Oracle Secure Global Desktop Administration Guide for Version 4.6

Integrated Mode

This section describes how you can access SGD from the desktop Start or Launch Menu on the client device. Operating SGD in this way is called Integrated mode.

When users first connect to an SGD server, they usually start a browser and go to the http://server.example.com/sgd URL, where server.example.com is the name of an SGD server. They can then log in to SGD and display a webtop. However, once users have logged in, the SGD Client can be configured to use Integrated mode. When the SGD Client operates in Integrated mode, the links for starting applications are displayed in the desktop Start or Launch Menu, instead of on the webtop. This means that users can run remote applications in the same way as local applications. Depending on how you configure Start Menu integration, there might be no need to use a browser.

Use Integrated mode if your organization prefers not to use Java technology on the client device. See also Using SGD Without Java Technology.

The desktop systems that are supported for Integrated mode are listed in the Oracle Secure Global Desktop 4.6 Platform Support and Release Notes available at http://docs.sun.com/app/docs/doc/821-1928.

Working in Integrated Mode

When the SGD Client is in Integrated mode, the user logs in to SGD by clicking the Login link on their desktop Start or Launch Menu.

Figure 6-1 Logging In From the Desktop Start Menu

Screen capture showing Integrated mode log in option on the desktop Start or Launch Menu.

If the user has logged in to more than one SGD server, there is a Login link for each server in the Start or Launch Menu.


Note - To use Integrated mode, you must log in using the Start or Launch Menu. Integrated mode is not available if you start a browser and log in.


Once the user has logged in to SGD, the Start or Launch Menu is updated with the links for the applications they can run through SGD.

Figure 6-2 Application Links in the Desktop Start Menu

Screen capture showing Integrated mode application links in the desktop Start or Launch Menu.

To start an application, the user clicks the application’s link on the Start or Launch Menu. To start another instance of the application, the user clicks the link again.

Working in Integrated mode simplifies session management. Unlike the webtop, there are no controls for suspending and resuming applications. Instead, when the user logs out, the SGD Client automatically suspends or ends all running application sessions. When the user logs in again, the SGD Client automatically resumes all suspended sessions.

In Integrated mode, users cannot start an application with a different user name and password by pressing and holding down the Shift key when clicking the application’s link. See Users Can Start Applications With Different User Names and Passwords.

Printing is simplified too. Printing is always “on” and print jobs go straight to the printer the user has selected. Unlike the webtop, print jobs cannot be managed individually.

If the user needs to display a webtop, for example to be able to edit their profile, resume a suspended application, or manage printing, they can click the Webtop link on the Start Menu. The user is not prompted to log in, as they already have a user session. The webtop is displayed in their default browser.

If the user has arranged any of their webtop content to display in groups, those groups are also used in the Start or Launch Menu. If the group is configured to hide webtop content, the content does not display in the Start or Launch Menu.

To log out of SGD, the user clicks the Logout link on the Start or Launch Menu.

Setting Up the SGD Client for Integrated Mode

Setting up Integrated mode for the SGD Client involves the following configuration steps:

  1. Enable at least one other authentication mechanism.

    The user must log in and be authenticated by another authentication mechanism so that SGD can store a user identity and user profile when the user generates an authentication token.

    You can use third-party authentication, or any of the other system authentication mechanisms, apart from anonymous user authentication.

    See Secure Global Desktop Authentication.

  2. Configure SGD for authentication token authentication.

    In Integrated mode, if you configure the SGD Client to log users in automatically to SGD, an authentication token is used to authenticate the user.

    See Authentication Token Authentication.

  3. Enable client profile editing.

    Client profile editing must be enabled, to allow users to generate authentication tokens. You can enable profile editing for all users, or just for users that require authentication tokens.

    See How to Configure Client Profile Editing for Users.

  4. Configure the client profile for Integrated mode.

    Integrated mode must be enabled in the client profile. Other settings in the client profile also affect how Integrated mode works.

    See Configuring the Client Profile for Integrated Mode.

  5. Applications might have to be configured to give users the best experience.

    See Configuring Applications for Integrated Mode.

Authentication Token Authentication

Authentication token authentication enables users to log in to SGD if the SGD Client submits a valid authentication token.

Authentication token authentication can only be used when the SGD Client is operating in Integrated mode and a user has an authentication token.

Authentication token authentication is disabled by default.

How Authentication Token Authentication Works

When the SGD Client starts, it submits an authentication token to SGD. The user does not enter a user name or password.

If the authentication token is invalid or the SGD Client does not submit a token, the user is not logged in. The SGD login screen is displayed in a browser, so that the user can log in using another system authentication mechanism.

If the SGD Client submits a valid authentication token, the user is logged in.

User Identity and User Profile

The SGD server stores the authentication token against the identity of the user when they generated their authentication token. This means the user identity and user profile used are those of the authentication mechanism that originally authenticated the user. See Chapter 2, User Authentication for details of the SGD authentication mechanisms.

Authentication Tokens and Security

When a user generates an authentication token and saves their client profile, the SGD server sends the authentication token to the SGD Client. The SGD Client stores the token in the profile cache on the client device. See About the Profile Cache.

To ensure an authentication token cannot be intercepted and used by a third party, use secure HTTP over Secure Sockets Layer (HTTPS) web servers and enable SGD security services.

When a user generates an authentication token, SGD maintains a record of the tokens issued in a token cache. SGD stores the authentication token using the current identity of the user when the token was generated.

When a user logs in with an authentication token, the authentication token enables SGD to “remember” the user’s original identity and user profile. All user sessions and application sessions are managed using the original user identity and user profile.

If the original login becomes invalid, for example because the UNIX system account is disabled or the password has expired, the user can still log in automatically if they have a valid token. However, they cannot run any applications using the invalid credentials.

How to Enable Authentication Token Authentication

  1. In the Administration Console, display the Secure Global Desktop Authentication Configuration Wizard.

    On the Global Settings -> Secure Global Desktop Authentication tab, click the Change Secure Global Desktop Authentication button.

  2. On the Third-Party/System Authentication step, ensure the System Authentication check box is selected.
  3. On the System Authentication - Repositories step, select the Authentication Token check box.
  4. On the Review Selections step, check your authentication configuration and click Finish.

    The Secure Global Desktop Authentication Configuration Wizard closes.

  5. On the Secure Global Desktop Authentication tab, select the Token Generation check box.
  6. Click Save.

Administering Authentication Tokens

SGD Administrators can use the Administration Console or the tarantella tokencache command to administer authentication tokens. The following administration tasks can be done:

If token generation is enabled, users can generate a new authentication token from the webtop.

How to View Authentication Tokens

You can view the entries in the token cache that belong to a particular user identity or user profile.

How to Delete Authentication Tokens

Deleting a token from the token cache makes the token stored on a client device invalid. If the SGD Client presents an invalid token, the user is prompted to log in with a user name and password. The user must then generate another authentication token if they want to log in automatically.

How to Disable Token Generation

Use this procedure to prevent SGD from issuing new authentication tokens. If authentication token authentication is still enabled, users with existing authentication tokens can still log in to SGD.

  1. In the Administration Console, go to the Global Settings -> Secure Global Desktop Authentication tab.

    Deselect the Token Generation check box and click Save.

  2. (Optional) On the command line, use the following command:
    $ tarantella config edit --login-autotoken 0

How to Generate a New Authentication Token

If a user needs to generate a new authentication token, they must edit their client profile.

  1. Click the Edit button in the Applications area of the webtop and then go to the Client Settings tab.
  2. Clear the Automatic Client Login box.
  3. Click Save.
  4. Check the Automatic Client Login box.
  5. Click Save.

    See Setting Up the SGD Client for Integrated Mode for more details about using an authentication token to log in to SGD.
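
The token rules from How Authentication Token Authentication Works, Authentication Tokens and Security, and the delete and disable tasks above, written as an added Python model; it is not Oracle's code or SGD's implementation. The class and method names, the identity alice, and the token format are assumptions made for illustration.

```python
import secrets

class TokenCacheModel:
    """Toy model of the token rules described on this page (assumed names)."""
    def __init__(self, token_auth_enabled, token_generation_enabled):
        self.token_auth_enabled = token_auth_enabled
        self.token_generation_enabled = token_generation_enabled
        self.cache = {}              # token -> identity that generated it
        self.valid_logins = set()    # identities whose original login still works

    def generate_token(self, identity):
        # A token is issued only to a user already authenticated by another
        # mechanism, and only while Token Generation is enabled.
        if not self.token_generation_enabled or identity not in self.valid_logins:
            return None
        token = secrets.token_hex(16)   # constructed value; real format unknown
        self.cache[token] = identity
        return token

    def client_login(self, token):
        # Outcome when the SGD Client starts and submits (or omits) a token.
        identity = self.cache.get(token) if self.token_auth_enabled else None
        if identity is None:
            return {"logged_in": False, "identity": None, "can_run_apps": False,
                    "next": "login screen in browser"}
        return {"logged_in": True, "identity": identity,
                "can_run_apps": identity in self.valid_logins, "next": None}

    def delete_tokens(self, identity):
        # Deleting cache entries invalidates the copies stored on client devices.
        doomed = [t for t, i in self.cache.items() if i == identity]
        for t in doomed:
            del self.cache[t]
        return len(doomed)

def offboarding_walkthrough():
    """Disable an account step by step and record what the token still allows."""
    sgd = TokenCacheModel(token_auth_enabled=True, token_generation_enabled=True)
    sgd.valid_logins.add("alice")           # hypothetical identity
    token = sgd.generate_token("alice")
    results = {"initial": sgd.client_login(token)}
    sgd.valid_logins.discard("alice")       # account disabled or password expired
    results["after_disable"] = sgd.client_login(token)
    sgd.token_generation_enabled = False    # stops new tokens only
    results["after_generation_off"] = sgd.client_login(token)
    results["deleted"] = sgd.delete_tokens("alice")
    results["after_delete"] = sgd.client_login(token)
    return results
```

In the walkthrough, disabling the original account or turning off Token Generation leaves the automatic login working; only deleting the token cache entry sends the client back to the login screen.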

Troubleshooting Automatic Logins

To troubleshoot problems with automatic logins, use the following log filters:

server/login/*:autologin%%PID%%.log
server/login/*:autologin%%PID%%.jsl
server/tokencache/*:autologin%%PID%%.log
server/tokencache/*:autologin%%PID%%.jsl

The server/login/* filter enables you to see when authentication tokens are used for authentication and when they fail.

The server/tokencache/* filter enables you to see errors with operations on the token cache, for example to see why a token is not added to the token cache.

See Using Log Filters to Troubleshoot Problems With an SGD Server for more information on configuring and using SGD log filters.

Configuring the Client Profile for Integrated Mode

The following settings in a client profile are applicable when using Integrated mode.

Setting / Description

Add Applications to Start Menu

    Enables Integrated mode.

    Causes the SGD Client to add icons to the user’s desktop Start or Launch Menu.

Automatic Client Login

    Enables automatic logins to SGD.

    If this is disabled, users must log in with a browser. This means they see a webtop and have applications in their desktop Start or Launch Menu.

    If this is enabled, an authentication token is generated when the client profile is saved. Only users can select this check box.

Connect on System Login

    If enabled, the SGD Client connects each time the user logs into the desktop system.

    If Automatic Client Login is also enabled, this gives users a single sign-on experience.

Proxy Settings

    Proxy server settings can be configured in the client profile itself or obtained from the user’s browser.

    Configuring the settings in the client profile itself reduces the need for a browser.

    See Configuring Client Proxy Settings for more details.

SGD Administrators can configure all these settings apart from the Automatic Client Login.

When configuring Integrated mode, ensure that the login URL in the client profile contains a fully qualified domain name.

All of the available client profile settings for Integrated mode can be configured by both SGD Administrators and users, except for the Automatic Client Login setting.

The Automatic Client Login setting enables automatic logins to SGD, and can only be configured by individual users. This is because when Automatic Client Login is first enabled, SGD generates a unique authentication token for the user when the client profile is saved. The authentication token is stored in the profile cache on the user’s client device. This means that users must be able to edit their client profiles, in order to generate an authentication token.

If a user logs in to different SGD servers, they must log in to each SGD server and edit their client profile.

If a user edits their client profile, they must log out of SGD and log in again for the changes to take effect.

To use automatic logins, users click the SGD Login link in their desktop Start menu. If the Connect on System Login check box in the client profile is selected, the SGD Client logs in automatically when a user logs in to their desktop.

Configuring Applications for Integrated Mode

For applications that are configured with a Window Type of Independent Window, closing the window might end or suspend the application session, depending on the setting of the application’s Window Close Action attribute.

In Integrated mode, there are no controls for suspending and resuming individual application instances. Applications that are configured to be always resumable are automatically suspended when you log out and resumed when you log in. In the Administration Console, application objects that are always resumable have an Application Resumability setting of General in the Launch tab.

While in Integrated mode, you can only resume a suspended session by displaying a webtop and using the session controls for the application.

You might also want to configure the Number of Instances attribute, to limit the number of instances of applications that users can run.