Dcm4chee: Getting Weasis Working w/ TLS Encryption

After having set up dcm4chee w/ TLS encryption and gleefully performing a few dcmsnds or dcmqrs, you may find yourself a bit frustrated to discover that Weasis no longer seems to work with dcm4chee via weasis-pacs-connector.

Note: This is a follow-up article to setting up dcm4chee w/ TLS. Also, the below has only been tested with dcm4chee2.x.

Weasis working with TLS, launched using dcm4chee-web3.


In my case, this was because the C-FINDs that weasis-pacs-connector uses to tell Weasis the URIs of the images it needs to download aren’t set up to use TLS by default. Opening up dcm4chee’s log, you should see some errors to that effect. This is a bit frustrating given that weasis-pacs-connector runs on the *same box* *via* dcm4chee and so presumably shouldn’t need this extra layer of authentication. Alas this is not the case.

Luckily, weasis-pacs-connector does come with config options to enable TLS. However, I found the setup to be a bit tricky, as the config syntax differs greatly between the current weasis-pacs-connector version (the master branch found here) and v5.0.1, which is the latest pre-compiled version available on sourceforge as of this writing. So I decided to write up some instructions.

Step 1: Download the correct properties file

The first step is to copy weasis-connector-default.properties from the correct branch of the weasis-pacs-connector git repo, rename it to weasis-pacs-connector.properties, and place this file in the appropriate folder according to your JBoss / Wildfly version, as described in the docs here.

On my system, running a JBoss version older than 7, the location is $DCM4CHEE/server/default/conf/.

If you are using weasis-pacs-connector v5.0.1, then the direct link to the properties file is here. If you are using the latest master branch version (which I am told will in the near future become v6.x), the link is here. Again, be careful to get this right as this file has changed quite a bit between v5.0.1 and the current latest version.

The next step differs based on your version of weasis-pacs-connector.

Step 2 for weasis-pacs-connector v5.0.1

If you’ve downloaded the correct weasis-pacs-connector.properties file then this step will be rather self-explanatory, as the options related to turning on TLS are already referenced within this file. Simply uncomment / edit them so that they match the details of your install. My file looks like this:

##### Using TLS to query the PACS
pacs.tls.mode=true
##### Need client authentication for TLS
#pacs.tlsNeedClientAuth=false
##### File path or URL of key store containing the private key
pacs.keystoreURL=/opt/dcm4chee/server/default/conf/keystore.jks
##### Type of key store containing the private key, JKS by default
#pacs.keystoreType=JKS
##### Password for key store containing the private key
pacs.keystorePass=mykeypwd
##### Password for accessing the key in the key store, key store password by default
#pacs.keyPass=keypwd
##### File path or URL of key store containing trusted certificates
pacs.truststoreURL=/opt/dcm4chee/server/default/conf/trust.jks
##### Type of key store with trusted certificates, JKS by default
#pacs.truststoreType=JKS
##### Password for key store with trusted certificates
pacs.truststorePass=mytrustpwd

Step 2 for weasis-pacs-connector “v6.x” / “current” master

Note: These are directions for the “latest” (at the time of this writing) version of weasis-pacs-connector grabbed directly from the master branch of the git repo (again, as it was at the time of this writing) and built from source. I have been told this version will soon become v6.x, however, as these instructions are against the ‘latest’ master which has not yet been tagged with an official release version, they may become quickly outdated. So take the below with a grain of salt and continue to refer to the official docs.

If you’ve already downloaded the correct weasis-connector-default.properties file the next step is to download dicom-dcm4chee.properties from the same git repo and plop it into the same directory as weasis-pacs-connector.properties. However you must rename it such that it is not named one of:

dicom-dcm4chee.properties
dicom-vital-it.properties
db-dcm4chee.properties

as these are *already* packaged with the weasis-pacs-connector war archive and the settings in these files (which do *not* enable TLS) will override your custom defined file if it has one of these names. My file is named dicom-dcm4chee-local.properties.

Make the appropriate edits for your system. My file looks like:

##########  DICOM Query of archive (PACS, MACS or VNA) ##########
# ID of the archive (Mandatory property), alphanumeric value
arc.id=1000
# Query automatically the archive when true. Otherwise requires to have the archive ID in the request URL (ex. http://host?patientID=9702672&archive=1000) 
arc.activate=true
# list of previous archive IDs (separate by a comma) where the images has been migrated in this archive
arc.inherit.ids=
# AET, hostname and port of the archive (Mandatory properties)
arc.aet=DCM4CHEE
arc.host=localhost
arc.port=11112

##### Using TLS to query
arc.tls.mode=true
##### Need client authentication for TLS
# arc.tlsNeedClientAuth=false
##### File path or URL of key store containing the private key
arc.keystoreURL=/opt/dcm4chee/server/default/conf/security/node1.jks
##### Type of key store containing the private key, JKS by default
arc.keystoreType=JKS
##### Password for key store containing the private key
arc.keystorePass=yourkeystorepass
##### Password for accessing the key in the key store, key store password by default
#arc.keyPass=keypwd
##### File path or URL of key store containing trusted certificates
arc.truststoreURL=/opt/dcm4chee/server/default/conf/security/trust.jks
##### Type of key store with trusted certificates, JKS by default
#arc.truststoreType=JKS
##### Password for key store with trusted certificates
arc.truststorePass=yourtruststorepass

##### Base URL of the WADO server (Mandatory property)
arc.wado.url=${server.base.url}/wado
##### Request a specific transfer syntax (no value in dcm4chee will return the stored syntax)
##### For lossy syntax, quality in % can be added (wado.request.tsuid=1.2.840.10008.1.2.4.91:82)
#wado.request.tsuid=1.2.840.10008.1.2.1
##### If the WADO server requires an http authentication (arc.web.login=user:pwd)
#arc.web.login=
##### Allows additional parameters at the end of the WADO URL
#wado.addparams=
##### True if the WADO server supports request with only the SopInstanceUID (standard is Study, Series and Intance UID), default value is false
#wado.onlysopuid=false
##### Set a DICOM tag list (comma-separated integer values) that will be used to override downloaded DICOM files by the values in the wado xml file.
#wado.override.tags=
##### Set a HTTP tag list (comma-separated key:value). The tags will be included in the HTTP header of each WADO request. 
##### Ex. wado.httpTags=X-Time:23424324,X-Value:32443432
#wado.httpTags=

Finally, open up weasis-pacs-connector.properties and make sure this file is properly referenced, like so:

arc.config.list=dicom-dcm4chee-local.properties

Step 3: Restart dcm4chee

Restart dcm4chee and open up a DICOM archive w/ Weasis via dcm4chee-web3 or otherwise. It should now work w/ TLS.
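
A check worth running before the restart, for the master-branch layout from Step 2: it catches a file name shadowed by the war, TLS left switched off, missing keystore or truststore files, and a properties file that is world-readable even though it holds the store passwords in clear text. This is an added example, not code from the original article or from weasis-pacs-connector; the function names are hypothetical, `arc.config.list` is assumed to be comma-separated, and only local store paths (not URLs) are checked.

```python
import os
import stat
import tempfile

# File names the article lists as already packaged in the war; a custom file must avoid them.
PACKAGED = {"dicom-dcm4chee.properties", "dicom-vital-it.properties", "db-dcm4chee.properties"}

def load_props(path):
    """Parse key=value lines, skipping '#' comments (a subset of .properties syntax)."""
    with open(path, encoding="utf-8") as fh:
        lines = [line.strip() for line in fh]
    pairs = (ln.split("=", 1) for ln in lines if "=" in ln and not ln.startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def check_connector_tls(conf_dir):
    """Return findings; assumes arc.config.list is comma-separated (article shows one entry)."""
    main = load_props(os.path.join(conf_dir, "weasis-pacs-connector.properties"))
    names = [n.strip() for n in main.get("arc.config.list", "").split(",") if n.strip()]
    findings = [] if names else ["arc.config.list is empty"]
    for name in names:
        path = os.path.join(conf_dir, name)
        if name in PACKAGED:
            findings.append(f"{name}: name collides with a file packaged in the war")
        elif not os.path.isfile(path):
            findings.append(f"{name}: listed in arc.config.list but not found")
        else:
            arc = load_props(path)
            if arc.get("arc.tls.mode", "").lower() != "true":
                findings.append(f"{name}: arc.tls.mode is not true")
            for key in ("arc.keystoreURL", "arc.truststoreURL"):
                store = arc.get(key, "")
                if "://" not in store and not os.path.isfile(store):  # local paths only
                    findings.append(f"{name}: {key} is not an existing file")
            if os.stat(path).st_mode & stat.S_IROTH:  # store passwords are in clear text
                findings.append(f"{name}: world-readable but holds store passwords")
    return findings

def demo():
    """Constructed sample: TLS line left commented out, keystore missing, mode 0644."""
    d = tempfile.mkdtemp()
    arc_path = os.path.join(d, "dicom-dcm4chee-local.properties")
    with open(os.path.join(d, "weasis-pacs-connector.properties"), "w") as fh:
        fh.write("arc.config.list=dicom-dcm4chee-local.properties\n")
    with open(arc_path, "w") as fh:
        fh.write("#arc.tls.mode=true\narc.keystoreURL=/nonexistent/node1.jks\n")
    os.chmod(arc_path, 0o644)
    return check_connector_tls(d)

if __name__ == "__main__":
    print("\n".join(demo()))
```

Point `check_connector_tls` at the directory that holds weasis-pacs-connector.properties (on the article's system, $DCM4CHEE/server/default/conf/); an empty list means none of these problems were found.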

Random troubleshooting

Possible problems:

  • If you changed the AE title of your dcm4chee instance, make sure to make the appropriate adjustments in the weasis-pacs-connector config files. Otherwise Weasis will fail to load studies, TLS mode or not.
