# HG changeset patch # User Alain Mazy # Date 1600249571 -7200 # Node ID be8b638f3f46a50fa1269d9ca593f013cb71ec71 # Parent 5b574520a34c39f156b1c23d1446627418e7a161 added mutual auth diff -r 5b574520a34c -r be8b638f3f46 Sphinx/source/faq/https.rst --- a/Sphinx/source/faq/https.rst Mon Sep 14 14:54:15 2020 +0200 +++ b/Sphinx/source/faq/https.rst Wed Sep 16 11:46:11 2020 +0200 @@ -175,3 +175,42 @@ "HttpPort" : 8042, [...] } + + +Securing Orthanc with mutual TLS authentication +............................................... + +.. highlight:: bash + +Once HTTPS is enabled, Orthanc can also be configured to accept incoming +connections based on a certificate provided by the client. + +Server side, this is configured via:: + + { + "SslVerifyPeers": true, + "SslTrustedClientCertificates": "trustedClientCertificates.pem" + } + +``SslTrustedClientCertificates`` shall contain a list of certificates +that are trusted. This can be a list of individual self-signed certificates +or this can contain a list of trusted root CAs. + +Client side, this is configured via:: + + { + "OrthancPeers" : { + "orthanc-b" : { + "Url" : "https://localhost:8043", + "CertificateFile" : "client-crt.pem", + "CertificateKeyFile" : "client-key.pem", + "CertificateKeyPassword": "" + } + } + } + +Note that the same kind of configuration is also available for +:ref:`DICOMweb client `. + +An example of such a setup with instructions to generate the +certificates is available `here `__ . \ No newline at end of file diff -r 5b574520a34c -r be8b638f3f46 Sphinx/source/faq/security.rst --- a/Sphinx/source/faq/security.rst Mon Sep 14 14:54:15 2020 +0200 +++ b/Sphinx/source/faq/security.rst Wed Sep 16 11:46:11 2020 +0200 
@@ -72,7 +72,10 @@ * If Orthanc is put on a server that can be contacted from Internet, put Orthanc behind a :ref:`reverse proxy `, and let this reverse proxy take care of the HTTPS encryption. - + +* Enable :ref:`Client certificate authentication ` between multiple + Orthanc peers. + * Setup rules that define, for each authorized user, which resources it can access, and through which HTTP method (GET, POST, DELETE and/or PUT). This can be done by defining a :ref:`filter written in
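Review bot: (https.rst hunk) the client-side example sets `"CertificateKeyPassword": ""` without saying what that implies; add a sentence that an empty password means `client-key.pem` is stored unencrypted, so the file must be readable only by the Orthanc process. The section should also state whether `"SslVerifyPeers": true` makes a client certificate mandatory for every HTTPS client of Orthanc (REST API, browser, DICOMweb) or only for peers, since it is introduced under peer authentication and readers will otherwise lock themselves out. Two smaller points: the `:ref:` to the DICOMweb client and the `here` link show no target in the hunk as displayed, so check that the label and URL are present, and the hunk ends with `\ No newline at end of file`, which should be fixed.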
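Review bot: (security.rst hunk) the new bullet is placed right after the advice to let a reverse proxy take care of the HTTPS encryption, but `SslVerifyPeers` can only verify a client certificate when Orthanc itself terminates TLS; with a terminating proxy the certificate never reaches Orthanc. Qualify the bullet, e.g. `* Enable :ref:\`Client certificate authentication\` between multiple Orthanc peers (when Orthanc handles HTTPS itself; otherwise verify client certificates at the reverse proxy).` The `:ref:` target also appears empty in the hunk as displayed, so confirm it points at the new label in https.rst.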