• Optima MR450w BASE 1.5T System Service Methods
  • 5690012-2EN Revision 3
  • Object ID: 00000018WIA30FE0550GYZ
  • Topic ID: id_2024462 Version: 1.27
  • Date: Jul 4, 2020 12:10:12 AM

Importing and exporting TLS certificates

A certificate, or digital certificate, is a unique, digitally signed document that establishes the identity of an individual or organization. Its authenticity can be verified using public key cryptography, which confirms that the software or website you are using is legitimate.

Prerequisites

Personnel requirements
Required persons | Preliminary requirements | Procedure | Finalization
1 | - | 45 to 65 minutes | 5 minutes
Tools and test equipment
Item | Quantity | Part number | Manufacturer
USB Flash Drive | 1 | - | -
Required conditions
The certificate must be installed on the USB flash drive prior to starting the procedure.
Safety

Before working in any GE Healthcare MR suite or performing any GE Healthcare service procedure, you must:

  • Have read and understood all hazard conditions and safety requirements in the latest revision of the GE Healthcare MR Service Safety Manual (5452735).
  • Have successfully completed all relevant GE Healthcare Environmental Health and Safety (EHS) courses (or for non-GE employees, equivalent workplace training courses).
  • Comply with all site-specific training and workplace safety requirements.

If you have any safety concerns at any time, do not begin work or immediately stop work and move to a safe location. Immediately contact your supervisor or site safety officer for instructions on how to proceed.

About this task

Software version and later introduces Certificate Management through TLS encryption for DICOM, EA3 and EAT features on the MR system.

Certificate specifications as required by the MR software

About this task

Certificates generated by the customer IT team for use on the MR system must comply with the following:
  • Certificates can be self-signed or CA Authorized
  • The MR scanner only accepts certificate files with extension .pem
  • The following attributes within the certificate are mandatory:
    • Common name (for example, server FQDN)
    • Organization name
    • Organizational unit name
    • Locality name (city/locality)
    • State or province name (state/province)
    • Country name (country/region)
  • Bit length: 2048 is the current industry standard
  • Self-signed certificates complying with the above rules can be generated on the MR scanner itself; however, this is the least preferred and not a recommended method for accomplishing certificate management. For information on self-signed certificates, see Generating self-signed certificates.
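
The requirements above can be checked on an IT workstation before the certificate is copied to the USB flash drive. The script below is an added example, not part of this manual or of the MR software. It assumes the OpenSSL command-line tool and an RSA key, treats 2048 bits as a minimum, and uses the hypothetical function name check_mr_cert.

```bash
#!/usr/bin/env bash
# Added example (not GE Healthcare code): pre-check a certificate file against
# the requirements listed above. Assumptions: RSA key, and "bit length" is
# enforced as a 2048-bit minimum (override with a second argument).

check_mr_cert() {
    local cert="$1" min_bits="${2:-2048}" subject bits attr rc=0

    # The scanner only accepts certificate files with the .pem extension.
    case "$cert" in
        *.pem) ;;
        *) echo "FAIL: file extension is not .pem"; return 1 ;;
    esac

    # "multiline" prints one subject attribute per line using long names,
    # for example "    commonName                = mr1.example.test".
    subject=$(openssl x509 -in "$cert" -noout -subject -nameopt multiline 2>/dev/null) || {
        echo "FAIL: not a readable PEM X.509 certificate"; return 1; }

    # Mandatory subject attributes from the specification list.
    for attr in commonName organizationName organizationalUnitName \
                localityName stateOrProvinceName countryName; do
        if ! printf '%s\n' "$subject" | grep -Eq "^ *${attr} *= *[^ ]"; then
            echo "FAIL: subject is missing ${attr}"; rc=1
        fi
    done

    # Public key size as reported by OpenSSL, e.g. "Public-Key: (2048 bit)".
    bits=$(openssl x509 -in "$cert" -noout -text 2>/dev/null |
           sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    if [ -z "$bits" ] || [ "$bits" -lt "$min_bits" ]; then
        echo "FAIL: key length ${bits:-unknown} is below ${min_bits} bits"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: ${cert} meets the listed requirements"
    return "$rc"
}

# Stand-alone use: ./check_mr_cert.sh scanner.pem
if [ "$#" -gt 0 ]; then check_mr_cert "$@"; fi
```

The function reports every missing attribute in one pass, so a rejected certificate can be corrected and reissued once.
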
Note: Consult with customer IT to determine which of the below setups is applicable for their system.

MR Scanner set up as secure client

About this task

When the MR Scanner is set up as a secure client through Transport Layer Security (TLS), it can only send encrypted data (EAT, EA3, or DICOM as configured) to a server. The MR Scanner itself cannot receive any encrypted information from the server. Therefore, if the MR Scanner is set up as a client and either the customer or service personnel tries to send data (EAT, EA3, or DICOM as configured) from the server to the MR Scanner, the transfer will not go through. To avoid a transfer failure, follow this procedure.
Figure 1. MR Scanner set up as secure client flowchart
Note: Underlined text in the flowchart below indicates links to additional content.
  • Importing third-party certificates
  • Configuring certificates
  • Exporting private keys for a third-party client

MR Scanner set up as secure server

About this task

When the MR Scanner is set up as a secure server, it can send/receive encrypted data (EAT, EA3, or DICOM as configured) to/from a server.
Figure 2. MR Scanner set up as secure server flowchart
Note: Underlined text in the flowchart below indicates links to additional content.
  • Importing host certificates
  • Configuring certificates to the services on the MR system
  • Exporting private keys for a third-party client
Note: Certificate import/export alone does not configure secure networking on the MR scanner. Individual applications must be configured to use the certificates. For detailed information on configuration, see the following: