
Enabling HTTPS/TLS for HP Anyware License Server


The following instructions document the use of HTTPS with TLS. The default communication protocol is HTTP, which is less secure than HTTPS. HP strongly recommends HTTPS for communicating with the local HP Anyware License Server.

Warning: Only internal network usage is supported

The HP Anyware License Server is supported only on a company-internal network. It is not designed to receive connections from the public Internet.

Using Self-signed Certificates

HP recommends against using a self-signed certificate. Use a CA-signed certificate whenever possible.

  1. If you must use a self-signed certificate, generate one using the following command:

    keytool -genkeypair -v -alias HPLicenseServer -keyalg RSA -keysize 4096 -storetype PKCS12 -keystore HPLicenseServer.p12 -validity 365

  2. Convert the PKCS12 keystore to JKS:

    keytool -importkeystore -srckeystore HPLicenseServer.p12 -srcstoretype PKCS12 -destkeystore HPLicenseServer.jks -deststoretype JKS

Using HTTPS/TLS on HP Anyware License Server

  1. Get a valid certificate along with its private key and save it in the JKS (Java Key Store) format. Ensure that the JKS file's key password (keypass) and keystore password (storepass) are both set and are the same.

  2. Create a new C:\Program Files\HP\certs directory and copy the .jks file into it. To avoid overwriting by future upgrades, do not place the .jks file under C:\Program Files\HP\HP Anyware License Server.

  3. Create an obfuscated password using Flexera's -password option, replacing <password> with yours:

    cd "C:\Program Files\HP\HP Anyware License Server\server"
    java -jar flexnetls.jar -password <password>
    

The output from this command shows the original and the obfuscated passwords. Copy the obfuscated password (including OBF:) for use in the next step.

  4. Configure the Local License Server settings to use the JKS:

    1. Open C:\Program Files\HP\HP Anyware License Server\server\local-configuration.yaml in a text editor.

    2. Edit the following lines, replacing <obfuscated password> with the password you copied in step 3.

      The configuration options are:

          # local-configuration.
      
          # HTTP listening port. Default is 7070. You can bind to an interface with this syntax: '[127.0.0.1].7070'.
          port: 7070

          # HTTPS server mode
          https-in:
            # Set to true to enable
            enabled: true
            # HTTPS listening port
            port: 7071
            # Path to keystore
            keystore-path: C:\Program Files\HP\certs\HPLicenseServer.jks
            # Keystore password. You can obfuscate this with java -jar flexnetls.jar -password your-password-here
            keystore-password: <obfuscated password>
      

      where,

      • port: The HTTP listening port. This is required to run the license server commands internally on the license server host. You can safely block this port externally.

      • https-in/enabled: HTTPS-in enable. Set this to true to enable HTTPS for incoming connections to the license server.

      • https-in/port: HTTPS-in port number. Set this to the HTTPS listening port for the license server.

      • https-in/keystore-path: Set this to the full path for the JKS file used for encryption.

      • https-in/keystore-password: Set this to the keypass/storepass, preferably the obfuscated password you created earlier.

  5. Restart the license server:

    1. Navigate to Services > HP Anyware License Server.

    2. Stop the service and start it again.

  6. Add a rule to allow incoming TCP traffic on port 7071:

    netsh advfirewall firewall add rule name="Allow Port 7071 TCP" dir=in action=allow protocol=TCP localport=7071
    
  7. Verify that you can see the licenses:

    pcoip-list-licenses
    

    If the licenses are visible, the output is similar to the following example:

    ================================================================================
    Name              Count           Version         Type              Expiration    
    ================================================================================
    
    Agent-Graphics    1               2019.0209       CONCURRENT        2019-02-09    
    Agent-Session     1               2019.0209       CONCURRENT        2019-02-09    
    
    Total number of features : 2
    
    
    =======================================================================================
    Feature ID      Feature Name           Feature Version   Feature Count Used/Available
    =======================================================================================
    1               Agent-Graphics                2019.0209            0/1
    2               Agent-Session                 2019.0209            0/1
    =======================================================================================
    
    Device Information:
    
    -------------------------------------------------------------
    Device Name                   Feature Registered(Used Count)
    -------------------------------------------------------------
    =======================================================================================
    
        Total feature count           : 2
        Total feature count used      : 0
        Total uncounted features      : 0
    =======================================================================================
    
  8. Verify that the license server setting in the Connection Manager is configured correctly.

    When using HTTPS, it should be configured as follows (replace <License-Server-IP-or-FQDN> with the IP or FQDN of your license server and <https-listen-port> with the port number you specified in step 5):

    LicenseServerAddress = https://<License-Server-IP-or-FQDN>:<https-listen-port>/request
    
  9. Verify whether Anyware Agents check out licenses:

    1. Move to an Anyware Agent desktop that uses this license server.

    2. Verify that the HP Anyware License Server's firewall is open by opening the following page: https://<License-Server-IP-or-FQDN>:<https-listen-port>/api/1.0/health.

    3. If the page loads, the firewall configuration is correct.

    4. If the page loads but throws a certificate error, then the port is open, but the certificate is invalid; see below for guidance.

    5. If the page does not load, the port is most likely closed.

    6. Verify that Anyware Agent can view license information from the License Server:

    pcoip-validate-license
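
A check of the local-configuration.yaml settings described above, added here as an example (not HP's or Flexera's code): it flags HTTPS left disabled, a keystore password without the OBF: prefix, a keystore stored in the install directory, and an HTTP port not bound to loopback. The parser handles only the two-level key/value layout this file uses, and both sample files, including the names ls.jks and changeit, are constructed.

```python
INSTALL_DIR = r"c:\program files\hp\hp anyware license server"  # path from the page
def parse_two_level(text):
    """Parse 'key: value' lines with one nesting level. Not a general YAML parser."""
    conf, parent = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, _, value = line.strip().partition(":")  # split at the first colon only
        value = value.strip().strip("'\"")
        if line[0] in " \t" and parent is not None:
            conf[parent][key] = value        # indented line: child of last section
        elif value == "":
            parent, conf[key] = key, {}      # 'https-in:' opens a section
        else:
            parent, conf[key] = None, value  # top-level scalar such as 'port'
    return conf

def audit(text):
    """Return findings for the TLS settings this page configures."""
    conf = parse_two_level(text)
    tls = conf["https-in"] if isinstance(conf.get("https-in"), dict) else {}
    findings = []
    if tls.get("enabled", "").lower() != "true":
        findings.append("https-in/enabled is not true: HTTPS is off")
    if not tls.get("keystore-password", "").startswith("OBF:"):
        findings.append("https-in/keystore-password lacks the OBF: prefix")
    if tls.get("keystore-path", "").lower().startswith(INSTALL_DIR):
        findings.append("https-in/keystore-path is in the install directory")
    if not str(conf.get("port", "7070")).startswith("[127.0.0.1]"):
        findings.append("HTTP port not bound to 127.0.0.1: block it externally")
    return findings

# Constructed sample files (not taken from a real server).
WEAK = r"""
port: 7070
https-in:
  enabled: false
  keystore-path: C:\Program Files\HP\HP Anyware License Server\server\ls.jks
  keystore-password: changeit
"""
HARDENED = r"""
port: '[127.0.0.1].7070'
https-in:
  enabled: true
  port: 7071
  keystore-path: C:\Program Files\HP\certs\HPLicenseServer.jks
  keystore-password: OBF:constructed-placeholder
"""
if __name__ == "__main__":
    print(audit(WEAK), audit(HARDENED))
```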
    

Fixing Certificate Validation Error

If the certificate fails to validate, it is likely because the Common Name is incorrect, or the certificate is invalid because it is not issued by a trusted Certificate Authority. If this happens, do the following:

  • Install or import the certificate for Anyware Agents on Linux machines by following the instructions here.

  • Install or import the certificate for Anyware Agents on Windows machines by following the instructions here.
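
The health-page check from the agent verification step and the causes listed under Fixing Certificate Validation Error, as an added Python example (not HP's tooling): it connects to the HTTPS port with full chain and hostname verification and reports whether the port is closed, the certificate name does not match, or the issuer is untrusted. The function names and the default port 7071 (taken from the configuration above) are assumptions of this example.

```python
import socket
import ssl
import sys

# OpenSSL X509_V_ERR_* verify codes, grouped by the causes named on this page.
NAME_MISMATCH = {62, 64}       # hostname / IP address not in the certificate
UNTRUSTED = {18, 19, 20, 21}   # self-signed, or issuer missing from trust store
EXPIRED = {9, 10}              # not yet valid / past its validity window

def classify(exc):
    """Map a connection result (None = success) to the outcomes in the verification step."""
    if exc is None:
        return "ok: port open, certificate validates"
    if isinstance(exc, ssl.SSLCertVerificationError):
        code = getattr(exc, "verify_code", None)
        if code in NAME_MISMATCH:
            cause = "certificate name does not match the address used"
        elif code in UNTRUSTED:
            cause = "issuer is not trusted on this machine"
        elif code in EXPIRED:
            cause = "certificate is outside its validity period"
        else:
            cause = "verification failed"
        detail = getattr(exc, "verify_message", "")
        return f"cert-error: port open, {cause} ({detail})"
    if isinstance(exc, ssl.SSLError):
        return f"tls-error: port open, handshake failed ({exc})"
    if isinstance(exc, (ConnectionRefusedError, TimeoutError, socket.timeout)):
        return "closed: no listener reachable, check the firewall rule"
    return f"unreachable: {exc}"

def probe(host, port=7071, cafile=None, timeout=5.0):
    """Handshake with chain and hostname verification left enabled.
    cafile: optional PEM bundle holding the internal CA or self-signed cert."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return classify(None)
    except OSError as exc:
        return classify(exc)

if __name__ == "__main__":
    # Usage: python probe.py <License-Server-IP-or-FQDN> <https-listen-port>
    print(probe(sys.argv[1], int(sys.argv[2])))
```

Run it from an Anyware Agent desktop with the same address the agent is configured to use, since a name mismatch depends on whether the certificate covers that exact IP or FQDN.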