Certificates Used by the VE License Server
Certificate Usage Overview
The VE license server uses certificates for different purposes:
- License server operation: encrypted communication between license server and license clients (emulators)
- Web-based management GUI: encrypted (HTTPS) communication between the integrated license server web server and web browsers
This section provides an overview of the different scenarios and user options.
Certificates Used for License Server Operation
The communication between license server and license client (emulator) is encrypted. This encryption is based on TLS and requires matching certificates on server and client sides.
Starting with VE License Server version 2.1.3, it is possible to use certificates created by the user, or certificates the user obtained from an official certificate authority (CA). This requires a matching emulator version. Currently, this is supported in Charon-SSP starting with version 5.5.5.
Older versions of the VE License Server and older versions of Charon emulator products use built-in certificates that cannot be changed.
Default Operation and Backward Compatibility
By default, the VE license server and the license clients use their built-in certificate when configured for general VE mode. No action on the user's side is required in this case. However, there are some aspects to be considered:
AL Marketplace Images with Stromasys-operated Public License Servers
- Charon host instances based on marketplace image versions using the old certificate scheme: the Stromasys-operated public license servers offer the old certificate on port 8080 as before. The Charon instances will continue to run normally using their built-in certificates. This applies, for example, to Charon-SSP images before version 5.5.5.
- Charon host instances based on marketplace image versions using the new certificate scheme: the Stromasys-operated public license servers offer the new certificate on port 8081. The Charon instances will use their built-in certificate and automatically connect to port 8081 of the public license server. This applies, for example, to Charon-SSP images of versions 5.5.5 and higher.
- Custom certificates are not possible if the public license servers are used.
- At the time of writing, AL marketplace images are only available for Charon-SSP.
AL Marketplace Images with Customer-operated AutoVE License Servers
- Emulator hosts that use AutoVE license servers are created from AL marketplace images. These images (if the feature is supported by the respective version) use the new certificates by default. The AutoVE license server must also support the new certificates for the configuration to work. An attempt to use a marketplace image including the new certificate version with an AutoVE server running a version not supporting the new certificates will lead to a registration failure and a Bad Certificate error in a network traffic trace.
- Emulator hosts based on AL marketplace images supporting the new certificates cannot register with an AutoVE server not supporting the new certificates. This means, for example, that Charon-SSP instances based on marketplace instances with SSP version 5.5.5 or higher are not compatible with AutoVE servers running a VE license server version before 2.1.3.
- A VE license server supporting the new certificates and running in AutoVE mode will always use the new certificate. Therefore, all Charon emulator hosts connecting to it must also use the new certificate.
- AutoVE peer servers must use compatible certificates (the same certificates, or certificates issued from the same root CA). Otherwise, the synchronization will fail.
- At the time of writing, AL marketplace images are only available for Charon-SSP.
General VE mode
- License server side: the VE license server will be initially installed using the old certificates. So backward compatibility to Charon emulator products using the old certificate is maintained.
  New certificates created by Stromasys are available in /opt/license-server/certs (file names *.sample). However, they do not become active until they are renamed to remove the string .sample from the name, followed by a restart of the license server. Customers can also create their own certificates or obtain certificates from an official CA instead of using the certificates provided by Stromasys (described later in this document).
- License client (emulator) side: after the new certificates have been enabled on the license server, license clients must also use the new certificates. For this, the certificates provided by Stromasys with the installation kit (e.g. for SSP/4U: /opt/charon-ssp/ssp-4u/certs/*.sample) must likewise be renamed to remove the string .sample from the name, and the emulator must be restarted. Customers can also create their own certificates or obtain certificates from an official CA instead of using the certificates provided by Stromasys (described later in this document).
- The *.sample certificates included in the kits cannot be used for AL or AutoVE environments.
Enabling New Certificates on License Server and Emulator
By default, the VE license server will use the old certificates to maintain compatibility. This section shows how to activate the new certificates.
Please note: all commands shown in this section are executed as the root user.
Activating the Certificates Provided by Stromasys
As part of certain RPM packages, Stromasys provides sample certificates for enabling the new certificates:
Product | Version | Sample certificate file names |
---|---|---|
VE license server | Starting with version 2.1.3 | |
Charon-SSP (emulator RPMs for VE licensing) | Starting with SSP version 5.5.5 (example for 4U) | |
Charon-SSP (emulator RPMs for VE licensing) | Starting with SSP version 5.6.2 (example for 4U) | |
Please note: Charon-SSP marketplace images for licensing by Stromasys-operated public license servers (AL) or customer-operated AutoVE license servers do not contain these sample certificates. New versions of these marketplace images always use the new certificates.
To activate the preconfigured certificates, perform the following steps:
Step | Description | Examples |
---|---|---|
1 | Should there be active Charon emulators, cleanly shut down the guest systems and stop the emulators. | |
2 | Create a backup of the preconfigured certificates. | VE license server:<br># mkdir /opt/license-server/certs/Backup<br># cp /opt/license-server/certs/*.sample /opt/license-server/certs/Backup/<br>SSP/4U emulator host (replace ssp-4u with ssp-4v or ssp-4m as appropriate):<br># mkdir /opt/charon-ssp/ssp-4u/certs/Backup<br># cp /opt/charon-ssp/ssp-4u/certs/*.sample /opt/charon-ssp/ssp-4u/certs/Backup/ |
3 | Rename the preconfigured certificates on the VE license server. | # cd /opt/license-server/certs |
4 | Rename the preconfigured certificates on the emulator host. | SSP/4U emulator host (replace ssp-4u with ssp-4v or ssp-4m as appropriate):<br># cd /opt/charon-ssp/ssp-4u/certs/<br># rename -v .sample '' *.sample |
5 | Restart the license server. | # systemctl restart licensed |
6 | Restart emulators and guest systems. | |
Please note: if the above steps were completed with an SSP version before 5.6.2 (old ssp.key and ssp.crt file names used) and Charon-SSP is later upgraded to 5.6.2 or higher, the old names will still be recognized.
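The activation steps above rely on rename(1), whose syntax differs between the util-linux version (rename from to files) and the Perl version shipped by some distributions. The following is an added example, not part of the Stromasys kit: it performs steps 2 to 4 for one certs directory with portable shell only, and it refuses to run when a target file already exists, so an active or custom certificate is never silently overwritten by a sample one. The directory used in the demonstration is a temporary one with constructed empty files; the real paths are the /opt/license-server/certs and /opt/charon-ssp/ssp-4u/certs directories named in the table.

```shell
#!/bin/sh
# Added example (not Stromasys' documented commands): back up and activate the
# *.sample certificates in one directory without rename(1), refusing to
# overwrite a certificate that is already active.
set -eu

# activate_sample_certs DIR
#   1. fail if DIR holds no *.sample files
#   2. fail, changing nothing, if any DIR/<name> already exists for a DIR/<name>.sample
#   3. copy the samples to DIR/Backup and strip the .sample suffix
activate_sample_certs() {
    dir=$1
    set -- "$dir"/*.sample
    if [ ! -e "$1" ]; then
        echo "activate_sample_certs: no *.sample files in $dir" >&2
        return 1
    fi
    # pre-flight: every target name must still be free
    for f in "$@"; do
        target=${f%.sample}
        if [ -e "$target" ]; then
            echo "activate_sample_certs: refusing, $target already exists" >&2
            return 1
        fi
    done
    mkdir -p "$dir/Backup"
    cp -p "$@" "$dir/Backup/"          # step 2: backup of the samples
    for f in "$@"; do                  # steps 3/4: drop the .sample suffix
        mv "$f" "${f%.sample}"
    done
}

# Demonstration on a throw-away directory with constructed, empty sample files.
# On a real host you would run, as root:  activate_sample_certs /opt/license-server/certs
DEMO=$(mktemp -d)
for n in ca.crt server.crt server.key; do : > "$DEMO/$n.sample"; done
activate_sample_certs "$DEMO" && ls -1 "$DEMO" "$DEMO/Backup"
rm -rf "$DEMO"
```

After the rename the license server (systemctl restart licensed) and the emulators still have to be restarted, exactly as steps 5 and 6 say; the function only handles the file operations.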
Creating Custom Certificates
Please note:
- Customers can obtain certificates from an official CA or create self-signed certificates.
- Customers are solely responsible for obtaining or creating certificates in accordance with their organization's requirements. Any scripts and documentation provided by Stromasys are for illustrative purposes only.
- The different SSP emulator types (4M/4U/4V) can use different certificates, but the certificates must all be issued from the same root CA as the root CA used by the VE license server.
Special Considerations for Custom Certificates in AutoVE mode
The Charon AL marketplace images require special considerations with respect to custom certificates if they are to use a customer-operated AutoVE server:
- Please review the general certificate information above regarding AutoVE mode.
- AL marketplace images do not have a certs subdirectory in the /opt/charon-ssp/ssp-[4m|4u|4v] directory. To use non-default certificates for AutoVE, the certs directory must be created manually.
- If an instance is configured to use an AutoVE license server using non-default certificates, the initial registration at instance launch will fail. To allow a successful registration, perform the following steps after the initial launch:
- If necessary, create the Charon certificates at the license server using the make-ssp-cert.sh or make-charon-cert.sh script, as described in the Using the Sample Scripts section below.
- Copy the resulting files and the ca.crt from the license server to /opt/charon-ssp/ssp-[4m|4u|4v]/certs of the Charon cloud instance.
- Restart the instance and verify in the license server log file (/opt/license-server/log/license.log) that the registration at the AutoVE server was successful (message example: Register from instance i-xxxxxxxxx: success.)
Using the Sample Scripts
The VE license server kit contains the following sample scripts in /opt/license-server/certs/tools for creating self-signed certificates for the license server and the Charon emulator host:
- make-root-cert.sh: sample script used to create a self-signed root certificate. Result: ca.key and ca.crt.
- make-server-cert.sh: sample script used to create the license server certificate. Result: server.key and server.crt.
- Sample script used to create the certificate for the Charon emulator host:
  - VE license server starting with version 2.1.3 but before version 2.2.2: make-ssp-cert.sh (result: ssp.key and ssp.crt).
  - VE license server starting with version 2.2.2: make-charon-cert.sh (result: charon.key and charon.crt).
Please note: in some environments, the sample scripts will log a warning message (Warning: ignoring -extensions option without -extfile). This message can normally be ignored. It is due to different OpenSSL versions supporting different parameters.
To use the sample scripts for updating the certificates used in your Charon environment, perform the following steps:
Step | Description | Examples |
---|---|---|
1 | Should there be active Charon emulators, cleanly shut down the guest systems and stop the emulators. | |
2 | If applicable, make a backup of the currently used certificates. | VE license server:<br>SSP/4U emulator host (replace ssp-4u with ssp-4v or ssp-4m as appropriate):<br># mkdir /opt/charon-ssp/ssp-4u/certs/Backup<br># cp /opt/charon-ssp/ssp-4u/certs/*.crt /opt/charon-ssp/ssp-4u/certs/Backup/ |
3 | Modify the scripts according to your needs. | |
4 | Run the provided scripts on the VE license server: | # cd /opt/license-server/certs/tools<br># ./make-root-cert.sh<br># ./make-server-cert.sh<br># ./make-ssp-cert.sh or # ./make-charon-cert.sh (depending on the license server version) |
5 | Copy the new certificates to the correct location: | Example for the license server: Please note: if the license server operates in AutoVE mode, the certificates must be copied<br>Example for a Charon-SSP/4U emulator host (replace ssp-4u with ssp-4v or ssp-4m as appropriate):<br>If the emulator host is based on a Charon marketplace image and you did not change the default user configuration, you must copy the certificates first to the charon user account using sftp, and then move the files to the correct certs directory using the interactive login via the sshuser. |
6 | Restart the VE license server. | # systemctl restart licensed |
7 | Restart emulators and guest systems. | |
License Server Log File Information
The license server log file shows whether the default certificates or custom certificates are being used.
AutoVE license server using default certificates:
**************************************************************
VE License Server v2.1.4 Copyright (C) 1998-2022 Stromasys S.A. All Rights Reserved.
**************************************************************
2022-10-05 09:18:14 INFO MAIN Build time: Sep 30 2022 15:04:22
2022-10-05 09:18:14 INFO LICENSE Web server will use default certificate: web-server.pem.default.
2022-10-05 09:18:15 INFO LICENSE Default SSL certificates are used.
2022-10-05 09:18:15 INFO MAIN license server (AutoVE) is ready to serve on port 8083.
VE license server in general VE mode using external server certificates, but the default web server certificate:
**************************************************************
VE License Server v2.1.4 Copyright (C) 1998-2022 Stromasys S.A. All Rights Reserved.
**************************************************************
2022-09-30 15:55:37 INFO MAIN Build time: Sep 30 2022 15:04:22
2022-09-30 15:55:37 INFO LICENSE Web server will use default certificate: web-server.pem.default.
2022-09-30 15:55:37 INFO MAIN license server (VE) is ready to serve on port 9093.
2022-09-30 15:55:37 INFO LICENSE External SSL certificates are used.
VE license server in general VE mode using external server certificates and custom web server certificate:
**************************************************************
VE License Server v2.1.4 Copyright (C) 1998-2022 Stromasys S.A. All Rights Reserved.
**************************************************************
2022-10-05 15:25:30 INFO MAIN Build time: Sep 30 2022 15:04:22
2022-10-05 15:25:30 INFO LICENSE Web server will use custom certificate: web-server.pem
2022-10-05 15:25:30 INFO MAIN license server (VE) is ready to serve on port 9093.
2022-10-05 15:25:30 INFO LICENSE External SSL certificates are used.
Certificates Used for Web-GUI Operation
When connecting to the VE license server web-based management GUI for the first time, the web browser will issue a warning and inform the user that the connection is not private. This is because Stromasys, when creating the installation kit, cannot foresee the actual customer environment. Thus, the SSL certificate included with the license server kit carries a dummy hostname that does not match the real hostname of the customer license server system, and it names Stromasys as the certificate authority, which is unknown to web browsers by default.
It is possible to override the warning and connect to the page. Otherwise, users must
- either obtain a certificate for the host from one of the commercial certificate authorities, or
- they must create their own self-signed certificate and add it to the web browser.
The default certificate is named web-server.pem.default and is located in /opt/license-server/certs. It is used by the license server web GUI unless there is a custom certificate named web-server.pem in the same directory. It will be overwritten by an update or a reinstallation of the license server.
Steps to create a self-signed certificate:
- Log in as the root user.
- Go to /opt/license-server/certs/tools.
- Create your private copy of the make-web-server-pem.sh script (e.g., my-make-web-server-pem.sh).
- Edit your private copy of the script to include the correct hostnames for your license server in the CN and DNS fields.
- Run your private copy of the script (e.g., my-make-web-server-pem.sh).
- This will create the files web-server.pem and web-ca.cer.
- Move or copy the file web-server.pem to the /opt/license-server/certs/ directory.
- Restart the license server (# systemctl restart licensed).
- Import the root CA (web-ca.cer) into your browser's Trusted Root Certification Authorities Certificate Store.
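The browser warning described in this section has two independent causes, an issuer the browser does not trust and a hostname that does not match the certificate, and the procedure above fixes one with the CN/DNS edit and the other with the root CA import. The following is an added example, not the Stromasys make-web-server-pem.sh script: it creates a self-signed web certificate with openssl whose CN and DNS subjectAltName carry the server's hostname, then replays both browser checks from the command line so a certificate can be validated before it is copied to /opt/license-server/certs. For simplicity the certificate is its own trust anchor (with the kit's script the anchor is web-ca.cer); the hostnames are constructed, and the exact layout of the real web-server.pem file is not described on this page and is not assumed here. Needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not the Stromasys make-web-server-pem.sh script): issue a
# web GUI certificate for a given hostname and reproduce the two checks a
# browser performs, trusted issuer and hostname match. Names are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT HUP INT TERM

# make_web_cert DIR HOST: self-signed certificate with CN=HOST and DNS:HOST in the
# subjectAltName (the two fields the page tells you to edit in the script copy)
make_web_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 825 -sha256 \
        -subj "/O=Example Lab/CN=$2" \
        -addext "subjectAltName=DNS:$2" \
        -addext 'extendedKeyUsage=serverAuth' \
        -keyout "$1/web-server.key" -out "$1/web-server.crt" 2>/dev/null
}

# browser_would_accept CERT TRUST HOST
#   TRUST is the PEM file a browser would have imported as a trusted root
#   ("" = nothing imported). The system trust store is deliberately ignored,
#   so the outcome depends only on what the browser was explicitly given.
#   Succeeds only if CERT chains to TRUST and matches HOST.
browser_would_accept() {
    cert=$1 trust=$2 host=$3
    if [ -n "$trust" ]; then set -- -CAfile "$trust"; else set --; fi
    openssl verify -no-CAfile -no-CApath "$@" -verify_hostname "$host" "$cert" >/dev/null 2>&1
}

HOST=licsrv.example.internal
make_web_cert "$WORK" "$HOST"
CERT=$WORK/web-server.crt

# Kit-like situation: nothing imported, the issuer is unknown -> warning
browser_would_accept "$CERT" "" "$HOST" \
    && echo "accepted" || echo "issuer not trusted: browser would warn"
# Root imported, but the certificate names a different host -> warning
browser_would_accept "$CERT" "$CERT" licsrv-old-name.example.internal \
    && echo "accepted" || echo "hostname mismatch: browser would warn"
# Root imported and hostname matches -> no warning
browser_would_accept "$CERT" "$CERT" "$HOST" \
    && echo "trusted issuer and matching hostname: accepted" || echo "rejected"
```

Against a running license server the same hostname check can be made on the live certificate with openssl s_client -connect host:port -verify_hostname host, which is a convenient way to confirm that the new web-server.pem is the one actually being served after the restart.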
© Stromasys, 1999-2024 - All the information is provided on the best effort basis, and might be changed anytime without notice. Information provided does not mean Stromasys commitment to any features described.