Preparing Security Certificates
To ensure that communications between Anyware Connector and external entities are trusted and secured, the following certificates are required:
- A certificate for establishing the LDAPS connection from the Connector to Active Directory; typically this is the Domain Controller (DC) certificate.
- A certificate for the Connector, so that PCoIP clients can establish an HTTPS connection to the Connector for login.
- A certificate for Anyware Manager, so that the Connector can establish an HTTPS connection to a locally installed Anyware Manager.
For testing purposes, there are options to bypass some of them; however, it is recommended to have all of them for production use.
Domain Controller Certificates
Configuring ldaps-ca-cert Flag
A Domain Controller certificate is required for secure and trusted communication with Active Directory over LDAPS. By default, the certificate is signed by a private Certificate Authority (CA). However, for the Connector to validate the certificate and communicate securely with Active Directory, the certificate should be signed by a public CA. If verifying the Active Directory certificate is required, use the --ldaps-ca-cert flag to pass the Active Directory root certificate; where validating the certificate is not required, use the --ldaps-insecure flag to skip verification.
Anyware Connector runs with the following supported Domain Controller servers:
- Windows 2016 Server with secure LDAP (LDAPS) enabled.
- Windows 2012 R2 Server with secure LDAP (LDAPS) enabled.
- Windows 2019 Server with secure LDAP (LDAPS) enabled.
It is recommended to provide the Domain Controller's or the domain's root certificate. Alternatively, you can provide the public certificate of the Domain Controller's leaf certificate instead; note that a leaf certificate is valid for a shorter time (such as 1 year) than the CA certificate, which is usually valid for 5 years. For more information, see How to create and install a self-signed certificate on a Windows 2016 Active Directory server to enable LDAPS.
If you don't have the CA cert, you can get the leaf certificate by running the following command:
# Connect to the LDAPS port, keep only the server (leaf) certificate and save it as PEM
openssl s_client -connect domain-controller.domain.com:636 </dev/null | openssl x509 -outform PEM > dc-leaf.pem
domain-controller.domain.com is the Domain Controller's fully qualified domain name and 636 is the LDAPS port. Redirecting stdin from /dev/null makes s_client exit after the handshake instead of waiting for input, and piping through openssl x509 writes only the leaf certificate, in the single-certificate PEM form the Connector expects, to dc-leaf.pem.
Configuring ldaps-insecure Flag
LDAPS with a root certificate is the recommended way to use Anyware Connector. This way, communication from the Connector to Active Directory is done over a secure TLS connection. If you do not wish to install the CA cert, or want to skip certificate verification for testing purposes, you can use the --ldaps-insecure flag. This flag establishes an encrypted connection between the Connector and Active Directory; however, the Active Directory certificate is not validated.
Configuring enable-plaintext-ldap Flag
For non-production environments, LDAP can be used instead of LDAPS to avoid setting up certificates. LDAP is not a secure protocol: messages between the Connector and Active Directory are sent in plain text.
To enable LDAP mode, use the --enable-plaintext-ldap flag.
Domain Controller Certificates Expiry
When all the LDAPS certificates expire, the Connector stops working and displays an error message on the Connectors page. In addition, when a Connector has a certificate that is less than a week away from expiring, a warning message detailing the current state of the certificates is displayed on the same page.
Connector TLS Certificate
A Connector TLS certificate is required for a secure and trusted connection between PCoIP clients and Anyware Connector. You can bypass this using the --insecure flag, which generates a self-signed certificate and key for the Connector. However, PCoIP clients then receive an insecure-connection warning when establishing a connection, so this is recommended strictly for testing purposes. For production use, you should assign a TLS certificate to the Connector during installation. This prevents insecure-connection errors when connecting to Anyware Connector. Anyware Manager is not affected by this certificate.
Anyware Manager Certificate
An Anyware Manager certificate may be required; it is provided using the --manager-ca-cert flag for a secure and trusted connection from the Connector to the Manager.
You don't need to provide the Anyware Manager certificate if:
- You are using Anyware Manager, as it uses a certificate signed by a public CA.
- You are using a trusted TLS certificate signed by a public CA when connecting to Anyware Manager.
If Anyware Manager is installed with a self-signed certificate, or with a certificate signed by a public CA that is not trusted by the Connector, you need to provide the Anyware Manager certificate unless the --manager-insecure flag is used to skip certificate validation for testing purposes.
For more information on supported certificate file format, see
Expected Certificate File
The certificate supported by the Connector has certain requirements. They are as follows:
The Anyware Connector supports a certificate file in the following form:
- A certificate in the PEM format, as shown below:
-----BEGIN CERTIFICATE-----
base64encodedcertdata
-----END CERTIFICATE-----
- A certificate file including only a single certificate. For example:
  - A single self-signed certificate
  - A root CA certificate
  - A single leaf certificate that is signed by an existing root CA
The Anyware Connector doesn't support a certificate file in the following form:
- A certificate bundle that includes multiple certificates, such as root, intermediate, and leaf certificates.
- A leaf certificate signed by a different root CA, or by a root CA that the Connector does not trust.
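As an added example (not part of the Anyware Connector documentation), the following POSIX shell script performs the pre-flight checks implied by the sections above: it captures a Domain Controller leaf certificate the way the openssl s_client command under Configuring ldaps-ca-cert does, checks that a file destined for --ldaps-ca-cert or --manager-ca-cert contains exactly one parseable PEM certificate rather than a bundle, flags a certificate that expires within the one-week warning window described under Domain Controller Certificates Expiry, and verifies that a leaf chains to the root CA the Connector will be given. The host name dc01.example.test, the CN values and the throwaway CA and leaf produced by make_samples are constructed sample material; fetch_leaf_cert is a convenience wrapper that needs a live LDAPS endpoint and is not exercised offline.

```shell
#!/bin/sh
# Added example: pre-flight checks for certificate files given to the Connector.
# Not taken from the Anyware Connector project; all sample certificates are constructed here.
set -eu

# Capture the leaf certificate from an LDAPS endpoint into a single-certificate PEM file.
# Assumes a reachable host; not run offline.
fetch_leaf_cert() {
  host="$1"; port="${2:-636}"; out="$3"
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$out"
}

# Number of PEM certificates in a file (the Connector accepts exactly one).
cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Check that a file meets the documented requirements: exactly one PEM certificate,
# parseable by openssl, and not expiring within the next 7 days (604800 s), which is
# the window in which the Connectors page starts warning. Returns 0 when all pass.
check_cert_file() {
  file="$1"
  n=$(cert_count "$file")
  if [ "$n" -ne 1 ]; then
    echo "$file: expected exactly one certificate, found $n (bundles are not supported)" >&2
    return 1
  fi
  if ! openssl x509 -in "$file" -noout >/dev/null 2>&1; then
    echo "$file: not a valid PEM certificate" >&2
    return 1
  fi
  # -checkend N exits non-zero if the certificate expires within N seconds.
  if ! openssl x509 -in "$file" -noout -checkend 604800 >/dev/null; then
    echo "$file: certificate expires within 7 days" >&2
    return 1
  fi
  openssl x509 -in "$file" -noout -subject -issuer -enddate
}

# Verify that a leaf certificate chains to the root CA file ($1 = CA, $2 = leaf).
verify_leaf_against_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed sample material: a throwaway root CA, a DC leaf it signs, a bundle of
# both (unsupported by the Connector) and a certificate that expires within a day.
make_samples() {
  dir="$1"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Example Root CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=dc01.example.test" \
    -keyout "$dir/dc.key" -out "$dir/dc.csr" >/dev/null 2>&1
  openssl x509 -req -in "$dir/dc.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -out "$dir/dc.pem" >/dev/null 2>&1
  cat "$dir/ca.pem" "$dir/dc.pem" > "$dir/bundle.pem"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=expiring" \
    -keyout "$dir/short.key" -out "$dir/short.pem" >/dev/null 2>&1
}

# Usage: run the checks against the constructed samples (a real run would point
# check_cert_file at the file you intend to pass with --ldaps-ca-cert).
if [ "${1:-}" = "demo" ]; then
  work=$(mktemp -d)
  make_samples "$work"
  check_cert_file "$work/ca.pem"
  check_cert_file "$work/dc.pem"
  check_cert_file "$work/bundle.pem" || echo "bundle.pem rejected as expected"
  check_cert_file "$work/short.pem" || echo "short.pem rejected as expected"
  verify_leaf_against_ca "$work/ca.pem" "$work/dc.pem" && echo "dc.pem chains to ca.pem"
fi
```

Run it as `sh check-certs.sh demo` to see the accepted and rejected cases; in practice, point check_cert_file at the root CA file you intend to pass with --ldaps-ca-cert or --manager-ca-cert, and use verify_leaf_against_ca to confirm that the certificate the Domain Controller actually presents chains to it before installing the Connector.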