Installing the PCoIP License Server
To get up and running quickly with the PCoIP License Server in an online (internet-connected) environment, follow these instructions.
Important: Migrating from RHEL 7 to RHEL 8
If you have currently deployed a PCoIP License Server on RHEL 7 and wish to upgrade to RHEL 8, do not upgrade the operating system in place. Updating the operating system could invalidate your PCoIP licenses. See Migrating from RHEL 7 to RHEL 8 for a supported migration path.
Caution: Don't install more than one type of license server on the same machine
The PCoIP License Server version 22.07 cannot be installed on the same machine as the PCoIP License Server 1.x or an NVIDIA GRID License Server.
Keeping Passwords Secure
Some commands documented in this guide allow the use of the -p flag to provide password values inline, rather than stopping for a user input prompt. Although the PCoIP License Server does not log or distribute passwords provided this way, it can be difficult to tell whether other system loggers (like /var/log/secure and bash history) are capturing them, leading to inadvertent disclosures. For this reason, Teradici strongly discourages the use of the -p flag (or the related -n flag used by pcoip-set-password).
The PCoIP License Server supports the use of system environment variables to securely store and recall the license server password. To register the password as an environment variable, open a console window and run the following commands, substituting your password for <your_license_server_password>:
export HISTIGNORE="export*"
export TERADICI_LICENSE_SERVER_PASSWORD=<your_license_server_password>
If the PCoIP License Server password is registered in this way, the PCoIP License Server can use it automatically without needing the -p flag.
If you must use the -p flag
If you prefer to use these flags, or have no alternative, you should run sudo -i first. This changes to the Linux root user, and may avoid logging your password into /var/log/secure. You may also run export HISTIGNORE="sudo pcoip-*" to avoid logging the password into bash history.
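One way to register the variable without typing the password as part of a command, so it never reaches bash history or a logged command line. This is an added example, not Teradici code: the function names are hypothetical, and it also checks the input against the Password Rules listed in the installation steps on this page.

```sh
#!/bin/sh
# Added example, not Teradici code. Source this file, then run
# set_license_password in the same shell so the export takes effect there.

# True if $1 matches bracket expression $2. printf is a shell builtin, so the
# password is never placed on another process's command line.
has() { printf '%s' "$1" | LC_ALL=C grep -q -- "$2"; }

# Check $1 against the Password Rules on this page: print the first failed
# rule and return 1, or return 0. Assumption: the four excluded characters are
# rejected outright, which satisfies either reading of the symbol rule.
check_pcoip_password() {
    if [ "${#1}" -lt 8 ] || [ "${#1}" -gt 30 ]; then
        echo "must be 8 to 30 characters long"; return 1
    fi
    has "$1" '[a-z]' || { echo "needs a lowercase letter"; return 1; }
    has "$1" '[A-Z]' || { echo "needs an uppercase letter"; return 1; }
    has "$1" '[0-9]' || { echo "needs a digit"; return 1; }
    case $1 in
        *\'*|*\"*|*\\*|*' '*)
            echo "must not contain quotes, backslashes or spaces"; return 1 ;;
    esac
    has "$1" '[[:punct:]]' || { echo "needs a symbol"; return 1; }
    if [ "$1" = '1P@ssw0rd!' ]; then
        echo "must not be the default password"; return 1
    fi
    return 0
}

# Prompt without echo, validate, then export. Nothing is typed as a command,
# so the value reaches neither shell history nor a logged command line.
set_license_password() {
    printf 'License server password: ' >&2
    stty -echo 2>/dev/null || true   # harmless failure when stdin is not a terminal
    IFS= read -r _pw || _pw=
    stty echo 2>/dev/null || true
    echo >&2
    if ! _why=$(check_pcoip_password "$_pw"); then
        echo "rejected: password $_why" >&2
        unset _pw
        return 1
    fi
    export TERADICI_LICENSE_SERVER_PASSWORD="$_pw"
    unset _pw
}
```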
To install the PCoIP License Server:
1. SSH into your License Server machine.
2. For RHEL/CentOS 7, install wget and yum-utils (skip this step for RHEL/Rocky Linux 8):
       sudo yum install wget
       sudo yum install yum-utils
3. Install the Teradici pcoip-license-server repository, using the shell script available here. The script will discover your operating system and configure the repo appropriately.
4. Install Java:
   - For RHEL/CentOS 7:
         sudo yum install java-11-openjdk
   - For RHEL/Rocky Linux 8:
         sudo dnf install java-11-openjdk
5. Install the license server:
   - For RHEL/CentOS 7:
         sudo yum install -y pcoip-license-server
   - For RHEL/Rocky Linux 8:
         sudo dnf install -y pcoip-license-server
   Note: Wait for the PCoIP License Server to start
   Before proceeding, wait for the PCoIP License Server to start. This is typically done within 30-60 seconds.
   You can verify that the PCoIP License Server is running by using the following command:
       sudo systemctl status flexnetls-TERADICI
6. Set your PCoIP License Server administrative password with pcoip-set-password.
   Change the default password immediately
   Until the default password is changed, commands can be issued to the license server without your knowledge.
   Info: Password Rules
   Passwords should be surrounded with single quotation marks like 'password', and must conform to the following rules:
   - Must be between 8 and 30 characters long
   - Must contain at least one lowercase letter
   - Must contain at least one uppercase letter
   - Must contain at least one digit
   - Must contain at least one symbol, excluding ' (single quote), " (double quote), \ (backslash), and spaces.
   Note: Default password
   The default password in new installations is 1P@ssw0rd!, where the leading 1 is a numeral one and 0 is a zero. When setting the password on a clean installation, use this as your current password.
   - To set the new password:
         sudo pcoip-set-password
     You will be prompted for the old and new passwords.
     Register your password as an environment variable
     Teradici recommends that you register your password as a system environment variable, which will allow you to run commands without providing the password inline via the -p flag. Providing the passwords inline can have security implications and Teradici recommends against it. See Keeping Passwords Secure at the top of this page for more information and methods for mitigating the security concerns.
     To register the PCoIP password as an environment variable, run the following commands, replacing <your_license_server_password> with your license server password:
         export HISTIGNORE="export*"
         export TERADICI_LICENSE_SERVER_PASSWORD=<your_license_server_password>
     You can specify the old and new passwords inline, by including the -p and -n flags; to do this, you would enter sudo pcoip-set-password -p <old_password> -n <new_password>. This method may expose your password via system loggers, and Teradici strongly discourages it.
7. If possible, enable HTTPS/TLS for communication with the PCoIP License Server, as described here.
8. Configure your firewalls:
   - Configure your corporate firewall to block all incoming external connections. The PCoIP License Server does not need to accept incoming connections from the outside internet.
   - On the PCoIP License Server machine, first block all incoming TCP connections, then allow incoming connections only on these specific ports:
     - Allow PCoIP agent subnets to connect on your configured listening port.
       By default, the PCoIP License Server listens on port 7070 using HTTP. If you have not modified the default and have not enabled HTTPS/TLS, then open port 7070; if you have modified the default installation then adjust the port number accordingly.
       If you change the default listening port for the PCoIP License Server, you must also change the port configuration on all PCoIP agents that use it.
     - If using SSH to administer the server, allow your administrative subnet to connect on port 22.
   - Open port 443 to outgoing connections. If you are using a proxy server, this requirement may be different; review your proxy server configuration.
   - If you block outgoing connections over the internet, you will need to whitelist our licensing service addresses.
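The host firewall step above, worked for firewalld as an added example (not Teradici code): the script prints the firewall-cmd calls in an order that keeps the administrative SSH session alive while incoming traffic is locked down. The use of firewalld and its built-in drop zone, the function names and the sample subnets are assumptions.

```sh
#!/bin/sh
# Added example, not Teradici code. Assumes firewalld and that the server's
# interface uses the default zone. Prints the commands for review; apply with
#   ls_firewall_plan 7070 10.0.9.0/24 10.20.0.0/16 | sudo sh -e
# (7070 is the page's default port; the subnets are constructed samples).

# True if $1 has the shape of an IPv4 CIDR. Strict on purpose: the value is
# placed inside a command line that will run as root.
is_cidr() {
    case $1 in ''|*[!0-9./]*) return 1 ;; esac
    printf '%s\n' "$1" |
        grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Print one permanent rich rule for the built-in "drop" zone.
# usage: allow_rule SOURCE_CIDR TCP_PORT
allow_rule() {
    printf "firewall-cmd --permanent --zone=drop --add-rich-rule='%s'\n" \
        "rule family=\"ipv4\" source address=\"$1\" port port=\"$2\" protocol=\"tcp\" accept"
}

# usage: ls_firewall_plan LISTEN_PORT ADMIN_CIDR AGENT_CIDR [AGENT_CIDR ...]
ls_firewall_plan() {
    [ "$#" -ge 3 ] || { echo "usage: port admin-cidr agent-cidr..." >&2; return 2; }
    _port=$1; shift
    case $_port in ''|*[!0-9]*) echo "bad port: $_port" >&2; return 2 ;; esac
    { [ "$_port" -ge 1 ] && [ "$_port" -le 65535 ]; } 2>/dev/null ||
        { echo "bad port: $_port" >&2; return 2; }
    # Validate everything before printing, so a partial plan is never applied.
    for _net in "$@"; do
        is_cidr "$_net" || { echo "bad subnet: $_net" >&2; return 2; }
    done
    _admin=$1; shift
    # SSH rule first, so the administrative session survives the zone switch.
    allow_rule "$_admin" 22
    for _net in "$@"; do allow_rule "$_net" "$_port"; done
    echo "firewall-cmd --reload"
    # Last: unmatched incoming traffic is now dropped. Outgoing connections,
    # including port 443, are not filtered by the zone.
    echo "firewall-cmd --set-default-zone=drop"
}
```

Running the output through `sh -e` stops at the first failed rule, before the default zone is switched.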
Restart the system after making changes
If you make changes to the PCoIP License Server configuration settings, you will have to restart the server to apply your changes. To restart the server, use the following command:
sudo systemctl restart flexnetls-TERADICI.service
Migrating from RHEL 7 to RHEL 8
If you have an existing PCoIP License Server on RHEL 7 and wish to upgrade to RHEL 8, you must create a new machine and transfer the license activations to it. You cannot upgrade the operating system in place.
To migrate licenses from a RHEL 7 to a RHEL 8 PCoIP License Server:
1. On the existing RHEL 7 machine, record the number of activated licenses using the pcoip-list-licenses command:
       sudo pcoip-list-licenses
   Note the number of licenses returned by this command; we will use it to verify the migration in the last step.
2. Create a new internet-connected RHEL 8 machine.
3. Follow the instructions above to install the PCoIP License Server on the new machine.
4. Return the licenses on the RHEL 7 machine, using the instructions here.
   The command will provide the number of licenses returned; note this value. We'll use it in the next step.
5. On the new RHEL 8 machine, activate the same number of licenses that were returned in the previous step, using the instructions here. When following these instructions, use the number returned in the previous step for <license count>.
6. Repeat steps 4 and 5 for each of your activation codes, until all licenses have been returned from the old machine and re-activated on the new one.
7. On the new machine, verify that all the licenses have been successfully activated with the pcoip-list-licenses command:
       sudo pcoip-list-licenses
   The value returned by this command should match the total number of licenses returned on the old license server.