Trouble setting up SSL on port 8443

GOKHAN DILEK

Feb 23, 2015, 3:36:40 AM
to dcm...@googlegroups.com
windows 7 64bit
dcm4chee-2.18.0-psql
postgresql 9.3
jdk 1.7

I am trying to allow SSL connections to my dcm4chee using the guide below:

1- http://www.dcm4che.org/confluence/display/ee2/Setting+up+DCM4CHEE+with+TLS++encryption

2- Also uncommented the code below under server/default/deploy/jboss-web.deployer/server.xml:

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
         maxThreads="150" scheme="https" secure="true"
         clientAuth="true" sslProtocol="TLS"
         ciphers="SSL_RSA_WITH_NULL_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
         keystoreFile="${jboss.server.home.dir}/conf/certificates/test_sys_1.p12"
         keystorePass="secret" keystoreType="PKCS12"
         truststoreFile="${jboss.server.home.dir}/conf/certificates/mesa_certs.jks"
         truststorePass="secret" truststoreType="JKS"
         SSLImplementation="org.dcm4chee.audit.tomcat.ATNAImplementation"
    />

And restarted the dcm4chee service.

Still no joy.

I have "Page cannot be displayed" on Firefox using port 8443 (port 8080 works without any issue; can login to jmx-console http://127.0.0.1:8080/dcm4chee-web3/).

Could you please let me know what may be causing this?

I cannot seem to find updated documentation regarding enabling SSL connections.

Thank you.

Alvaro [Andor]

Feb 23, 2015, 6:36:52 AM
to dcm...@googlegroups.com
The guide you're pointing to is only for allowing DICOM-TLS connections, nothing related to the web interface.
The code you uncommented is related to TLS access to the web interface, nothing related to DICOM.

Which one do you want to achieve?

GOKHAN DILEK

Feb 23, 2015, 8:00:25 AM
to dcm...@googlegroups.com

TLS access to the web interface.

For instance: https://127.0.0.1:8443

Thank you

Alvaro [Andor]

Feb 23, 2015, 8:05:28 AM
to dcm...@googlegroups.com
Then, rather than that, I would use nginx or pound in front of dcm4chee, to act as an SSL inverse proxy.

I wrote some instructions for using pound with a different service some time ago that you can use anyway:

http://pierdelacabeza.com/maruja/2012/10/protecting-airtime-web-admin-with-ssl/

And you can use these ones for nginx:

https://www.digitalocean.com/community/tutorials/how-to-configure-nginx-with-ssl-as-a-reverse-proxy-for-jenkins

fleetwoodfc

Feb 23, 2015, 8:26:12 AM
to dcm...@googlegroups.com
By default you should be able to access via https on port 8443. The main thing to notice is the setting
clientAuth="true"

What this means is that you will need to also install a certificate in the client browser to connect. Try setting
clientAuth="false"

GOKHAN DILEK

Feb 23, 2015, 10:24:21 AM
to dcm...@googlegroups.com
Thank you ! Much appreciated.

pmackinney

Aug 28, 2015, 12:58:10 PM
to dcm4che
On Monday, February 23, 2015 at 5:26:12 AM UTC-8, fleetwoodfc wrote:
> By default you should be able to access via https on port 8443. The main thing to notice is the setting
> clientAuth="true"
>
> What this means is that you will need to also install a certificate in the client browser to connect. Try setting
> clientAuth="false"

Suppose you wanted to use client authentication for 8443 web access. The default server.xml file specifies


    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
         maxThreads="150" scheme="https" secure="true"
         clientAuth="true" sslProtocol="TLS"
         ciphers="SSL_RSA_WITH_NULL_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
         keystoreFile="${jboss.server.home.dir}/conf/certificates/test_sys_1.p12"
         keystorePass="skelet0r" keystoreType="PKCS12"

         truststoreFile="${jboss.server.home.dir}/conf/certificates/mesa_certs.jks"
         truststorePass="secret" truststoreType="JKS"
         SSLImplementation="org.dcm4chee.audit.tomcat.ATNAImplementation"
    />

I've tried installing the test_sys_1.p12 in my browser, but the URL http://<my_dcm4chee_server>:8443/dcm4chee-web3/ just yields a 6-byte binary block. My production server is TLS-enabled for dicom transfer using real certs, but I'd like to have the website working with client-cert protection. TIA

fleetwoodfc

Aug 28, 2015, 2:43:44 PM
to dcm4che

Horcle Buzz

Oct 14, 2015, 6:37:17 PM
to dcm4che
Were you ever successful in getting this working out-of-the-box with the switch clientAuth = "false?"

I am having the same issue of not being able to connect from a browser. It's possible that port 8443 may be blocked at the router (I am still waiting for confirmation on this), but the port is telnetable from the actual host (just not from other hosts on the same WAN). Is there a way through the JMXConsole to check that the clientAuth attribute is indeed set to false even after editing it as such and restarting the service?

Thanks!

Greg-- 

Horcle Buzz

Oct 14, 2015, 10:19:13 PM
to dcm4che
I decided the path of least resistance was to create another ssh tunnel to port 8080 for access to the admin console. Worked like a charm and I will not need to deal with certificates or anything else.

Greg--

GOKHAN DILEK

Oct 17, 2015, 7:47:34 AM
to dcm4che
Setting client auth to false worked for me.
You could also generate the keys and replace it with the default ones.
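
A way to confirm what the 8443 connector in server.xml is actually configured to do after editing it, as an added example that is not part of the thread or of dcm4chee. The sample XML is constructed from the Connector posted above; `audit_connectors` and the finding labels are hypothetical names.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a minimal server.xml wrapping the Connector posted in this thread.
SAMPLE_SERVER_XML = """<Server><Service name="jboss.web">
  <Connector port="8080" protocol="HTTP/1.1" />
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
       maxThreads="150" scheme="https" secure="true"
       clientAuth="true" sslProtocol="TLS"
       ciphers="SSL_RSA_WITH_NULL_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
       keystoreFile="${jboss.server.home.dir}/conf/certificates/test_sys_1.p12"
       keystorePass="secret" keystoreType="PKCS12"
       truststoreFile="${jboss.server.home.dir}/conf/certificates/mesa_certs.jks"
       truststorePass="secret" truststoreType="JKS"
       SSLImplementation="org.dcm4chee.audit.tomcat.ATNAImplementation" />
</Service></Server>"""

# Store files the thread describes as the defaults in server.xml.
DEFAULT_STORES = {"test_sys_1.p12", "mesa_certs.jks"}


def audit_connectors(xml_text):
    """Return (port, finding) pairs for every TLS-enabled Connector."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector such as 8080
        port = conn.get("port", "?")
        # clientAuth="true": the handshake fails unless the browser presents a
        # certificate that chains to the truststore.
        if conn.get("clientAuth", "false").lower() == "true":
            findings.append((port, "client-cert-required"))
        # *_NULL_* suites authenticate the peer but send traffic unencrypted.
        for suite in conn.get("ciphers", "").split(","):
            if "_NULL_" in suite:
                findings.append((port, "null-cipher:" + suite.strip()))
        # Default key material should be replaced with generated keys.
        for attr in ("keystoreFile", "truststoreFile"):
            name = conn.get(attr, "").rsplit("/", 1)[-1]
            if name in DEFAULT_STORES:
                findings.append((port, "default-store:" + name))
    return findings


if __name__ == "__main__":
    for port, finding in audit_connectors(SAMPLE_SERVER_XML):
        print(port, finding)
```

To check a live install, pass the contents of the real server.xml to `audit_connectors` instead of the sample.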