APPENDIX A

Global Settings and Caches

Use the Global Settings tabs to configure settings that apply to Sun Secure Global Desktop (SGD) as a whole. Changes made in the Global Settings tabs affect all SGD servers in the array.

Use the Caches tab to view and manage entries in the password cache and the token cache.

This chapter includes the following topics:


Secure Global Desktop Authentication Tab

Use the settings on the Secure Global Desktop Authentication tab to control how users log in to SGD. The settings apply to all SGD servers in the array. Changes to the settings take effect immediately.

From the command line, use the tarantella config list command to list these settings, and the tarantella config edit command to edit these settings.

User authentication can be performed by an external authentication mechanism (third-party authentication), or SGD can perform the authentication using a specified repository (system authentication).

The Secure Global Desktop Authentication tab contains the following sections:

The Authentication Wizard

The Authentication Wizard guides you through the process of setting up authentication for SGD users. The number of steps shown in the Authentication Wizard depends on the choices you make as you work through the Wizard.

The available steps in the Authentication Wizard are as follows:

Token Generation

Usage: Select or deselect the check box.

Description

Whether to create authentication tokens for users so they can log in automatically to SGD.

To ensure that an authentication token cannot be intercepted and used by a third party, use secure Hypertext Transfer Protocol over Secure Socket Layer (HTTPS) web servers and enable SGD security services.

Array Manager: Secure Global Desktop Login Properties (Array-Wide) -> Generate Authentication Tokens

Command Line

Command option: --login-autotoken 1 | 0

Usage: Specify 1 (true) or 0 (false).

The following example enables generation of authentication tokens for users.

--login-autotoken 1

Password Cache

Usage: Select or deselect the check box.

Description

Whether to save the user name and password that the user types to log in to SGD in the password cache.

If you are using SecurID authentication, do not save the user name and password, as SecurID passwords cannot be reused.

SGD cannot store the user names and passwords of users authenticated with third‐party authentication.

Array Manager: Application Launch Properties (Array-Wide) -> Authentication -> Save SGD Login Details in Cache

Command Line

Command option: --launch-savettapassword 1 | 0

Usage: Specify 1 (true) or 0 (false).

The following example saves user login details in the password cache.

--launch-savettapassword 1

Third-Party Authentication

Usage: Select or deselect the check box.

Description

Select the check box to enable third-party authentication.

This attribute enables you to give access to SGD to users who have been authenticated by a third-party mechanism, such as web server authentication.

Array Manager: Secure Global Desktop Login Properties (Array-Wide) -> External Authentication -> Use Third Party Authentication

Command Line

Command option: --login-thirdparty 1 | 0

Usage: Specify 1 (true) or 0 (false).

The following example disables third-party authentication.

--login-thirdparty 0

System Authentication

Usage: Select or deselect the check box.

Description

Specifies that user authentication is done by the SGD server. Selecting this option enables the Wizard screens for system authentication settings.

Command Line

There is no command line equivalent for this attribute.

Search Local Repository

Usage: Select or deselect the check box.

Description

This attribute specifies a search method used by SGD to determine the identity and user profile of a user who has been authenticated by a third-party authentication mechanism.

This search method searches for the user identity in the local repository and then uses the matching user profile.

If additional search methods are selected, the search methods are used in the order shown. However, third-party authentication does not support ambiguous users and so the first match found is used.

If the searches do not produce a match, the standard login page is displayed and the user must log in to SGD in the normal way.

Array Manager: Secure Global Desktop Login Properties (Array-Wide) -> User Identity Mapping -> Search ENS for Matching Person

Command Line

Command option: --login-thirdparty-ens 1 | 0

Usage: Specify 1 (true) or 0 (false).

In the following example, searching the local repository for a matching user profile is disabled.

--login-thirdparty-ens 0

Search LDAP Repository

Usage: Select or deselect the check box.

Description

Specifies that the LDAP repository is searched to find the user identity for a user who has been authenticated by a third-party authentication mechanism.

The search method used is defined by the Use Default LDAP Profile or Use Closest Matching LDAP Profile attribute.

Command Line

There is no command line equivalent for this attribute.

Use Default Third-Party Identity

Usage: Select or deselect the check box.

Description

This attribute specifies a search method used by SGD to determine the identity and user profile of a user who has been authenticated by a third-party authentication mechanism.

This search method does not perform a search. The user identity is the third-party user name. The third-party user profile, System Objects/Third Party Profile, is used.

If additional search methods are selected, the search methods are used in the order shown. However, third-party authentication does not support ambiguous users and so the first match found is used.

If the searches do not produce a match, the standard login page is displayed and the user must log in to SGD in the normal way.

Array Manager: Secure Global Desktop Login Properties (Array-Wide) -> User Identity Mapping -> Use Default Profile

Command Line

Command option: --login-thirdparty-noens 1 | 0

Usage: Specify 1 (true) or 0 (false).

In the following example, using the default user profile is disabled.

--login-thirdparty-noens 0

Use Default LDAP Profile

Usage: Select the option.

Description

This attribute specifies a search method used by SGD to determine the identity and user profile of a user who has been authenticated by a third-party authentication mechanism.

This search method searches for the user identity in an LDAP repository and then uses the default LDAP user profile, System Objects/LDAP Profile.

If additional search methods are selected, the search methods are used in the order shown. However, third-party authentication does not support ambiguous users and so the first match found is used.

If the searches do not produce a match, the standard login page is displayed and the user must log in to SGD in the normal way.

Array Manager: Secure Global Desktop Login Properties (Array-Wide) -> User Identity Mapping -> Search LDAP and Use LDAP Profile

Command Line

Command option: --login-ldap-thirdparty-profile 1 | 0

Usage: Specify 1 (true) or 0 (false).

In the following example, searching LDAP and using the default LDAP profile is disabled.

--login-ldap-thirdparty-profile 0

Use Closest Matching LDAP Profile

Usage: Select the option.

Description

This attribute specifies a search method used by SGD to determine the identity and user profile of a user who has been authenticated by a third-party authentication mechanism.

This search method searches for the user identity in an LDAP repository and then uses the closest matching user profile in the local repository, allowing for differences between the LDAP and SGD naming systems.

SGD searches for the following until a match is found:

  • A user profile with the same name as the LDAP person object.

    For example, if the LDAP person object is cn=Emma Rald,cn=Sales,dc=Indigo Insurance,dc=com, SGD searches the local repository for dc=com/dc=Indigo Insurance/cn=Sales/cn=Emma Rald.

  • A user profile in the same organizational unit as the LDAP person object but with the name cn=LDAP Profile.

    For example, dc=com/dc=Indigo Insurance/cn=Sales/cn=LDAP Profile.

  • A user profile in any parent organizational unit with the name cn=LDAP Profile.

    For example, dc=com/dc=Indigo Insurance/cn=LDAP Profile.

  • If there is no match, the profile object System Objects/LDAP Profile is used for the user profile.
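The search order above can be written out as code. The following Python is an added example, not part of the SGD documentation or product; the function names, the sample repository and the sample users are constructed for illustration, and profile names are assumed to match by exact string comparison. It also lists parent containers above the one shown in the page's example, on the reading that "any parent organizational unit" means every level up to the top.

```python
# Added example (not from the SGD documentation). Names are illustrative and
# matching is assumed to be an exact string comparison.
FALLBACK_PROFILE = "System Objects/LDAP Profile"


def split_dn(dn):
    """Split an LDAP DN into its components, keeping backslash-escaped commas."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return [p for p in parts if p]


def ldap_dn_to_sgd_name(dn):
    """Reverse the component order and join with '/', as in the page's example."""
    return "/".join(reversed(split_dn(dn)))


def candidate_profiles(dn):
    """Return the profile names tried, in order, for one LDAP person object."""
    components = list(reversed(split_dn(dn)))      # most general component first
    if len(components) < 2:
        raise ValueError("DN has no container: %r" % dn)
    candidates = ["/".join(components)]             # same name as the person object
    containers = components[:-1]                    # drop the person's own component
    while containers:                               # same container, then each parent
        candidates.append("/".join(containers + ["cn=LDAP Profile"]))
        containers = containers[:-1]
    candidates.append(FALLBACK_PROFILE)             # used when nothing else matches
    return candidates


def resolve_profile(dn, local_repository):
    """Return the first candidate present in the local repository."""
    for name in candidate_profiles(dn):
        if name == FALLBACK_PROFILE or name in local_repository:
            return name
    return FALLBACK_PROFILE


def profile_assignments(dns, local_repository):
    """Group users by the profile they resolve to, to show how far each one reaches."""
    assignments = {}
    for dn in dns:
        assignments.setdefault(resolve_profile(dn, local_repository), []).append(dn)
    return assignments


# Constructed sample data: two profiles in the local repository, three LDAP users.
SAMPLE_REPOSITORY = {
    "dc=com/dc=Indigo Insurance/cn=Sales/cn=Emma Rald",
    "dc=com/dc=Indigo Insurance/cn=LDAP Profile",
}
SAMPLE_USERS = [
    "cn=Emma Rald,cn=Sales,dc=Indigo Insurance,dc=com",
    "cn=Sam Teal,cn=Finance,dc=Indigo Insurance,dc=com",
    "cn=Kim Grey,cn=Staff,dc=Example,dc=org",
]

if __name__ == "__main__":
    for profile, users in profile_assignments(SAMPLE_USERS, SAMPLE_REPOSITORY).items():
        print(profile)
        for user in users:
            print("    " + user)
```

A cn=LDAP Profile object placed high in the hierarchy becomes the profile of every LDAP user beneath it that has no closer match, so review what such a profile grants before relying on it.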

If additional search methods are selected, the search methods are used in the order shown. However, third-party authentication does not support ambiguous users and so the first match found is used.

If the searches do not produce a match, the standard login page is displayed and the user must log in to SGD in the normal way.

Array Manager: Secure Global Desktop Login Properties (Array-Wide) -> User Identity Mapping -> Search LDAP and Use Closest ENS Match

Command Line

Command option: --login-ldap-thirdparty-ens 1 | 0

Usage: Specify 1 (true) or 0 (false).

In the following example, searching LDAP and using the closest matching LDAP profile is disabled.

--login-ldap-thirdparty-ens 0

LDAP/Active Directory

Usage: Select or deselect the check box.

Description

Specifies that an LDAP directory server or Active Directory server is used for authentication.

Selecting this option enables the Wizard screen where you can type in LDAP directory server or Active Directory server details.

Command Line

There is no command line equivalent for this attribute.

Unix

Usage: Select or deselect the check box.

Description

Enables UNIX authentication.

Selecting this option enables the Wizard screen where you can configure UNIX authentication settings.

Command Line

There is no command line equivalent for this attribute.

Authentication Token

Usage: Select or deselect the check box.

Description

Enables authentication using an authentication token.

Authentication using an authentication token can only be used when the SGD Client is operating in Integrated mode.

Array Manager: Secure Global Desktop Login Properties (Array-Wide) -> Authentication Token Login Authority

Command Line

Command option: --login-atla 1 | 0

Usage: Specify 1 (true) or 0 (false).

In the following example, authentication using an authentication token is disabled.

--login-atla 0

Windows Domain Controller

Usage: Select or deselect the check box.

Description

Enables authentication against a Windows domain controller.

Array Manager: Secure Global Desktop Login Properties (Array-Wide) -> NT Login Authority

Command Line

Command option: --login-nt 1 | 0

Usage: Specify 1 (true) or 0 (false).

In the following example, Windows Domain Controller authentication is disabled.

--login-nt 0

SecurID

Usage: Select or deselect the check box.

Description

Enables users with RSA SecurID tokens to log in to SGD.

Array Manager: Secure Global Desktop Login Properties (Array-Wide) -> SecurID Login Authority

Command Line

Command option: --login-securid 1 | 0

Usage: Specify 1 (true) or 0 (false).

In the following example, SecurID authentication is disabled.

--login-securid 0

Anonymous

Usage: Select or deselect the check box.

Description

Enables users to log in to SGD without supplying a user name and password.

Array Manager: Secure Global Desktop Login Properties (Array-Wide) -> Anonymous User Login Authority

Command Line

Command option: --login-anon 1 | 0

Usage: Specify 1 (true) or 0 (false).

In the following example, anonymous user authentication is disabled.

--login-anon 0

Search Unix User ID in Local Repository

Usage: Select or deselect the check box.

Description

Specifies a search method used to find the user profile for an authenticated UNIX system user. Select this attribute to search for the user identity in the local repository and use the matching user profile.

Array Manager: Secure Global Desktop Login Properties (Array-Wide) -> ENS Login Authority

Command Line

Command option: --login-ens 1 | 0

Usage: Specify 1 (true) or 0 (false).

In the following example, searching for the UNIX User ID in the local repository is enabled.

--login-ens 1

Search Unix Group ID in Local Repository

Usage: Select or deselect the check box.

Description

Specifies a search method used to find the user profile for an authenticated UNIX system user. Select this attribute to use the UNIX user identity and search for a user profile in the local repository that matches the user’s UNIX Group ID.

Array Manager: Secure Global Desktop Login Properties (Array-Wide) -> UNIX Group Login Authority

Command Line

Command option: --login-unix-group 1 | 0

Usage: Specify 1 (true) or 0 (false).

In the following example, searching for the UNIX Group ID in the local repository is enabled.

--login-unix-group 1

Use Default User Profile

Usage: Select or deselect the check box.

Description

Specifies a search method used to find the user profile for an authenticated UNIX system user. Select this attribute to use the default UNIX user profile, System Objects/UNIX User Profile, for the authenticated user.

Array Manager: Secure Global Desktop Login Properties (Array-Wide) -> UNIX User Login Authority

Command Line

Command option: --login-unix-user 1 | 0

Usage: Specify 1 (true) or 0 (false).

In the following example, using the default UNIX user profile (System Objects/UNIX User Profile) is enabled.

--login-unix-user 1

Windows Domain

Usage: Type the Windows domain name in the field.

Description

The name of the domain controller used for Windows domain authentication.

Array Manager: Secure Global Desktop Login Properties (Array-Wide) -> Windows NT Domain

Command Line

Command option: --login-nt-domain dom

Usage: Replace dom with the name of the Windows domain controller used to authenticate users.

In the following example, users are authenticated with the Windows domain controller sales.indigo-insurance.com.

--login-nt-domain sales.indigo-insurance.com

Active Directory

Usage: Select the option.

Description

Enables Active Directory authentication.

Array Manager: Secure Global Desktop Login Properties (Array-Wide) -> Active Directory Login Authority

Command Line

Command option: --login-ad 1 | 0

Usage: Specify 1 (true) or 0 (false).

In the following example, Active Directory authentication is enabled.

--login-ad 1

LDAP

Usage: Select the LDAP option.

Description

Enables LDAP authentication.

Array Manager: Secure Global Desktop Login Properties (Array-Wide) -> LDAP Login Authority

Command Line

Command option: --login-ldap 1 | 0

Usage: Specify 1 (true) or 0 (false).

In the following example, LDAP authentication is enabled.

--login-ldap 1

URLs

Usage: Type the uniform resource locators (URLs) in the field. Type each separate URL on a line and press the Return key.

Description

The locations of the LDAP directory servers or Active Directory servers used for the following authentication mechanisms.

  • LDAP authentication

  • Third-party authentication (Search LDAP Repository options)

  • Active Directory authentication

If you use an LDAP directory for authentication, you can use SGD Directory Services Integration (DSI). DSI enables you to use an LDAP version 3 directory instead of the local repository for holding user information. Using DSI means you do not need to mirror your LDAP organization in the local repository.

See the LDAP Assignments for more information about using DSI.

Array Manager: Secure Global Desktop Login Properties (Array-Wide) -> LDAP Server -> URL

LDAP Authentication

For LDAP authentication or third-party authentication, type in a list of URLs.

The URLs are used in the order they are listed. If the first LDAP directory server listed is unavailable, SGD tries the next one in the list.

Each URL has the form ldap://server:port/searchroot. Each of these options is defined as follows:

  • Server. The Domain Name System (DNS) name of the LDAP directory server.

  • Port. The Transmission Control Protocol (TCP) port that the LDAP directory server listens on for connections. You can omit this, and the preceding ":", to use the default port.

  • Searchroot. The position in the LDAP directory structure from where the LDAP repository starts searching for matching users. For example, dc=indigo-insurance,dc=com.

Use an ldaps:// URL if your LDAP directory server uses Secure Sockets Layer (SSL) connections. Extra configuration is required for SSL connections. See How to Enable LDAP Authentication for more information about securing connections to LDAP directory servers.

Active Directory Authentication

For an Active Directory repository, type in the URL of an Active Directory domain in the form ad://domain. For example, ad://east.indigo-insurance.com.

The URL must start ad://. Only type one domain.
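The URL forms described above can be checked before they are entered. The following Python is an added example, not part of the SGD documentation or product; the function names, finding codes and the host sydney.indigo-insurance.com are constructed for illustration. It parses each URL into the server, port and search root the page names, and reports lists in which failover would move from an SSL connection to a non-SSL one.

```python
# Added example (not from the SGD documentation). Function names and finding
# codes are illustrative.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}   # standard LDAP and LDAP-over-SSL ports


def parse_directory_url(url):
    """Parse ldap://server:port/searchroot, ldaps://... or ad://domain."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme
    if scheme not in ("ldap", "ldaps", "ad"):
        raise ValueError("unsupported scheme in %r" % url)
    if not parts.hostname:
        raise ValueError("missing server or domain in %r" % url)
    port = parts.port                          # raises ValueError if not a valid port
    if scheme == "ad":
        # The page gives the form ad://domain: no port and no search root.
        if port is not None or parts.path.strip("/"):
            raise ValueError("ad:// takes a domain only: %r" % url)
        return {"scheme": scheme, "host": parts.hostname,
                "port": None, "searchroot": None}
    return {
        "scheme": scheme,
        "host": parts.hostname,
        "port": port if port is not None else DEFAULT_PORTS[scheme],
        "searchroot": parts.path.lstrip("/"),
    }


def audit_url_list(urls):
    """Return (code, position, message) findings for a list of URLs in use order.

    Position is 1-based; 0 means the finding concerns the list as a whole.
    """
    parsed = [parse_directory_url(u) for u in urls]
    schemes = [p["scheme"] for p in parsed]
    findings = []
    for position, entry in enumerate(parsed, start=1):
        if entry["scheme"] == "ldap":
            findings.append(("cleartext", position,
                             "%s:%d is contacted without SSL"
                             % (entry["host"], entry["port"])))
    if "ldap" in schemes and "ldaps" in schemes:
        # URLs are tried in order, so an outage can change the transport used.
        findings.append(("mixed-transport", 0,
                         "failover between entries switches between SSL and non-SSL"))
    if schemes.count("ad") > 1:
        findings.append(("ad-single-domain", 0,
                         "only one ad:// domain may be given"))
    return findings


# Constructed sample list: the second host and its port are made up.
SAMPLE_URLS = [
    "ldaps://melbourne.indigo-insurance.com/dc=indigo-insurance,dc=com",
    "ldap://sydney.indigo-insurance.com:3890/dc=indigo-insurance,dc=com",
]

if __name__ == "__main__":
    for code, position, message in audit_url_list(SAMPLE_URLS):
        print(code, position, message)
```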

Command Line

Command option: --login-ldap-url url

Usage: Replace url with the URLs of one or more LDAP directory servers.

In the following example, the URL of an LDAP directory server is specified.

--login-ldap-url "ldap://melbourne.indigo-insurance.com/dc=indigo-insurance,dc=com"

User Name and Password

Usage: Type the user name and password in the fields.

Description

The user name and password of a user that has privileges to search an LDAP directory server or Active Directory server. This is not required for some LDAP directory servers.

For LDAP authentication or third-party authentication, type the distinguished name of a user, such as cn=Bill Orange,cn=Users,dc=indigo-insurance,dc=com.

For Active Directory authentication, type a user principal name such as orange@indigo-insurance.com.



Note - For security reasons, the password is not displayed, even if it has been previously set.



Array Manager: Secure Global Desktop Login Properties (Array-Wide) -> LDAP Server -> Username

Array Manager: Secure Global Desktop Login Properties (Array-Wide) -> LDAP Server -> Password

Command Line

From the command line, use the tarantella passcache new --ldap command.

Command option: tarantella passcache new --ldap --resuser resuser --respass respass

Usage: Replace resuser and respass with the user name and password.

The following example specifies a user name (test1) and password (test2) for searching an LDAP directory server.

tarantella passcache new --ldap --resuser test1 --respass test2

Connection Security

Usage: Select the required option. If the SSL option is selected, an option for using client certificates is enabled.

Description

The mechanism used to secure the connection to an Active Directory server.

The supported mechanisms are Kerberos and SSL. If SSL is selected, client certificates can also be used for extra security.

The Kerberos option is selected by default.

Array Manager: Secure Global Desktop Login Properties (Array-Wide) -> Active Directory -> Use Certificates

Command Line

Command option: --tarantella-config-ad-usessl 1 | 0

Usage: Specify 1 to use SSL, or 0 to use Kerberos. The default setting is 0.

In the following example, the Kerberos protocol is used to authenticate the connection to an Active Directory server.

--tarantella-config-ad-usessl 0

Command option: --login-ldap-pki-enabled 1 | 0

Usage: Specify 1 (true) or 0 (false). This attribute is only used if SSL connections are enabled.

In the following example, client certificates are used to authenticate the SSL connection to an Active Directory server.

--tarantella-config-ad-usessl 1
--login-ldap-pki-enabled 1

Active Directory Base Domain

Usage: Type a domain name in the field.

Description

The domain that SGD uses for Active Directory authentication if users only supply a partial domain when they log in.

For example, if the base domain is set to indigo-insurance.com and a user logs in with the user name rouge@west, SGD tries to authenticate rouge@west.indigo-insurance.com.

Array Manager: Secure Global Desktop Login Properties (Array-Wide) -> Active Directory -> Base Domain

Command Line

Command option: --login-ad-base-domain dom

Usage: Replace dom with the base domain name to use for Active Directory authentication.

In the following example, a base domain of indigo-insurance.com is specified.

--login-ad-base-domain indigo-insurance.com

Active Directory Default Domain

Usage: Type a domain name in the field.

Description

The domain that SGD uses for Active Directory authentication if users do not supply a domain when they log in.

For example, if the default domain is set to east.indigo-insurance.com and a user logs in with the user name rouge, SGD tries to authenticate rouge@east.indigo-insurance.com.

Array Manager: Secure Global Desktop Login Properties (Array-Wide) -> Active Directory -> Default Domain

Command Line

Command option: --login-ad-default-domain dom

Usage: Replace dom with the default domain name to use for Active Directory authentication.

In the following example, a default domain of west.indigo-insurance.com is specified.

--login-ad-default-domain west.indigo-insurance.com
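Several settings on this tab only make sense in combination: SecurID with the password cache, client certificates with SSL, third-party authentication with its search methods, and token generation with HTTPS. The following Python is an added example, not part of the SGD documentation or tooling; it reads settings written in the same form as the examples on this page, treats any setting that is not listed as 0 (an assumption, not the product's defaults), and the function names and finding codes are constructed for illustration.

```python
# Added example (not from the SGD documentation). Function names and finding
# codes are illustrative; unlisted settings are assumed to be 0.
import shlex

# The four search methods described for third-party authentication.
THIRD_PARTY_SEARCH_METHODS = (
    "login-thirdparty-ens",
    "login-ldap-thirdparty-profile",
    "login-ldap-thirdparty-ens",
    "login-thirdparty-noens",
)


def parse_options(text):
    """Parse '--name value' pairs, one or more per line, into a dict."""
    tokens = shlex.split(text, comments=True)
    if len(tokens) % 2:
        raise ValueError("expected '--name value' pairs")
    settings = {}
    for name, value in zip(tokens[0::2], tokens[1::2]):
        if not name.startswith("--"):
            raise ValueError("not an option name: %r" % name)
        settings[name[2:]] = value
    return settings


def audit_settings(settings):
    """Return (code, message) findings for combinations this page warns about."""
    def on(name):
        return settings.get(name, "0") == "1"

    findings = []
    if on("login-securid") and on("launch-savettapassword"):
        findings.append(("securid-password-cached",
                         "SecurID passwords cannot be reused; do not save login details"))
    if on("login-ldap-pki-enabled") and not on("tarantella-config-ad-usessl"):
        findings.append(("client-cert-unused",
                         "client certificates are only used when SSL is selected"))
    if on("login-thirdparty") and not any(on(m) for m in THIRD_PARTY_SEARCH_METHODS):
        findings.append(("thirdparty-no-search-method",
                         "no search can match, so users get the standard login page"))
    if on("login-autotoken"):
        findings.append(("token-needs-https",
                         "confirm HTTPS web servers and SGD security services are in use"))
    if on("login-anon"):
        findings.append(("anonymous-login",
                         "users can log in without a user name and password"))
    return findings


# Constructed sample: a settings list that trips every check ...
WEAK_SETTINGS = """
--login-securid 1
--launch-savettapassword 1
--login-thirdparty 1
--login-thirdparty-ens 0
--login-thirdparty-noens 0
--tarantella-config-ad-usessl 0
--login-ldap-pki-enabled 1
--login-autotoken 1
--login-anon 1
"""

# ... and the same list with each combination corrected.
CORRECTED_SETTINGS = """
--login-securid 1
--launch-savettapassword 0
--login-thirdparty 1
--login-thirdparty-ens 1
--tarantella-config-ad-usessl 1
--login-ldap-pki-enabled 1
--login-autotoken 0
--login-anon 0
"""

if __name__ == "__main__":
    for code, message in audit_settings(parse_options(WEAK_SETTINGS)):
        print("%-28s %s" % (code, message))
```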


Application Authentication Tab

Settings on the Application Authentication tab control the user experience when starting applications.

From the command line, use the tarantella config list command to list these settings, and the tarantella config edit command to edit these settings.

Changes to these attributes take effect immediately.

This tab contains the following sections:

Password Cache Usage

Usage: Select or deselect the check box.

Description

Whether to try the password the user typed for the SGD server, if it is stored in the password cache, as the password for the application server.

SGD server passwords might be stored in the cache if some applications are configured to run on the SGD host, or if Password Cache is selected.

This attribute can be overridden by an application server object’s Password Cache Usage attribute.

Array Manager: Application Launch Properties (Array-Wide) -> Authentication -> Try Secure Global Desktop Password if Cached

Command Line

Command option: --launch-trycachedpassword 1 | 0

Usage: Specify 1 (true) or 0 (false).

The following example uses the SGD password stored in the password cache when authenticating to an application server.

--launch-trycachedpassword 1

Action When Password Expired

Usage: Select an option.

Description

The action to take if the user’s password has expired on the application server.

The command line options and their Administration Console equivalents are shown in the following table.


Administration Console    Command Line    Description
Authentication Dialog     dialog          Show an SGD authentication dialog.
Aged Password Handler     manual          Show a terminal window, where the user can change their password.
Launch Failure            none            Take no further action. Treat as a startup failure.

For Windows applications that use the Microsoft Remote Desktop Protocol (RDP), it is the Terminal Server that handles the authentication process. No information is returned to SGD indicating whether authentication succeeds or fails. This means that once SGD has cached a user name and password for the Windows application server, SGD never displays the authentication dialog again unless the user holds down the Shift key when they click an application’s link, or an Administrator deletes the user’s entry from the password cache.

Array Manager: Application Launch Properties (Array-Wide) -> If Password Has Expired

Command Line

Command option: --launch-expiredpassword manual | dialog | none

Usage: Specify an option.

In the following example, the user can change their password using a terminal window.

--launch-expiredpassword manual

Smart Card Authentication

Usage: Select or deselect the check box.

Description

Enable users to log in to a Microsoft Windows application server with a smart card.

Array Manager: Application Launch Properties (Array-Wide) -> Authentication -> Allow Smart Card Authentication

Command Line

Command option: --launch-allowsmartcard 1 | 0

Usage: Specify 1 (true) or 0 (false).

The following example enables users to log in using a smart card.

--launch-allowsmartcard 1

Dialog Display

Usage: Select or deselect the check boxes.

Description

Controls when the application server’s authentication dialog is displayed. The check boxes are inter-related, enabling you to select from three possible options.

The command line options and their Administration Console equivalents are shown in the following table.


Administration Console                                           Command Line    Description
On Shift-Click (selected), On Password Problem (selected)        user            Show the authentication dialog if the user holds down the Shift key when they click an application’s link, or if there is a password problem.
On Shift-Click (deselected), On Password Problem (selected)      system          Only show the authentication dialog when there is a password problem.
On Shift-Click (deselected), On Password Problem (deselected)    none            Never show the authentication dialog.

For Windows applications that use the Microsoft RDP protocol, it is the Terminal Server that handles the authentication process. No information is returned to SGD indicating whether authentication succeeds or fails. This means that once SGD has cached a user name and password for the Windows application server, SGD never displays the authentication dialog again unless the user holds down the Shift key when they click an application’s link, or an Administrator deletes the user’s entry from the password cache.

Array Manager: Application Launch Properties (Array-Wide) -> Authentication Dialog

Command Line

Command option: --launch-showauthdialog user | system | none

Usage: Specify an option.

In the following example, the application server’s authentication dialog is shown if you hold down the Shift key and click a link to start an application, or if there is a problem with the password.

--launch-showauthdialog user

“Save Password” Box

Usage: Select or deselect the check boxes.

Description

Two attributes that control the initial state of the Save Password check box in the application server authentication dialog and whether users can change it.

If users cannot change the setting, the Initially Checked attribute determines whether users can save passwords in the application server password cache.

Array Manager: Application Launch Properties (Array-Wide) -> Save Password

Command Line

Command option: --launch-savepassword-initial checked | cleared

Command option: --launch-savepassword-state enabled | disabled

Usage: Specify a valid option.

In the following example, the initial state of the Save Password check box is selected. Users can change this setting.

--launch-savepassword-initial checked
--launch-savepassword-state enabled

“Always Use Smart Card” Box

Usage: Select or deselect the check boxes.

Description

Two attributes that control the initial state of the Always Use Smart Card check box in the application server authentication dialog box and whether users can change it.

If users cannot change the setting, the Initially Checked attribute determines whether the user’s decision to always use smart card authentication is cached.

Array Manager: Application Launch Properties (Array-Wide) -> Always Use Smart Card

Command Line

Command option: --launch-alwayssmartcard-initial checked | cleared

Command option: --launch-alwayssmartcard-state enabled | disabled

Usage: Specify a valid option.

In the following example, the initial state of the Always Use Smart Card check box is selected. Users can change this setting.

--launch-alwayssmartcard-initial checked
--launch-alwayssmartcard-state enabled

Display Delay

Usage: Enter a time period, measured in seconds, in the field.

Description

The delay in seconds before showing the Application Launch dialog to users.

Array Manager: Application Launch Properties (Array-Wide) -> Launch Dialog

Command Line

Command option: --launch-showdialogafter secs

Usage: Replace secs with the delay, measured in seconds.

In the following example, the Application Launch dialog is displayed after two seconds.

--launch-showdialogafter 2

“Launch Details” Pane

Usage: Select or deselect the check boxes.

Description

Attributes that control the initial display state of the Launch Details area of the Application Launch dialog, whether users can change it and whether to show the Launch Details area if an application startup fails.

If users cannot change the setting, the Showed by Default attribute determines whether the users see the application launch details.

Array Manager: Application Launch Properties (Array-Wide) -> Launch Details

Array Manager: Application Launch Properties (Array-Wide) -> If Launch Fails

Command Line

Command option: --launch-details-initial hidden | shown

Command option: --launch-details-state enabled | disabled

Command option: --launch-details-showonerror 1 | 0

Usage: Specify a valid option.

In the following example, the initial state of the Launch Details area is hidden. Users can change this setting. The Launch Details area is shown if the application fails to start.

--launch-details-initial hidden
--launch-details-state enabled
--launch-details-showonerror 1


Communication Tab

Settings on the Communication tab control connections between the client device, the SGD server, and application servers. They also control the resumability behavior for application sessions.

From the command line, use the tarantella config list command to list these settings, and the tarantella config edit command to edit these settings.

This tab contains the following sections:

Unencrypted Connections Port

Usage: Type a port number in the field.

Description

The TCP port number used for unencrypted connections between client devices and SGD servers.

Open this port in your firewall to enable connections from users who have standard connections. Standard connections are connections that do not use SSL.

You must restart every SGD server in the array for changes to this attribute to take effect.

The default is TCP port 3144.

Array Manager: Array Properties (Array-Wide) -> Port Numbers (Unencrypted Connections)

Command Line

Command option: --array-port-unencrypted tcp-port

Usage: Replace tcp-port with the port number to use for unencrypted connections.

In the following example, TCP port 3144 is used for unencrypted connections.

--array-port-unencrypted 3144

Encrypted Connections Port

Usage: Type a port number in the field.

Description

The TCP port number used for encrypted connections between client devices and SGD servers.

Open this port in your firewall to enable connections from users who have secure (SSL-based) connections to SGD.

You must restart every SGD server in the array for changes to this attribute to take effect.

The default is TCP port 5307.

Array Manager: Array Properties (Array-Wide) -> Port Numbers (Encrypted Connections)

Command Line

Command option: --array-port-encrypted tcp-port

Usage: Replace tcp-port with the port number to use for encrypted connections.

In the following example, TCP port 5307 is used for encrypted connections.

--array-port-encrypted 5307

AIP Keepalive Frequency

Usage: Type a time period, measured in seconds, in the field.

Description

Determines how often a keepalive message is sent to client devices during application sessions. The default value is 100 seconds.

Some Hypertext Transfer Protocol (HTTP) proxy servers close a connection if there is no activity on it. Using a keepalive ensures that a connection stays open.

Set this to 0 to disable keepalive messages.

This attribute is also used to keep open connections between the SGD Client and the SGD server for client drive mapping.

Changes to this attribute take effect immediately.

Array Manager: Emulator Session Properties (Array-Wide) -> AIP Keepalive

Command Line

Command option: --sessions-aipkeepalive secs

Usage: Replace secs with the keepalive time period, measured in seconds.

In the following example, a keepalive message is sent to the client device every 100 seconds.

--sessions-aipkeepalive 100

Timeout for User Session Resumability

Usage: Type a timeout value, measured in minutes, in the field.

Description

For applications configured to be resumable during the user session, the length of time, in minutes, for which a suspended application session is guaranteed to be resumable if the connection to SGD is lost. Note that if the user logs out, the application sessions end. See the Application Resumability attribute.

After this period, the SGD server ends the session.

You can override this setting using the Application Resumability: Timeout attribute of an application.



Note - If an application is terminated because the SGD Client exits unexpectedly, the effective timeout is the configured timeout plus 20 minutes.



Changes to this attribute take effect immediately.

Array Manager: Emulator Session Properties (Array-Wide) -> Resumability Timeout -> Webtop Session

Command Line

Command option: --sessions-timeout-session mins

Usage: Replace mins with the timeout value, measured in minutes.

In the following example, the application session is resumable for 1440 minutes (24 hours).

--sessions-timeout-session 1440

Timeout for General Resumability

Usage: Type a timeout value, measured in minutes, in the field.

Description

For applications configured to be generally resumable, the length of time, in minutes, for which a suspended application session is guaranteed to be resumable after the user logs out or the connection to SGD is lost. See the Application Resumability attribute.

After this period, the SGD server ends the session.

You can override this setting using the Application Resumability: Timeout attribute of an application.



Note - If an application is terminated because the SGD Client exits unexpectedly, the effective timeout is the configured timeout plus 20 minutes.



Changes to this attribute take effect immediately.

Array Manager: Emulator Session Properties (Array-Wide) -> Resumability Timeout -> Always

Command Line

Command option: --sessions-timeout-always mins

Usage: Replace mins with the timeout value, measured in minutes.

In the following example, the application session is resumable for 11500 minutes.

--sessions-timeout-always 11500

Resource Synchronization Service

Usage: Select or deselect the check box.

Description

Whether to enable replication of resources for the array.

If enabled, synchronization starts at a time determined by the Daily Resource Synchronization Time for each SGD server in the array.

Resource synchronization is enabled by default.

Changes to this attribute take effect immediately.

Array Manager: Array Properties (Array-Wide) -> Enable Resource Synchronization

Command Line

Command option: --array-resourcesync 1 | 0

Usage: Specify 1 (true) or 0 (false).

The following example disables resource synchronization for the array.

--array-resourcesync 0


Client Device Tab

Attributes on the Client Device tab are settings for the user’s client device. This tab controls the use of client device features for applications displayed through SGD.

From the command line, use the tarantella config list command to list these settings, and the tarantella config edit command to edit these settings.

This tab contains the following sections:

Client Drive Mapping

Usage: Select or deselect the check box.

Description

Whether to enable client drive mapping (CDM) for the array.

To use client drive mapping, the Sun Secure Global Desktop Enhancement Module (SGD Enhancement Module) must be installed and running on the application server.

If you enable drive mapping, CDM services only become available when you restart all SGD servers in the array. To manually start CDM services without restarting the array, run the tarantella start cdm command on all SGD servers in the array.

If you disable drive mapping, the CDM processes only stop when you restart all SGD servers in the array. To manually stop CDM services without restarting the array, run the tarantella stop cdm command on all SGD servers in the array.

Changes to this attribute only take effect for new user sessions.

Array Manager: Array Properties (Array-Wide) -> Client Drive Mapping -> Let Users Access Client Drives

Command Line

Command option: --array-cdm 1 | 0

Usage: Specify 1 (true) or 0 (false).

The following example enables CDM for the array.

--array-cdm 1

Windows Internet Name Service (WINS)

Usage: Select or deselect the check box.

Description

Whether to enable the Windows Internet Name Service (WINS) to improve client drive access performance. Without WINS, performance can be limited by known problems with Microsoft Windows networking.

WINS services use User Datagram Protocol (UDP) port 137 on the SGD server.

Only enable WINS if either of the following is true:

  • Your Microsoft Windows application servers are on the same subnet as an SGD server in the array

  • Your Microsoft Windows application servers list an SGD server in the array as a WINS server

Changes to this attribute take effect on an SGD server the next time the server starts.

Array Manager: Array Properties (Array-Wide) -> Client Drive Mapping -> Use WINS for Better Performance

Command Line

Command option: --array-cdm-wins 1 | 0

Usage: Specify 1 (true) or 0 (false).

The following example disables WINS services for the array.

--array-cdm-wins 0

Fallback Drive Search

Usage: Select a drive letter from the Start At list and select a Direction option.

Description

Used for client drives that cannot be mapped using the configured drive letter, because that drive letter is already in use. This attribute specifies the drive letter to start searching from and the direction to search. The first unused drive letter is used to map the client drive.

The Start At list is used to specify the drive letter to start searching from. The Direction option specifies whether the alphabetic search is done backwards or forwards.

Changes to this attribute take effect for new user sessions.

Array Manager: Array Properties (Array-Wide) -> Client Drive Mapping -> Fallback Drive

Command Line

Command option: --array-cdm-fallbackdrive letter-direction

Usage: Replace letter-direction with a drive letter to start from and a search direction.

Allowed values are of the form [a-zA-Z][+-]. For example, V- to start at drive V and search alphabetically backwards, or f+ to search forwards from drive F. Drive letters are case-insensitive.

The default setting when CDM is enabled is to start at drive V and search backwards.

The following example starts at drive T and searches backwards.

--array-cdm-fallbackdrive t-
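The following added example (not part of the SGD software or its documentation) validates a letter-direction value and models the search described above, so you can predict which letter a client drive receives when its configured letter is taken. The function names and sample drive lists are constructed, and the search is assumed to stop at A or Z rather than wrap around.

```python
import re
import string
from typing import Dict, Iterable, List, Optional, Tuple

# Documented value form: one drive letter followed by + (forwards) or - (backwards).
_SPEC = re.compile(r"([A-Za-z])([+-])")


def parse_fallback(spec: str) -> Tuple[str, int]:
    """Return (start letter, step) for a --array-cdm-fallbackdrive value."""
    m = _SPEC.fullmatch(spec)
    if m is None:
        raise ValueError(f"not of the form [a-zA-Z][+-]: {spec!r}")
    # Drive letters are case-insensitive, so normalise to upper case.
    return m.group(1).upper(), 1 if m.group(2) == "+" else -1


def first_unused(spec: str, in_use: Iterable[str]) -> Optional[str]:
    """First unused drive letter, searching from the start letter in the given direction."""
    start, step = parse_fallback(spec)
    taken = {d.upper() for d in in_use}
    i = string.ascii_uppercase.index(start)
    while 0 <= i < 26:
        if string.ascii_uppercase[i] not in taken:
            return string.ascii_uppercase[i]
        i += step
    return None  # assumption: the search ends at A or Z without wrapping


def map_client_drives(requests: List[Tuple[str, str]],
                      in_use: Iterable[str],
                      spec: str = "V-") -> Dict[str, Optional[str]]:
    """Assign a letter to each (client drive, configured letter) request.

    The configured letter is used when it is free; otherwise the fallback
    search picks the first unused letter. None means no letter was available.
    """
    taken = {d.upper() for d in in_use}
    result: Dict[str, Optional[str]] = {}
    for client_drive, wanted in requests:
        letter: Optional[str] = wanted.upper()
        if letter in taken:
            letter = first_unused(spec, taken)
        if letter is not None:
            taken.add(letter)
        result[client_drive] = letter
    return result


if __name__ == "__main__":
    # Constructed sample: letters already in use on the application server.
    server_drives = {"C", "D", "H"}
    wanted = [("client C:", "H"), ("client D:", "K"), ("client E:", "H")]
    for drive, letter in map_client_drives(wanted, server_drives, "V-").items():
        print(f"{drive} -> {letter}")
```

Any script or policy that refers to a client drive by its configured letter should allow for the fallback letter shown by this kind of check.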

Windows Audio

Usage: Select or deselect the check box.

Description

Whether to enable Windows audio services for the array.

To play audio for Windows applications, audio redirection must be enabled on the Windows Terminal Server.

Changes to this attribute only take effect for new user sessions.

Array Manager: Array Properties (Array-Wide) -> Audio -> Enable Windows Audio Service

Command Line

Command option: --array-audio 1 | 0

Usage: Specify 1 (true) or 0 (false).

The following example disables Windows audio services for the array.

--array-audio 0

Windows Audio Sound Quality

Array Manager: Array Properties (Array-Wide) -> Audio -> Windows Audio Sound Quality

Usage: Select an option.

Description

The sample rate of the audio data.

Adjusting the audio quality increases or decreases the amount of audio data sent.

By default, SGD uses Medium Quality Audio.

The sample rates are as follows:

  • Low Quality Audio – 8 kHz.

  • Medium Quality Audio – 22.05 kHz.

  • High Quality Audio – Same as Medium Quality Audio. This is a Terminal Services restriction.

Command Line

Command option: --array-audio-quality low | medium | high

Usage: Specify an audio quality setting.

The following example specifies medium quality audio for Windows audio services.

--array-audio-quality medium

Unix Audio

Usage: Select or deselect the check box.

Description

Whether to enable UNIX platform audio services for the array.

UNIX platform audio is only available for X applications. The audio module of the SGD Enhancement Module must be installed and running on the application server.

Changes to this attribute only take effect for new user sessions.

Array Manager: Array Properties (Array-Wide) -> Audio -> Enable UNIX Audio Service

Command Line

Command option: --array-unixaudio 1 | 0

Usage: Specify 1 (true) or 0 (false).

The following example disables UNIX platform audio services for the array.

--array-unixaudio 0

Unix Audio Sound Quality

Usage: Select an option.

Description

The sample rate of the audio data.

Adjusting the audio quality increases or decreases the amount of audio data sent.

By default, SGD uses Medium Quality Audio.

The sample rates are as follows:

  • Low Quality Audio – 8 kHz

  • Medium Quality Audio – 22.05 kHz

  • High Quality Audio – 44.1 kHz

Array Manager: Array Properties (Array-Wide) -> Audio -> UNIX Audio Sound Quality

Command Line

Command option: --array-unixaudio-quality low | medium | high

Usage: Specify an audio quality setting.

The following example specifies medium quality audio for UNIX platform audio services.

--array-unixaudio-quality medium

Smart Card

Usage: Select or deselect the check box.

Description

Whether to enable smart card services for the array.

To use smart cards, smart card device redirection must be enabled on the Windows Terminal Server.

Changes to this attribute only take effect for new user sessions.

Array Manager: Array Properties (Array-Wide) -> Smart Card -> Enable Smart Card Services

Command Line

Command option: --array-scard 1 | 0

Usage: Specify 1 (true) or 0 (false).

The following example enables smart card services for the array.

--array-scard 1

Serial Port Mapping

Usage: Select or deselect the check box.

Description

Whether to enable access to serial ports for the array.

By default, access to serial ports is enabled.

Access to serial ports for individual users can be enabled and disabled using the Serial Port Mapping attribute for organization, organizational unit or user profile objects.

Changes to this attribute only take effect for new user sessions.

Array Manager: Array Properties (Array-Wide) -> Serial Port -> Enable Serial Port Mapping

Command Line

Command option: --array-serialport 1 | 0

Usage: Specify 1 (true) or 0 (false).

The following example enables access to serial ports for the array.

--array-serialport 1

Copy and Paste

Usage: Select or deselect the check box.

Description

Whether to allow copy and paste operations for Windows and X application sessions for the array.

By default, copy and paste is allowed.

Copy and paste operations for individual users can be enabled and disabled using the Copy and Paste attribute for organization, organizational unit or user profile objects.

Changes to this attribute only take effect for new application sessions.

Array Manager: Array Properties (Array-Wide) -> Clipboard -> Enable Copy and Paste

Command Line

Command option: --array-clipboard-enabled 1 | 0

Usage: Specify 1 (true) or 0 (false).

The following example enables copy and paste for Windows and X application sessions.

--array-clipboard-enabled 1

Client’s Clipboard Security Level

Usage: Type a number in the field.

Description

The security level for the SGD Client.

Used to control copy and paste operations between Windows or X application sessions and applications running on the client device.

The security level can be any positive integer. The higher the number, the higher the security level. The default security level is 3.

Changes to this attribute only take effect for new application sessions.

Array Manager: Array Properties (Array-Wide) -> Clipboard -> Client Security Level

Command Line

Command option: --array-clipboard-clientlevel num

Usage: Replace num with a positive integer that specifies the security level.

The following example specifies a client clipboard security level of 3.

--array-clipboard-clientlevel 3

Time Zone Map File

Usage: Type the file name in the field.

Description

A file that contains mappings between UNIX platform client device and Windows application server time zone names.

Command Line

Command option: --xpe-tzmapfile filename

Usage: Replace filename with the path to the time zone map file.

In the following example, a time zone map file is specified.

--xpe-tzmapfile "%%INSTALLDIR%%/etc/data/timezonemap.txt"

Editing

Usage: Select or deselect the check box.

Description

Whether to allow users to edit their own profiles for use with the SGD Client.

By default, profile editing is enabled.

If profile editing is disabled, it is disabled for all users, including SGD Administrators. However, SGD Administrators can still create and edit profiles using the Profile Editor application.

Profile editing for individual users can be enabled and disabled using the Client Profile Editing attribute for organization, organizational unit, or user profile objects.

Changes to this attribute only take effect for new user sessions.

Array Manager: Array Properties (Array-Wide) -> Profile Editing -> Enable User Profile Editing

Command Line

Command option: --array-editprofile 1 | 0

Usage: Specify 1 (true) or 0 (false).

The following example enables user profile editing for the array.

--array-editprofile 1


Printing Tab

Attributes on the Printing tab control printing from Windows applications that use RDP.

The settings on this tab are default settings, which can be overridden by the following attributes:

From the command line, use the tarantella config list command to list these settings, and the tarantella config edit command to edit these settings.

Client Printing

Usage: Select an option.

Description

Controls the client printers users can print to from Windows applications.

By default, users can print to all their client printers.

If you select the No Printer option, you can still use an SGD Portable Document Format (PDF) printer.

Changes to this attribute take effect for new user sessions.

If SGD is configured so you can only print to the client’s default printer and you want to print to a different printer, log out of SGD. Then change the default printer and log in to SGD again.

Array Manager: Printing Properties (Array-Wide) -> Printing

Command Line

Command option: --printing-mapprinters 2 | 1 | 0

Usage: Specify one of the following options:

  • 2 – Allow users to print to all client printers

  • 1 – Allow users to print to the client’s default printer

  • 0 – No client printers available

The following example enables the user to print to all client printers from a Windows application.

--printing-mapprinters 2

Universal PDF Printer

Usage: Select or deselect the check box.

Description

Enables users to print from a Windows application using the SGD Universal PDF printer.

When a user prints to the Universal PDF printer, the print job is converted into a PDF file and is printed on the user’s client device.

This is enabled by default.

Changes to this attribute take effect for new user sessions.

Array Manager: Printing Properties (Array-Wide) -> PDF Printing -> Let Users Print to a PDF Printer

Command Line

Command option: --printing-pdfenabled 1 | 0

Usage: Specify 1 (true) or 0 (false).

The following example enables printing from Windows applications to the SGD Universal PDF printer.

--printing-pdfenabled 1

Make Universal PDF Printer the Default

Usage: Select or deselect the check box.

Description

Sets the SGD Universal PDF printer as the client’s default printer when printing from a Windows application.

When a user prints to the Universal PDF printer, the print job is converted into a PDF file and is printed on the user’s client device.

This attribute is only available if the Universal PDF printer is enabled.

By default, the Universal PDF printer is not the default printer.

Changes to this attribute take effect for new user sessions.

Array Manager: Printing Properties (Array-Wide) -> PDF Printing -> Make PDF Printer the Default for Windows 2000/3

Command Line

Command option: --printing-pdfisdefault 1 | 0

Usage: Specify 1 (true) or 0 (false).

In the following example, the SGD Universal PDF printer is set to be the client’s default printer.

--printing-pdfisdefault 1

Universal PDF Viewer

Usage: Select or deselect the check box.

Description

Enables users to print from a Windows application using the SGD Universal PDF Viewer printer.

When a user prints to the Universal PDF Viewer printer, the print job is converted into a PDF file and can be viewed, saved, or printed on the user’s client device.

This attribute is enabled by default.

Changes to this attribute take effect for new user sessions.

Array Manager: Printing Properties (Array-Wide) -> PDF Printing -> Let Users Print to a PDF Local File

Command Line

Command option: --printing-pdfviewerenabled 1 | 0

Usage: Specify 1 (true) or 0 (false).

The following example enables printing from Windows applications to the SGD Universal PDF Viewer printer.

--printing-pdfviewerenabled 1

Make Universal PDF Viewer the Default

Usage: Select or deselect the check box.

Description

Sets the SGD Universal PDF Viewer printer as the client’s default printer when printing from a Windows application.

When a user prints to the Universal PDF Viewer printer, the print job is converted into a PDF file and can be viewed, saved or printed on the user’s client device.

This attribute is only available if Universal PDF Viewer is enabled.

By default, the Universal PDF Viewer printer is not the default printer.

Changes to this attribute take effect for new user sessions.

Array Manager: Printing Properties (Array-Wide) -> PDF Printing -> Make PDF File Printer the Default for Windows 2000/3

Command Line

Command option: --printing-pdfviewerisdefault 1 | 0

Usage: Specify 1 (true) or 0 (false).

In the following example, the SGD Universal PDF Viewer printer is set to be the client’s default printer.

--printing-pdfviewerisdefault 1

Postscript Printer Driver

Usage: Type the printer driver name in the field.

Description

The name of the printer driver to use for SGD PDF printing. This printer driver must be installed on every Windows application server used with SGD.

The printer driver must be a PostScript™ printer driver.

The default is HP Color LaserJet 8500 PS.

The name of the printer driver must match the name of the printer driver installed on the Windows application server exactly. Pay particular attention to the use of capitals and spaces. The /opt/tarantella/etc/data/default.printerinfo.txt file contains all the common printer driver names, ordered by manufacturer. To avoid errors, copy and paste the driver name from this file.

Changes to this attribute take effect for new user sessions.

Array Manager: Printing Properties (Array-Wide) -> PDF Printing -> Driver Name

Command Line

Command option: --printing-pdfdriver driver_name

Usage: Replace driver_name with the PDF printer driver name.

In the following example, an HP Laserjet 4000 driver is used for PDF printing.

--printing-pdfdriver "HP Laserjet 4000 Series PS"


Performance Tab

Attributes on the Performance tab are used to specify the following load balancing settings:

From the command line, use the tarantella config list command to list these settings, and the tarantella config edit command to edit these settings.

Changes to these attributes take effect immediately.

Application Session Load Balancing

Usage: Choose an option.

Description

The algorithm used at application start time to choose the SGD server in the array that hosts the application session. In other words, the method used to choose where to run the Protocol Engine when a user starts an application.

Select the Server Hosting the User Session option to choose the SGD server in the array that is hosting the user session.

Array Manager: Load Balancing Properties (Array-Wide) -> Emulator Sessions -> Use Array Member With

Command Line

Command option: --sessions-loadbalancing-algorithm algorithm

Usage: Replace algorithm with the load balancing algorithm to use for application sessions.

The following algorithms are available:

  • Server Hosting the User Session – .../_beans/com.sco.tta.server.loadbalancing.tier2.LocalLoadBalancingPolicy

  • Least CPU Usage – .../_beans/com.sco.tta.server.loadbalancing.tier2.CpuLoadBalancingPolicy

  • Fewest Application Sessions – .../_beans/com.sco.tta.server.loadbalancing.tier2.SessionLoadBalancingPolicy

The following example specifies that the SGD server hosting the user session is used to host the application session.

--sessions-loadbalancing-algorithm \
.../_beans/com.sco.tta.server.loadbalancing.tier2.LocalLoadBalancingPolicy

Application Load Balancing

Usage: Select an option.

Description

The default algorithm SGD uses to choose the best application server to run the application. The server is selected from those defined on the application object’s Hosting Application Servers tab.

This attribute is only used if the value of the application object’s Application Load Balancing attribute is not set to Override Global Setting.

Select one of the following settings:

  • Most Free Memory. Choose the application server with the most free memory.

  • Least CPU Usage. Choose the application server with the most central processing unit (CPU) idle time.

  • Fewest Applications. Choose the application server that is running the fewest application sessions through SGD. This is the default setting.



Note - To use the Most Free Memory and Least CPU Usage algorithms, you must install the SGD Enhancement Module on the application server.



Array Manager: Load Balancing Properties (Array-Wide) -> Applications -> Use Application Server With

Command Line

Command option: --launch-loadbalancing-algorithm cpu | memory | sessions

Usage: Specify a valid option.

In the following example, the application server with the fewest application sessions is used to run the application.

--launch-loadbalancing-algorithm sessions


Security Tab

Attributes on the Security tab are global security attributes which apply to all SGD servers in the array.

From the command line, use the tarantella config list command to list these settings, and the tarantella config edit command to edit these settings.

New Password Encryption Key

Usage: Select or deselect the check box.

Description

Whether to generate a new encryption key for the password cache when an SGD server is restarted.

If a new encryption key is generated, the existing password cache is preserved and encrypted with the new key.

Array Manager: Security Properties (Array-Wide) -> Password Cache -> Generate New Encryption Key on Restart

Command Line

Command option: --security-newkeyonrestart 1 | 0

Usage: Specify 1 (true) or 0 (false).

In the following example, a new encryption key for the password cache is not generated when an SGD server is restarted.

--security-newkeyonrestart 0

Timeout for Print Name Mapping

Usage: Type a timeout value, measured in seconds, in the field.

Description

The period of time an entry in the print name mapping table is retained. This table is used to ensure that users can print from an application and then exit the application, without losing the print job.

The timer starts counting when the user closes the last application on the application server.

Set the timeout value to be greater than the maximum delay between choosing to print from an application and the printer responding.

If you change this value, all existing expiry timeouts are reset. Changes take effect immediately.

To flush the table, type in 0 and click Apply. You can then set the timeout to the required value.

To display the table, use the tarantella print status --namemapping command.

Array Manager: Security Properties (Array-Wide) -> Print Name Mapping -> Expire After

Command Line

Command option: --security-printmappings-timeout seconds

Usage: Replace seconds with the timeout value, measured in seconds.

In the following example, the print name mapping table is retained for 1800 seconds (30 minutes).

--security-printmappings-timeout 1800

Connection Definitions

Usage: Select or deselect the check box.

Description

Whether to take note of the Connections attribute when a user logs in to SGD.

Select the check box, or set the command line option to 1, if you are using the Connections attribute for user profile, organizational unit, or organization objects.

Deselect the check box if SGD security services are not enabled.

If SGD security services are enabled, connections are secure unless the check box is selected and some connections are defined otherwise.

Deselecting the check box enables users to log in more quickly.

Changes to this attribute take effect immediately.

Array Manager: Security Properties (Array-Wide) -> Connection Types -> Apply When Users Log In

Command Line

Command option: --security-applyconnections 1 | 0

Usage: Specify 1 (true) or 0 (false).

The following example disables checking of connections for SGD logins.

--security-applyconnections 0

X Authorization for X Display

Usage: Select or deselect the check box.

Description

Whether to secure all SGD X displays using X authorization. This prevents users from accessing X displays they are not authorized to access.

X authorization is enabled by default.

To use X authorization, xauth must be installed on the application server.

If X authorization is enabled, SGD checks the standard locations for the xauth binary. Extra configuration might be needed if the binary is in a nonstandard location.

Changes to this attribute take effect immediately.



Note - This attribute only secures the X display between the SGD server and the application server.



Array Manager: Security Properties (Array-Wide) -> X Displays -> Use X Authorization (xauth)

Command Line

Command option: --security-xsecurity 1 | 0

Usage: Specify 1 (true) or 0 (false).

The following example enables X authorization.

--security-xsecurity 1


Monitoring Tab

Settings on the Monitoring tab are used to configure system message log filters and enable billing services.

From the command line, use the tarantella config list command to list these settings, and the tarantella config edit command to edit these settings.

Log Filter

Usage: Type log filter definitions in the field. Press the Return key to add new entries.

Description

This attribute specifies which diagnostic messages are logged and a destination file or handler for log messages.

The attribute contains multiple values, each of the form:

component/subcomponent/severity:destination

Use the wildcard (*) to match multiple components, subcomponents and severities.

Valid destinations are a file name or the name of a plug-in log handler.

File names can include the placeholder %%PID%%, which is substituted with a process ID.

Changes to this attribute take effect immediately.

Array Manager: Array Properties (Array-Wide) -> Log Filter

Command Line

Command option: --array-logfilter filter...

Usage: Replace filter... with a list of log filter definitions. Separate each filter definition with a space. Quote any filters that contain wildcards (*), to stop your shell from expanding them.

The following example specifies a log filter that stores all warnings and error messages for the SGD server to a .log file.

--array-logfilter "*/*/*error:jserver%%PID%%_error.log"
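The following added example (not part of the SGD software or its documentation) parses log filter definitions of the form component/subcomponent/severity:destination, reports which destinations a given message reaches, and builds a shell-safe --array-logfilter argument. The component and severity names, the second sample filter and the function names are constructed, and the wildcard is assumed to behave like a shell glob.

```python
import fnmatch
import re
import shlex
from typing import Iterable, List, NamedTuple


class LogFilter(NamedTuple):
    component: str
    subcomponent: str
    severity: str
    destination: str


# Assumption: selector fields are alphanumeric names that may contain "*".
_FIELD = re.compile(r"[A-Za-z0-9_*]+")

# Constructed sample: the page's example filter plus one narrower filter.
SAMPLE_FILTERS = [
    "*/*/*error:jserver%%PID%%_error.log",
    "server/login/*:login%%PID%%.log",
]


def parse_filter(definition: str) -> LogFilter:
    """Split 'component/subcomponent/severity:destination' into its four parts."""
    selector, sep, destination = definition.partition(":")
    if not sep or not destination:
        raise ValueError(f"no ':destination' in {definition!r}")
    fields = selector.split("/")
    if len(fields) != 3:
        raise ValueError(f"expected three '/'-separated fields in {selector!r}")
    for field in fields:
        if not _FIELD.fullmatch(field):
            raise ValueError(f"bad selector field {field!r} in {definition!r}")
    return LogFilter(fields[0], fields[1], fields[2], destination)


def matches(flt: LogFilter, component: str, subcomponent: str, severity: str) -> bool:
    """True if all three labels of a message match the filter's patterns.

    Assumption: "*" matches any run of characters, including none.
    """
    return (fnmatch.fnmatchcase(component, flt.component)
            and fnmatch.fnmatchcase(subcomponent, flt.subcomponent)
            and fnmatch.fnmatchcase(severity, flt.severity))


def destinations(filters: Iterable[LogFilter], component: str,
                 subcomponent: str, severity: str, pid: int) -> List[str]:
    """Destinations that receive the message, with %%PID%% replaced by the process ID."""
    out: List[str] = []
    for flt in filters:
        if matches(flt, component, subcomponent, severity):
            dest = flt.destination.replace("%%PID%%", str(pid))
            if dest not in out:
                out.append(dest)
    return out


def logfilter_option(definitions: Iterable[str]) -> str:
    """Build the --array-logfilter argument, quoting filters the shell would expand."""
    checked = list(definitions)
    for definition in checked:
        parse_filter(definition)  # reject malformed definitions before use
    return "--array-logfilter " + " ".join(shlex.quote(d) for d in checked)


if __name__ == "__main__":
    filters = [parse_filter(d) for d in SAMPLE_FILTERS]
    # Constructed messages: (component, subcomponent, severity).
    for msg in [("server", "login", "fatalerror"),
                ("server", "printing", "error"),
                ("audit", "session", "info")]:
        print(msg, "->", destinations(filters, *msg, pid=4242))
    print(logfilter_option(SAMPLE_FILTERS))
```

An empty result for a message means that no configured filter covers it, which is the gap to look for when checking that security-relevant events are being logged.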

Billing Service

Usage: Select or deselect the check box.

Description

Whether to enable billing services for the array.

This might use significant additional disk space on SGD servers in the array.

If enabled, you can use tarantella query billing to analyze the billing logs.

You must restart an SGD server for billing services to start.

Array Manager: Array Properties (Array-Wide) -> Enable Billing Services

Command Line

Command option: --array-billingservices 1 | 0

Usage: Specify 1 (true) or 0 (false).

The following example disables billing services for the array.

--array-billingservices 0


Licenses Tab

The Licenses tab consists of two sections as follows:

New License Key

Usage: Type a license key in the field.

Description

To add a license key, type or paste the key into the empty field. Click the Add button to validate and activate the key.

As you add license keys, SGD updates the information in the Licenses table.

If an invalid license key is entered, a validation error message is displayed.

Array Manager: Licenses Properties (Array-Wide) -> License Keys

Licenses Table

The Licenses table shows the number of user licenses and application licenses for the SGD array. The current usage of licenses is also shown.

The number of license keys is indicated in brackets at the top of the table.

Array Manager: Licenses Properties (Array-Wide) -> License Summary

The Licenses table includes the following columns:

Key

Lists the installed license keys for the SGD array.

To remove a license key, click the Delete link in the Licenses table.

As you remove license keys, SGD updates the information in the Licenses table.

If you remove all the license keys, SGD reverts to evaluation mode or expired evaluation mode, depending on how recently you installed the software.

You cannot log in to an SGD server when it is in expired evaluation mode.

To license a server when it is in expired evaluation mode, you must either add a valid license key, using tarantella license add, or join the server to an array that is already fully licensed.

User

Shows the number of user licenses for each license key.

Subcolumns in the User column indicate the number of standard and secure user licenses.

The current number of user licenses being used is shown in the Current Use row of the table.

A user license is used when a user logs in and freed when the user logs out.

Application

Shows the number of application licenses for each license key.

Subcolumns in the Application column indicate the number of licenses for each application type: Windows, UNIX, AS/400, and Mainframe.

The current number of application licenses being used is shown in the Current Use row of the table.

An application license is used when a user starts the first application of one of the application types. The application license is freed when the last application of the same type terminates. A second application of the same type started by the same user does not use an additional license. Suspended applications use licenses.

Load Management

Indicates whether load management is active for each license key.

Command Line

From the command line, use the tarantella license commands to add and remove license keys and to show license status and license usage information. See The tarantella license Command.


Array Failover Tab

Attributes on the Array Failover tab are used to configure settings for array failover. Array failover is used when the primary SGD server in an array becomes unavailable.

From the command line, use the tarantella config list command to list these settings, and the tarantella config edit command to edit these settings.



Note - The Array Failover tab is not available in the current release. You can only configure these settings from the command line.



Enable Array Failover

Usage: Select or deselect the check box.

Description

Whether to enable array failover for the array. By default, array failover is disabled for SGD arrays.

Changes to this attribute take effect immediately.

Array Manager: No equivalent

Command Line

Command option: --array-failoverenabled 1 | 0

Usage: Specify 1 (true) or 0 (false).

The following example enables array failover for the SGD array.

--array-failoverenabled 1

Array Monitor Interval

Usage: Type a time period, measured in seconds, in the field.

Description

The length of time, in seconds, between operations used to monitor the array. The default value is 60 seconds.

This attribute is used with the Array Monitor Attempts attribute to determine the time period before array failover is started.

Changes to this attribute take effect immediately.

Array Manager: No equivalent

Command Line

Command option: --array-monitortime secs

Usage: Replace secs with the array monitor interval, measured in seconds.

The following example sets the array monitor interval to 30 seconds.

--array-monitortime 30

Array Monitor Attempts

Usage: Type a number in the field.

Description

The number of array monitoring operations that must fail before array failover is started. The default value is 10.

This attribute is used with the Array Monitor Interval attribute to determine the time period before array failover is started.

Changes to this attribute take effect immediately.

Array Manager: No equivalent

Command Line

Command option: --array-maxmonitors num

Usage: Replace num with the maximum number of array monitor attempts.

The following example sets the maximum number of array monitor attempts to 5.

--array-maxmonitors 5


Caches Tab

The Caches tab is where you can view, edit, and manage the caches used by SGD for authentication.

The Caches tab includes the following tabs:

  • Passwords Tab
  • Tokens Tab


Passwords Tab

Usage: Use the Password Cache table to manage entries in the password cache.

Description

The Passwords tab lists all password cache entries for the SGD array.

Use the New button to add a password cache entry, using the Create New Password Cache Entry page.

Use the Edit button to edit an entry in the password cache, or the Delete button to remove an entry from the password cache.

Use the Reload button to refresh the Password Cache table.

Use the Search field to search for entries in the Password Cache table. You can use the “*” wildcard in your search string. Typing a search string of name is equivalent to searching for “*name*” and returns any match of the search string. The number of results returned by a search is limited to 150, by default.

Adding Entries to the Password Cache

When you create a new password cache entry, it is important that you enter a valid name in the User Identity or Server fields on the Create New Password Cache Entry page. The Administration Console supports several ways that you can enter a name in the User Identity or Server field, as follows:

  • Browse button. If the selected User Identity Type option is Local or LDAP/Active Directory, you can use the Browse button next to the User Identity or Server field to browse for object names. Using the Browse button in this way avoids errors when typing in object names.

  • Full Name. Type the full name into the field. For example, you can type in the fully qualified name for an application server from the local repository as follows:

    .../_ens/o=appservers/cn=boston

  • Partial Name. Type a partial name, without the namespace prefix, in the field. Depending on the selected User Identity Type option, the Administration Console adds the relevant namespace prefix when the password cache entry is saved.

    For example, if you select UNIX (User/Groups) as the User Identity Type and type o=organization/cn=Indigo Jones in the field, the Administration Console creates the password cache entry using the name .../_user/o=organization/cn=Indigo Jones.

    The Administration Console adds the .../_user namespace prefix when the password cache entry is saved.

    The following table shows the namespace prefixes that the Administration Console adds for the selected User Identity Type option.


    User Identity Type           Namespace Prefix
    Local                        .../_ens
    UNIX (User/Groups)           .../_user
    Windows Domain Controller    .../_wns
    LDAP/Active Directory        .../service/sco/tta/ldapcache
    SecurID                      .../service/sco/tta/securid
    Anonymous                    None
    Third Party                  .../service/sco/tta/thirdparty

    If you specify a partial name in the Server field, the Administration Console adds the .../_ens/o=appservers namespace prefix when the password cache entry is saved.

LDAP names must be typed in using the SGD naming format. The following example shows a partial name for a user identity from an LDAP repository:

dc=com/dc=example/cn=indigo-jones

This name is converted to the correct LDAP format when the password cache entry is saved, as follows:

.../_service/sco/tta/ldapcache/cn=indigo-jones,dc=example,dc=com
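
The naming rules above can be applied in a script to check names before password cache entries are created, as in this added example (not SGD code; the function and constant names are hypothetical). It covers the Local, UNIX, Windows Domain Controller and LDAP/Active Directory identity types and the Server field, takes the LDAP prefix from the converted name shown above, and assumes name components contain no "/" or "," characters.

```python
# Added example: applies the naming rules described in this section.
# Not SGD code; all function and constant names are hypothetical.

# LDAP prefix as it appears in the converted name in this section.
USER_PREFIXES = {
    "Local": ".../_ens",
    "UNIX (User/Groups)": ".../_user",
    "Windows Domain Controller": ".../_wns",
    "LDAP/Active Directory": ".../_service/sco/tta/ldapcache",
}
SERVER_PREFIX = ".../_ens/o=appservers"


def _components(partial):
    """Split an SGD-format name on '/' and check each part is attr=value."""
    parts = partial.strip("/").split("/")
    for part in parts:
        attr, sep, value = part.partition("=")
        if not (attr.strip() and sep and value.strip()):
            raise ValueError(f"invalid name component: {part!r}")
    return parts


def qualify_user_identity(identity_type, name):
    """Return the full name for a value typed in the User Identity field."""
    if name.startswith(".../"):  # already a full name, keep as typed
        return name
    if identity_type not in USER_PREFIXES:
        raise ValueError(f"unsupported identity type: {identity_type!r}")
    parts = _components(name)
    prefix = USER_PREFIXES[identity_type]
    if identity_type == "LDAP/Active Directory":
        # SGD format lists the root first; LDAP lists it last, comma-separated.
        return prefix + "/" + ",".join(reversed(parts))
    return prefix + "/" + "/".join(parts)


def qualify_server(name):
    """Return the full name for a value typed in the Server field."""
    if name.startswith(".../"):
        return name
    return SERVER_PREFIX + "/" + "/".join(_components(name))
```
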

Command Line

On the command line, use the tarantella passcache commands to list, add, and delete password cache entries. See The tarantella passcache Command.


Tokens Tab

Usage: Use the Token Cache table to manage entries in the token cache.

Description

The Tokens tab is used to manage tokens used for the authentication token authentication mechanism. This authentication mechanism is used when the SGD Client is in Integrated mode.

The Tokens tab lists all token cache entries for the SGD array.

Use the Delete button to delete a token from the token cache.

Use the Reload button to refresh the Token Cache table.

Use the Search field to search for entries in the Token Cache table. You can use the “*” wildcard in your search string. Typing a search string of name is equivalent to searching for “*name*” and returns any match of the search string. The number of results returned by a search is limited to 150, by default.

Command Line

On the command line, use the tarantella tokencache commands to list and delete token cache entries. See The tarantella tokencache Command.