changeset 512:be8b638f3f46

added mutual auth
author Alain Mazy <alain@mazy.be>
date Wed, 16 Sep 2020 11:46:11 +0200
parents 5b574520a34c
children f22b3743fd3f
files Sphinx/source/faq/https.rst Sphinx/source/faq/security.rst
diffstat 2 files changed, 43 insertions(+), 1 deletions(-)
--- a/Sphinx/source/faq/https.rst	Mon Sep 14 14:54:15 2020 +0200
+++ b/Sphinx/source/faq/https.rst	Wed Sep 16 11:46:11 2020 +0200
@@ -175,3 +175,42 @@
     "HttpPort" : 8042,
     [...]
   }
+
+
+Securing Orthanc with mutual TLS authentication
+...............................................
+        
+.. highlight:: bash
+               
+Once HTTPS is enabled, Orthanc can also be configured to accept incoming
+connections based on a certificate provided by the client.
+
+Server side, this is configured via::
+
+  {
+    "SslVerifyPeers": true,
+    "SslTrustedClientCertificates": "trustedClientCertificates.pem"
+  }
+
+``SslTrustedClientCertificates`` shall contain a list of certificates
+that are trusted.  This can be a list of individual self-signed certificates
+or this can contain a list of trusted root CAs.
+
+Client side, this is configured via::
+
+  {
+    "OrthancPeers" : {
+      "orthanc-b" : {
+        "Url" : "https://localhost:8043",
+        "CertificateFile" : "client-crt.pem",
+        "CertificateKeyFile" : "client-key.pem",
+        "CertificateKeyPassword": ""
+      }
+    }
+  }
+	  
+Note that the same kind of configuration is also available for 
+:ref:`DICOMweb client <dicomweb-client>`.
+
+An example of such a setup with instructions to generate the
+certificates is available `here <https://bitbucket.org/osimis/orthanc-setup-samples/src/master/docker/tls-mutual-auth/>`__ .
\ No newline at end of file
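Review bot: `.. highlight:: bash` at the top of the new section selects the wrong lexer for the two literal blocks that follow it, which are JSON configuration fragments; `.. highlight:: json` (or `.. code-block:: json` on each block) would render them correctly. The section also has no `.. _label:` of its own, so the `:ref:` added to security.rst in this changeset can only target the page-level `https` label; adding something like `.. _mutual-tls:` above the heading would let that link land here. On the server-side text, the sentence about `SslTrustedClientCertificates` should spell out the trust boundary: listing a root CA accepts every client certificate that CA has issued, whereas listing individual self-signed certificates pins exactly those peers, which is the tighter option when the set of peers is small and known. In the client-side example, `"CertificateKeyPassword": ""` deserves one sentence noting that an empty value means the private key in `client-key.pem` is stored unencrypted. Minor: the blank lines after the heading, after the highlight directive and after the client-side block carry trailing whitespace (one is a tab), `__ .` has a stray space before the period, and the file now ends without a newline.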
--- a/Sphinx/source/faq/security.rst	Mon Sep 14 14:54:15 2020 +0200
+++ b/Sphinx/source/faq/security.rst	Wed Sep 16 11:46:11 2020 +0200
@@ -72,7 +72,10 @@
 * If Orthanc is put on a server that can be contacted from Internet,
   put Orthanc behind a :ref:`reverse proxy <https>`, and let this
   reverse proxy take care of the HTTPS encryption.
-  
+
+* Enable :ref:`Client certificate authentication <https>` between multiple
+  Orthanc peers.
+
 * Setup rules that define, for each authorized user, which resources
   it can access, and through which HTTP method (GET, POST, DELETE
   and/or PUT). This can be done by defining a :ref:`filter written in
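Review bot: the new bullet's `:ref:`Client certificate authentication <https>`` reuses the page-level `https` label, so it sends the reader to the top of the HTTPS FAQ rather than to the mutual-TLS section this changeset adds; give that section its own label in https.rst and reference it here. The bullet could also say why this belongs in the security checklist: with `SslVerifyPeers` enabled, a peer that cannot present a certificate from the trusted list is rejected during the TLS handshake, before any HTTP-level credentials are evaluated, so the recommendation sits naturally alongside the reverse-proxy and per-user filtering items around it.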