Certificates Used by the VE License Server

Certificate Usage Overview

The VE license server uses certificates for different purposes:

  • License server operation: encrypted communication between license server and license clients (emulators)

  • Web-based management GUI: encrypted (HTTPS) communication between the integrated license server web server and web browsers

This section provides an overview of the different scenarios and user options.

Certificates Used for License Server Operation

The communication between license server and license client (emulator) is encrypted. This encryption is based on TLS and requires matching certificates on the server and client sides.

Starting with VE License Server version 2.1.3, it is possible to use certificates created by the user, or certificates the user obtained from an official certificate authority (CA). This requires a matching emulator version. Currently, this is supported in Charon-SSP starting with version 5.5.5.

Older versions of the VE License Server and older versions of Charon emulator products use built-in certificates that cannot be changed.

Default Operation and Backward Compatibility

Caveat: certificates generated with the scripts in the VE License Server 2.4.9 and lower versions on RHEL 9.6 (OpenSSL 3.x) are not compatible with the Charon emulator on Rocky 8.x (OpenSSL 1.x). The scripts in VE 2.4.10 solve the problem.

By default, the VE license server and the license clients use their built-in certificate when configured for general VE mode. No action on the user's side is required in this case. However, there are some aspects to be considered:

AL Marketplace Images with Stromasys-operated Public License Servers

  • Charon host instances based on marketplace image versions using the old certificate scheme: the Stromasys-operated public license servers offer the old certificate on port 8080 as before. The Charon instances will continue to run normally using their built-in certificates. This applies, for example, to Charon-SSP images before version 5.5.5.

  • Charon host instances based on marketplace image versions using the new certificate scheme: the Stromasys-operated public license servers offer the new certificate on port 8081. The Charon instances will use their built-in certificate and automatically connect to port 8081 of the public license server. This applies, for example, to Charon-SSP images of versions 5.5.5 and higher.

  • Custom certificates are not possible if the public license servers are used.

  • At the time of writing, AL marketplace images are only available for Charon-SSP.

AL Marketplace Images with Customer-operated AutoVE License Servers

  • Emulator hosts that use AutoVE license servers are created from AL marketplace images. These images (if the feature is supported by the respective version) use the new certificates by default. The AutoVE license server must also support the new certificates for the configuration to work. An attempt to use a marketplace image that includes the new certificate version with an AutoVE server running a version that does not support the new certificates will lead to a registration failure and a Bad Certificate error in a network traffic trace.

  • Emulator hosts based on AL marketplace images supporting the new certificates cannot register with an AutoVE server not supporting the new certificates. This means, for example, that Charon-SSP instances based on marketplace instances with SSP version 5.5.5 or higher are not compatible with AutoVE servers running a VE license server version before 2.1.3.

  • A VE license server supporting the new certificates and running in AutoVE mode will always use the new certificate. Therefore, all Charon emulator hosts connecting to it must also use the new certificate.

  • AutoVE peer servers must use compatible certificates (the same or based on the same root CA). Otherwise, the synchronization will fail.

  • At the time of writing, AL marketplace images are only available for Charon-SSP.

General VE mode

  • License server side: the VE license server is initially installed using the old certificates, so backward compatibility with Charon emulator products using the old certificate is maintained.
    New certificates created by Stromasys are available in /opt/license-server/certs (file names *.sample). However, they will not become active until they are renamed such that the string .sample is removed from the name. This must be followed by a restart of the license server. Customers can also create their own certificates or obtain certificates from an official CA instead of using the certificates provided by Stromasys (described later in this document).

  • License client (emulator) side: after the new certificates have been enabled on the license server, license clients must also use the new certificates. For this, the certificates provided by Stromasys with the installation kit (e.g. for SSP/4U: /opt/charon-ssp/ssp-4u/certs/*.sample) must again be renamed to remove the string .sample from the name and the emulator must be restarted. Customers can also create their own certificates or obtain certificates from an official CA instead of using the certificates provided by Stromasys (described later in this document).

  • The *.sample certificates included in the kits cannot be used for AL or AutoVE environments.

Enabling New Certificates on License Server and Emulator

By default, the VE license server will use the old certificates to maintain compatibility. This section shows how to activate the new certificates.

Please note: all commands shown in this section are executed as the root user.

Activating the Certificates Provided by Stromasys

As part of certain RPM packages, Stromasys provides sample certificates for enabling the new certificates:

Sample certificate file names by product and version:

Product: VE license server

  • Starting with version 2.1.3:
      /opt/license-server/certs/ca.crt.sample
      /opt/license-server/certs/ca.key.sample
      /opt/license-server/certs/server.crt.sample
      /opt/license-server/certs/server.key.sample

  • Starting with version 2.4.9:
      /opt/charon-license-server/certs/ca.crt.sample
      /opt/charon-license-server/certs/ca.key.sample
      /opt/charon-license-server/certs/server.crt.sample
      /opt/charon-license-server/certs/server.key.sample

Product: Charon-SSP (emulator RPMs for VE licensing)

  • Starting with SSP version 5.5.5 (example for 4U):
      /opt/charon-ssp/ssp-4u/certs/ca.crt.sample
      /opt/charon-ssp/ssp-4u/certs/ssp.crt.sample
      /opt/charon-ssp/ssp-4u/certs/ssp.key.sample

  • Starting with SSP version 5.6.2 (example for 4U):
      /opt/charon-ssp/ssp-4u/certs/ca.crt.sample
      /opt/charon-ssp/ssp-4u/certs/charon.crt.sample
      /opt/charon-ssp/ssp-4u/certs/charon.key.sample

Please note: Charon-SSP marketplace images for licensing by Stromasys-operated public license servers (AL) or customer-operated AutoVE license servers do not contain these sample certificates. New versions of these marketplace images always use the new certificates.

 

To activate the preconfigured certificates, perform the following steps:

Step 1: Should there be active Charon emulators, cleanly shut down the guest systems and stop the emulators.

Step 2: Create a backup of the preconfigured certificates.

  VE license server, versions before 2.4.9:
    # cd /opt/license-server/certs
  VE license server, version 2.4.9 or later:
    # cd /opt/charon-license-server/certs
  All VE versions:
    # mkdir Backup
    # cp *.sample Backup

  SSP/4U emulator host (replace ssp-4u with ssp-4v or ssp-4m as appropriate):
    # cd /opt/charon-ssp/ssp-4u/certs/
    # mkdir Backup
    # cp *.sample Backup

Step 3: Rename the preconfigured certificates on the VE license server.

    # rename -v .sample '' *.sample

Step 4: Rename the preconfigured certificates on the emulator host.

  SSP/4U emulator host (replace ssp-4u with ssp-4v or ssp-4m as appropriate):
    # rename -v .sample '' *.sample

Step 5: Restart the license server.

  Versions before 2.4.9:
    # systemctl restart licensed
  Version 2.4.9 or later:
    # systemctl restart CharonLicenseServer

Step 6: Restart emulators and guest systems.
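
The backup and rename steps above as one script, with a check added before the restart that the activated certificate is signed by ca.crt and matches its private key. This is an added example, not Stromasys code. The function names are made up for illustration, the paths in the usage comment are the ones listed on this page, and the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example (not vendor code). The certs directory and the certificate
# base name are passed as arguments; function names are hypothetical.

# Copy every *.sample file to Backup/, then strip the .sample suffix.
# Stops before changing anything if an active file of that name already exists.
activate_sample_certs() {
    (
        cd "$1" || exit 1
        set -- *.sample
        if [ ! -e "$1" ]; then
            echo "no *.sample files found" >&2; exit 1
        fi
        for f in "$@"; do
            if [ -e "${f%.sample}" ]; then
                echo "refusing to overwrite ${f%.sample}" >&2; exit 1
            fi
        done
        mkdir -p Backup || exit 1
        for f in "$@"; do
            cp -p "$f" Backup/ || exit 1
            mv "$f" "${f%.sample}" || exit 1
        done
    )
}

# Succeeds only if <leaf>.crt is signed by ca.crt in the same directory and
# <leaf>.key is the private key belonging to <leaf>.crt.
verify_cert_set() {
    dir=$1; leaf=$2
    if ! openssl verify -CAfile "$dir/ca.crt" "$dir/$leaf.crt" >/dev/null 2>&1; then
        echo "$leaf.crt does not verify against ca.crt" >&2; return 1
    fi
    if [ "$(openssl x509 -in "$dir/$leaf.crt" -noout -pubkey)" != \
         "$(openssl pkey -in "$dir/$leaf.key" -pubout)" ]; then
        echo "$leaf.key does not match $leaf.crt" >&2; return 1
    fi
}

# Usage on the license server (2.4.9 or later), before restarting the service:
#   activate_sample_certs /opt/charon-license-server/certs &&
#   verify_cert_set /opt/charon-license-server/certs server
```

On an emulator host, pass the emulator certs directory and the base name of its certificate (ssp or charon, depending on the SSP version) instead of server.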

 


