dc=org
 dicomInstalled: TRUE
 dicomDeviceName: keycloak
+dcmTrustStoreType: JKS
+dcmKeyStorePin: secret
+dcmKeyStoreType: JKS
+dcmKeyStoreURL: ${jboss.server.config.url}/dcm4chee-arc/key.jks
 objectClass: dicomDevice
 objectClass: dcmDevice
 dicomPrimaryDeviceType: AUTH
+dcmTrustStorePin: secret
+dcmTrustStoreURL: ${jboss.server.config.url}/dcm4chee-arc/cacerts.jks
 
 dn: dicomDeviceName=logstash,cn=Devices,cn=DICOM Configuration,dc=dcm4che,dc=org
 dicomInstalled: TRUE
@@ -126,14 +132,17 @@ dn: dicomDeviceName=dcm4chee-arc,cn=Devices,cn=DICOM Configuration,dc=dcm4che,dc
 dcmSendPendingCMoveInterval: PT5S
 dcmQidoMaxNumberOfResults: 1000
 dcmIanTaskPollingInterval: PT1M
+dcmTrustStoreType: JKS
 dcmAECacheStaleTimeout: PT5M
 dcmFuzzyAlgorithmClass: org.dcm4che3.soundex.ESoundex
 dcmWadoCDA2HtmlTemplateURI: /dcm4chee-arc/xsl/cda.xsl
 dcmAudit2XmlFhirTemplateURI: ${jboss.server.temp.url}/dcm4chee-arc/audit2xml+fhir.xsl
 dcmExportTaskPollingInterval: PT1M
 dcmKeyStoreType: JKS
+dcmTrustStoreURL: ${jboss.server.config.url}/dcm4chee-arc/cacerts.jks
 dcmRejectExpiredStudiesAETitle: DCM4CHEE
 dcmKeyStoreURL: ${jboss.server.config.url}/dcm4chee-arc/key.jks
+dcmAuditSpoolDirectory: ${jboss.server.data.dir}/audit-spool
 dcmWadoSupportedSRClasses: 1.2.840.10008.5.1.4.1.1.88.74
 dcmWadoSupportedSRClasses: 1.2.840.10008.5.1.4.1.1.88.40
 dcmWadoSupportedSRClasses: 1.2.840.10008.5.1.4.1.1.88.73
@@ -154,11 +163,9 @@ dcmWadoSupportedSRClasses: 1.2.840.10008.5.1.4.1.1.88.71
 dcmWadoSupportedSRClasses: 1.2.840.10008.5.1.4.1.1.79.1
 dcmWadoSupportedSRClasses: 1.2.840.10008.5.1.4.1.1.88.59
 dcmWadoSupportedSRClasses: 1.2.840.10008.5.1.4.1.1.78.6
-dcmAuditSpoolDirectory: ${jboss.server.data.dir}/audit-spool
 objectClass: dicomDevice
 objectClass: dcmDevice
 objectClass: dcmArchiveDevice
-objectClass: pkiUser
 hl7PatientUpdateTemplateURI: ${jboss.server.temp.url}/dcm4chee-arc/hl7-adt2dcm.xsl
 dcmStorageVerificationAETitle: DCM4CHEE
 dcmWadoSR2HtmlTemplateURI: ${jboss.server.temp.url}/dcm4chee-arc/dsr2html.xsl
@@ -175,12 +182,12 @@ dcmPurgeStgCmtPollingInterval: PT1H
 dcmRejectExpiredStudiesFetchSize: 10
 dicomPrimaryDeviceType: ARCHIVE
 hl7ImportReportTemplateURI: ${jboss.server.temp.url}/dcm4chee-arc/hl7-oru2dsr.xsl
-dicomAuthorizedNodeCertificateReference: dicomDeviceName=dcm4chee-arc,cn=Devices,cn=DICOM Configuration,dc=dcm4che,dc=org
 dcmPurgeStgCmtCompletedDelay: P1D
 dicomManufacturer: dcm4che.org
 dcmExternalRetrieveAEDestination: DCM4CHEE
 hl7ScheduleProcedureTemplateURI: ${jboss.server.temp.url}/dcm4chee-arc/hl7-order2dcm.xsl
 dcmSeriesMetadataDelay: PT2M
+dcmTrustStorePin: secret
 dcmAuditRecordRepositoryURL: http://kibana:5601
 dcmXDSiImagingDocumentSourceAETitle: DCM4CHEE
 dcmWadoSR2TextTemplateURI: ${jboss.server.temp.url}/dcm4chee-arc/dsr2text.xsl
@@ -205,7 +212,6 @@ dcmHideSPSWithStatusFromMWL: CANCELLED
 dcmHideSPSWithStatusFromMWL: DISCONTINUED
 dcmHideSPSWithStatusFromMWL: COMPLETED
 dcmAuditAggregateDuration: PT1M
-userCertificate;binary:: MIIDHTCCAoagAwIBAgIBATANBgkqhkiG9w0BAQ0FADA6MQswCQYDVQQGEwJGUjETMBEGA1UECgwKSUhFIEV1cm9wZTEWMBQGA1UEAwwNSUhFIEV1cm9wZSBDQTAeFw0xMjA5MjgxMTE5MjlaFw0yMjA5MjgxMTE5MjlaMDoxCzAJBgNVBAYTAkZSMRMwEQYDVQQKDApJSEUgRXVyb3BlMRYwFAYDVQQDDA1JSEUgRXVyb3BlIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCuLWUWgF2L5igJIQ1pWFw/Yk5ZcMG4JPw13GLxn+7nufHHq/xgzxJxFLoY/kL8WUgg+QiCBv6yecXy3qJeb6DjuQJ+k2KHSKQxyN4fpfZdeNVc6w5qNOmMFKixS0ntax/4RXNBgP7IbKq2+fr1QscFZo0X6qWdO9OvL9RgSmGMNQIDAQABo4IBMTCCAS0wPQYDVR0fBDYwNDAyoDCgLoYsaHR0cDovL2dhemVsbGUuaWhlLm5ldC9wa2kvY3JsLzY0My9jYWNybC5jcmwwOwYJYIZIAYb4QgEEBC4WLGh0dHA6Ly9nYXplbGxlLmloZS5uZXQvcGtpL2NybC82NDMvY2FjcmwuY3JsMDsGCWCGSAGG+EIBAwQuFixodHRwOi8vZ2F6ZWxsZS5paGUubmV0L3BraS9jcmwvNjQzL2NhY3JsLmNybDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU7DMOE8giXqLha69De3pd0ndzHX4wHwYDVR0jBBgwFoAU7DMOE8giXqLha69De3pd0ndzHX4wEQYJYIZIAYb4QgEBBAQDAgAHMA0GCSqGSIb3DQEBDQUAA4GBAFfPfr/Cjk/ZBsDI9SdHGYqlHAJaJaJX/fpXIu3akEZxCPzMJkTeDDHvUOGaaP7bAHGnTBsS8rR9CD6gyUVJmrC/fk6/QoYFVaPNOGG2M1KnA14bwhriYLXV1INsUwj/jUTdSSvrPgV8XddgM8VgBLAX59VH94jufDPOPqwV1++P
 
 dn: dicomDeviceName=scheduledstation,cn=Devices,cn=DICOM Configuration,dc=dcm4che,dc=org
 dicomInstalled: TRUE

dcm4chee-arc-assembly/src/main/resources/ldap/update-config-5.15.1.ldif

@@ -25,3 +25,41 @@ dcmTag: 00201208
 dcmAttributeSetType: QIDO_RS
 dcmAttributeSetID: study
 objectClass: dcmAttributeSet
+
+dn: dicomDeviceName=keycloak,cn=Devices,cn=DICOM Configuration,dc=dcm4che,dc=org
+changetype: modify
+add: dcmTrustStoreURL
+dcmTrustStoreURL: ${jboss.server.config.url}/dcm4chee-arc/cacerts.jks
+-
+add: dcmTrustStoreType
+dcmTrustStoreType: JKS
+-
+add: dcmTrustStorePin
+dcmTrustStorePin: secret
+-
+add: dcmKeyStoreURL
+dcmKeyStoreURL: ${jboss.server.config.url}/dcm4chee-arc/key.jks
+-
+add: dcmKeyStoreType
+dcmKeyStoreType: JKS
+-
+add: dcmKeyStorePin
+dcmKeyStorePin: secret
+
+dn: dicomDeviceName=dcm4chee-arc,cn=Devices,cn=DICOM Configuration,dc=dcm4che,dcm4che,dc=org
+changetype: modify
+add: dcmTrustStoreURL
+dcmTrustStoreURL: ${jboss.server.config.url}/dcm4chee-arc/cacerts.jks
+-
+add: dcmTrustStoreType
+dcmTrustStoreType: JKS
+-
+add: dcmTrustStorePin
+dcmTrustStorePin: secret
+-
+remove: dicomAuthorizedNodeCertificateReference
+-
+remove: userCertificate;binary
+-
+remove: objectClass
+objectClass: pkiUser

dcm4chee-arc-conf-test/src/test/java/org/dcm4chee/arc/conf/ArchiveDeviceFactory.java

@@ -77,7 +77,27 @@ class ArchiveDeviceFactory {
     enum ConfigType {
         DEFAULT,
         SAMPLE,
-        DOCKER
+        DOCKER {
+            @Override
+            void configureKeyAndTrustStore(Device device) {
+                device.setTrustStoreURL("file://${env.TRUSTSTORE}");
+                device.setTrustStoreType("JKS");
+                device.setTrustStorePin("${env.TRUSTSTORE_PASSWORD}");
+                device.setKeyStoreURL("file://${env.KEYSTORE}");
+                device.setKeyStoreType("${env.KEYSTORE_TYPE}");
+                device.setKeyStorePin("${env.KEYSTORE_PASSWORD}");
+                device.setKeyStoreKeyPin("${env.KEY_PASSWORD}");
+            }
+        };
+
+        void configureKeyAndTrustStore(Device device) {
+            device.setTrustStoreURL("${jboss.server.config.url}/dcm4chee-arc/cacerts.jks");
+            device.setTrustStoreType("JKS");
+            device.setTrustStorePin("secret");
+            device.setKeyStoreURL("${jboss.server.config.url}/dcm4chee-arc/key.jks");
+            device.setKeyStoreType("JKS");
+            device.setKeyStorePin("secret");
+        }
     }
     static final String[] OTHER_DEVICES = {
             "scheduledstation",
@@ -1007,16 +1027,6 @@ private static AuditSuppressCriteria suppressAuditQueryFromArchive() {
 
     static final String AE_TITLE = "DCM4CHEE";
     static final String DCM4CHEE_ARC_VERSION = "5.15.1";
-    static final String DCM4CHEE_ARC_KEY_JKS = "${jboss.server.config.url}/dcm4chee-arc/key.jks";
-    static final String DCM4CHEE_ARC_TRUSTSTORE_URL = "${jboss.server.config.url}/dcm4chee-arc/cacerts.jks";
-    static final String DCM4CHEE_ARC_KEY_TYPE = "JKS";
-    static final String DCM4CHEE_ARC_KEY_PIN = "secret";
-    static final String DOCKER_TRUSTSTORE_URL = "file://${env.TRUSTSTORE}";
-    static final String DOCKER_TRUSTSTORE_PIN = "${env.TRUSTSTORE_PASSWORD}";
-    static final String DOCKER_KEY_JKS = "file://${env.KEYSTORE}";
-    static final String DOCKER_KEYSTORE_TYPE = "${env.KEYSTORE_TYPE}";
-    static final String DOCKER_KEYSTORE_PIN = "${env.KEYSTORE_PASSWORD}";
-    static final String DOCKER_KEY_PIN = "${env.KEY_PASSWORD}";
     static final String HL7_ADT2DCM_XSL = "${jboss.server.temp.url}/dcm4chee-arc/hl7-adt2dcm.xsl";
     static final String HL7_DCM2ADT_XSL = "${jboss.server.temp.url}/dcm4chee-arc/hl7-dcm2adt.xsl";
     static final String DSR2HTML_XSL = "${jboss.server.temp.url}/dcm4chee-arc/dsr2html.xsl";
@@ -1235,7 +1245,7 @@ public static Device createKeycloakDevice(String name, Device arrDevice, ConfigT
         device.setInstalled(true);
         device.setPrimaryDeviceTypes("AUTH");
         addAuditLoggerDeviceExtension(device, arrDevice, keycloakHost);
-        configureTrustStore(device, configType);
+        configType.configureKeyAndTrustStore(device);
         return device;
     }
 
@@ -1285,7 +1295,8 @@ public static Device createArchiveDevice(String name, ConfigType configType, Dev
         device.setManufacturerModelName("dcm4chee-arc");
         device.setSoftwareVersions(DCM4CHEE_ARC_VERSION);
         device.setPrimaryDeviceTypes("ARCHIVE");
-        configureTrustStore(device, configType);
+
+        configType.configureKeyAndTrustStore(device);
 
         device.addApplicationEntity(createAE(AE_TITLE, "Hide instances rejected for Quality Reasons",
                 dicom, dicomTLS, HIDE_REJECTED_VIEW, true, true, true, configType, USER_AND_ADMIN));
@@ -1319,30 +1330,6 @@ public static Device createArchiveDevice(String name, ConfigType configType, Dev
         return device;
     }
 
-    private static void configureTrustStore(Device device, ConfigType configType) {
-        device.setTrustStoreType(DCM4CHEE_ARC_KEY_TYPE);
-        if (configType == ConfigType.DOCKER) {
-            configureTrustStoreDocker(device);
-            return;
-        }
-
-        device.setTrustStoreURL(DCM4CHEE_ARC_TRUSTSTORE_URL);
-        device.setTrustStorePin(DCM4CHEE_ARC_KEY_PIN);
-        device.setKeyStoreURL(DCM4CHEE_ARC_KEY_JKS);
-        device.setKeyStoreType(DCM4CHEE_ARC_KEY_TYPE);
-        device.setKeyStorePin(DCM4CHEE_ARC_KEY_PIN);
-        device.setKeyStoreKeyPin(DCM4CHEE_ARC_KEY_PIN);
-    }
-
-    private static void configureTrustStoreDocker(Device device) {
-        device.setTrustStoreURL(DOCKER_TRUSTSTORE_URL);
-        device.setTrustStorePin(DOCKER_TRUSTSTORE_PIN);
-        device.setKeyStoreURL(DOCKER_KEY_JKS);
-        device.setKeyStoreType(DOCKER_KEYSTORE_TYPE);
-        device.setKeyStorePin(DOCKER_KEYSTORE_PIN);
-        device.setKeyStoreKeyPin(DOCKER_KEY_PIN);
-    }
-
     private static WebApplication createWebApp(
             String name, String desc, String path, String aet, Connection http, Connection https,
             WebApplication.ServiceClass... serviceClasses) {