Unable to deploy dcm4che Arc 5 with -secure or -secure-ui in the docker image #3321
-
I am following Run-secured-archive-services-on-a-single-host from the link: https://github.com/dcm4che/dcm4chee-arc-light/wiki/Run-secured-archive-services-on-a-single-host and it failed. I have succeeded in deploying https://github.com/dcm4che/dcm4chee-arc-light/wiki/Running-on-Docker, which worked without Keycloak.
Replies: 7 comments
-
Verify that the host name you configured in ENV AUTH_SERVER_URL is resolvable in the archive container:
-
Hi Gunter,
Thanks for your reply. I am new to this, please help me. I do not know how
to run the docker-compose command mentioned in your email because it threw an
error message:
[image: image.png]
Please explain more about this.
I am still having problems deploying
Run-secured-archive-services-on-a-single-host.
I've used the docker image and used docker run to start it. I have followed
the attached file to start dcm4chee-arc but failed in step 5 (Start Wildfly
with deployed dcm4che Archive 5 application), although I had run keycloak
with dcm4chee-arc with the same steps in the version
dcm4chee-arc-psql:5.22.6 successfully. I also changed to
-e AUTH_SERVER_URL=https://192.168.8.208:8843/auth \
and it is still not running. I can run
-d dcm4che/dcm4chee-arc-psql:5.24.0 without the -secure or -secure-ui options.
Please advise what the problem is.
[image: image.png]
regards
Oliver F ***@***.***>
, ***@***.***
Ph:0433161557
On Fri, Aug 20, 2021 at 9:22 PM Gunter Zeilinger ***@***.***> wrote:
Verify that the host name you configured in ENV AUTH_SERVER_URL
<https://github.com/dcm4che-dockerfiles/dcm4chee-arc-psql#auth_server_url>
is resolvable in the archive container:
$ docker-compose exec arc bash
***@***.***:/# curl -vk $AUTH_SERVER_URL
* Trying 192.168.2.150:8843...
* TCP_NODELAY set
* Connected to gunter-nb (192.168.2.150) port 8843 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=AT; O=J4CARE; CN=PACS_J4C
* start date: Apr 2 06:38:46 2017 GMT
* expire date: Apr 2 06:38:46 2027 GMT
* issuer: C=FR; O=IHE Europe; CN=IHE Europe CA
* SSL certificate verify result: EE certificate key too weak (66), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x56052f64de10)
> GET /auth HTTP/2
> Host: gunter-nb:8843
> user-agent: curl/7.68.0
> accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 4294967295)!
< HTTP/2 303
< x-xss-protection: 1; mode=block
< strict-transport-security: max-age=31536000; includeSubDomains
< x-content-type-options: nosniff
< location: https://gunter-nb:8843/auth/
< referrer-policy: no-referrer
< content-length: 0
< date: Fri, 20 Aug 2021 11:20:24 GMT
<
* Connection #0 to host gunter-nb left intact
***@***.***:/#
https://github.com/dcm4che/dcm4chee-arc-light/wiki/Running-on-Docker
https://github-wiki-see.page/m/dcm4che/dcm4chee-arc-light/wiki/Secure-Archive-UI-and-RESTful-Services-using-Keycloak
oliver-macbook: ssh
ssh ***@***.*** pw:oliver
ssh ***@***.*** pw:iot
ssh ***@***.*** pw:dcm4chee
Run secured archive services on a single host:
192.168.8.199:8080/dcm4chee-arc/ui2
192.168.8.199:8843/auth/admin/dcm4che/console/
https://github.com/dcm4che/dcm4chee-arc-light/wiki/Running-on-Docker ---dcm4chee only
docker-keycloak-single-host:
https://github.com/dcm4che/dcm4chee-arc-light/wiki/Run-secured-archive-services-on-a-single-host ---dcm4chee with keycloak
Create system groups and users with particular group and user IDs used by the archive services on the host
$ sudo -i
groupadd -r slapd-dcm4chee --gid=1021 && useradd -r -g slapd-dcm4chee --uid=1021 slapd-dcm4chee
groupadd -r postgres-dcm4chee --gid=999 && useradd -r -g postgres-dcm4chee --uid=999 postgres-dcm4chee
groupadd -r dcm4chee-arc --gid=1023 && useradd -r -g dcm4chee-arc --uid=1023 dcm4chee-arc
groupadd -r keycloak-dcm4chee --gid=1029 && useradd -r -g keycloak-dcm4chee --uid=1029 keycloak-dcm4chee
exit
1. Create a user-defined bridge network
$ sudo docker network create dcm4chee_default
# remove it again with: sudo docker network rm dcm4chee_default
2.Start OpenLDAP Server as described in Run minimum set of archive services on a single host.
sudo docker run --network=dcm4chee_default --name ldap \
-p 389:389 \
-v /var/local/dcm4chee-arc/ldap:/var/lib/openldap/openldap-data \
-v /var/local/dcm4chee-arc/slapd.d:/etc/openldap/slapd.d \
-d dcm4che/slapd-dcm4chee:2.4.57-24.0
3.Start Keycloak Authentication Server
sudo docker run --network=dcm4chee_default --name keycloak \
-p 8880:8880 \
-p 8843:8843 \
-p 8990:8990 \
-p 8993:8993 \
-e HTTP_PORT=8880 \
-e HTTPS_PORT=8843 \
-e MANAGEMENT_HTTP_PORT=8990 \
-e MANAGEMENT_HTTPS_PORT=8993 \
-e KEYCLOAK_WAIT_FOR=ldap:389 \
-v /etc/localtime:/etc/localtime:ro \
-v /etc/timezone:/etc/timezone:ro \
-v /var/local/dcm4chee-arc/keycloak:/opt/keycloak/standalone \
-d dcm4che/keycloak:11.0.3
3.1 Check the Keycloak server log if Keycloak started successfully:
tail -f /var/local/dcm4chee-arc/keycloak/log/server.log
4.Start PostgreSQL Server as described in Run minimum set of archive services on a single host.
sudo docker run --network=dcm4chee_default --name db \
-p 5432:5432 \
-e POSTGRES_DB=pacsdb \
-e POSTGRES_USER=pacs \
-e POSTGRES_PASSWORD=pacs \
-v /etc/localtime:/etc/localtime:ro \
-v /etc/timezone:/etc/timezone:ro \
-v /var/local/dcm4chee-arc/db:/var/lib/postgresql/data \
-d dcm4che/postgres-dcm4chee:13.3-24
5.Start Wildfly with deployed dcm4che Archive 5 application
sudo docker run --network=dcm4chee_default --name arc \
-p 8080:8080 \
-p 8443:8443 \
-p 9990:9990 \
-p 9993:9993 \
-p 11112:11112 \
-p 2762:2762 \
-p 2575:2575 \
-p 12575:12575 \
-e POSTGRES_DB=pacsdb \
-e POSTGRES_USER=pacs \
-e POSTGRES_PASSWORD=pacs \
-e WILDFLY_WAIT_FOR="ldap:389 db:5432" \
-e AUTH_SERVER_URL=https://127.0.0.1:8843/auth \
-v /etc/localtime:/etc/localtime:ro \
-v /etc/timezone:/etc/timezone:ro \
-v /var/local/dcm4chee-arc/wildfly:/opt/wildfly/standalone \
-d dcm4che/dcm4chee-arc-psql:5.24.0-secure-ui
http://192.168.8.208:8080/dcm4chee-arc/ui2
sudo lsof -i -P | grep LISTEN
***@***.***:~$ sudo lsof -i -P|grep LISTEN
systemd-r 601 systemd-resolve 13u IPv4 25400 0t0 TCP localhost:53 (LISTEN)
cupsd 640 root 6u IPv6 28467 0t0 TCP ip6-localhost:631 (LISTEN)
cupsd 640 root 7u IPv4 28468 0t0 TCP localhost:631 (LISTEN)
container 758 root 13u IPv4 34911 0t0 TCP localhost:35691 (LISTEN)
sshd 772 root 3u IPv4 31197 0t0 TCP *:22 (LISTEN)
sshd 772 root 4u IPv6 31199 0t0 TCP *:22 (LISTEN)
docker-pr 5291 root 4u IPv4 75663 0t0 TCP *:389 (LISTEN)
docker-pr 5298 root 4u IPv6 76441 0t0 TCP *:389 (LISTEN)
docker-pr 5586 root 4u IPv4 76738 0t0 TCP *:8993 (LISTEN)
docker-pr 5593 root 4u IPv6 80908 0t0 TCP *:8993 (LISTEN)
docker-pr 5605 root 4u IPv4 79504 0t0 TCP *:8990 (LISTEN)
docker-pr 5613 root 4u IPv6 79508 0t0 TCP *:8990 (LISTEN)
docker-pr 5626 root 4u IPv4 80951 0t0 TCP *:8880 (LISTEN)
docker-pr 5632 root 4u IPv6 76772 0t0 TCP *:8880 (LISTEN)
docker-pr 5645 root 4u IPv4 76776 0t0 TCP *:8843 (LISTEN)
docker-pr 5651 root 4u IPv6 79975 0t0 TCP *:8843 (LISTEN)
docker-pr 6691 root 4u IPv4 82593 0t0 TCP *:12575 (LISTEN)
docker-pr 6699 root 4u IPv6 82597 0t0 TCP *:12575 (LISTEN)
docker-pr 6712 root 4u IPv4 82626 0t0 TCP *:11112 (LISTEN)
docker-pr 6718 root 4u IPv6 82630 0t0 TCP *:11112 (LISTEN)
docker-pr 6730 root 4u IPv4 83322 0t0 TCP *:9993 (LISTEN)
docker-pr 6736 root 4u IPv6 83326 0t0 TCP *:9993 (LISTEN)
docker-pr 6749 root 4u IPv4 81703 0t0 TCP *:9990 (LISTEN)
docker-pr 6755 root 4u IPv6 81707 0t0 TCP *:9990 (LISTEN)
docker-pr 6769 root 4u IPv4 82678 0t0 TCP *:8443 (LISTEN)
docker-pr 6777 root 4u IPv6 81728 0t0 TCP *:8443 (LISTEN)
docker-pr 6789 root 4u IPv4 80790 0t0 TCP *:8080 (LISTEN)
docker-pr 6795 root 4u IPv6 82714 0t0 TCP *:8080 (LISTEN)
docker-pr 6807 root 4u IPv4 82723 0t0 TCP *:2762 (LISTEN)
docker-pr 6815 root 4u IPv6 81760 0t0 TCP *:2762 (LISTEN)
docker-pr 6827 root 4u IPv4 83372 0t0 TCP *:2575 (LISTEN)
docker-pr 6834 root 4u IPv6 81764 0t0 TCP *:2575 (LISTEN)
6.Register the Archive UI as OIDC client in Keycloak
https://192.168.8.208:8843/auth/admin/dcm4che/console ---config keycloak
http://192.168.8.208:8080/dcm4chee-web3/ admin/admin
https://121.37.162.242:8843/auth/admin/dcm4che/console
https://139.159.134.168:8443/dcm4chee-arc/ui2 admin/oliver
https://121.37.162.242:8443/dcm4chee-arc/ui2
keycloak setup:
https://192.168.8.208:8843/auth/admin/dcm4che/console/ login admin/chargeit
login as admin/admin
client -> Create => dcm4chee-arc-ui
root URL: https://192.168.8.208:8443/dcm4chee-arc/ui2
Valid Redirect URLs: https://192.168.8.208:8443/dcm4chee-arc/ui2/*
http://192.168.8.208:8080/dcm4chee-arc/ui2/*
base URL:
Admin URL: https://192.168.8.208:8443/dcm4chee-arc/ui2 user:admin pw:oliver
web Origins: https://192.168.8.208:8443
http://192.168.8.208:8080
Users: ->add user
users -> all user -> u09u0ujio ->Credentials => password / password confirmation -> Temporary off
7.Register the WildFly Administration Console as OIDC client in Keycloak
https://<docker-host>:9993/console
8.(Optional) Change preconfigured users and roles (test send dcm)
docker run --rm --network=dcm4chee_default dcm4che/dcm4che-tools storescu ***@***.***:11112 /opt/dcm4che/etc/testdata/dicom
10.You may stop all 4 containers by:
$ sudo docker stop ldap keycloak db arc
and start all 4 containers again by:
$ sudo docker start ldap keycloak db arc
11.You may delete the stopped containers by
$ sudo docker rm -v ldap keycloak db arc
You may delete the created bridge network by
$ sudo docker network rm dcm4chee_default
config Accepted calling AT title:
http://pcbbc.site.mobi/templates/mobile/facade_transcoder_iframe.php?u=%2Fdcm4che%2Fdcm4chee-arc-light%2Fwiki%2FRestrict-AE-Titles-opening-associations-with-Archive%3Fimz_s%3Dtabd55f8pg6s53uvjq8hbj8r66&lang=en
-
*Hi, please help, I still can't start the docker arc images. Attached are
docker-compose.env and docker-compose.yml files.*
*Oliver*
***@***.***:/home/dcm4chee/dcm4chee-arc-psql# docker-compose -p
dcm4chee up
Creating network "dcm4chee_default" with the default driver
Creating dcm4chee_db_1 ... done
Creating dcm4chee_ldap_1 ... done
Creating dcm4chee_keycloak_1 ... done
Creating dcm4chee_arc_1 ... done
Attaching to dcm4chee_db_1, dcm4chee_ldap_1, dcm4chee_keycloak_1,
dcm4chee_arc_1
db_1 |
db_1 | PostgreSQL Database directory appears to contain a database;
Skipping initialization
db_1 |
db_1 | 2021-08-27 18:31:19.185 AEST [1] LOG: starting PostgreSQL
13.3 (Debian 13.3-1.pgdg100+1) on x86_64-pc-linux-gnu, compiled by gcc
(Debian 8.3.0-6) 8.3.0, 64-bit
db_1 | 2021-08-27 18:31:19.185 AEST [1] LOG: listening on IPv4
address "0.0.0.0", port 5432
db_1 | 2021-08-27 18:31:19.185 AEST [1] LOG: listening on IPv6
address "::", port 5432
db_1 | 2021-08-27 18:31:19.403 AEST [1] LOG: listening on Unix
socket "/var/run/postgresql/.s.PGSQL.5432"
keycloak_1 | Importing keystore
/opt/keycloak/standalone/configuration/keystores/cacerts.p12 to
/opt/java/openjdk/lib/security/cacerts...
keycloak_1 | Entry for alias mykey successfully imported.
keycloak_1 | Import command completed: 1 entries successfully imported, 0
entries failed or cancelled
keycloak_1 |
keycloak_1 | Warning:
keycloak_1 | <mykey> uses a 1024-bit RSA key which is considered a
security risk. This key size will be disabled in a future update.
keycloak_1 | Waiting for ldap:389 ...
keycloak_1 | done
keycloak_1 | Starting Keycloak 11.0.3
keycloak_1 |
=========================================================================
keycloak_1 |
keycloak_1 | JBoss Bootstrap Environment
keycloak_1 |
keycloak_1 | JBOSS_HOME: /opt/keycloak
keycloak_1 |
keycloak_1 | JAVA: /opt/java/openjdk/bin/java
keycloak_1 |
keycloak_1 | JAVA_OPTS: -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M
-XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true
-Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true
--add-exports=java.base/sun.nio.ch=ALL-UNNAMED
--add-exports=jdk.unsupported/sun.misc=ALL-UNNAMED
--add-exports=jdk.unsupported/sun.reflect=ALL-UNNAMED
keycloak_1 |
keycloak_1 |
=========================================================================
keycloak_1 |
ldap_1 | 6128a2da @(#) $OpenLDAP: slapd 2.4.57 (Feb 24 2021 06:14:32) $
ldap_1 | openldap
ldap_1 | 6128a2da slapd starting
db_1 | 2021-08-27 18:31:20.140 AEST [26] LOG: database system was
shut down at 2021-08-27 18:30:48 AEST
db_1 | 2021-08-27 18:31:20.609 AEST [1] LOG: database system is
ready to accept connections
arc_1 | Importing keystore
/opt/wildfly/standalone/configuration/keystores/cacerts.p12 to
/opt/java/openjdk/lib/security/cacerts...
arc_1 | Entry for alias mykey successfully imported.
arc_1 | Import command completed: 1 entries successfully imported, 0
entries failed or cancelled
arc_1 |
arc_1 | Warning:
arc_1 | <mykey> uses a 1024-bit RSA key which is considered a
security risk. This key size will be disabled in a future update.
arc_1 | Waiting for ldap:389 ...
arc_1 | done
arc_1 | Waiting for db:5432 ...
arc_1 | done
arc_1 | Starting Wildfly 24.0.1.Final
arc_1 |
=========================================================================
arc_1 |
arc_1 | JBoss Bootstrap Environment
arc_1 |
arc_1 | JBOSS_HOME: /opt/wildfly
arc_1 |
arc_1 | JAVA: /opt/java/openjdk/bin/java
arc_1 |
arc_1 | JAVA_OPTS: -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M
-XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true
-Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true
--add-exports=java.desktop/sun.awt=ALL-UNNAMED
--add-exports=java.naming/com.sun.jndi.ldap=ALL-UNNAMED
--add-opens=java.base/java.lang=ALL-UNNAMED
--add-opens=java.base/java.lang.invoke=ALL-UNNAMED --add-opens=java.base/
java.io=ALL-UNNAMED --add-opens=java.base/java.security=ALL-UNNAMED
--add-opens=java.base/java.util=ALL-UNNAMED
--add-opens=java.management/javax.management=ALL-UNNAMED
--add-opens=java.naming/javax.naming=ALL-UNNAMED
arc_1 |
arc_1 |
=========================================================================
arc_1 |
arc_1 | *java.lang.IllegalStateException: WFLYCTL0214: Could not get
main file: dcm4chee-arc-oidc.xml. Specified files must be relative to the
configuration dir: /opt/wildfly/standalone/configuration*
arc_1 | at ***@***.***
//org.jboss.as.controller.persistence.ConfigurationFile.determineMainFile(ConfigurationFile.java:362)
arc_1 | at ***@***.***
//org.jboss.as.controller.persistence.ConfigurationFile.<init>(ConfigurationFile.java:200)
arc_1 | at ***@***.***
//org.jboss.as.server.ServerEnvironment.<init>(ServerEnvironment.java:550)
arc_1 | at ***@***.***
//org.jboss.as.server.Main.determineEnvironment(Main.java:407)
arc_1 | at ***@***.***
//org.jboss.as.server.Main.main(Main.java:96)
arc_1 | at org.jboss.modules.Module.run(Module.java:353)
arc_1 | at org.jboss.modules.Module.run(Module.java:321)
arc_1 | at org.jboss.modules.Main.main(Main.java:617)
*dcm4chee_arc_1 exited with code 1*
keycloak_1 | WARNING: An illegal reflective access operation has occurred
keycloak_1 | WARNING: Illegal reflective access by
org.wildfly.extension.elytron.SSLDefinitions
(jar:file:/opt/keycloak/modules/system/layers/base/org/wildfly/extension/elytron/main/wildfly-elytron-integration-12.0.3.Final.jar!/)
to method com.sun.net.ssl.internal.ssl.Provider.isFIPS()
keycloak_1 | WARNING: Please consider reporting this to the maintainers of
org.wildfly.extension.elytron.SSLDefinitions
keycloak_1 | WARNING: Use --illegal-access=warn to enable warnings of
further illegal reflective access operations
keycloak_1 | WARNING: All illegal access operations will be denied in a
future release
Oliver F ***@***.***>
, ***@***.***
Ph:0433161557
-
Check mapped out wildfly
-
Hi Sir, I still can't work out what the problem is; it still remains the same.
my docker-compose.env is:
ARCHIVE_HOST=192.168.8.113
STORAGE_DIR=/storage/fs1
POSTGRES_DB=pacsdb
POSTGRES_USER=pacs
POSTGRES_PASSWORD=pacs
AUTH_SERVER_URL=https://192.168.8.113:8843/auth
and my error is:
***@***.***:/home/dcm4chee/dcm4chee-arc-psql$
***@***.***:/home/dcm4chee/dcm4chee-arc-psql$
sudo docker-compose -p dcm4chee up
Creating network "dcm4chee_default" with the default driver
Creating dcm4chee_db_1 ... done
Creating dcm4chee_ldap_1 ... done
Creating dcm4chee_keycloak_1 ... done
Creating dcm4chee_arc_1 ... done
Attaching to dcm4chee_ldap_1, dcm4chee_db_1,
dcm4chee_keycloak_1, dcm4chee_arc_1
db_1 |
db_1 | PostgreSQL Database directory appears to contain a database;
Skipping initialization
db_1 |
db_1 | 2021-09-02 12:25:54.724 AEST [1] LOG: starting PostgreSQL
13.3 (Debian 13.3-1.pgdg100+1) on x86_64-pc-linux-gnu, compiled by gcc
(Debian 8.3.0-6) 8.3.0, 64-bit
db_1 | 2021-09-02 12:25:54.725 AEST [1] LOG: listening on IPv4
address "0.0.0.0", port 5432
db_1 | 2021-09-02 12:25:54.725 AEST [1] LOG: listening on IPv6
address "::", port 5432
db_1 | 2021-09-02 12:25:55.807 AEST [1] LOG: listening on Unix
socket "/var/run/postgresql/.s.PGSQL.5432"
db_1 | 2021-09-02 12:25:56.256 AEST [26] LOG: database system was
shut down at 2021-09-02 12:25:13 AEST
db_1 | 2021-09-02 12:25:56.931 AEST [1] LOG: database system is
ready to accept connections
keycloak_1 | Importing keystore
/opt/keycloak/standalone/configuration/keystores/cacerts.p12 to
/opt/java/openjdk/lib/security/cacerts...
keycloak_1 | Entry for alias mykey successfully imported.
keycloak_1 | Import command completed: 1 entries successfully imported, 0
entries failed or cancelled
keycloak_1 |
keycloak_1 | Warning:
keycloak_1 | <mykey> uses a 1024-bit RSA key which is considered a
security risk. This key size will be disabled in a future update.
keycloak_1 | Waiting for ldap:389 ...
keycloak_1 | done
keycloak_1 | Starting Keycloak 11.0.3
keycloak_1 |
=========================================================================
keycloak_1 |
keycloak_1 | JBoss Bootstrap Environment
keycloak_1 |
keycloak_1 | JBOSS_HOME: /opt/keycloak
keycloak_1 |
keycloak_1 | JAVA: /opt/java/openjdk/bin/java
keycloak_1 |
keycloak_1 | JAVA_OPTS: -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M
-XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true
-Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true
--add-exports=java.base/sun.nio.ch=ALL-UNNAMED
--add-exports=jdk.unsupported/sun.misc=ALL-UNNAMED
--add-exports=jdk.unsupported/sun.reflect=ALL-UNNAMED
keycloak_1 |
keycloak_1 |
=========================================================================
keycloak_1 |
ldap_1 | 61303635 @(#) $OpenLDAP: slapd 2.4.57 (Feb 24 2021 06:14:32) $
ldap_1 | openldap
ldap_1 | 61303635 slapd starting
arc_1 | Importing keystore
/opt/wildfly/standalone/configuration/keystores/cacerts.p12 to
/opt/java/openjdk/lib/security/cacerts...
arc_1 | Entry for alias mykey successfully imported.
arc_1 | Import command completed: 1 entries successfully imported, 0
entries failed or cancelled
arc_1 |
arc_1 | Warning:
arc_1 | <mykey> uses a 1024-bit RSA key which is considered a
security risk. This key size will be disabled in a future update.
arc_1 | Waiting for ldap:389 ...
arc_1 | done
arc_1 | Waiting for db:5432 ...
arc_1 | done
arc_1 | Starting Wildfly 24.0.1.Final
arc_1 |
=========================================================================
arc_1 |
arc_1 | JBoss Bootstrap Environment
arc_1 |
arc_1 | JBOSS_HOME: /opt/wildfly
arc_1 |
arc_1 | JAVA: /opt/java/openjdk/bin/java
arc_1 |
arc_1 | JAVA_OPTS: -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M
-XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true
-Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true
--add-exports=java.desktop/sun.awt=ALL-UNNAMED
--add-exports=java.naming/com.sun.jndi.ldap=ALL-UNNAMED
--add-opens=java.base/java.lang=ALL-UNNAMED
--add-opens=java.base/java.lang.invoke=ALL-UNNAMED --add-opens=java.base/
java.io=ALL-UNNAMED --add-opens=java.base/java.security=ALL-UNNAMED
--add-opens=java.base/java.util=ALL-UNNAMED
--add-opens=java.management/javax.management=ALL-UNNAMED
--add-opens=java.naming/javax.naming=ALL-UNNAMED
arc_1 |
arc_1 |
=========================================================================
arc_1 |
arc_1 | java.lang.IllegalStateException: WFLYCTL0214: Could not get
main file: dcm4chee-arc-oidc.xml. Specified files must be relative to the
configuration dir: /opt/wildfly/standalone/configuration
arc_1 | at ***@***.***
//org.jboss.as.controller.persistence.ConfigurationFile.determineMainFile(ConfigurationFile.java:362)
arc_1 | at ***@***.***
//org.jboss.as.controller.persistence.ConfigurationFile.<init>(ConfigurationFile.java:200)
arc_1 | at ***@***.***
//org.jboss.as.server.ServerEnvironment.<init>(ServerEnvironment.java:550)
arc_1 | at ***@***.***
//org.jboss.as.server.Main.determineEnvironment(Main.java:407)
arc_1 | at ***@***.***
//org.jboss.as.server.Main.main(Main.java:96)
arc_1 | at org.jboss.modules.Module.run(Module.java:353)
arc_1 | at org.jboss.modules.Module.run(Module.java:321)
arc_1 | at org.jboss.modules.Main.main(Main.java:617)
dcm4chee_arc_1 exited with code 1
keycloak_1 | WARNING: An illegal reflective access operation has occurred
keycloak_1 | WARNING: Illegal reflective access by
org.wildfly.extension.elytron.SSLDefinitions
(jar:file:/opt/keycloak/modules/system/layers/base/org/wildfly/extension/elytron/main/wildfly-elytron-integration-12.0.3.Final.jar!/)
to method com.sun.net.ssl.internal.ssl.Provider.isFIPS()
keycloak_1 | WARNING: Please consider reporting this to the maintainers of
org.wildfly.extension.elytron.SSLDefinitions
keycloak_1 | WARNING: Use --illegal-access=warn to enable warnings of
further illegal reflective access operations
keycloak_1 | WARNING: All illegal access operations will be denied in a
future release
Oliver F ***@***.***>
, ***@***.***
Ph:0433161557
-
Are you sure that you deleted the mapped out wildfly/standalone/configuration and wildfly/standalone/deployment directory which was created on startup of the not secured version, before starting the secured version?
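The two checks suggested in this thread, as an added shell example that is not part of the original discussion or of the dcm4che project: it flags a mapped-out WildFly directory left over from the non-secured image (the cause of the WFLYCTL0214 error above) and an AUTH_SERVER_URL that points at loopback, which inside the arc container is the container itself. The function names are hypothetical; the example assumes secured image tags end in -secure or -secure-ui and that the host directory is the one mounted at /opt/wildfly/standalone.

```shell
#!/bin/sh
# Added example: preflight checks before starting a -secure / -secure-ui arc image.
# Function names are hypothetical; the file name comes from the WFLYCTL0214 error in the thread.

# Main configuration file the secured image asks WildFly to load.
OIDC_CONFIG="dcm4chee-arc-oidc.xml"

# is_secured_tag TAG: succeeds if the image tag ends in -secure or -secure-ui (assumption).
is_secured_tag() {
    case "$1" in
        *-secure|*-secure-ui) return 0 ;;
        *) return 1 ;;
    esac
}

# check_wildfly_volume HOST_DIR IMAGE_TAG
# HOST_DIR is the host path mounted at /opt/wildfly/standalone.
# Prints: not-secured | fresh | ok | stale
check_wildfly_volume() {
    conf="$1/configuration"
    if ! is_secured_tag "$2"; then
        echo "not-secured"          # nothing to verify for the plain image
    elif [ ! -d "$conf" ]; then
        echo "fresh"                # directory will be created on first startup
    elif [ -f "$conf/$OIDC_CONFIG" ]; then
        echo "ok"
    else
        echo "stale"                # left over from another image: WFLYCTL0214 on start
    fi
}

# check_auth_url URL
# Prints: loopback | missing-host | ok
check_auth_url() {
    hostport=${1#*://}              # drop the scheme
    hostport=${hostport%%/*}        # drop the path
    case "$hostport" in
        "["*) host=${hostport%%]*}; host=${host#\[} ;;   # [::1]:8843 -> ::1
        *)    host=${hostport%%:*} ;;                     # host:port  -> host
    esac
    case "$host" in
        localhost|127.*|::1) echo "loopback" ;;  # resolves to the arc container itself
        "") echo "missing-host" ;;
        *)  echo "ok" ;;
    esac
}

# missing_main_file: reads a container log on stdin and prints the first
# file name that follows "main file:" (the file WildFly could not find).
missing_main_file() {
    sed -n 's/.*main file: \([A-Za-z0-9._-]*\.xml\).*/\1/p' | sed -n '1p'
}

demo() {
    tmp=$(mktemp -d)
    # Constructed sample: a configuration directory that lacks the OIDC file.
    mkdir -p "$tmp/wildfly/configuration"
    : > "$tmp/wildfly/configuration/leftover.xml"
    echo "volume:   $(check_wildfly_volume "$tmp/wildfly" 5.24.0-secure-ui)"
    echo "auth url: $(check_auth_url https://127.0.0.1:8843/auth)"
    # Constructed log line modelled on the error quoted in the thread.
    printf '%s\n' \
        'arc_1 | java.lang.IllegalStateException: WFLYCTL0214: Could not get main file: dcm4chee-arc-oidc.xml. Specified files must be relative to the configuration dir' \
        | missing_main_file
    rm -rf "$tmp"
}

demo
```

A result of stale means the configuration directory has to be removed (or the OIDC file supplied) before the secured container is started; loopback means AUTH_SERVER_URL needs a host name or address that the arc container can reach.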
-
Worked, thanks.
Oliver
Oliver F ***@***.***>
, ***@***.***
Ph:0433161557