orthanc-book changeset 512:be8b638f3f46
added mutual auth
| author | Alain Mazy <alain@mazy.be> |
|---|---|
| date | Wed, 16 Sep 2020 11:46:11 +0200 |
| parents | 5b574520a34c |
| children | f22b3743fd3f |
| files | Sphinx/source/faq/https.rst, Sphinx/source/faq/security.rst |
| diffstat | 2 files changed, 43 insertions(+), 1 deletions(-) |
--- a/Sphinx/source/faq/https.rst Mon Sep 14 14:54:15 2020 +0200 +++ b/Sphinx/source/faq/https.rst Wed Sep 16 11:46:11 2020 +0200 @@ -175,3 +175,42 @@ "HttpPort" : 8042, [...] } + + +Securing Orthanc with mutual TLS authentication +............................................... + +.. highlight:: bash + +Once HTTPS is enabled, Orthanc can also be configured to accept incoming +connections based on a certificate provided by the client. + +Server side, this is configured via:: + + { + "SslVerifyPeers": true, + "SslTrustedClientCertificates": "trustedClientCertificates.pem" + } + +``SslTrustedClientCertificates`` shall contain a list of certificates +that are trusted. This can be a list of individual self-signed certificates +or this can contain a list of trusted root CAs. + +Client side, this is configured via:: + + { + "OrthancPeers" : { + "orthanc-b" : { + "Url" : "https://localhost:8043", + "CertificateFile" : "client-crt.pem", + "CertificateKeyFile" : "client-key.pem", + "CertificateKeyPassword": "" + } + } + } + +Note that the same kind of configuration is also available for +:ref:`DICOMweb client <dicomweb-client>`. + +An example of such a setup with instructions to generate the +certificates is available `here <https://bitbucket.org/osimis/orthanc-setup-samples/src/master/docker/tls-mutual-auth/>`__ . \ No newline at end of file
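Review bot: The server-side paragraph ("Orthanc can also be configured to accept incoming connections based on a certificate provided by the client") does not say that `"SslVerifyPeers": true` applies to every incoming HTTPS connection, not only to connections from other Orthanc peers; a reader who enables it following this section will then find that browsers and any other client without a trusted certificate are refused, so state that explicitly next to the server-side snippet. Two smaller points in the same hunk: the sentence "or this can contain a list of trusted root CAs" should warn that listing a CA in `SslTrustedClientCertificates` trusts every certificate that CA has issued, so it must be a private CA dedicated to these peers rather than a public root; and the file now ends without a trailing newline (`\ No newline at end of file`), which should be restored.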
--- a/Sphinx/source/faq/security.rst Mon Sep 14 14:54:15 2020 +0200 +++ b/Sphinx/source/faq/security.rst Wed Sep 16 11:46:11 2020 +0200 @@ -72,7 +72,10 @@ * If Orthanc is put on a server that can be contacted from Internet, put Orthanc behind a :ref:`reverse proxy <https>`, and let this reverse proxy take care of the HTTPS encryption. - + +* Enable :ref:`Client certificate authentication <https>` between multiple + Orthanc peers. + * Setup rules that define, for each authorized user, which resources it can access, and through which HTTP method (GET, POST, DELETE and/or PUT). This can be done by defining a :ref:`filter written in
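Review bot: The new bullet links to :ref:`Client certificate authentication <https>`, which is the label of the whole HTTPS page, so the reader lands at the top of that page rather than on the new "Securing Orthanc with mutual TLS authentication" section; add a label (for example `.. _https-mutual-auth:`) above that heading in https.rst and reference it here instead. The bullet text "between multiple Orthanc peers" also undersells the setting: per the https.rst text in the same changeset, it makes the server accept incoming connections only from clients presenting a trusted certificate, which is the property a hardening checklist should name.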