Preparing Security Certificates
To ensure that communication between the Anyware Connector and external entities is trusted and secured, the following certificates are required:
- A certificate for establishing the LDAPS connection from the Connector to Active Directory (AD); typically this is the Domain Controller (DC) certificate, or the CA certificate that issued it.
- A certificate for the HTTPS connection from the PCoIP client to the Connector, used for login.
- A certificate for the HTTPS connection from the Connector to a locally installed Anyware Manager.
For testing purposes there are options to bypass some of these checks; for production use all of them should be in place.
Domain Controller Certificates
A Domain Controller certificate is required for secure and trusted communication with Active Directory over LDAPS. By default, the Domain Controller's certificate is issued by a private Certificate Authority (CA) that the Connector does not trust out of the box. For the Connector to validate the certificate and communicate securely with Active Directory, you must give it a certificate it can trust: either the issuing CA certificate or the Domain Controller's own leaf certificate. When configuring the Anyware Connector, the --ldaps-ca-cert flag is required to provide this certificate.
The Anyware Connector supports the following Domain Controller servers, each with secure LDAP (LDAPS) enabled:
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
It is recommended to provide the Domain Controller's CA certificate or the domain's CA certificate. Alternatively, you can provide the public (leaf) certificate of the Domain Controller itself. Note that a leaf certificate is usually valid for a shorter period (for example, one year) than a CA certificate (often five years), so the Connector will need to be updated sooner when the leaf certificate is renewed. For more information, see How to create and install a self-signed certificate on a Windows 2016 Active Directory server to enable LDAPS.
If you don't have the CA certificate, you can retrieve the leaf certificate that the Domain Controller presents, and save it as a single PEM file, with the following command:
openssl s_client -connect domain-controller.domain.com:636 </dev/null 2>/dev/null | openssl x509 -outform PEM > dc-leaf.pem
Here domain-controller.domain.com is the Domain Controller's fully qualified domain name and 636 is the LDAPS port. The certificate that s_client prints is the Domain Controller's leaf certificate; piping it through openssl x509 keeps only that one certificate, which is the form the Connector expects (see Expected Certificate file below).
Domain Controller certificate expiry
When all of the LDAPS certificates provided to the Connector have expired, the Connector stops working and an error message is displayed on the Connectors page. A warning message describing the current state of the certificates is displayed on the same page when a Connector has a certificate that is less than a week away from expiring, so renew and re-supply the certificate before that happens.
Connector TLS Certificate
A Connector TLS certificate is required for a secure and trusted connection between the PCoIP client and the Anyware Connector. You can bypass this requirement with the --insecure flag, which generates a self-signed certificate and key for the Connector. PCoIP clients will then show an insecure-connection warning when they request a connection, so this is recommended strictly for testing purposes.
For production use, assign a TLS certificate issued by a CA that your clients trust to the Connector during installation. This also prevents insecure-connection errors when you open the Anyware Manager or Anyware Manager as a Service interface through your browser.
Anyware Manager Certificate
An Anyware Manager certificate may be required for a secure and trusted connection from the Connector to the Manager; it is supplied with the --manager-ca-cert flag.
You don't need to provide an Anyware Manager certificate if:
- You are using Anyware Manager as a Service.
- Anyware Manager uses a trusted TLS certificate signed by a public CA.
If Anyware Manager is installed with a self-signed certificate, or with a certificate signed by a CA that the Connector does not trust, you must provide the Anyware Manager certificate, unless the --manager-insecure flag is used to skip certificate validation for testing purposes.
For more information on the supported certificate file format, see Expected Certificate file below.
Expected Certificate file
The certificate file supplied to the Connector must meet the following requirements.
The Anyware Connector supports a certificate file in the following form: a single certificate in PEM format, where the file contains exactly one certificate, for example:
- A single self-signed certificate
- A root CA certificate
- A single leaf certificate that is signed by an existing root CA
The PEM file looks like this:
-----BEGIN CERTIFICATE-----
base64encodedcertdata
-----END CERTIFICATE-----
The Anyware Connector does not support a certificate file in the following form:
- A bundle that includes multiple certificates, such as root, intermediate and leaf certificates in one file.
- A leaf certificate issued by a different root CA, or by a root CA that the Connector does not trust.
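The checks described in the sections above, retrieving the Domain Controller's leaf certificate, the one-week expiry warning, and the single-certificate PEM rule, as an added example; this is not code from the Anyware Connector or its installer. It uses only the Python standard library: fetch_leaf_pem wraps ssl.get_server_certificate as the equivalent of the openssl s_client command and needs network access, while everything else works on a file. Because no real certificate can be embedded here, sample_certificate builds a constructed, unsigned stand-in with the X.509 outer layout so the parser can be exercised offline; all function names and the one-week threshold taken from the Connectors page are the only assumptions.

```python
import base64
import datetime as dt
import re
import ssl

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def fetch_leaf_pem(host, port=636):
    """Leaf certificate the LDAPS port presents, as PEM text: the stdlib equivalent
    of `openssl s_client -connect host:636` (needs network; not used offline)."""
    return ssl.get_server_certificate((host, port))


def pem_certificates(text):
    """DER bytes of every certificate block found in PEM text."""
    return [base64.b64decode("".join(m.split())) for m in PEM_BLOCK.findall(text)]


def to_pem(der):
    """Wrap one DER certificate as a single-certificate PEM file body."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def check_single_certificate(text):
    """The Connector's file rule: exactly one PEM certificate, never a bundle."""
    ders = pem_certificates(text)
    if not ders:
        return False, "no PEM certificate block found"
    if len(ders) > 1:
        return False, f"bundle of {len(ders)} certificates; split it and pass one file"
    if ders[0][:1] != b"\x30":
        return False, "block does not decode to a DER SEQUENCE"
    return True, "single PEM certificate"


def split_bundle(text):
    """Each certificate of a bundle as its own single-certificate PEM text."""
    return [to_pem(d) for d in pem_certificates(text)]


def _tlv(buf, off=0):
    """Decode one DER tag-length-value; return (tag, value, offset after it)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                       # long form: low bits = number of length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length


def _time(tag, value):
    """UTCTime (tag 0x17, two-digit year, RFC 5280 pivot at 50) or GeneralizedTime."""
    s = value.decode("ascii")
    if tag == 0x17:
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)


def validity(der):
    """(notBefore, notAfter) of a DER certificate, read by walking tbsCertificate."""
    _, cert, _ = _tlv(der)                  # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert)                  # tbsCertificate
    tag, _, off = _tlv(tbs)                 # [0] version (absent in v1) or serialNumber
    if tag == 0xA0:
        _, _, off = _tlv(tbs, off)          # serialNumber
    _, _, off = _tlv(tbs, off)              # signature AlgorithmIdentifier
    _, _, off = _tlv(tbs, off)              # issuer Name
    _, val, _ = _tlv(tbs, off)              # validity
    t1, nb, off = _tlv(val)
    t2, na, _ = _tlv(val, off)
    return _time(t1, nb), _time(t2, na)


def expiry_status(der, now, warn_days=7):
    """'expired', 'warning' (under a week left, the Connectors page threshold) or 'ok'."""
    not_after = validity(der)[1]
    if now >= not_after:
        return "expired"
    return "warning" if not_after - now < dt.timedelta(days=warn_days) else "ok"


def _der(tag, body):
    """Encode one DER tag-length-value, short or long length form."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def sample_certificate(not_before, not_after):
    """Constructed, UNSIGNED stand-in with the real X.509 outer layout, used only to
    exercise the parser offline; it is not a usable certificate."""
    utc = lambda t: _der(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    tbs = (_der(0xA0, _der(0x02, b"\x02"))                                  # version v3
           + _der(0x02, b"\x01")                                             # serialNumber
           + _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))     # sha256WithRSA
           + _der(0x30, b"") + _der(0x30, utc(not_before) + utc(not_after))  # issuer, validity
           + _der(0x30, b"") + _der(0x30, b""))                              # subject, SPKI
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
```

In practice, run check_single_certificate on the file you intend to pass to --ldaps-ca-cert or --manager-ca-cert, use split_bundle when an administrator hands you a chain export so you can pick the root CA certificate out of it, and run expiry_status against the leaf certificate on a schedule so the one-week warning on the Connectors page never comes as a surprise. The hand-written DER walker reads only the validity field; for anything beyond that, openssl x509 -noout -dates or a full X.509 library is the right tool.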