Skip to content

Enabling HTTPS/TLS for PCoIP License Server

Enabling HTTPS/TLS on the License Server

Offline Environments     Online Environments

Important: Always use HTTPS

The default communication protocol is HTTP, which is less secure than HTTPS. We strongly recommend using HTTPS when communicating with the local HP Anyware license server.

Warning: Only internal network usage is supported

The HP Anyware License Server only supports company internal network usage. It is not designed to receive connections from the public internet.

TLS 1.1 Considerations

TLS 1.1 is disabled by default in RHEL/Rocky Linux 8. Attempts to use it in those operating systems may result in errors.

TLS 1.1 is insecure and we strongly recommend that you do not enable it. If you must enable TLS 1.1, first update the CentOS security policy to LEGACY.

To view the current security policy, run the following command:

update-crypto-policies --show 

To set the policy to LEGACY, run the following command:

update-crypto-policies --set LEGACY

Once this policy is set, you can proceed with the following instructions.

Prerequisites for Using HTTPS/TLS

Before enabling HTTP/TLS, get a valid certificate and accompanying private key, and save them in the JKS (Java Key Store) format. Ensure that the JKS file has a keystore password and storepass, and they both are the same.

We recommend using a CA-signed certificate whenever possible, but you can use a self-signed certificate if required.

If you must use a self-signed certificate, generate one using the following command. Replace <password> with your own password, and <license server="" address=""> with the IP address or FQDN of the license server:

keytool -genkey -keyalg RSA -alias teradiciLicenseServer -keystore teradiciLicenseServer.jks -storepass <pasword> -validity 365 -keysize 2048 -noprompt -dname "CN=<license server="" address="">, OU=Teradici PCoIP License Server, O=Teradici Corp, L=Vancouver, ST=BC, C=CA" -keypass <password>
keytool -importkeystore -srckeystore teradiciLicenseServer.jks -destkeystore teradiciLicenseServer.p12 -deststoretype pkcs12

Anyware agents can't validate self-signed certificates for HTTPS connections unless the public certificate is installed on the machine's trust store. For more information, see the RHEL instructions on this page.

Procedure

Create a new /opt/flexnetls/certs directory, and copy the .jks file into it. Do not place .jks file under /opt/flexnetls/TERADICI/, which may be overwritten by future upgrades.

Give the .jks file appropriate permissions:

Create an obfuscated password using Flexera's password obfuscation tool, replacing <password> with your password:

The output from this command shows the original password and the obfuscated password. Copy the obfuscated password (including OBF:) for use in the next step.

Configure the Local License Server settings to use the JKS:

Open /opt/flexnetls/TERADICI/local-configuration.yaml in a text editor using sudo.

Edit the following lines, replacing <obfuscated password=""> with the password you copied in the previous step. The configuration options are described next:

The options are:

port: HTTP listen port. This is required to run the license server commands internally on the license server host. You can safely block this port externally.

https-in/enabled: HTTPS-in enable. Set this to true to enable HTTPS for incoming connections to the license server.

https-in/port: HTTPS-in port number. Set this to the HTTPS listening port for the license server.

https-in/keystore-path: Set this to the full path for the JKS file that will be used for encryption.

https-in/keystore-password: Set this to the keypass/storepass, preferably the obfuscated password you created earlier.

Restart the license server:

When the server comes back up, verify that the system is listening on the configured HTTP and HTTPS ports (replace the ports in this example with your own as needed):

A positive response will look similar to the following example:

Verify that you can view licenses:

If you can view licenses, you will see output similar to the following example:

=======================================================================================
Feature ID      Feature Name           Feature Version   Feature Count Used/Available
=======================================================================================
1               Agent-Graphics                2019.0209            0/1
2               Agent-Session                 2019.0209            0/1
=======================================================================================

Device Information:

-------------------------------------------------------------
Device Name                   Feature Registered(Used Count)
-------------------------------------------------------------
=======================================================================================

        Total feature count           : 2
        Total feature count used      : 0
        Total uncounted features      : 0
=======================================================================================
```

Verify that the license server setting in the Connection Manager is configured correctly.

When using HTTPS, it should be configured as follows (replace <license-server-ip-or-fqdn> with the IP or FQDN of your license server, and <https-listen-port> with the port number you specified in step 5):

Verify that the Anyware Agents can check out licenses.

Move to a Anyware Agent desktop machine that will use this license server.

Verify that the License Server's firewall is open by opening a browser and visiting https://<license-server-ip-or-fqdn>:<https-listen-port>/api/1.0/health.

If the page loads, the firewall configuration is correct.

If the page loads but throws a certificate error, the port is open but the certificate is invalid; see below for guidance.

If the page does not load, the port is most likely closed.

Verify that the Anyware Agent machine can view license information from the License Server:

pcoip-validate-license
LicenseServerAddress = https://<license-server-ip-or-fqdn>:<https-listen-port>/request
================================================================================
Name              Count           Version         Type              Expiration    
================================================================================

Agent-Graphics    1               2019.0209       CONCURRENT        2019-02-09    
Agent-Session     1               2019.0209       CONCURRENT        2019-02-09    

Total number of features : 2
pcoip-list-licenses
tcp6       0      0 :::7071                 :::*                    LISTEN      3083/java
tcp6       0      0 :::7071                 :::*                    LISTEN      3083/java
sudo netstat -tulpn | grep -e 7070 -e 7071
sudo systemctl restart flexnetls-TERADICI
# local-configuration.

# HTTP listening port. Default is 7070. You can bind to an interface with this syntax: '[127.0.0.1].7070'.
port: 7070

...

# HTTPS server mode
https-in:
  # Set to true to enable
  enabled: true
  # HTTPS listening port
  port: 7071
  # Path to keystore
  keystore-path: /opt/flexnetls/certs/teradiciLicenseServer.jks
  # Keystore password. You can obfuscate this with java -jar flexnetls.jar -password your-password-here
  keystore-password: <obfuscated password="">

...
java -jar flexnetls.jar -password <password>
cd /opt/flexnetls/TERADICI/
sudo chown root.pcoip_license_server /opt/flexnetls/certs/teradiciLicenseServer.jks
sudo chmod 440 /opt/flexnetls/certs/teradiciLicenseServer.jks