How to Install secured version of DCM4CHEE Archive (Secure UI and Secure RESTful) Wildfly and Keycloak
Please follow https://github.com/dcm4che/dcm4chee-arc-light/wiki/Installation for the LDAP, database and related configuration. This page only covers what is different for a new installation of the secured version of the archive.
Installation and Configuration
Get the latest Java 8, Wildfly-10.0.0.Final, Keycloak-overlay-2.4.0.Final and Keycloak-wildfly-adapter-dist-2.4.0.Final
Unzip the keycloak overlay and wildfly adapter zip files into your Wildfly directory.
The Java EE 7 Full Profile configuration (standalone-full.xml, the Full Profile shipped with Wildfly 10) can be used as base configuration. To preserve the original WildFly configuration, copy it to a new file and do all further changes there:

```
> cd $WILDFLY_HOME/standalone/configuration/
> cp standalone-full.xml dcm4chee-arc.xml
```
Modify $WILDFLY_HOME/bin/keycloak-install.cli so that it targets the new configuration file instead of standalone.xml: change

```
embed-server --server-config=standalone.xml
```

to

```
embed-server --server-config=dcm4chee-arc.xml
```

Then run the script from $WILDFLY_HOME/bin to add the Keycloak server subsystem to the Wildfly server configuration. The script embeds its own server instance, so run it while Wildfly is stopped (use jboss-cli.sh on Linux):

```
> cd $WILDFLY_HOME/bin
> jboss-cli.bat --file=keycloak-install.cli
```
In dcm4chee-arc.xml, in the keycloak-server subsystem section, add the dcm4che audit provider module and the dcm4che-rest eventsListener provider, as shown below. The value of the includes property is a JSON array, so the inner double quotes have to be written as &quot; inside the XML attribute; literal double quotes there make the file unparseable and Wildfly will not start:

```xml
...........
<subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
    <web-context>auth</web-context>
    <providers>
        ..........
        <provider>
            module:org.dcm4che.audit-keycloak
        </provider>
    </providers>
    ............
    <spi name="eventsListener">
        <provider name="dcm4che-rest" enabled="true">
            <properties>
                <property name="includes" value="[&quot;LOGIN&quot;, &quot;LOGIN_ERROR&quot;, &quot;LOGOUT&quot;, &quot;LOGOUT_ERROR&quot;]"/>
            </properties>
        </provider>
    </spi>
    ...........
</subsystem>
...........
```
Build the dcm4chee-arc-light project with the secure-ui profile, as below. (Note: use the secure profile instead if you also need the secured version of the RESTful services.)

```
mvn clean install -P secure-ui
```
Update the DCM4CHE dcm4chee-arc-light libraries as JBoss modules:

```
> cd $WILDFLY_HOME
> unzip $DCM4CHEE_ARC/jboss-modules/dcm4che-jboss-modules-5.x-dcm4chee-arc-light.zip
```
Start Wildfly with the new configuration file (standalone.bat -c dcm4chee-arc.xml, or standalone.sh -c dcm4chee-arc.xml on Linux) and run the command below to install the Keycloak adapter subsystem. Unlike keycloak-install.cli, this script connects to the running server (-c), so the server must be up and must have been started with dcm4chee-arc.xml, otherwise the subsystem ends up in the wrong configuration file:

```
> cd $WILDFLY_HOME/bin
> jboss-cli.bat -c --file=adapter-install.cli
```
Open the Keycloak admin console at http://localhost:8080/auth and create the initial Keycloak admin user. The examples on this page use the following credentials; choose a strong password for anything other than a local test installation:

http://localhost:8080/auth User/Password : admin/admin
Add a new Realm

Name : dcm4che

Note down its Public Key; it is needed when the Keycloak adapter is configured in the Wildfly configuration for the secure UI and for the secure RESTful services (see the steps below).
Create a new Client 'dcm4chee-arc-ui' in the 'dcm4che' realm

- Client Id : dcm4chee-arc-ui
- Valid Redirect URIs : http://localhost:8080/dcm4chee-arc/ui/*
- Admin URL : http://localhost:8080/dcm4chee-arc/ui/
- Access Type : Confidential

Note down its Secret under the Credentials tab; it is needed when the Keycloak adapter is configured in the Wildfly configuration for the secure UI (see the steps below). Keep the redirect URI wildcard restricted to the application path as shown; a bare * would let any site receive the authorization code.

Create a new Client 'dcm4chee-arc-rs' in the 'dcm4che' realm (do this step only if you also need the secured version of the RESTful services)

- Client Id : dcm4chee-arc-rs
- Valid Redirect URIs : http://localhost:8080/dcm4chee-arc/aets/*
- Admin URL : http://localhost:8080/dcm4chee-arc/aets/
- Access Type : Confidential

Note down its Secret under the Credentials tab; it is needed when the Keycloak adapter is configured in the Wildfly configuration for the secure RESTful services (see the steps below).
The default roles and users can be set up in either of two ways. Follow exactly one of them, not both.

First alternative: import the default-users.ldif file directly into LDAP. This file contains the default roles and users. If you take this alternative you also need to complete the section Keycloak User Storage Federation below, so that Keycloak reads users and roles from LDAP.

Second alternative: create the roles and users directly in the Keycloak realm:

a. Add 2 new Roles

- Role name : admin
- Role name : user

b. Add 2 new Users

- Username : user. Under the Role Mappings tab, map the _**user**_ role to this newly created user. Under the Credentials tab, set the Password for this user.
- Username : admin. Under the Role Mappings tab, map the _**user**_ and _**admin**_ roles to this newly created user. Under the Credentials tab, set the Password for this user.
In the Events section, under the Config tab (Events Config), add dcm4che-rest as an Event Listener and save. This is the eventsListener provider declared in the keycloak-server subsystem of dcm4chee-arc.xml; without this step the provider is configured but never receives the login and logout events.
You may now log out, stop Wildfly and do the rest of the installation steps for Wildfly as given in https://github.com/dcm4che/dcm4chee-arc-light/wiki/Installation#setup-wildfly : Step no. 1, Step nos. 4-14
Restart Wildfly and deploy the secured version of the DCM4CHEE archive:

```
[standalone@localhost:9999 /] deploy $DCM4CHEE_ARC/deploy/dcm4chee-arc-ear-5.x-psql-secure-ui.ear
```
To configure Keycloak settings (done in steps above) in Wildfly configuration for secure UI
To configure Keycloak settings (done in steps above) in Wildfly configuration for secure RESTful services
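As an added example (not part of the original page and not the dcm4chee-arc-light project's own configuration), this is what the Keycloak adapter subsystem in dcm4chee-arc.xml can look like once the dcm4che realm and the two confidential clients from the steps above exist, for both the secure UI and the secure RESTful services. The shared `<realm>` element holds the realm public key and server URL once, and each `<secure-deployment>` references it. The deployment names `dcm4chee-arc-ui-5.x-secure-ui.war` and `dcm4chee-arc-rs-5.x-secure.war`, the subsystem namespace version and the REPLACE-WITH placeholders are assumptions: take the real `.war` names from the EAR you deploy (`unzip -l` on the EAR lists them), the public key from the dcm4che realm, and the secrets from the Credentials tab of each client.

```xml
<!-- Added example, not from the original page: Keycloak adapter subsystem for dcm4chee-arc.xml.
     adapter-install.cli adds an empty subsystem element; replace it with a block like this.
     Deployment names, namespace version and placeholder values are assumptions. -->
<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
    <!-- Settings shared by every secured deployment below -->
    <realm name="dcm4che">
        <!-- Public key of the dcm4che realm as shown in the admin console (single base64 line) -->
        <realm-public-key>REPLACE-WITH-REALM-PUBLIC-KEY</realm-public-key>
        <auth-server-url>http://localhost:8080/auth</auth-server-url>
        <!-- "external" only enforces HTTPS for non-private addresses; use "all" outside a local
             test setup, otherwise tokens and the client secret travel in clear text. Must agree
             with the realm's own "Require SSL" setting. -->
        <ssl-required>external</ssl-required>
    </realm>

    <!-- Secure UI. The name must match the war inside the deployed EAR (assumed name). -->
    <secure-deployment name="dcm4chee-arc-ui-5.x-secure-ui.war">
        <realm>dcm4che</realm>
        <!-- Client Id of the confidential client created in the realm -->
        <resource>dcm4chee-arc-ui</resource>
        <!-- Secret from the Credentials tab of client dcm4chee-arc-ui -->
        <credential name="secret">REPLACE-WITH-UI-CLIENT-SECRET</credential>
    </secure-deployment>

    <!-- Secure RESTful services: only with the "secure" build profile and client dcm4chee-arc-rs
         (assumed war name). -->
    <secure-deployment name="dcm4chee-arc-rs-5.x-secure.war">
        <realm>dcm4che</realm>
        <resource>dcm4chee-arc-rs</resource>
        <credential name="secret">REPLACE-WITH-RS-CLIENT-SECRET</credential>
        <!-- false (the default, stated here for clarity): authorise against the realm roles
             admin and user created above, not against client-specific roles -->
        <use-resource-role-mappings>false</use-resource-role-mappings>
    </secure-deployment>
</subsystem>
```

Restart Wildfly after editing the file. If http://localhost:8080/dcm4chee-arc/ui still does not redirect to Keycloak afterwards, the usual cause is a secure-deployment name that does not match the war name inside the EAR; the adapter is then simply not attached to the deployment and the application is served unprotected, so verify the redirect before exposing the installation.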
http://localhost:8080/dcm4chee-arc/ui should now redirect you to Keycloak user login page.
Keycloak User Storage Federation
This section should be followed only if you imported default-users.ldif into LDAP in the Installation and Configuration section, instead of creating the roles and users directly in Keycloak.

Login to your Keycloak admin console at http://localhost:8080/auth/. In the dcm4che realm go to User Federation, click Add Provider and select ldap.
On the following screen, in the Edit Mode dropdown select WRITABLE and turn Sync Registrations ON. With these two settings Keycloak writes new users and password changes back to LDAP, so the Bind DN entered below needs write access to the Users DN.

In the Vendor dropdown select Other. Most of the mandatory fields are then pre-populated and should be kept as they are.
In the Connection URL field, enter ldap://localhost:389
In the Users DN field, enter ou=users,dc=dcm4che,dc=org. You can now click Test connection to check that the LDAP server is reachable.

In the Bind DN field, enter cn=admin,dc=dcm4che,dc=org, and in Bind Credential the password you have set for this LDAP account (these are the same values as in the properties of your LDAP connection). Click Test authentication and check that it succeeds before continuing; a failing bind here means Keycloak will neither find nor synchronise any user.
Click Save. The id of the newly created provider now appears at the top of the page. Go to the Mappers tab and click Create.

As Mapper Type select Role Mappings and enter role in the Name field.

In the LDAP Roles DN field, enter ou=users,dc=dcm4che,dc=org.

To keep Keycloak in step with changes made directly in LDAP, turn on Periodic Full Sync and Periodic Changed Users Sync. By default, Keycloak pre-populates the periodic full sync period with 604800 seconds (7 days) and the periodic changed users sync period with 86400 seconds (24 hours); adjust these to your application's needs. Until the next sync, a user removed from LDAP or stripped of a role there may still be known to Keycloak with the old role mappings.