Wiki

Clone wiki

WADQC / Security

HTTPS

Presently the WAD-QC uses only standard non-encrypted HTTP for all communications with Orthanc, WAD-Admin, and WAD-Dashboard. Since self-signed certificates are no longer supported by some browsers, or at least result in distracting warnings, there are currently no plans to automatically enable HTTPS.

Manually enable HTTPS

To manually enable HTTPS after installation, you can follow these steps for Ubuntu. Here we assume that the server is named "wadqc.myhospital.org" and that you have the appropriate HTTPS certificate files (wadqc.myhospital.org.crt and wadqc.myhospital.org.key).

First copy the certifcate files to a good location.

sudo mkdir /etc/apache2/ssl
sudo cp wadqc.myhospital.org.crt  /etc/apache2/ssl
sudo cp wadqc.myhospital.org.key  /etc/apache2/ssl

Now edit the apache conf files for the different webservices, so they end and start with the HTTPS modifications as shown below. For "...." fill in the contents of the original conf file between the <VirtualHost> and </VirtualHost> (without these tags and without the ServerName line).

/etc/apache2/sites-available/dashboard_wadqc.conf

<IfModule mod_ssl.c>
 <VirtualHost _default_:443>
    ServerName wadqc.myhospital.org

    ....

    SSLEngine on

    SSLCertificateFile      /etc/apache2/ssl/wadqc.myhospital.org.crt
    SSLCertificateKeyFile   /etc/apache2/ssl/wadqc.myhospital.org.key
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>
 </VirtualHost>
</IfModule>

/etc/apache2/sites-available/admin_wadqc.conf

<IfModule mod_ssl.c>
 Listen 12001
 <VirtualHost _default_:12001>
    ServerName wadqc.myhospital.org

    ....

    SSLEngine on

    SSLCertificateFile      /etc/apache2/ssl/wadqc.myhospital.org.crt
    SSLCertificateKeyFile   /etc/apache2/ssl/wadqc.myhospital.org.key
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>
 </VirtualHost>
</IfModule>

/etc/apache2/sites-available/api_wadqc.conf

<IfModule mod_ssl.c>
 Listen 3000
 <VirtualHost _default_:3000>
    ServerName wadqc.myhospital.org

    ....

    SSLEngine on

    SSLCertificateFile      /etc/apache2/ssl/wadqc.myhospital.org.crt
    SSLCertificateKeyFile   /etc/apache2/ssl/wadqc.myhospital.org.key
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>
 </VirtualHost>
</IfModule>

Now enable HTTPS

sudo a2enmod ssl
sudo systemctl restart apache2

To redirect all HTTP trafic to HTTPS for the dashboard, modify /etc/apache2/sites-available/000-default and add right below the line "<VirtualHost *:80>"

Redirect permanent "/" "https://wadqc.myhospital.org/"

Now activate this redirect site

sudo a2ensite 000-default
sudo apache2ctl restart

To enable HTTPS for Orthanc, please read http://book.orthanc-server.com/faq/https.html.

Passwords

When installing using wad_setup, some default users with default passwords are created. Also, when starting WAD-Admin and WAD-Dashboard for the first time after installation, a default user is created for access.

changes before running wad_setup

When installing using wad_setup, one can change the initial passwords for the Orthanc REST access and for the databases of Orthanc and WAD-QC by manually editing the installation "recipe" file in a text editor and changing the indicated password fields.

changes in a running WAD-QC installation

In a running WAD-QC installation, all access credentials can be changed.

Orthanc WADQC

The Orthanc REST users are defined in the Orthanc config file, located at <WADROOT>/orthanc/config/orthanc.json. To change the access credentials, edit the file manually. Afer editing, restart Orthanc, and use WAD-Admin to apply the same changes to the access credentials of Source WADQC in the Data Sources page. This page is found from the WAD-Admin home page, under section "data sources".

Sources Page

WAD-Admin

WAD-Admin has its own user management function. This can be accessed from the WAD-Admin home page under section Resources.

WAD-Dashboard

WAD-Dashboard has its own user management function. This can be accessed from the WAD-Dashboard Admin page under section Resources (the WAD-Dashboard Admin page is found with the "Admin" button on the left in the top bar).

Malware Analysis Modules

By design WAD-QC and all its databases are installed in the wadqc user's home directory. Also all analysis processes are excuted as the wadqc user. That means that it is not difficult to make a malware Analyse Module that erases the whole WAD-QC installatation, or tampers with the access credentials.

To minimize that risk, use only factory modules and modules from sources you trust. Before importing Modules or restoring Selectors, you can always open the zip file and inspect the sources. If you don't trust it, do not install it, but please report it here!

Updated