.. Annotated source from the orthanc-book Mercurial repository:
   Sphinx/source/faq/https.rst @ 512:be8b638f3f46 ("added mutual auth"),
   author Alain Mazy <alain@mazy.be>, Wed, 16 Sep 2020 11:46:11 +0200,
   parent 18ef1c795d17, child 22e3868d2eb1.
.. _https:

HTTPS encryption with Orthanc
=============================

.. contents::

Overview
--------

It is highly desirable to enable HTTPS (SSL/TLS) encryption with
Orthanc to protect its REST API, as it provides access to medical
information. To this end, you have two possibilities:

1. Put Orthanc behind an enterprise-ready HTTPS server such as
   :ref:`Apache <apache>`, :ref:`nginx <nginx>` or :ref:`Microsoft IIS <iis>`.
2. For simple deployments, use the Orthanc :ref:`built-in HTTPS server <https-builtin>`.

**You should always favor the first option**: a dedicated web server
is where TLS hardening (protocol versions, cipher suites), certificate
renewal and access logging are normally managed. The second option
might make sense in the context of a hospital Intranet, i.e. when the
Orthanc server is not publicly accessible from the Internet.


.. _https-builtin:

Built-in encryption
-------------------

To enable the built-in HTTPS server of Orthanc, you need to:

1. Obtain an `X.509 certificate <https://en.wikipedia.org/wiki/X.509>`_
   in the `PEM format
   <https://en.wikipedia.org/wiki/X.509#Certificate_filename_extensions>`_.
2. Concatenate your private key and this certificate into a single PEM
   file, with the private key first.
3. Set the ``SslEnabled`` and ``SslCertificate`` options in the
   :ref:`Orthanc configuration file <configuration>` (the latter is the
   path to the combined PEM file).


Examples
--------

Securing Orthanc using a self-signed certificate
................................................

.. highlight:: bash

Here are instructions to create a simple self-signed certificate
that is suitable for test environments thanks to the `OpenSSL
<https://en.wikipedia.org/wiki/Openssl>`_ command-line tools::

  $ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /tmp/private.key -out /tmp/certificate.crt
  $ cat /tmp/private.key /tmp/certificate.crt > /tmp/certificate.pem

**Important:** While invoking ``openssl``, make sure to set the option
``Common Name (e.g. server FQDN or YOUR name)`` to the name of your
server. For testing on your local computer, you would set this option
to the value ``localhost``. Note that a certificate generated this way
carries no ``subjectAltName`` extension: ``curl`` falls back to the
Common Name when that extension is absent, but modern web browsers
match the host name against ``subjectAltName`` only and will reject
the certificate, so add that extension if browsers must connect
directly to Orthanc.

The file ``/tmp/certificate.crt`` can be publicly distributed. The
files ``/tmp/private.key`` and ``/tmp/certificate.pem`` both contain
the private key: they must be kept secret, readable only by the
account that runs Orthanc, and stored securely (the ``/tmp`` paths are
used here for the walk-through only).

Some interesting references about generating self-signed certificates
can be found `here <http://www.devsec.org/info/ssl-cert.html>`__,
`here <https://www.akadia.com/services/ssh_test_certificate.html>`__,
and `here
<https://stackoverflow.com/questions/991758/how-to-get-pem-file-from-key-and-crt-files>`__.

.. highlight:: json

Once the certificate is generated, you can start Orthanc using the
following minimal configuration file::

  {
    "SslEnabled" : true,
    "SslCertificate" : "/tmp/certificate.pem"
  }
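
The following script is an added example, not code from the Orthanc
book or the Orthanc project. It carries the three steps above through
in one go and adds the checks a deployment should run before pointing
``SslCertificate`` at the result: it generates the key pair and the
self-signed certificate with OpenSSL, goes beyond the commands above by
adding a ``subjectAltName`` so that browsers (not only ``curl``) accept
the host name, concatenates key and certificate in the order Orthanc
expects, restricts file permissions, confirms that the private key
matches the certificate, and validates the certificate against itself
exactly as ``curl --cacert`` or an Orthanc peer with
``HttpsCACertificates`` will. The directory ``/tmp/orthanc-tls``, the
host-name argument and the function names are the example's own
choices; the ``-addext`` option assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not part of the Orthanc book): generate a self-signed
# certificate for the Orthanc built-in HTTPS server and verify the bundle.
# Assumes OpenSSL >= 1.1.1 for "-addext". Usage:
#   sh make-orthanc-cert.sh generate /tmp/orthanc-tls localhost
set -eu

# Return 0 if FILE is laid out the way Orthanc's "SslCertificate" expects:
# a PEM private-key block followed by at least one certificate block.
# Pure shell, so it can double as a pre-start sanity check.
orthanc_pem_check() {
  file=$1
  key_line=$(grep -n -m1 -- '-----BEGIN .*PRIVATE KEY-----' "$file" | cut -d: -f1 || true)
  crt_line=$(grep -n -m1 -- '-----BEGIN CERTIFICATE-----' "$file" | cut -d: -f1 || true)
  if [ -n "$key_line" ] && [ -n "$crt_line" ] && [ "$key_line" -lt "$crt_line" ]; then
    return 0
  fi
  return 1
}

# Generate private.key + certificate.crt for HOST into DIR and assemble
# certificate.pem (key first, then certificate).
make_orthanc_server_cert() {
  dir=$1
  host=$2
  mkdir -p "$dir"
  chmod 700 "$dir"
  # Self-signed, RSA-2048, one year, no passphrase ("-nodes") because Orthanc
  # cannot prompt for one. The subjectAltName is what browsers verify; the
  # Common Name alone only satisfies curl and older clients.
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
    -keyout "$dir/private.key" -out "$dir/certificate.crt" 2>/dev/null
  cat "$dir/private.key" "$dir/certificate.crt" > "$dir/certificate.pem"
  # Both files hold the private key: readable by the Orthanc account only.
  chmod 600 "$dir/private.key" "$dir/certificate.pem"
  chmod 644 "$dir/certificate.crt"
}

# Checks to run before starting Orthanc with SslCertificate = DIR/certificate.pem.
verify_orthanc_server_cert() {
  dir=$1
  host=$2
  # 1. Bundle layout.
  orthanc_pem_check "$dir/certificate.pem" \
    || { echo "certificate.pem: private key must precede certificate" >&2; return 1; }
  # 2. The key really belongs to the certificate: compare public-key digests.
  crt_pub=$(openssl x509 -in "$dir/certificate.crt" -noout -pubkey \
            | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$dir/private.key" -pubout -outform DER | openssl dgst -sha256)
  [ "$crt_pub" = "$key_pub" ] \
    || { echo "private.key does not match certificate.crt" >&2; return 1; }
  # 3. Not about to expire, and issued for the expected host name.
  openssl x509 -in "$dir/certificate.crt" -noout -checkend 86400 >/dev/null \
    || { echo "certificate expires within a day" >&2; return 1; }
  openssl x509 -in "$dir/certificate.crt" -noout -text | grep -q "DNS:$host" \
    || { echo "no subjectAltName entry for $host" >&2; return 1; }
  # 4. What "curl --cacert certificate.crt" and an Orthanc peer with
  #    HttpsCACertificates = certificate.crt do: validate against that file.
  openssl verify -CAfile "$dir/certificate.crt" "$dir/certificate.crt" >/dev/null
}

case "${1:-}" in
  generate)
    d=${2:-/tmp/orthanc-tls}
    h=${3:-localhost}
    make_orthanc_server_cert "$d" "$h"
    verify_orthanc_server_cert "$d" "$h"
    echo "SslCertificate: $d/certificate.pem"
    ;;
esac
```

``orthanc_pem_check`` needs nothing but ``grep`` and ``cut``, so it can
be run on any host before Orthanc is started; the OpenSSL-based checks
catch the two mistakes that otherwise only surface as a failed
handshake, a key that does not match the certificate and a certificate
issued for the wrong name.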


Querying Orthanc using HTTPS
............................

.. highlight:: txt

If you contact Orthanc using a plain HTTP client, you will see that
encryption is enabled::

  $ curl http://localhost:8042/studies
  curl: (52) Empty reply from server

Nothing is returned from the Orthanc server using the HTTP protocol,
as it must be contacted using the HTTPS protocol. You have to provide
the ``https`` prefix::

  $ curl https://localhost:8042/studies
  curl: (60) SSL certificate problem: self signed certificate
  More details here: https://curl.haxx.se/docs/sslcerts.html

  curl failed to verify the legitimacy of the server and therefore could not
  establish a secure connection to it. To learn more about this situation and
  how to fix it, please visit the web page mentioned above.

The HTTPS client now complains, as it was not provided with our
self-signed certificate. Do not silence this error with ``curl -k``
(``--insecure``) outside of throwaway tests: that flag disables
certificate verification altogether, so the connection would still be
encrypted but could be terminated by anyone. For the query to succeed,
you must instead provide the public certificate ``/tmp/certificate.crt``
that was generated above to the HTTPS client::

  $ curl --cacert /tmp/certificate.crt https://localhost:8042/studies
  [ "66c8e41e-ac3a9029-0b85e42a-8195ee0a-92c2e62e" ]


Configuring Orthanc peers
.........................

.. highlight:: json

Let us configure a second instance of Orthanc on the localhost that
will act as a client (i.e., an :ref:`Orthanc peer <peers>`) to the
HTTPS-protected Orthanc server. One would create the following
configuration file::

  {
    "HttpPort" : 8043,
    "DicomPort" : 4343,
    "OrthancPeers" : {
      "https" : [ "https://localhost:8042/" ]
    }
  }


.. highlight:: bash

The values of the ``HttpPort`` and ``DicomPort`` options are set to
non-default values in order to avoid a collision with the
HTTPS-protected Orthanc. Let us now trigger a query from our Orthanc
client to the Orthanc server using the REST API of the Orthanc
client::

  $ curl http://localhost:8043/peers/https/system
  {
    "Details" : "libCURL error: Problem with the SSL CA cert (path? access rights?)",
    "HttpError" : "Internal Server Error",
    "HttpStatus" : 500,
    [...]
  }

.. highlight:: json

Just like the cURL command-line client, the Orthanc client complains
about the fact that it wasn't provided with the HTTPS public
certificate. The certificate must be provided by adapting the
configuration file as follows::

  {
    "HttpPort" : 8043,
    "DicomPort" : 4343,
    "HttpsCACertificates" : "/tmp/certificate.crt",
    "OrthancPeers" : {
      "https" : [ "https://localhost:8042/" ]
    }
  }


.. highlight:: bash

Using this new configuration, the query will succeed::

  $ curl http://localhost:8043/peers/https/system
  {
    "ApiVersion" : 6,
    "DicomAet" : "ORTHANC",
    "DicomPort" : 4242,
    "HttpPort" : 8042,
    [...]
  }

Two details matter for this check to keep its value. First, the host
name in the peer URL (``localhost`` here) must be the name the server
certificate was issued for, since the client verifies the host name as
well as the signature. Second, the verification only happens because
the ``HttpsVerifyPeers`` option keeps its default value of ``true``;
setting it to ``false`` makes the first configuration "work", but
disables certificate checking for every outgoing HTTPS connection,
which is the same mistake as ``curl -k``.


Securing Orthanc with mutual TLS authentication
...............................................

.. highlight:: json

Once HTTPS is enabled, Orthanc can also be configured to require that
incoming connections present a client certificate that it trusts
(mutual TLS).

Server side, this is configured via::

  {
    "SslVerifyPeers": true,
    "SslTrustedClientCertificates": "trustedClientCertificates.pem"
  }

``SslTrustedClientCertificates`` shall contain the list of trusted
certificates, i.e. a single PEM file in which the certificates are
concatenated. This can be a list of individual self-signed client
certificates, or a list of trusted root CAs. In the latter case every
certificate issued by such a CA is accepted, so the CA must be one that
is private to your deployment, not a public CA.

Client side, this is configured via::

  {
    "OrthancPeers" : {
      "orthanc-b" : {
        "Url" : "https://localhost:8043",
        "CertificateFile" : "client-crt.pem",
        "CertificateKeyFile" : "client-key.pem",
        "CertificateKeyPassword": ""
      }
    }
  }

Note that the same kind of configuration is also available for the
:ref:`DICOMweb client <dicomweb-client>`.

An example of such a setup with instructions to generate the
certificates is available `here <https://bitbucket.org/osimis/orthanc-setup-samples/src/master/docker/tls-mutual-auth/>`__.
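
As an added example (not from the Orthanc book nor from the linked
setup sample), the following script produces the files the two
configuration fragments above refer to: a CA private to the
deployment, a client certificate issued by it, and the
``trustedClientCertificates.pem`` bundle. It then performs the same
check the server applies to a connecting client, validating the client
certificate against the trusted bundle, and its ``check`` mode
exercises the handshake with ``curl`` against a running Orthanc. The
directory ``/tmp/orthanc-mtls``, the CA and client names, the port
``8042`` and the presence of the server's own ``/tmp/certificate.crt``
from the self-signed example are the example's assumptions.

```shell
#!/bin/sh
# Added example (not part of the Orthanc book): private CA + client
# certificate for Orthanc's SslVerifyPeers / SslTrustedClientCertificates,
# with the checks that go with them. Usage:
#   sh make-orthanc-client-cert.sh generate /tmp/orthanc-mtls orthanc-a
#   sh make-orthanc-client-cert.sh check /tmp/orthanc-mtls
set -eu

# Return 0 if CERT chains to the bundle TRUSTED: the test Orthanc's built-in
# server applies to a connecting client once "SslVerifyPeers" is true.
client_cert_trusted() {
  trusted=$1
  cert=$2
  if openssl verify -CAfile "$trusted" "$cert" >/dev/null 2>&1; then
    return 0
  fi
  return 1
}

# Number of certificates in a PEM bundle (pure shell); useful to confirm that
# trustedClientCertificates.pem holds every CA or client certificate intended.
pem_cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Build the CA, the client key/certificate and the trusted bundle in DIR.
make_orthanc_client_cert() {
  dir=$1
  client=$2
  mkdir -p "$dir"
  chmod 700 "$dir"
  # 1. A CA that exists only for this deployment. Trusting a public CA here
  #    would accept every client holding any certificate issued by it.
  openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
    -subj "/CN=Orthanc private client CA" \
    -keyout "$dir/ca-key.pem" -out "$dir/ca-crt.pem" 2>/dev/null
  # 2. Client key and CSR, then a certificate signed by the CA. "-nodes"
  #    leaves the key unencrypted, matching CertificateKeyPassword = "".
  openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$client" \
    -keyout "$dir/client-key.pem" -out "$dir/client.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$dir/client.csr" \
    -CA "$dir/ca-crt.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
    -out "$dir/client-crt.pem" 2>/dev/null
  # 3. The bundle SslTrustedClientCertificates points to. With a CA in it,
  #    every certificate the CA signs is accepted; to trust individual
  #    self-signed client certificates instead, append them to this file.
  cp "$dir/ca-crt.pem" "$dir/trustedClientCertificates.pem"
  chmod 600 "$dir/ca-key.pem" "$dir/client-key.pem"
  rm -f "$dir/client.csr"
}

case "${1:-}" in
  generate)
    d=${2:-/tmp/orthanc-mtls}
    make_orthanc_client_cert "$d" "${3:-orthanc-a}"
    client_cert_trusted "$d/trustedClientCertificates.pem" "$d/client-crt.pem" \
      || { echo "client certificate would be rejected by the server" >&2; exit 1; }
    echo "trusted bundle holds $(pem_cert_count "$d/trustedClientCertificates.pem") certificate(s)"
    ;;
  check)
    d=${2:-/tmp/orthanc-mtls}
    # Against a running Orthanc with SslVerifyPeers = true, whose server
    # certificate is /tmp/certificate.crt (assumption): without a client
    # certificate the handshake must fail; with it, /system must answer.
    if curl --silent --show-error --cacert /tmp/certificate.crt https://localhost:8042/system; then
      echo "server accepted a connection without a client certificate" >&2
      exit 1
    fi
    curl --silent --show-error --cacert /tmp/certificate.crt \
      --cert "$d/client-crt.pem" --key "$d/client-key.pem" https://localhost:8042/system
    ;;
esac
```

Point ``SslTrustedClientCertificates`` at ``trustedClientCertificates.pem``
on the server and ``CertificateFile`` / ``CertificateKeyFile`` at the
``client-*.pem`` files on the peer; ``ca-key.pem`` is needed only to
issue further client certificates and belongs nowhere near either
Orthanc instance.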