Dcm4chee: Getting Weasis Working w/ TLS Encryption
After having set up dcm4chee w/ TLS encryption and gleefully performing a few dcmsnds or dcmqrs, you may find yourself a bit frustrated to discover that Weasis no longer seems to work with dcm4chee via weasis-pacs-connector.
Note: This is a follow-up article to setting up dcm4chee w/ TLS. Also, the below has only been tested with dcm4chee2.x.
In my case, this was because the C-FINDs that weasis-pacs-connector uses to tell Weasis the URIs of the images it needs to download aren’t set up to use TLS by default. Opening up dcm4chee’s log, you should see some errors to that effect. This is a bit frustrating given that weasis-pacs-connector runs on the *same box* *via* dcm4chee and so presumably shouldn’t need this extra layer of authentication. Alas this is not the case.
Luckily, weasis-pacs-connector does come with config options to enable TLS. However, I found the setup to be a bit tricky, as the config syntax differs greatly between the current weasis-pacs-connector version (the master branch found here) and v5.0.1, which is the latest pre-compiled version available on sourceforge as of this writing. So I decided to write up some instructions.
Step 1: Download the correct properties file
The first step is to copy weasis-connector-default.properties from the correct branch of the weasis-pacs-connector git repo, rename it to weasis-pacs-connector.properties, and place this file in the appropriate folder according to your JBoss / Wildfly version, as described in the docs here.
On my system, running a JBoss version earlier than 7, the location is $DCM4CHEE/server/default/conf/.
If you are using weasis-pacs-connector v5.0.1, then the direct link to the properties file is here. If you are using the latest master branch version (which I am told will in the near future become v6.x), the link is here. Again, be careful to get this right as this file has changed quite a bit between v5.0.1 and the current latest version.
The next step differs based on your version of weasis-pacs-connector.
Step 2 for weasis-pacs-connector v5.0.1
If you’ve downloaded the correct weasis-pacs-connector.properties file then this step will be rather self-explanatory, as the options related to turning on TLS are already referenced within this file. Simply uncomment / edit them so that they match the details of your install. My file looks like this:

    ##### Using TLS to query the PACS
    pacs.tls.mode=true
    ##### Need client authentication for TLS
    #pacs.tlsNeedClientAuth=false
    ##### File path or URL of key store containing the private key
    pacs.keystoreURL=/opt/dcm4chee/server/default/conf/keystore.jks
    ##### Type of key store containing the private key, JKS by default
    #pacs.keystoreType=JKS
    ##### Password for key store containing the private key
    pacs.keystorePass=mykeypwd
    ##### Password for accessing the key in the key store, key store password by default
    #pacs.keyPass=keypwd
    ##### File path or URL of key store containing trusted certificates
    pacs.truststoreURL=/opt/dcm4chee/server/default/conf/trust.jks
    ##### Type of key store with trusted certificates, JKS by default
    #pacs.truststoreType=JKS
    ##### Password for key store with trusted certificates
    pacs.truststorePass=mytrustpwd

Step 2 for weasis-pacs-connector “v6.x” / “current” master
Note: These are directions for the “latest” (at the time of this writing) version of weasis-pacs-connector grabbed directly from the master branch of the git repo (again, as it was at the time of this writing) and built from source. I have been told this version will soon become v6.x, however, as these instructions are against the ‘latest’ master which has not yet been tagged with an official release version, they may become quickly outdated. So take the below with a grain of salt and continue to refer to the official docs.
If you’ve already downloaded the correct weasis-connector-default.properties file the next step is to download dicom-dcm4chee.properties from the same git repo and plop it into the same directory as weasis-pacs-connector.properties. However you must rename it such that it is not named one of:
- dicom-dcm4chee.properties
- dicom-vital-it.properties
- db-dcm4chee.properties

as these are *already* packaged with the weasis-pacs-connector war archive and the settings in these files (which do *not* enable TLS) will override your custom defined file if it has one of these names. My file is named dicom-dcm4chee-local.properties.
Make the appropriate edits for your system. My file looks like:

    ########## DICOM Query of archive (PACS, MACS or VNA) ##########
    # ID of the archive (Mandatory property), alphanumeric value
    arc.id=1000
    # Query automatically the archive when true. Otherwise requires to have the archive ID in the request URL (ex. http://host?patientID=9702672&archive=1000)
    arc.activate=true
    # list of previous archive IDs (separate by a comma) where the images has been migrated in this archive
    arc.inherit.ids=
    # AET, hostname and port of the archive (Mandatory properties)
    arc.aet=DCM4CHEE
    arc.host=localhost
    arc.port=11112
    ##### Using TLS to query
    arc.tls.mode=true
    ##### Need client authentication for TLS
    # arc.tlsNeedClientAuth=false
    ##### File path or URL of key store containing the private key
    arc.keystoreURL=/opt/dcm4chee/server/default/conf/security/node1.jks
    ##### Type of key store containing the private key, JKS by default
    arc.keystoreType=JKS
    ##### Password for key store containing the private key
    arc.keystorePass=yourkeystorepass
    ##### Password for accessing the key in the key store, key store password by default
    #arc.keyPass=keypwd
    ##### File path or URL of key store containing trusted certificates
    arc.truststoreURL=/opt/dcm4chee/server/default/conf/security/trust.jks
    ##### Type of key store with trusted certificates, JKS by default
    #arc.truststoreType=JKS
    ##### Password for key store with trusted certificates
    arc.truststorePass=yourtruststorepass
    ##### Base URL of the WADO server (Mandatory property)
    arc.wado.url=${server.base.url}/wado
    ##### Request a specific transfer syntax (no value in dcm4chee will return the stored syntax)
    ##### For lossy syntax, quality in % can be added (wado.request.tsuid=1.2.840.10008.1.2.4.91:82)
    #wado.request.tsuid=1.2.840.10008.1.2.1
    ##### If the WADO server requires an http authentication (arc.web.login=user:pwd)
    #arc.web.login=
    ##### Allows additional parameters at the end of the WADO URL
    #wado.addparams=
    ##### True if the WADO server supports request with only the SopInstanceUID (standard is Study, Series and Instance UID), default value is false
    #wado.onlysopuid=false
    ##### Set a DICOM tag list (comma-separated integer values) that will be used to override downloaded DICOM files by the values in the wado xml file.
    #wado.override.tags=
    ##### Set a HTTP tag list (comma-separated key:value). The tags will be included in the HTTP header of each WADO request.
    ##### Ex. wado.httpTags=X-Time:23424324,X-Value:32443432
    #wado.httpTags=

Finally, open up weasis-pacs-connector.properties and make sure this file is properly referenced, like so:
arc.config.list=dicom-dcm4chee-local.properties
Step 3: Restart dcm4chee
Restart dcm4chee and open up a DICOM archive w/ Weasis via dcm4chee-web3 or otherwise. It should now work w/ TLS.
Random troubleshooting
Possible problems:
- If you changed the AE title of your dcm4chee instance, make sure to make the appropriate adjustments in the weasis-pacs-connector config files. If the config files still carry the old AE title, Weasis will fail to load studies whether or not TLS mode is on.
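
A pre-restart check for the "v6.x" archive properties file from Step 2 that also covers the AE title problem above. This is an added example, not code from weasis-pacs-connector or dcm4chee: the function names are hypothetical, the property keys are the ones shown in this article, and it assumes arc.keystoreURL / arc.truststoreURL are local file paths rather than URLs.

```python
import os
import stat

# Names the article lists as already packaged in the connector WAR; a custom
# file with one of these names is overridden by the packaged (non-TLS) copy.
PACKAGED_NAMES = {"dicom-dcm4chee.properties", "dicom-vital-it.properties",
                  "db-dcm4chee.properties"}

def parse_properties(text):
    """Minimal key=value parser: skips blank lines and '#' comment lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def check_archive_config(path, expected_aet):
    """Return a list of findings for a v6-style arc.* properties file."""
    findings = []
    if os.path.basename(path) in PACKAGED_NAMES:
        findings.append("file name collides with a packaged properties file")
    with open(path, encoding="utf-8") as fh:
        props = parse_properties(fh.read())
    if props.get("arc.tls.mode", "").lower() != "true":
        findings.append("arc.tls.mode is not true")
    if props.get("arc.aet") != expected_aet:
        findings.append("arc.aet does not match the archive AE title")
    for store in ("keystore", "truststore"):
        url = props.get(f"arc.{store}URL", "")
        if not url:
            findings.append(f"arc.{store}URL is not set")
        elif not os.path.isfile(url):  # assumption: local path, not a URL
            findings.append(f"arc.{store}URL does not exist: {url}")
        if not props.get(f"arc.{store}Pass"):
            findings.append(f"arc.{store}Pass is not set")
    # The file holds the store passwords in clear text, so flag loose modes.
    if os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("file is readable by group/other")
    return findings

if __name__ == "__main__":
    import sys
    for finding in check_archive_config(sys.argv[1], sys.argv[2]):
        print("FINDING:", finding)
```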