This docker image provides Keycloak Authentication Server initialized for securing the DICOM Archive dcm4chee-arc-light.
See Running on Docker at the dcm4che Archive 5 Wiki.
Below explained environment variables can be set as per one's application to override the default values if need be.
An example of how one can set an env variable in docker run command is shown below :
-e KEYCLOAK_DEVICE_NAME=my-keycloak
Note : If default values of any environment variables were overridden in startup of slapd container,
then ensure that the same values are also used for overriding the defaults during startup of keycloak container.
Realm name (default is dcm4che).
Login theme
basej4carekeycloakkeycloak.v2
(default is j4care).
Defining the SSL/HTTPS requirements for interacting with the realm:
none- HTTPS is not required for any client IP addressexternal- private IP addresses can access without HTTPSall- HTTPS is required for all IP addresses
(default is external).
Indicates if Keycloak should validate the password with the realm password policy before updating it
(default value is false).
Keycloak client ID for securing the UI of the archive (optional, default is dcm4chee-arc-ui).
Keycloak client ID for securing RESTful services of the archive (optional, default is dcm4chee-arc-rs).
Secret for Keycloak client for securing RESTful services of the archive (optional, default is changeit).
File containing secret for Keycloak client for securing RESTful services of the archive (alternative to RS_CLIENT_SECRET).
User role associated to Service Account of Keycloak client for securing RESTful services of the archive (optional, default is auth).
Keycloak client ID for securing the Wildfly Management Console
of the archive (optional, default is wildfly-console).
Redirect URL of Keycloak client for securing the Wildfly Management Console. Default value is https://dcm4chee-arc:9993/console/*.
Hostname of the archive device referred by OIDC Keycloak clients for securing the UI and RESTful services
of the archive. Default value is dcm4chee-arc.
HTTP port of the UI of the archive (optional, default is 8080).
HTTPS port of the UI of the archive (optional, default is 8443).
Keycloak client ID for securing the UI of Kibana (optional, default is kibana).
Secret for Keycloak client for securing the UI of Kibana (optional, default is changeit).
File containing secret for Keycloak client for securing the UI of Kibana (alternative to KIBANA_CLIENT_SECRET).
Redirect URL of Keycloak client for securing the UI of Kibana (optional, default is https://kibana:8643/*).
Keycloak client ID for securing access to Elasticsearch (optional, default is elastic).
Secret for Keycloak client for securing access to Elasticsearch (optional, default is changeit).
File containing secret for Keycloak client for securing access to Elasticsearch (alternative to ELASTIC_CLIENT_SECRET).
URL for accessing LDAP (optional, default is ldap://ldap:389).
Base domain name for LDAP (optional, default is dc=dcm4che,dc=org).
Password to use to authenticate to LDAP (optional, default is secret).
Password to use to authenticate to LDAP via file input (alternative to LDAP_ROOTPASS).
Indicates to disable the verification of the hostname of the certificate of the LDAP server,
if using TLS (LDAP_URL=ldaps://<host>:<port>) (optional, default is true).
Device name to lookup in LDAP for Audit Logger configuration (optional, default is keycloak).
User role to identify super users, which have unrestricted access to all UI functions of the Archive. Login/Logout of
such users will emit an Audit Message for Security Alert
with Event Type Code: (110127,DCM,"Emergency Override Started")/(110138,DCM,"Emergency Override Stopped").
Optional, default is root.
By default there is no admin user created so you won't be able to login to the admin console of the Keycloak master
realm at https://${KC_HOSTNAME}:${KC_HTTPS_PORT}[/${KC_HTTP_RELATIVE_PATH}]. To create an admin account you may use
environment variables KC_BOOTSTRAP_ADMIN_USERNAME and KC_BOOTSTRAP_ADMIN_PASSWORD to pass in an initial username and password.
Once the first user with administrative rights exists, you may use the UI to change the initial password,
create additional admin users and/or delete that initial admin user.
Keycloak admin user via file input (alternative to KC_BOOTSTRAP_ADMIN_USERNAME).
User's password to use to authenticate to the Keycloak master realm.
User's password to use to authenticate to the Keycloak master realm via file input (alternative to KC_BOOTSTRAP_ADMIN_PASSWORD).
Hostname used to externally access Keycloak. If there is a reverse proxy in front of Keycloak, you have to specify the hostname of the reverse proxy.
The port used by the proxy when exposing the hostname. Required if there is a reverse proxy in front of Keycloak which
port differs from the HTTPS port of Keycloak specified by KC_HTTPS_PORT.
When all applications connected to Keycloak communicate through the public URL, set KC_HOSTNAME_STRICT_BACKCHANNEL
to true. Otherwise, leave this parameter as false to allow internal applications to communicate with Keycloak
through an internal URL.
The context-path used by the proxy. Required if there is a reverse proxy in front of Keycloak which uses a different
context-path for Keycloak than specified by KC_HTTP_RELATIVE_PATH.
Set the context-path relative to '/' for serving resources. (optional, default is /).
Configuring OpenID Connect Logout
Enable backwards compatibility option legacy-logout-redirect-uri of oidc login protocol in the server configuration (default value is false).
Required for logout by UI of earlier archive version than 5.29.1.
Enables to suppress logout confirmation screen, if the user does not provide a valid idTokenHint (default value is false).
Enables the HTTP listener (default value is false).
HTTP port of Keycloak (optional, default is 8080). Only effective with KC_HTTP_ENABLED is true.
HTTPS port of Keycloak (optional, default is 8443).
Path to keystore file with private key and certificate for HTTPS (default is
/opt/keycloak/conf/keystore/key.p12, with sample key + certificate:
Owner: OU=Gazelle, CN=IHE Europe CA, O=IHE Europe, C=FR
Issuer: OU=Gazelle, CN=IHE Europe CA, O=IHE Europe, C=FR
Serial number: 1
Valid from: Tue Nov 27 11:21:33 CET 2018 until: Mon Nov 27 11:21:33 CET 2028
Certificate fingerprints:
SHA1: 95:B3:01:BD:8B:97:46:D3:17:C4:E6:96:42:C9:84:FC:17:8D:E9:6F
SHA256: 21:EB:CA:86:4A:08:E9:A2:D2:1F:6E:84:37:8D:60:BB:14:92:4D:1B:B0:DD:B0:DC:75:03:0C:2E:F3:B2:6E:DD
Signature algorithm name: SHA512withRSA
Subject Public Key Algorithm: 2048-bit RSA key
provided by the docker image only for testing purpose).
Password used to protect the integrity of the keystore specified by KC_HTTPS_KEY_STORE_FILE (default is secret).
Password used to protect the integrity of the keystore specified by KC_HTTPS_KEY_STORE_FILE via file input
(alternative to KC_HTTPS_KEY_STORE_PASSWORD).
Type (JKS or PKCS12) of the keystore specified by KEYSTORE (default is PKCS12).
Path to keystore file with trusted certificates for TLS (optional, default is the default Java truststore
$JAVA_HOME/lib/security/cacerts). s.o. EXTRA_CACERTS.
Password used to protect the integrity of the keystore specified by KC_HTTPS_TRUST_STORE_FILE (optional, default is changeit).
Password used to protect the integrity of the keystore specified by KC_HTTPS_TRUST_STORE_FILE via file input
(alternative to KC_HTTPS_TRUST_STORE_PASSWORD).
Type (JKS or PKCS12) of the keystore specified by TRUSTSTORE (optional, default is JKS).
Path to keystore file with CA certificates imported to default Java truststore (optional, default is
/opt/keycloak/conf/keystore/cacerts.p12, with sample CA certificate:
Owner: OU=Gazelle, CN=IHE Europe CA, O=IHE Europe, C=FR
Issuer: OU=Gazelle, CN=IHE Europe CA, O=IHE Europe, C=FR
Serial number: 1
Valid from: Tue Nov 27 11:21:33 CET 2018 until: Mon Nov 27 11:21:33 CET 2028
Certificate fingerprints:
SHA1: 95:B3:01:BD:8B:97:46:D3:17:C4:E6:96:42:C9:84:FC:17:8D:E9:6F
SHA256: 21:EB:CA:86:4A:08:E9:A2:D2:1F:6E:84:37:8D:60:BB:14:92:4D:1B:B0:DD:B0:DC:75:03:0C:2E:F3:B2:6E:DD
Signature algorithm name: SHA512withRSA
Subject Public Key Algorithm: 2048-bit RSA key
provided by the docker image only for testing purpose).
Password used to protect the integrity of the keystore specified by EXTRA_CACERTS (optional, default is secret).
Password used to protect the integrity of the keystore specified by EXTRA_CACERTS via file input
(alternative to EXTRA_CACERTS_PASSWORD).
Comma separated list of enabled TLS protocols (SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3)
(optional, default is TLSv1.3).
The cipher suites to use. If none is given, a reasonable default is selected.
The proxy address forwarding mode if the server is behind a reverse proxy. Accepted values are:
edge- Enables communication through HTTP between the proxy and Keycloak. This mode is suitable for deployments with a highly secure internal network where the reverse proxy keeps a secure connection (HTTP over TLS) with clients while communicating with Keycloak using HTTP..reencrypt- Requires communication through HTTPS between the proxy and Keycloak. This mode is suitable for deployments where internal communication between the reverse proxy and Keycloak should also be protected. Different keys and certificates are used on the reverse proxy as well as on Keycloak.passthrough- Enables communication through HTTP or HTTPS between the proxy and Keycloak. This mode is suitable for deployments where the reverse proxy is not terminating TLS. The proxy instead is forwarding requests to the Keycloak server so that secure connections between the server and clients are based on the keys and certificates used by the Keycloak server.
If true, certificate checking will include the default set of root CA certificates in the JDK
additionally to CA certificates in TRUSTSTORE (optional, default is false).
Specifies if Keycloak shall verify the hostname of the server’s certificate on outgoing HTTPS requests. Accepted values are:
ANY- the hostname is not verified.WILDCARD- allows wildcards in subdomain names i.e.*.foo.com.STRICT- CN must match hostname exactly.
Default value is ANY.
Path to keystore file with trusted certificates for verifying server certificates on outgoing HTTPs requests
(optional, default is the default Java truststore $JAVA_HOME/lib/security/cacerts).
s.o. EXTRA_CACERTS.
Password used to protect the integrity of the keystore specified by KC_SPI_TRUSTSTORE_FILE_FILE (optional, default is changeit).
Password used to protect the integrity of the keystore specified by KC_SPI_TRUSTSTORE_FILE_FILE via file input
(alternative to KC_HTTPS_TRUST_STORE_PASSWORD).
Java VM options (optional, default is "-Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true").
Additional Java properties to append to JAVA_OPTS.
If true, start JPDA listener for remote socket debugging on local binding address and port specified by DEBUG_PORT
(optional, default is false).
Specify local binding address and port <addr>:<port> for JPDA remote socket debugging, if DEBUG is true
or with command option --debug (optional, default is *:8787).
Indicates to delay the start of keycloak until specified TCP ports become accessible. Format: <host>:<port> ..., e.g.: ldap:389 logstash:8514.
The database vendor:
mariadb- use external MariaDB database,mssql- use external Microsoft SQL Server database,mysql- use external MySQL and MariaDB database,oracle- use external Oracle database,postgres- use external PostgreSQL database,
(optional, default use embedded H2 database).
The database schema to be used.
JDBC driver connection URL. Optional, default JDBC URL depends on external database.
Sets the database name of the default JDBC URL of the chosen vendor.
Sets the hostname of the default JDBC URL of the chosen vendor.
Sets the port of the default JDBC URL of the chosen vendor.
Sets the properties of the default JDBC URL of the chosen vendor.
User to authenticate to the external database (optional, default is keycloak).
User to authenticate to the external database via file input (alternative to KC_DB_USERNAME).
User's password to use to authenticate to the external database (optional, default is keycloak).
User's password to use to authenticate to the external database via file input (alternative to DB_PASSWORD).
The initial size of the connection pool.
The maximum size of the connection pool (optional, default is 100).
The minimum size of the connection pool.
Manually override the transaction type (optional, default is true).
Enable one or more log handlers by comma separated list of enumerated values:
console- console log handler (=default)file- file log handlergelf- GELF log handler
(optional, default is console).
The log level of the root category or a comma-separated list of individual categories and their levels
(optional, default is INFO). E.g.: INFO,org.infinispan:DEBUG,org.jgroups:DEBUG.
Set the log file path and filename (optional, default is /opt/keycloak/data/log/keycloak.log).
Set a format specific to file log entries (optional, default is %d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n).
The maximum file size of the log file after which a rotation is executed (optional, default is 10M).
The maximum number of backups to keep (optional, default is 5).
Hostname of the Logstash or Graylog Host. By default UDP is used, prefix the host with 'tcp:' to switch to TCP. Example: 'tcp:logstash'". (optional, default is logstash).
The port the Logstash or Graylog Host is called on (optional, default is 12201).
The gelf version to be used (optional, default is 1.1).
The facility (name of the process) that sends the message (optional, default is keycloak).
Log-Level threshold (optional, default is INFO).
If set to true, occuring stack traces are included in the 'StackTrace' field in the gelf output (optional, default is true).
Set the format for the gelf timestamp field. Uses Java SimpleDateFormat pattern (optional, default is yyyy-MM-dd HH:mm:ss,SSS).
Maximum message size (in bytes). If the message size is exceeded, gelf will submit the message in multiple chunks (optional, default is 8192).
Include message parameters from the log event. (optional, default is true).
Include source code location (optional, default is true).
Requires use of external MySQL, MariaDB, Postgres or Microsoft SQL Server database to persist data.
Specify included cache-ispn-jdbc-ping.xml as cache configuration file.
JGroups server socket bind address (optional, default $(hostname -i) or select particular container IP according JGROUPS_BIND_IP_PREFIX).
JGroups server socket bind address prefix used to select particular container IP if no JGROUPS_BIND_IP is specified.
JGroups TCP stack port (optional, default is 7600).
IP address of this host - must be accessible by the other Keycloak instances.
