Security Considerations

All certificate files must be in base64-encoded PEM format.

Follow your organisation's security policy

For all security and certificate procedures, ensure you follow your organisation's security policy.

Agent and Broker Certificate Validation

Enable validation of certificate files

For production deployments, Teradici strongly recommends enabling validation of certificate files presented by PCoIP agents and broker.

In brokered systems, Teradici recommends the following:

  • Install certificate files signed by a trusted certificate authority (CA) onto the agents and broker.

  • Ensure the intermediate or root certificate from the CA is installed in the PCoIP Connection Manager's keystore. See Importing Certificates into the Keystore.

Enabling Certificate Validation

To Enable PCoIP Connection Manager agent and broker certificate validation:

  1. Open /etc/ConnectionManager.conf in a text editor and set the following values:

    AgentCertCheck = true
    BrokerCertCheck = true

  2. Save and close the editor.

  3. Restart the PCoIP Connection Manager to implement the change:

    sudo service connection_manager restart

Configure the agents and broker to present certificate chain

Ensure the agents and the broker are configured to present the complete certificate chain to clients (namely, the PCoIP Connection Manager). If none of the certificate files in the chain is signed by an intermediate or root certificate in the PCoIP Connection Manager's keystore, certificate validation will fail.

Using the PCoIP Connection Manager Keystore

To validate the agent and broker certificates, the PCoIP Connection Manager uses the Java system default keystore. The exact location of the keystore will vary depending on your Java installation and system configuration; in the Java home directory, the keystore path is typically /etc/ssl/certs/java/cacerts.

Importing Certificates Into the Keystore

To import a certificate into the keystore:

  1. On the PCoIP Connection Manager server, open a command prompt.

  2. Start the Java keytool:

    sudo keytool -importcert -trustcacerts -file <path-to-certificate> -keystore <path-to-keystore> -alias <arbitrary-alias>

  3. When prompted, enter the keystore password.

  4. If the keytool cannot establish trust of the specified certificate, it displays the properties of the certificate followed by a prompt. In this case, verify you are importing the correct certificate and ensure that the certificate's constraints enable it to be used for certificate verification:

    BasicConstraints:[
    ...
    CA:true
    ...
    ]

  5. At the "Trust this certificate?" prompt, enter y and press Enter to complete the import.

  6. Verify that you get a confirmation that the certificate was added to the keystore.

Certificate files do not need to be added to the keystore

Certificate files that the PCoIP Connection Manager and the PCoIP Security Gateway present to clients do not need to be added to the keystore, namely, CMCertificate.pem.

Managing the Keystore

Change your default password

Teradici strongly recommends changing the default password and using a password that conforms to your organization's security policy. Java's default keystore password is 'changeit'.

To list the certificates in the keystore:

keytool -list -v -keystore <path-to-keystore>

To determine whether a particular certificate is already installed to the keystore, it may be easier to search by Subject:

keytool -list -v -keystore <path-to-keystore> | grep "^Owner"
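The Subject search above and the CA:true check from step 4 of the import procedure can be automated over the output of keytool -list -v. The following is an added example, not Teradici's code: it parses a constructed listing whose layout approximates real keytool output (an alias, the Owner and Issuer lines, and the BasicConstraints extension block, with entries separated by asterisk lines) and reports which aliases match a Subject and which entries can actually anchor agent and broker certificate validation.

```python
import re

# Constructed sample approximating `keytool -list -v` output (real output carries more fields).
SAMPLE_LISTING = """\
Alias name: corp-root-ca
Owner: CN=Example Corp Root CA, O=Example Corp, C=US
Issuer: CN=Example Corp Root CA, O=Example Corp, C=US
#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]
*******************************************
*******************************************
Alias name: old-broker-leaf
Owner: CN=broker.example.com, O=Example Corp, C=US
Issuer: CN=Example Corp Root CA, O=Example Corp, C=US
#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
]
*******************************************
*******************************************
"""

def _field(block, name):
    m = re.search(rf"^{name}: (.+)$", block, re.M)
    return m.group(1).strip() if m else ""

def parse_keystore_listing(listing):
    """Split keytool -list -v output into records: alias, subject, issuer, is_ca."""
    entries = []
    for block in re.split(r"\*{5,}", listing):  # entries are separated by asterisk lines
        if not re.search(r"^Alias name: ", block, re.M):
            continue  # keystore header or separator residue, not an entry
        entries.append({
            "alias": _field(block, "Alias name"),
            "subject": _field(block, "Owner"),
            "issuer": _field(block, "Issuer"),
            # Step 4 of the import procedure: only BasicConstraints CA:true can anchor a chain.
            "is_ca": bool(re.search(r"^\s*CA:true\s*$", block, re.M)),
        })
    return entries

def find_by_subject(listing, subject):
    """Aliases whose Owner (Subject) matches exactly: the grep "^Owner" search, automated."""
    return [e["alias"] for e in parse_keystore_listing(listing) if e["subject"] == subject]

def usable_trust_anchors(listing):
    """Aliases that can anchor agent/broker validation (trusted entries with CA:true)."""
    return [e["alias"] for e in parse_keystore_listing(listing) if e["is_ca"]]
```

An end-entity certificate such as the broker's own leaf can sit in the keystore without helping validation; only entries reported by usable_trust_anchors satisfy the CA:true requirement.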

To change the keystore password:

keytool -storepasswd -keystore <path-to-keystore>

To remove a certificate from the keystore:

keytool -delete -alias <alias> -keystore <path-to-keystore>