
Enable HTTPS/TLS for PCoIP License Server

Important: Always use HTTPS

The following instructions document the use of HTTPS with TLS. The default communication protocol is HTTP, which is less secure than HTTPS. Teradici strongly recommends using HTTPS when communicating with the local PCoIP license server.

Warning: Only internal network usage is supported

The PCoIP License Server only supports company internal network usage. It is not designed to receive connections from the public internet.

TLS 1.1 on RHEL/Rocky Linux 8

TLS 1.1 is disabled by default in RHEL/Rocky Linux 8. Attempts to use it in those operating systems may result in errors.

TLS 1.1 is insecure and Teradici strongly recommends that you do not enable it. If you must enable TLS 1.1, understanding that it is not secure, you must first update the CentOS security policy to LEGACY.

To view the current security policy, run the following command:

update-crypto-policies --show 

To set the policy to LEGACY, run the following command:

update-crypto-policies --set LEGACY

Once this policy is set, you can proceed with the following instructions.

To use HTTPS/TLS on the PCoIP License Server:

  1. Get a valid certificate and accompanying private key, and save them in JKS (Java Key Store) format. Ensure that the JKS file has both a key password (keypass) and a keystore password (storepass), and that the two are the same.

    Using a self-signed certificate (not recommended)

    Teradici recommends using a CA-signed certificate whenever possible, but you can use a self-signed certificate if required.

    If you must use a self-signed certificate, generate one using the following command. Replace <password> with your own password, and <License Server address> with the IP address or FQDN of the license server:

    keytool -genkey -keyalg RSA -alias teradiciLicenseServer -keystore teradiciLicenseServer.jks -storepass <password> -validity 365 -keysize 2048 -noprompt -dname "CN=<License Server address>, OU=Teradici PCoIP License Server, O=Teradici Corp, L=Vancouver, ST=BC, C=CA" -keypass <password>
    
    keytool -importkeystore -srckeystore teradiciLicenseServer.jks -destkeystore teradiciLicenseServer.p12 -deststoretype pkcs12
    

    PCoIP agents can't validate self-signed certificates for HTTPS connections unless the public certificate is installed on the machine's trust store. For more information, see the RHEL instructions on this page.

  2. Create a new /opt/flexnetls/certs directory, and copy the .jks file into it. Do not place the .jks file under /opt/flexnetls/TERADICI/, because that directory may be overwritten by future upgrades.

  3. Give the .jks file appropriate permissions:

    sudo chmod 440 /opt/flexnetls/certs/teradiciLicenseServer.jks
    
    sudo chown root:pcoip_license_server /opt/flexnetls/certs/teradiciLicenseServer.jks
    
  4. Create an obfuscated password using Flexera's password obfuscation tool, replacing <password> with your password:

    cd /opt/flexnetls/TERADICI/
    
    java -jar flexnetls.jar -password <password>
    

    The output from this command shows the original password and the obfuscated password. Copy the obfuscated password (including OBF:) for use in the next step.

  5. Configure the Local License Server settings to use the JKS:

    1. Open /opt/flexnetls/TERADICI/local-configuration.yaml in a text editor using sudo.

    2. Edit the following lines, replacing <obfuscated password> with the password you copied in the previous step. The configuration options are described next:

      # local-configuration.
      
      # HTTP listening port. Default is 7070. You can bind to an interface with this syntax: '[127.0.0.1].7070'.
      port: 7070
      
      ...
      
      # HTTPS server mode
      https-in:
        # Set to true to enable
        enabled: true
        # HTTPS listening port
        port: 7071
        # Path to keystore
        keystore-path: /opt/flexnetls/certs/teradiciLicenseServer.jks
        # Keystore password. You can obfuscate this with java -jar flexnetls.jar -password your-password-here
        keystore-password: <obfuscated password>
      
      ...
      

      The options are:

      port: HTTP listen port. This is required to run the license server commands internally on the license server host. You can safely block this port externally.

      https-in/enabled: HTTPS-in enable. Set this to true to enable HTTPS for incoming connections to the license server.

      https-in/port: HTTPS-in port number. Set this to the HTTPS listening port for the license server.

      https-in/keystore-path: Set this to the full path for the JKS file that will be used for encryption.

      https-in/keystore-password: Set this to the keypass/storepass, preferably the obfuscated password you created earlier.

  6. Restart the license server:

    sudo systemctl restart flexnetls-TERADICI
    
  7. When the server comes back up, verify that the system is listening on the configured HTTP and HTTPS ports (replace the ports in this example with your own as needed):

    sudo netstat -tulpn | grep -e 7070 -e 7071
    

    A positive response will look similar to the following example:

    tcp6       0      0 :::7071                 :::*                    LISTEN      3083/java
    tcp6       0      0 :::7071                 :::*                    LISTEN      3083/java
    
  8. Verify that you can still view licenses:

    pcoip-list-licenses
    

    If you can view licenses, you will see output similar to the following example:

    ================================================================================
    Name              Count           Version         Type              Expiration    
    ================================================================================
    
    Agent-Graphics    1               2019.0209       CONCURRENT        2019-02-09    
    Agent-Session     1               2019.0209       CONCURRENT        2019-02-09    
    
    Total number of features : 2
    
    
    =======================================================================================
    Feature ID      Feature Name           Feature Version   Feature Count Used/Available
    =======================================================================================
    1               Agent-Graphics                2019.0209            0/1
    2               Agent-Session                 2019.0209            0/1
    =======================================================================================
    
    Device Information:
    
    -------------------------------------------------------------
    Device Name                   Feature Registered(Used Count)
    -------------------------------------------------------------
    =======================================================================================
    
            Total feature count           : 2
            Total feature count used      : 0
            Total uncounted features      : 0
    =======================================================================================
    
  9. Verify that the license server setting in the Connection Manager is configured correctly.

    When using HTTPS, it should be configured as follows (replace <License-Server-IP-or-FQDN> with the IP or FQDN of your license server, and <https-listen-port> with the port number you specified in step 5):

    LicenseServerAddress = https://<License-Server-IP-or-FQDN>:<https-listen-port>/request
    
  10. Verify that the PCoIP Agents can check out licenses.

    1. Move to a PCoIP Agent desktop machine that will use this license server.

    2. Verify that the License Server's firewall is open by opening a browser and visiting https://<License-Server-IP-or-FQDN>:<https-listen-port>/api/1.0/health.

      • If the page loads, the firewall configuration is correct.

      • If the page loads but throws a certificate error, the port is open but the certificate is invalid; see below for guidance.

      • If the page does not load, the port is most likely closed.

    3. Verify that the PCoIP Agent machine can view license information from the License Server:

      pcoip-validate-license
      
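The following POSIX shell script is an added example, not Teradici's tooling and not part of the original instructions. It audits the outcome of steps 2 through 7 on the license server host: a small awk-based getter reads local-configuration.yaml (it assumes the two-level layout shown in step 5, with top-level keys at column 0 and the https-in keys indented by two spaces, and is not a general YAML parser); audit_config checks that HTTPS is enabled, that the keystore password carries the OBF: prefix produced by flexnetls.jar, and that the keystore does not live under /opt/flexnetls/TERADICI/; audit_keystore checks the mode 440 and root:pcoip_license_server ownership from step 3 (GNU stat is assumed); and listening_ports_ok reads netstat output on stdin and insists that both the HTTP and the HTTPS port show LISTEN, which is the point of the check in step 7. The function names and the script file name are my own.

```shell
#!/bin/sh
# Post-configuration audit for the PCoIP License Server HTTPS setup.
# Added example, not Teradici's tooling. It assumes the two-level YAML layout of
# local-configuration.yaml shown in step 5 (top-level keys at column 0, https-in
# keys indented by two spaces); it is not a general YAML parser.

# yaml_get FILE KEY          -> value of a top-level KEY (e.g. port)
# yaml_get FILE SECTION KEY  -> value of KEY nested under SECTION (e.g. https-in port)
yaml_get() {
  file=$1; section=$2; key=$3
  if [ -z "$key" ]; then
    awk -v k="$section" '/^[^ #]/ && $1 == (k ":") { sub(/^[^:]*:[ ]*/, ""); print; exit }' "$file"
  else
    awk -v s="$section" -v k="$key" '
      /^[^ #]/ { insec = ($1 == (s ":")); next }          # any column-0 key starts or ends a section
      insec && $1 == (k ":") { sub(/^[^:]*:[ ]*/, ""); print; exit }
    ' "$file"
  fi
}

# audit_config FILE -> prints each failing check, returns 0 only when all pass
audit_config() {
  cfg=$1; rc=0
  [ "$(yaml_get "$cfg" https-in enabled)" = "true" ] ||
    { echo "FAIL: https-in.enabled is not true"; rc=1; }
  case $(yaml_get "$cfg" https-in keystore-password) in
    OBF:*) ;;                                              # obfuscated with flexnetls.jar -password
    *) echo "FAIL: keystore-password is not obfuscated (no OBF: prefix)"; rc=1 ;;
  esac
  case $(yaml_get "$cfg" https-in keystore-path) in
    "") echo "FAIL: keystore-path is empty"; rc=1 ;;
    /opt/flexnetls/TERADICI/*)
      echo "FAIL: keystore is under /opt/flexnetls/TERADICI/, which upgrades may overwrite"; rc=1 ;;
  esac
  return $rc
}

# audit_keystore JKS [OWNER:GROUP] -> checks the mode and ownership from step 3 (GNU stat)
audit_keystore() {
  ks=$1; want=${2:-root:pcoip_license_server}; rc=0
  [ -f "$ks" ] || { echo "FAIL: keystore $ks not found"; return 1; }
  mode=$(stat -c %a "$ks"); owner=$(stat -c %U:%G "$ks")
  [ "$mode" = "440" ] || { echo "FAIL: $ks mode is $mode, expected 440"; rc=1; }
  [ "$owner" = "$want" ] || { echo "FAIL: $ks owner is $owner, expected $want"; rc=1; }
  return $rc
}

# listening_ports_ok HTTP_PORT HTTPS_PORT  (netstat -tulpn output on stdin)
# Both ports must show LISTEN: the HTTP port is still used locally by the
# license server commands, the HTTPS port by agents and the Connection Manager.
listening_ports_ok() {
  out=$(cat); rc=0
  for p in "$1" "$2"; do
    printf '%s\n' "$out" | grep -Eq "[:.]${p}[[:space:]].*LISTEN" ||
      { echo "FAIL: nothing listening on port $p"; rc=1; }
  done
  return $rc
}

# Usage: sudo sh audit-https.sh /opt/flexnetls/TERADICI/local-configuration.yaml \
#                               /opt/flexnetls/certs/teradiciLicenseServer.jks
if [ "$#" -eq 2 ]; then
  audit_config "$1" && audit_keystore "$2" &&
    netstat -tulpn | listening_ports_ok "$(yaml_get "$1" port)" "$(yaml_get "$1" https-in port)" &&
    echo "All checks passed"
fi
```

Run it with sudo so that netstat can report the owning process and stat can read the keystore's ownership; each failing check prints a FAIL line, so the script can be dropped into a post-upgrade checklist to catch a keystore that was silently moved or a password that was pasted in clear text.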

If a Certificate Fails to Validate

If the certificate fails to validate, it is likely because the certificate's Common Name is invalid: either it is incorrect (it does not match the address used to reach the license server), or the certificate was not issued by a trusted Certificate Authority. Follow the instructions provided here to install or import certificates.

  • On PCoIP Agent for Linux machines, follow the instructions here to install or import the certificate.

  • On PCoIP Agent for Windows machines, follow the instructions here to install or import the certificate.