18.1. Security Profiles

18.1.1. Secure Transport Connection Profiles

dcm4che DICOM Archive 5 supports the Basic TLS Secure Transport Connection Profile and the AES TLS Secure Transport Connection Profile as specified in DICOM Standard, Part 15, Annex B.1 and Annex B.3.

In the default configuration, TLS 1.0, TLS 1.1 and TLS 1.2 are enabled; use of TLS 1.2 is preferred.

Cipher suite options other than the two that comply with the AES TLS Secure Transport Connection Profile:

  • TLS_RSA_WITH_AES_128_CBC_SHA

  • TLS_RSA_WITH_3DES_EDE_CBC_SHA

may also be configured.

Besides DICOM DIMSE service connections, HL7 v2 and HTTP connections can also be secured with TLS.

IP ports on which an implementation accepts TLS connections are configurable.

The private key and the Certificate used by an instance of dcm4che DICOM Archive 5 to identify itself in the TLS negotiation with remote applications have to be provided in a local keystore file in PKCS12 or JKS (Java Key Store) format on the application host. Certificates of Certificate Authorities (CA) used to validate Certificates received from remote applications during the TLS negotiation can also be provided in a local keystore file in JKS format, or on the central LDAP server that is used as the configuration backend for all instances of dcm4che DICOM Archive 5.
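The protocol and cipher suite settings described in this section can be reviewed per connection in an export of the LDAP configuration. The following is an added example, not part of dcm4che or its documentation. The attribute names dicomTLSCipherSuite and dcmTLSProtocol, the reading of a missing cipher suite as "TLS off", and the sample LDIF are assumptions, and the parser expects plain, unfolded LDIF.

```python
# Assumed attribute names: dicomTLSCipherSuite, dcmTLSProtocol (verify against your schema).
# The two suites the page lists for the AES TLS Secure Transport Connection Profile.
AES_TLS_PROFILE = {"TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}
# Default stated on the page when no protocol is configured explicitly.
DEFAULT_PROTOCOLS = ["TLSv1.2", "TLSv1.1", "TLSv1"]
LEGACY_PROTOCOLS = {"TLSv1", "TLSv1.1"}  # deprecated by RFC 8996

# Constructed sample input, not taken from a real deployment.
SAMPLE_LDIF = """\
dn: cn=dicom-tls,dicomDeviceName=example-arc,cn=Devices,dc=example,dc=org
cn: dicom-tls
dicomTLSCipherSuite: TLS_RSA_WITH_AES_128_CBC_SHA
dicomTLSCipherSuite: TLS_RSA_WITH_3DES_EDE_CBC_SHA

dn: cn=hl7-tls,dicomDeviceName=example-arc,cn=Devices,dc=example,dc=org
cn: hl7-tls
dcmTLSProtocol: TLSv1.2
dicomTLSCipherSuite: TLS_RSA_WITH_AES_128_CBC_SHA

dn: cn=dicom,dicomDeviceName=example-arc,cn=Devices,dc=example,dc=org
cn: dicom
"""

def parse_ldif(text):
    """Split an LDIF export into entries mapping attribute name -> list of values."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            name, value = line.split(": ", 1)
            entry.setdefault(name, []).append(value.strip())
        entries.append(entry)
    return entries

def audit(entry):
    """Return findings for one network connection entry."""
    suites = entry.get("dicomTLSCipherSuite", [])
    if not suites:
        return ["no cipher suite listed (assumed to mean TLS is off)"]
    protocols = entry.get("dcmTLSProtocol", DEFAULT_PROTOCOLS)
    findings = [f"legacy protocol enabled: {p}" for p in protocols if p in LEGACY_PROTOCOLS]
    findings += [f"suite outside AES TLS profile: {s}" for s in suites if s not in AES_TLS_PROFILE]
    findings += [f"3DES suite enabled (64-bit block cipher): {s}" for s in suites if "3DES" in s]
    return findings

def audit_ldif(text):
    """Map each connection's cn to its list of findings."""
    return {e["cn"][0]: audit(e) for e in parse_ldif(text)}
```

Calling audit_ldif(SAMPLE_LDIF) returns an empty finding list only for the connection that pins TLSv1.2 and the AES suite; the connection left on defaults is reported for TLSv1.1, TLSv1 and the 3DES suite.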

18.1.2. Audit Trail Profiles

18.1.2.1. Audit Trail Message Format Profile

dcm4che DICOM Archive 5 supports the Audit Trail Message Format Profile as specified in DICOM Standard, Part 15, Annex A.5. The following audit messages are triggered on receipt of HL7 messages.

18.1.2.1.1. Audit Messages

18.1.2.2. Audit Trail Message Transmission Profile - SYSLOG-TLS

dcm4che DICOM Archive 5 supports the Audit Trail Message Transmission Profile - SYSLOG-TLS as specified in DICOM Standard, Part 15, Annex A.6.

18.1.2.3. Audit Trail Message Transmission Profile - SYSLOG-UDP

dcm4che DICOM Archive 5 supports the Audit Trail Message Transmission Profile - SYSLOG-UDP as specified in DICOM Standard, Part 15, Annex A.7.