comparison Sphinx/source/faq/dicom-tls.rst @ 609:0dde82745e0d

documentation of DICOM TLS
author Sebastien Jodogne <s.jodogne@gmail.com>
date Fri, 29 Jan 2021 14:35:55 +0100
parents
children 25e44dba9dba
608:a6d27fe89650 609:0dde82745e0d
1 .. _dicom-tls:
2
3 Configuring DICOM TLS
4 =====================
5
6 .. contents::
7 :depth: 3
8
9 Starting with release 1.9.0, Orthanc supports the encryption of the
10 DICOM protocol using `DICOM TLS
11 <https://www.dicomstandard.org/using/security/>`__. This allows the
12 secure exchange of medical images between different sites, even if
13 using the DICOM protocol.
14
15 Configuration
16 -------------
17
18 .. highlight:: bash
19
20 To enable DICOM TLS, each DICOM modality must have been assigned with
21 a `X.509 certificate
22 <https://en.wikipedia.org/wiki/X.509>`__. Obtaining such a certificate
23 from a `recognized certification authority
24 <https://en.wikipedia.org/wiki/Certificate_authority>`__ is obviously
25 out of the scope of the Orthanc project. Here is a simple command-line
26 to generate a self-signed certificate using the `OpenSSL
27 <https://www.openssl.org/>`__ command-line tools::
28
29 $ openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
30 -keyout orthanc.key -out orthanc.crt -subj "/C=BE/CN=localhost"
31
32 Obviously, you have adapt the arguments to your setup (notably the
33 ``subj`` argument that generates a certificate for Belgium for the
34 server whose DNS address is ``localhost``). This command line will
35 generate two files using the `PEM file format
36 <https://en.wikipedia.org/wiki/Privacy-Enhanced_Mail>`__:
37 ``orthanc.crt`` is the newly-generated certificate, and
38 ``orthanc.key`` contains the private key that protects the
39 certificate. The ``orthanc.crt`` can be openly distributed, but
40 ``orthanc.key`` must be kept secret (it should only be placed on the
41 modality using the corresponding certificate).
42
43 Once ``orthanc.crt`` and ``orthanc.key`` have been generated, all the
44 modalities that will be in touch with Orthanc (either as SCP or as
45 SCU) through DICOM TLS must be identified, and their public
46 certificates must be collected. All those certificates must be
47 concatenated into a single file in order to tell Orthanc which
48 modalities can be trusted.
49
50 Concretely, if one has collected ``a.crt``, ``b.crt`` and ``c.crt`` as
51 the certificates (in the PEM format) for trusted remote DICOM
52 modalities, a ``trusted.crt`` file can be generated as follows::
53
54 $ cat a.crt b.crt c.crt > trusted.crt
55
56 Once the three files ``orthanc.crt``, ``orthanc.key`` and
57 ``trusted.crt`` are available, setting the following
58 :ref:`configuration options <configuration>` will enable DICOM TLS in
59 **Orthanc SCP**:
60
61 * ``DicomTlsEnabled`` must be set to ``true``.
62 * ``DicomTlsCertificate`` must be set to ``orthanc.crt``.
63 * ``DicomTlsPrivateKey`` must be set to ``orthanc.key`` (note that
64 this private key must not be password-protected).
65 * ``DicomTlsTrustedCertificates`` must be set to ``trusted.crt``.
66
67 If Orthanc acts as a **DICOM SCU** against one remote DICOM modality,
68 and if this remote modality is protected by DICOM TLS, the
69 ``UseDicomTls`` field must be set to ``true`` in the definition of the
70 modality in the configuration file of Orthanc (cf. the
71 ``DicomModalities`` option). The file indicated by
72 ``DicomTlsCertificate`` will be used to authentify Orthanc by the
73 remote modality: This modality must thus include ``orthanc.crt`` in
74 its list of trusted certificates.
75
76
77 **Remark 1:** Pay attention not to confuse the configuration options
78 related to HTTPS encryption, with the options related to DICOM TLS.
79 In Orthanc, HTTPS and DICOM TLS are not obliged to use the same
80 encryption certificates.
81
82 **Remark 2:** Orthanc SCU and Orthanc SCP share the same set of
83 trusted certificates.
84
85
86 Example using DCMTK
87 -------------------
88
89 .. highlight:: bash
90
91 Let us generate one certificate for Orthanc, and one certificate for
92 DCMTK::
93
94 $ openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
95 -keyout orthanc.key -out orthanc.crt -subj "/C=BE/CN=localhost"
96 $ openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
97 -keyout dcmtk.key -out dcmtk.crt -subj "/C=BE/CN=localhost"
98
99 .. highlight:: json
100
101 Let us start Orthanc using the following minimal configuration file::
102
103 {
104 "DicomTlsEnabled" : true,
105 "DicomTlsCertificate" : "orthanc.crt",
106 "DicomTlsPrivateKey" : "orthanc.key",
107 "DicomTlsTrustedCertificates" : "dcmtk.crt",
108 "DicomModalities" : {
109 "dmctk" : {
110 "Host" : "localhost",
111 "Port" : 4242,
112 "AET" : "DCMTK",
113 "UseDicomTls" : true
114 }
115 }
116 }
117
118 .. highlight:: txt
119
120 It is then possible to trigger a secure C-GET SCU request from DCMTK
121 to Orthanc as follows::
122
123 $ echoscu -v -aet DCMTK localhost 4242 +tls dcmtk.key dcmtk.crt +cf orthanc.crt
124 I: Requesting Association
125 I: Association Accepted (Max Send PDV: 16372)
126 I: Sending Echo Request (MsgID 1)
127 I: Received Echo Response (Success)
128 I: Releasing Association
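Review bot: the closing paragraph says the command triggers "a secure C-GET SCU request from DCMTK to Orthanc", but the command shown is `echoscu`, which performs a C-ECHO (the log even reads "Sending Echo Request"), so that sentence should say C-ECHO. In the same DCMTK example, the modality key `"dmctk"` looks like a typo for `"dcmtk"`, and that `DicomModalities` entry targets `localhost` port `4242`, the very address `echoscu` uses to reach Orthanc, while the example never exercises it (DCMTK is the SCU and Orthanc the SCP); either drop it from the "minimal configuration file" or say it is only there to illustrate `UseDicomTls`. Wording in the Configuration section: "assigned with a `X.509 certificate" should be "an X.509 certificate", "you have adapt the arguments" needs "have to adapt", and "authentify Orthanc" should be "authenticate Orthanc". It would also help to tie the `-nodes` flag in the `openssl req` command to the later requirement that `DicomTlsPrivateKey` "must not be password-protected", and, since `trusted.crt` is built by concatenating the peers' own self-signed certificates, to say what goes into `DicomTlsTrustedCertificates` when the certificates are instead issued by a CA, as the text only covers the self-signed case.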