User guide

This user guide provides a detailed overview of each page available in the Karnak web interface, focusing on the sections listed in the left-hand menu.

Subsections of User guide

Gateway

Forward Node

This page lists all the forward nodes configured in Karnak and allows to edit, create and delete nodes. The forward node contains the configuration of the DICOM node’s Application Entity.

gateway_page gateway_page

1. Creation of a forward node

After clicking on the New Forward Node button, a form will appear as illustrated below.

New Forward Node New Forward Node

To create a new forward node, the “Forward AETitle” input must be filled, then click on the “Add” button. Once added, it will appear in the list of forward nodes and will be selected. The Forward AETitle must be unique.

2. Forward node list

This list displays all the forward nodes created in the Karnak instance. A forward node can be selected to view and manage its details on the right panel.

3. Forward node parameters

The value of the forward AETitle and its description can be modified after creation on the detailed view of the forward node. To save your changes, click on the “Save” button.

4. Forward node sources or destinations

In the forward node’s details, source control can be configured, checking if the received DICOM is provided from a known source. Destinations can also be created and configured to distribute received DICOM instances. These destinations can communicate with the DICOM or DICOM WEB protocol.

gateway destinations gateway destinations

4.1 Navigation

Depending on the selected tab, the list of destinations or sources associated to this forward node will be displayed.

4.2 Filtering

The destination’s list filter is applied to the destination description.

The source’s list filter is applied to the AE title, hostname and description source.

4.3 List

All the destinations or sources associated to the forward node are displayed here.

Click on an element of the list will open its detailed view, also allowing its edition.

4.4 Actions

The action buttons depend on the current tab selected.

In the Destinations view, two actions are displayed, corresponding to the protocol associated to the destination being created. The available protocols are either DICOM or DICOM WEB. The Destination creation is detailed in the section Destinations.

In the Sources view, a button for creating a new Source is displayed. The Source creation is detailed in the Sources page.

Sources button Sources button

5. Forward node actions

Three actions are available:

  • Save: saves the changes made on the forward node parameters
  • Delete: deletes the selected forward node
  • Cancel: reverts the changes made on the forward node parameters

Subsections of Gateway

Destinations

Depending on the associated protocol, two types of destinations can be created: DICOM Destinations or STOW Destinations protocol.

DICOM Destination

The following fields are required for the DICOM Destination creation:

  • AETitle
  • Hostname
  • Port (Should be between 1 and 65535)

Creation source Creation source

1. Destination parameters

These fields define the destination Karnak should send the instances to.

Condition is an optional field that can contain an expression. If the condition is met, the destination will be activated. See Conditions for more details.

The hostname and the port will be used to define the host in case the “Use AETitle destination” is not checked.

2. Transfer Syntax

This field defines the transfer syntax used.

3. Use AETitle destination

If “Use AETitle destination” is checked, the AETitle will be used as host.

4. Notifications

If the notifications are activated, automatic emails are generated and sent by Karnak, summarizing successfully forwarded instances as well as errors.

Notifications Notifications

  • List of emails: comma separated list of emails that the email notification will be sent to
  • Error subject prefix: prefix of the email object an issue occurred. Default value: **ERROR**
  • Rejection subject prefix: prefix of the email object an instance is not sent because of some defined filter or criteria. Default value: **REJECTED**
  • Subject pattern: pattern of the email object in Java String Format. Default value: [Karnak Notification] %s %.30s
  • Subject values: attribute values that can be injected in the subject pattern. The attributes that can be injected are: PatientID, StudyDescription, StudyDate, StudyInstanceUID. Default value: PatientID,StudyDescription
  • Interval: interval in seconds for the notification generation. Once an instance is received, it will wait for the number of seconds defined and aggregate the information so that only one email is sent in that period of time. Default value: 45
5. Tag morphing

To activate tag morphing, it is required to create a new project first. The tag morphing needs a project to be selected. The applied profile is displayed below with its version.

Tag Morphing Tag Morphing

6. De-identification
Note
Activate de-identification and Activate tag morphing are mutually exclusive options. They cannot be both selected since they are incompatible with each other.

To activate de-identification, it is required to create a new project first.

If a project does not exist, a popup will be displayed.

Popup deidentificatio Popup deidentificatio

  • Create a project redirects to the page project. If this option is chosen, all previously made changes in the destination form will be lost

  • Continue will close the pop-up, and the de-identification will not be activated

If a project exists, de-identification can be configured as detailed below.

Configure de-identification Configure de-identification

Project

De-identification requires a project to be selected. The applied profile is displayed below with its version.

Pseudonym Type

The pseudonym types are detailed below:

  • Pseudonym is already stored in KARNAK: queries the pseudonym stored in the internal cache as explained in External Pseudonym. In case a pseudonym is not returned by the cache, the transfer of the current DICOM instance is aborted.
  • Pseudonym is in a DICOM tag: retrieves the pseudonym in the specified DICOM tag. It requires the tag number. It is possible to use the delimiter and position fields to split the content of the tag and retrieve a part of it. Otherwise, the entire tag’s value is used as the pseudonym.

Pseudonym is in a DICOM tag Pseudonym is in a DICOM tag

Issuer of Patient ID by default

The value contained in this field is used when retrieving the pseudonym using the External Pseudonym. The pseudonym is queried based on the Patient ID and the Issuer of the Patient ID value.

7. Authorized SOPs

This field defines a list of SOPs that are used to filter the DICOM instances. If this option is activated, the list can be filled using DICOM SOPs values. If this option is not activated, any SOPs will be transferred without restrictions.

SOP Filter SOP Filter

8. Enable the destination

This field allows a destination to be disabled, meaning that no DICOM instances will be transferred to that destination.

9. Action buttons

Three actions are available:

  • Save: saves the changes made on the destination
  • Delete: deletes the selected destination
  • Cancel: reverts the changes made on the destination

STOW Destination

The URL is required for the STOW Destination creation.

Only the parts that differ from the DICOM Destination configuration will be detailed here. For more information on the parts not highlighted, please refer to the DICOM Destinations.

Creation source Creation source

1. Destination parameters

These fields define the destination Karnak should send the instances to.

Condition is an optional field that can contain an expression. If the condition is met, the destination will be activated. See Conditions for more details.

The Headers field contains the HTTP headers that are added to the HTTP request. The headers are defined with key and value tags, see below for examples.

The button Generate Authorization Header displays a popup that will generate the headers in the correct format based on the Authorization type selected and the relevant information provided. If the header’s value already contains <key>Authorization</key>, an error message will be displayed. If other header values are present, the Authorization header will be appended.

The following Authorization types are supported:

Basic Auth drawing

Generated headers:

<key>Authorization</key>
<value>Basic dXNlcm5hbWU6cGFzc3dvcmQ=</value>

OAuth 2 drawing

Generated headers:

<key>Authorization</key>
<value>Bearer 1234567890</value>
2. Switching in different Kheops albums

If the destination is a Kheops endpoint, it is possible to configure multiple albums by selecting the option “Switching in different KHEOPS albums”.

Explanations for configuring Kheops-related parameters can be found in the Kheops chapter.

Sources

Sources

The Sources tab contains a list of configured sources for the forward node.

Sources view Sources view

A source is used to perform control over the sending entity to the associated forward node. It checks if the received DICOM instance is provided from a known AET.

If no sources are defined, the forward node will receive DICOM instances from any AET.

Creation source Creation source

The field AETitle is mandatory.

The fields Description and Hostname are optional. If the “Check the hostname” option is selected, the Hostname’s field value will also be used to filter DICOM instances based on the sending AET.

Profiles

This page lists all the profiles configured in Karnak and allows to edit, create and delete them. A profile contains a definition of actions that should be applied to a DICOM instance before being sent.

The “Dicom Basic Profile” is present by default and cannot be deleted. This profile is detailed in the section How does de-identification work?. This profile cannot be deleted or edited, except for the value of default issuer of patient ID.

profile page profile page

1. Profile drag and drop area

A profile can only be created by importing a YAML file using the top right component of the Profiles view. The file can be selected by clicking the “Upload File” button or drag and dropped there. It will be loaded and analyzed. If there are no errors, a new profile will automatically be created with the content of the file, and added to the list of profiles.

2. Profile list

All the profiles available are listed here. A profile can evolve and be present in the list under the same name but with a different version.

By selecting a profile in the list, its details are displayed on the right.

3. Profile details

This area contains the details of a profile.

If the profile is selected in the list, its details will appear on the right panel.

Some information can be edited such as the name, version and minimum required version of Karnak, by clicking on the pen icon.

profile edit profile edit

The field’s value can be edited, the changes are saved by clicking on the check mark button and reverted by clicking on the cross button.

profile edit profile edit

The rest of the profile cannot be modified.

The entire profile can be downloaded as a YAML file by clicking on the button on the right or deleted by clicking on the button on the left.

Profile actions Profile actions

If a YAML file was imported, this view will display the details of the newly created profile, if no errors occurred during the import and the creation was successful.

If some errors occurred during the profile creation, the profile won’t be created and added to the profiles’ list. The errors will be displayed in the right panel with details about the source of the error(s). An example is shown below.

profile page profile page

Projects

This page lists all the projects configured in Karnak and allows to edit, create and delete them. A project is linked to a profile and contains a secret used for de-identification.

project page project page

1. Create a project

To create a new project, the project name field and the profile select box must be filled, then click on the button “Add”. The project will be added to the list of projects and its details displayed in the right panel.

2. Project list

All the projects available are listed here. By selecting a project in the list, its details are displayed on the right.

3. Project details

In the details view, the project name and de-identification profile can be modified. The changes must then be saved using the “Update” button.

4. Project secret

The project’s secret is at the core of Karnak, more specifically for the de-identification process. It is a 32-character hexadecimal value.

The project’s secret is automatically generated when the project is created. The date and time of the secret’s creation are appended at the end of the secret in the details view.

A new secret can be generated by clicking the “Generate Secret” button. If new secrets are generated, previous secrets are saved in the database. Previous versions can be selected to be used.

project secret history project secret history

Note

Changing the project’s secret can cause data consistency issues

A destination is associated with a project regarding the de-identification, as explained in the Destination configuration

In order to generate new values, as well as pseudonymize certain patient information, a hash function is used with the secret as seed to have a project-wise unique yet determinist generated value. When the secret is changed, it must be taken into consideration that this determinist mechanism will be broken. If a DICOM instance is de-identified twice using the same project, same secret and same profile, the resulting de-identified instances will be the equal. If the secret is changed, then the same DICOM instance de-identified twice, using the same project, same profile but a new secret will result in different de-identified instances.

Details about the algorithm and UID generation using the project’s secret can be found here.

5. Action buttons

Any change done on the project’s details must be persisted using the “Update” button.

The selected project can be deleted by clicking on the “Remove” button. If the project is associated to a destination, an error message will be displayed.

Delete error Delete error

External Pseudonym

In this page, pseudonyms can be created or imported, and will then be used during de-identification by Karnak. The de-identification process and how the pseudonym is used is detailed in the Pseudonym chapter.

The activation of de-identification is done in the Destination configuration.

The created or imported pseudonyms in this page are stored in a cache that will be cleared after a maximum of 7 days. The pseudonyms saved will also be lost in case Karnak is restarted.

External pseudonym cache External pseudonym cache

1. Choose a project

External pseudonyms are linked to a project. It allows Karnak to handle properly the case where a patient is participating in multiple clinical studies, as well as potential collisions.

2. Upload a CSV file

A CSV file containing external pseudonyms can be uploaded by clicking the “Upload File” button or drag and dropped there. It launches the import process.

A pop-up is displayed asking for the separator of the CSV file. By default, the value is set to “,”.

External pseudonym pop-up External pseudonym pop-up

After clicking on the “Open CSV” button, a grid is displayed containing the CSV file data.

External pseudonym CSV Dialog External pseudonym CSV Dialog

2.1 From line

This field defines the index of the first line of the CSV file to import. It allows to skip a number of lines at the beginning of the file, especially if it contains headers.

External pseudonym CSV Dialog 2 External pseudonym CSV Dialog 2

2.2 Columns assignments

In this view, the CSV columns are associated with the corresponding pseudonym attributes. All the fields are mandatory, except the Issuer of patient ID.

External pseudonym CSV Dialog 3 External pseudonym CSV Dialog 3

2.3 Upload CSV

The “Upload CSV” button will start importing the CSV data. It performs data validation on the data, such as Patient ID or Pseudonym duplication.

3. Add a new patient

It’s also possible to add an external pseudonym manually. All the fields are mandatory, except the Issuer of patient ID.

Clicking on “Add patient” will add the entered data into the external pseudonyms table.

4. Delete all patients

This button will delete all the external pseudonyms stored in the cache but linked to the selected project. The other pseudonyms linked to other projects won’t be impacted.

A popup will be displayed before the deletion is effectively done, asking for the confirmation of the user.

5. Pseudonym edition

Once stored in the cache, it is possible to edit the patient fields by clicking on the “Edit” button on the external pseudonym row that should be modified. The external pseudonym can also be deleted by clicking in the “Delete” button on the external pseudonym row that should be removed.

Multiple rows can be selected by checking the boxes on the left of each row. These rows can be deleted by clicking on the “Delete selected patients” at the top of the external pseudonyms table. Again, a confirmation is asked before the deletion is performed.

External pseudonym CSV Dialog 2 External pseudonym CSV Dialog 2

Pseudonym mapping

The pseudonym mapping is used to retrieve the mapping of pseudonyms added in the External pseudonym view.

pseudonym mapping view pseudonym mapping view

1. Search field

In order to retrieve the original value, enter the pseudonym and click on the “Find” button. The search is case-sensitive.

2. Results

If a correspondence is found, it is displayed below. “[External]” means that the match was found in the external pseudonym table followed by the associated project. The original patient data is displayed as well.

If that pseudonym has no correspondence, an error message will be displayed as illustrated below.

pseudonym mapping not found pseudonym mapping not found

Monitoring

monitoring view monitoring view

Monitoring view is used to follow transfers in progress or recent transfers.

Currently limited to 150000 transfers, it is possible to browse the different pages via the navigation bar at the bottom center of the view

An automatic cleaning occurs on the monitoring tables, if the limit is exceeded.

The view displays the most recent transfers and is ordered with most recent first.

Filters are available to easily browse or find a transfer.

It is possible to export the list of transfers via the export functionality in csv format depending on the filters selected.

By clicking on a transfer, its details are displayed containing the de-identified and original information.

1. Filters

monitoring filters monitoring filters

Filters allow to easily search and browse transfers. It is possible to filter by:

  • Date/Time of transfers
  • Study UID (original or de-identified)
  • Serie UID (original or de-identified)
  • Sop Instance UID (original or de-identified)
  • Status of the transfer (not sent, sent, all, excluded and error)

The status of a transfer is defined as follows :

  • if the instance was successfully sent, it appears with the label “Sent” in green
  • if the instance was not sent because of the SOP filter, the destination condition or the use of ExcludeInstance() in the profile, it appears in orange with a label corresponding to the reason why it was excluded
  • if the instance was not sent because an unexpected error occurred, it will appear in red with a label corresponding to the error that occurred

Transfer statuses Transfer statuses

2. Browsing

monitoring browsing monitoring browsing

It is possible to go through the different pages of the list of transfers by using the navigation bar.

3. Refresh

monitoring refresh monitoring refresh

By clicking on the refresh button, the list of transfers is updated with last transfers.

4. Export

monitoring export settings monitoring export settings

Export settings allow to customize the csv before exporting it. It is possible to change the csv delimiter and the quote character of the file.

monitoring export button monitoring export button

Once customized, the export is launched by clicking on the export button.

monitoring export csv monitoring export csv

Export will use the filters selected in the monitoring view and export only transfers matching the filters’ criteria.

DICOM tools

This page provides an overview of the utility tools available in the DICOM Tools module, designed to assist with connectivity, query, and status checks for DICOM servers. These tools enable users to:

  • Test the availability of a DICOM node using DICOM Echo
  • Query a DICOM Worklist and display the DICOM result
  • Group and monitor DICOM nodes using DICOM Echo and WADO protocols

The different modules are accessed through the tabs at the top of the page.

DICOM Tools main page DICOM Tools main page

Those functionalities will be presented in details below.

DICOM Echo tab

This tool tests the DICOM communication between 2 AETs.

The field “Calling AETitle” defines the identity of the calling DICOM entity. The field “Called AETitle” defines the identity of the DICOM entity to test. The field “Called Hostname” and “Called Port” define the hostname and port of the DICOM node to test.

All the fields are mandatory to execute the ECHO test.

Clicking on the button “Echo” will launch the connectivity test and DICOM Echo command. Below is an example of a successful test.

DICOM Tools Echo success DICOM Tools Echo success

In this example, the “Called AETitle” value is purposely wrong, we can see that the network connectivity test is successful but not the DICOM Echo, displaying the reason of the failure.

DICOM Tools Echo error DICOM Tools Echo error

Select Node Utility

The Select Node popup can be displayed by clicking on the “Select Node” button.

DICOM Tools Select Node DICOM Tools Select Node

The type of DICOM Node is set in the “Dicom Nodes Type” field. The list of values in the “Dicom Node” field is then updated according to the selected node type. The values can be filtered in this field by typing directly a string that will be matched against the AET, hostname, port or description.

Clicking on the “Select” button will automatically fill the Called AETitle, Called Hostname and Called Port fields with the values of the selected DICOM node.

DICOM Tools Select Node DICOM Tools Select Node

DICOM Worklist tab

This tool retrieves the content of a DICOM Worklist and tests their behavior and connectivity.

DICOM Tools Worklist main page DICOM Tools Worklist main page

Worklist Configuration

The field “Calling AETitle” defines the identity of the calling DICOM entity. The field “Worklist AET” defines the identity of the worklist to test. The field “Worklist Hostname” and “Worklist Port” define the hostname and port of the worklist to test.

All the fields are mandatory to retrieve the worklist content.

Worklist Query

Additionally, some fields are defined to filter the results returned by the worklist. These fields are optional. If none are filled, no filters are applied and all the elements of the worklist are retrieved.

Query Results

Clicking on the button “Select Worklist” will launch the test and data retrieval. The retrieved worklist data is displayed in a table, that can be sorted by column, by clicking on its header.

Worklist success Worklist success

Select Worklist Utility

The Select Worklist popup can be displayed by clicking on the “Select Worklist” button.

DICOM Tools Select worklist DICOM Tools Select worklist

A list of available worklist will be displayed and a node can be selected. The worklists can be filtered in this field by typing directly a string that will be matched against the AET, hostname, port or description.

Clicking on the “Select” button will automatically fill the Worklist AET, Worklist Hostname and Worklist Port fields with the values of the selected DICOM worklist.

DICOM Tools Select worklist result DICOM Tools Select worklist result

Monitor tab

This tool checks the status of DICOM nodes using both DICOM and WADO protocols.

DICOM Tools Monitor DICOM Tools Monitor

DICOM ECHO

A DICOM node must be selected in the list, and the button “Check” can be clicked to launch the DICOM Echo test for that node. Below is an example of a successful DICOM Echo test.

Monitor DICOM Echo Monitor DICOM Echo

WADO

A DICOM node must be selected in the list, and the button “Check” can be clicked to launch the WADO test for that node. Below is an example of a successful WADO test.

Monitor DICOM WADO Monitor DICOM WADO

Kheops

Create a destination album

To create a Kheops album as a destination, the following values must be set:

  • Protocol: STOW
  • DICOM endpoint: /api/studies

To create the album destination, please refer to the official documentation. of Kheops.

Once the album is created, please follow these steps to configure the album as a destination in Karnak.

  1. Create a new token New token New token

  2. Give WRITE permission to the token and set the expiration date New token New token

  3. Copy the authentication token value to be used in the header of your Karnak destination New token New token

The creation and configuration of a STOW Destination in Karnak is detailed here.

Switching in different Kheops albums

When a destination points to a Kheops album, the data can be propagated to underlying albums.

This is useful when a cohort of studies is sent to a research group for example, without sharing all the album studies.

Studies cannot be shared between different Kheops instances, one destination must be configured in Karnak per Kheops instance.

The purpose of this functionality is to take advantage of the Kheops API to propagate the data to different places without having to create new destinations in Karnak. At the same time, the data is split according to rules defined in Kheops to prevent data leakage and allow the authorized persons to access only the relevant data and not all the main album.

The following diagram illustrates the behavior of data being processed through Karnak and sent to multiple Kheops albums.

graph LR;
  A(DICOM Data) --> B[Karnak]
  
  subgraph Kheops
    D[Main Album] --> E[Album X]
    D --> F[Album Y]
  end
  
  B --> D

First, a DICOM instance is received by Karnak. After processing it, it sends the instance to the main Kheops album. Depending on existing rules and conditions, the instance will also be shared to the album X and Y.

Create a switching Kheops album

To share a DICOM instance in different Kheops albums, the following fields must be filled and validated by clicking on Add button.

Switching Switching

Fields Description
Url API The url of the Kheops API
Valid token of destination The token to write to the album destination. Need WRITE permission
Valid token of source The token to shared from the album source. Need READ, SEND (Sharing in the Kheops UI) permission

The condition field defines a condition to enable sharing an instance to a specific album if it is evaluated to true.

The conditions syntax and usage is detailed in the Conditions page.