Oracle Secure Global Desktop Gateway Administration Guide for Version 4.6

How to Enable Authorized Access to the Reflection Service

  1. On the SGD Gateway host, log in as superuser (root).
  2. Export the certificate and private key for the reflection service.

    The certificate and private key for the reflection service are stored in the reflection service keystore, at /opt/SUNWsgdg/proxy/etc/keystore.reflection. This keystore is created automatically during installation of the SGD Gateway.

    By default, the reflection service keystore contains a single, self-signed certificate and key pair.

    1. Export the certificate for the reflection service.

      # /opt/SUNWsgdg/java/default/bin/keytool -exportcert \
      -alias server-name -rfc \
      -keystore /opt/SUNWsgdg/proxy/etc/keystore.reflection \
      -storepass "$(cat /opt/SUNWsgdg/etc/password)" \
      -file client.pem

      where server-name is the alias used for the reflection service certificate in the reflection keystore and client.pem is the file name of the exported certificate.

    2. Export the private key for the reflection service.

      Use the KeyManager application included with the SGD Gateway.

      # /opt/SUNWsgdg/java/default/bin/java \
      -jar /opt/SUNWsgdg/proxy/KeyManager.jar export \
      --keyfile client.key \
      --keystore /opt/SUNWsgdg/proxy/etc/keystore.reflection \
      --keyalias alias-name \
      --keypass "$(cat /opt/SUNWsgdg/etc/password)" \
      --storepass "$(cat /opt/SUNWsgdg/etc/password)"

      where alias-name is the alias used for the reflection service key in the reflection keystore and client.key is the file name of the exported key.

  3. Install the certificate and private key on the client device.

    The client device presents this certificate and private key to authenticate to the reflection service.

  4. Enable authorized access to the reflection service.

    On the SGD Gateway host, run the following command:

    # /opt/SUNWsgdg/bin/gateway config enable --services-reflection-auth

  5. (Optional) Change the interface and port used by the reflection service.

    The default binding used for authorized access to the reflection service is TCP port 82 on all interfaces. You can change this to another interface and a port that is not in use, as follows:

    # /opt/SUNWsgdg/bin/gateway config edit \
    --services-reflection-binding int:portnum

    where int is the interface, and portnum is the port number used by the reflection service.

  6. Restart the SGD Gateway.

    # /opt/SUNWsgdg/bin/gateway restart

  7. Connect to the reflection service from the client device, using the certificate and private key.

    $ curl --cert client.pem --key client.key -k -X GET https://gateway.example.com:82

    In this example, the curl command is used to access the home page of the reflection service at https://gateway.example.com:82, where gateway.example.com is the name of the SGD Gateway. The certificate and private key for the reflection service are client.pem and client.key. The -k option tells curl not to verify the server certificate presented by the reflection service, which by default is the self-signed certificate in the reflection keystore.

Using the Reflection Service

Use a client application to access the RESTful web services provided by the reflection service. Examples of suitable client applications include the following:

Alternatively, if you have your own client application that supports RESTful web services, you can use it to access the reflection service.

Note - You do not need to restart the SGD Gateway when you use the reflection service to change the configuration of the routing proxy.

Data can be returned from the reflection service in the following output formats:

About the RESTful Web Services

The following table lists the RESTful web services for the SGD Gateway reflection service.

Relative URI                              HTTP Request Method  Description
----------------------------------------  -------------------  -----------
/                                         GET                  Shows high-level information for the routing proxy, such as the uptime.
/service                                  GET                  Lists the available services.
                                                               A service represents an entry point from which the routing proxy creates incoming connections.
/service/Service-Id                       GET                  Lists information for a service, identified by Service-Id.
/service/Service-Id                       PUT                  Starts a service, identified by Service-Id.
/service/Service-Id                       DELETE               Stops a service, identified by Service-Id.
/client                                   GET                  Lists the available clients.
                                                               A client represents an exit point on which the routing proxy constructs outgoing connections.
/client/Client-Id                         GET                  Lists information for a client, identified by Client-Id.
/route                                    GET                  Lists the available routes.
                                                               A route represents a path through the routing proxy, from incoming connections through services to outgoing connections through clients.
/route/Route-Id                           GET                  Lists information for a route, identified by Route-Id.
/route/Route-Id                           PUT                  Starts a route, identified by Route-Id.
/route/Route-Id                           DELETE               Stops a route, identified by Route-Id.
/route/Route-Id/connection                GET                  Lists the connections for a specific route, identified by Route-Id.
/route/Route-Id/connection/Connection-Id  DELETE               Terminates a connection, identified by Connection-Id.
/connection                               GET                  Lists all currently running connections, for all routes.
/logging/level                            GET                  Shows the global logging level.
/logging/level/Log-Level                  PUT                  Sets the routing proxy's global logging level.
/logging/Package/level                    GET                  Shows the logging level for a specific component of the routing proxy.
/logging/Package/level/Log-Level          PUT                  Sets the logging level for a specific component of the routing proxy.

To access a RESTful web service, append the relative URI for the web service to the Uniform Resource Locator (URL) of the reflection service.

For example, to list the available routes for an SGD Gateway, gateway.example.com, append /route to the URL of the reflection service, as follows:

$ curl --cert client.pem --key client.key -k -X GET https://gateway.example.com:82/route

where client.pem and client.key are the certificate and private key for the reflection service. In this example, the client is authorized before accessing the reflection service.

Examples of Using the Reflection Service

All of the following examples use the curl command as a client application to access the reflection service.

The examples use authenticated access to the reflection service on an SGD Gateway called gateway.example.com. The client is authorized using a certificate, client.pem, and a private key, client.key.

To list the available services for the SGD Gateway:

$ curl --cert client.pem --key client.key -k \
-X GET https://gateway.example.com:82/service

To stop a route, specify the Route Id that the reflection service uses for the route:

$ curl --cert client.pem --key client.key -k \
-X GET https://gateway.example.com:82/route
Route Id  Route Uptime   Service Id  ...
0         21h18m20s743m  ssgd-route-service  ...
1         21h18m20s736m  shttp-ssl-service   ...
$ curl --cert client.pem --key client.key -k \
-X DELETE https://gateway.example.com:82/route/1

To set the global logging level to FINER:

$ curl --cert client.pem --key client.key -k \
-X PUT https://gateway.example.com:82/logging/level/FINER
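As an added example that is not part of the Oracle guide, the following Python client covers both the authorized connection set up in the procedure above and the GET and DELETE calls in this section: it presents client.pem and client.key, lists /route, parses the listing format shown above, and stops the route carrying a given Service Id. The host name gateway.example.com, port 82 and the certificate file names come from the guide; the function names, the sample listing and the cafile option (verifying the gateway's certificate instead of skipping verification as curl -k does) are assumptions.

```python
import http.client
import ssl

# Constructed sample of the guide's GET /route output, for offline testing of the parser.
SAMPLE_ROUTES = """\
Route Id  Route Uptime   Service Id  ...
0         21h18m20s743m  ssgd-route-service  ...
1         21h18m20s736m  shttp-ssl-service   ...
"""

def make_context(cert="client.pem", key="client.key", cafile=None):
    # Present the exported client certificate and key to the reflection service.
    # cafile=None mirrors `curl -k` (the gateway's self-signed certificate is not
    # verified); passing the exported gateway certificate as cafile verifies it instead.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.load_cert_chain(certfile=cert, keyfile=key)
    if cafile is None:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx

def call(host, method, uri, ctx, port=82):
    # One GET/PUT/DELETE request against the reflection service; returns (status, body).
    conn = http.client.HTTPSConnection(host, port, context=ctx)
    try:
        conn.request(method, uri)
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace")
    finally:
        conn.close()

def parse_routes(text):
    # Map Service Id -> Route Id from the tabular /route listing; the first line is the header.
    routes = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 3 and fields[0].isdigit():
            routes[fields[2]] = fields[0]
    return routes

def stop_route_for_service(host, service_id, ctx):
    # GET /route, find the route carrying service_id, then DELETE /route/Route-Id.
    status, body = call(host, "GET", "/route", ctx)
    if status != 200:
        raise RuntimeError("GET /route failed with HTTP %d" % status)
    rid = parse_routes(body).get(service_id)
    if rid is None:
        raise LookupError("no route listed for service %s" % service_id)
    return call(host, "DELETE", "/route/" + rid, ctx)
```

Calling stop_route_for_service("gateway.example.com", "shttp-ssl-service", make_context()) performs the two curl requests shown in the stop-a-route example.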