
Security Considerations

All certificate files must be in base64-encoded PEM format.

Follow your organisation's security policy

For all security and certificate procedures, ensure you follow your organisation's security policy.

Agent and Broker Certificate Validation

Enable validation of certificate files

For production deployments, Teradici strongly recommends enabling validation of certificate files presented by PCoIP agents and broker.

In brokered systems, Teradici recommends the following:

  • Install certificate files signed by a trusted certificate authority (CA) onto the agents and broker.

  • Ensure the intermediate or root certificate from the CA is installed in the PCoIP Connection Manager's keystore. See Importing Certificates into the Keystore.

  • Enable PCoIP Connection Manager agent and broker certificate validation:

    1. Open /etc/ConnectionManager.conf in a text editor and set the following values:

      AgentCertCheck = true
      
      BrokerCertCheck = true
      
    2. Restart the PCoIP Connection Manager to implement the change:

      sudo service connection_manager restart
      

Configure the agents and broker to present the certificate chain

Ensure the agents and the broker are configured to present the complete certificate chain to clients (namely, the PCoIP Connection Manager). If none of the certificate files in the chain are signed by an intermediate or root certificate in the PCoIP Connection Manager's keystore, certificate validation will fail.

Importing Certificates Into the Keystore

To validate the agent and broker certificates, the PCoIP Connection Manager uses the Java system default keystore. The exact location of the keystore will vary depending on your Java installation and system configuration; in the Java home directory, the keystore path is typically java-home/jre/lib/security/cacerts.

To import a certificate into the keystore:

  1. In the PCoIP Connection Manager server, open a command prompt.

  2. Start the Java keytool:

    sudo keytool -importcert -trustcacerts -file <path-to-certificate> -keystore <path-to-keystore> -alias <arbitrary-alias>
    
  3. When prompted, enter the keystore password.

  4. If the keytool cannot establish trust of the specified certificate, it displays the properties of the certificate followed by a prompt. In this case, verify you are importing the correct certificate and ensure that the certificate's constraints enable it to be used for certificate verification:

    BasicConstraints:[
    ...
    CA:true
    ...
    ]
    
  5. At the Trust this certificate? prompt enter y and press Enter to complete the import.

  6. Verify you get a confirmation that the certificate was added to the keystore.

Certificate files do not need to be added to the keystore

Certificate files that the PCoIP Connection Manager and the PCoIP Security Gateway present to clients (namely, CMCertificate.pem) do not need to be added to the keystore.

Managing the Keystore

Change your default password

Teradici strongly recommends changing the default password and using a password that conforms to your organization's security policy. Java's default keystore password is 'changeit'.

To list the certificates in the keystore:

keytool -list -v -keystore <path-to-keystore>

To determine whether a particular certificate is already installed to the keystore, it may be easier to search by Subject:

keytool -list -v -keystore <path-to-keystore> | grep "^Owner"

To change the keystore password:

keytool -storepasswd -keystore <path-to-keystore>

To remove a certificate from the keystore:

keytool -delete -alias <alias> -keystore <path-to-keystore>
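The Subject search above is the check to run before importing a certificate that may already be present. The following is an added example (not Teradici code) that parses `keytool -list -v` output into entries, searches them by Owner (Subject) and flags expired trust anchors that are candidates for `keytool -delete`; SAMPLE_LISTING is constructed, with keytool's real field labels but made-up aliases, names and dates.

```python
"""Parse `keytool -list -v` output to find trust anchors by Subject and expiry.

Added example, not Teradici code. SAMPLE_LISTING is constructed: the field
labels are the ones keytool prints, the aliases, names and dates are made up.
"""
import re
from datetime import datetime

SAMPLE_LISTING = """\
Alias name: corp-root-ca
Entry type: trustedCertEntry

Owner: CN=Corp Root CA, O=Example Corp, C=US
Issuer: CN=Corp Root CA, O=Example Corp, C=US
Valid from: Mon Mar 01 00:00:00 UTC 2021 until: Sat Mar 01 00:00:00 UTC 2031

Alias name: old-vendor-ca
Entry type: trustedCertEntry

Owner: CN=Old Vendor CA, O=Vendor Inc, C=US
Issuer: CN=Old Vendor CA, O=Vendor Inc, C=US
Valid from: Fri Jan 01 00:00:00 UTC 2016 until: Sun Jan 01 00:00:00 UTC 2017
"""

DATE_FMT = "%a %b %d %H:%M:%S %Z %Y"  # keytool's date layout

def parse_listing(text):
    """Return one dict per keystore entry: alias, owner, issuer, not_after."""
    entries = []
    for chunk in re.split(r"^Alias name: ", text, flags=re.M)[1:]:
        field = lambda label: re.search(rf"^{label}: (.*)$", chunk, re.M).group(1)
        until = re.search(r"until: (.*)$", chunk, re.M).group(1)
        entries.append({"alias": chunk.splitlines()[0].strip(),
                        "owner": field("Owner"), "issuer": field("Issuer"),
                        "not_after": datetime.strptime(until, DATE_FMT)})
    return entries

def find_by_subject(entries, needle):
    """Aliases whose Owner (Subject) contains needle, case-insensitive: the same
    check as piping -list -v through grep "^Owner" before importing a duplicate."""
    return [e["alias"] for e in entries if needle.lower() in e["owner"].lower()]

def expired_entries(entries, now=None):
    """Aliases whose certificate has expired as of now (default: current time),
    candidates for keytool -delete."""
    now = now or datetime.now()
    return [e["alias"] for e in entries if e["not_after"] < now]
```

To use it on a real keystore, feed the captured output of `keytool -list -v -keystore <path-to-keystore>` to parse_listing in place of SAMPLE_LISTING.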

PCoIP Connection Manager Supported TLS Cipher Suites

The PCoIP Connection Manager supports the following cipher suites for the TLS connections from the PCoIP client, to the connection broker, and to the PCoIP Agent (in decreasing order of preference):

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA

Blacklisting Cipher Suites for the PCoIP Client Connections

You can configure the PCoIP Connection Manager to support a subset of the previous cipher suites. The ClientSSLCipherBlackList setting enables you to remove cipher suites from the previous list. For more information, see PCoIP Connection Manager Configuration Settings.

Changing the ClientSSLCipherBlackList setting updates the cipher suite list

Changing the ClientSSLCipherBlackList and then restarting the PCoIP Connection Manager service causes the SSLCipherSuite variable in /opt/Teradici/thirdparty/tomcat/conf/server.xml to be updated with the revised cipher suite list. Tomcat uses the ciphers specified in server.xml for all its inbound connections.

Blacklisting Cipher Suites for the Connection Broker and the PCoIP Agent Connections

You can configure the PCoIP Connection Manager to support a subset of the previous cipher suites for connections to the connection broker and to the PCoIP agents. The ServerSSLCipherBlackList setting enables you to remove cipher suites from the previous list. For more information, see PCoIP Connection Manager Configuration Settings.

PCoIP Security Gateway Supported TLS Cipher Suites

The PCoIP Security Gateway supports the following cipher suites for TLS connections, in decreasing order of preference:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA

You can configure the PCoIP Security Gateway to support a subset of the previous cipher suites. The SSLCipherBlackList setting enables removing cipher suites from the previous list. For more information, see PCoIP Connection Manager Configuration Settings.
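The three blacklist settings on this page (ClientSSLCipherBlackList, ServerSSLCipherBlackList and SSLCipherBlackList) all subtract from the same ordered list. The following added example (not Teradici code) computes the list that remains after a blacklist is applied, preserving preference order, reports entries that name no supported suite (a typo would otherwise silently remove nothing) and refuses a blacklist that would leave no suite at all. The supported suites and their order are taken from this page; that a blacklist value is comma-separated, and that the SSLCipherSuite value written to server.xml is the kept suites joined with commas, are assumptions.

```python
"""Compute the cipher suite list that remains after a *SSLCipherBlackList setting.

Added example, not Teradici code. The suites and their preference order come
from the documentation; the comma-separated format of the blacklist value and
of the SSLCipherSuite value in server.xml is an assumption.
"""

# Supported suites in decreasing order of preference (identical for the
# Connection Manager client/server lists and for the Security Gateway).
SUPPORTED_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

def parse_blacklist(value):
    """Split a blacklist setting value into suite names (assumed comma-separated)."""
    return [s.strip() for s in value.split(",") if s.strip()]

def weak_suites(suites=SUPPORTED_SUITES):
    """Suites a hardening review would blacklist: static RSA key exchange (no
    forward secrecy, so a leaked server key decrypts recorded sessions) or CBC mode."""
    return [s for s in suites if "_ECDHE_" not in s or "_CBC_" in s]

def effective_suites(blacklist):
    """Apply a blacklist to SUPPORTED_SUITES, keeping preference order.

    Returns (kept, unknown): kept is what the service will offer after restart,
    unknown lists blacklist entries that match no supported suite.  Raises
    ValueError if nothing would remain, since that breaks every TLS connection.
    """
    banned = set(blacklist)
    unknown = sorted(banned - set(SUPPORTED_SUITES))
    kept = [s for s in SUPPORTED_SUITES if s not in banned]
    if not kept:
        raise ValueError("blacklist removes every supported cipher suite")
    return kept, unknown

def server_xml_value(kept):
    """Comma-joined form assumed for the SSLCipherSuite attribute in server.xml."""
    return ",".join(kept)
```

Running effective_suites(weak_suites()) shows the two ECDHE GCM suites that survive a forward-secrecy-only policy; compare that against what the PCoIP clients and agents in your deployment actually negotiate before committing the setting.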