Configuration Guide

You can configure the Remote Workstation Card Agent for Linux, and optimize the PCoIP broker protocol for security, licensing and messaging behavior by adjusting configuration directives found in /etc/pcoip-agent/pcoip-agent.conf.

For detailed information and descriptions about each setting, see Configurable Settings. You can also consult the man pages for pcoip-agent.conf:

man pcoip-agent.conf

Only the settings documented here apply to the Remote Workstation Card Agent for Linux

The Remote Workstation Card Agent for Linux man pages document additional configuration settings, beyond those described here.

These additional settings apply to virtual machine instances and have no effect on Remote Workstation Card systems. Only the settings described here apply to the Remote Workstation Card.

Applying Configuration Changes

To set or change a configuration value, add or modify directives in pcoip-agent.conf. Place one directive on each line, in this format:

directive.name = <value>

Example

To enable disclaimer authentication, add pcoip.enable_disclaimer_auth = 1 to pcoip-agent.conf and save the file. If you prefer a customized disclaimer message, you must additionally create the message in a file called en_us.txt and save it in /etc/pcoip-agent/disclaimers/.

Configurable Settings

The following settings can be configured on the Remote Workstation Card Agent for Linux.

Enable Disclaimer Authentication

| Directive | Options | Default |
| --- | --- | --- |
| pcoip.enable_disclaimer_auth | 0 (off), 1 (on) | Off |

This setting takes effect when you start the next session. When this setting is enabled, users connecting via direct connect are presented with a disclaimer before user authentication. If the disclaimer is rejected, the user will not be able to connect.

Disclaimer files must be placed in /etc/pcoip-agent/disclaimers/ and must be readable by the "pcoip" system user. Files must be named according to the locale, e.g. en_US.txt for en_US, ko_KR.txt for ko_KR, etc. If a file matching the negotiated locale is not present, en_US will be used as a fallback. If disclaimer text cannot be found, a blank disclaimer will be presented.

License server URL

| Directive | Options | Default |
| --- | --- | --- |
| pcoip.license_server_path | string (up to 511 characters) | |

This setting takes effect when you start the next session. This policy sets the license server path. Enter the license server path in https://address:port/request or http://address:port/request format.

PCoIP Security Certificate Settings

| Directive | Options | Default |
| --- | --- | --- |
| pcoip.ssl_cert_type | 1—From certificate storage; 2—Generate a unique self-signed certificate; 0—From certificate storage if possible, otherwise generate | |
| pcoip.ssl_cert_min_key_length | 1024—1024 bits; 2048—2048 bits; 3072—3072 bits; 4096—4096 bits | |

This setting takes effect when you start the next session. A certificate is used to secure PCoIP related communications. The way PCoIP components choose a certificate is based on the certificate type and the key length. Without a certificate being generated or selected, a PCoIP Session cannot be established.

Depending on the value chosen for the option 'How the PCoIP agent chooses the certificate...' and the availability of appropriate certificates, PCoIP components may acquire a CA signed certificate from certificate storage or generate an in-memory self-signed certificate.

In order for a CA signed certificate to be loadable by PCoIP components, it must be stored at /etc/pcoip-agent/ssl-certs in three .pem files, owned by the pcoip user, only readable by the owning user.

  • pcoip-key.pem must contain an unlocked RSA key
  • pcoip-cert.pem must contain a certificate that signs the key in pcoip-key.pem
  • pcoip-cacert.pem must contain a CA certificate chain that validates the certificate in pcoip-cert.pem.

Note: Self-signed certificates are 3072 bits long.

Select a minimum key length (in bits) for a CA signed certificate. Longer length certificates will require more computing resources and may reduce performance, but will increase security. Shorter length certificates will provide better performance at the cost of lower security.

Note: Please refer to Teradici documentation for instructions on creating and deploying certificates.
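A pre-flight check for the certificate store rules above, as an added example that is not part of the Teradici documentation or tooling. It checks file presence, ownership, permission bits and that the key is not passphrase-protected; it does not verify key length or that the certificate, key and chain match. Function names are illustrative, and the placeholder files it can write are constructed.

```python
import os
import pwd
import stat

CERT_DIR = "/etc/pcoip-agent/ssl-certs"  # location given in this guide
EXPECTED = {  # file name -> text its PEM BEGIN line must contain
    "pcoip-key.pem": "PRIVATE KEY-----",
    "pcoip-cert.pem": "BEGIN CERTIFICATE-----",
    "pcoip-cacert.pem": "BEGIN CERTIFICATE-----",
}

def pem_headers(text):
    # BEGIN lines plus the legacy "Proc-Type: 4,ENCRYPTED" header of locked keys.
    return [ln for ln in text.splitlines() if ln.startswith(("-----BEGIN", "Proc-Type:"))]

def check_cert_store(cert_dir=CERT_DIR, owner_uid=None):
    """Return a list of problems; empty means the files meet the stated rules."""
    if owner_uid is None:
        owner_uid = pwd.getpwnam("pcoip").pw_uid  # KeyError if the user is absent
    problems = []
    for name, marker in EXPECTED.items():
        path = os.path.join(cert_dir, name)
        try:
            st = os.stat(path)
            with open(path, encoding="ascii", errors="replace") as fh:
                text = fh.read()
        except OSError as exc:
            problems.append(f"{name}: {exc.strerror}")
            continue
        if st.st_uid != owner_uid:
            problems.append(f"{name}: not owned by the pcoip user")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"{name}: group or others have access")
        if not any(marker in h for h in pem_headers(text)):
            problems.append(f"{name}: expected PEM block not found")
        elif name == "pcoip-key.pem" and any("ENCRYPTED" in h for h in pem_headers(text)):
            problems.append(f"{name}: key is passphrase-protected, must be unlocked")
    return problems

def write_constructed_store(cert_dir, key_header="-----BEGIN RSA PRIVATE KEY-----"):
    """Write placeholder files (constructed, no real key material) for a dry run."""
    for name in EXPECTED:
        header = key_header if name == "pcoip-key.pem" else "-----BEGIN CERTIFICATE-----"
        path = os.path.join(cert_dir, name)
        with open(path, "w") as fh:
            fh.write(header + "\n(placeholder)\n")
        os.chmod(path, 0o600)
```

Run `check_cert_store()` as root on the workstation; pass `owner_uid` explicitly when testing against a scratch directory.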

PCoIP Security Settings

| Directive | Options | Default |
| --- | --- | --- |
| pcoip.tls_security_mode | 0—Maximum Compatibility | |
| pcoip.tls_cipher_blacklist | string (up to 1023 characters) | |

This setting takes effect when you start the next session. Controls the cryptographic cipher suites and encryption ciphers used by PCoIP endpoints.

The endpoints negotiate the actual cryptographic cipher suites and encryption ciphers based on the settings configured here. Newer versions of TLS and stronger cipher suites will be preferred during negotiation between endpoints.

If this setting is not configured or disabled, the TLS Security Mode will be set to Maximum Compatibility.

TLS Security Mode

Maximum Compatibility offers TLS 1.1, 1.2 and a range of cipher suites including those that support Perfect Forward Secrecy (PFS) and SHA-1. Supported cipher suites:

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_AES_256_GCM_SHA384

Blacklisted Cipher Suites

Provides the ability to block specific cipher suites from being offered during negotiation. Must be entered as a semicolon-separated list of cipher suites.

PCoIP event log verbosity

| Directive | Range | Increment | Default |
| --- | --- | --- | --- |
| pcoip.event_filter_mode | 0 – 3 | 1 | 2 |

This setting takes effect immediately. Configures the PCoIP event log verbosity ranging from 0 (least verbose) to 3 (most verbose).

Proxy Access to a remote License Server

| Directive | Options | Range | Increment | Default |
| --- | --- | --- | --- | --- |
| pcoip.license_proxy_server | string (up to 511 characters) | | | |
| pcoip.license_proxy_port | | 0 – 65535 | 1 | |

This setting takes effect when you start the next session. If a proxy is required to access a local License Server or the Cloud License Server, enter those parameters here. These parameters are loaded only during agent startup.

X server remote access

| Directive | Options | Default |
| --- | --- | --- |
| pcoip.allow_x_remoting | 0 (off), 1 (on) | |

This setting takes effect when you restart the agent. Configuring this allows you to enable or disable remote access to the X server run by the PCoIP Agent. When not configured, remote access is disabled by default.
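A linter for pcoip-agent.conf that checks each directive against the options, ranges and lengths listed in the settings above, as an added example that is not part of the agent or its documentation. It also flags values that are valid but the weaker choice (plain HTTP license URL, 1024-bit minimum key length, X remoting enabled). The `#` comment handling is an assumption, and the sample configuration is constructed.

```python
import re

def in_range(lo, hi):
    return lambda v: v.isdecimal() and lo <= int(v) <= hi

RULES = {  # directive -> regex or predicate, from the option tables in this guide
    "pcoip.enable_disclaimer_auth": r"[01]",
    "pcoip.license_server_path": r"(?=.{1,511}$)https?://\S+:\d+/request",
    "pcoip.ssl_cert_type": r"[012]",
    "pcoip.ssl_cert_min_key_length": r"1024|2048|3072|4096",
    "pcoip.tls_security_mode": r"\d+",  # the guide lists only mode 0
    "pcoip.tls_cipher_blacklist": r"(?=.{1,1023}$)[\w-]+(\s*;\s*[\w-]+)*",
    "pcoip.event_filter_mode": r"[0-3]",
    "pcoip.license_proxy_server": r".{1,511}",
    "pcoip.license_proxy_port": in_range(0, 65535),
    "pcoip.allow_x_remoting": r"[01]",
}
WEAK = {  # documented values that are the weaker choice; flagged, not rejected
    "pcoip.license_server_path": r"http://.*",
    "pcoip.ssl_cert_min_key_length": r"1024",
    "pcoip.allow_x_remoting": r"1",
}
SAMPLE = """\
# constructed sample, not taken from a real deployment
pcoip.license_server_path = http://licenses.example.internal:7070/request
pcoip.ssl_cert_min_key_length = 2000
pcoip.tls_cipher_blacklist = TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_AES_256_GCM_SHA384
pcoip.license_proxy_port = 70000
pcoip.event_filter_mode 3
"""

def lint(text):
    """Return (line number, level, message) for each questionable line."""
    out = []
    for n, raw in enumerate(text.splitlines(), 1):
        name, sep, value = (p.strip() for p in raw.partition("="))
        if not name or name.startswith("#"):  # assumption: '#' marks a comment
            continue
        rule = RULES.get(name)
        if not sep:
            out.append((n, "error", "expected 'directive.name = <value>'"))
        elif rule is None:
            out.append((n, "warn", f"{name}: not documented in this guide"))
        elif not (rule(value) if callable(rule) else re.fullmatch(rule, value)):
            out.append((n, "error", f"{name}: {value!r} is not a documented value"))
        elif name in WEAK and re.fullmatch(WEAK[name], value):
            out.append((n, "warn", f"{name}: {value!r} is the weaker documented option"))
    return out
```

On a workstation, pass the contents of /etc/pcoip-agent/pcoip-agent.conf to `lint()` before starting the next session.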