Configuration for TLS in dcm4chee-arc-light


Lotte Heckmann

Jan 16, 2019, 11:14:13 AM
to dcm4che
Dear all,

I am trying to enable DICOM TLS for my dcm4chee-arc-light PACS, i.e. to be able to connect to the PACS server using dcm4che-5.x with a command like

storescu -c DCM4CHEE@localhost:2762 --tls etc.

I'm trying to achieve that by following the wiki page TLS Handshake Tests as well as partly following these instructions. Unfortunately, I'm very new to the general concepts of TLS (and servers in general...), so especially the part about creating the keystores and truststores is confusing to me. Can someone elaborate on this? In the wiki page, for example, I don't know which certificates to use for creating the server-side and client-side truststores. Can someone provide an example or further explanation for the use of TLS with the dcm4chee-arc-light PACS and the dcm4che-5 library?

Thank you and best regards,
Lotte

Lotte Heckmann

Jan 17, 2019, 5:37:16 AM
to dcm...@googlegroups.com
What I've tried so far:

  • Keystores for server and client
    • keytool -genkey -keyalg RSA -dname "CN=node1.yourorg.org OU=development O=dcm4che L=Vienna C=AT" --keystore server_keystore.jks -alias node1
    • Password keystore1
    • keytool -genkey -keyalg RSA -dname "CN=node1.yourorg.org OU=development O=dcm4che L=Vienna C=AT" --keystore client_keystore.jks -alias test_client
    • Password keystoreclient
  • Truststore containing the client's certificate
    • keytool -export -file test_client.cert -keystore client_keystore.jks -alias test_client
    • keytool -import -file test_client.cert -keystore server_trust.jks -alias test_client (Password servertrust)
  • Truststore containing the server's certificate
    • keytool -export -file server.cert -keystore server_keystore.jks -alias node1
    • keytool -import -file server.cert -keystore client_trust.jks -alias node1 (Password clienttrust)
  • LDAP configuration for TLS Handshake Tests according to https://github.com/dcm4che/dcm4chee-arc-light/wiki/TLS-Handshake-Tests
    • Place server_keystore.jks in $WILDFLY_HOME/standalone/configuration/dcm4chee-arc/server_keystore.jks
    • Using Apache Directory Studio, in dn: dicomDeviceName=dcm4chee-arc,cn=Devices,cn=DICOM Configuration,dc=dcm4che,dc=org:
      • dcmKeyStoreURL: ${jboss.server.config.url}/dcm4chee-arc/server_keystore.jks
      • dcmKeystorePin: keystore1
      • Modify userCertificate so that it points to server.cert
    • In the dcm4chee-arc-light web configuration: dicomDeviceName=navegatium,cn=Devices,cn=DICOM Configuration,dc=dcm4che,dc=org as Authorized Node Certificate Reference
    • In the navegatium device, add objectClass: pkiUser and attribute userCertificate;binary: test_client.cert
    • Modify $WILDFLY_HOME/standalone/configuration/application-roles.properties:
        CN\=client,\ OU\=<authentication>,\ O\=JBoss,\ ST\=UP,\ C\=IN=JBossAdmin
        admin=JBossAdmin
    • Adjust dcm4chee-arc.xml:
        <security-realm name="UndertowRealm">
            <server-identities>
                <ssl>
                    <keystore path="dcm4chee-arc\server_keystore.jks" relative-to="jboss.server.config.dir" keystore-password="keystore1" alias="node1" key-password="keystore1"/>
                </ssl>
            </server-identities>
            <authentication>
                <truststore path="dcm4chee-arc\server_trust.jks" relative-to="jboss.server.config.dir" keystore-password="servertrust"/>
                <local default-user="$local" skip-group-loading="true"/>
                <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
            </authentication>
        </security-realm>
    • Added server_trust.jks to $WILDFLY_HOME/standalone/configuration/dcm4chee-arc/
    • Added the security domain:
        <security-domain name="client_cert_domain" cache-type="default">
            <authentication>
                <login-module code="CertificateRoles" flag="required">
                    <module-option name="verifier" value="org.jboss.security.auth.certs.AnyCertVerifier"/>
                    <module-option name="securityDomain" value="client_cert_domain"/>
                    <module-option name="rolesProperties" value="file:${jboss.server.config.dir}/application-roles.properties"/>
                </login-module>
            </authentication>
            <jsse keystore-password="keystore1" keystore-url="file:${jboss.server.config.dir}/dcm4chee-arc/server_keystore.jks" truststore-password="clienttrust" truststore-url="file:${jboss.server.config.dir}/dcm4chee-arc/client_trust.jks" cipher-suites="TLS_RSA_WITH_AES_128_CBC_SHA" client-auth="true" protocols="SSLv3, TLSv1"/>
        </security-domain>
    • Added client_trust.jks to $WILDFLY_HOME/standalone/configuration/dcm4chee-arc/
    • Undertow subsystem:
        <subsystem xmlns="urn:jboss:domain:undertow:3.0">
            <buffer-cache name="default"/>
            <server name="default-server">
                <http-listener name="default" max-post-size="100000000" socket-binding="http"/>
                <https-listener name="https" max-post-size="100000000" verify-client="REQUIRED" security-realm="UndertowRealm" socket-binding="https"/>
      The complete dcm4chee-arc.xml is attached.
WildFly can be deployed without errors.
The next thing I do is establish a normal connection to my PACS: storescu -c DCM4CHEE@localhost:5432 -> works

Now I want to try out TLS:
storescu -c DCM4CHEE@localhost:8443 --tls --trust-store C:\Users\Testlab\client_trust.jks --trust-store-pass clienttrust --key-store C:\Users\Testlab\client_keystore.jks --key-store-pass keystoreclient 

which yields the following output.
Can someone help me out with this error message? Is there something wrong with my configuration or the way I try to test the TLS connection?

Many thanks,
Lotte

 
storescu -c DCM4CHEE@localhost:8443 --tls --trust-store C:\Users\Testlab\client_trust.jks --trust-store-pass clienttrust --key-store C:\Users\Testlab\client_keystore.jks --key-store-pass keystoreclient 
***
found key for : test_client
chain [0] = [
[
  Version: V3
  Subject: CN="test_client.yourorg.org OU=development O=dcm4che L=Vienna C=AT"
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
  Key:  Sun RSA public key, 2048 bits
  public exponent: 65537
  Validity: [From: Thu Jan 17 10:30:52 CET 2019,
               To: Wed Apr 17 11:30:52 CEST 2019]
  Issuer: CN="test_client.yourorg.org OU=development O=dcm4che L=Vienna C=AT"
  SerialNumber: [    183f44f9]
]
]
***
adding as trusted cert:
  Subject: CN="node1.yourorg.org OU=development O=dcm4che L=Vienna C=AT"
  Issuer:  CN="node1.yourorg.org OU=development O=dcm4che L=Vienna C=AT"
  Algorithm: RSA; Serial number: 0x7e761de4
  Valid from Thu Jan 17 10:30:36 CET 2019 until Wed Apr 17 11:30:36 CEST 2019
11:28:43,456 INFO  - Initiate connection from localhost/127.0.0.1:0 to localhost:8443
Ignoring disabled cipher suite: SSL_RSA_WITH_DES_CBC_SHA
Ignoring disabled cipher suite: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
Ignoring disabled cipher suite: TLS_KRB5_WITH_DES_CBC_MD5
Ignoring disabled cipher suite: SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
Ignoring disabled cipher suite: SSL_DH_anon_WITH_DES_CBC_SHA
Ignoring disabled cipher suite: TLS_KRB5_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_KRB5_WITH_DES_CBC_SHA
Ignoring disabled cipher suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
Ignoring disabled cipher suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
Ignoring disabled cipher suite: SSL_DHE_RSA_WITH_DES_CBC_SHA
Ignoring disabled cipher suite: TLS_KRB5_WITH_3DES_EDE_CBC_MD5
Ignoring disabled cipher suite: SSL_DH_anon_WITH_RC4_128_MD5
Ignoring disabled cipher suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_anon_WITH_RC4_128_SHA
Ignoring disabled cipher suite: SSL_DHE_DSS_WITH_DES_CBC_SHA
Ignoring disabled cipher suite: TLS_KRB5_EXPORT_WITH_RC4_40_SHA
Ignoring disabled cipher suite: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
Ignoring disabled cipher suite: TLS_KRB5_WITH_RC4_128_SHA
Ignoring disabled cipher suite: SSL_RSA_EXPORT_WITH_RC4_40_MD5
Ignoring disabled cipher suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
Ignoring disabled cipher suite: TLS_KRB5_EXPORT_WITH_RC4_40_MD5
Ignoring disabled cipher suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
Ignoring disabled cipher suite: TLS_KRB5_WITH_RC4_128_MD5
Ignoring disabled cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_RSA_WITH_RC4_128_SHA
Ignoring disabled cipher suite: TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_RSA_WITH_RC4_128_SHA
Ignoring disabled cipher suite: SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
Ignoring disabled cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA
Ignoring disabled cipher suite: SSL_RSA_WITH_RC4_128_MD5
Ignoring disabled cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
trigger seeding of SecureRandom
done seeding SecureRandom
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% No cached client session
update handshake state: client_hello[1]
upcoming handshake states: server_hello[2]
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1547720667 bytes = { 15, 175, 58, 194, 135, 78, 163, 101, 19, 78, 203, 54, 216, 194, 243, 193, 46, 63, 253, 254, 230, 10, 161, 178, 48, 140, 26, 99 }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_NULL_SHA, TLS_RSA_WITH_AES_128_CBC_SHA]
Compression Methods:  { 0 }
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension extended_master_secret
Extension renegotiation_info, renegotiated_connection: <empty>
***
main, WRITE: TLSv1.2 Handshake, length = 84
main, READ: TLSv1.2 Handshake, length = 1017
check handshake state: server_hello[2]
*** ServerHello, TLSv1.2
RandomCookie:  GMT: 1547720667 bytes = { 221, 34, 192, 18, 47, 37, 215, 107, 64, 231, 169, 66, 171, 190, 201, 65, 69, 10, 0, 90, 119, 235, 134, 7, 220, 215, 23, 102 }
Session ID:  {92, 64, 88, 219, 51, 92, 182, 164, 131, 140, 8, 205, 194, 176, 161, 7, 139, 163, 85, 132, 111, 164, 116, 58, 119, 239, 172, 43, 98, 253, 21, 162}
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
Extension extended_master_secret
***
%% Initialized:  [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA]
** TLS_RSA_WITH_AES_128_CBC_SHA
update handshake state: server_hello[2]
upcoming handshake states: server certificate[11]
upcoming handshake states: certificate_request[13](optional)
upcoming handshake states: server_hello_done[14]
upcoming handshake states: client certificate[11](optional)
upcoming handshake states: client_key_exchange[16]
upcoming handshake states: certificate_verify[15](optional)
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
check handshake state: certificate[11]
update handshake state: certificate[11]
upcoming handshake states: certificate_request[13](optional)
upcoming handshake states: server_hello_done[14]
upcoming handshake states: client certificate[11](optional)
upcoming handshake states: client_key_exchange[16]
upcoming handshake states: certificate_verify[15](optional)
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN="node1.yourorg.org OU=development O=dcm4che L=Vienna C=AT"
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
  Key:  Sun RSA public key, 2048 bits
  public exponent: 65537
  Validity: [From: Thu Jan 17 10:30:36 CET 2019,
               To: Wed Apr 17 11:30:36 CEST 2019]
  Issuer: CN="node1.yourorg.org OU=development O=dcm4che L=Vienna C=AT"
  SerialNumber: [    7e761de4]
]
]
***
Found trusted certificate:
[
[
  Version: V3
  Subject: CN="node1.yourorg.org OU=development O=dcm4che L=Vienna C=AT"
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
  Key:  Sun RSA public key, 2048 bits
  public exponent: 65537
  Validity: [From: Thu Jan 17 10:30:36 CET 2019,
               To: Wed Apr 17 11:30:36 CEST 2019]
  Issuer: CN="node1.yourorg.org OU=development O=dcm4che L=Vienna C=AT"
  SerialNumber: [    7e761de4]
]
]
check handshake state: unknown[13]
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Cert Authorities:
<CN="test_client.yourorg.org OU=development O=dcm4che L=Vienna C=AT">
update handshake state: unknown[13]
upcoming handshake states: server_hello_done[14]
upcoming handshake states: client certificate[11](optional)
upcoming handshake states: client_key_exchange[16]
upcoming handshake states: certificate_verify[15](optional)
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
check handshake state: server_hello_done[14]
update handshake state: server_hello_done[14]
upcoming handshake states: client certificate[11](optional)
upcoming handshake states: client_key_exchange[16]
upcoming handshake states: certificate_verify[15](optional)
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
*** ServerHelloDone
matching alias: test_client
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN="test_client.yourorg.org OU=development O=dcm4che L=Vienna C=AT"
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
  Key:  Sun RSA public key, 2048 bits
  public exponent: 65537
  Validity: [From: Thu Jan 17 10:30:52 CET 2019,
               To: Wed Apr 17 11:30:52 CEST 2019]
  Issuer: CN="test_client.yourorg.org OU=development O=dcm4che L=Vienna C=AT"
  SerialNumber: [    183f44f9]
]
]
***
update handshake state: certificate[11]
upcoming handshake states: client_key_exchange[16]
upcoming handshake states: certificate_verify[15](optional)
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1.2
update handshake state: client_key_exchange[16]
upcoming handshake states: certificate_verify[15](optional)
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
main, WRITE: TLSv1.2 Handshake, length = 1093
SESSION KEYGEN:
... no IV derived for this protocol
*** CertificateVerify
Signature Algorithm SHA512withRSA
update handshake state: certificate_verify[15]
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
main, WRITE: TLSv1.2 Handshake, length = 264
update handshake state: change_cipher_spec
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
*** Finished
verify_data:  { 57, 145, 96, 4, 214, 72, 21, 148, 151, 235, 35, 67 }
***
update handshake state: finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
main, WRITE: TLSv1.2 Handshake, length = 64
main, READ: TLSv1.2 Change Cipher Spec, length = 1
update handshake state: change_cipher_spec
upcoming handshake states: server finished[20]
main, READ: TLSv1.2 Handshake, length = 64
check handshake state: finished[20]
update handshake state: finished[20]
*** Finished
verify_data:  { 24, 144, 157, 177, 93, 84, 135, 160, 198, 142, 4, 137 }
***
%% Cached client session: [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA]
11:28:44,330 INFO  - Established connection 100d6b1[TLS_RSA_WITH_AES_128_CBC_SHA: Socket[addr=localhost/127.0.0.1,port=8443,localport=61460]]
11:28:44,346 DEBUG - /127.0.0.1:61460->localhost/127.0.0.1:8443(1): enter state: Sta4 - Awaiting transport connection opening to complete
11:28:44,346 INFO  - NAVEGATIUM->DCM4CHEE(1) << A-ASSOCIATE-RQ
11:28:44,362 DEBUG - A-ASSOCIATE-RQ[
  calledAET: DCM4CHEE
  callingAET: NAVEGATIUM
  applicationContext: 1.2.840.10008.3.1.1.1 - DICOM Application Context Name
  implClassUID: 1.2.40.0.13.1.3
  implVersionName: dcm4che-5.15.1
  maxPDULength: 16378
  maxOpsInvoked/maxOpsPerformed: 0/0
  PresentationContext[id: 1
    as: 1.2.840.10008.1.1 - Verification SOP Class
    ts: 1.2.840.10008.1.2 - Implicit VR Little Endian
  ]
]
11:28:44,362 DEBUG - NAVEGATIUM->DCM4CHEE(1): enter state: Sta5 - Awaiting A-ASSOCIATE-AC or A-ASSOCIATE-RJ PDU
main, WRITE: TLSv1.2 Application Data, length = 256
pool-1-thread-1, READ: TLSv1.2 Application Data, length = 112
11:28:44,362 WARN  - NAVEGATIUM->DCM4CHEE(1): unrecognized PDU[type=72, len=1414541105]
11:28:44,362 INFO  - NAVEGATIUM->DCM4CHEE(1) << {}
A-ABORT[source: 2 - service-provider, reason: 1 - unrecognized-PDU]
        at org.dcm4che3.net.PDUDecoder.abort(PDUDecoder.java:234)
        at org.dcm4che3.net.PDUDecoder.nextPDU(PDUDecoder.java:199)
        at org.dcm4che3.net.Association$2.run(Association.java:520)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
pool-1-thread-1, WRITE: TLSv1.2 Application Data, length = 48
11:28:44,362 DEBUG - NAVEGATIUM->DCM4CHEE(1): enter state: Sta13 - Awaiting Transport Connection Close Indication
main, called close()
main, called closeInternal(true)
main, SEND TLSv1.2 ALERT:  warning, description = close_notify
main, WRITE: TLSv1.2 Alert, length = 48
main, Exception sending alert: java.net.SocketException: Software caused connection abort: socket write error
main, called closeSocket(true)
storescu: A-ABORT[source: 2 - service-provider, reason: 1 - unrecognized-PDU]
A-ABORT[source: 2 - service-provider, reason: 1 - unrecognized-PDU]
        at org.dcm4che3.net.PDUDecoder.abort(PDUDecoder.java:234)
        at org.dcm4che3.net.PDUDecoder.nextPDU(PDUDecoder.java:199)
        at org.dcm4che3.net.Association$2.run(Association.java:520)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
dcm4chee-arc.xml
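As an added example (not from the thread or from the dcm4che project), the WARN line "unrecognized PDU[type=72, len=1414541105]" in the output above can be turned back into the bytes the server sent: in a DICOM upper-layer PDU header the first byte is the type and bytes 3 to 6 are the big-endian length, so type 72 (0x48, 'H') and length 1414541105 (0x54502F31, 'TP/1') read as H?TP/1, which is the start of an HTTP status line rather than an A-ASSOCIATE-AC, consistent with the Undertow HTTPS listener from dcm4chee-arc.xml answering on port 8443 instead of a DICOM TLS port. The script below performs that decoding for any dcm4che log line; the sample log lines are copied from the thread.

```python
"""Decode dcm4che's "unrecognized PDU[type=..., len=...]" warning back into the
header bytes the peer sent, so a protocol mismatch (a non-DICOM service on the
port) can be told apart from a genuinely malformed DICOM PDU.

Added example for this thread; it is not part of dcm4che. The log line format and
the sample values are taken from the storescu output posted above.
"""
import re
import struct

# DICOM upper-layer PDU types (PS3.8, section 9.3).
DICOM_PDU_TYPES = {
    0x01: "A-ASSOCIATE-RQ",
    0x02: "A-ASSOCIATE-AC",
    0x03: "A-ASSOCIATE-RJ",
    0x04: "P-DATA-TF",
    0x05: "A-RELEASE-RQ",
    0x06: "A-RELEASE-RP",
    0x07: "A-ABORT",
}

# The WARN line as emitted by org.dcm4che3.net.PDUDecoder in the thread.
_PDU_WARN = re.compile(r"unrecognized PDU\[type=(\d+), len=(\d+)\]")


def pdu_header_bytes(pdu_type: int, length: int) -> bytes:
    """Rebuild the 6-byte PDU header: type (1), reserved (1), length (u32, big-endian).

    The reserved byte is not in the log line, so it is filled with 0x00 here.
    """
    if not (0 <= pdu_type <= 0xFF and 0 <= length <= 0xFFFFFFFF):
        raise ValueError("type/len out of range for a DICOM PDU header")
    return struct.pack(">BBI", pdu_type, 0x00, length)


def _printable(b: int) -> bool:
    return 0x20 <= b < 0x7F


def _ascii(data: bytes) -> str:
    return "".join(chr(b) if _printable(b) else "." for b in data)


def analyse_pdu(pdu_type: int, length: int) -> dict:
    """Classify the header bytes recovered from one warning."""
    header = pdu_header_bytes(pdu_type, length)
    logged = header[:1] + header[2:]       # the five bytes the log actually carries
    view = _ascii(header[:1]) + "?" + _ascii(header[2:])   # '?' = unlogged reserved byte
    is_dicom = pdu_type in DICOM_PDU_TYPES
    hint = None
    if not is_dicom and all(_printable(b) for b in logged):
        # An HTTP status line starts "HTTP/1..."; the missing byte is the second 'T'.
        hint = "HTTP" if view.startswith("H?TP/") else "text protocol"
    return {
        "header_hex": header.hex(" "),
        "ascii": view,
        "is_dicom": is_dicom,
        "pdu_name": DICOM_PDU_TYPES.get(pdu_type),
        "peer_hint": hint,
    }


def decode_pdu_warning(line: str):
    """Return the analysis for one dcm4che log line, or None if it is not a PDU warning."""
    m = _PDU_WARN.search(line)
    if m is None:
        return None
    return analyse_pdu(int(m.group(1)), int(m.group(2)))


# Constructed sample: the WARN line and its neighbours from the thread's storescu output.
SAMPLE_LOG = [
    "11:28:44,346 INFO  - NAVEGATIUM->DCM4CHEE(1) << A-ASSOCIATE-RQ",
    "11:28:44,362 WARN  - NAVEGATIUM->DCM4CHEE(1): unrecognized PDU[type=72, len=1414541105]",
    "11:28:44,362 DEBUG - NAVEGATIUM->DCM4CHEE(1): enter state: Sta13 - Awaiting Transport Connection Close Indication",
]


def main() -> None:
    for line in SAMPLE_LOG:
        result = decode_pdu_warning(line)
        if result is None:
            continue
        print(line)
        print(f"  header bytes : {result['header_hex']}")
        print(f"  as ASCII     : {result['ascii']}")
        print(f"  DICOM PDU    : {result['is_dicom']}, peer looks like: {result['peer_hint']}")


if __name__ == "__main__":
    main()
```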

vrinda...@j4care.com

Jan 17, 2019, 5:58:39 AM
to dcm4che
To use dcm4che tools with TLS you don't need to refer to those wiki pages. You just need to have a TLS connection configured for the device, and it should be referenced by the AE which you are using. See sample-config.ldif.
Also, see attached log and screenshots of configuration.
storescu-tls.log
tls-connection.png
tls-connection-ae.png

Lotte Heckmann

Jan 17, 2019, 7:50:37 AM
to dcm4che
Thank you for your answer Vrinda! I managed to get it to work with your help.

What I did based on the advice (for anyone as confused as I was):
  • Import sample-config.ldif into LDAP (I was still working with the default_config imported during the installation)
  • Enable the TLS connection as shown in the screenshots provided by Vrinda
  • Add keystore URL, PIN, truststore URL and PIN to the dcm4chee device as I described before (if you're not using the default key.jks)
  • Call e.g. getscu -c DCM4CHEE@localhost:2762 --tls --key-store C:\Users\Testlab\client_keystore.jks --key-store-pass keystoreclient --trust-store C:\Users\Testlab\client_trust.jks --trust-store-pass clienttrust -m <some option like PatientName> (again, if you're not using the default key/truststores of dcm4che)
Best regards!

Brandon C

Aug 10, 2022, 11:09:51 AM
to dcm4che
Hi, is there a way to update the keystore and truststore without redeploying, or a way to update them in the UI? I am using Docker, but I am unsure how best to manage the keys.
Thank you