dcm4chee + OsiriX + TLS = No joy?


Suresh Viswanathan

Mar 7, 2013, 2:56:18 PM
to dcm...@googlegroups.com
Has anyone been successful in getting dcm4chee and OsiriX to communicate using TLS? My team's been trying to get this working for the last few days, but it looks like there is an incompatibility between certificates generated by Keychain on the Mac and using them with Java, and vice versa.

Suresh

Damien Evans

Mar 7, 2013, 5:04:09 PM
to dcm...@googlegroups.com
I have had success with this, but I don't remember how I did it. You're right though, it was not intuitive or easy. The only thing I remember was that Google was heavily involved. ;) I'll see if I have notes anywhere.





Suresh Viswanathan

Mar 7, 2013, 5:16:49 PM
to dcm...@googlegroups.com
Thanks Damien. Any help is much appreciated.

Suresh 

Vinicius Vollrath

Mar 8, 2013, 11:00:40 AM
to dcm...@googlegroups.com
I'm interested in this issue.

--
Vinicius Vollrath

nicolas...@gmail.com

Mar 8, 2013, 12:46:02 PM
to dcm...@googlegroups.com
I think it is because OsiriX doesn't support the SSL3 protocol (only TLS).

pmackinney

Mar 20, 2013, 3:36:48 PM
to dcm...@googlegroups.com
I did get this working following this link: http://www.dcm4che.org/confluence/display/ee2/Setting+up+DCM4CHEE+with+TLS++encryption

From my notes:

1. Finally got dcm4chee running with TLS. The trick missing from the page "Setting up DCM4CHEE with TLS encryption" is to include the -keystorepw and -truststorepw arguments in the final test command.

2. Also discovered that you can use a PKCS12 cert (.p12) in place of a keystore, and you can use the Java keytool to import one into a keystore by using a command like this:

   keytool -importkeystore -srckeystore ondtls.p12 \
     -srcstoretype PKCS12 -alias 1 -destkeystore \
     dcm4chee/server/default/conf/certificates/trust.jks

3. I recommend using a Sun Java 6 keytool.

HTH, Paul

sathees kumar

Mar 22, 2013, 1:37:06 AM
to dcm...@googlegroups.com
I am not getting it working. Have you successfully established a TLS connection between Osirix and DCM4CHEE?
I exported the certificates from the Mac Keychain as PKCS12 (*.p12) and tried to import them into the keystore. I got the following error.

keytool -importkeystore -srckeystore Certificates.p12 -srcstoretype PKCS12 -alias 1 -destkeystore server/default/conf/certificates/trust.jks
Error:
keytool error: java.lang.Exception: Alias <1> does not exist

What am I doing wrong?

pmackinney

Mar 22, 2013, 7:47:34 PM
to dcm...@googlegroups.com
Try without the -alias argument, or use -list to see if the alias should be different.

sathees kumar

Mar 23, 2013, 5:26:56 AM
to dcm...@googlegroups.com

I tried without the alias and imported the certificate, but I am still not getting it working.

Steps:

  * I created the certificate in Keychain as described by Osirix and enabled TLS in Osirix.
    Ref: http://www.osirix-viewer.com/Documentation/Guides/Security/index.html (Creating a Self-Signed Certificate, OsiriX TLS DICOM Listener Setup)

  * TLS connection works fine between Osirix.

  * Exported the certificate from Keychain as Certificates.p12.

  * Imported the certificate into trust.jks, which is already available, without an alias as you said.

   keytool -importkeystore -srckeystore Certificates.p12 -srcstoretype PKCS12 -destkeystore server/default/conf/certificates/trust.jks

  * I used Certificates.p12 as keystore and trust.jks as truststore, with -keystorepw and -truststorepw secret, which I used while creating the certificate in Keychain and importing the certificate to trust.jks.

  * Finally I executed DCMECHO:

./dcmecho OxirixPacs@192.168.1.188:1113  -acceptTO 60000 -tls 3DES -truststore resource:tls/trust.jks -keystore resource:tls/Certificates.p12 -truststorepw secret -keystorepw secret

Error:
Initialize TLS context in 0.202s
13:38:51,102 INFO   - Association(1) initiated 12940b3[SSL_NULL_WITH_NULL_NULL: Socket[addr=/192.168.1.188,port=1113,localport=45168]]
13:38:51,104 INFO   - OxirixPacs(1): A-ASSOCIATE-RQ OxirixPacs << DCMECHO
13:39:51,345 INFO   - OxirixPacs(1): close 12940b3[SSL_NULL_WITH_NULL_NULL: Socket[addr=OxirixPacs-mac.local/192.168.1.188,port=1113,localport=45168]]
ERROR: Failed to establish association:Read timed out

  * I was able to echo Osirix without TLS.

  * TLS works fine between DCM4CHEE.

  - What am I doing wrong?

sathees kumar

Mar 26, 2013, 7:21:42 AM

Finally it works; -tls1 (disable the use of SSLv3 and SSLv2 for TLS connections) should be added as an argument.

 
./dcmecho OsirixPacs@192.168.1.188:1113  -acceptTO 60000 -tls 3DES -truststore resource:tls/trust.jks -keystore resource:tls/Certificates.p12 -truststorepw secret -keystorepw secret -tls1
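
An added example (not from the posts above and not dcm4che project code) for the alias and import steps in this thread: `-importkeystore` copies every entry of the .p12 into trust.jks, private key included, so this script parses `keytool -list` output to show which aliases exist and which carry a private key, and imports only the certificate. The sample listing, the alias names and the function names are constructed for illustration; the parser assumes the English non-verbose listing format.

```sh
#!/bin/sh
# Added example. Assumes the English, non-verbose `keytool -list` format:
#   alias, Mon D, YYYY, EntryType,

# Constructed sample: a truststore listing after a whole .p12 was merged with
# -importkeystore. Alias names and fingerprints are placeholders.
sample_listing() {
cat <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

osirix tls listener, Mar 23, 2013, PrivateKeyEntry,
Certificate fingerprint (MD5): <placeholder>
dcm4chee, Mar 20, 2013, trustedCertEntry,
Certificate fingerprint (MD5): <placeholder>
EOF
}

# Read a keytool listing on stdin; print "EntryType<TAB>alias" per entry.
# These are the alias names the store actually contains.
list_entries() {
    awk '/(PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),[ ]*$/ {
        sub(/,[ ]*$/, "")
        n = split($0, f, ", ")
        alias = f[1]                       # alias may itself contain ", "
        for (i = 2; i <= n - 3; i++) alias = alias ", " f[i]
        print f[n] "\t" alias
    }'
}

# Aliases that carry a private key. For a truststore this should print
# nothing: it only needs the peer's public certificate.
private_key_aliases() {
    list_entries | awk -F'\t' '$1 == "PrivateKeyEntry" { print $2 }'
}

# Copy only the certificate (no key) for alias $2 from PKCS12 file $1 into
# truststore $3. keytool prompts for the store passwords.
import_cert_only() {
    tmp=$(mktemp) || return 1
    keytool -exportcert -rfc -alias "$2" -keystore "$1" -storetype PKCS12 -file "$tmp" &&
        keytool -importcert -noprompt -alias "$2" -file "$tmp" -keystore "$3"
    rc=$?; rm -f "$tmp"; return "$rc"
}

# Real use: keytool -list -keystore trust.jks | private_key_aliases
sample_listing | private_key_aliases    # prints the one alias holding a key
```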

Nivaldo Bueno

Sep 16, 2013, 8:49:17 PM
to dcm...@googlegroups.com
I successfully configured dcm4chee with OsiriX and TLS, but I have a new problem.

I have two servers, one of them is cloud based, with TLS up and running.

How do I send from the internal PACS using TLS? But it should only apply when sending to the cloud, since I use it internally and I cannot activate TLS because the modalities do not have TLS support.

Thanks in advance

sathees kumar

Sep 17, 2013, 1:40:36 AM
to dcm...@googlegroups.com


You need a router between the modality and the PACS. The modality should send the images to the router (use dcmrcv to receive), then send the studies to the server through TLS using dcmsnd.







--
sathees


Horcle Buzz

Oct 6, 2015, 8:25:41 PM
to dcm4che
I believe I have a similar situation sending from a hospital PACS (Philips iSite) to our departmental university PACS (dcm4chee) through a firewall. I have OsiriX communicating just fine with our departmental university PACS over TLS, but so far I have been unable to get the hospital people to configure the hospital PACS to use TLS for the connection and to get me a public certificate. Would setting up dcmrcv be the bridge I need to do this using dcmsnd to send via TLS?

Mahalo!

Greg--

-- 
Greg M. Silverman
Senior Developer Analyst
University of Minnesota

fleetwoodfc

Oct 7, 2015, 7:40:46 AM
to dcm4che
The 'bridge' solution was because the modality did not support TLS where your devices already do. I would think a VPN would be the best way to go. 

Greg Silverman

Oct 7, 2015, 11:28:57 AM
to dcm...@googlegroups.com
Thanks, I may end up resorting to this.

Greg--


Horcle Buzz

Oct 8, 2015, 6:51:28 PM
to dcm4che
Can't do it, since we have firewall rules at the router to only allow certain IP addresses access to our PACS. Plus, encryption is only guaranteed up to the VPN server (beyond that, there is clear text being sent who knows where after it leaves the VPN server and hits the destination route).  

I started looking into use of dcmrcv and dcmsnd. So far it appears to be a viable solution, especially since the volume of images being transferred is not that high.

Greg--

fleetwoodfc

Oct 9, 2015, 6:35:57 AM
to dcm4che
An ssh tunnel might be easier.

Greg Silverman

Oct 9, 2015, 9:46:26 AM
to dcm...@googlegroups.com
Interesting suggestion. I just looked at this describing the procedure: http://forums.dcm4che.org/jiveforums/thread.jspa?threadID=2098 (see posting by pts2 on Dec 9, 2009 6:22 AM). I'll give this a whirl (much better than having to deal with individual certificates for each client).

Thanks!

Greg--





Greg Silverman

Oct 9, 2015, 11:55:02 AM
to dcm...@googlegroups.com
Kewl! Works like a charm... now, as the last post in the thread I posted states: Just need to figure out how to automate creating the tunnels on start up.

Mahalo nui loa!

Greg--