Warning: Follow your organization's security policy
For all security and certificate procedures, ensure you follow your organization's security policy.
Warning: Enable validation of certificate files
For production deployments, Teradici strongly recommends enabling validation of the certificate files presented by PCoIP agents and the broker.
For a system using a PCoIP broker, Teradici recommends the following. In /etc/ConnectionManager.conf, enter:
AgentCertCheck = true
BrokerCertCheck = true
Caution: Configure the agents and broker to present the certificate chain
Ensure the agents and the broker are configured to present the complete certificate chain to clients (namely, the PCoIP Connection Manager). If none of the certificates in the chain is signed by an intermediate or root certificate in the PCoIP Connection Manager's keystore, certificate validation will fail.
To validate the agent and broker certificates, the PCoIP Connection Manager uses the Java system default keystore. The exact location of the keystore will vary depending on your Java installation and system configuration. Relative to the Java home directory, the keystore path is typically:
<java-home>/<jre>/lib/security/cacerts
To import a CA certificate into the keystore so that the PCoIP Connection Manager trusts certificates signed by it:
sudo keytool -importcert -trustcacerts -file <path-to-certificate> -keystore <path-to-keystore> -alias <arbitrary-alias>
BasicConstraints:[
...
CA:true
...
]
Note: Certificate files do not need to be added to the keystore
Certificate files that the PCoIP Connection Manager
Warning: Change your default password
Java's default keystore password is 'changeit'. Teradici strongly recommends changing the default password and using a password that conforms to your organization's security policy.
To list the certificates in the keystore:
keytool -list -v -keystore <path-to-keystore>
To determine whether a particular certificate is already installed in the keystore, it may be easier to search by Subject (shown as the Owner line):
keytool -list -v -keystore <path-to-keystore> | grep "^Owner"
To change the keystore password:
keytool -storepasswd -keystore <path-to-keystore>
To remove a certificate from the keystore:
keytool -delete -alias <alias> -keystore <path-to-keystore>
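The listing and Subject search above tell you whether an entry exists, but not whether it can actually anchor the agent or broker chain: only a trusted CA entry whose BasicConstraints extension shows CA:true will do. The following is an added example (not Teradici's code) that parses the text of keytool -list -v, finds entries by Subject, flags entries that cannot serve as trust anchors, and builds the import command with the flags used on this page. The keystore listing embedded in it is a constructed sample, and the aliases, subjects and paths are placeholders.

```python
"""Audit a Java keystore listing for the CA certificates the PCoIP Connection
Manager needs to validate agent and broker certificate chains.

Input is the text printed by `keytool -list -v -keystore <path>`; the sample
below is constructed for this example, not captured from a real host."""
import re
from dataclasses import dataclass

# Constructed sample of `keytool -list -v` output, abbreviated to the fields this
# audit needs. Two entries: a proper root CA and a leaf certificate that was
# imported by mistake.
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: corp-root-ca
Creation date: Jan 4, 2021
Entry type: trustedCertEntry

Owner: CN=Corp Root CA, O=Example Corp, C=US
Issuer: CN=Corp Root CA, O=Example Corp, C=US
Serial number: 1a2b3c
Valid from: Mon Jan 04 00:00:00 UTC 2021 until: Fri Jan 01 00:00:00 UTC 2031
Signature algorithm name: SHA256withRSA
Version: 3

Extensions: 

#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]


*******************************************
*******************************************


Alias name: broker-leaf
Creation date: Feb 1, 2021
Entry type: trustedCertEntry

Owner: CN=broker.example.com, O=Example Corp, C=US
Issuer: CN=Corp Issuing CA, O=Example Corp, C=US
Serial number: 4d5e6f
Valid from: Mon Feb 01 00:00:00 UTC 2021 until: Tue Feb 01 00:00:00 UTC 2022
Signature algorithm name: SHA256withRSA
Version: 3

Extensions: 

#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]
"""


@dataclass
class KeystoreEntry:
    alias: str
    owner: str
    issuer: str
    entry_type: str
    is_ca: bool


def parse_keytool_listing(text):
    """Split `keytool -list -v` output into entries and extract the fields that
    matter for trust-anchor validation."""
    entries = []
    # Every entry starts at an "Alias name:" line; chunk 0 is the header.
    for chunk in re.split(r"(?m)^Alias name: ", text)[1:]:
        alias = chunk.split("\n", 1)[0].strip()

        def field_value(name):
            m = re.search(rf"(?m)^{name}: (.*)$", chunk)
            return m.group(1).strip() if m else ""

        # CA:true must appear inside the BasicConstraints block, not anywhere.
        bc = re.search(r"BasicConstraints:\[(.*?)\]", chunk, re.S)
        is_ca = bool(bc and re.search(r"CA:\s*true", bc.group(1)))
        entries.append(KeystoreEntry(alias, field_value("Owner"),
                                     field_value("Issuer"),
                                     field_value("Entry type"), is_ca))
    return entries


def find_by_subject(entries, subject_fragment):
    """Search by Subject (the Owner line), as the grep '^Owner' check does."""
    return [e for e in entries if subject_fragment in e.owner]


def trust_anchor_problems(entries):
    """Map alias -> reason for entries that cannot anchor a certificate chain."""
    problems = {}
    for e in entries:
        if e.entry_type != "trustedCertEntry":
            problems[e.alias] = f"entry type {e.entry_type} is not a trusted certificate"
        elif not e.is_ca:
            problems[e.alias] = "BasicConstraints CA:false; a leaf certificate does not anchor a chain"
    return problems


def import_command(cert_path, keystore_path, alias):
    """argv for importing a CA certificate as a trusted entry. -trustcacerts lets
    keytool consult the cacerts anchors when deciding to trust the new cert."""
    return ["keytool", "-importcert", "-trustcacerts", "-file", cert_path,
            "-keystore", keystore_path, "-alias", alias]


if __name__ == "__main__":
    found = parse_keytool_listing(SAMPLE_LISTING)
    for entry in found:
        print(f"{entry.alias}: {entry.owner} CA={entry.is_ca}")
    print(trust_anchor_problems(found))
```

Run it against real output with keytool -list -v -keystore <path-to-keystore> | python3 audit.py after replacing SAMPLE_LISTING with sys.stdin.read(); an entry reported as CA:false is the usual reason chain validation fails even though the Subject search appeared to succeed.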
The PCoIP Connection Manager supports the following cipher suites for the TLS connections from the PCoIP client, to the connection broker, and to the PCoIP Agent (in decreasing order of preference):
You can configure the PCoIP Connection Manager to support a subset of the previous cipher suites. The ClientSSLCipherBlackList setting enables you to remove cipher suites from the previous list. For more information, see PCoIP Connection Manager Configuration Settings.
Note: Changing the ClientSSLCipherBlackList setting updates the cipher suite list
Changing the
You can configure the PCoIP Connection Manager to support a subset of the previous cipher suites for connections to the connection broker and to the PCoIP agents. The ServerSSLCipherBlackList setting enables you to remove cipher suites from the previous list. For more information, see PCoIP Connection Manager Configuration Settings.
The PCoIP Security Gateway supports the following cipher suites for TLS connections, in decreasing order of preference:
You can configure the PCoIP Security Gateway to support a subset of the previous cipher suites. The SSLCipherBlackList setting enables you to remove cipher suites from the previous list. For more information, see PCoIP Connection Manager Configuration Settings.
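The two settings this page asks you to verify by hand (the certificate checks in /etc/ConnectionManager.conf and the cipher suite blacklists) are easy to get subtly wrong: a check left unset is as bad as one set to false, a misspelled suite name in a blacklist silently removes nothing, and a blacklist that covers the whole list leaves no suite to negotiate. The following is an added example (not Teradici's code) that parses a ConnectionManager.conf, reports those conditions, and shows the effective preference-ordered suite list after each blacklist is applied. It assumes the Key = value line format shown on this page, assumes the blacklist settings hold a comma-separated list of suite names, and uses constructed placeholder suite lists in place of the product's real lists.

```python
"""Audit certificate-validation and cipher-suite settings in a PCoIP
Connection Manager configuration file.

Assumptions (not from the product documentation): `Key = value` lines with '#'
comments, blacklist values as comma-separated suite names, and the
preference-ordered suite lists below, which are placeholders constructed for
this example rather than Teradici's actual lists."""

# Constructed stand-ins for the preference-ordered suite lists.
CLIENT_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]
SERVER_SUITES = list(CLIENT_SUITES)

# Constructed sample configuration: one certificate check left unsafe, a client
# blacklist that drops the non-forward-secret suites, and a server blacklist
# containing a typo that matches nothing.
SAMPLE_CONF = """\
# PCoIP Connection Manager configuration (constructed sample)
AgentCertCheck = true
BrokerCertCheck = false
ClientSSLCipherBlackList = TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA
ServerSSLCipherBlackList = TLS_RSA_WITH_AES_128_CBC_SHA, TLS_NOT_A_REAL_SUITE
"""


def parse_conf(text):
    """Parse `Key = value` lines; '#' lines are comments; a repeated key wins last."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def is_true(value):
    return value is not None and value.strip().lower() == "true"


def cert_check_findings(settings):
    """Both checks must be explicitly true. An absent or false value means the
    Connection Manager accepts whatever certificate the agent or broker presents."""
    findings = []
    for key in ("AgentCertCheck", "BrokerCertCheck"):
        if not is_true(settings.get(key)):
            findings.append(f"{key} is {settings.get(key, 'unset')}; set {key} = true")
    return findings


def split_list(value):
    return [s.strip() for s in (value or "").split(",") if s.strip()]


def effective_suites(preference_list, blacklist_value):
    """Apply a *BlackList setting: drop the listed suites, keep the original
    preference order. Returns (remaining suites, blacklist names matching nothing)."""
    blocked = set(split_list(blacklist_value))
    remaining = [s for s in preference_list if s not in blocked]
    unknown = sorted(blocked - set(preference_list))
    return remaining, unknown


def audit(text):
    """Full report for one configuration file's text."""
    settings = parse_conf(text)
    report = {"cert_checks": cert_check_findings(settings)}
    for key, suites in (("ClientSSLCipherBlackList", CLIENT_SUITES),
                        ("ServerSSLCipherBlackList", SERVER_SUITES)):
        remaining, unknown = effective_suites(suites, settings.get(key))
        report[key] = {"effective": remaining, "unknown": unknown,
                       "all_removed": not remaining}
    return report


if __name__ == "__main__":
    for section, result in audit(SAMPLE_CONF).items():
        print(section, result)
```

Point it at the real file with audit(open("/etc/ConnectionManager.conf").read()) once the placeholder suite lists are replaced with the lists from the product documentation; an "unknown" name in the report is the typo that would otherwise leave a weak suite enabled.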