CHAPTER 1

New Features and Changes

This chapter describes the new features and changes in Sun Secure Global Desktop (SGD) versions 4.41, 4.40, and 4.31.

Topics in this chapter include the following:


New Features in Version 4.41

This section describes the features that are new in the SGD version 4.41 release.

New Command for Securing an SGD Server

SGD Administrators can now configure security automatically for an SGD server, using a single tarantella command. The following commands are now available:

The tarantella security enable command performs the following configuration:

The following limitations apply for these commands:

See the Sun Secure Global Desktop 4.41 Administration Guide for more details about the tarantella security enable and tarantella security disable commands.

Pull-Down Header for Kiosk Mode Applications

A new attribute (--allowkioskescape) enables a pull-down header for Windows applications and X applications running in kiosk mode.

The pull-down header includes icons for minimizing and closing the application window.

To display the pull-down header when this attribute is enabled, move the mouse to the top of the application window.

To enable or disable the pull-down header, configure the attribute for the Windows application or X application object. For example:


$ tarantella object edit \
--name "o=applications/cn=IndigoProject" --allowkioskescape true



Note - Currently, this attribute is only configurable from the command line.



Service Tag Support

SGD version 4.41 includes support for Sun Service Tags. If the Sun Service Tags software is present on the SGD host, SGD creates and registers a new service tag automatically during installation.

Registration of service tags is attempted on every instance of tarantella start until successful, after which registration does not take place again. This means that even if the Service Tags software is not present when SGD is installed, SGD will still register with it if you install the Service Tags software on the SGD host at a later date.

For more information about Sun Service Tags, see http://www.sun.com/bigadmin/hubs/connection/tasks/register.jsp.

Active Directory Authentication Log Filter

There is a new server/ad log filter, which enables logging of errors related to Active Directory authentication.

For example, you can use this log filter to find out why an Active Directory user cannot log in to SGD.

Active Directory SSL Security Without Client Certificates

SGD version 4.41 enables you to use Secure Sockets Layer (SSL) security when connecting to an Active Directory server, without using client certificates. This means that an SGD server can meet security requirements in an environment where client certificates are not required, or are not a viable option. The Sun Secure Global Desktop 4.41 Administration Guide provides details of how to configure this feature.


New Features in Version 4.40

This section describes the features that are new in the SGD version 4.40 release.

SGD Administration Console

The SGD administration tools, Object Manager, Array Manager, Configuration Wizard, and Session Manager have been replaced by the SGD Administration Console. The SGD Administration Console is a web application. The Administration Console can be used by SGD Administrators to configure SGD.

The Administration Console is localized into the languages supported by SGD: English, French, Japanese, Korean, Simplified Chinese, and Traditional Chinese.

To use the Administration Console, your browser must have JavaScript enabled.

Wherever possible, run the Administration Console on the primary server in the SGD array. Some operations, for example, creating new objects or editing object attributes, are best done on the primary server. If you perform these operations on a secondary server and the primary server is not running, your changes are not implemented.



Note - The SGD distribution includes a web archive (WAR) file for the Administration Console, sgdadmin.war. Using this file to deploy the Administration Console on another web application server is not supported.



You can start the Administration Console in one of the following ways:

See the Sun Secure Global Desktop 4.41 Administration Guide for more details about the Administration Console.

Terminology Changes

The Administration Console uses different terminology compared to previous SGD releases.

The following table lists some common terms used in version 4.31 and the corresponding term used in the Administration Console.


SGD Version 4.31                    Administration Console
array member                        SGD server
browser-based webtop                webtop
emulator session                    application session
Enterprise Naming Scheme (ENS)      local repository
ENS equivalent name                 user profile
Fully Qualified Name                user identity
host                                application server
intelligent array routing           load balancing group
login authority                     system authentication
login profile                       user profile
person object                       user profile object
Tarantella Federated Naming (TFN)   Not used
webtop session                      user session

Attribute Name Changes

Some attributes have been renamed for the Administration Console. The Sun Secure Global Desktop 4.41 Administration Guide includes the attribute names used in the Administration Console, along with the previous attribute name used in Object Manager and Array Manager.

The My Desktop URL

The My Desktop Uniform Resource Locator (URL) enables users to log in and display a full-screen desktop without displaying a webtop.

To be able to use the My Desktop URL, the user must be assigned an application object called My Desktop (cn=My Desktop). This object is created automatically when SGD is installed. By default, the object is configured to run the default desktop application available on the SGD server, for example, the Sun Java Desktop System. You can reconfigure this object to run any application you want, but it works best with full-screen desktop applications. If users require different desktop applications, you can create additional My Desktop objects as required. However, users must be assigned only one My Desktop application.



Note - Users can be assigned any number of applications, but the My Desktop URL only gives users access to the My Desktop application.



The My Desktop URL is http://server.example.com/sgd/mydesktop, where server.example.com is the name of an SGD server. This URL displays the SGD Login page. Once the user has logged in, the desktop session displays and the web browser can be closed.



Note - There are no controls for suspending or resuming the desktop application. Users must log out of the desktop application as normal.



Support for Roaming Profiles

Users with Microsoft Windows client devices can have roaming user profiles. Roaming user profiles provide the user with the same working environment, no matter which Microsoft Windows computer they use. If Microsoft Windows users have roaming user profiles, the SGD client profile is automatically adjusted to allow for this, as follows:

The following settings from the SGD client profile are stored in the location of the user’s roaming profile:


Client Profile Setting            Roaming Profile Entry
Login URL                         <url>
Add Applications to Start Menu    <mode>
Automatic Client Login            <autologin>, <AT>
Connect on System Login           <autostart>
Connection Failure                <reconnect mode>, <reconnect_attempts>, <reconnect_interval>


Automatic Timeout of Idle User Sessions

SGD Administrators can now configure an automatic timeout for idle user sessions.

The timeout enables user sessions to be suspended if there has been no application session or webtop activity for a specified time period. The timeout applies to all SGD servers in the array.

This timeout is only configurable from the command line. You cannot edit the timeout value using the Administration Console.

You configure the timeout with the following command:


$ tarantella config edit \
--tarantella-config-array-webtopsessionidletimeout secs

Replace secs with the timeout value, measured in seconds.

A setting of 0 turns off the user session idle timeout feature. This is the default setting.

In the following example, user sessions are suspended after 1800 seconds (30 minutes) of inactivity.


$ tarantella config edit \
--tarantella-config-array-webtopsessionidletimeout 1800

Netmask Filters for Specifying Network Addresses

You can now specify a netmask filter when setting the following attributes:

The netmask filter takes the format v.w.x.y/z. The previous “wildcard” type filters are still supported.

The following example uses a netmask filter to specify external DNS names.


$ tarantella config edit --server-dns-external \
"192.168.55.0/24:boston.indigo-insurance.com"

Window Management Keys

A new Window Management Keys (--remotewindowkeys) attribute is available for the following object types:

Using this attribute, keyboard shortcuts that deal with window management can either be sent to the remote session or acted on locally. This setting is only effective for applications having a Window Type setting of Kiosk mode.

To exit Kiosk mode when this attribute is enabled, use the key sequence Alt-Ctrl-Shift-Space. This minimizes the kiosk session on the local desktop.

By default, the Windows key is now enabled in SGD Windows Terminal Services sessions. The default setting for the SGD Terminal Services Client (ttatsc) -windowskey option is on. You can change this option using the Arguments for Protocol (--protoargs) attribute on the Windows application object.

Support for Solaris 10 OS Trusted Extensions

SGD runs on Solaris 10 OS Trusted Extensions with the following known limitations:

Global Management of Passwords and Tokens

The Administration Console can be used to globally manage passwords and tokens for all users of SGD.

You can now manage passwords and tokens by user identity or by user profile. Previously, the Object Manager administration tool only supported management of passwords and tokens by user profile.

Subject Alternative Names for Server Certificates

If an SGD server has multiple DNS names, for example, it is known by different names inside and outside a firewall, you can specify the additional DNS names as subject alternative names when generating a Certificate Signing Request (CSR). This enables you to associate more than one DNS name with a server certificate.

The tarantella security certrequest command now prompts you to enter subject alternative names when generating a CSR.

The subject alternative names for a certificate can be displayed using the tarantella security certinfo command.

Time Zone Map File Attribute

A new Time Zone Map File attribute (--xpe-tzmapfile) is available.

The attribute enables you to specify a file that contains mappings between UNIX client device and Microsoft Windows application server time zone names. The attribute applies to all SGD servers in the array.

Session Directory for Windows Terminal Services

SGD version 4.40.917 and later supports Session Directory for Windows Terminal Services sessions running on Microsoft Windows Server 2003.

Session Directory can be used instead of SGD to handle session resumability for Windows applications. Session Directory is a database that keeps track of which users are running which sessions on which Windows application server.

Using Session Directory enables SGD users to reconnect automatically to their Windows session.


New Features in Version 4.31

This section describes the features that are new in the SGD version 4.31 release.

Audio Support in X Applications

SGD Administrators can now enable audio in X applications accessed using SGD.

To hear audio in X applications, the following conditions must be met:

The UNIX audio module contains an OSS audio driver emulator. The audio driver emulator is installed in the kernel when you install the UNIX audio module of the SGD Enhancement Module.



Note - As the UNIX audio module includes an audio driver emulator, the application server itself does not actually need to have a sound card.



Some X applications are hard-coded to use the /dev/audio or /dev/dsp devices for audio output. A new attribute for X application objects, Audio Redirection Library (--unixaudiopreload), enables an SGD audio redirection library to force the X application to use the SGD audio device.

Support for the Remote Desktop on Microsoft Windows Vista

Microsoft Windows Vista includes the Remote Desktop feature that enables you to access a computer using the Microsoft Remote Desktop Protocol (RDP). You can now use SGD and Remote Desktop, for example, to enable users to access their office PC when they are out of the office. Only full Windows desktop sessions are supported.

You can also install the SGD Enhancement Module on Microsoft Windows Vista client devices to provide support for client drive mapping. Advanced load balancing and seamless windows are not supported.

SSH Client Settings

A new SSH Arguments (--ssharguments) attribute is available for the following object types:

With this attribute, you can specify the command-line arguments for the SSH client when the connection method for an application is SSH.


Changes in Version 4.41

This section describes the changes since the SGD version 4.40 release.

Changes to Supported Platforms

The supported platforms for SGD have changed, as follows:

See the Sun Secure Global Desktop 4.41 Installation Guide for more information about supported platforms for this release.

SGD Server Command-Line Changes

The commands used to control the SGD server and the SGD Web Server have been changed.

The following commands for stopping, starting, and restarting the SGD Web Server have been deprecated:

These commands are now implemented as subcommands for the tarantella start, tarantella stop, and tarantella restart commands.

In previous releases, the tarantella start, tarantella stop, and tarantella restart commands controlled the SGD server. By default, these commands now control the SGD server and the SGD Web Server.

New subcommands to the tarantella start, tarantella stop, and tarantella restart commands enable you to choose to start, stop, or restart either the SGD server or one or more components of the SGD Web Server.

The following table summarizes the main command-line changes.


Command in Version 4.40         Command in Version 4.41
tarantella webserver start      tarantella start webserver
tarantella webserver stop       tarantella stop webserver
tarantella webserver restart    tarantella restart webserver
tarantella start                tarantella start sgd
tarantella stop                 tarantella stop sgd
tarantella restart              tarantella restart sgd

See the Sun Secure Global Desktop 4.41 Administration Guide for more detailed information about the revised commands.

Changes to SGD Web Server Component Versions

The SGD Web Server now uses version 2 of Apache. Version information for the components of the SGD Web Server is shown in the following table.


Component               Version
Apache HTTP Server      2.2.8
OpenSSL                 0.9.8g
mod_jk                  1.2.25
Apache Jakarta Tomcat   5.0.28
Apache Axis             1.2

JDK Version Change

The SGD installation now includes JDK(TM) version 1.6.0_05.

My Desktop Link

The SGD Web Server Welcome page now includes a My Desktop link. The SGD Web Server Welcome page is at http://server.example.com, where server.example.com is the name of an SGD server.

The My Desktop link enables users to log in and display a full-screen desktop, without displaying a webtop. See The My Desktop URL for more details.

Using the My Desktop link is an alternative to specifying the My Desktop URL. The My Desktop URL is http://server.example.com/sgd/mydesktop.

Changes to tarantella security start and tarantella security stop Commands

The --array and --server options have been deprecated for the tarantella security start and tarantella security stop commands.

This means that the tarantella security start and tarantella security stop commands can only be used to configure security for the SGD server on which the command is run.

Changes to tarantella status Command

If there are problems with the array, the tarantella status command now returns more detailed information about the array configuration. This information can be used to diagnose and fix array problems.

Enabling Secure Intra-Array Communications

In previous releases, enabling secure intra-array communications for an array was done by running a tarantella array join command on the secondary SGD server joining the array.

In the SGD 4.41 release, if you are using secure intra-array communication, the tarantella array join command must be run from the primary SGD server in the array.

Replacing an SGD Server Certificate

In the SGD 4.41 release, you can generate a new Certificate Signing Request (CSR) without affecting your current SGD server certificate.

This enables you to replace an SGD server certificate, for example because the original certificate is about to expire.

When you use the tarantella security certrequest command to generate a CSR, the private key is now stored in the /opt/tarantella/var/tsp/key.pending.pem file.

Performance Improvements for tarantella array Commands

The performance of the tarantella array commands has been improved. Configuring arrays of SGD servers is now a quicker process, compared to previous releases.


Changes in Version 4.40

This section describes the changes since the SGD version 4.31 release.

Retirement of Classic Clients

SGD version 4.31 was the last release to contain the Java technology clients, the SGD Native Clients and the classic webtop. The 4.40 release does not contain these clients.

As a result of this change, for this release of SGD, you cannot configure applications to display in a web browser window. The webtop and newbrowser options for the Window Type attribute (--displayusing) have been removed.

Login and Authentication Sequence

As a security measure to prevent denial-of-service attacks, the sequence of events when you log in to SGD has changed, as follows:

Start up of the SGD Client is indicated by an icon in the desktop task bar. See the Sun Secure Global Desktop 4.41 Installation Guide for more details about logging in to SGD.

You can no longer deny a connection to SGD based on the client’s IP address.

Server Certificates and Multiple External DNS Names

In previous releases, the --tarantella-config-ssldaemon-certificates attribute was used to associate an X.509 certificate with an external DNS name for an SGD server.

This attribute is no longer supported. In this release, you can specify external DNS names as subject alternative names when you generate a CSR.

See Subject Alternative Names for Server Certificates for more details.

Web Services Changes

The following web services changes have been implemented for this release:

Authentication Model Changes

In the 4.31 release, the startSession and the authenticateSession methods were used to authenticate a user session.

For the 4.40 release, creating and authenticating a user session have been combined into a single method, authenticate.

The startSession and authenticateSession methods are not available for the 4.40 release.

Renaming of Methods

Some overloaded methods were present in the 4.31 release. These methods were distinguished by the number and type of their parameters. All such overloaded methods have been renamed for the 4.40 release. Additionally, the mandatory parameters for the setSessionIdentity method have changed for the 4.40 release.

The following table lists the method name changes for this release.


Interface Name            Method Name in Version 4.31                                           Method Name in Version 4.40
ITarantellaDatastore      modify(String, String, String[])                                      modifyReplace(String, String, String[])
ITarantellaEvent          adminSendClientSideMessage(String, String, String, String, String)    adminBroadcastClientSideMessage(String, String, String, String, String)
ITarantellaExternalAuth   setSessionIdentity(String, String)                                    setSessionIdentity(String, String, String)
ITarantellaPrint          printJobs(String)                                                     printAllJobs(String)
ITarantellaWebtopSession  authenticateSession(String, String, String)                           authenticate(String, String, String, String)
ITarantellaWebtopSession  authenticateSession(String, String, String, Item[], Item[])           authenticateExt(String, String, String, String, Item[], Item[])
ITarantellaWebtopSession  setTCCConfiguration(String, String, String, String, String, Item[])   setTCCConfigurationOverrides(String, String, String, String, String, Item[])
ITarantellaWebtopSession  startSession(*)                                                       No equivalent

New Web Service Operations

The following table lists the new web service operations.


Interface Name              Method Name         Description
ITarantellaDatastore        deleteObjects       Delete several objects from the SGD datastore.
                            searchEnd           Release server resources for a given search.
                            searchNext          Retrieve the next subset of search results.
                            searchStart         Start a datastore search, returning a subset of results.
ITarantellaEmulatorSession  adminCount          Count the number of matching application sessions a search would return.
                            adminSearchEnd      Release server resources for a given search.
                            adminSearchNext     Retrieve the next subset of search results.
                            adminSearchStart    Start a search, returning a subset of results.
                            endSessions         End multiple application sessions.
ITarantellaPrint            adminCount          Count the number of matching print jobs a search would return.
                            adminSearchEnd      Release server resources for a given search.
                            adminSearchNext     Retrieve the next subset of search results.
                            adminSearchStart    Start a search, returning a subset of results.
ITarantellaWebtopSession    associateTCC        Associate a user session with an existing SGD Client connection.
                            authenticate        Authenticate a user session.
                            authenticateExt     Authenticate a user session.
                            createView          Create a new view of an existing user session.
                            adminEndSessions    End multiple user sessions.
                            adminCount          Count the number of matching user sessions a search would return.
                            adminSearchEnd      Release server resources for a given search.
                            adminSearchNext     Retrieve the next subset of search results.
                            adminSearchStart    Start a search, returning a subset of results.
ITarantellaUtility          searchEnd           Release server resources for a given search.
                            searchNext          Retrieve the next subset of search results.
                            searchStart         Start a search, returning a subset of results.


Document/Literal SOAP Message Encoding

The SOAP message encoding format used for SGD web services has changed from RPC/Encoded to Document/Literal.

To list the SGD web services, go to http://server.example.com/axis/services, where server.example.com is the name of an SGD server. Click on the wsdl link to see the Web Services Description Language (WSDL) listing for an SGD web service.

The WSDL listings for the RPC/Encoded versions of the web services are still included on this page. Do not use the RPC/Encoded versions for developing your own applications. These versions of the web services will be deprecated in future releases.

Querying Device Data

The adminLookupSession operation now returns device information. You can use this operation to query the --scottarawdevicedata and --scottadeviceaccessibledata device data attributes.

The returned device information can be used as a diagnostic tool.

Flushing the Kerberos Cache

A new setting for the tarantella cache command enables you to refresh the current Kerberos configuration settings for an SGD server.

The new option, krb5config, is used as follows:


$ tarantella cache --flush krb5config

This setting enables you to update the Kerberos configuration for an SGD server without having to restart the server. This feature is used for Active Directory authentication only.

tem status Command

For users of the SGD Enhancement Module, a new command is available.

The tem status command provides status information for load balancing, UNIX platform audio, and client drive mapping services for the SGD array. The command lists the installed modules and indicates whether they are running or not.

SGD Client Does Not Assume Java Technology by Default

The SGD Client can be started from the command line using the tcc command on Microsoft Windows client platforms, or the ttatcc command on UNIX, Linux, or Mac OS X client platforms.

In this release, by default, when you start the SGD Client from the command line or in Integrated mode, the SGD Client assumes that the client device does not have Java technology enabled. A new -use-java argument for the tcc and ttatcc commands configures the SGD Client to use Java technology.

In previous releases, by default, the SGD Client assumed Java technology was enabled. A -no-java argument for the tcc and ttatcc commands was available to override this behavior. This argument has now been deprecated.

The available arguments for the tcc and ttatcc commands are described in the Sun Secure Global Desktop 4.41 Administration Guide.

SGD Client Logs Client Device Information

The SGD Client now logs information on client devices. Device access data and error messages are logged for printing, serial port, client drive mapping, audio, and smart card devices.

The client device information is written to the SGD Client log file and is displayed on the Detailed Diagnostics page of the webtop.

Renamed Command Line Arguments

Several attributes have been renamed to give shorter attribute names. This prevents errors when typing these attributes on the command line. The following table lists the attribute names that have been renamed.


Attribute Name in Version 4.31                                  Attribute Name in Version 4.40
--tarantella-config-login-thirdparty-searchens                  --login-thirdparty-ens
--tarantella-config-login-thirdparty-allownonens                --login-thirdparty-nonens
--tarantella-config-ldap-thirdpartyldapcandidate-useens         --login-ldap-thirdparty-ens
--tarantella-config-ldap-thirdpartyldapcandidate-useprofile     --login-ldap-thirdparty-profile
--tarantella-config-xpeconfig-timezonemapfile                   --xpe-tzmapfile

Windows NT Domain Attribute

The Windows NT Domain attribute has been renamed to Domain Name. This attribute specifies the domain to use for the application server authentication process.

The following objects have this attribute:

PDF Printers Renamed

The names of the SGD PDF printers have changed as shown in the following table.


Printer Name in Release 4.31    Printer Name in Release 4.40
Universal PDF                   Universal PDF Printer
Print to Local PDF File         Universal PDF Viewer

Window Closure Warning

For application objects configured with a Window Type setting of Independent Window, a warning dialog is now shown when the application window is closed. The dialog prompts you to confirm that you want to end the application session.

SOCKS Proxy Removed From Client Profile

You can no longer configure SOCKS proxy servers using the SGD Client profile.

You can still configure SOCKS proxy servers using the array routing feature. Use the following command:


$ tarantella config edit \
--tarantella-config-array-netservice-proxy-routes \
"192.168.10.*:CTSOCKS:taurus.indigo-insurance.com:8080"

With this configuration, clients with IP addresses beginning 192.168.10 connect using the SOCKS proxy server taurus.indigo-insurance.com on TCP port 8080.

Administration Tools Removed From The Administrator Webtop

The Object Manager, Array Manager, Session Manager, and Configuration Wizard administration tools are no longer displayed on the Administrator’s webtop. These administration tools have been replaced by a browser-based administration tool called the Administration Console. See SGD Administration Console for more details.

The Configuration Wizard is still included in the SGD distribution, as an example web application. To display the Configuration Wizard, go to http://server.example.com/sgd/admin/configmgr/index.jsp, where server.example.com is the name of an SGD server.

Session Manager is still included in the SGD distribution, as an example web application. To display Session Manager, go to http://server.example.com/sgd/admin/sessmgr/index.jsp, where server.example.com is the name of an SGD server.

Login Script Changes

The login scripts in the /opt/tarantella/var/serverresources/expect directory have been rationalized. Some scripts have been renamed and others have been merged.

If you are using SecurID for application server authentication, objects now use the securid.exp script, rather than the securid/unix.exp script. For backward compatibility, a symbolic link now exists from securid/unix.exp to the new securid.exp script.

Enabling Input Methods for Locales

An input method (IM) is a program or operating system component that enables users to enter characters and symbols not found on their keyboard. On Microsoft Windows platforms, an IM is called an input method editor (IME).

When running applications, SGD enables an IM if any of the TTA_PreferredLocale, TTA_HostLocale, or LANG (from the application environment overrides) environment variables is set to a locale that requires an IM. The locales that require an IM are controlled by the IM_localeList variable, which is defined in the vars.exp login script.

By default, an IM is enabled for all Japanese, Korean, and Chinese locales. To enable an IM in other locales, you must edit vars.exp and add the locale to the IM_localeList variable.

SGD Client Termination Timeouts

If an application is terminated because the SGD Client exits unexpectedly, an additional value of 20 minutes is added to the following timeouts:


Changes in Version 4.31

This section describes the changes since the SGD version 4.30 release.

SecurID Authentication on Solaris x86 Platforms

In version 4.31, you can use SecurID authentication when SGD is installed on Solaris x86 platforms.

Support for Multiple SGD Servers in Integrated Mode

In version 4.30, it is possible to connect only to one SGD server when the SGD Client is in Integrated mode. In version 4.31, Integrated mode can be used with multiple SGD servers. In the desktop Start or Launch menu, a login link is available for each SGD server.

Array Routes

SGD has an array routes feature that enables you to configure server-side SOCKS proxy servers. You configure array routes with the following command:


$ tarantella config edit \
--tarantella-config-array-netservice-proxy-routes route...

Array routes are enhanced so that you can now configure a direct connection type. Use CTDIRECT as the connection type to specify the clients that can connect without using a proxy server.

The following is an example array route configuration:


$ tarantella config edit \
--tarantella-config-array-netservice-proxy-routes \
"192.168.5.*:CTDIRECT:" \
"192.168.10.*:CTSOCKS:taurus.indigo-insurance.com:8080"

With this configuration, clients with IP addresses beginning 192.168.5 have a direct connection. Clients with IP addresses beginning 192.168.10 connect using the SOCKS proxy server taurus.indigo-insurance.com on TCP port 8080.
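The netmask and wildcard filters used by --server-dns-external (see Netmask Filters for Specifying Network Addresses) and by the array routes shown above, as an added example that is not part of these release notes or of the SGD product: a Python model of how such filters select a client's external DNS name or proxy route, with a check for routes that an earlier, wider filter makes unreachable. First-match evaluation, a bare "*" meaning any address, and the route field layout filter:type:host:port are assumptions.

```python
"""Model of SGD-style client address filters (added example, not SGD code).

Handles netmask filters (v.w.x.y/z) and wildcard filters (192.168.10.*) as
used by --server-dns-external entries (filter:dnsname) and by array routes
(filter:CTDIRECT: or filter:CTSOCKS:host:port). Assumed, not documented:
entries are evaluated in order, first match wins, and "*" matches anything.
"""
import ipaddress

# Constructed sample settings, copied from the examples in these notes.
DNS_EXTERNAL = ["192.168.55.0/24:boston.indigo-insurance.com"]
ROUTES = [
    "192.168.5.*:CTDIRECT:",
    "192.168.10.*:CTSOCKS:taurus.indigo-insurance.com:8080",
]


def filter_to_network(filt):
    """Network a filter covers, or None if the filter has no prefix form.

    Wildcards map to a prefix only when the '*' octets are trailing:
    192.168.*.* is a /16, but 192.*.10.* cannot be expressed as one.
    """
    if filt == "*":
        return ipaddress.ip_network("0.0.0.0/0")
    if "/" in filt:
        # strict=False accepts host bits in the address part, e.g. 10.1.2.3/24.
        return ipaddress.ip_network(filt, strict=False)
    parts = filt.split(".")
    if len(parts) != 4:
        raise ValueError(f"unrecognised filter: {filt!r}")
    fixed = [p for p in parts if p != "*"]
    if parts[: len(fixed)] != fixed:
        return None  # a '*' appears before a literal octet
    octets = fixed + ["0"] * (4 - len(fixed))
    return ipaddress.ip_network(".".join(octets) + f"/{8 * len(fixed)}")


def filter_matches(filt, client_ip):
    """True if client_ip is selected by a netmask or wildcard filter."""
    addr = ipaddress.ip_address(client_ip)
    net = filter_to_network(filt)
    if net is not None:
        return addr in net
    # Non-prefix wildcard: compare octet by octet, '*' matches any value.
    return all(want in ("*", have)
               for want, have in zip(filt.split("."), client_ip.split(".")))


def external_dns_name(entries, client_ip):
    """DNS name a client is given for the server (first matching entry)."""
    for entry in entries:
        filt, dnsname = entry.split(":", 1)
        if filter_matches(filt, client_ip):
            return dnsname
    return None


def parse_route(route):
    """Split 'filter:type:host:port'; CTDIRECT entries carry no proxy."""
    fields = route.split(":")
    filt, ctype = fields[0], fields[1]
    if ctype == "CTDIRECT" and len(fields) == 3 and fields[2] == "":
        return {"filter": filt, "type": ctype, "proxy": None}
    if ctype == "CTSOCKS" and len(fields) == 4:
        return {"filter": filt, "type": ctype,
                "proxy": (fields[2], int(fields[3]))}
    raise ValueError(f"malformed route: {route!r}")


def route_for_client(routes, client_ip):
    """Route applied to a client, or None when no filter matches."""
    for route in routes:
        parsed = parse_route(route)
        if filter_matches(parsed["filter"], client_ip):
            return parsed
    return None


def shadowed_routes(routes):
    """Routes that never match because an earlier, wider filter covers them.

    A CTDIRECT route listed after a catch-all SOCKS route is a typical slip:
    the 'direct' clients silently go through the proxy instead.
    """
    nets = [filter_to_network(parse_route(r)["filter"]) for r in routes]
    shadowed = []
    for i, net in enumerate(nets):
        if net is None:
            continue  # non-prefix wildcards are not compared
        if any(prev is not None and net.subnet_of(prev) for prev in nets[:i]):
            shadowed.append(routes[i])
    return shadowed
```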

SGD Startup Scripts

In version 4.31, the startup scripts that ensure SGD services stop and start when an SGD server is rebooted are renamed and restructured. The *Tarantella and *TarantellaWebserver scripts are replaced by a single script named *sun.com-sgd-base. The *tem script for the SGD Enhancement Module is now named *sun.com-sgd-em.

Untrusted Initial Connection Message

The Untrusted Initial Connection warning message that is displayed when users first connect to an SGD server is enhanced. Users can now view the server’s security certificate from this message.