Chapter 1
This chapter describes the new features and changes in Sun Secure Global Desktop (SGD) versions 4.41, 4.40, and 4.31.
This section describes the features that are new in the SGD version 4.41 release.
SGD Administrators can now configure security automatically for an SGD server, using a single tarantella command. The following commands are now available:
tarantella security enable – Automatically configures security for the SGD server on which the command is run.
tarantella security disable – Restores the security settings of an SGD server to the state before tarantella security enable was run.
The tarantella security enable command performs the following configuration:
The following limitations apply for these commands:
The SGD server must have a fresh installation of SGD. The commands cannot be used if you are upgrading the software on an SGD server.
See the Sun Secure Global Desktop 4.41 Administration Guide for more details about the tarantella security enable and tarantella security disable commands.
A new attribute (--allowkioskescape) enables a pull-down header for Windows applications and X applications running in kiosk mode.
The pull-down header includes icons for minimizing and closing the application window.
To display the pull-down header when this attribute is enabled, move the mouse to the top of the application window.
To enable or disable the pull-down header, configure the attribute for the Windows application or X application object. For example:
$ tarantella object edit \
    --name "o=applications/cn=IndigoProject" \
    --allowkioskescape true
Note - Currently, this attribute is only configurable from the command line.
SGD version 4.41 includes support for Sun Service Tags. If the Sun Service Tags software is present on the SGD host, SGD creates and registers a new service tag automatically during installation.
Registration of service tags is attempted on every instance of tarantella start until successful, after which registration does not take place again. This means that even if the Service Tags software is not present when SGD is installed, SGD will still register with it if you install the Service Tags software on the SGD host at a later date.
For more information about Sun Service Tags, see http://www.sun.com/bigadmin/hubs/connection/tasks/register.jsp.
There is a new server/ad log filter, which enables logging of errors related to Active Directory authentication.
For example, you can use this log filter to find out why an Active Directory user cannot log in to SGD.
SGD version 4.41 enables you to use Secure Sockets Layer (SSL) security when connecting to an Active Directory server, without using client certificates. This means that an SGD server can meet security requirements in an environment where client certificates are not required, or are not a viable option. The Sun Secure Global Desktop 4.41 Administration Guide provides details of how to configure this feature.
This section describes the features that are new in the SGD version 4.40 release.
The SGD administration tools, Object Manager, Array Manager, Configuration Wizard, and Session Manager have been replaced by the SGD Administration Console. The SGD Administration Console is a web application. The Administration Console can be used by SGD Administrators to configure SGD.
The Administration Console is localized into the languages supported by SGD: English, French, Japanese, Korean, Simplified Chinese, and Traditional Chinese.
To use the Administration Console, your browser must have JavaScript enabled.
Wherever possible, run the Administration Console on the primary server in the SGD array. Some operations, for example, creating new objects or editing object attributes, are best done on the primary server. If you perform these operations on a secondary server and the primary server is not running, your changes are not implemented.
You can start the Administration Console in one of the following ways:
Click the Administration Console link on the webtop of an SGD Administrator.
Click the Launch the Sun Secure Global Desktop Administration Console link on the SGD Web Server Welcome Page at http://server.example.com, where server.example.com is the name of an SGD server.
Go to http://server.example.com/sgdadmin, where server.example.com is the name of an SGD server.
See the Sun Secure Global Desktop 4.41 Administration Guide for more details about the Administration Console.
The Administration Console uses different terminology compared to previous SGD releases.
The following table lists some common terms used in version 4.31 and the corresponding term used in the Administration Console.
SGD Version 4.31 | Administration Console |
---|---|
array member | SGD server |
browser-based webtop | webtop |
emulator session | application session |
Enterprise Naming Scheme (ENS) | local repository |
ENS equivalent name | user profile |
Fully Qualified Name | user identity |
host | application server |
intelligent array routing | load balancing group |
login authority | system authentication |
login profile | user profile |
person object | user profile object |
Tarantella Federated Naming (TFN) | Not used |
webtop session | user session |
The My Desktop Uniform Resource Locator (URL) enables users to log in and display a full-screen desktop without displaying a webtop.
To be able to use the My Desktop URL, the user must be assigned an application object called My Desktop (cn=My Desktop). This object is created automatically when SGD is installed. By default, the object is configured to run the default desktop application available on the SGD server, for example, the Sun Java Desktop System. You can reconfigure this object to run any application you want, but it works best with full-screen desktop applications. If users require different desktop applications, you can create additional My Desktop objects as required. However, users must be assigned only one My Desktop application.
Note - Users can be assigned any number of applications, but the My Desktop URL only gives users access to the My Desktop application.
The My Desktop URL is http://server.example.com/sgd/mydesktop, where server.example.com is the name of an SGD server. This URL displays the SGD Login page. Once the user has logged in, the desktop session displays and the web browser can be closed.
Note - There are no controls for suspending or resuming the desktop application. Users must log out of the desktop application as normal.
Users with Microsoft Windows client devices can have roaming user profiles. Roaming user profiles provide the user with the same working environment, no matter which Microsoft Windows computer they use. If Microsoft Windows users have roaming user profiles, the SGD client profile is automatically adjusted to allow for this, as follows:
Settings specific to the user’s client device, for example the proxy server configuration, are stored on the client device.
By default, this is homedrive\Documents and Settings\username\Local Settings\Application Data\Sun\SSGD\profile.xml
Settings specific to the user, for example the preferred language, are stored in the location of the roaming user profile.
Usually, this is homedrive\Documents and Settings\username\Application Data\Sun\SSGD\profile.xml
Note - This location also contains the user’s hostsvisited and certstore.pem files.
The following settings from the SGD client profile are stored in the location of the user’s roaming profile:
Client Profile Setting | Roaming Profile Entry |
---|---|
Login URL | <url> |
Add Applications to Start Menu | <mode> |
Automatic Client Login | <autologin> |
Connect on System Login | <autostart> |
Connection Failure | <reconnect mode> |
SGD Administrators can now configure an automatic timeout for idle user sessions.
The timeout enables user sessions to be suspended if there has been no application session or webtop activity for a specified time period. The timeout applies to all SGD servers in the array.
This timeout is only configurable from the command line. You cannot edit the timeout value using the Administration Console.
You configure the timeout with the following command:
$ tarantella config edit \
    --tarantella-config-array-webtopsessionidletimeout secs
Replace secs with the timeout value, measured in seconds.
A setting of 0 turns off the user session idle timeout feature. This is the default setting.
In the following example, user sessions are suspended after 1800 seconds (30 minutes) of inactivity.
$ tarantella config edit \
    --tarantella-config-array-webtopsessionidletimeout 1800
You can now specify a netmask filter when setting the following attributes:
The netmask filter takes the format v.w.x.y/z. The previous “wildcard” type filters are still supported.
The following example uses a netmask filter to specify external DNS names.
$ tarantella config edit --server-dns-external \
    "192.168.55.0/24:boston.indigo-insurance.com"
A new Window Management Keys (--remotewindowkeys) attribute is available for the following object types:
Using this attribute, keyboard shortcuts that deal with window management can either be sent to the remote session or acted on locally. This setting is only effective for applications having a Window Type setting of Kiosk mode.
To exit Kiosk mode when this attribute is enabled, use the key sequence Alt-Ctrl-Shift-Space. This minimizes the kiosk session on the local desktop.
By default, the Windows key is now enabled in SGD Windows Terminal Services sessions. The default setting for the SGD Terminal Services Client (ttatsc) -windowskey option is on. You can change this option using the Arguments for Protocol (--protoargs) attribute on the Windows application object.
SGD runs on Solaris 10 OS Trusted Extensions with the following known limitations:
SGD must be installed to a labelled zone. See the Sun Secure Global Desktop 4.41 Installation Guide for more information about installing SGD on Solaris 10 OS Trusted Extensions.
Client drive mapping is not supported for UNIX platform client devices [6610354].
Audio is not supported for UNIX platform applications [6610352].
Integrated mode is not supported for Solaris 10 OS Trusted Extensions client platforms [6610371].
Kiosk mode display for applications does not provide the best user experience for Solaris 10 OS Trusted Extensions client platforms [6594795].
The Administration Console can be used to globally manage passwords and tokens for all users of SGD.
You can now manage passwords and tokens by user identity or by user profile. Previously, the Object Manager administration tool only supported management of passwords and tokens by user profile.
If an SGD server has multiple DNS names, for example, it is known by different names inside and outside a firewall, you can specify the additional DNS names as subject alternative names when generating a Certificate Signing Request (CSR). This enables you to associate more than one DNS name with a server certificate.
The tarantella security certrequest command now prompts you to enter subject alternative names when generating a CSR.
The subject alternative names for a certificate can be displayed using the tarantella security certinfo command.
A new Time Zone Map File attribute (--xpe-tzmapfile) is available.
The attribute enables you to specify a file that contains mappings between UNIX client device and Microsoft Windows application server time zone names. The attribute applies to all SGD servers in the array.
SGD version 4.40.917 and later supports Session Directory for Windows Terminal Services sessions running on Microsoft Windows Server 2003.
Session Directory can be used instead of SGD to handle session resumability for Windows applications. Session Directory is a database that keeps track of which users are running which sessions on which Windows application server.
Using Session Directory enables SGD users to reconnect automatically to their Windows session.
This section describes the features that are new in the SGD version 4.31 release.
SGD Administrators can now enable audio in X applications accessed using SGD.
To hear audio in X applications, the following conditions must be met:
The UNIX audio module of the SGD Enhancement Module must be installed and running on the application server.
The X application must output audio using the Open Sound System (OSS). If your system uses the Advanced Linux Sound Architecture (ALSA), you might have to enable the ALSA OSS emulation modules in the kernel.
The SGD UNIX audio service must be enabled in the Administration Console. The service is disabled by default.
The UNIX audio module contains an OSS audio driver emulator. The audio driver emulator is installed in the kernel when you install the UNIX audio module of the SGD Enhancement Module.
Note - As the UNIX audio module includes an audio driver emulator, the application server itself does not actually need to have a sound card.
Some X applications are hard-coded to use the /dev/audio or /dev/dsp devices for audio output. A new attribute for X application objects, Audio Redirection Library (--unixaudiopreload), enables an SGD audio redirection library to force the X application to use the SGD audio device.
Microsoft Windows Vista includes the Remote Desktop feature that enables you to access a computer using the Microsoft Remote Desktop Protocol (RDP). You can now use SGD and Remote Desktop, for example, to enable users to access their office PC when they are out of the office. Only full Windows desktop sessions are supported.
You can also install the SGD Enhancement Module on Microsoft Windows Vista client devices to provide support for client drive mapping. Advanced load balancing and seamless windows are not supported.
This section describes the changes since the SGD version 4.40 release.
The supported platforms for SGD have changed, as follows:
SGD servers. Fedora Linux 8 is now supported as an SGD server installation platform. Fedora Linux 7 is not supported in this release.
SGD Enhancement Module. Fedora Linux 8 and Windows Server 2008 are now supported as installation platforms for the SGD Enhancement Module. Fedora Linux 7 is not supported in this release.
Client platforms. Fedora Linux 8 and Red Hat Desktop version 5 are now supported client platforms. Fedora Linux 7 and Red Hat Desktop version 4 are not supported in this release. The Mozilla 1.5 browser is not supported for this release.
See the Sun Secure Global Desktop 4.41 Installation Guide for more information about supported platforms for this release.
The commands used to control the SGD server and the SGD Web Server have been changed.
The following commands for stopping, starting, and restarting the SGD Web Server have been deprecated:
These commands are now implemented as subcommands for the tarantella start, tarantella stop, and tarantella restart commands.
In previous releases, the tarantella start, tarantella stop, and tarantella restart commands controlled the SGD server. By default, these commands now control the SGD server and the SGD Web Server.
New subcommands to the tarantella start, tarantella stop, and tarantella restart commands enable you to choose to start, stop, or restart either the SGD server or one or more components of the SGD Web Server.
The following table summarises the main command-line changes.
Command in Version 4.40 | Command in Version 4.41 |
---|---|
tarantella webserver start | tarantella start webserver |
tarantella webserver stop | tarantella stop webserver |
tarantella webserver restart | tarantella restart webserver |
tarantella start | tarantella start sgd |
tarantella stop | tarantella stop sgd |
tarantella restart | tarantella restart sgd |
See the Sun Secure Global Desktop 4.41 Administration Guide for more detailed information about the revised commands.
The SGD Web Server now uses version 2 of Apache. Version information for the components of the SGD Web Server is shown in the following table.
Component | Version |
---|---|
Apache HTTP Server | 2.2.8 |
OpenSSL | 0.9.8g |
mod_jk | 1.2.25 |
Apache Jakarta Tomcat | 5.0.28 |
Apache Axis | 1.2 |
The SGD Web Server Welcome page now includes a My Desktop link. The SGD Web Server Welcome page is at http://server.example.com, where server.example.com is the name of an SGD server.
The My Desktop link enables users to log in and display a full-screen desktop, without displaying a webtop. See The My Desktop URL for more details.
Using the My Desktop link is an alternative to specifying the My Desktop URL. The My Desktop URL is http://server.example.com/sgd/mydesktop.
The --array and --server options have been deprecated for the tarantella security start and tarantella security stop commands.
This means that the tarantella security start and tarantella security stop commands can only be used to configure security for the SGD server on which the command is run.
If there are problems with the array, the tarantella status command now returns more detailed information about the array configuration. This information can be used to diagnose and fix array problems.
In previous releases, enabling secure intra-array communications for an array was done by running a tarantella array join command on the secondary SGD server joining the array.
In the SGD 4.41 release, if you are using secure intra-array communication, the tarantella array join command must be run from the primary SGD server in the array.
In the SGD 4.41 release, you can generate a new Certificate Signing Request (CSR) without affecting your current SGD server certificate.
This enables you to replace an SGD server certificate, for example because the original certificate is about to expire.
When you use the tarantella security certrequest command to generate a CSR, the private key is now stored in the /opt/tarantella/var/tsp/key.pending.pem file.
This section describes the changes since the SGD version 4.31 release.
SGD version 4.31 was the last release to contain the Java technology clients, the SGD Native Clients and the classic webtop. The 4.40 release does not contain these clients.
As a result of this change, for this release of SGD, you cannot configure applications to display in a web browser window. The webtop and newbrowser options for the Window Type attribute (--displayusing) have been removed.
As a security measure to prevent denial-of-service attacks, the sequence of events when you log in to SGD has changed, as follows:
In SGD version 4.31, the SGD Client was started before the login screen was shown.
For SGD version 4.40, the SGD Client is not started until after the user successfully authenticates at the login screen.
Start up of the SGD Client is indicated by an icon in the desktop task bar. See the Sun Secure Global Desktop 4.41 Installation Guide for more details about logging in to SGD.
You can no longer deny a connection to SGD based on the client’s IP address.
In previous releases, the --tarantella-config-ssldaemon-certificates attribute was used to associate an X.509 certificate with an external DNS name for an SGD server.
This attribute is no longer supported. In this release, you can specify external DNS names as subject alternative names when you generate a CSR.
See Subject Alternative Names for Server Certificates for more details.
The following web services changes have been implemented for this release:
In the 4.31 release, the startSession and the authenticateSession methods were used to authenticate a user session.
For the 4.40 release, creating and authenticating a user session have been combined into a single method, authenticate.
The startSession and authenticateSession methods are not available for the 4.40 release.
Some overloaded methods were present in the 4.31 release. These methods were distinguished by the number and type of their parameters. All such overloaded methods have been renamed for the 4.40 release. Additionally, the mandatory parameters for the setSessionIdentity method have changed for the 4.40 release.
The following table lists the method name changes for this release.
Interface Name | Method Name in Version 4.31 | Method Name in Version 4.40 |
---|---|---|
ITarantellaDatastore | modify(String, String, String[]) | modifyReplace (String, String, String[]) |
ITarantellaEvent | adminSendClientSideMessage (String, String, String, String, String) | adminBroadcastClientSideMessage (String, String, String, String, String) |
ITarantellaExternalAuth | setSessionIdentity (String, String) | setSessionIdentity (String, String, String) |
ITarantellaPrint | printJobs(String) | printAllJobs(String) |
ITarantellaWebtopSession | authenticateSession(String, String, String) | authenticate(String, String, String, String) |
ITarantellaWebtopSession | authenticateSession(String, String, String, Item[], Item[]) | authenticateExt(String, String, String, String, Item[], Item[]) |
ITarantellaWebtopSession | setTCCConfiguration (String, String, String, String, String, Item[]) | setTCCConfigurationOverrides (String, String, String, String, String, Item[]) |
ITarantellaWebtopSession | startSession(*) | No equivalent |
The following table lists the new web service operations.
The SOAP message encoding format used for SGD web services has changed from RPC/Encoded to Document/Literal.
To list the SGD web services, go to http://server.example.com/axis/services, where server.example.com is the name of an SGD server. Click on the wsdl link to see the Web Services Description Language (WSDL) listing for an SGD web service.
The WSDL listings for the RPC/Encoded versions of the web services are still included on this page. Do not use the RPC/Encoded versions for developing your own applications. These versions of the web services will be deprecated in future releases.
A new setting for the tarantella cache command enables you to refresh the current Kerberos configuration settings for an SGD server.
The new option, krb5config, is used as follows:
$ tarantella cache --flush krb5config
This setting enables you to update the Kerberos configuration for an SGD server without having to restart the server. This feature is used for Active Directory authentication only.
For users of the SGD Enhancement Module, a new command is available.
The tem status command provides status information for load balancing, UNIX platform audio, and client drive mapping services for the SGD array. The command lists the installed modules and indicates whether they are running or not.
The SGD Client can be started from the command line using the tcc command on Microsoft Windows client platforms, or the ttatcc command on UNIX, Linux, or Mac OS X client platforms.
In this release, by default, when you start the SGD Client from the command line or in Integrated mode, the SGD Client assumes that the client device does not have Java technology enabled. A new -use-java argument for the tcc and ttatcc commands configures the SGD Client to use Java technology.
In previous releases, by default, the SGD Client assumed Java technology was enabled. A -no-java argument for the tcc and ttatcc commands was available to override this behavior. This argument has now been deprecated.
The available arguments for the tcc and ttatcc commands are described in the Sun Secure Global Desktop 4.41 Administration Guide.
The SGD Client now logs information on client devices. Device access data and error messages are logged for printing, serial port, client drive mapping, audio, and smart card devices.
The client device information is written to the SGD Client log file and is displayed on the Detailed Diagnostics page of the webtop.
Several attributes have been renamed to give shorter attribute names. This reduces the risk of typing errors when entering these attributes on the command line. The following table lists the attribute names that have been renamed.
Attribute Name in Version 4.31 | Attribute Name in Version 4.40 |
---|---|
--tarantella-config-login-thirdparty-searchens | --login-thirdparty-ens |
--tarantella-config-login-thirdparty-allownonens | --login-thirdparty-nonens |
--tarantella-config-ldap-thirdpartyldapcandidate-useens | --login-ldap-thirdparty-ens |
--tarantella-config-ldap-thirdpartyldapcandidate-useprofile | --login-ldap-thirdparty-profile |
--tarantella-config-xpeconfig-timezonemapfile | --xpe-tzmapfile |
The Windows NT Domain attribute has been renamed to Domain Name. This attribute specifies the domain to use for the application server authentication process.
The names of the SGD PDF printers have changed as shown in the following table.
Printer Name in Release 4.31 | Printer Name in Release 4.40 |
---|---|
Universal PDF | Universal PDF Printer |
Print to Local PDF File | Universal PDF Viewer |
For application objects configured with a Window Type setting of Independent Window, a warning dialog is now shown when the application window is closed. The dialog prompts you to confirm that you want to end the application session.
You can no longer configure SOCKS proxy servers using the SGD Client profile.
You can still configure SOCKS proxy servers using the array routing feature. Use the following command:
$ tarantella config edit \
    --tarantella-config-array-netservice-proxy-routes \
    "192.168.10.*:CTSOCKS:taurus.indigo-insurance.com:8080"
With this configuration, clients with IP addresses beginning 192.168.10 connect using the SOCKS proxy server taurus.indigo-insurance.com on TCP port 8080.
The Object Manager, Array Manager, Session Manager, and Configuration Wizard administration tools are no longer displayed on the Administrator’s webtop. These administration tools have been replaced by a browser-based administration tool called the Administration Console. See SGD Administration Console for more details.
The Configuration Wizard is still included in the SGD distribution, as an example web application. To display the Configuration Wizard, go to http://server.example.com/sgd/admin/configmgr/index.jsp, where server.example.com is the name of an SGD server.
Session Manager is still included in the SGD distribution, as an example web application. To display Session Manager, go to http://server.example.com/sgd/admin/sessmgr/index.jsp, where server.example.com is the name of an SGD server.
The login scripts in the /opt/tarantella/var/serverresources/expect directory have been rationalized. Some scripts have been renamed and others have been merged.
If you are using SecurID for application server authentication, objects now use the securid.exp script, rather than the securid/unix.exp script. For backward compatibility, a symbolic link now exists from securid/unix.exp to the new securid.exp script.
An input method (IM) is a program or operating system component that enables users to enter characters and symbols not found on their keyboard. On Microsoft Windows platforms, an IM is called an input method editor (IME).
When running applications, SGD enables an IM if any of the TTA_PreferredLocale, TTA_HostLocale, or LANG (from the application environment overrides) environment variables is set to a locale that requires an IM. The locales that require an IM are controlled by the IM_localeList variable, which is defined in the vars.exp login script.
By default, an IM is enabled for all Japanese, Korean, and Chinese locales. To enable an IM in other locales, you must edit vars.exp and add the locale to the IM_localeList variable.
This section describes the changes since the SGD version 4.30 release.
In version 4.31, you can use SecurID authentication when SGD is installed on Solaris x86 platforms.
In version 4.30, it is possible to connect only to one SGD server when the SGD Client is in Integrated mode. In version 4.31, Integrated mode can be used with multiple SGD servers. In the desktop Start or Launch menu, a login link is available for each SGD server.
SGD has an array routes feature that enables you to configure server-side SOCKS proxy servers. You configure array routes with the following command:
$ tarantella config edit \
    --tarantella-config-array-netservice-proxy-routes route...
Array routes are enhanced so that you can now configure a direct connection type. Use CTDIRECT as the connection type to specify the clients that can connect without using a proxy server.
The following is an example array route configuration:
$ tarantella config edit \
    --tarantella-config-array-netservice-proxy-routes \
    "192.168.5.*:CTDIRECT:" \
    "192.168.10.*:CTSOCKS:taurus.indigo-insurance.com:8080"
With this configuration, clients with IP addresses beginning 192.168.5 have a direct connection. Clients with IP addresses beginning 192.168.10 connect using the SOCKS proxy server taurus.indigo-insurance.com on TCP port 8080.
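The client-IP filters used by array routes (the CTDIRECT and CTSOCKS examples above, and the SOCKS route shown under the 4.40 changes) and by the --server-dns-external attribute (the netmask filter example under the 4.40 features) share one format: a filter on the client address, a colon, then the value to apply. The following Python is an added illustration of how such a list resolves for a given client address; it is not SGD's own code. Its assumptions are marked in the comments: wildcard filters are compared octet by octet with a trailing * covering the remaining octets, entries are checked in the order given and the first match wins, a client that matches no array route gets a direct connection, and the "*:www.indigo-insurance.com" catch-all entry is constructed for the example and does not come from these notes. If a deployment depends on the exact boundary of a wildcard such as 192.168.10.*, prefer the netmask form, whose boundary is unambiguous.

```python
"""Resolve SGD-style client-IP filters (added illustration, not SGD code).

Filter shapes, as described in the release notes:
  * netmask form   v.w.x.y/z, e.g. 192.168.55.0/24
  * wildcard form  e.g. 192.168.10.*  (a bare "*" is a catch-all)
"""
import ipaddress
from typing import List, Optional, Tuple


def filter_matches(ip_filter: str, client_ip: str) -> bool:
    """Return True if client_ip is selected by ip_filter.

    Assumption: in the wildcard form, octets are compared one by one and a
    trailing "*" covers every remaining octet, so 192.168.1.* does not
    select 192.168.10.5. The netmask form uses ordinary CIDR membership.
    """
    ip_filter = ip_filter.strip()
    client = ipaddress.IPv4Address(client_ip)          # validates the address
    if "/" in ip_filter:
        return client in ipaddress.ip_network(ip_filter, strict=False)
    octets = client_ip.split(".")
    parts = ip_filter.split(".")
    if len(parts) > 4:
        raise ValueError(f"bad wildcard filter: {ip_filter!r}")
    for i, part in enumerate(parts):
        if part == "*":
            if i == len(parts) - 1:
                return True                              # covers the rest
            continue                                     # any value here
        if part != octets[i]:
            return False
    return len(parts) == 4                               # exact 4-octet match


def select_route(routes: List[str], client_ip: str) -> Tuple[str, Optional[str], Optional[int]]:
    """Pick the array route for client_ip.

    Each route is "filter:type:host:port"; a CTDIRECT route has an empty
    host and port. Returns (type, host, port).
    Assumption: routes are evaluated in order and the first match wins;
    a client that matches no route is treated as CTDIRECT here.
    """
    for route in routes:
        fields = route.split(":")
        if len(fields) < 2:
            raise ValueError(f"malformed route: {route!r}")
        ip_filter, ctype = fields[0], fields[1]
        if not filter_matches(ip_filter, client_ip):
            continue
        if ctype == "CTDIRECT":
            return ("CTDIRECT", None, None)
        if ctype == "CTSOCKS":
            if len(fields) != 4 or not fields[2] or not fields[3].isdigit():
                raise ValueError(f"CTSOCKS route needs host and port: {route!r}")
            return ("CTSOCKS", fields[2], int(fields[3]))
        raise ValueError(f"unknown connection type {ctype!r} in {route!r}")
    return ("CTDIRECT", None, None)


def select_external_dns_name(entries: List[str], client_ip: str) -> Optional[str]:
    """Pick the external DNS name an SGD server presents to client_ip.

    Entries are "filter:dnsname", as set with --server-dns-external.
    Assumption: first matching entry wins; None if nothing matches.
    """
    for entry in entries:
        ip_filter, _, name = entry.partition(":")
        if name and filter_matches(ip_filter, client_ip):
            return name
    return None


# Constructed configuration: the two routes and the netmask entry are the
# ones shown in the release notes; the "*" catch-all entry is an assumption.
ARRAY_ROUTES = [
    "192.168.5.*:CTDIRECT:",
    "192.168.10.*:CTSOCKS:taurus.indigo-insurance.com:8080",
]
EXTERNAL_DNS = [
    "192.168.55.0/24:boston.indigo-insurance.com",
    "*:www.indigo-insurance.com",
]

if __name__ == "__main__":
    for ip in ("192.168.5.9", "192.168.10.20", "192.168.100.20", "192.168.55.40", "10.0.0.1"):
        print(ip, select_route(ARRAY_ROUTES, ip), select_external_dns_name(EXTERNAL_DNS, ip))
```

Running the block prints, for each sample address, the route and external DNS name it would receive; note that 192.168.100.20 falls through to a direct connection under the octet-wise reading of 192.168.10.*, which is exactly the kind of boundary a /24 netmask filter pins down.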
In version 4.31, the startup scripts that ensure SGD services stop and start when an SGD server is rebooted are renamed and restructured. The *Tarantella and *TarantellaWebserver scripts are replaced by a single script named *sun.com-sgd-base. The *tem script for the SGD Enhancement Module is now named *sun.com-sgd-em.
Copyright © 2008, Sun Microsystems, Inc. All rights reserved.