Enable TLS/SSL encrypted DICOM transfer to Mediaflux server (using DCMTK storescu)

I. TLS/SSL encrypted DICOM transfer to Mediaflux DICOM server without verifying the certificates on both ends

  1. Configure the Mediaflux server with SSL encryption but without client certificate verification, i.e. allow untrusted client certificates:
    network.start :type dicom :port 6667 :ssl -trusted false true \
        :arg -name asset.engine pss \
        :arg -name authentication.domain dicom \
        :arg -name dicom.title MFLUX \
        :arg -name pss.asset.namespace.root /dicom \
        :arg -name pss.id.subject.by patient.id
    
  2. Send DICOM files to the Mediaflux server using DCMTK's storescu:
    storescu +tls /path/to/dcmtk-storescu.key /path/to/dcmtk-storescu.pem -ic -aet DCMTK -aec MFLUX mediaflux.example.org 6667 /path/to/*.dcm
    
    NOTE: The -ic option in the command above disables peer certificate verification, so the transfer is encrypted but the server's identity is not checked by the client.


II. TLS/SSL encrypted DICOM transfer to Mediaflux DICOM server with certificate verification on both ends

  1. Export the Mediaflux server certificate:
    server.certificate.identity.export :format base64 :id 8 :out file:/path/to/dcmtk-trusted-certs/mflux.pem

    Note: Currently, there is an issue when the Mediaflux server certificate identity contains a chained root CA certificate and an intermediate certificate: the certificate file exported by the server.certificate.identity.export service is incomplete. It contains only the host certificate and omits the chained root CA and intermediate certificates. A DICOM client that uses this file then fails to connect to the Mediaflux DICOM server during the SSL handshake.

    To work around this issue, use the original certificate file that includes all the chained certificates.

  2. Import the (DCMTK) client's certificate into Mediaflux as a trusted certificate:
    server.certificate.trust.import :in file:/path/to/dcmtk-storescu.pem
  3. Configure the Mediaflux server with SSL encryption and client certificate verification:
    network.start :type dicom :port 6667 :ssl -trusted true true \
        :arg -name asset.engine pss \
        :arg -name authentication.domain dicom \
        :arg -name dicom.title MFLUX \
        :arg -name pss.asset.namespace.root /dicom \
        :arg -name pss.id.subject.by patient.id
    
  4. Send DICOM files to the Mediaflux server using DCMTK's storescu:
    storescu +tls /path/to/dcmtk-storescu.key /path/to/dcmtk-storescu.pem --add-cert-file /path/to/dcmtk-trusted-certs/mflux.pem -rc -aet DCMTK -aec MFLUX mediaflux.example.org 6667 /path/to/*.dcm
    
    NOTE: The -rc option in the command above requires peer certificate verification.
    --add-cert-file specifies the trusted certificate file (the exported Mediaflux server certificate, including any chained certificates).
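Because the exported PEM file in step 1 may be missing the intermediate and root CA certificates, and the resulting handshake failure only shows up at step 4, it is worth checking the bundle before pointing --add-cert-file at it. The following shell script is an added example, not part of the original post or of Mediaflux/DCMTK: it counts the certificates in a PEM file, checks that the count reaches the depth expected for a chained identity, and, if openssl happens to be installed, prints each certificate's subject and issuer so a gap in the chain is visible. The file path and the expected depth are assumptions passed in by the caller.

```sh
#!/bin/sh
# Added example (not from the original post): sanity-check a PEM bundle
# before using it as the DCMTK trusted certificate file.
# Assumptions: the caller passes the path of the exported PEM file and the
# number of certificates it expects (e.g. 3 for host + intermediate + root).

# Count the certificates in a PEM file (0 if the file has none).
count_pem_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Return 0 if the bundle holds at least $2 certificates, 1 otherwise.
# A count of 1 for a server that uses a CA chain means the export is
# incomplete and the TLS handshake will fail on the client side.
check_chain_depth() {
    n=$(count_pem_certs "$1")
    [ "$n" -ge "$2" ]
}

# Print subject/issuer of every certificate in the bundle so an issuer
# with no matching subject (a missing link in the chain) can be spotted.
# Skipped when openssl is not installed; never modifies the input file.
show_chain() {
    command -v openssl >/dev/null 2>&1 || {
        echo "openssl not installed; skipping chain dump"
        return 0
    }
    tmp=$(mktemp -d) || return 1
    # Split the bundle into one file per certificate.
    awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/{n++}
         {print > (dir "/cert_" n ".pem")}' "$1"
    for c in "$tmp"/cert_*.pem; do
        openssl x509 -in "$c" -noout -subject -issuer
    done
    rm -rf "$tmp"
}

# Usage (run manually; expected depth is an assumption for your deployment):
#   check_chain_depth /path/to/dcmtk-trusted-certs/mflux.pem 3 \
#       || echo "incomplete chain: use the original certificate file instead"
#   show_chain /path/to/dcmtk-trusted-certs/mflux.pem
```

If check_chain_depth fails for a server whose identity includes a CA chain, apply the workaround from step 1 (use the original certificate file that contains all chained certificates) before running storescu with -rc.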
