Mercurial > hg > orthanc-book
comparison Sphinx/source/faq/dicom-tls.rst @ 609:0dde82745e0d
documentation of DICOM TLS
| author | Sebastien Jodogne <s.jodogne@gmail.com> |
|---|---|
| date | Fri, 29 Jan 2021 14:35:55 +0100 |
| parents | |
| children | 25e44dba9dba |
comparison
equal
deleted
inserted
replaced
| 608:a6d27fe89650 | 609:0dde82745e0d |
|---|---|
| 1 .. _dicom-tls: | |
| 2 | |
| 3 Configuring DICOM TLS | |
| 4 ===================== | |
| 5 | |
| 6 .. contents:: | |
| 7 :depth: 3 | |
| 8 | |
| 9 Starting with release 1.9.0, Orthanc supports the encryption of the | |
| 10 DICOM protocol using `DICOM TLS | |
| 11 <https://www.dicomstandard.org/using/security/>`__. This allows the | |
| 12 secure exchange of medical images between different sites, even if | |
| 13 using the DICOM protocol. | |
| 14 | |
| 15 Configuration | |
| 16 ------------- | |
| 17 | |
| 18 .. highlight:: bash | |
| 19 | |
| 20 To enable DICOM TLS, each DICOM modality must have been assigned with | |
| 21 a `X.509 certificate | |
| 22 <https://en.wikipedia.org/wiki/X.509>`__. Obtaining such a certificate | |
| 23 from a `recognized certification authority | |
| 24 <https://en.wikipedia.org/wiki/Certificate_authority>`__ is obviously | |
| 25 out of the scope of the Orthanc project. Here is a simple command-line | |
| 26 to generate a self-signed certificate using the `OpenSSL | |
| 27 <https://www.openssl.org/>`__ command-line tools:: | |
| 28 | |
| 29 $ openssl req -x509 -nodes -days 365 -newkey rsa:2048 \ | |
| 30 -keyout orthanc.key -out orthanc.crt -subj "/C=BE/CN=localhost" | |
| 31 | |
| 32 Obviously, you have adapt the arguments to your setup (notably the | |
| 33 ``subj`` argument that generates a certificate for Belgium for the | |
| 34 server whose DNS address is ``localhost``). This command line will | |
| 35 generate two files using the `PEM file format | |
| 36 <https://en.wikipedia.org/wiki/Privacy-Enhanced_Mail>`__: | |
| 37 ``orthanc.crt`` is the newly-generated certificate, and | |
| 38 ``orthanc.key`` contains the private key that protects the | |
| 39 certificate. The ``orthanc.crt`` can be openly distributed, but | |
| 40 ``orthanc.key`` must be kept secret (it should only be placed on the | |
| 41 modality using the corresponding certificate). | |
| 42 | |
| 43 Once ``orthanc.crt`` and ``orthanc.key`` have been generated, all the | |
| 44 modalities that will be in touch with Orthanc (either as SCP or as | |
| 45 SCU) through DICOM TLS must be identified, and their public | |
| 46 certificates must be collected. All those certificates must be | |
| 47 concatenated into a single file in order to tell Orthanc which | |
| 48 modalities can be trusted. | |
| 49 | |
| 50 Concretely, if one has collected ``a.crt``, ``b.crt`` and ``c.crt`` as | |
| 51 the certificates (in the PEM format) for trusted remote DICOM | |
| 52 modalities, a ``trusted.crt`` file can be generated as follows:: | |
| 53 | |
| 54 $ cat a.crt b.crt c.crt > trusted.crt | |
| 55 | |
| 56 Once the three files ``orthanc.crt``, ``orthanc.key`` and | |
| 57 ``trusted.crt`` are available, setting the following | |
| 58 :ref:`configuration options <configuration>` will enable DICOM TLS in | |
| 59 **Orthanc SCP**: | |
| 60 | |
| 61 * ``DicomTlsEnabled`` must be set to ``true``. | |
| 62 * ``DicomTlsCertificate`` must be set to ``orthanc.crt``. | |
| 63 * ``DicomTlsPrivateKey`` must be set to ``orthanc.key`` (note that | |
| 64 this private key must not be password-protected). | |
| 65 * ``DicomTlsTrustedCertificates`` must be set to ``trusted.crt``. | |
| 66 | |
| 67 If Orthanc acts as a **DICOM SCU** against one remote DICOM modality, | |
| 68 and if this remote modality is protected by DICOM TLS, the | |
| 69 ``UseDicomTls`` field must be set to ``true`` in the definition of the | |
| 70 modality in the configuration file of Orthanc (cf. the | |
| 71 ``DicomModalities`` option). The file indicated by | |
| 72 ``DicomTlsCertificate`` will be used to authentify Orthanc by the | |
| 73 remote modality: This modality must thus include ``orthanc.crt`` in | |
| 74 its list of trusted certificates. | |
| 75 | |
| 76 | |
| 77 **Remark 1:** Pay attention not to confuse the configuration options | |
| 78 related to HTTPS encryption, with the options related to DICOM TLS. | |
| 79 In Orthanc, HTTPS and DICOM TLS are not obliged to use the same | |
| 80 encryption certificates. | |
| 81 | |
| 82 **Remark 2:** Orthanc SCU and Orthanc SCP share the same set of | |
| 83 trusted certificates. | |
| 84 | |
| 85 | |
| 86 Example using DCMTK | |
| 87 ------------------- | |
| 88 | |
| 89 .. highlight:: bash | |
| 90 | |
| 91 Let us generate one certificate for Orthanc, and one certificate for | |
| 92 DCMTK:: | |
| 93 | |
| 94 $ openssl req -x509 -nodes -days 365 -newkey rsa:2048 \ | |
| 95 -keyout orthanc.key -out orthanc.crt -subj "/C=BE/CN=localhost" | |
| 96 $ openssl req -x509 -nodes -days 365 -newkey rsa:2048 \ | |
| 97 -keyout dcmtk.key -out dcmtk.crt -subj "/C=BE/CN=localhost" | |
| 98 | |
| 99 .. highlight:: json | |
| 100 | |
| 101 Let us start Orthanc using the following minimal configuration file:: | |
| 102 | |
| 103 { | |
| 104 "DicomTlsEnabled" : true, | |
| 105 "DicomTlsCertificate" : "orthanc.crt", | |
| 106 "DicomTlsPrivateKey" : "orthanc.key", | |
| 107 "DicomTlsTrustedCertificates" : "dcmtk.crt", | |
| 108 "DicomModalities" : { | |
| 109 "dmctk" : { | |
| 110 "Host" : "localhost", | |
| 111 "Port" : 4242, | |
| 112 "AET" : "DCMTK", | |
| 113 "UseDicomTls" : true | |
| 114 } | |
| 115 } | |
| 116 } | |
| 117 | |
| 118 .. highlight:: txt | |
| 119 | |
| 120 It is then possible to trigger a secure C-GET SCU request from DCMTK | |
| 121 to Orthanc as follows:: | |
| 122 | |
| 123 $ echoscu -v -aet DCMTK localhost 4242 +tls dcmtk.key dcmtk.crt +cf orthanc.crt | |
| 124 I: Requesting Association | |
| 125 I: Association Accepted (Max Send PDV: 16372) | |
| 126 I: Sending Echo Request (MsgID 1) | |
| 127 I: Received Echo Response (Success) | |
| 128 I: Releasing Association |