Enabling HTTPS/TLS for PCoIP License Server
Enabling HTTPS/TLS on the License Server¶
Offline Environments Online Environments
Important: Always use HTTPS
The default communication protocol is HTTP, which is less secure than HTTPS. We strongly recommend using HTTPS when communicating with the local HP Anyware license server.
Warning: Only internal network usage is supported
The HP Anyware License Server only supports company internal network usage. It is not designed to receive connections from the public internet.
TLS 1.1 Considerations¶
TLS 1.1 is disabled by default in RHEL/Rocky Linux 8. Attempts to use it in those operating systems may result in errors.
TLS 1.1 is insecure and we strongly recommend that you do not enable it. If you must enable TLS 1.1, first update the CentOS security policy to LEGACY
.
To view the current security policy, run the following command:
update-crypto-policies --show
To set the policy to LEGACY
, run the following command:
update-crypto-policies --set LEGACY
Once this policy is set, you can proceed with the following instructions.
Prerequisites for Using HTTPS/TLS¶
Before enabling HTTP/TLS, get a valid certificate and accompanying private key, and save them in the JKS (Java Key Store) format. Ensure that the JKS file has a keystore password and storepass, and they both are the same.
We recommend using a CA-signed certificate whenever possible, but you can use a self-signed certificate if required.
If you must use a self-signed certificate, generate one using the following command. Replace <password>
with your own password, and <license server="" address="">
with the IP address or FQDN of the license server:
keytool -genkey -keyalg RSA -alias teradiciLicenseServer -keystore teradiciLicenseServer.jks -storepass <pasword> -validity 365 -keysize 2048 -noprompt -dname "CN=<license server="" address="">, OU=Teradici PCoIP License Server, O=Teradici Corp, L=Vancouver, ST=BC, C=CA" -keypass <password>
keytool -importkeystore -srckeystore teradiciLicenseServer.jks -destkeystore teradiciLicenseServer.p12 -deststoretype pkcs12
Anyware agents can't validate self-signed certificates for HTTPS connections unless the public certificate is installed on the machine's trust store. For more information, see the RHEL instructions on this page.
Procedure¶
Create a new /opt/flexnetls/certs directory, and copy the .jks file into it. Do not place .jks file under /opt/flexnetls/TERADICI/, which may be overwritten by future upgrades.
Give the .jks file appropriate permissions:
Create an obfuscated password using Flexera's password obfuscation tool, replacing <password>
with your password:
The output from this command shows the original password and the obfuscated password. Copy the obfuscated password (including OBF:
) for use in the next step.
Configure the Local License Server settings to use the JKS:
Open /opt/flexnetls/TERADICI/local-configuration.yaml in a text editor using sudo.
Edit the following lines, replacing <obfuscated password="">
with the password you copied in the previous step. The configuration options are described next:
The options are:
port
: HTTP listen port. This is required to run the license server commands internally on the license server host. You can safely block this port externally.
https-in/enabled
: HTTPS-in enable. Set this to true to enable HTTPS for incoming connections to the license server.
https-in/port
: HTTPS-in port number. Set this to the HTTPS listening port for the license server.
https-in/keystore-path
: Set this to the full path for the JKS file that will be used for encryption.
https-in/keystore-password
: Set this to the keypass/storepass, preferably the obfuscated password you created earlier.
Restart the license server:
When the server comes back up, verify that the system is listening on the configured HTTP and HTTPS ports (replace the ports in this example with your own as needed):
A positive response will look similar to the following example:
Verify that you can view licenses:
If you can view licenses, you will see output similar to the following example:
=======================================================================================
Feature ID Feature Name Feature Version Feature Count Used/Available
=======================================================================================
1 Agent-Graphics 2019.0209 0/1
2 Agent-Session 2019.0209 0/1
=======================================================================================
Device Information:
-------------------------------------------------------------
Device Name Feature Registered(Used Count)
-------------------------------------------------------------
=======================================================================================
Total feature count : 2
Total feature count used : 0
Total uncounted features : 0
=======================================================================================
```
Verify that the license server setting in the Connection Manager is configured correctly.
When using HTTPS, it should be configured as follows (replace <license-server-ip-or-fqdn>
with the IP or FQDN of your license server, and <https-listen-port>
with the port number you specified in step 5):
Verify that the Anyware Agents can check out licenses.
Move to a Anyware Agent desktop machine that will use this license server.
Verify that the License Server's firewall is open by opening a browser and visiting https://<license-server-ip-or-fqdn>:<https-listen-port>/api/1.0/health
.
If the page loads, the firewall configuration is correct.
If the page loads but throws a certificate error, the port is open but the certificate is invalid; see below for guidance.
If the page does not load, the port is most likely closed.
Verify that the Anyware Agent machine can view license information from the License Server:
pcoip-validate-license
LicenseServerAddress = https://<license-server-ip-or-fqdn>:<https-listen-port>/request
================================================================================
Name Count Version Type Expiration
================================================================================
Agent-Graphics 1 2019.0209 CONCURRENT 2019-02-09
Agent-Session 1 2019.0209 CONCURRENT 2019-02-09
Total number of features : 2
pcoip-list-licenses
tcp6 0 0 :::7071 :::* LISTEN 3083/java
tcp6 0 0 :::7071 :::* LISTEN 3083/java
sudo netstat -tulpn | grep -e 7070 -e 7071
sudo systemctl restart flexnetls-TERADICI
# local-configuration.
# HTTP listening port. Default is 7070. You can bind to an interface with this syntax: '[127.0.0.1].7070'.
port: 7070
...
# HTTPS server mode
https-in:
# Set to true to enable
enabled: true
# HTTPS listening port
port: 7071
# Path to keystore
keystore-path: /opt/flexnetls/certs/teradiciLicenseServer.jks
# Keystore password. You can obfuscate this with java -jar flexnetls.jar -password your-password-here
keystore-password: <obfuscated password="">
...
java -jar flexnetls.jar -password <password>
cd /opt/flexnetls/TERADICI/
sudo chown root.pcoip_license_server /opt/flexnetls/certs/teradiciLicenseServer.jks
sudo chmod 440 /opt/flexnetls/certs/teradiciLicenseServer.jks