Configuring the PCoIP Agent

You can configure the PCoIP agent, and optimize PCoIP protocol behavior for local network conditions, by adjusting configuration directives found in /etc/pcoip-agent/pcoip-agent.conf.

You can find detailed information and descriptions about each setting in the next section. You can also consult the man pages for pcoip-agent.conf:

man pcoip-agent.conf

Only the settings documented here apply to the Remote Workstation Card Agent for Linux

The Remote Workstation Card Agent for Linux man pages document additional configuration settings, beyond those described here. These additional settings apply to virtual machine instances and have no effect on Remote Workstation Card systems. Only the settings described here apply to the Remote Workstation Card.

Applying Configuration Changes

To set or change a configuration value, add or modify directives in pcoip-agent.conf. Place one directive on each line, in this format:

directive.name = <value>

A complete list of configurable values is shown next in Configurable Settings.

Configurable Settings

The following settings can be configured on the Remote Workstation Card Agent for Linux. Refer to Configuring the PCoIP agent to understand how to modify these settings.

License server URL

| Directive | Options | Default |
|---|---|---|
| pcoip.license_server_path | string (up to 511 characters) | |

This setting takes effect when you start the next session. This policy sets the license server path. Enter the license server path in 'https://address:port/request' or 'http://address:port/request' format.

PCoIP Security Certificate Settings

| Directive | Options | Default |
|---|---|---|
| pcoip.ssl_cert_type | 1: From certificate storage | |
| | 2: Generate a unique self-signed certificate | |
| | 0: From certificate storage if possible, otherwise generate | |
| pcoip.ssl_cert_min_key_length | 1024: 1024 bits | |
| | 2048: 2048 bits | |
| | 3072: 3072 bits | |
| | 4096: 4096 bits | |

This setting takes effect when you start the next session. A certificate is used to secure PCoIP related communications. The way PCoIP components choose a certificate is based on the certificate type and the key length. Without a certificate being generated or selected, a PCoIP Session cannot be established.

Depending on the value chosen for the option 'How the PCoIP agent chooses the certificate...' (pcoip.ssl_cert_type) and on the availability of appropriate certificates, PCoIP components either acquire a CA-signed certificate from certificate storage or generate an in-memory self-signed certificate.

For PCoIP components to load a CA-signed certificate, it must be stored in /etc/pcoip-agent/ssl-certs as three .pem files, each owned by the pcoip user and readable only by that user:

  • pcoip-key.pem must contain an unlocked RSA key

  • pcoip-cert.pem must contain a certificate that signs the key in pcoip-key.pem

  • pcoip-cacert.pem must contain a CA certificate chain that validates the certificate in pcoip-cert.pem.
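
The storage requirements above can be checked before the next session starts. This added example (not Teradici's code) verifies the presence, ownership and permissions of the three files and that the key is not passphrase-protected; it does not verify that the certificate matches the key or that the chain validates. The function names are this example's own, and the locked-key test relies on the standard PEM markers for encrypted keys.

```python
import os
import stat

CERT_DIR = "/etc/pcoip-agent/ssl-certs"
REQUIRED = ("pcoip-key.pem", "pcoip-cert.pem", "pcoip-cacert.pem")


def key_is_locked(pem_text):
    """True if the PEM private key is passphrase-protected (the agent needs it unlocked)."""
    return ("BEGIN ENCRYPTED PRIVATE KEY" in pem_text
            or "Proc-Type: 4,ENCRYPTED" in pem_text)


def check_cert_store(cert_dir, owner_uid):
    """Return a list of findings; an empty list means the layout matches the page."""
    findings = []
    for name in REQUIRED:
        path = os.path.join(cert_dir, name)
        try:
            st = os.stat(path)
        except FileNotFoundError:
            findings.append(f"{name}: missing")
            continue
        if st.st_uid != owner_uid:
            findings.append(f"{name}: owned by uid {st.st_uid}, expected {owner_uid}")
        # "Only readable by the owning user": no group/other permission bits at all.
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{name}: mode {stat.S_IMODE(st.st_mode):04o} grants group/other access")
        if not st.st_mode & stat.S_IRUSR:
            findings.append(f"{name}: owner cannot read it")
    key_path = os.path.join(cert_dir, "pcoip-key.pem")
    if os.path.isfile(key_path):
        with open(key_path, errors="replace") as fh:
            pem = fh.read()
        if "PRIVATE KEY-----" not in pem:
            findings.append("pcoip-key.pem: no PEM private key found")
        elif key_is_locked(pem):
            findings.append("pcoip-key.pem: key is passphrase-protected (must be unlocked)")
    return findings


if __name__ == "__main__":  # run as root or as the pcoip user so the key is readable
    import pwd
    for finding in check_cert_store(CERT_DIR, pwd.getpwnam("pcoip").pw_uid) or ["ok"]:
        print(finding)
```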

Note: Self-signed certificates are 3072 bits long.

Select a minimum key length (in bits) for a CA-signed certificate. Longer keys require more computing resources and may reduce performance, but increase security. Shorter keys provide better performance at the cost of lower security.

Note: Please refer to Teradici documentation for instructions on creating and deploying certificates.

PCoIP Security Settings

| Directive | Options | Default |
|---|---|---|
| pcoip.tls_security_mode | 0: Maximum Compatibility | |
| pcoip.tls_cipher_blacklist | string (up to 1023 characters) | |

This setting takes effect when you start the next session. Controls the cryptographic cipher suites and encryption ciphers used by PCoIP endpoints.

The endpoints negotiate the actual cryptographic cipher suites and encryption ciphers based on the settings configured here. Newer versions of TLS and stronger cipher suites will be preferred during negotiation between endpoints.

If this setting is not configured or is disabled, the TLS Security Mode is set to Maximum Compatibility.

TLS Security Mode

Maximum Compatibility offers TLS 1.1 and 1.2 and a range of cipher suites, including those that support Perfect Forward Secrecy (PFS) and SHA-1. Supported cipher suites:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA

Blacklisted Cipher Suites

Blocks specific cipher suites from being offered during negotiation. Enter the value as a semicolon-separated list of cipher suites.

PCoIP event log verbosity

| Directive | Range | Increment | Default |
|---|---|---|---|
| pcoip.event_filter_mode | 0 – 3 | 1 | 2 |

This setting takes effect immediately. Configures the PCoIP event log verbosity ranging from 0 (least verbose) to 3 (most verbose).

Proxy Access to a remote License Server

| Directive | Options | Range | Increment | Default |
|---|---|---|---|---|
| pcoip.license_proxy_server | string (up to 511 characters) | | | |
| pcoip.license_proxy_port | | 0 – 65535 | 1 | |

This setting takes effect when you start the next session. If a proxy is required to access a local License Server or the Cloud License Server, enter those parameters here. These parameters are loaded only during agent startup.

X server remote access

| Directive | Options | Default |
|---|---|---|
| pcoip.allow_x_remoting | 0 (off), 1 (on) | |

This setting takes effect when you restart the agent. Configuring this allows you to enable or disable remote access to the X server run by the PCoIP Agent. When not configured, remote access is disabled by default.
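
As an added example (not part of the Teradici documentation), the script below parses directives in the directive.name = <value> format and reports the security-relevant settings described on this page, including which Maximum Compatibility suites are still offered after the blacklist is applied. It assumes that lines starting with # are comments, that blacklist entries are spelled as in the supported cipher suite list, and that TLS security mode 0 is in effect; the findings reflect this example's own policy, not vendor guidance.

```python
MAX_COMPAT = [  # suites this page lists for TLS security mode 0
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
]
SAMPLE = """\
# constructed sample, not a recommended configuration
pcoip.ssl_cert_type = 0
pcoip.ssl_cert_min_key_length = 1024
pcoip.tls_cipher_blacklist = TLS_RSA_WITH_AES_256_CBC_SHA; TLS_RSA_WITH_AES_128_CBC_SHA
pcoip.allow_x_remoting = 1
"""


def parse_conf(text):
    """Parse 'directive.name = value' lines; treating '#' lines as comments is an assumption."""
    conf = {}
    for line in text.splitlines():
        name, sep, value = line.strip().partition("=")
        if sep and not name.startswith("#"):
            conf[name.strip()] = value.strip()
    return conf


def offered_suites(conf):
    """Mode 0 suites still offered once pcoip.tls_cipher_blacklist is applied."""
    blocked = {s.strip() for s in conf.get("pcoip.tls_cipher_blacklist", "").split(";")}
    return [s for s in MAX_COMPAT if s not in blocked]


def audit(conf):
    """Return (directive, finding) pairs; the thresholds are this example's policy."""
    out = []
    if conf.get("pcoip.ssl_cert_type", "") in ("0", "2"):
        out.append(("pcoip.ssl_cert_type", "a self-signed certificate may be presented"))
    if conf.get("pcoip.ssl_cert_min_key_length") == "1024":
        out.append(("pcoip.ssl_cert_min_key_length", "1024-bit RSA accepted"))
    if conf.get("pcoip.allow_x_remoting") == "1":
        out.append(("pcoip.allow_x_remoting", "X server remote access enabled"))
    for suite in offered_suites(conf):
        if not suite.startswith("TLS_ECDHE_") or suite.endswith("_SHA"):
            out.append(("pcoip.tls_cipher_blacklist", f"{suite} still offered (no PFS or SHA-1)"))
    return out


if __name__ == "__main__":
    print("\n".join(f"{d}: {msg}" for d, msg in audit(parse_conf(SAMPLE))))
```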