Orthanc on Ubuntu 24.04 on Azure User Guide
Overview
This image runs Orthanc 1.12.11 on Ubuntu 24.04 LTS. Orthanc is a lightweight, standalone DICOM server for medical imaging. Scanners, ultrasound machines and other imaging equipment speak DICOM, and Orthanc gives them somewhere to send studies: it listens on the DICOM protocol, indexes every patient, study, series and instance it receives, and makes them browsable in its built in web interface, Orthanc Explorer. The same catalogue is exposed through a full REST API, so images and metadata can be pulled into research pipelines, teaching archives, reporting tools or your own applications.
No credential ships in this image, and it is locked until first boot. Orthanc's packaged and container builds are widely known for the default orthanc / orthanc login. This image has no such default, and no password of any kind is baked into it. A unique administrator password is generated on your VM specifically, from the kernel random number generator, by orthanc-firstboot.service during first boot. Until that runs there is no registered user at all, and Orthanc's authentication is fail closed: it answers 401 to every request rather than serving your archive openly.
What is included:
- Orthanc 1.12.11, compiled from the official upstream source release against Ubuntu's own system libraries
- Orthanc Explorer, the built in web interface, served through nginx on port 80
- The DICOM server (SCP) listening on port 4242 with AE title
ORTHANC - The full Orthanc REST API on the same port 80, behind the same authentication
- A unique administrator password generated on this VM at first boot, in a root only file
dcmtk, the standard DICOM toolkit (echoscu,storescu,dcmdump) for testing and sending- A synthetic phantom study you can send in one command to prove the install end to end
- The complete corresponding source and licence texts on the image, satisfying the GPL
- A dependency vulnerability scan, gated at build time and recorded at
/usr/share/doc/orthanc/cve-audit.txt
Why this image is built from source. Ubuntu's own orthanc package is version 1.12.2, which predates the nine security vulnerabilities (CVE-2026-5437 through CVE-2026-5445) that Orthanc fixed in 1.12.11. Orthanc's own prebuilt binary is 1.12.11, but it statically bundles its own private copies of OpenSSL, DCMTK and boost, which your VM's package manager can never see or update. cloudimg compiles the current release against Ubuntu's shared libraries instead, so you get both the security fixes and cryptography and image parsing that keep receiving Ubuntu security updates on your machine for the life of the image. The exact build is recorded at /usr/share/doc/orthanc/BUILD-INFO.txt.
Prerequisites
- An Azure subscription
- The Azure CLI if you deploy from the command line
- An SSH key pair
Standard_B2s(2 vCPU, 4 GB) suits evaluation and small archives. Give Orthanc more vCPU and a larger data disk for production volumes.
Step 1 - Deploy from the Azure Marketplace
Search the Azure Marketplace for Orthanc on Ubuntu 24.04 LTS by cloudimg, select Create, and work through the wizard. Choose SSH public key authentication with the username azureuser.
On the Networking tab, allow inbound SSH (22) and HTTP (80). You will also need 4242 for DICOM, but read Step 9 before opening it to the internet.
Step 2 - Deploy from the Azure CLI
az group create --name orthanc-rg --location eastus
az vm create \
--resource-group orthanc-rg \
--name orthanc-vm \
--image cloudimg:orthanc-ubuntu-24-04:default:latest \
--size Standard_B2s \
--admin-username azureuser \
--generate-ssh-keys \
--public-ip-sku Standard
az vm open-port --resource-group orthanc-rg --name orthanc-vm --port 80 --priority 1001
# Accept the image terms once per subscription:
az vm image terms accept --urn cloudimg:orthanc-ubuntu-24-04:default:latest
Step 3 - Connect to your VM
ssh azureuser@<vm-ip>
Step 4 - Confirm the services are running
Three units make up this image: orthanc-firstboot.service generates your unique administrator password, orthanc.service is the DICOM server itself, and nginx.service is the front door on port 80.
systemctl is-active orthanc orthanc-firstboot nginx
All three report active:
active
active
active
Orthanc's HTTP server listens on loopback only, and nginx is what serves port 80. The DICOM server listens on all interfaces, because that is the point of a DICOM server.
sudo ss -ltnp | grep -E ':80 |:4242 |:8042 '
LISTEN 127.0.0.1:8042 users:(("Orthanc",pid=52879,fd=7))
LISTEN 0.0.0.0:80 users:(("nginx",pid=52886,fd=5))
LISTEN 0.0.0.0:4242 users:(("Orthanc",pid=52879,fd=6))

Step 5 - Retrieve your administrator password
Your password was generated on this VM at first boot and written to a root only file:
sudo cat /root/orthanc-credentials.txt
The file records your URL, username and password, plus your DICOM AE title and port:
ORTHANC_URL=http://<vm-ip>/
ORTHANC_ADMIN_USERNAME=admin
ORTHANC_ADMIN_PASSWORD=<your unique password>
ORTHANC_DICOM_AET=ORTHANC
ORTHANC_DICOM_PORT=4242
ORTHANC_DICOM_HOST=<vm-ip>
Rotate it at any time, either to a new random value or to one you choose:
sudo orthanc-passwd
Step 6 - Open Orthanc Explorer
Browse to http://<vm-ip>/ and sign in with admin and the password from Step 5. Orthanc Explorer opens on the patient list. A fresh server is empty until something is sent to it, which is Step 7.

Step 7 - Send your first study over DICOM
The image ships a small synthetic phantom study at /usr/share/orthanc/sample-dicom/ so you can prove your server works end to end immediately. It is procedurally generated geometry and contains no patient data of any kind.
First check that the DICOM server answers a C-ECHO, the DICOM equivalent of a ping:
echoscu -aec ORTHANC localhost 4242 && echo "C-ECHO: association accepted"
C-ECHO: association accepted
Now send the study with a real C-STORE, exactly as a modality would:
storescu -aec ORTHANC localhost 4242 /usr/share/orthanc/sample-dicom/*.dcm
Confirm the 12 instances arrived and were indexed:
PW=$(sudo sed -n 's/^ORTHANC_ADMIN_PASSWORD=//p' /root/orthanc-credentials.txt)
curl -s -u admin:$PW http://localhost/statistics | jq '{CountPatients,CountStudies,CountSeries,CountInstances}'
{
"CountPatients": 1,
"CountStudies": 1,
"CountSeries": 2,
"CountInstances": 12
}

Refresh Orthanc Explorer and the study is there. Click through Patient, then Study, to see the two series that arrived.

Open a series to see every instance with its DICOM metadata.

Select Preview this series to page through the decoded images.

When you are done with the phantom, delete it from Explorer with Delete this study, or over the API.
Step 8 - Use the REST API
Everything Explorer does is the REST API, and it uses the same credentials:
PW=$(sudo sed -n 's/^ORTHANC_ADMIN_PASSWORD=//p' /root/orthanc-credentials.txt)
curl -s -u admin:$PW http://localhost/system | jq '{Name,Version,ApiVersion,IsHttpServerSecure,DicomAet,DicomPort}'
{
"Name": "cloudimg Orthanc",
"Version": "1.12.11",
"ApiVersion": 30,
"IsHttpServerSecure": true,
"DicomAet": "ORTHANC",
"DicomPort": 4242,
"StorageCompression": false
}
IsHttpServerSecure is Orthanc's own assessment of its configuration. It reports true here because authentication is explicitly enforced and no default credential exists. If it ever reported false, Orthanc Explorer would show a red Insecure setup banner on every page.
List what is stored:
curl -s -u admin:$PW "http://localhost/patients?expand" | jq -r '.[] | {PatientName:.MainDicomTags.PatientName, PatientID:.MainDicomTags.PatientID}'
{
"PatientName": "PHANTOM^CLOUDIMG",
"PatientID": "CLOUDIMG-PHANTOM-001"
}

The full API is documented in the Orthanc Book.
Step 9 - Confirm the security posture, and restrict the DICOM port
Everything on port 80 requires your password. An unauthenticated request is refused:
curl -s -o /dev/null -w 'unauthenticated: HTTP %{http_code}\n' http://localhost/system
unauthenticated: HTTP 401
The well known default credential does not work either, because it does not exist on this image:
curl -s -o /dev/null -w 'default credential: HTTP %{http_code}\n' -u orthanc:orthanc http://localhost/system
default credential: HTTP 401
The DICOM port has no password. This is how the DICOM protocol works, not a choice this image made: DICOM identifies peers by AE title, not by password, so anyone who can reach port 4242 can send images to your server. Treat network reachability as the access control. Restrict 4242 to your modalities:
az network nsg rule create \
--resource-group orthanc-rg \
--nsg-name orthanc-vmNSG \
--name allow-dicom-from-modalities \
--priority 1002 \
--source-address-prefixes <modality-ip>/32 \
--destination-port-ranges 4242 \
--access Allow --protocol Tcp
Then register each modality with Orthanc so you can query and send to it. Open /etc/orthanc/orthanc.json in your editor and fill in the DicomModalities block, giving each modality a name, its AE title, its host and its port:
"DicomModalities" : {
"ct-scanner" : [ "CT_AET", "192.168.1.50", 104 ]
},
Restart Orthanc to apply it:
sudo systemctl restart orthanc
There is one deliberate exception to authentication: http://<vm-ip>/healthz is served by nginx itself and returns ok without credentials, so an Azure Load Balancer can probe the VM. It exposes no Orthanc data and stays available while Orthanc restarts.
curl -s http://localhost/healthz
ok
Step 10 - Put TLS in front of Orthanc
Orthanc uses HTTP Basic authentication, which sends your password on every request. Do not use it across an untrusted network without TLS. Point a DNS name at the VM, then:
sudo apt-get update && sudo apt-get install -y certbot python3-certbot-nginx
sudo certbot --nginx -d orthanc.example.com
Certbot rewrites the nginx site in place and renews automatically. Your Orthanc configuration does not change.
Step 11 - Licence and corresponding source
Orthanc is free software under the GNU General Public License version 3 or later. The complete corresponding source for the binary in this image ships on the image, alongside the licence texts and a written offer:
ls /usr/share/doc/orthanc/ /usr/share/orthanc/source/
/usr/share/doc/orthanc/:
AUTHORS BUILD-INFO.txt COPYING COPYING.LGPL-framework NEWS WRITTEN-OFFER.txt cve-audit.txt
/usr/share/orthanc/source/:
Orthanc-1.12.11.tar.gz SHA256SUMS
BUILD-INFO.txt records the exact source, its checksum and the exact command used to compile it, so the build is reproducible:
head -8 /usr/share/doc/orthanc/BUILD-INFO.txt
Orthanc 1.12.11 -- cloudimg Azure Marketplace image
Built: 2026-07-16T20:03:41Z
Source: https://orthanc.uclouvain.be/downloads/sources/orthanc/Orthanc-1.12.11.tar.gz
Source sha256: 1d1f8a9a71c831fa07155e9f88fdb22be8e5792e19fa6a27b9a62145fa822b66
Corresponding src: /usr/share/orthanc/source/Orthanc-1.12.11.tar.gz
Patches applied: none (unmodified upstream release)
Licence: GPL-3.0-or-later (core), LGPL-3.0 (OrthancFramework)
cloudimg applies no patches to Orthanc: what you run is the unmodified upstream release. Nothing in this image or its support terms restricts the rights the GPL grants you over Orthanc itself.

Maintenance
Where your images live. The DICOM files and Orthanc's index are under /var/lib/orthanc/db. Back that directory up as a unit, with Orthanc stopped:
sudo systemctl stop orthanc
sudo tar czf /tmp/orthanc-backup.tar.gz -C /var/lib/orthanc db
sudo systemctl start orthanc
For anything beyond a small archive, attach an Azure data disk and point StorageDirectory and IndexDirectory in /etc/orthanc/orthanc.json at it, so your images are not on the OS disk.
Configuration. /etc/orthanc/orthanc.json holds the non secret configuration. Your password lives separately in /etc/orthanc/credentials.json, which is why rotating it never touches the main file. Restart after editing:
sudo systemctl restart orthanc
Logs.
sudo journalctl -u orthanc -n 50 --no-pager
Updates. The base OS takes Ubuntu security updates automatically through unattended-upgrades, and that includes the OpenSSL, DCMTK, SQLite and boost libraries Orthanc links against, because this image links them from Ubuntu rather than bundling private copies.
Vulnerability report. The dependency scan performed when this image was built is recorded on the image:
head -20 /usr/share/doc/orthanc/cve-audit.txt
Support
Commercial support is included with this image. Contact support@cloudimg.co.uk.