ID: DT04L00069
Version: NoMachine 4
Added on: 2014-04-08
Last Update: 2016-08-29

How to use different keys or certificates with NoMachine 4

 

Table of Contents

1. How to replace the SSL certificate for nxd
2. How to replace the SSL certificate for nxhtd
3. How to replace the RSA key pair for nxsshd
4. How to replace the DSA Key Pair for the Remote Nodes
5. How to replace the DSA Key Pair for the Cluster

 

 

1. How to replace the SSL certificate for nxd

nxd is the NoMachine Network Daemon, required for connections over the NX protocol. Its SSL certificate consists of:

<installation directory>/etc/keys/host/nx_host_rsa_key.crt
<installation directory>/etc/keys/host/nx_host_rsa_key

where <installation directory> is

/usr/NX on Linux,

/Applications/NoMachine.app/Contents/Frameworks/ on Mac OS X and

c:\Program Files\NoMachine on Windows.


How to generate and use a new certificate and private key

Step 1

To generate a new certificate and private key for nxd, run from console:

<installation directory>/bin/nxkeygen -k privatekey -c certificate [-n length]

Important:

If you are using NoMachine tools on Linux or Mac OS X you need to set the LD_LIBRARY_PATH before running the nxkeygen tool. For example on Linux:

# export LD_LIBRARY_PATH=/usr/NX/lib
# <installation directory>/bin/nxkeygen -k privatekey -c certificate [-n length]

Then make sure that the new certificate and key have the same names as the original ones, with the proper permissions and ownership. On Linux they should look like this:

-rw------- 1 nx root 1675 2013-11-18 12:18 nx_host_rsa_key
-rw-r--r-- 1 nx root 1090 2013-11-18 12:18 nx_host_rsa_key.crt

and on Mac OS X like this:

-rw------- 1 nx wheel 1679 Apr 8 16:21 nx_host_rsa_key
-rw-r--r-- 1 nx wheel 1090 Apr 8 16:21 nx_host_rsa_key.crt

 

Step 2

Restart nxd once the new certificate and key have been generated. Run from console:

<installation directory>/bin/nxserver --restart nxd

nxd can also be restarted from the Server preferences GUI.

Step 3

In the case of Cloud Server and the web player, it's necessary to update client.crt by adding the content of the new certificate nx_host_rsa_key.crt.

For example on Linux, if the new certificate is placed in /usr/NX:

# echo "Host:localhost" > /var/NX/nxhtd/.nx/config/client.crt
# cat /usr/NX/etc/keys/host/nx_host_rsa_key.crt >> /var/NX/nxhtd/.nx/config/client.crt
# echo "Host:127.0.0.1" >> /var/NX/nxhtd/.nx/config/client.crt
# cat /usr/NX/etc/keys/host/nx_host_rsa_key.crt >> /var/NX/nxhtd/.nx/config/client.crt

Both entries, Host:localhost and Host:127.0.0.1, must be present in client.crt, which should look like:

Host:localhost
-----BEGIN CERTIFICATE-----
MIIC9zCCAd+gAwIBAgIRAP4YLqSxLm9xey/k41vmu+cwDQYJKoZIhvcNAQEFBQAw
(......)
-----END CERTIFICATE-----
Host:127.0.0.1
-----BEGIN CERTIFICATE-----
MIIC9zCCAd+gAwIBAgIRAP4YLqSxLm9xey/k41vmu+cwDQYJKoZIhvcNAQEFBQAw
(....)
-----END CERTIFICATE-----


Important:

On Mac OS X the certificate is /Library/Application\ Support/NoMachine/var/nxhtd/.nx/config/client.crt and on Windows it is C:\ProgramData\NoMachine\nxhtd\.nx\config\client.crt
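Step 3 as a pair of shell functions, added here as an example (not NoMachine code): one builds client.crt with both Host entries, the other confirms after a rotation that each entry carries the current certificate. The function names are hypothetical and the demo certificate is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not NoMachine code.

# build_client_crt CERT OUT: write "Host:<name>" plus the PEM certificate,
# once for localhost and once for 127.0.0.1.
build_client_crt() {
    cert=$1 out=$2
    # client.crt holds public material only: accept a certificate, never a key.
    grep -q '^-----BEGIN CERTIFICATE-----$' "$cert" || return 1
    if grep -q 'PRIVATE KEY' "$cert"; then return 1; fi
    tmp=$(mktemp) || return 1
    for host in localhost 127.0.0.1; do
        printf 'Host:%s\n' "$host"
        awk 1 "$cert"          # like cat, but guarantees a final newline
    done > "$tmp" || { rm -f "$tmp"; return 1; }
    # Redirecting into OUT keeps the owner and mode of an existing file.
    cat "$tmp" > "$out"; rc=$?
    rm -f "$tmp"
    return $rc
}

# check_client_crt CERT FILE: succeed only if both Host entries exist and
# each is followed by exactly the certificate in CERT.
check_client_crt() {
    cert=$1 file=$2
    for host in localhost 127.0.0.1; do
        block=$(awk -v h="Host:$host" '
            $0 == h { grab = 1; next }
            grab    { print }
            grab && /^-----END CERTIFICATE-----$/ { exit }' "$file")
        [ -n "$block" ] && [ "$block" = "$(awk 1 "$cert")" ] || return 1
    done
}

# Demo in a scratch directory with a constructed placeholder certificate.
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
    '-----END CERTIFICATE-----' > "$demo_dir/nx_host_rsa_key.crt"
build_client_crt "$demo_dir/nx_host_rsa_key.crt" "$demo_dir/client.crt" &&
    check_client_crt "$demo_dir/nx_host_rsa_key.crt" "$demo_dir/client.crt" &&
    echo "client.crt OK"
```

On a Linux server the arguments would be the paths from the article: /usr/NX/etc/keys/host/nx_host_rsa_key.crt and /var/NX/nxhtd/.nx/config/client.crt.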

 

2. How to replace the SSL certificate for nxhtd

nxhtd is the NoMachine Web Server included in the Cloud Server installation and necessary for running web sessions.

The installation comes with a self-signed SSL Certificate File and SSL Certificate Key File intended to be just a sample. They are, respectively:

<installation directory>/etc/keys/host/ht_host_rsa_key.crt
<installation directory>/etc/keys/host/ht_host_rsa_key

Administrators have to replace the sample SSL Certificate File and Key File with their own certificate, either self-signed or acquired from a CA.

How to generate a new certificate

To generate a new SSH key pair, run from console:

<installation directory>/bin/nxkeygen -k privatekey -p publickey [-n length]

Or use the standard ssh-keygen command from OpenSSH.

Important:

If you are using NoMachine tools on Linux you need to set the LD_LIBRARY_PATH before running the nxkeygen tool:

# export LD_LIBRARY_PATH=/usr/NX/lib
# <installation directory>/bin/nxkeygen -k privatekey -p publickey [-n length]

How to use the new certificate

Step 1

Edit the nxhtd configuration file to point to the new certificate. Let's assume that the new certificate consists of new_ht_host_rsa_key.crt and new_ht_host_rsa_key.

Edit the <installation directory>/etc/cloud.inc file and set:

SSLCertificateFile "<installation directory>/etc/keys/host/new_ht_host_rsa_key.crt"
SSLCertificateKeyFile "<installation directory>/etc/keys/host/new_ht_host_rsa_key"

Step 2

Then restart nxhtd by running from console:

<installation directory>/bin/nxserver --restart nxhtd

nxhtd can also be restarted from the Server preferences GUI.

Step 3

On Linux and Mac OS X it's necessary to update certificate permissions.

Run:

<installation directory>/bin/nxwebplayer --update

When executing "nxwebplayer --update", the nxhtd server is automatically restarted.

As an alternative, you can update permissions by hand to have:

-rw------- 1 nxhtd nxhtd 1,7K lis 20 18:40 new_ht_host_rsa_key
-rw-r--r-- 1 nxhtd nxhtd 1,1K lis 20 18:39 new_ht_host_rsa_key.crt

Then it's necessary to restart nxhtd.

 

3. How to replace the RSA key pair for nxsshd

nxsshd is the NoMachine SSH server installed on Windows by any of the enterprise packages.

RSA keys are:

<installation directory>/etc/keys/host/ssh_host_rsa_key
<installation directory>/etc/keys/host/ssh_host_rsa_key.pub

How to generate a new certificate

You can generate a new SSH key pair by running from console:

<installation directory>/bin/nxkeygen -k privatekey -p publickey [-n length]

Or by using the standard ssh-keygen command from OpenSSH.

How to use the new certificate

Step 1

Configure nxsshd to use a different private key by editing:

<installation directory>/etc/sshd_config

Uncomment the HostKey configuration key and set its value.

Step 2

Then it's necessary to restart nxsshd. This can easily be done from the Server preferences GUI.

Important:

The public key must be stored with the same file name as the private key, with .pub as the suffix.

For example, if the new private key is new_rsa_key, the public key must be named new_rsa_key.pub

 

 

4. How to replace the DSA key pair for the remote nodes

The server authenticates on the node with a DSA key pair. When the node is added to the server (with the nxserver --nodeadd command), the public part of the key pair is automatically added to the remote node:

- if the server-node protocol is NX, the key is added to <path to>/nx/.nx/config/authorized.crt

- if the server-node protocol is SSH, the key is added to <path to>/nx/.ssh/authorized_keys2 and <path to>/nx/.ssh/default.id_dsa.pub

where <path to> is:

/var/NX  on Linux,

/Library/Application Support/NoMachine/var on Mac OS X and

C:\Users\nx on Windows.

Before proceeding, stop the server to prevent users from starting new sessions while replacing the server public key on the nodes.

IMPORTANT

If you are running Enterprise Server/Cloud Server in a multi-node environment with cluster failover enabled, please update the cluster configuration to synchronize it once the new key pair has been generated.

Run on the master or on the secondary server the following command:

nxserver --clusterupdate

 

How to remove the old server DSA key from the nodes

On the server host read the current server DSA key that is going to be replaced:

#  cat <installation directory>/etc/keys/node.localhost.id_dsa.pub

where <installation directory> is:

/usr/NX on Linux,

/Applications/NoMachine.app/Contents/Frameworks/ on Mac OS X and

c:\Program Files\NoMachine on Windows.

On each of the node hosts remove the line containing the current server public key from the following files:

- for server-node connections by NX protocol:
<path to>/nx/.nx/config/authorized.crt

- for server-node connections by SSH protocol:
<path to>/nx/.ssh/authorized_keys2
<path to>/nx/.ssh/default.id_dsa.pub
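The removal step as a shell function, added here as an example (not NoMachine code). It assumes one key per line in OpenSSH public-key format; remove_server_key is a hypothetical name and the key strings in the demo are constructed placeholders.

```shell
#!/bin/sh
# Added example, not NoMachine code. Assumes one key per line in OpenSSH
# public-key format ("<type> <base64> [comment]").

# remove_server_key OLD_PUB TARGET
# Removes every line of TARGET that carries the key in OLD_PUB and prints
# how many lines were removed. TARGET.bak keeps the previous content.
remove_server_key() {
    old_pub=$1 target=$2
    # Field 2 of the public key file is the base64 key material.
    blob=$(awk 'NF >= 2 { print $2; exit }' "$old_pub")
    [ -n "$blob" ] || { echo "no key in $old_pub" >&2; return 2; }
    [ -f "$target" ] || { echo 0; return 0; }
    cp -p "$target" "$target.bak" || return 2
    before=$(wc -l < "$target.bak")
    # Match the key material as a whole field, so a different comment or
    # leading options on the node's copy of the line do not hide it.
    # Writing with ">" keeps TARGET's owner and mode, so the nx user can
    # still read the file afterwards.
    awk -v b="$blob" '{ for (i = 1; i <= NF; i++) if ($i == b) next; print }' \
        "$target.bak" > "$target" || return 2
    after=$(wc -l < "$target")
    echo $((before - after))
}

# Demo on constructed data (the key strings below are placeholders).
work=$(mktemp -d)
echo 'ssh-dss AAAAB3NzaC1kc3MAAACBAOLDKEY nx@server' \
    > "$work/node.localhost.id_dsa.pub"
cat > "$work/authorized_keys2" <<'EOF'
ssh-dss AAAAB3NzaC1kc3MAAACBAOTHERKEY admin@elsewhere
no-port-forwarding ssh-dss AAAAB3NzaC1kc3MAAACBAOLDKEY nx@oldname
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABKEEPME backup@host
EOF
removed=$(remove_server_key "$work/node.localhost.id_dsa.pub" "$work/authorized_keys2")
echo "removed $removed line(s)"
```

Run it on each node against every file listed above; a result of 0 means the node no longer holds the old key.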

How to generate a new key pair

You can generate a new SSH key pair by running from console on the server host:

<installation directory>/bin/nxkeygen -k <installation directory>/etc/keys/node.localhost.id_dsa -p <installation directory>/etc/keys/node.localhost.id_dsa.pub -t dsa

Or by using the standard ssh-keygen command from OpenSSH.

Important:

If you are using NoMachine tools on Linux or Mac OS X, you have to set the LD_LIBRARY_PATH before running the nxkeygen tool. For example on Linux:

# export LD_LIBRARY_PATH=/usr/NX/lib
# /usr/NX/bin/nxkeygen -k /usr/NX/etc/keys/node.localhost.id_dsa -p /usr/NX/etc/keys/node.localhost.id_dsa.pub -t dsa

Then make sure that the new keys have the same names as the original ones, with the proper permissions and ownership. For example on Linux:

# chmod 600 /usr/NX/etc/keys/node.localhost.id_dsa
# chown nx:root /usr/NX/etc/keys/node.localhost.id_dsa
# chmod 644 /usr/NX/etc/keys/node.localhost.id_dsa.pub
# chown nx:root /usr/NX/etc/keys/node.localhost.id_dsa.pub


How to use the new key pair

Check the current list of nodes from a console:

# <installation directory>/bin/nxserver --nodelist

and execute the following command for each of the nodes:

# <installation directory>/bin/nxserver --nodeupdate <node>

5. How to replace the DSA key pair for the cluster

You can generate a new SSH key pair for the cluster by running from console on the server host:

<installation directory>/bin/nxkeygen -k <installation directory>/etc/keys/cluster.localhost.id_dsa -p <installation directory>/etc/keys/cluster.localhost.id_dsa.pub -t dsa

Or by using the standard ssh-keygen command from OpenSSH.

Important:

If you are using NoMachine tools on Linux or Mac OS X, you have to set the LD_LIBRARY_PATH before running the nxkeygen tool. For example on Linux:

# export LD_LIBRARY_PATH=/usr/NX/lib
# /usr/NX/bin/nxkeygen -k /usr/NX/etc/keys/cluster.localhost.id_dsa -p /usr/NX/etc/keys/cluster.localhost.id_dsa.pub -t dsa

Then make sure that the new keys have the same names as the original ones, with the proper permissions and ownership. For example on Linux:

# chmod 600 /usr/NX/etc/keys/cluster.localhost.id_dsa
# chown nx:root /usr/NX/etc/keys/cluster.localhost.id_dsa
# chmod 644 /usr/NX/etc/keys/cluster.localhost.id_dsa.pub
# chown nx:root /usr/NX/etc/keys/cluster.localhost.id_dsa.pub


How to use the new key pair

Propagate the new key to the secondary server by running the following command on the master server:

<installation directory>/bin/nxserver --clusterupdate