TLS Handshake Tests - dcm4che/dcm4chee-arc-light GitHub Wiki

Overview

This page explains how one can configure Keystore, LDAP and Wildfly in order to do the TLS Handshake tests.

Creation of Server side Keystore.p12

The below tool is used to generate a new keystore.p12 file with the key algorithm as RSA

keytool -genkeypair -keyalg RSA -keystore keystore.p12

Once the above command is typed, it will prompt for details to be entered by user as shown below

Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:
What is the name of your organizational unit?
  [Unknown]:
What is the name of your organization?
  [Unknown]:  dcm4che
What is the name of your City or Locality?
  [Unknown]:  Vienna
What is the name of your State or Province?
  [Unknown]:  Vienna
What is the two-letter country code for this unit?
  [Unknown]:  AT
Is CN=Unknown, OU=Unknown, O=dcm4che, L=Vienna, ST=Vienna, C=AT correct?
  [no]:  yes

Enter key password for <mykey>
        (RETURN if same as keystore password):
Re-enter new password:

The password entered above will be needed in LDAP configuration mentioned below.

Creation of Server side & Client side Truststore

Create client side truststore (required in Wildfly configuration) from the clientKey received from the Client side

   keytool -importcert -file clientKey.pem -keystore client.truststore	

Create server side truststore (required in Wildfly configuration)

   keytool -importcert -file keystore.pem -keystore server.truststore

LDAP Configuration for TLS Handshake tests

  1. Place this newly created keystore.p12 file in wildfly location : $WILDFLY_HOME/standalone/configuration/dcm4chee-arc/keystore.p12

  2. On dcm4chee-arc device level, add the attribute dcmKeystoreURL and its value should point the above location.

  3. On dcm4chee-arc device level, add another attribute dcmKeystorePin. The value should be the password used while generating the keystore.p12 as shown above in Creation of keystore.p12

  4. On dcm4chee-arc device level, modify the value of userCertificate;binary to point to server side certificate.

  5. To add client side certificate in LDAP configuration one may add following attributes in a new device or update an existing device which is not being used

        objectClass: pkiUser
        userCertificate;binary: <add client certificate here>
    
  6. On dcm4chee-arc device level, add a new dicomAuthorizedNodeCertificateReference and point its value to the device (newly added or updated as mentioned in point 5, which has the client certificate information)

Go to the Control tab on Configuration page in archive UI and reload the configuration.

Wildfly Configuration

  1. Modify the $WILDFLY_HOME/standalone/configuration/application-roles.properties

        CN\=client,\ OU\=<authentication>,\ O\=JBoss,\ ST\=UP,\ C\=IN=JBossAdmin
        admin=JBossAdmin
    
  2. Add below code snippets in the $WILDFLY_HOME/standalone/configuration/dcm4chee-arc.xml

....
....
<management>
        <security-realms>
        ....
        ....
        <security-realm name="UndertowRealm">
                <server-identities>
                    <ssl>
                        <keystore path="keystore.p12" relative-to="jboss.server.config.dir" keystore-password="myPass" alias="myAlias" key-password="myPass"/>
                    </ssl>
                </server-identities>
                <authentication>
                    <truststore path="client.truststore" relative-to="jboss.server.config.dir" keystore-password="clientPass"/>
                    <local default-user="$local" skip-group-loading="true"/>
                    <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
                </authentication>
            </security-realm>
....
....
<subsystem xmlns="urn:jboss:domain:security:1.2">
            <security-domains>
            ....
            ....
            <security-domain name="client_cert_domain" cache-type="default">
                    <authentication>
                        <login-module code="CertificateRoles" flag="required">
                            <module-option name="verifier" value="org.jboss.security.auth.certs.AnyCertVerifier"/>
                            <module-option name="securityDomain" value="client_cert_domain"/>
                            <module-option name="rolesProperties" value="file:${jboss.server.config.dir}/application-roles.properties"/>
                        </login-module>
                    </authentication>
                    <jsse keystore-password="myPass" keystore-url="file:${jboss.server.config.dir}/keystore.p12" truststore-password="myPass" truststore-url="file:${jboss.server.config.dir}/server.truststore" cipher-suites="TLS_RSA_WITH_AES_128_CBC_SHA" client-auth="true" protocols="SSLv3, TLSv1"/>
                </security-domain>
....
....
<subsystem xmlns="urn:jboss:domain:undertow:3.0">
            <buffer-cache name="default"/>
            <server name="default-server">
                <http-listener name="default" max-post-size="100000000" socket-binding="http"/>
                <https-listener name="https" max-post-size="100000000" verify-client="REQUIRED" security- realm="UndertowRealm" socket-binding="https"/>
....
....
⚠️ **GitHub.com Fallback** ⚠️