Setup¶
Attention
We recommend using the latest config file as a starting point and moving changes from your old config file into the new one.
Configuration values are defined by nested XML elements in the scyld-cloud-workstation.xml config file. In Linux this can be found at /opt/scyld-cloud-workstation/bin/scyld-cloud-workstation.xml and in Windows this can be found at C:\Program Files\Penguin Computing\Scyld Cloud Workstation\scyld-cloud-workstation.xml. This section describes properties in the config file.
For the purpose of this document, we refer to properties by using dot notation. For example, config.Server.LogLevel indicates that LogLevel is a property within Server, which is a property within config. Since all properties begin with ‘config’, for brevity we ignore it. Properties are case-sensitive.
Warning
The config file and private key files contain sensitive information that can compromise security if an attacker can read them. We strongly recommend limiting read and write access to the root / system administrator account.
Warning
Scyld Cloud Workstation includes a default private key, certificate file, username, and password that are not secure and should be changed.
Applying Config File Changes¶
Saved changes to the config file are only applicable once the service restarts. The Server.Auth.ShadowPassword setting is the one exception to this rule - saved changes to it are applicable immediately.
In Linux you can restart the service using the systemctl restart command:
systemctl restart scyld-cloud-workstation.service
In Windows you can restart the service using the Services tool. First open the Task Manager by right-clicking on the Task Bar and selecting Start Task Manager. At the Task Manager, go to the Services tab and click on Services. Right-click on scyld-cloud-workstation in the list of services and select Restart from the dropdown of actions.
In MacOS you can restart the service by calling the application with the --service restart flag. For example:
# Change to the application directory
cd /Applications/scyld-cloud-workstation.app/Contents/MacOS
# Restart the service
sudo ./scyld-cloud-workstation --service restart
The Scyld Cloud Workstation sign-in page should return after a few seconds.
Config File Settings¶
The default config file comes with appropriate values for nearly all of the server settings.
In this section we discuss config settings that are commonly changed from the default config file.
License Management¶
For more information on license management, please see: Flexera License Management.
Server Authentication¶
Users are authenticated using credentials defined by the config file or by the ScyldCloudAuth web service. To disable any of these, simply comment out these elements by wrapping them with <!-- and -->.
Authentication is enabled by default and should not be disabled in production systems. Server.Auth.Enabled should always be set to true.
There are several authentication schemes supported by Scyld Cloud Workstation. Each system is independent and can be enabled in parallel.
Config File Authentication
ScyldCloudAuth Authentication
OS Credential Authentication
Config File Authentication¶
Config File Authentication uses credentials stored in the config file. The following settings control Config File Authentication:
The ShadowPassword is set by calling scyld-cloud-workstation.sh --passwd in Linux with sudo privileges, scyld-cloud-workstation.exe /passwd in Windows as an Administrator, or sudo scyld-cloud-workstation --passwd in MacOS.
Config File Authentication can be disabled by commenting or removing Server.Auth.Username and Server.Auth.ShadowPassword.
ScyldCloudAuth Authentication¶
ScyldCloudAuth Authentication uses the ScyldCloudAuth proxy service for authentication. To enable ScyldCloudAuth for authentication, set:
ScyldCloudAuth can be disabled by commenting or removing Server.Auth.ScyldCloudAuth.URL.
OS Credential Authentication¶
The credentials accepted by your remote Linux, Windows, or MacOS host can be used to sign into Scyld Cloud Workstation. This supports ActiveDirectory for Windows, and LDAP / PAM for Linux.
Important
While config file or ScyldCloudAuth usernames can be used to sign in to Scyld Cloud Workstation at any time, only a single set of OS credentials can be used to sign in at a time. This prevents different OS credentials from signing in at the same time.
This feature can be disabled by setting Server.Auth.OSAuthEnabled to false or removing it from the config file.
External Sign-In Pages¶
If your organization wants to use an external webpage for signing into Scyld Cloud Workstation, you can set the Server.Auth.ExternalSignInPage setting to the URL. The Scyld Cloud Workstation sign in page will show a link to the external sign-in page instead of the default sign-in interface.
Server Security¶
The cipher list will determine what ciphers are used to encrypt communication between your clients and your server. It is always a good idea to keep your server’s OpenSSL updated to the latest version.
We recommend using the default values for openSSL.server.cipherList.
Firewall¶
Your server host’s firewall needs to allow incoming connections to the server over port 443 if you are using HTTPS or port 80 if you are using HTTP.
In Linux, you will have to update your firewall using iptables. In most cases, adding the following line to your rules file (CentOS/RHEL: /etc/sysconfig/iptables) and restarting the iptables service will allow incoming HTTPS traffic.
# Allow all https
-A INPUT -p tcp --dport 443 -j ACCEPT
Change 443 to 80 in the line above to accept incoming HTTP traffic over port 80 instead.
In Windows these rules are automatically set by the installer and removed by the uninstaller.
HTTPS / SSL Certificates¶
HTTPS and trusted SSL certificates are required to make all of your interactions with the server secure.
To ensure that connections are using the latest TLS protocol (as of 2015), set openSSL.server.requireTLSv1_2 to true and enable HTTPS by setting Server.Secure to true.
Set openSSL.server.privateKeyFile and openSSL.server.certificateFile to the appropriate private key and SSL certificate paths.
If you have set a passphrase for your private key you will need to set openSSL.server.privateKeyPassphraseHandler.options.password.
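A check of the recommendations made so far (Server.Auth.Enabled, Server.Secure and openSSL.server.requireTLSv1_2 set to true, and the config and private key files closed to other accounts), written as an added example rather than vendor code. The sample XML, the domain.key file name, the case-insensitive reading of true and the POSIX permission test are assumptions; the ShadowPassword check uses the $6$<salt>$<hash> form given in the Settings Glossary.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample (not a shipped config): nesting follows the page's dot
# notation, with "config" as the root element.
SAMPLE_CONFIG = """<config>
  <Server>
    <Secure>true</Secure>
    <Auth>
      <Enabled>false</Enabled>
      <Username>admin</Username>
      <ShadowPassword>$6$constructedsalt$constructedhash</ShadowPassword>
    </Auth>
  </Server>
  <openSSL>
    <server>
      <privateKeyFile>domain.key</privateKeyFile>
      <certificateFile>domain.crt</certificateFile>
      <requireTLSv1_2>false</requireTLSv1_2>
    </server>
  </openSSL>
</config>
"""

# Settings this page says to keep at true. A missing or commented-out element
# falls back to the documented default, which is true for all three.
MUST_BE_TRUE = ("Server.Auth.Enabled", "Server.Secure",
                "openSSL.server.requireTLSv1_2")


def get_property(root, dotted, default=None):
    """Look up a dot-notation property (written without the leading 'config')."""
    node = root.find(dotted.replace(".", "/"))
    if node is None or node.text is None:
        return default
    return node.text.strip()


def audit(config_path):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    root = ET.parse(config_path).getroot()

    for name in MUST_BE_TRUE:
        value = get_property(root, name, "true")
        if value.lower() != "true":  # assumption: 'true' is read case-insensitively
            findings.append(f"{name} is {value!r}, expected 'true'")

    shadow = get_property(root, "Server.Auth.ShadowPassword")
    if shadow is not None:
        fields = shadow.split("$")  # "$6$salt$hash" -> ["", "6", salt, hash]
        if len(fields) < 4 or fields[1] != "6" or not fields[2] or not fields[-1]:
            findings.append("Server.Auth.ShadowPassword is not in $6$<salt>$<hash> form")

    # The config file and the private key must not be open to group or other.
    sensitive = [config_path]
    key = get_property(root, "openSSL.server.privateKeyFile")
    if key:
        # A relative key path is resolved against the xml config file.
        base = os.path.dirname(os.path.abspath(config_path))
        sensitive.append(os.path.join(base, key))
    for path in sensitive:
        if not os.path.exists(path):
            findings.append(f"{path} does not exist")
        elif stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            findings.append(f"{path} is accessible to group or other users")
    return findings


if __name__ == "__main__":
    # Write the constructed sample to a scratch directory and audit it.
    with tempfile.TemporaryDirectory() as tmp:
        cfg = os.path.join(tmp, "scyld-cloud-workstation.xml")
        key = os.path.join(tmp, "domain.key")
        for path, text, mode in ((cfg, SAMPLE_CONFIG, 0o600),
                                 (key, "constructed", 0o644)):
            with open(path, "w") as fh:
                fh.write(text)
            os.chmod(path, mode)
        for finding in audit(cfg):
            print("FINDING:", finding)
```

On a real host, pass the installed config path to audit() instead of the scratch copy.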
An SSL certificate signed by a trusted certificate authority (CA) is used to encrypt and authenticate communication between a browser and server. To obtain an SSL certificate from a CA, you need to generate a certificate signing request (CSR) and submit it to the CA. A list of popular CAs is given below:
Linux users need to install OpenSSL on the server to complete setup. For example:
# CentOS and Rocky Linux
sudo yum install openssl
# Ubuntu
sudo apt-get install openssl
The following sections describe how to use the openssl command to create a new private key and CSR, a new CSR from an existing private key, and a self-signed SSL certificate (not recommended).
Create a Private Key and a CSR¶
Use the openssl command to create a 2048-bit private key (domain.key) and a CSR (domain.csr). If your CA supports SHA-2, add the -sha256 option to sign the CSR with SHA-2.
openssl req -newkey rsa:2048 -nodes -sha256 -keyout domain.key -out domain.csr
Fill out the prompted questions to complete the CSR.
Warning
The contents of your private key should never be shared with anyone.
Create a CSR from an Existing Private Key¶
To create a CSR from an existing private key:
openssl req -key domain.key -new -out domain.csr
Fill out the prompted questions to complete the CSR.
Create a Private Key and Self-Signed SSL Certificate¶
You can create a self-signed SSL certificate instead of having one signed by a CA. The disadvantage to this is that in order to establish trust between the browser and the server, you must make a security exception for this certificate when you visit the page or install it in every browser.
openssl req \
-newkey rsa:2048 -nodes -sha256 -keyout domain.key \
-x509 -days 365 -out domain.crt
Fill out the prompted questions to complete the CSR.
Warning
The contents of your private key should never be shared with anyone.
Create a Self-Signed SSL Certificate from an Existing Private Key¶
To create a self-signed certificate from an existing private key:
openssl req \
-key domain.key -new \
-x509 -sha256 -days 365 -out domain.crt
Fill out the prompted questions to complete the CSR.
Settings Glossary¶
In this section we describe all of the settings available in the config file.
Note
All changes to Scyld.Auth settings except Scyld.Auth.Enabled take effect without a service restart.
Server.LogLevel¶
The verbosity of output in the log file.
The LogLevel value can be any one of the following (ordered least-to-most verbose): ‘none’, ‘fatal’, ‘critical’, ‘error’, ‘warning’, ‘notice’, ‘information’, ‘debug’, and ‘trace’.
Server.LogFormat¶
Format of the output. Defaults to:
%Y-%m-%d %H:%M:%S.%i:%q%q:%t
The format pattern is used as a template to format the message and is copied character by character except for the following special characters, which are replaced by the corresponding value.
| Pattern | Description |
|---|---|
| %s | message source |
| %t | message text |
| %l | priority level (1 .. 7) |
| %p | priority (Fatal, Critical, Error, Warning, Notice, Information, Debug, Trace) |
| %q | abbreviated message priority (F, C, E, W, N, I, D, T) |
| %P | process identifier |
| %T | thread name |
| %I | thread identifier (numeric) |
| %N | node or host name |
| %U | source file path (empty string if not set) |
| %u | source line number (0 if not set) |
| %w | date/time abbreviated weekday (Mon, Tue, …) |
| %W | date/time full weekday (Monday, Tuesday, …) |
| %b | date/time abbreviated month (Jan, Feb, …) |
| %B | date/time full month (January, February, …) |
| %d | date/time zero-padded day of month (01 .. 31) |
| %e | date/time day of month (1 .. 31) |
| %f | date/time space-padded day of month ( 1 .. 31) |
| %m | date/time zero-padded month (01 .. 12) |
| %n | date/time month (1 .. 12) |
| %o | date/time space-padded month ( 1 .. 12) |
| %y | date/time year without century (70) |
| %Y | date/time year with century (1970) |
| %H | date/time hour (00 .. 23) |
| %h | date/time hour (00 .. 12) |
| %a | date/time am/pm |
| %A | date/time AM/PM |
| %M | date/time minute (00 .. 59) |
| %S | date/time second (00 .. 59) |
| %i | date/time millisecond (000 .. 999) |
| %c | date/time centisecond (0 .. 9) |
| %F | date/time fractional seconds/microseconds (000000 - 999999) |
| %z | time zone differential in ISO 8601 format (Z or +NN.NN) |
| %Z | time zone differential in RFC format (GMT or +NNNN) |
| %L | convert time to local time (must be specified before any date/time specifier; does not itself output anything) |
| %E | epoch time (UTC, seconds since midnight, January 1, 1970) |
| %v[width] | the message source (%s) but text length is padded/cropped to ‘width’ |
| %[name] | the value of the message parameter with the given name |
| %% | percent sign |
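Because the pattern is copied character by character, the same Server.LogFormat string can be turned back into a parser for the log file. The following added example (not vendor code) compiles a format into a regular expression and keeps the records at or above a chosen priority; it handles only a subset of the specifiers, and the log lines and their message text are constructed, not taken from the product.

```python
import re

DEFAULT_FORMAT = "%Y-%m-%d %H:%M:%S.%i:%q%q:%t"   # default given on this page
SEVERITY = "FCEWNIDT"                             # %q letters, most severe first

# Regex fragment per specifier; a subset of the table, enough for the default
# format plus a few common fields.
SPECIFIERS = {
    "Y": r"\d{4}", "m": r"\d{2}", "d": r"\d{2}",
    "H": r"\d{2}", "M": r"\d{2}", "S": r"\d{2}", "i": r"\d{3}",
    "q": r"[FCEWNIDT]",
    "p": r"Fatal|Critical|Error|Warning|Notice|Information|Debug|Trace",
    "P": r"\d+", "I": r"\d+",
    "t": r".*",
}


def compile_log_format(fmt):
    """Translate a LogFormat pattern into a compiled regex with named groups."""
    parts, seen, i = [], set(), 0
    while i < len(fmt):
        if fmt[i] != "%" or i + 1 == len(fmt):
            parts.append(re.escape(fmt[i]))       # literal character
            i += 1
            continue
        code = fmt[i + 1]
        i += 2
        if code == "%":
            parts.append("%")
        elif code == "L":
            continue                              # %L outputs nothing
        elif code not in SPECIFIERS:
            raise ValueError(f"%{code} is not handled by this example")
        elif code in seen:
            # A repeated specifier prints the same value again, so require it.
            parts.append(f"(?P={code})")
        else:
            seen.add(code)
            parts.append(f"(?P<{code}>{SPECIFIERS[code]})")
    return re.compile("".join(parts))


def parse_line(regex, line):
    """Return the fields of one log line, or None if it does not fit the format."""
    match = regex.fullmatch(line.rstrip("\n"))
    return match.groupdict() if match else None


def at_least(lines, fmt=DEFAULT_FORMAT, threshold="W"):
    """Return parsed records whose %q priority is `threshold` or more severe."""
    regex = compile_log_format(fmt)
    if "q" not in regex.groupindex:
        raise ValueError("format has no %q field to filter on")
    cutoff = SEVERITY.index(threshold)
    records = (parse_line(regex, line) for line in lines)
    return [r for r in records if r and SEVERITY.index(r["q"]) <= cutoff]


# Constructed lines in the shape the default format produces
SAMPLE_LINES = [
    "2024-05-01 13:37:42.123:WW:constructed message: sign-in rejected",
    "2024-05-01 13:37:43.004:II:constructed message: session started",
    "2024-05-01 13:37:44.250:EE:constructed message: certificate load failed",
    "not a log line",
]

if __name__ == "__main__":
    for record in at_least(SAMPLE_LINES):
        print(record["q"], record["t"])
```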
Server.LogFile¶
A path to the log file of the Scyld Cloud Workstation server. By default this can be found in the directory of the Scyld Cloud Workstation executable and is named scyld-cloud-workstation.log. For more information on log output, see Log Output.
Changed in v5.0.0. Default value changed.
Server.LogViewer.Enabled¶
Set to true to show links to the server and service log files in the Settings menu. Defaults to false.
Server.BootLogFile¶
Windows only. A path to the log file of the Scyld Cloud Workstation meta-server. By default this can be found in the directory of the Scyld Cloud Workstation executable and is named service.log. For more information on log output, see Log Output.
Changed in v5.0.0. Previously named Server.ServiceLogFile in v2.2.0. Default value changed.
Server.LocalCursor¶
Determines if the client’s local cursor should be shown instead of the remote cursor. Enabling local cursor typically improves the user experience. Defaults to true.
Added in v2.2.0.
Server.AutoLock¶
Determines if Scyld Cloud Workstation calls on the OS to lock the desktop upon disconnecting from the web page. Experimental. Defaults to false.
Warning
NOTE: In Linux, screen locking is achieved by entering Ctrl+Alt+l on behalf of the user. While this will lock the screen for most, this feature is not guaranteed to work on all Linux systems.
Updated in v5.0.0.
Server.IdleUserTimeout¶
The length of time (in minutes) that users must be inactive before all users are disconnected. This feature is disabled if the value is 0.0 or less. Defaults to 120.
Added in v5.0.0.
Server.Port¶
The port number used by the server. Defaults to 443 if Server.Secure is true or 80 if Server.Secure is false.
Server.Secure¶
Determines if the server operates over HTTPS (recommended). Defaults to true.
Server.LicenseFile¶
Specifies a license file path or a port@host address where a Scyld FlexLM license server is hosted. If the default license server port is being used (27002), then @host is also acceptable. Defaults to scyld-cloud-workstation.lic.
For more information on installing license files, see Flexera License Management.
Added in v5.0.0.
Server.StartDelay¶
Specifies a sleep time to delay the start-up of Scyld Cloud Workstation in seconds. Defaults to 0.
Added in v5.0.0.
Server.Auth.Enabled¶
Determines if authentication is enabled and valid credentials are required to sign-in (recommended). Defaults to true.
If false, then all authentication is disabled and any credentials can be used to sign-in. Guest invites are also disabled in this case.
Note
Changing this value only takes effect after a service restart.
Server.Auth.ExternalSignInPage¶
A URL to your organization’s custom sign-in page. When this value is set to a non-empty string the normal sign-in user interface is replaced with a link to the custom sign-in page.
Note
Setting this value does not enable or disable any authentication protocols. Users may still be able to sign in using ajax calls even if the normal sign-in user interface is disabled.
Added in v9.1.
Server.Auth.Username¶
Declares a username to be used in combination with the password defined by Server.Auth.ShadowPassword at the Scyld Cloud Workstation sign in page.
Config File Authentication can be disabled by commenting or removing Server.Auth.Username and Server.Auth.ShadowPassword. This must be specified with Server.Auth.ShadowPassword and is not necessarily the same as the username used by the remote operating system.
Note
Changing this value takes effect without a service restart.
Changed in v5.0.0.
Server.Auth.ShadowPassword¶
A shadowed password used to sign in to the Scyld Cloud Workstation sign in page. Config File Authentication can be disabled by commenting or removing Server.Auth.Username and Server.Auth.ShadowPassword. The format is as follows:
$6$<salt>$<hash>
The initial 6 value should never be changed and signals that SHA-512 should be used. The <salt> and the plain text password are used to create the hashed password using the UNIX crypt method. See http://linux.die.net/man/3/crypt for more information on UNIX crypt.
Warning
Even though the ShadowPassword value encrypts your password, its contents should remain private. If you suspect that any part of the ShadowPassword has been compromised, please change your password immediately using our password update utility:
Linux:
sudo scyld-cloud-workstation.sh --passwd
Windows:
scyld-cloud-workstation.exe /passwd
MacOS:
sudo scyld-cloud-workstation --passwd
Note
Changing this value takes effect without a service restart.
Changed in v11.1.0.
Server.Auth.MinPasswordLength¶
The built-in password updater uses this value to require a minimum password length for Server.Auth.ShadowPassword and Server.Broker.ShadowPassword. This defaults to 6.
Note
Changing this value takes effect without a service restart.
Changed in v11.1.0.
Server.Auth.FailAttempts¶
The number of unsuccessful sign in attempts a client is allowed before the server temporarily rejects future requests from that client for a time period specified by Server.Auth.FailDelay. This helps reduce brute force attacks.
Note
Changing this value takes effect without a service restart.
Changed in v5.0.0.
Server.Auth.FailDelay¶
The length of time that the server will reject sign in requests from clients that repeatedly fail to sign in. See Server.Auth.FailAttempts for more information.
Note
Changing this value takes effect without a service restart.
Changed in v5.0.0.
Server.Auth.ScyldCloudAuth.URL¶
The URL to the Scyld Cloud Auth authentication web service. Only applies to Scyld Cloud Manager products.
Note
Changing this value takes effect without a service restart.
Changed in v5.0.0.
Server.Auth.ScyldCloudAuth.Allow¶
A list of <Username></Username> elements. Case insensitive. Each <Username> element enables a username to be authenticated by ScyldCloudAuth. Username elements can use asterisk wildcard characters (i.e. *@penguincomputing.com will enable all usernames that end in @penguincomputing.com).
Note
Changing this value takes effect without a service restart.
Changed in v11.0.0.
Server.Auth.ScyldCloudAuth.Deny¶
A list of <Username></Username> elements. Case insensitive. Each <Username> element disables a username from being authenticated by ScyldCloudAuth. Usernames that are mentioned by both the Deny and Allow list are denied.
Username elements can use asterisk wildcard characters (i.e. *@penguincomputing.com will enable all usernames that end in @penguincomputing.com).
Note
Changing this value takes effect without a service restart.
Changed in v11.0.0.
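How the Allow and Deny lists combine, as an added example that is not the product's code: entries are matched case-insensitively, only the asterisk is a wildcard, and a Deny match overrides an Allow match. The XML fragment and the Contractor* entry are constructed, and refusing a username that matches neither list is an assumption this page does not state.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fragment in the shape of the Allow / Deny settings
SAMPLE = """<config><Server><Auth><ScyldCloudAuth>
  <Allow>
    <Username>*@penguincomputing.com</Username>
  </Allow>
  <Deny>
    <Username>Contractor*@penguincomputing.com</Username>
  </Deny>
</ScyldCloudAuth></Auth></Server></config>"""


def load_lists(xml_text):
    """Return (allow, deny) pattern lists from the config XML."""
    root = ET.fromstring(xml_text)
    base = "Server/Auth/ScyldCloudAuth/"

    def read(tag):
        return [u.text.strip() for u in root.findall(base + tag + "/Username")
                if u.text and u.text.strip()]

    return read("Allow"), read("Deny")


def pattern_to_regex(pattern):
    """Translate one <Username> entry into a case-insensitive regex.

    Only '*' is a wildcard. Every other character is escaped, so '.', '?'
    or '[' inside an entry match themselves and nothing else.
    """
    literal_parts = (re.escape(part) for part in pattern.split("*"))
    return re.compile(".*".join(literal_parts), re.IGNORECASE)


def matches_any(username, patterns):
    # fullmatch anchors both ends: "*@penguincomputing.com" must not accept
    # "user@penguincomputing.com.example.org".
    return any(pattern_to_regex(p).fullmatch(username) for p in patterns)


def may_authenticate(username, allow, deny):
    """Deny wins over Allow. ASSUMPTION: a name on neither list is refused."""
    username = username.strip()
    if matches_any(username, deny):
        return False
    return matches_any(username, allow)


def review(usernames, xml_text=SAMPLE):
    """Map each username to the decision the two lists produce."""
    allow, deny = load_lists(xml_text)
    return {name: may_authenticate(name, allow, deny) for name in usernames}


if __name__ == "__main__":
    # Constructed usernames
    for name, allowed in review([
        "Alice@PenguinComputing.com",
        "contractor7@penguincomputing.com",
        "alice@penguincomputing.com.example.org",
        "bob@example.org",
    ]).items():
        print(f"{name}: {'allow' if allowed else 'deny'}")
```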
Server.Auth.ScyldCloudAuth.ApiKey¶
A string that uniquely identifies the server. This is required to make privileged Scyld Cloud Auth web service calls.
Added in v9.1.
Server.Auth.ScyldCloudAuth.ApiSecret¶
A string that represents a shared secret between Scyld Cloud Workstation and the Scyld Cloud Auth server. This is required to make privileged Scyld Cloud Auth web service calls.
Added in v9.1.
Server.Auth.Session.DefaultTimeout¶
The lifetime (in seconds) of a session token that starts upon successfully signing in. Session tokens let you access protected resources from the server such as creating a new remote-visualization connection. Increasing this value means a longer period of time you can access the resources without signing in again.
Existing remote-visualization connections are unaffected by session token timeouts. Defaults to 60 seconds.
Note
Changing this value takes effect without a service restart.
Changed in v5.0.0.
Server.Auth.OSAuthEnabled¶
Determines if authentication using OS credentials is enabled. Defaults to true.
Important
While config file or ScyldCloudAuth usernames can be used to sign in to Scyld Cloud Workstation at any time, only a single set of OS credentials can be used to sign in at a time. This prevents different OS credentials from signing in at the same time.
Note
Changing this value takes effect after a service restart.
Added in v6.1.0.
Server.Auth.Session.OnSignIn¶
The path of a script to execute immediately after signing in. The script is passed the system account name of the user as an argument. By default this is not set, but it can be used for custom sign-in initialization.
Note
Changing this value takes effect without a service restart.
Changed in v5.0.0.
Server.Auth.PAM.Service¶
The name of the PAM (Pluggable Authentication Module) service. Defaults to login.
Added in v8.0.0.
Server.Broker.Username¶
Declares a username to be used in combination with the password defined by Server.Broker.ShadowPassword for accessing API calls only.
Config File Authentication can be disabled by commenting or removing Server.Broker.Username and Server.Broker.ShadowPassword. This must be specified with Server.Broker.ShadowPassword and is not necessarily the same as the username used by the remote operating system.
Note
Changing this value takes effect without a service restart.
Changed in v11.0.0.
Server.Broker.ShadowPassword¶
A shadowed password used to sign in to the Scyld Cloud Workstation sign in page. Config File Authentication can be disabled by commenting or removing Server.Broker.Username and Server.Broker.ShadowPassword. The format is as follows:
$6$<salt>$<hash>
The initial 6 value should never be changed and signals that SHA-512 should be used. The <salt> and the plain text password are used to create the hashed password using the UNIX crypt method. See http://linux.die.net/man/3/crypt for more information on UNIX crypt.
Warning
Even though the ShadowPassword value encrypts your password, its contents should remain private. If you suspect that any part of the ShadowPassword has been compromised, please change your password immediately using our password update utility:
Linux:
sudo scyld-cloud-workstation.sh --broker-passwd
Windows:
scyld-cloud-workstation.exe /broker-passwd
MacOS:
sudo scyld-cloud-workstation --broker-passwd
Note
Changing this value takes effect without a service restart.
Changed in v11.1.0.
Server.Audio.Enabled¶
Determines if fetching the remote server’s audio is allowed. Defaults to true.
If true, the remote server’s audio can be streamed.
If false, the remote server’s audio can not be streamed.
Added in v10.0.0.
Server.Audio.Output.BufferTime¶
The buffering time (in seconds) for the audio output stream.
Lowering the time improves synchronization with the video stream, but may result in more playback skipping.
Increasing the time results in a more stable playback, but adds latency to audio playback and causes it to be less synchronized with the video stream.
Note
If you are using devices that add additional latency (such as bluetooth speakers) then lowering this value may be beneficial.
Defaults to 0.020.
Changed in v10.2.0.
Server.Audio.Output.SampleRate¶
Determines the audio sample rate in Hz. Higher sample rates lead to better audio quality, but consume more bandwidth. Supported values are 96000, 48000, 44100, and 22050.
Note
CD audio quality can be achieved with a sample rate of 44100 Hz and a format of s16le.
Defaults to 44100.
Updated in v11.3.0. Added new supported values.
Server.Audio.Output.Stream.Format¶
Determines the audio output format. Note that audio bit depth (i.e., bits per sample) differs for each of the supported PCM formats below. Higher bit depth may improve audio quality, but will consume more bandwidth.
Note
CD audio quality can be achieved with a sample rate of 44100 Hz and a format of s16le.

| Format | Description |
|---|---|
| s8 | PCM 8-bit signed integer little endian |
| s16le | PCM 16-bit signed integer little endian |
| s24le | PCM 24-bit signed integer little endian |
| f32le | PCM 32-bit floating point little endian |

Defaults to s16le.
Added in v10.2.0.
Server.Audio.Output.Stream.Device¶
Linux Only. Determines the pulseaudio monitor sink to fetch audio from on the server. These names must end with .monitor. Usually this value is automatically detected and updated to reflect the operating system’s default audio device.
To force the system to use a specific device, use the command:
pactl list short sinks
to see a list of the device names. In the example below, there are two available sinks:
[root@server ~]# pactl list short sinks
0 alsa_output.pci-0000_00_04.0.analog-stereo ...(additional text)...
1 alsa_output.pci-0000_00_05.0.analog-stereo ...(additional text)...
To select the first device, set the value of this setting to: alsa_output.pci-0000_00_04.0.analog-stereo.monitor.
Defaults to auto.
Added in v10.0.0.
Server.Keyboard.LocalhostAutoAssign¶
When set to ‘true’, host users that connect to a ‘localhost’ server are eligible to be automatically assigned control of the keyboard and mouse. This may be useful for certain VPN solutions that map remote addresses to ‘localhost’ addresses.
When set to ‘false’, host users that connect to a local machine can only receive control of the keyboard and mouse if it is assigned through the user interface.
Defaults to false.
Added in v12.3.0.
Server.VideoSource¶
The video capture mechanism. Scyld Cloud Workstation currently supports these video sources: x11, nvfbc, stream, windda, and auto (default).
The x11 video source uses software encoding and only works for Linux systems. It supports a max frame rate of up to 60 fps.
The nvfbc video source is for Linux systems with an NVIDIA GPU and driver that support NVIDIA GRID or NVIDIA NvFBC. It supports a max frame rate of up to 60 fps.
The windda video source is optimized for Windows and supports a max frame rate of up to 60 fps.
The stream video source uses software encoding and is available on all operating systems. This video source supports a max frame rate of up to 60 fps on ARM-based Macs, and 30 fps on all other systems.
The auto video source will try to select the best video source for your system based on what is supported. On Windows systems, windda is selected. On Linux systems that support NVIDIA GRID or NVIDIA NvFBC, nvfbc is selected (otherwise x11 is selected). On MacOS systems, stream is selected.
Changed in v12.2.0. Added nvfbc.
Server.Video.MaxWidth¶
Any server-side video that exceeds this width is scaled down to this value. This is primarily used to prevent clients from receiving video with resolutions so high that the client can not process them fast enough.
A value of -1 disables this threshold.
Defaults to 2560.
Updated in v5.0.0. Changed default.
Server.Video.MaxHeight¶
Any server-side video that exceeds this height is scaled down to this value. This is primarily used to prevent clients from receiving video with resolutions so high that the client can not process them fast enough.
A value of -1 disables this threshold.
Defaults to 1440.
Updated in v5.0.0. Changed default.
Server.MultiUser.MaxClientCount¶
The maximum number of clients that can be connected at a time. Defaults to 6.
Added in v3.0.0.
Server.Video.Encoding.H264.AvgBitRate¶
This setting can be used to improve image quality at the cost of using more bandwidth.
The average video bit-rate is calculated by using a linear regression of two values based on the resolution of the screen and the number of bits per second, respectively. For more information, please see: Configure Video Bit-Rate
Defaults to 1280x720=3000k,1920x1080=6000k.
Updated in v9.1.9. Increased defaults.
Server.Video.Encoding.H264.StartFrameRate¶
Initial frame rate. Measured in frames per second. Defaults to 24.
Added in v2.2.0.
Server.Video.Encoding.H264.MinFrameRate¶
The lowest valid frame rate for a connection. Measured in frames per second. Defaults to 2.
Added in v2.2.0.
Server.Video.Encoding.H264.MaxFrameRate¶
The highest allowable frame rate for a connection. Measured in frames per second. Defaults to 30.
Windows using the default ‘windda’ video source and ARM-based Mac servers can support frame rates up to 60.
Server.VirtualHere.AllowedUsbDevices¶
A comma-separated list of USB device names (or parts of device names) that the server will match against to allow USB forwarding from clients. When this list is empty, all USB devices are allowed to be forwarded.
For example, the following setting in the configuration file would allow the server to only accept USB devices that have the word Wacom or Speedline in their name:
<AllowedUsbDevices>Wacom,Speedline</AllowedUsbDevices>
Server.QoS.Enabled¶
Enables the automatic adjustment of frame rate to adapt to current performance conditions. Frame rate will start at Server.Video.Encoding.H264.StartFrameRate and jump between Server.Video.Encoding.H264.MinFrameRate and Server.Video.Encoding.H264.MaxFrameRate.
Setting this to false will cause the server to send a constant frame rate specified by Server.Video.Encoding.H264.StartFrameRate. Server.Video.Encoding.H264.MinFrameRate and Server.Video.Encoding.H264.MaxFrameRate are ignored in this case.
Defaults to true.
openSSL¶
All elements within the openSSL tag are described in the Poco SSLManager documentation.
openSSL.server.privateKeyFile¶
The path to the file containing the private key for the certificate in PEM format (or containing both the private key and the certificate). This path can be absolute or relative to the xml config file. Required for HTTPS support.
openSSL.server.certificateFile¶
The path to the file containing the server’s or client’s certificate in PEM format. Can be omitted if the file given in privateKeyFile contains the certificate as well. This path can be absolute or relative to the xml config file.
openSSL.server.verificationMode¶
Specifies whether and how peer certificates are validated (see the Poco Context class for details). Valid values are none, relaxed, strict, and once. Defaults to none.
Changed in v3.0.0. Default value changed.
openSSL.server.loadDefaultCAFile¶
Boolean value. Specifies whether the builtin CA certificates from OpenSSL are used. Defaults to true.
openSSL.server.cipherList¶
Specifies the supported ciphers in OpenSSL notation.
Changed in v3.0.0. Default value changed.
openSSL.server.privateKeyPassphraseHandler.name¶
Defaults to KeyFileHandler. The name of the Poco class used for obtaining the passphrase for accessing the private key. If your private key does not use a passphrase, this value is ignored.
Added in v2.2.0. Default value changed.
openSSL.server.privateKeyPassphraseHandler.options.password¶
The private key passphrase (ignored if there is no passphrase for the private key).
openSSL.server.invalidCertificateHandler.name¶
This should be set to ConsoleCertificateHandler. The name of the class used for confirming invalid certificates. Defaults to RejectCertificateHandler.
Added in v2.2.0. Default value changed.
openSSL.server.cacheSessions¶
This should be set to false. Enables or disables session caching.
openSSL.server.extendedVerification¶
Enable or disable the automatic post-connection extended certificate verification.
openSSL.server.requireTLSv1_2¶
Require a TLSv1.2 connection. Defaults to true.
Added in v2.2.0. Default value changed.
openSSL.client.verificationMode¶
Specifies whether and how peer certificates are validated when the server acts as a client to a third-party host (see the Poco Context class for details). Valid values are none, relaxed, strict, and once. Defaults to relaxed. Setting this value to none is not recommended.
Added in v3.0.0.
openSSL.fips¶
Enable or disable OpenSSL FIPS mode. Only supported if the OpenSSL version that this library is built against supports FIPS mode.
Client Settings¶
Clients and browsers that meet the requirements listed in Client Requirements support TLS 1.2, WebGL, and WebSockets by default and require no further setup.
Attention
Contact your system administrator if TLS 1.2, WebGL, or WebSockets are disabled.