Skip to content

Enabling HTTPS/TLS for PCoIP License Server

Enabling HTTPS/TLS on the License Server

Offline Environments     Online Environments

Important: Always use HTTPS

The default communication protocol is HTTP, which is less secure than HTTPS. We strongly recommend using HTTPS when communicating with the local HP Anyware license server.

Warning: Only internal network usage is supported

The HP Anyware License Server only supports company internal network usage. It is not designed to receive connections from the public internet.

TLS 1.1 Considerations

TLS 1.1 is disabled by default in RHEL/Rocky Linux 8. Attempts to use it in those operating systems may result in errors.

TLS 1.1 is insecure and we strongly recommend that you do not enable it. If you must enable TLS 1.1, first update the CentOS security policy to LEGACY.

To view the current security policy, run the following command:

update-crypto-policies --show 

To set the policy to LEGACY, run the following command:

update-crypto-policies --set LEGACY

Once this policy is set, you can proceed with the following instructions.

Prerequisites for Using HTTPS/TLS

Before enabling HTTP/TLS, get a valid certificate and accompanying private key, and save them in the JKS (Java Key Store) format. Ensure that the JKS file has a keystore password and storepass, and they both are the same.

We recommend using a CA-signed certificate whenever possible, but you can use a self-signed certificate if required.

If you must use a self-signed certificate, generate one using the following command. Replace <password> with your own password, and <license server="" address=""> with the IP address or FQDN of the license server:

keytool -genkey -keyalg RSA -alias HPAnywareLicenseServer -keystore HPAnywareLicenseServer.jks -storepass <pasword> -validity 365 -keysize 2048 -noprompt -dname "CN=<License Server address>, OU=HP Anyware License Server, O=HP Corp, L=Vancouver, ST=BC, C=CA" -keypass <password>
keytool -importkeystore -srckeystore HPAnywareLicenseServer.jks -destkeystore HPAnywareLicenseServer.p12 -deststoretype pkcs12

Anyware agents can't validate self-signed certificates for HTTPS connections unless the public certificate is installed on the machine's trust store. For more information, see the RHEL instructions on this page.

Procedure

  1. Create a new /opt/flexnetls/certs directory, and copy the .jks file into it. Do not place .jks file under /opt/flexnetls/HP/, which may be overwritten by future upgrades.

  2. Give the .jks file appropriate permissions:

    sudo chmod 440 /opt/flexnetls/certs/HPAnywareLicenseServer.jks
    
    sudo chown root.pcoip_license_server /opt/flexnetls/certs/HPAnywareLicenseServer.jks
    

  3. Create an obfuscated password using Flexera's password obfuscation tool, replacing <password> with your password:

    cd /opt/flexnetls/HP/
    
    java -jar flexnetls.jar -password <password>
    

  4. The output from this command shows the original password and the obfuscated password. Copy the obfuscated password (including OBF:) for use in the next step.

  5. Configure the Local License Server settings to use the JKS:

    1. Open /opt/flexnetls/HP/local-configuration.yaml in a text editor using sudo.

    2. Edit the following lines, replacing <obfuscated password=""> with the password you copied in the previous step. The configuration options are described next:

    # local-configuration.
    
    # HTTP listening port. Default is 7070. You can bind to an interface with this syntax: '[127.0.0.1].7070'.
    port: 7070
    
    ...
    
    # HTTPS server mode
    https-in:
      # Set to true to enable
      enabled: true
      # HTTPS listening port
      port: 7071
      # Path to keystore
      keystore-path: /opt/flexnetls/certs/HPAnywareLicenseServer.jks
      # Keystore password. You can obfuscate this with java -jar flexnetls.jar -password your-password-here
      keystore-password: <obfuscated password="">
    
    ...
    

    The options are:

    port: HTTP listen port. This is required to run the license server commands internally on the license server host. You can safely block this port externally.

    https-in/enabled: HTTPS-in enable. Set this to true to enable HTTPS for incoming connections to the license server.

    https-in/port: HTTPS-in port number. Set this to the HTTPS listening port for the license server.

    https-in/keystore-path: Set this to the full path for the JKS file that will be used for encryption.

    https-in/keystore-password: Set this to the keypass/storepass, preferably the obfuscated password you created earlier.

    Restart the license server:

    sudo systemctl restart HPAnywareLicenseServer
    
  6. When the server comes back up, verify that the system is listening on the configured HTTP and HTTPS ports (replace the ports in this example with your own as needed):

    sudo netstat -tulpn | grep -e 7070 -e 7071
    
  7. A positive response will look similar to the following example:

    tcp6       0      0 :::7071                 :::*                    LISTEN      3083/java
    tcp6       0      0 :::7071                 :::*                    LISTEN      3083/java
    
  8. Verify that you can view licenses:

    pcoip-list-licenses
    
  9. If you can view licenses, you will see output similar to the following example:

    ================================================================================
    Name              Count           Version         Type              Expiration    
    ================================================================================
    
    Agent-Graphics    1               2019.0209       CONCURRENT        2019-02-09    
    Agent-Session     1               2019.0209       CONCURRENT        2019-02-09    
    
    Total number of features : 2
    
    =======================================================================================
    Feature ID      Feature Name           Feature Version   Feature Count Used/Available
    =======================================================================================
    1               Agent-Graphics                2019.0209            0/1
    2               Agent-Session                 2019.0209            0/1
    =======================================================================================
    
    Device Information:
    
    -------------------------------------------------------------
    Device Name                   Feature Registered(Used Count)
    -------------------------------------------------------------
    =======================================================================================
    
            Total feature count           : 2
            Total feature count used      : 0
            Total uncounted features      : 0
    =======================================================================================
    ```
    
  10. Verify that the license server setting in the Connection Manager is configured correctly.

  11. When using HTTPS, it should be configured as follows (replace <license-server-ip-or-fqdn> with the IP or FQDN of your license server, and <https-listen-port> with the port number you specified in step 5):

    LicenseServerAddress = https://<License-Server-IP-or-FQDN>:<https-listen-port>/request
    
  12. Verify that the Anyware Agents can check out licenses.

    1. Move to a Anyware Agent desktop machine that will use this license server.

    2. Verify that the License Server's firewall is open by opening a browser and visiting https://<license-server-ip-or-fqdn>:<https-listen-port>/api/1.0/health.

    3. If the page loads, the firewall configuration is correct.

    4. If the page loads but throws a certificate error, the port is open but the certificate is invalid; see below for guidance.

    5. If the page does not load, the port is most likely closed.

  13. Verify that the Anyware Agent machine can view license information from the License Server:

    pcoip-validate-license