How to enable TLS for PCoIP License Server


It is highly recommended to use encrypted HTTPS when communicating with the local PCoIP license server. 

This tutorial details the steps to set up TLS for the PCoIP License Server.

  1. Get a valid certificate and private key for that certificate and save them in JKS (Java Key Store) format.
    • Ensure that the JKS file has both a key password (keypass) and a keystore password (storepass), and that the two are the same.
    • You can generate a self-signed JKS using the following command. 
      • keytool -genkey -keyalg RSA -alias teradiciLicenseServer -keystore teradiciLicenseServer.jks -storepass mypassword -validity 365 -keysize 2048 -noprompt -dname "CN=10.0.112.63, OU=Teradici PCoIP License Server, O=Teradici Corp, L=Vancouver, ST=BC, C=CA" -keypass mypassword
        keytool -importkeystore -srckeystore teradiciLicenseServer.jks -destkeystore teradiciLicenseServer.p12 -deststoretype pkcs12
    • NOTE:
      • Replace the CN part with the License Server IP or Fully Qualified Domain Name (FQDN).
      • Use your own password in place of mypassword.
      • If you use a self-signed certificate, the PCoIP Agent won't be able to validate the certificate for the HTTPS connection unless the public certificate is installed in the agent machine's trust store.
  2. Copy the .JKS file to the local license server (i.e., to /opt/flexnetls/TERADICI/) and give it appropriate permissions.
    • chmod 440 /opt/flexnetls/TERADICI/teradiciLicenseServer.jks
      chown root.pcoip_license_server /opt/flexnetls/TERADICI/teradiciLicenseServer.jks
  3. Edit the Local License Server settings to use the JKS. Edit the /opt/flexnetls/TERADICI/local-configuration.yaml file
    • For additional security it is worthwhile to use Flexera's password obfuscation tool so that a plaintext password is not stored in the configuration file. To do so, on the local license server, run the following command:
      • cd /opt/flexnetls/TERADICI/
        java -jar flexnetls.jar -password mypassword
      • The output of the above will be something like: mypassword => OBF:1uh41zly1x8g1vu11ym71ym71vv91x8e1zlk1ugm. In that case you would enter OBF:1uh41zly1x8g1vu11ym71ym71vv91x8e1zlk1ugm in place of mypassword in the configuration file.
    • Edit the following lines in /opt/flexnetls/TERADICI/local-configuration.yaml (the keys under https-in must be indented beneath it, as YAML requires):
      • # local-configuration.
        
        # HTTP listening port. Default is 7070. You can bind to an interface with this syntax: '[127.0.0.1].7070'.
        port: 7071
        
        ...
        
        # HTTPS server mode
        https-in:
          # Set to true to enable
          enabled: true
          # HTTPS listening port
          port: 7070
          # Path to keystore
          keystore-path: /opt/flexnetls/TERADICI/teradiciLicenseServer.jks
          # Keystore password. You can obfuscate this with java -jar flexnetls.jar -password your-password-here
          keystore-password: OBF:1uh41zly1x8g1vu11ym71ym71vv91x8e1zlk1ugm
        
        ...
      • The options are:
        • (a) HTTP listen port. This is required to run the license server commands internally on the license server host, but this port should not be externally accessible if using HTTPS.
        • (b) HTTPS-in enable. Set this to true to enable HTTPS for incoming connections to the license server.
        • (c) HTTPS-in port. Set this to the HTTPS listening port for the license server.
        • (d) Keystore-path. Set this to the full path for the JKS file that will be used for encryption.
        • (e) Keystore-password. Set this to the keypass/storepass, preferably the obfuscated password.
  4. Restart the license server and verify that you can still view licenses and that it is listening on both the specified HTTP and HTTPS ports.
    • # systemctl restart flexnetls-TERADICI
      # netstat -tulpn | grep -e 7070 -e 7071
      tcp6       0      0 :::7070                 :::*                    LISTEN      3083/java          
      tcp6       0      0 :::7071                 :::*                    LISTEN      3083/java
      $ pcoip-view-license
      ================================================================================
      Name              Count           Version         Type              Expiration    
      ================================================================================
       
      Agent-Graphics    1               2019.0209       CONCURRENT        2019-02-09    
      Agent-Session     1               2019.0209       CONCURRENT        2019-02-09    
       
      Total number of features : 2
       
       
      =======================================================================================
      Feature ID      Feature Name           Feature Version   Feature Count Used/Available
      =======================================================================================
      1               Agent-Graphics                2019.0209            0/1
      2               Agent-Session                 2019.0209            0/1
      =======================================================================================
       
      Device Information:
       
      -------------------------------------------------------------
      Device Name                   Feature Registered(Used Count)
      -------------------------------------------------------------
      =======================================================================================
       
              Total feature count           : 2
              Total feature count used      : 0
              Total uncounted features      : 0
      =======================================================================================
    • Note:
      • HTTPS on port 7070 should work as expected.
      • HTTP on port 7071 is for internal communication only, so it is fine to block that port with your firewall configuration.
  5. Verify that the license server setting in the Connection Manager is configured correctly (http://www.teradici.com/web-help/pcoip_connection_manager_security_gateway/1.8.1_1.14.1/#5_CM_SG/3_Config_CM.htm).
    • In HTTPS mode, it should be configured as follows (i.e., with https instead of http in the URL):
      • LicenseServerAddress = https://<License-Server-IP-or-FQDN>:7070/request
  6. Verify that the PCoIP Agents can check out licenses.
    • To check that the firewall is open, in a browser go to the license server health URL: https://<license-server-ip/fqdn>:<https-listen-port>/api/1.0/health.
      • If the page fails to load, the port is likely closed; if the page shows a certificate error, the certificate is not valid for that address or is not trusted by the client.
    • For a Linux agent, follow this tutorial to install/import the certificate: https://www.bounca.org/tutorials/install_root_certificate.html
    • For a Windows agent, install the certificate: http://www.sqlservermart.com/HowTo/Windows_Import_Certificate.aspx
    • Finally, validate the license status.
      • pcoip-validate-license
      • If the certificate fails to validate, it is likely because the Common Name of the certificate is invalid, i.e., the Common Name does not match the license server address, or the certificate was not issued by a trusted Certificate Authority.
        • (a) For a Common Name error, the certificate needs to be regenerated with the correct CN.
        • (b) For a trusted CA error, the CA's public certificate needs to be installed on the agent system.
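The checks in steps 4 and 6 above (keystore permissions, both ports listening, and the HTTPS health endpoint) can be scripted so they are repeatable after every restart. The script below is an added example written for this article; it is not part of the PCoIP License Server or Flexera tooling. It assumes the paths, group name and ports used in this article, a GNU/Linux host (it uses GNU stat), and curl on the machine running the health check. The netstat sample embedded in the script is constructed from the output shown in step 4 and is only used to exercise the port parser.

```shell
#!/bin/sh
# Post-configuration checks for a PCoIP License Server TLS setup.
# Added example; assumptions: article's paths, group, ports, GNU stat, curl.

KEYSTORE="${KEYSTORE:-/opt/flexnetls/TERADICI/teradiciLicenseServer.jks}"
HTTPS_PORT="${HTTPS_PORT:-7070}"
HTTP_PORT="${HTTP_PORT:-7071}"

# Constructed sample in the format of 'netstat -tulpn' (copied from step 4),
# used when the script runs stand-alone without a live license server.
SAMPLE_NETSTAT='tcp6       0      0 :::7070                 :::*                    LISTEN      3083/java
tcp6       0      0 :::7071                 :::*                    LISTEN      3083/java'

# ports_listening PORT...  reads netstat-style text on stdin and returns 0
# only if every given port appears in LISTEN state.
ports_listening() {
    listing=$(cat)
    for p in "$@"; do
        printf '%s\n' "$listing" | grep -E ":${p}[[:space:]].*LISTEN" >/dev/null || return 1
    done
    return 0
}

# keystore_mode_ok [FILE]  returns 0 if the keystore is not world- or
# group-writable and not world-readable (440 as in step 2, or stricter 400).
keystore_mode_ok() {
    f="${1:-$KEYSTORE}"
    mode=$(stat -c '%a' "$f" 2>/dev/null) || return 1
    [ "$mode" = "440" ] || [ "$mode" = "400" ]
}

# check_health HOST  queries the health endpoint over HTTPS and maps curl's
# exit code onto the article's two failure cases: port closed vs. certificate
# not trusted. Set CA_BUNDLE to the CA's public certificate if it is not yet
# in the system trust store.
check_health() {
    host="$1"
    url="https://${host}:${HTTPS_PORT}/api/1.0/health"
    if [ -n "${CA_BUNDLE:-}" ]; then
        curl -sS --cacert "$CA_BUNDLE" -o /dev/null "$url"
    else
        curl -sS -o /dev/null "$url"
    fi
    rc=$?
    case $rc in
        0)     echo "OK: ${url} reachable and certificate trusted" ;;
        7)     echo "FAIL: connection refused; port ${HTTPS_PORT} closed or blocked" ;;
        51|60) echo "FAIL: certificate not trusted (CN mismatch or unknown CA)" ;;
        *)     echo "FAIL: curl exit code ${rc}" ;;
    esac
    return $rc
}

# Stand-alone run: RUN_CHECKS=1 LICENSE_HOST=<ip-or-fqdn> sh tls-check.sh
if [ "${RUN_CHECKS:-}" = "1" ]; then
    keystore_mode_ok && echo "keystore permissions OK" || echo "keystore permissions too open"
    netstat -tulpn 2>/dev/null | ports_listening "$HTTPS_PORT" "$HTTP_PORT" \
        && echo "ports ${HTTPS_PORT} and ${HTTP_PORT} listening" \
        || echo "one or both ports not listening"
    [ -n "${LICENSE_HOST:-}" ] && check_health "$LICENSE_HOST"
fi
```

Run it on the license server host with RUN_CHECKS=1 after `systemctl restart flexnetls-TERADICI`; run check_health from an agent machine to confirm the firewall and trust-store state the agent will actually see, since a certificate trusted on the server host says nothing about the agents.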