Sgd's security

I use Active Directory to do the security authentication. I think the user's id/pwd is impossible to be stolen and the unallowed user cannot be injected. Is it true?
And how can I keep the root account safe, except by setting a long password for it?
SGD:4.4.1
SGD OS:Solaris 10
AD Server's OS : windows2008

Yes, I followed the steps for installation correctly and can see the administration console,
but when I try to login as administrator from the server's browser to my desktop as mentioned in the SGD 5.1 installation guide,
after the certificate error I get a "failed to install sgd client" message. After googling around I found a solution link regarding checking the
ldd ttatcc command; all the .so files are found now but I still get the "failed to install sgd client" msg.
What to do now?
DNS configurations: I am using the server machine to act as client.
I use https://oracle.linux/sgd where oracle.linux is the hostname of the server.

Similar Messages

  • SGD + Microsoft ISA 2006

    *-- Reposted as a Question -- (Didn't realise it helped get replies) :) --*
    Hi,
    I am hoping someone would be able to help me out here. We have recently purchased the SUN VDI and SGD which we have been looking at for some time now; due to budgets this year it has taken some time but I have finally got there in the end and I am very happy with the VDI Service.
    I am trying to get the SGD working externally at the moment but it appears to be having problems when it launches the java engine, the java client shows the following in the console
    Java Plug-in 1.6.0_18
    Using JRE version 1.6.0_18-b07 Java HotSpot(TM) Client VM
    java.lang.ClassFormatError: Incompatible magic value 1008813135 in class file Tester
    at java.lang.ClassLoader.defineClass1(Native Method)
    at java.lang.ClassLoader.defineClassCond(Unknown Source)
    at java.lang.ClassLoader.defineClass(Unknown Source)
    at java.security.SecureClassLoader.defineClass(Unknown Source)
    at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.loadCode(Unknown Source)
    at sun.plugin2.applet.Plugin2Manager.createApplet(Unknown Source)
    at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
    Exception: java.lang.ClassFormatError: Incompatible magic value 1008813135 in class file Tester
    java.lang.ClassFormatError: Incompatible magic value 1008813135 in class file com/tarantella/tta/client/tcc/lwplugin/pluginG/TCCHelper
    at java.lang.ClassLoader.defineClass1(Native Method)
    at java.lang.ClassLoader.defineClassCond(Unknown Source)
    at java.lang.ClassLoader.defineClass(Unknown Source)
    at java.security.SecureClassLoader.defineClass(Unknown Source)
    at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.loadCode(Unknown Source)
    at sun.plugin2.applet.Plugin2Manager.createApplet(Unknown Source)
    at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
    Exception: java.lang.ClassFormatError: Incompatible magic value 1008813135 in class file com/tarantella/tta/client/tcc/lwplugin/pluginG/TCCHelper
    To be quite honest none of that makes any kind of sense to me, but hopefully someone who is quite savvy with Java will know what is going on ;)
    I did some logs on ISA using my External IP when accessing SGD and it did say connection denied to a lot of .js paths, so I am wondering whether it is the authentication of ISA that is stopping SGD bringing those files down from the server. The problem is I cannot allow it to not use the ISA Authentication, as it needs to be over 443 and ISA obviously needs it to be secure using ISA Authentication for me to publish this.
    The procedure I have to use is: browse to the SGD URL, authenticate against ISA which then shows me the SGD Screen, I click on Login to Desktop which then gives me the SGD login, I then authenticate into SGD which then displays the JAVA Screen; at that point is when it just sits there doing nothing.
    Any help/advice will be appreciated
    Many Thanks,
    James.

    Well, I've not seen this before, but I've never seen anyone attempting to use ISA Server, either - I'd hope someone with more knowledge / experience with this product can offer some advice. Until then, guess you're stuck with me ...
    Anyway, it would appear that the Tester.class applet is being prevented from being downloaded to your client, or is corrupted in some way. ISA Server is almost certainly causing this.
    I'd first just confirm you can connect from that client to an SGD host without going through an ISA server - connect to https://sgddemo.sun.com and login anonymously, make sure that works.
    You may want to first open up your Java Control Panel, and check your "Temporary Cache Files -> (View)" and then "Resources". You should see a few Java-related files, Tester.class, ttalwwin32G-jps.jar, and ttalwG-jps.jar - if present, make a note of their sizes. Delete these, and then connect to the above URL; they'll be re-loaded.
    Delete these again, then attempt to access via your ISA server again; are any of them reloaded? What's their size?
    As for connecting through ISA Server, I'm afraid I know little about its details, but I think it could be problematic. Are you running SGD in secure (https/aips) mode? Are you running firewall traversal mode? Once authenticated to ISA server, how is traffic directed to the SGD webserver? Is it proxied, or can you get a direct connection?
    Recall that SGD has two connections between the client and the SGD server - the first is the web browser - http or https - that handles logging you in, building a webtop, launching applications, etc. The second is the AIP connection - this is your display traffic, and can be encrypted or left unencrypted. This connection is initiated by a separate client component, and uses tcp port 3144 (for unencrypted connections), 5307 (for encrypted), and most commonly port 443, in "firewall traversal" or "firewall forwarding" mode. In this mode, both https and aip traffic are tunneled on port 443, and are "demultiplexed" on the SGD server.
    I'd think that firewall forwarding might have the best chance of succeeding in this environment, as ISA server won't be able to recognize the Java class libraries for what they are, since they're encrypted. But I'm still concerned about routing and such in an SSL environment - I'm not convinced you'll be able to route a client connection properly through the ISA server.
    Anyway, a quick way to set up security/firewall traversal is using the "tarantella security enable" command line - it'll create a self-signed cert, install it, and configure firewall traversal. Or, if you have a permanent cert, it will install that as well.
    Here's where I'd recommend you use the Secure Gateway as an alternative entry point to your network ...

  • Radius authentication for the browser-based webtop

    Hiya all,
    With help of the radius-authentication module for apache (http://www.freeradius.org/mod_auth_radius/) and web-authentication it is possible to use radius-authentication for the classic webtop. Has anyone got Radius authentication working for the browser-based webtop?
    SSGD version:
    Sun Secure Global Desktop Software for Intel Solaris 10+ (4.30.915)
    Architecture code: i3so0510
    This host: SunOS sgd1.<removed> 5.10 Generic_118855-36 i86pc i386 i86pc
    I have the radius-module running for authentication of a single directory with the apache-config-lines:
    SetEnvIf Request_URI "\.(cab|jar|gif|der)$" sgd_noauth_ok
    <LocationMatch "/secure">
    Order Allow,Deny
    Allow from env=sgd_noauth_ok
    AuthName "Radius authentication for SGD"
    Authtype Basic
    AuthRadiusAuthoritative on
    AuthRadiusCookieValid 540
    AuthRadiusActive On
    Require valid-user
    Satisfy any
    </LocationMatch>
    When changing the line <LocationMatch "/secure"> to <LocationMatch "/sgd"> the browser asks for authentication and then a 'Not Found' page is displayed.
    When using the config-lines from http://docs.sun.com/source/819-6255/webauth_config_browser.html the login-page is being displayed normally and SSGD works.
    The main difference I can find between the location /secure and /sgd is: /secure is a simple directory and /sgd is a JkMount to Tomcat.
    Changing the JkLogLevel to debug gives the following info in the JkLogFile:
    Radius authentication:
    [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (449): Attempting to map URI '/sgd' from 5 maps
    [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/examples/*'
    [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/axis/*'
    [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/sgd/*'
    [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/axis'
    [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/sgd'
    [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (486): Found an exact match tta -> /sgd
    With the password-authentication file:
    [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (449): Attempting to map URI '/sgd/' from 5 maps
    [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/examples/*'
    [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/axis/*'
    [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/sgd/*'
    [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (475): Found a wildchar match tta -> /sgd/*
    [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_get_worker_for_name::jk_worker.c (111): found a worker tta
    [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_maintain::jk_worker.c (301): Maintaining worker axis
    [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_maintain::jk_worker.c (301): Maintaining worker tta
    [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_maintain::jk_worker.c (301): Maintaining worker examples
    It seems that the JkMount is not being evaluated correctly after using the radius-authentication.
    Any help will be useful since I have already been stuck on this problem for a couple of days :(
    Thanks,
    Remold | Everett

    I got response from the Fat Bloke on the mailing list.
    Adding the following line in the apache httpd.conf seems to help and resolved my problem:
    Alias /sgd "/opt/tarantella/webserver/tomcat/5.0.28_axis1.2final_jk1.2.8/webapps/sgd"
    Thanks The Fat Bloke !!
    - Remold
    These instructions are for a 4.2 SGD installation using SGD's third party web authentication with mod_auth_radius.so (www.freeradius.org).
    With 4.2 Sun didn't distribute enough of the Apache configured tree to enable the use of apxs to build the mod_auth_radius module; 4.3 is better - Sun now install a modified apxs and include files. I haven't tried this with 4.3 yet though.
    I built the mod_auth_radius module for Apache 1.3.33 (shipped with 4.2).
    So, this is how we got this working with Radius (tested with SBR server and freeradius.org server.)
    Install SGD in the usual way.
    Enable 3rd party authentication:
    According to:
    http://docs.sun.com/source/819-4309-10/en-us/base/standard/webauth_config_browser.html
    Configure the Tomcat component of the Secure Global Desktop Web Server to trust the web server authentication. On each array member, edit the /opt/tarantella/webserver/tomcat/version/conf/server.xml file. Add the following attribute to the connector element (<Connector>) for the Coyote/JK2 AJP 1.3 Connector:
    tomcatAuthentication="false"
    # cat /opt/tarantella/webserver/tomcat/5.0.28_axis1.2final_jk1.2.8/conf/server.xml
    <!-- Define a Coyote/JK2 AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" minProcessors="5" maxProcessors="75"
    tomcatAuthentication="false"
    enableLookups="true" redirectPort="8443"
    acceptCount="10" debug="0" connectionTimeout="0"
    useURIValidationHack="false"
    protocolHandlerClassName="org.apache.jk.server.JkCoyoteHandler"/>
    "By default, for security reasons, Secure Global Desktop Administrators can't log in to the browser-based webtop with web server authentication. The standard login page always displays for these users even if they have been authenticated by the web server. To change this behavior, run the following command:"
    # tarantella config edit --tarantella-config-login-thirdparty-allowadmins 1
    Without this, after authenticating via webauth, the user will be prompted for a second username and password combination.
    # /opt/tarantella/bin/tarantella objectmanager &
    # /opt/tarantella/bin/tarantella arraymanager &
    In Array Manager:
    Select "Secure Global Desktop Login" on left side and click "Properties" at bottom
    Under "Secure Global Desktop Login Properties"
    cd /opt/tarantella/webserver/apache/1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/conf
    edit httpd.conf:
    ### For SGD Apache based authentication
    Include conf/httpd4radius.conf
    at the end of httpd.conf add:
    Alias /sgd "/opt/tarantella/webserver/tomcat/5.0.28_axis1.2final_jk1.2.8/webapps/sgd"
    # cat httpd4radius.conf
    LoadModule radius_auth_module libexec/mod_auth_radius.so
    AddModule mod_auth_radius.c
    # Add to the BOTTOM of httpd.conf
    # If we're using mod_auth_radius, then add it's specific
    # configuration options.
    <IfModule mod_auth_radius.c>
    # AddRadiusAuth server[:port] <shared-secret> [ timeout [ : retries ]]
    # Use localhost, the old RADIUS port, secret 'testing123',
    # time out after 5 seconds, and retry 3 times.
    AddRadiusAuth radiusserver:1812 testing123 5:3
    # AuthRadiusBindAddress <hostname/ip-address>
    # Bind client (local) socket to this local IP address.
    # The server will then see RADIUS client requests will come from
    # the given IP address.
    # By default, the module does not bind to any particular address,
    # and the operating system chooses the address to use.
    # AddRadiusCookieValid <minutes-for-which-cookie-is-valid>
    # the special value of 0 (zero) means the cookie is valid forever.
    AddRadiusCookieValid 5
    </IfModule>
    <LocationMatch /radius >
    Order Allow,Deny
    AuthType Basic
    AuthName "RADIUS Authentication"
    AuthAuthoritative off
    AuthRadiusAuthoritative on
    AuthRadiusCookieValid 5
    AuthRadiusActive On
    Require valid-user
    Satisfy any
    </LocationMatch>
    SetEnvIf Request_URI "\.(cab|jar|gif|der)$" sgd_noauth_ok
    <LocationMatch /sgd >
    Order Allow,Deny
    Allow from env=sgd_noauth_ok
    AuthType Basic
    AuthName "RADIUS Authentication"
    AuthAuthoritative off
    AuthRadiusAuthoritative on
    AuthRadiusCookieValid 5
    AuthRadiusActive On
    Require valid-user
    Satisfy any
    </LocationMatch>
    Put appropriate mod_auth_radius.so into /opt/tarantella/webserver/apache/1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/libexec
    # mkdir /opt/tarantella/webserver/apache/1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/htdocs/radius/
    # cat /opt/tarantella/webserver/apache/1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/htdocs/htpasswd/index.html
    <HTML>
    <HEAD>
    <TITLE> Test Page for RADIUS authentication </TITLE>
    </HEAD>
    <BODY>
    <B> You have reached the test page for RADIUS authentication. </B>
    </BODY>
    </HTML>
    I hope this helps!
    -FB
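    The two LocationMatch blocks above hinge on three directives working together: SetEnvIf marks URIs ending in .cab/.jar/.gif/.der with sgd_noauth_ok, "Allow from env=" admits those, and "Satisfy any" lets either that access rule or a successful RADIUS login suffice, so the SGD client pieces download without a login while everything else under /sgd needs one. The Python below is an added example, not part of the thread or of SGD; it replays that access decision for a given URI against a constructed fragment modelled on httpd4radius.conf, and flags the two weak values the posted comments themselves call out (the sample shared secret 'testing123' and a cookie lifetime of 0, which the comment says means "valid forever").

```python
import re

# Constructed fragment modelled on the httpd4radius.conf posted above; the
# global cookie lifetime is set to 0 here on purpose so the audit has a hit.
SAMPLE_CONF = r"""
AddRadiusAuth radiusserver:1812 testing123 5:3
AddRadiusCookieValid 0
SetEnvIf Request_URI "\.(cab|jar|gif|der)$" sgd_noauth_ok
<LocationMatch /sgd >
Order Allow,Deny
Allow from env=sgd_noauth_ok
AuthType Basic
AuthName "RADIUS Authentication"
AuthAuthoritative off
AuthRadiusAuthoritative on
AuthRadiusCookieValid 5
AuthRadiusActive On
Require valid-user
Satisfy any
</LocationMatch>
"""


def parse_conf(conf):
    """Split the fragment into top-level directives and per-LocationMatch directive lists."""
    top, blocks, current = [], {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r'<LocationMatch\s+"?([^\s">]+)"?\s*>$', line)
        if opened:
            current = opened.group(1)
            blocks[current] = []
        elif line.lower().startswith("</locationmatch"):
            current = None
        elif current is None:
            top.append(line)
        else:
            blocks[current].append(line)
    return top, blocks


def noauth_patterns(top):
    """Regexes from 'SetEnvIf Request_URI ... sgd_noauth_ok': the no-login carve-out."""
    pats = []
    for d in top:
        m = re.match(r'SetEnvIf\s+Request_URI\s+"([^"]+)"\s+sgd_noauth_ok$', d)
        if m:
            pats.append(re.compile(m.group(1)))
    return pats


def access_decision(conf, uri, radius_ok):
    """Emulate Order Allow,Deny + Allow from env + Require valid-user + Satisfy.

    Returns 'allow-unauthenticated', 'allow-authenticated', 'deny', or
    'no-location-match' when no block covers the URI at all.
    """
    top, blocks = parse_conf(conf)
    exempt_uri = any(p.search(uri) for p in noauth_patterns(top))
    for loc, directives in blocks.items():
        if not re.search(loc, uri):
            continue
        lowered = [d.lower() for d in directives]
        # Order Allow,Deny with no Deny line: access passes only if an Allow matches.
        access_ok = ("allow from all" in lowered) or (
            exempt_uri and "allow from env=sgd_noauth_ok" in lowered)
        requires_user = any(d.startswith("require ") for d in lowered)
        auth_ok = (not requires_user) or radius_ok
        if "satisfy any" in lowered:
            allowed = access_ok or auth_ok      # either rule is enough
        else:
            allowed = access_ok and auth_ok     # default 'Satisfy all'
        if not allowed:
            return "deny"
        return "allow-authenticated" if (requires_user and radius_ok) else "allow-unauthenticated"
    return "no-location-match"


def audit(conf):
    """Flag the weak values the posted config comments warn about."""
    top, blocks = parse_conf(conf)
    findings = []
    for d in top:
        m = re.match(r"AddRadiusAuth\s+(\S+)\s+(\S+)", d)
        if m and m.group(2) == "testing123":
            findings.append(f"{m.group(1)}: shared secret is still the example value 'testing123'")
        m = re.match(r"AddRadiusCookieValid\s+(\d+)$", d)
        if m and int(m.group(1)) == 0:
            findings.append("AddRadiusCookieValid 0: RADIUS session cookie never expires")
    for loc, directives in blocks.items():
        for d in directives:
            m = re.match(r"AuthRadiusCookieValid\s+(\d+)$", d)
            if m and int(m.group(1)) == 0:
                findings.append(f"{loc}: AuthRadiusCookieValid 0 never expires")
    return findings


if __name__ == "__main__":
    for uri, ok in [("/sgd/ttalwG-jps.jar", False), ("/sgd/index.jsp", False), ("/sgd/index.jsp", True)]:
        print(uri, "radius_ok=%s" % ok, "->", access_decision(SAMPLE_CONF, uri, ok))
    for finding in audit(SAMPLE_CONF):
        print("WEAK:", finding)
```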

  • Secure connection suddenly broken in SGD 4.6 on CentOS?

    hello all,
    since yesterday, it is broken: when the first page is displayed, and I choose "Login", the sgd displays:
    Error Page
    The following exception was thrown
    and nothing else
    looking at the server, I notice this strange error:
    [root@nemo certs]# /opt/tarantella/bin/tarantella security certinfo --certfile ./cert-4607-my-site.fr.pem
    The certificate file doesn't exist.
    but i verified my files with openssl commands, and they are ok!
    i also noticed this kind of messages that happens often:
    Jan 24 22:05:07 nemo kernel: ttaxpe[19381]: segfault at 0000000000000008 rip 00000000080c2d4c rsp 00000000fff54400 error 4
    and in /opt/tarantella/var/log/error.log:
    2011/01/28 21:02:20.875 ssl10864 ssldaemon/socket/forwarderrorOracle Secure Global Desktop (4.6) ERROR:
    The Secure Global Desktop Security Daemon failed to create a socket connecting to the Secure Global Desktop server on port 443 on behalf of client 127.0.0.1:443.
    connect(11,127.0.0.1:443): (111) Connection refused ssldaemon/socket/forwarderror
    what can I do? Can anybody help or suggest something?
    thanks in advance
    gerard

    anybody here? Has anybody ever encountered this problem?
    I can reproduce it with an app server under solaris 10.
    I tried to restart all the processes without success.
    The only so-called workaround is to re-install everything :(
    gerard

  • Securing sgd connections

    Hi Forum,
    we have run sgd for a while using the classic webtop through port 443 in a LAN without any problems.
    Now we tried to secure also sgd connections following the manual but get
    InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    We're running Fedora Core4 without any problems so far...
    Any hint from the community what we missed? (btw, we're using a self signed certificate:
    /opt/tarantella/bin/jre/bin/keytool -import -keystore /opt/tarantella/var/info/certs/keystore2 -file /opt/tarantella/webserver/apache/1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/conf/ssl.crt/server.crt)

    Sounds like the JVM can't find the self-signed certificate.
    Have you pointed it to the correct place in Resources.properties?
    e.g.
    keystore=/opt/tarantella/var/info/certs/keystore2
    keystorepass=whatever_your_password_is
    Are the permissions and owner of the file such that the Tomcat server can read it?
    Also (this may be a stupid question) did you say 'yes' when the keytool import asked you "Trust this certificate?" ?

  • How do you allow Unix based ONC  RPC within the security constraints of SGD

    On our new boxes running SGD 4.2.91 and up we notice that our applications that use rpc to communicate no longer work. One of the programs, the arbitrator, (i.e. runs in its own process space, not a linked in library). Therefore, two users will share the same arbitrator (or conversely, only one arbitrator runs per machine). The arbitrator runs without a display (i.e. has no stdout, etc, similar to a daemon). The arbitration process also uses the UNIX kernel resource of shared memory. Here is what I have observed with my testing. The arbitrator routine is successfully registered in the port map (svc_register). This means it does run. But later when svc_run is called, the process is not found (actually the select fails), and ps -ef | grep arbitrator indicates that the arbitrator is not running

    Does SGD put any restrictions/constraints on ONC RPC, i.e. does it attempt to block or authenticate?
    What object list_attributes does the application that launches arbitrator need?
    Does arbitrator need to be in the list of allowed applications for the current user? Can it be put in this list and not have an icon on the desktop (since the user does not manually launch it, and usually is not even aware of it)?
    Or, more generally, how does the enumerated allowed list of executables handle a process that exec/forks a new process? i.e. does SGD have to know the forked process name, etc?

  • How does one install SGD security pack?

    Need to install a SSL cert, can't seem to figure out how to install the Security Pack.
    The version I'm running is 4.5; Build: 20091119205307 on RedHat
    In the manual it states to run this command:
    # /opt/tarantella/bin/tarantella security certrequest
    But every time I run that, it just errors and states "missing component". So, I must be missing something.
    Do I need to download the Security Pack? If so, from where?
    Thanks in advance,
    david

    I think i figured it out. I had to first add tarantella to the path:
    PATH=$PATH:/opt/tarantella/bin; export PATH

  • Windows domain authentication on Oracle Secure Global Desktop

    Hello,
    I made an upgrade of my oracle secure global desktop 4.62 version to 5.1 version.
    The problem is, I was using Windows Domain Authentication in 4.62 and this kind of authentication is not available in the 5.1 version.
    So now, my users cannot log in to the application.
    Do you have a solution ?
    Thanks

    What are you authenticating to specifically?  An AD server?  Are you using any of the supported authentication mechanisms now supported?
    http://docs.oracle.com/cd/E41492_01/E41495/html/sgd-authentication.html#system-authentication-mechanisms-table

  • Expired internal SSL cert on SGD 4.5?

    Upgraded Solaris SGD from 4.41 to 4.5. I use a SSL cert for our site, which is working fine. SGD login prompt appears and cert can be viewed and verified.
    However after logging in, I get a security warning on tcchelper saying that Sun's own Verisign certificate expired on 8/29/2010. Is a current cert available?

    yes, please open a case with Oracle Support and we will provide you an update on SGD 4.50.933.

  • SGD 4.3 authenticate with AD(Users login n get different set of application

    Hi SGD Forum users,
    First of all, happy new year and happy holiday to all of you from new SGD user :-).
    We are planning to demo SGD 4.3 to one of our customers by early next week.
    So, what the customer would like to see with the demo:
    1) From SunRay client, user1 launch Firefox browser and type the sgd web page.
    - Enter username and password ( Username and password must authenticate with AD ).
    - After successfully authenticate, user1 will get his webtop page.
    - In the webtop page, user1 only have two(2) applications to launch. First application is MS Office Word and Second application is Full Virtual XP desktop( 192.168.5.205 ).
    2) From SunRay client, user2 launch Firefox browser and type the sgd web page.
    - Enter username and password ( Username and password must authenticate with AD ).
    - After successfully authenticate, user2 will get his webtop page.
    - In the webtop page, user2 only have two(2) applications to launch. First application is MS Office Excel and Second application is Full Virtual XP desktop( 192.168.5.206 ).
    3) From SunRay client, user "manager" launch Firefox browser and type the sgd web page.
    - Enter username and password ( Username and password must authenticate with AD ).
    - After successfully authenticate, user "manager" will get his webtop page.
    - In the webtop page, user "manager" only have four(4) applications to launch. First application is MS Office Word, Second application is MS Office Excel, Third application is MS Office Powerpoint and Fourth application is Full Virtual XP desktop( 192.168.5.207 ).
    Note: The above mentioned users( user1, user2 and manager ) launch a different MS Office applications and different Virtual XP desktop servers.
    Here are my SGD 4.3 demo setup:
    - Install Solaris 10 06/06 OS for Sparc.
    - Install latest patches.
    - Create a local zone.
    - Install SRSS 3.1 and patches in Global zone.
    - Install SGD 4.3 in the local zone.
    - My colleague installed 2x MS Server 2003 (AD and DNS server)
    - My colleague installed ESX (VM Server) and created 3x Virtual XP Desktop (192.168.5.205, 192.168.5.206 & 192.168.5.207).
    In my SGD, Array Manager, I had successfully set "Enabling the Active Directory login authority" as mentioned in the SGD Administrator Guide. I also login successfully to SGD server using user1, user2 and manager (created in AD server). So, my SGD server successfully communicated with AD server.
    When I test login user1 or user2 or manager to SGD server, they get the same webtop with the same applications. If I am not wrong, this behaviour is due to LDAP Profile under "o=Tarantella System Objects". If I put any application in LDAP Profile's Links tab, all the users who authenticated with AD will be able to launch it.
    The customer requirement is, all the users authenticate with AD and the users should launch different applications and different Virtual XP Desktop as i mentioned earlier.
    Is it possible to perform the SGD demo as customer requirement ? If yes, can you guide and help me on how-to create different profile for each AD authenticated users.
    Thanks in advance.
    # Yours Sincerely,
    # Mohamed Ali Bin Abdullah.

    Hi Wai,
    Sorry not including full details of the person object in my previous posting.
    Here are the details of person object:
    General
    - Name: user1
    - Description:
    - Surname: esuria
    - Username: user1
    - Email: [email protected]
    - Locale: Automatic
    - Keyboard Map: Use XPE setting
    - Windows NT Domain: BIA
    - Bandwidth: None
    - Webtop Theme: Standard
    - Inherit parent's webtop content: NO
    - Shared between users(quest): NO
    - May log in to Secure Global Desktop: YES
    - Profile Editing: Use Parent setting
    - Clipboard Access: Use Parent Setting
    - Serial Port Mapping: Use Parent Setting
    Links
    o=BIA/cn=MS XP Desktop 192.168.5.205
    That's the setting of user1 person object which I had created in my SGD, but when user1 authenticated with AD, user1 still sees the LDAP Profile applications.
    What else do I need to set in SGD and on the AD server side?
    Thanks in advance.

  • SGD - Fails to launch applications

    We are having a problem with SGD - we can not launch applications.
    We have SGD 4.2 running on a Solaris 10 server.
    We had SGD up and running good. However, we had several things occur and now it does not work. First we had to relocate our server due to building renovations. Then shortly after setting up the system in the new location, we had a hard drive fail. And unfortunately the sys admin guys did not have a good/current backup of the drive. We did however reload a backup that was about 9-months old. However it does not work correctly now.
    We can bring up the main SGD web page, can login to the system, and see the applications and function set up in object manager. However when we try to launch an application it fails.
    Looking in the error.log file we see a message "failed to open display"
    However we can not see how SGD sets the display to enable the application to be viewed over the web connection.
    Any help would be greatly appreciated.
    Thanks,
    Mike

    It is a good thing to have as much help as possible. One of the other SAs working on the problem entered his google search a little different and came up with this hit: (http://blogs.sun.com/malhar/entry/sun_secure_global_desktop_tarantella -- text below) that fixed our problem. Thought I would post it here for the next person who runs into the same problem.
    Sun Secure Global Desktop (Tarantella) "DISPLAY variable not set" error message?
    If you've been facing a problem with the erstwhile Tarantella, now Sun Secure Global Desktop (SGD), where you don't see X applications opening up when you click the link, you're in luck.
    I have the solution.
    If you are fast enough to click on the "Show Details" button before the application loading window opens and then closes, you will see in the logs that the application cannot open because it finds that the DISPLAY variable is not set.
    Also, if you read the documentation, you will see that the admin guide explicitly asks you to NOT set the DISPLAY variable which gets set automatically. So where's the problem?
    What you need to do is this:
    1. Open the /etc/rc.d/init.d/Tarantella script in your favourite text editor
    2. Look for TTASSHCLIENT (this is usually commented out)
    You will notice that the line will look something like this
    #TTASSHCLIENT="";export TTASSHCLIENT
    3. Uncomment the line
    4. Add /usr/bin/ssh -X inside the quotes on the line to make the line look like this
    TTASSHCLIENT="/usr/bin/ssh -X";export TTASSHCLIENT
    And restart!
    That's it. Your problem is solved. I accept your thank yous in advance
    Posted at 06:23PM Dec 11, 2006 by malhar in General |
    Thanks again

  • Setup AD integration With SGD

    I'm in the process of setting up a test for use of SGD within our organisation. I want to get rid of our current remote access procedure of using PPTP/VPN clients and give the user a complete browser experience. As part of this test I have a Solaris 10 VM running v4.20.983 of the SGD software. My question is now, is there a step by step guide I can follow to configure SGD with Windows 2003 AD integration so I can present remote users with a Windows Terminal Services session within a browser. This session would be a full desktop and not just a remote application?
    TIA.

    Many thanks for the clarification. Here's the last portion of the jserver log file with some warning errors etc:
    2010/02/03 18:52:39.430     (pid 13528)     server/ldap/warningerror     #1265223159430
    Sun Secure Global Desktop Software (4.5) WARNING:
    Directory Service Error from host
    Active Directory(ldap://172.16.0.5:3268::wm-exchange1.wmnet.local[/172.16.0.5]:[Down])
    Message:
    Socket timed out: connect timed out
    SGD will retry this directory server and if another failure is detected, SGD will failover to the next available directory server.
    To troubleshoot this error:
    - Verify that this host is contactable.
    - Verify that the LDAP service is available.
    2010/02/03 18:52:39.430     (pid 13528)     server/ad/warningerror     #1265223159431
    Sun Secure Global Desktop Software (4.5) WARNING:
    Failed to connect to the global catalog
    Active Directory(ldap://172.16.0.5:3268::wm-exchange1.wmnet.local[/172.16.0.5]:[Down]).
    Reason
    Socket timed out: connect timed out
    Global catalog
    Active Directory(ldap://172.16.0.5:3268::wm-exchange1.wmnet.local[/172.16.0.5]:[Down])
    cannot be used to retrieve data from the forest.
    To help troubleshoot this warning,
    - Verify that this global catalog is available on the network.
    - Verify that SGD can resolve the global catalog's hostname via DNS.
    - Verify that SGD can connect to port 3268 on the global catalog.
    - Verify that this server is a global catalog for the forest.
    2010/02/03 18:52:54.640     (pid 13528)     server/ad/warningerror     #1265223174640
    Sun Secure Global Desktop Software (4.5) WARNING:
    DNS lookup failed to find wm-sgd1
    Reason:
    javax.naming.ServiceUnavailableException: DNS server failure [response code 2]; remaining name 'wm-sgd1'
    wm-sgd1
    cannot be used by SGD.
    Make sure the DNS server contains a valid entry for this host.
    2010/02/03 18:52:54.640     (pid 13528)     server/ad/warningerror     #1265223174641
    Sun Secure Global Desktop Software (4.5) WARNING:
    Active Directory service discovery failed
    Failed to get IP addresses for the peer DNS name
    Current state:
    Looking up Global Catalog DNS name: _gc._tcp.WMNET.local. - HIT
    Looking for GC on server: Active Directory(ldap://172.16.0.5:3268::wm-exchange1.wmnet.local[/172.16.0.5]:[Up]) - ERROR
    Looking for GC on server: Active Directory(ldap://192.168.1.200:3268::wm-office1.wmnet.local[/192.168.1.200]:[Up]) - HIT
    Checking for CN=Configuration: DC=WMNET,DC=local - MISS
    Checking for CN=Configuration: CN=Configuration,DC=WMNET,DC=local - HIT
    Looking up domain root context: DC=WMNET,DC=local - HIT
    Looking up site context: CN=Sites,CN=Configuration
    Searching for sites: (&(objectClass=site)(siteObjectBL=*)) - HIT
    Looking up addresses for peer DNS: wm-sgd1 - HIT
    Failed to discover Active Directory Site, Domain and server data.
    Make sure the DNS server contains the Active Directory service
    records for the forest. Make sure a Global Catalog server is available.
    2010/02/03 18:52:54.645     (pid 13528)     server/ldap/warningerror     #1265223174645
    Sun Secure Global Desktop Software (4.5) WARNING:
    LDAP call failed:
    null lookupLink-.../_ldapmulti/forest/("DC=WMNET,DC=LOCAL")
    Call took 35386ms.
    Reason:
    javax.naming.NameNotFoundException: Failed to get IP addresses for the peer DNS name.
    The call to the directory server failed.
    Check the operation was correct, the LDAP configuration is valid, and the
    LDAP server is still running.
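As an added example (not from the thread or from SGD itself), a small parser for jserver warning entries of the shape quoted above, run over a constructed sample log: it counts warnings per category and records the Up/Down states reported for each directory server, so the global catalog that keeps timing out stands out from the one that answers.

```python
import re
from collections import defaultdict

# Entry header as jserver prints it: "<date time>  (pid N)  <category>  #<sequence>"
HEADER = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+\(pid (?P<pid>\d+)\)\s+"
    r"(?P<category>\S+)\s+#(?P<seq>\d+)$")
# Directory server reference with its connection state, as it appears in the messages
SERVER = re.compile(
    r"Active Directory\(ldap://(?P<ip>[\d.]+):(?P<port>\d+)::(?P<host>[^\[]+)"
    r"\[/[\d.]+\]:\[(?P<state>Up|Down)\]\)")

# Constructed sample in the same shape as the log quoted above (not a real capture)
SAMPLE_LOG = """\
2010/02/03 18:52:39.430     (pid 13528)     server/ldap/warningerror     #1265223159430
Sun Secure Global Desktop Software (4.5) WARNING:
Directory Service Error from host
Active Directory(ldap://172.16.0.5:3268::wm-exchange1.wmnet.local[/172.16.0.5]:[Down])
Message:
Socket timed out: connect timed out
2010/02/03 18:52:54.640     (pid 13528)     server/ad/warningerror     #1265223174641
Sun Secure Global Desktop Software (4.5) WARNING:
Active Directory service discovery failed
Looking for GC on server: Active Directory(ldap://172.16.0.5:3268::wm-exchange1.wmnet.local[/172.16.0.5]:[Up]) - ERROR
Looking for GC on server: Active Directory(ldap://192.168.1.200:3268::wm-office1.wmnet.local[/192.168.1.200]:[Up]) - HIT
"""

def parse_entries(text):
    """Split raw log text into entries: header fields plus the message lines that follow."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            entries.append({**m.groupdict(), "lines": []})
        elif entries and line:
            entries[-1]["lines"].append(line)
    return entries

def summarize(entries):
    """Warnings per category, and the sequence of Up/Down states seen per directory server."""
    per_category = defaultdict(int)
    states = defaultdict(list)
    for e in entries:
        per_category[e["category"]] += 1
        for line in e["lines"]:
            for s in SERVER.finditer(line):
                states[s["host"]].append(s["state"])
    return dict(per_category), dict(states)
```

Any server whose state list contains "Down" is the one to check against the hints in the log (reachable host, port 3268 open, hostname resolvable).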

  • Sgd + ldap auth + ssh and numeric usernames

    Hi there, sorry if there is a well known answer to my problem, but I have not found it.
    Anyway, we have a problem where our customer wants to use purely numeric usernames to log in to Secure Global Desktop.
    From the point of view of Secure Global Desktop we don't have any problems with this; the problem happens later on with the ssh to Solaris (which is set up with LDAP authentication), in that I have not been able to get purely numerical logins to work with Solaris pam_ldap. Now some of you think that this is not an SGD problem, and that is true, but I was wondering if SGD could help me solve this.
    My question is simple: can SGD use a "different" username taken from LDAP after it has logged in the user, instead of the username that the user provided?
    ex.
    the user logs in to SGD with the username 173651
    when starting the application, instead of logging in to the application server (via ssh) with username 173651 it should take another field from LDAP that holds the Solaris username.
    thanks for any answers and hints.

    Sorry, but you misunderstood my question a bit :-)
    What you suggest is a way for the users to type in another username after logging in to Secure Global Desktop; that is not what we want.
    We want this to be done automatically for us.
    First, we have changed a bit how the login procedure works: when the user surfs to the SGD server they will not be presented with any choices, they will be presented with a single login screen, and when they have logged in SGD will automatically start our application.
    The problem we have is that we want to use only digits as the login name in SGD, but unfortunately Solaris has some problems with using digits alone in usernames (and especially usernames longer than 8 characters).
    So I was hoping that SGD could read from LDAP (we are using the LDAP user store, not UNIX) another value that it would use to log in to the app server through SSH.
    For example, when logging in to SGD it logs in against the LDAP uid field, but when it starts the application SGD reads some other property from LDAP and sends that to ssh. Solaris is then also authenticating towards SSH and uses the second property to authenticate.
    If this cannot be done in Secure Global Desktop, I think we will look at using a third party authenticator that can do what we want (hopefully OpenSSO can do this).

  • SGD Portlet - Failed to build using Ant - UnsupportedClassVersionError

    Hi,
    I've downloaded the Sun Secure Global Desktop portlet source code from here: https://portlet-repository.dev.java.net/public/Download.html and I'm trying to compile it using Ant.
    I have Ant 1.7.0 and I'm using JRE 1.4.2_15. For some reason, the Ant task fails. Using the -debug and -logfile options, it points to a VersionTask class error:
    Adding reference: ant.PropertyHelper
    Detected Java version: 1.4 in: C:\Program Files\Java\j2sdk1.4.2_15\jre
    Detected OS: Windows XP
    Adding reference: ant.ComponentHelper
    Setting ro project property: ant.file -> C:\Documents and Settings\Administrator\My Documents\Projects\2007\Sun SGD\sgdportlet\build.xml
    Adding reference: ant.projectHelper
    Adding reference: ant.parsing.context
    Adding reference: ant.targets
    parsing buildfile C:\Documents and Settings\Administrator\My Documents\Projects\2007\Sun SGD\sgdportlet\build.xml with URI = file:/C:/Documents%20and%20Settings/Administrator/My%20Documents/Projects/2007/Bell/Sun%20SGD/sgdportlet/build.xml
    Setting ro project property: ant.project.name -> SGD Portlet
    Adding reference: SGD Portlet
    Setting ro project property: ant.file.SGD Portlet -> C:\Documents and Settings\Administrator\My Documents\Projects\2007\Sun SGD\sgdportlet\build.xml
    Project base dir set to: C:\Documents and Settings\Administrator\My Documents\Projects\2007\Sun SGD\sgdportlet
    +Target:
    +Target: all
    +Target: init
    +Target: version
    +Target: compile
    +Target: dist
    +Target: clean
    [antlib:org.apache.tools.ant] Could not load definitions from resource org/apache/tools/ant/antlib.xml. It could not be found.
    Setting project property: src -> C:\Documents and Settings\Administrator\My Documents\Projects\2007\Sun SGD\sgdportlet\src
    Setting project property: build.top -> C:\Documents and Settings\Administrator\My Documents\Projects\2007\Sun SGD\sgdportlet\build
    Setting project property: build.webinf -> C:\Documents and Settings\Administrator\My Documents\Projects\2007\Sun SGD\sgdportlet\build\WEB-INF
    Setting project property: build.classes -> C:\Documents and Settings\Administrator\My Documents\Projects\2007\Sun SGD\sgdportlet\build\WEB-INF\classes
    Setting project property: dist -> C:\Documents and Settings\Administrator\My Documents\Projects\2007\Sun SGD\sgdportlet\dist
    Setting project property: lib -> C:\Documents and Settings\Administrator\My Documents\Projects\2007\Sun SGD\sgdportlet\lib
    Setting project property: web -> C:\Documents and Settings\Administrator\My Documents\Projects\2007\Sun SGD\sgdportlet\web
    Setting project property: tools -> C:\Documents and Settings\Administrator\My Documents\Projects\2007\Sun SGD\sgdportlet\tools
    Setting project property: webinf -> C:\Documents and Settings\Administrator\My Documents\Projects\2007\Sun SGD\sgdportlet\web\WEB-INF
    Finding class com.tarantella.tools.ant.tasks.VersionTask
    Loaded from C:\Documents and Settings\Administrator\My Documents\Projects\2007\Sun SGD\sgdportlet\lib\tarantella-tasks.jar com/tarantella/tools/ant/tasks/VersionTask.class
    BUILD FAILED
    C:\Documents and Settings\Administrator\My Documents\Projects\2007\Sun SGD\sgdportlet\build.xml:14: java.lang.UnsupportedClassVersionError: com/tarantella/tools/ant/tasks/VersionTask (Unsupported major.minor version 50.0)
         at org.apache.tools.ant.dispatch.DispatchUtils.execute(DispatchUtils.java:115)
    I know this portlet code was just released this week, but has anybody had any success building the portlet into a .WAR file?
    Thanks in advance!
    Rob.

    I figured it out... the tarantella-tasks.jar file had class files in it that were compiled using jdk 6, and the rest of the project was compiled using jdk 1.4.2. Luckily, the source code was there so that I could recompile the classes back to 1.4.2 and it now works.

  • SGD 4 6 AD intermittent failures

    Hello all
    I have an issue with SGD 4.6....
    The infrastructure:
    2 SGD 4.6 in array config
    1 AD for authentication
    The first time I had authentication to the AD and I saw the tree of the AD on the SGD and everything worked fine; one day I just couldn't get the tree.
    The next day I found that I could authenticate with the AD on both servers; in the afternoon once again I lost auth on one of the array and a few minutes after on both servers; the next day at mid morning I got authentication on one server, I restarted the second one and gained authentication again.
    When I try to set up the authentication in the global conf during those outages I get this message.
    *errorLDAP Connection Error
    Failed to connect, no servers available[ dcexternal-srv.company.com.gt='javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]]'; ]*
    If I change the user for authentication (I know it is not the one to get access), I get this message:
    LDAP Connection Error Fail to connect, invalid authentication credentials
    I'll appreciate any help with this issue; it is killing me and I have a whole project waiting to solve this.
    Regards,

    Hi there,
    The error:
    GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
    means that SGD cannot find an authentication realm for the AD server being connected to and therefore cannot connect.
    If your AD environment has more than one AD server check you have a domain_realm mapping in your krb5.conf file for the network domain company.com.gt. If the mapping is missing, assign an authentication realm to the company.com.gt domain.
    If your AD environment has only a single AD server, were there any DNS outages around the time of the AD failures? DNS outages can mean that SGD cannot resolve the hostname of the server and therefore cannot work out a domain and/or an authentication realm to use when connecting to the server.
    For the LDAP issue, you may need to reconfigure the search filter used to find users in LDAP as the default values are sometimes not adequate for AD. The following blog entry should provide more information on reconfiguring this value:
    http://blogs.sun.com/danielc/entry/using_ad_as_an_ldap
    Hope this helps,
    -- DD
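As an added example (not from the thread), the domain_realm check described in the reply above, worked through in code: a constructed krb5.conf fragment without a mapping for company.com.gt beside one with it, and a simplified host-to-realm lookup (exact host, then each parent domain with a leading dot; no DNS or default-realm fallback) that returns no realm for dcexternal-srv.company.com.gt until the mapping is present. The realm name COMPANY.COM.GT is an assumption; the page names only the domain and the DC host.

```python
import re

# Constructed krb5.conf fragments (not from the thread). The realm name COMPANY.COM.GT is
# an assumption; the page only names the domain company.com.gt and its DC host.
CONF_MISSING_MAPPING = """\
[realms]
    COMPANY.COM.GT = {
        kdc = dcexternal-srv.company.com.gt
    }

[domain_realm]
    .internal.example = INTERNAL.EXAMPLE
"""

# Same fragment with the mapping for the DC's domain added
CONF_WITH_MAPPING = CONF_MISSING_MAPPING + """\
    .company.com.gt = COMPANY.COM.GT
    company.com.gt = COMPANY.COM.GT
"""

def parse_domain_realm(conf_text):
    """Return the [domain_realm] section as a dict (simplified: one 'key = value' per line)."""
    mapping, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = header.group(1)
        elif section == "domain_realm" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            mapping[key.lower()] = value
    return mapping

def realm_for_host(hostname, mapping):
    """Simplified host-to-realm lookup: the exact host first, then each parent domain with a
    leading dot. Returns None when nothing matches (no DNS or default-realm fallback here)."""
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return None
```

A None result here is the configuration-side counterpart of the "Server not found in Kerberos database" error: with no realm for the DC's domain, there is no service principal to request a ticket for.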
