Oracle Secure Global Desktop Administration Guide for Version 4.6

SGD Web Server and Administration Console

This section contains information about the web server that is included with SGD and the SGD Administration Console.

This section includes the following topics:

Introducing the SGD Web Server

When you install SGD, the SGD web server is also installed. The SGD web server is preconfigured for use with SGD. The components included with the SGD web server are listed in the Oracle Secure Global Desktop 4.6 Platform Support and Release Notes available at http://docs.sun.com/app/docs/doc/821-1928.

If you have an existing web server on the SGD host, it is not affected by the SGD web server, because the SGD web server listens on a different port.

You can configure the SGD web server using standard Apache directives. See the Apache documentation for details.

You can control the SGD web server independently of the SGD server, using the tarantella start webserver, tarantella stop webserver, and tarantella restart webserver commands.

Securing the SGD Web Server

By default, the SGD web server is configured to be a secure HTTPS web server and to share the SGD server SSL certificate used for SGD security services.

Directory indexes are disabled by default for the SGD web server. This means that users cannot browse the directories on the SGD web server.

If you require enhanced security, a more secure version of the httpd.conf Apache configuration file used by the SGD web server is supplied. See The httpd.conf.secure File for more details about this file.

The httpd.conf.secure File

The httpd.conf.secure file is an Apache server configuration file that configures the SGD web server for enhanced security. The file is included with the SGD distribution, at /opt/tarantella/webserver/apache/apache-version/conf/httpd.conf.secure on the SGD host.

The httpd.conf.secure file provides the following additional security features, compared to the standard httpd.conf file used by the SGD web server:

To use httpd.conf.secure on an SGD server that has previously been secured, you must first disable security on the SGD server, before installing the httpd.conf.secure file. You can then enable security services for the SGD server, as described in Secure Connections to SGD Servers.


Caution - Do not use httpd.conf.secure if you have used the tarantella security enable command to configure security automatically on the SGD server.


Using the Administration Console

This section describes how to run the Administration Console. It also includes details of how to avoid some common problems when using the Administration Console.

Supported Browsers for the Administration Console

To display the Administration Console, you can use a supported browser. The browser must have the JavaScript programming language enabled. The supported browsers are listed in the Oracle Secure Global Desktop 4.6 Platform Support and Release Notes available at http://docs.sun.com/app/docs/doc/821-1928.


Caution - When using the Administration Console, do not use the browser’s Back button. Instead, use the Jump to Object View and Jump to Navigation View links, or the Object History list, to navigate through the Administration Console pages.


Starting the Administration Console

The Administration Console works best when you run it on the primary SGD server in the array.

You can start the Administration Console in the following ways:


Note - The Administration Console is for SGD Administrators only. To use the Administration Console you must log in as, or be logged in as, an SGD Administrator.


Deploying the Administration Console on Other Web Application Containers

The Administration Console is only supported when used with the SGD web server.

The Administration Console ships with a web application archive (WAR) file, sgdadmin.war. Using this file to redeploy the Administration Console on another web application server is not supported.

Avoiding SGD Datastore Update Problems

You can perform operations on the SGD datastore, such as creating new objects and editing object attributes, using the Administration Console from any SGD server in the array.

When you edit the SGD datastore, the changes you make are sent to the primary SGD server. The primary SGD server then replicates these changes to all secondary servers in the array.

By running the Administration Console from the primary SGD server, you can avoid problems due to the following:

Performing Array Operations Using the Administration Console

The following limitations apply when using the Administration Console to perform array operations, such as array joining or array detaching:

Administration Console Configuration Settings

The deployment descriptor for the Administration Console web application contains settings that control the operation of the Administration Console. The deployment descriptor is the following file:

/opt/tarantella/webserver/tomcat/tomcat-version/sgdadmin/WEB-INF/web.xml

This section describes the settings in the deployment descriptor that you might want to configure. Most of the settings are context parameters, contained in <context-param> elements. You must not change any other settings in the web.xml file.

When working with deployment descriptor settings, note the following:

Number of Search Results

The com.sun.tta.confmgr.DisplayLimit context parameter enables you to configure the maximum number of search results you can display in the Administration Console. The default is 150. If there are more results than the display limit, the Administration Console displays a message. Increasing the display limit can have an effect on performance. Set the display limit to 0 to see unlimited search results.

Synchronization Wait Period

The com.sun.tta.confmgr.ArraySyncPeriod context parameter is only used if you are running the Administration Console from a secondary server, and you create or edit objects in the SGD datastore. This parameter enables you to configure the period of time, in milliseconds, that the Administration Console waits for changes to be copied across the array before proceeding. The default value is 250. The Administration Console waits for twice this setting, a default of 0.5 seconds, before proceeding.

Searching and Displaying LDAP Data

The com.sun.tta.confmgr.LdapSearchTimeLimit context parameter enables you to configure the maximum time, in milliseconds, to allow for a search of a Lightweight Directory Access Protocol (LDAP) directory. The default is 0, which means the search time is unlimited. Only change this context parameter if you have particularly slow LDAP directory servers.

The following context parameters are used to filter the display of LDAP data, when you select Local + LDAP in the Repository list in the Administration Console:

These context parameters contain the definitions of what the Administration Console considers as LDAP containers, users, and groups. You might want to change these filters to improve performance, or to change the definition of these LDAP object types to match those used in your LDAP directory. To avoid inconsistencies, if you change a filter for the navigation tree, you must also change the filter used for the LDAP search.

Session Timeout

The session-timeout setting defines the period of time after which the user is logged out if there is no activity, meaning no HTTP requests, in the Administration Console. The default setting is 30 minutes, to ensure unattended Administration Console sessions are not left open indefinitely.


Note - The session-timeout setting is independent of the timeout attribute for inactive user sessions, tarantella-config-array-webtopsessionidletimeout.
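The following audit script is an added example, not part of the SGD distribution or the original guide. It reads a deployment descriptor and reports the settings described in this section, falling back to the documented defaults. The sample XML and its namespace are constructed for illustration, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not the shipped web.xml: only settings named in this section.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <context-param>
    <param-name>com.sun.tta.confmgr.DisplayLimit</param-name>
    <param-value>0</param-value>
  </context-param>
  <context-param>
    <param-name>com.sun.tta.confmgr.ArraySyncPeriod</param-name>
    <param-value>250</param-value>
  </context-param>
  <session-config>
    <session-timeout>0</session-timeout>
  </session-config>
</web-app>"""

# Defaults as documented in this section (milliseconds, except DisplayLimit).
DEFAULTS = {"com.sun.tta.confmgr.DisplayLimit": 150,
            "com.sun.tta.confmgr.ArraySyncPeriod": 250,
            "com.sun.tta.confmgr.LdapSearchTimeLimit": 0}

def _local(tag):
    return tag.rsplit("}", 1)[-1]          # drop the XML namespace, if any

def read_settings(xml_text):
    """Return effective values, using the documented default when a setting is absent."""
    values = {**DEFAULTS, "session-timeout": 30}   # session-timeout is in minutes
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) == "context-param":
            kids = {_local(c.tag): (c.text or "").strip() for c in el}
            if kids.get("param-name") in DEFAULTS:
                values[kids["param-name"]] = int(kids["param-value"])
        elif _local(el.tag) == "session-timeout":
            values["session-timeout"] = int((el.text or "").strip())
    return values

def findings(values):
    """Flag values that weaken the behaviour described in this section."""
    out = []
    if values["session-timeout"] <= 0:
        # Servlet containers treat 0 or a negative value as "never time out".
        out.append("session-timeout <= 0: idle console sessions never expire")
    if values["com.sun.tta.confmgr.DisplayLimit"] == 0:
        out.append("DisplayLimit 0: unlimited search results, performance cost")
    return out

if __name__ == "__main__":
    for line in findings(read_settings(SAMPLE_WEB_XML)):
        print(line)
```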


Securing Access to the Administration Console

Because the Administration Console is a web application, you can control which client devices are allowed to access it. For example, you can do this by configuring the SGD web server to use the Apache <Location> directive, as in the following example:

<Location /sgdadmin>
   Order Deny,Allow
   Deny from all
   Allow from 129.156.4.240
</Location> 

In this example, only client devices with an IP address of 129.156.4.240 are allowed to access the /sgdadmin directory on the SGD web server. The /sgdadmin directory contains the home page of the Administration Console.

For more information on how to configure the <Location> directive, check the Apache documentation.
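The following checker is an added example, not part of the original guide or the SGD distribution. It applies the Order, Allow and Deny evaluation rules to the <Location /sgdadmin> block shown above and to a constructed variant that omits "Deny from all", which leaves the console open to every address. The function names and the probe addresses other than 129.156.4.240 are assumptions.

```python
import ipaddress
import re

# Constructed inputs: PAGE_CONF is the block shown above; WEAK_CONF is a
# hypothetical variant that drops "Deny from all".
PAGE_CONF = """<Location /sgdadmin>
   Order Deny,Allow
   Deny from all
   Allow from 129.156.4.240
</Location>"""
WEAK_CONF = """<Location /sgdadmin>
   Order Deny,Allow
   Allow from 129.156.4.240
</Location>"""

def parse_location(conf_text, path):
    """Return (order, allow_specs, deny_specs) for <Location path>, or None."""
    m = re.search(r"<Location\s+" + re.escape(path) + r"\s*>(.*?)</Location>",
                  conf_text, re.S | re.I)
    if m is None:
        return None
    order, allow, deny = "deny,allow", [], []    # Order defaults to Deny,Allow
    for line in m.group(1).splitlines():
        words = line.split("#")[0].split()
        if len(words) >= 2 and words[0].lower() == "order":
            order = words[1].lower()
        elif len(words) >= 3 and words[1].lower() == "from":
            if words[0].lower() == "allow":
                allow.extend(w.lower() for w in words[2:])
            elif words[0].lower() == "deny":
                deny.extend(w.lower() for w in words[2:])
    return order, allow, deny

def _matches(spec, ip):
    # Handles "all", single addresses and CIDR ranges only; hostnames and
    # partial addresses raise ValueError rather than being guessed at.
    return spec == "all" or ip in ipaddress.ip_network(spec, strict=False)

def is_allowed(conf_text, path, client_ip):
    """Apply Order/Allow/Deny semantics for one client address."""
    rules = parse_location(conf_text, path)
    if rules is None:
        return True              # no block: this mechanism restricts nothing
    order, allow, deny = rules
    ip = ipaddress.ip_address(client_ip)
    hit_allow = any(_matches(s, ip) for s in allow)
    hit_deny = any(_matches(s, ip) for s in deny)
    if order == "deny,allow":
        return hit_allow or not hit_deny     # default allow, Allow wins
    return hit_allow and not hit_deny        # Allow,Deny: default deny, Deny wins
```

With PAGE_CONF only 129.156.4.240 is admitted; with WEAK_CONF every probe address is admitted, because Order Deny,Allow permits any client that no Deny directive matches.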