How to Install secured version of DCM4CHEE Archive (Secure UI and Secure RESTful) Wildfly and Keycloak

vrindanayak edited this page Dec 22, 2016 · 6 revisions

Please follow https://github.com/dcm4che/dcm4chee-arc-light/wiki/Installation for the LDAP, database and related configuration. This page only covers a new installation of the secured version of the archive.

Installation and Configuration

  1. Get the latest Java 8, Wildfly-10.0.0.Final, Keycloak-overlay-2.4.0.Final and Keycloak-wildfly-adapter-dist-2.4.0.Final

  2. Unzip the keycloak overlay and wildfly adapter zip files into your Wildfly directory.

  3. The Java EE 8 Full Profile configuration can be used as base configuration. To preserve the original WildFly configuration you may copy the original configuration file for JavaEE 8 Full Profile:

       > cd $WILDFLY_HOME/standalone/configuration/
       > cp standalone-full.xml dcm4chee-arc.xml
    
  4. Modify the $WILDFLY_HOME/bin/keycloak-install.cli

       Change
       embed-server --server-config=standalone.xml
       To
       embed-server --server-config=dcm4chee-arc.xml
    
  5. Run the below command from $WILDFLY_HOME/bin to add Keycloak to Wildfly server configuration

        jboss-cli.sh --file=keycloak-install.cli
    
  6. In dcm4chee-arc.xml, in the keycloak-server subsystem section, add the eventsListener SPI and the dcm4che-rest provider, as shown below:

        ...........
        <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
            <web-context>auth</web-context>
            <providers>
                ..........
                <provider>
                    module:org.dcm4che.audit-keycloak
                </provider>
            </providers>
            ............
            <spi name="eventsListener">
                <provider name="dcm4che-rest" enabled="true">
                    <properties>
                        <property name="includes" value="[&quot;LOGIN&quot;, &quot;LOGIN_ERROR&quot;, &quot;LOGOUT&quot;, &quot;LOGOUT_ERROR&quot;]"/>
                    </properties>
                </provider>
            </spi>
            ...........
        </subsystem>
        ...........
    
  7. Build the dcm4chee-arc-light project with the -P secure-ui flag as below (Note: use the -P secure flag instead when building if you also need the secure version of the RESTful services.)

        mvn clean install -P secure-ui
    
  8. Update the DCM4CHE dcm4chee-arc-light libraries as JBoss modules:

        > cd  $WILDFLY_HOME
        > unzip $DCM4CHEE_ARC/jboss-modules/dcm4che-jboss-modules-5.x-dcm4chee-arc-light.zip
    
  9. Start Wildfly and run the below command to install Keycloak adapter

        > cd $WILDFLY_HOME/bin
        > jboss-cli.bat -c --file=adapter-install.cli
    
  10. Log in to the Keycloak admin console at http://localhost:8080/auth and create a new Keycloak admin user

        http://localhost:8080/auth
        User/Password :  admin/admin
    
  11. Add a new Realm

        Name : dcm4che
        Note down its Public-Key (This will be required in Steps 19 & 20)
    
  12. Create a new Client 'dcm4chee-arc-ui' in 'dcm4che' realm

        Client Id : dcm4chee-arc-ui
        Valid Redirect URIs : http://localhost:8080/dcm4chee-arc/ui/*
        Admin URL : http://localhost:8080/dcm4chee-arc/ui/
        Access Type : Confidential
        Note down its Secret-Key under the Credentials tab (This will be required in Step 19)
    
  13. Create a new Client 'dcm4chee-arc-rs' in the 'dcm4che' realm (Do this step only if you also need the secured version of the RESTful services)

        Client Id : dcm4chee-arc-rs
        Valid Redirect URIs : http://localhost:8080/dcm4chee-arc/aets/*
        Admin URL : http://localhost:8080/dcm4chee-arc/aets/
        Access Type : Confidential
        Note down its Secret-Key under the Credentials tab (This will be required in Step 20)
    
  14. Alternatively, import the default-users.ldif file directly into LDAP. This file contains the default roles and users. Note that either step 14 or step 15 should be followed, not both. If step 14 is followed, the section Keycloak User Storage Federation below must also be completed.

  15. Note that this point is an alternative to point 14.
    a. Add 2 new Roles

        Role name : admin
        Role name : user
    

    b. Add 2 new Users

        Username : user
        Under the Role Mappings tab, map the _**user**_ role to this newly created user. 
        Under the Credentials tab, set the Password for this user.
    
        Username : admin
        Under the Role Mappings tab, map the _**user**_ and _**admin**_ roles to this newly created user. 
        Under the Credentials tab, set the Password for this user.
    
  16. In the Events section, under the Config tab in Events Config, add dcm4che-rest as an Event Listener and save it.

  17. You may log out, stop Wildfly and carry out the remaining Wildfly installation steps as given in https://github.com/dcm4che/dcm4chee-arc-light/wiki/Installation#setup-wildfly : Step no. 1, Step nos. 4-14

  18. Restart Wildfly and deploy the secured version of the DCM4CHEE archive

        [standalone@localhost:9999 /] deploy $DCM4CHEE_ARC/deploy/dcm4chee-arc-ear-5.x-psql-secure-ui.ear
    
  19. Configure the Keycloak settings (created in the steps above) in the Wildfly configuration for the secure UI, replacing Public-Key and Secret-Key with the values noted in Steps 11 and 12:

        /subsystem=keycloak/secure-deployment=dcm4chee-arc-ui-5.x-secure.war/:add(realm=dcm4che,resource=dcm4chee-arc-ui,realm-public-key=Public-Key,auth-server-url=/auth)
        /subsystem=keycloak/secure-deployment=dcm4chee-arc-ui-5.x-secure.war/credential=secret:add(value=Secret-Key)
    
  20. Configure the Keycloak settings (created in the steps above) in the Wildfly configuration for the secure RESTful services, replacing <public-key> and Secret-Key with the values noted in Steps 11 and 13:

        /subsystem=keycloak/secure-deployment=dcm4chee-arc-war-5.x-secure.war/:add(realm=dcm4che,resource=dcm4chee-arc-rs,realm-public-key=<public-key>,auth-server-url="http://localhost:8080/auth")
        /subsystem=keycloak/secure-deployment=dcm4chee-arc-war-5.x-secure.war/credential=secret:add(value=Secret-Key)
    
  21. http://localhost:8080/dcm4chee-arc/ui should now redirect you to Keycloak user login page.
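A post-install check, added here and not part of the dcm4chee-arc-light project: it parses the keycloak-server subsystem (Step 6) and the Keycloak adapter secure-deployments (Steps 19 and 20) in dcm4chee-arc.xml and reports settings that are missing or still hold the placeholder values from the commands above. The adapter subsystem namespace `urn:jboss:domain:keycloak:1.1` and the `<credential name="secret">` element layout are assumptions about how the CLI commands are persisted, and the XML sample is constructed.

```python
import xml.etree.ElementTree as ET

KC_SERVER = "{urn:jboss:domain:keycloak-server:1.1}"
KC_ADAPTER = "{urn:jboss:domain:keycloak:1.1}"   # assumption: adapter subsystem namespace
PLACEHOLDERS = {"Public-Key", "Secret-Key", "<public-key>"}   # literal values from the CLI steps

# Constructed fragment of a dcm4chee-arc.xml after Steps 6, 19 and 20, placeholders left unreplaced.
SAMPLE_XML = """<server>
<profile>
 <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
  <providers><provider>module:org.dcm4che.audit-keycloak</provider></providers>
  <spi name="eventsListener"><provider name="dcm4che-rest" enabled="true"/></spi>
 </subsystem>
 <subsystem xmlns="urn:jboss:domain:keycloak:1.1">
  <secure-deployment name="dcm4chee-arc-ui-5.x-secure.war">
   <realm>dcm4che</realm><resource>dcm4chee-arc-ui</resource>
   <realm-public-key>Public-Key</realm-public-key>
   <auth-server-url>/auth</auth-server-url>
   <credential name="secret">Secret-Key</credential>
  </secure-deployment>
 </subsystem>
</profile>
</server>"""

def check_config(xml_text):
    """Return a list of findings; an empty list means every setting from the page is present and filled in."""
    root = ET.fromstring(xml_text)
    findings = []
    srv = root.find(f".//{KC_SERVER}subsystem")
    if srv is None:
        return ["keycloak-server subsystem missing (Step 6)"]
    # <provider> appears both under <providers> (module text) and under <spi> (name attribute)
    texts = {(p.text or "").strip() for p in srv.iter(f"{KC_SERVER}provider")}
    if "module:org.dcm4che.audit-keycloak" not in texts:
        findings.append("audit-keycloak provider module missing (Step 6)")
    rest = srv.find(f"{KC_SERVER}spi[@name='eventsListener']/{KC_SERVER}provider[@name='dcm4che-rest']")
    if rest is None or rest.get("enabled") != "true":
        findings.append("dcm4che-rest eventsListener provider missing or disabled (Step 6)")
    for dep in root.iter(f"{KC_ADAPTER}secure-deployment"):
        name = dep.get("name")
        for tag in ("realm", "resource", "realm-public-key", "auth-server-url"):
            el = dep.find(f"{KC_ADAPTER}{tag}")
            if el is None or not (el.text or "").strip():
                findings.append(f"{name}: <{tag}> missing (Steps 19/20)")
            elif el.text.strip() in PLACEHOLDERS:
                findings.append(f"{name}: <{tag}> still holds placeholder {el.text.strip()!r}")
        cred = dep.find(f"{KC_ADAPTER}credential[@name='secret']")
        if cred is None or not (cred.text or "").strip() or cred.text.strip() in PLACEHOLDERS:
            findings.append(f"{name}: client secret credential missing or still a placeholder")
    return findings
```

Run it against the real file with `check_config(open("dcm4chee-arc.xml").read())`; an empty result means the Keycloak audit listener and both client settings are in place.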

Keycloak User Storage Federation

This section should be followed only if step 14 was followed in the Installation and Configuration section.

  1. Log in to your Keycloak admin console at http://localhost:8080/auth/. In the dcm4che realm go to User Federation, click Add Provider and select ldap

  2. On the screen that comes up, select WRITABLE in the Edit Mode dropdown

  3. Turn Sync Registrations ON

  4. In the Vendor dropdown select Other. Most of the mandatory fields are then pre-populated and must be kept as they are.

  5. In the Connection URL field, enter ldap://localhost:389

  6. In the Users DN field, enter ou=users,dc=dcm4che,dc=org. You may now click Test connection to check whether the connection succeeds.

  7. In the Bind DN field, enter cn=admin,dc=dcm4che,dc=org. In Bind Credential enter the password you have set for this connection. These values can also be read from the properties of your LDAP connection. You can now click Test authentication to check whether the bind succeeds.

  8. Click Save. The newly created provider id now appears at the top of the page. Go to the Mappers tab and click Create.

  9. In the Mapper type, select Role Mappings. In the Name field, enter role.

  10. In the LDAP Roles DN field, enter ou=users,dc=dcm4che,dc=org.

  11. If user-related changes made in LDAP need to be synced into Keycloak, turn on Periodic Full Sync and Periodic Changed Users Sync. By default, Keycloak pre-populates the periodic full sync value with 604800 (= 7 days) and the periodic changed users sync value with 86400 (= 24 hours); change these defaults as your application requires.

  12. Click Save.