Security Considerations

  Warning: Follow your organization's security policy

For all security and certificate procedures, ensure you follow your organization’s security policy.

Agent and Broker Certificate Validation

  Warning: Enable validation of certificate files

For production deployments, Teradici strongly recommends enabling validation of the certificate files presented by the PCoIP agents and the broker.

For a system using a PCoIP broker, Teradici recommends the following:

  Caution: Configure the agents and broker to present the certificate chain

Ensure the agents and the broker are configured to present the complete certificate chain to clients (namely, the PCoIP Connection Manager). If none of the certificate files in the chain are signed by an intermediate or root certificate in the PCoIP Connection Manager’s keystore, certificate validation will fail.

Importing Certificates into the Keystore

To validate the agent and broker certificates, the PCoIP Connection Manager uses the Java system default keystore. The exact location of the keystore will vary depending on your Java installation and system configuration. In the Java home directory, the keystore path is typically:

<java-home>/<jre>/lib/security/cacerts

To import a certificate into the keystore so that the PCoIP Connection Manager can establish trust of the certificate signed by it:

  1. In the PCoIP Connection Manager server, open a command prompt.
  2. Start the Java keytool:
    sudo keytool -importcert -trustcacerts -file <path-to-certificate> -keystore <path-to-keystore> -alias <arbitrary-alias>
  3. When prompted, enter the keystore password.
  4. If the keytool cannot establish trust of the specified certificate, it displays the properties of the certificate followed by a prompt. In this case, verify you are importing the correct certificate and ensure that the certificate’s constraints enable it to be used for certificate verification:

    BasicConstraints:[
      ...
      CA:true
      ...
    ]

  5. At the Trust this certificate? prompt, enter y and press Enter to complete the import.
  6. Verify that you get a confirmation that the certificate was added to the keystore.

  Note: Certificate files do not need to be added to the keystore

Certificate files that the PCoIP Connection Manager and the PCoIP Security Gateway present to clients (namely CMCertificate.pem) do not need to be added to the keystore.

Managing the Keystore

  Warning: Change your default password

Teradici strongly recommends changing the default password and using a password that conforms to your organization’s security policy. Java's default keystore password is 'changeit'.

To list the certificates in the keystore:

keytool -list -v -keystore <path-to-keystore>

To determine whether a particular certificate is already installed to the keystore, it may be easier to search by Subject:

keytool -list -v -keystore <path-to-keystore> | grep "^Owner"

To change the keystore password:

keytool -storepasswd -keystore <path-to-keystore>

To remove a certificate from the keystore:

keytool -delete -alias <alias> -keystore <path-to-keystore>
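
As an added example (not code from the Teradici documentation), the following Python wrapper ties together the import procedure above and the Owner search from this section: it reads the certificate with keytool -printcert, refuses to import anything whose BasicConstraints are not CA:true, skips a certificate whose Subject is already listed in the keystore, and otherwise runs the same keytool -importcert command. The embedded keytool output is constructed sample text, and the -printcert, -list and -storepass options are standard keytool options assumed to be available.

```python
import re
import subprocess

# Constructed sample of `keytool -printcert -v` output (not a real certificate).
SAMPLE_PRINTCERT = """Owner: CN=Example Root CA, O=Example Corp, C=US
Extensions:
#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]
"""

# Constructed sample of `keytool -list -v` output for a keystore with two entries.
SAMPLE_LIST = """Alias name: examplerootca
Owner: CN=Example Root CA, O=Example Corp, C=US
Alias name: brokerintermediate
Owner: CN=Broker Intermediate CA, O=Example Corp, C=US
"""

def is_ca_certificate(printcert_output):
    """True only when the BasicConstraints extension reads CA:true (step 4 of the import)."""
    block = re.search(r"BasicConstraints:\[(.*?)\]", printcert_output, re.S)
    return bool(block) and re.search(r"\bCA:\s*true\b", block.group(1)) is not None

def certificate_owner(printcert_output):
    """Subject of the certificate, taken from keytool's 'Owner:' line."""
    m = re.search(r"^Owner:\s*(.+)$", printcert_output, re.M)
    return m.group(1).strip() if m else None

def keystore_owners(list_output):
    """Subjects already in the keystore, i.e. the 'Owner' lines the page greps for."""
    return [o.strip() for o in re.findall(r"^Owner:\s*(.+)$", list_output, re.M)]

def import_command(cert_path, keystore, alias):
    """The page's step-2 command, with ASCII hyphens before every option."""
    return ["keytool", "-importcert", "-trustcacerts", "-file", cert_path,
            "-keystore", keystore, "-alias", alias]

def import_if_needed(cert_path, keystore, alias, storepass):
    """Run the procedure; the operator still answers the final 'Trust this certificate?' prompt."""
    printcert = subprocess.run(["keytool", "-printcert", "-v", "-file", cert_path],
                               capture_output=True, text=True, check=True).stdout
    if not is_ca_certificate(printcert):
        raise ValueError("BasicConstraints is not CA:true; not importing as a trust anchor")
    listing = subprocess.run(["keytool", "-list", "-v", "-keystore", keystore, "-storepass", storepass],
                             capture_output=True, text=True, check=True).stdout
    if certificate_owner(printcert) in keystore_owners(listing):
        return False  # already trusted; nothing to do
    subprocess.run(import_command(cert_path, keystore, alias) + ["-storepass", storepass], check=True)
    return True
```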

PCoIP Connection Manager Supported TLS Cipher Suites

The PCoIP Connection Manager supports the following cipher suites for the TLS connections from the PCoIP client, to the connection broker, and to the PCoIP Agent (in decreasing order of preference):

Blacklisting Cipher Suites for the PCoIP Client Connections

You can configure the PCoIP Connection Manager to support a subset of the previous cipher suites. The ClientSSLCipherBlackList setting enables you to remove cipher suites from the previous list. For more information, see PCoIP Connection Manager Configuration Settings.

  Note: Changing the ClientSSLCipherBlackList setting updates the cipher suite list

Changing the ClientSSLCipherBlackList and then restarting the PCoIP Connection Manager service causes the SSLCipherSuite variable in /opt/Teradici/thirdparty/tomcat/conf/server.xml to be updated with the revised cipher suite list. Tomcat uses the ciphers specified in server.xml for all its inbound connections.

Blacklisting Cipher Suites for the Connection Broker and the PCoIP Agent Connections

You can configure the PCoIP Connection Manager to support a subset of the previous cipher suites for connections to the connection broker and to the PCoIP agents. The ServerSSLCipherBlackList setting enables you to remove cipher suites from the previous list. For more information, see PCoIP Connection Manager Configuration Settings.

PCoIP Security Gateway Supported TLS Cipher Suites

The PCoIP Security Gateway supports the following cipher suites for TLS connections, in decreasing order of preference:

You can configure the PCoIP Security Gateway to support a subset of the previous cipher suites. The SSLCipherBlackList setting enables removing cipher suites from the previous list. For more information, see PCoIP Connection Manager Configuration Settings.

© 2017 Teradici Corporation. All rights reserved. TER1502010/B